I just got it to work in a slightly different way.  I can probably delete my NAT rule as you surmised so I'll play with it a bit, but I wonder if it's more secure keeping the NAT as it has to follow a traditional port-forward-nat rule first.

Basically the gist of it is I point it to my internal pfSense LAN IP and I assume STunnel does the rest.

Stunnel rule
Listen on 192.168.1.1  (internal IP of pfSense firewall LAN)
Listen on port 3456
Redirect to 192.168.1.15  (Camera software box)
Redirects on port 81

NAT rule
Interface  WAN
Protocol  TCP
Dest Address  WAN Address
Dest Ports  3456
NAT IP  192.168.1.1
NAT Ports  3456

NAT created FW rule
Protocol  IPv4 TCP
Source  *
Destination  192.168.1.1
Port  3456

Absolutely sure.  We don't use policies or any other sorts of enforcements.  We tried to build our network around KISS.

I took a look at the trace I saved:
The process querying for the WPAD data got no name (is called "unavailable"), but the "GET /wpad.dat" packet says:  "User-Agent: WinHttp-Autoproxy-Service/5.1".  So I believe it is a std Windows process.
If you never set up proxy settings to be automatic, it does not query for wpad.dat (at least not within the first 2-3 hours after initial Win10 install - I did not wait any longer).  It starts doing this after the first time you set up the proxy settings to be automatic.  Windows initially gets the wpad.dat and then the proxy answers "304 Not Modified" for the following queries.  And after each of these following queries for wpad.dat, "manual settings" are unchecked, "automatic settings" are unchecked, but wpad.dat settings are active again.  And any data entered into the manual fields are cleared.
It may take 10 minutes or it may take 60 minutes for the following "GET /wpad.dat" to be sent.  For me it looked like "out of a sudden someone asks for wpad.dat and resets my settings".  At first I thought it would be time to do something else because I can't concentrate anymore…
The clean install of Windows 10 does not even have any AV software, which often does some sort of proxy stuff.
Maybe it has to do with a specific Windows version after lots of OS updates that come in after install.  I have no clue...
I just wanted to let others know, because this drove me crazy.  Maybe it's gone again with next Windows updates.

Great to hear I'm not the only one with that issue. We have over 15 sites with PFSense with that issue. For the moment I'm using a cron job to delete the log file every night as it grows so fast and already caused lack of disk space on some sites.
It would be great if the developers could describe how the squid config really works in terms of squid.conf and squid.inc etc.
So far no reply from them.

Thanks,

Rafe

crickets
nothing? no help? I pinpointed my issue more towards router iptables anyway.
I was told the brightest people on this subject would know how to get this going I guess they were wrong, either that or people too lazy to read a long thorough post instead of guessing the setup and giving wrong replies.

@sichent:

If you need to bypass the HTTPS description you cannot just whitelist in pfSense UI I guess. You need to actively splice by ssl::server_name.

Now I have a question! ??? So, what's the whitelist purpose?

Worked like a charm! Thanks anything else you noticed in my haconfig that should be changed?

Thanks for the reply.  Will move over there, thanks.

In case of 'shared frontends' only 1 frontend is written to the config, and the configuration settings are 'combined' so that might be ok.

The webserver server line does also count bytes in/out ?

What if you run a 'curl http://webserver.example.net/' request to the haproxy frontend.? Does that timeout as well? Or does it perhaps redirect to a https://wanip:443/ while haproxy is listening on :80 or perhaps a redirect to https://url:9001 ? In which case the timeout would make sense as those ports are likely not open..

What do haproxy logs tell for the request? Either send them to a syslog server elsewhere on the network, or to the local log socket so it will show in status\packagelogs.

@KOM:

Isn't Diladele some paid application??  You don't need them to do URL filtering.

Thanks for pointing that out. I'm at work and gave the guide he posted a quick look, and the first page had what appeared to be clear instructions. I didn't realize he was promoting a company… Was definitely misled.

-RYknow

Haproxy just makes a plain tcp connection to port 25 and sends a few commands.. to push out a receiver subject and body.. the mailserver must be configured to not require authentication from haproxy's ip for this to work.

No authentication setting is available:
http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#3.6

An update…

I connected a laptop to the WAN side segment and I was able to connect to the proxy. So seems the problem is the router port forward... it is like it needs another port besides 3128 to connect.

Leo Manes

For anyone that bumped into this issue, the following thread solved the issue https://forum.pfsense.org/index.php?topic=141555.msg772504#msg772504

Thanks again PiBa,

I must be blind. Did not see the down arrow to add a lua script. Worked like a charm.

Regards,

Thanks for the links,

A single certificate can be valid for multiple domains, so you can make 1 certificate thats valid for both www.domain.com and domain.com as a 'Subject Alternative Name'. And yes to be able to send a redirect you still need a valid cert..

Having IIS bound to * should also work imho.. as long as it accepts haproxy's connection the request should be handled the same..

As for internally it should just work the same as externally.. Unless you visit it by a different hostname and have iis check for that also?

Will look further into it.

@DDDSSS:

and hopefully whatever's causing the HTTPS filtering to work inconsistently with PFsense gets sorted out

Not gonna happen. Since it seems that nobody in pfSense cares about Squid HTTPS filtering in transparent mode with Splice-All setting.
I read a lot of topics here. And the most common answer - Do not use HTTPS filtering in transparent mode. It's not designed for that, blah-blah-blah.
Despite it working flawlessly on other distros.