Sorry, I am posting my question again since last time I was not a subscriber yet.

================================================

Hi,

After a lot of googling, I finally found this post. I met exactly the same problem as you, and can't use squid to handle https traffic behind a parent proxy. I also tried proxychains + squid, but without luck, it didn't work, so could I ask for your configuration for proxychains + squid?

This is mine. For proxychains, it's very easy:

    strict_chain
    [ProxyList]
    http 127.0.0.1 12345

(For some reason, I must use an ssh reverse tunnel to map my parent http proxy to my local port 12345.)

For squid 3.4:

    http_access allow all
    http_port 3128 intercept
    https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squid.crt key=/etc/squid/ssl_cert/private.key
    always_direct allow all
    ssl_bump server-first all
    sslproxy_cert_error allow all
    sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
    sslcrtd_children 8 startup=1 idle=1
    coredump_dir /var/spool/squid
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

My iptables rules:

    -A PROXY -p tcp --dport 80 -j REDIRECT --to-ports 3128
    -A PROXY -p tcp --dport 443 -j REDIRECT --to-ports 3129

And lastly, I use proxychains to chain them together:

    proxychains4 -f proxychains.conf squid -f /etc/squid/squid.conf

But it didn't work for either http or https. I checked the http log, and it turned out that it's denied by squid, but I'm sure the ACL settings should be fine. So I switched the squid settings back to use cache_peer, and then http works. Then I modified proxychains.conf to use a proxy which doesn't exist and chained squid again, and http still works, so I'm pretty sure proxychains is not working for chaining the parent proxy and squid together.

But I have tested proxychains in my environment with other commands like yum or telnet, and they work fine. Why can't it work for squid? Is it because squid runs as a daemon? So how did you integrate them?

Thanks in advance.

Best regards.