On 11/06/19 6:24 pm, afkout wrote:
> I tried ssl_bump and header_replace, not working
>
> TCP_MISS/503 5452 GET https://steamcommunity.com/ cjm ROUNDROBIN_PARENT/72.246.190.104 text/html
>
> config
>
> acl sc ssl::server_name steamcommunity.com
> cache_peer steamuserimages-a.akamaihd.net parent 443 7 no-query proxy-only round-robin name=ak1 tls tls-min-version=1.2 originserver
> cache_peer_access ak1 allow sc
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/cacert.pem key=/etc/squid/cakey.pem
>

Ah. This is not a reverse-proxy config. This is a regular forward-proxy that decrypts / MITM's any HTTPS going through it.

This would be a reverse-proxy for the steamcommunity.com domain:

  https_port 443 accel \
      cert=/etc/squid/cacert.pem \
      key=/etc/squid/cakey.pem

  cache_peer steamuserimages-a.akamaihd.net parent 443 0 name=ak1 \
      originserver no-query proxy-only tls-min-version=1.2

  acl sc dstdomain .steamcommunity.com
  cache_peer_access ak1 allow sc
  http_access allow sc

For multiple domains in that same https_port (note the 's') your cert/key need to cover all of them. That could be a wildcard cert, or one with multiple domains in its CN SubjectAltName. Alternatively you can have multiple https_port lines with different IPs for different certs.

If you are using the latest Squid-4, then GnuTLS builds (not OpenSSL) can also support multiple certs. Bundle the key+cert (plus any relevant CA chain) into one PEM file for each domain and load each file with the tls-cert= option. Like so:

  https_port 443 accel \
      tls-cert=/etc/squid/example.com.pem \
      tls-cert=/etc/squid/example.net.pem \
      tls-cert=/etc/squid/example.org.pem

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
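The per-domain PEM bundling that Amos describes for the Squid-4 tls-cert= option, as an added example that is not part of the thread and not Squid's own tooling. It is a small POSIX sh script: bundle_pem concatenates a private key, server certificate and CA chain in the order TLS libraries expect (key first, then leaf, then chain), refuses passphrase-protected keys (Squid cannot prompt for one at startup), and creates the bundle readable only by its owner since it contains the private key; https_port_line then prints the matching https_port directive. The domain names, input file names and /etc/squid output path in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the squid-users thread, not Squid's own code).
# Builds one PEM bundle per domain for https_port ... tls-cert=FILE and
# prints the https_port line that loads them. Paths are assumptions.
set -eu

# bundle_pem DOMAIN KEYFILE CERTFILE CHAINFILE OUTDIR
# Writes OUTDIR/DOMAIN.pem = key + leaf cert + CA chain, mode 0600,
# and prints the bundle path. Returns 1 on any problem with the inputs.
bundle_pem() {
    domain=$1; key=$2; cert=$3; chain=$4; outdir=$5
    out="$outdir/$domain.pem"

    for f in "$key" "$cert" "$chain"; do
        [ -r "$f" ] || { echo "bundle_pem: cannot read $f" >&2; return 1; }
    done
    # Accept PKCS#8, RSA and EC PEM keys; reject anything else.
    grep -q 'BEGIN .*PRIVATE KEY' "$key" \
        || { echo "bundle_pem: $key holds no PEM private key" >&2; return 1; }
    # A passphrase-protected key cannot be loaded by an unattended squid.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "bundle_pem: $key is passphrase-protected; export it unencrypted first" >&2
        return 1
    fi
    grep -q 'BEGIN CERTIFICATE' "$cert" \
        || { echo "bundle_pem: $cert holds no PEM certificate" >&2; return 1; }

    # Create the file with a restrictive umask so the key is never
    # world-readable, even for an instant, then pin the mode explicitly.
    ( umask 077; cat "$key" "$cert" "$chain" > "$out" )
    chmod 0600 "$out"
    printf '%s\n' "$out"
}

# https_port_line OUTDIR DOMAIN...
# Prints a multi-line https_port directive with one tls-cert= per domain,
# in the layout used in the reply above.
https_port_line() {
    outdir=$1; shift
    line="https_port 443 accel"
    for domain in "$@"; do
        line="$line \\
    tls-cert=$outdir/$domain.pem"
    done
    printf '%s\n' "$line"
}

# Typical use (assumed paths):
#   bundle_pem example.com example.com.key example.com.crt ca-chain.pem /etc/squid
#   bundle_pem example.net example.net.key example.net.crt ca-chain.pem /etc/squid
#   https_port_line /etc/squid example.com example.net >> /etc/squid/squid.conf
```

The bundle owner should be whatever user squid runs as (cache_effective_user), and the script deliberately does not touch the system-wide CA store: the chain file is only what the proxy sends to clients. Run squid -k parse after appending the https_port line so a bad bundle is caught before the running instance reloads.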