Sending HTTPS traffic after Squid + SSL_BUMP to a second proxy

After configuring Squid to perform SSL Bump on HTTPS SSL requests from clients, I want to send this to another proxy that will perform its own MITM, connect to the 'target server' and return the information back to the client. What is needed for Squid to pass the requests (after SSL Bump is performed) to the second proxy?


box1 was updated with iptables rules:

iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to

box2 has SSL_BUMP configured to listen and decrypt on 8444. However, I am unsure how to configure Squid to pass the decrypted SSL redirect from the ssl_bump. I've tried cache_peer (parent) and Squid does not successfully connect to the cache_peer (parent).


I'm pretty sure you can't specify a downstream proxy server in squid.conf if you are using SslBump (or I couldn't when I used it with Squid 3.4.??). I'm guessing the way you could do this is to set up another transparent HTTPS/SslBump iptables/Squid as you have in your example:


with box4 redirecting all TCP 443 traffic to box5 port 8884 (your HTTPS Squid intercept port).

But do you really need to do this? It's looking overcomplicated to me.

BTW, if you are using iptables (e.g. box2) as a router, you can run Squid + ssl_bump on it too to save on boxes.
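For readers who want to see what the answer's "second transparent SslBump box" looks like in practice, here is an added squid.conf for that box (box5 in the answer), written with Squid 3.5-style directives. This is example configuration, not taken from the question, the answer or the Squid project; the certificate and helper paths, the database directory and the interface name are assumptions. The iptables REDIRECT is shown in a comment because Squid's intercept mode recovers the original destination from the NAT table of the host it runs on, which is also why box4 should route port 443 to box5 rather than DNAT it there.

```conf
# Added example (not from the original question or answer): squid.conf for the
# second intercepting SslBump proxy ("box5" in the answer). Assumed paths below.
#
# Port 443 must be redirected to 8884 by iptables ON THIS HOST, for example
# (interface name assumed):
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8884
# "intercept" looks up the original destination in the local NAT table, so the
# router in front (box4) should route TCP 443 to this box, not DNAT it here.

# Ordinary forward-proxy port, required for Squid to start and for local tests
http_port 3128

# Intercept port for the redirected HTTPS traffic; per-site certificates are
# generated on the fly and signed by the bump CA (paths assumed)
https_port 8884 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key

# Certificate-generation helper (name and location differ between Squid 3.5
# and Squid 4; the 3.5 helper is assumed here)
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Peek at the ClientHello first so the SNI is available for logging and ACLs,
# then bump (terminate and re-encrypt) every connection
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Outbound side: this box connects to the real origin and validates its
# certificate against the system CA bundle (path assumed)
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt

# Chaining caveat: the first bumping proxy (box2 in the question) now sees
# certificates signed by this box's bump CA instead of the origin's CA, so
# box2's own sslproxy_cafile must include /etc/squid/bump-ca.pem or its
# origin validation fails and the chain breaks. Add the CA rather than
# turning validation off with sslproxy_flags DONT_VERIFY_PEER.
```

Keep the bump CA private key readable only by the Squid user: whoever holds it can impersonate any site to every client that trusts that CA, so it deserves the same handling as any other signing key.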

Source: Link, Question Author: Jeryl Cook, Answer Author: Jim ReesPotter
