Proxy chaining with Squid - possible?

What happened?

I tried to configure the server runnning Pomerium to use Squid for internet access

What did you expect to happen?

Expected that Pomerium would use Squid as a next-hop proxy for routes going to the internet

How’d it happen?

  1. Installed Pomerium on a standalone virtual server and configured Squid with environment vars (http_proxy|https_proxy) in both /etc/profile and /etc/systemd/system/pomerium.service.d/override.conf
  2. Tried accessing the configured route
  3. Saw that proxied traffic was still going directly to internet instead of to Squid

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): 0.20.0-1668445494+9413123c
  • Server Operating System/Architecture/Cloud: RHEL 8.7

What’s your config.yaml?

# Required settings below.  See complete documentation at

# To run on :443 set AmbientCapabilities=CAP_NET_BIND_SERVICE
# in a systemd override

# this is the domain the identity provider will callback after a user authenticates

# certificate settings:
autocert: false
  - cert: /etc/pki/http/my_configured_cert.crt
    key: /etc/pki/http/my_configured_cert.key

shared_secret: <generated secret>
cookie_secret: <another generated secret>
idp_provider: oidc
idp_client_id: pomerium-client-001
idp_client_secret: <sso client secret>

- from:
  tls_skip_verify: true
  - allow:
      - domain:

What did you see in the logs?

Nothing out of the ordinary

Additional context

Is it possible to get Pomerium to send internet bound traffic to a second proxy?

Pomerium does not currently support this. I have added an issue to track this feature request: Proxy support for outbound connections · Issue #3875 · pomerium/pomerium · GitHub.

@torch – thanks for the feature request. Could you provide a bit more context about why this is important in your environment? Would be very helpful thank you.

Hi, and thanks for looking into this.

In our environment company policy dictates that internet-bound traffic should be explicitly whitelisted and predominantly routed through a forward proxy, for security reasons and for optimization/caching.

In addition, since we’re whitelisting outbound traffic on Squid, server admins and application owners can configure access lists without involving the firewall team.

Hope that’s helpful