[squid-users] TCP_DENIED/403

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 5 10:29:01 UTC 2014


On 5/11/2014 10:39 p.m., navari.lorenzo at gmail.com wrote:
> Good day today. I'm configuring a Squid Web Proxy Cache and I
> apply the deny policy to some sites. This is the problem:
> 
> when people access sites with GET they have the right html error
> page ERR_ACCESS_DENIED (LOG = TCP_DENIED/403 4069 GET
> http://www.sex.com/ - HIER_NONE/- text/html)
> 
> when people access sites with CONNECT they DON'T have the right
> html error page but the message CONNECTION REFUSED BY PROXY SERVER
> (LOG = TCP_DENIED/403 3681 CONNECT facebook.com:443 - HIER_NONE/-
> text/html)
> 
> I would like to have the same error page for all.
> 
> Can anyone help ??
> 

Sorry, the answer there is no.

If you look at the TCP packets being sent back by Squid, and as also
shown by those log entries, Squid *is* sending back the same 403 error
in both cases to the client browser.

What is happening is that the browser treats CONNECT and GET
differently. Specifically they refuse to show any remotely generated
(by Squid) content in the event of a 4xx or 5xx response to CONNECT.

To get this changed you will have to discuss it with the browser
people. They do it this way because of past history with malicious
payloads being delivered back in 4xx errors to CONNECT.

Amos

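
An added example, not part of the original thread or of Squid: a small access.log triage script that separates TCP_DENIED/403 entries whose error page the browser renders from denied CONNECT requests, where the reply above says the browser discards Squid's body. The sample lines are constructed (timestamps, elapsed times and client addresses are made up), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
#   time elapsed client code/status bytes method URL user hierarchy/peer type
# Only the code/status, size, method and URL fields mirror the thread's entries.
SAMPLE_LOG = """\
1415183341.123      0 192.0.2.10 TCP_DENIED/403 4069 GET http://www.sex.com/ - HIER_NONE/- text/html
1415183350.456      0 192.0.2.10 TCP_DENIED/403 3681 CONNECT facebook.com:443 - HIER_NONE/- text/html
1415183360.789     95 192.0.2.11 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/198.51.100.7 text/html
1415183371.001      0 192.0.2.11 TCP_DENIED/403 3681 CONNECT facebook.com:443 - HIER_NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+"
)


def parse_denied(log_text):
    """Yield (client, method, target) for each TCP_DENIED/403 entry."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["code"] == "TCP_DENIED" and m["status"] == "403":
            yield m["client"], m["method"], m["url"]


def split_by_visibility(log_text):
    """Split denials by whether the user actually sees Squid's error page.

    Squid sends the 403 body in both cases; for CONNECT the browser shows
    its own generic message instead, so those users need another channel
    (helpdesk, policy notice) to learn why the request was blocked.
    """
    shown, hidden = [], defaultdict(list)
    for client, method, target in parse_denied(log_text):
        if method == "CONNECT":
            hidden[client].append(target)
        else:
            shown.append((client, target))
    return shown, dict(hidden)


if __name__ == "__main__":
    shown, hidden = split_by_visibility(SAMPLE_LOG)
    print("error page rendered:", shown)
    print("denied CONNECT (page not rendered):", hidden)
```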

