[squid-users] TCP_DENIED/403

Amos Jeffries squid3 at treenet.co.nz
Thu Nov 6 09:23:48 UTC 2014



On 6/11/2014 9:45 p.m., navari.lorenzo wrote:
> Hello boys, excuse my bad English
> 
> There is something I don't understand. If I write a URL into a
> browser which uses Squid (for example www.xxx.com) (denied with an
> ACL)
> 
> I expect Squid to answer saying: you cannot access this URL
> because it is a denied URL. This should happen without Squid going
> to look for that URL.
> 
> What's wrong ?

Your thinking is wrong.

1) When you enter an HTTP URI the browser passes *the URL* to Squid
and asks for it.
 -> Squid replies 403 Forbidden (to access URL)

2) When you enter an HTTPS URL the browser tries to open a CONNECT
tunnel through the proxy.
 -> Squid replies 403 Forbidden (to set up tunnel).

*** HTTPS URL is never seen by Squid (unseen URL cannot be forbidden)

 -> Browser leaves your https:// URL in the address bar.

 ** Browser people think it's false to display the 403 Forbidden (about
CONNECT) as the page, because the URL in address bar was not forbidden.
Which is understandable though annoying - only the CONNECT tunnel is
known to be forbidden.

So what does the browser display for HTTPS URLs?
  "Cannot CONNECT to server" or something like that.

Amos

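The two cases described in the reply above can be told apart in the proxy log. The following is an added example, not part of the original post: it reads TCP_DENIED/403 entries and reports what the proxy could actually see for each one. It assumes Squid's default native access.log field order; the log lines and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample lines in the native access.log layout (assumption):
# time elapsed client action/code bytes method target ident hierarchy type
SAMPLE_LOG = """\
1415265828.101      0 192.0.2.10 TCP_DENIED/403 3985 GET http://www.example.com/private/page.html - HIER_NONE/- text/html
1415265829.202      0 192.0.2.10 TCP_DENIED/403 3842 CONNECT www.example.com:443 - HIER_NONE/- text/html
1415265830.303    120 192.0.2.11 TCP_MISS/200 5120 GET http://www.example.org/ - HIER_DIRECT/198.51.100.7 text/html
"""

def parse_line(line):
    """Split one log line into the fields used here; None if malformed."""
    f = line.split()
    if len(f) < 7:
        return None
    status, _, code = f[3].partition("/")
    return {"client": f[2], "status": status, "code": code,
            "method": f[5], "target": f[6]}

def visible_to_proxy(entry):
    """Return (host, path) as seen by the proxy; path is None for CONNECT."""
    if entry["method"] == "CONNECT":
        # A CONNECT request names only host:port, never the https:// URL.
        host, _, _port = entry["target"].rpartition(":")
        return host, None
    parts = urlsplit(entry["target"])
    return parts.hostname, parts.path or "/"

def denied_summary(log_text):
    """List (client, kind, host, path) for every TCP_DENIED/403 entry."""
    rows = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["status"] != "TCP_DENIED" or e["code"] != "403":
            continue
        host, path = visible_to_proxy(e)
        kind = "tunnel" if path is None else "url"
        rows.append((e["client"], kind, host, path))
    return rows

if __name__ == "__main__":
    for row in denied_summary(SAMPLE_LOG):
        print(row)
```

A "tunnel" row is a denied CONNECT, so the log holds only the host and port for it.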

