[squid-users] Squid custom error page

Amos Jeffries squid3 at treenet.co.nz
Wed May 17 14:04:28 UTC 2017


On 17/05/17 23:32, chcs wrote:
> Firefox 53.0.2, Chrome 58.3029 and Opera 44 display a "Proxy Server Refused
> Connection" page, instead of the Squid custom error page, when connecting to an
> HTTPS site which is blocked by the proxy server.
> For example, we try to connect to https://www.something.com via the Squid proxy
> server, which denies this connection with a 403 error and sends a custom error
> page with a description of the problem. In older versions it worked.
> I'm using pfSense 2.4 (actual version squid 3.5.24).
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. Configure Firefox to use proxy server (SSL Proxy).
> 2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
> Encrypt authority
> 3. Try to connect to an HTTPS site which will be blocked by the proxy server
>
> Actual Results:
> Firefox will display "Page Load Error" with description "Proxy Server
> Refused Connection. Firefox is configured to use a proxy server that is
> refusing connections."
> If we connect to an HTTPS site which is not blocked by the proxy server, OR use
> a self-signed CA issuer, all works fine.
>
> Expected Results:
> Display proxy server error page with deny info.

This is a well-known problem with Browsers, they all refuse to display 
any response to a CONNECT tunnel message.
<http://wiki.squid-cache.org/Features/CustomErrors#Custom_error_pages_not_displayed_for_HTTPS>

Use of TLS to secure the connection to the proxy does not affect this 
browser behaviour on HTTPS traffic. The best you can hope for is to make 
Squid use a 511 status code with deny_info and hope that it chooses to 
display something halfway useful.

Amos
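
Because the browser hides whatever the proxy answers to CONNECT, an administrator can check directly what Squid sent for a denied tunnel (status code and error page body). The following is an added example, not part of the original message or of Squid; the function names and the sample reply are constructed for illustration, and a local socket pair stands in for the proxy so it runs offline.

```python
import socket

# Constructed sample of a proxy reply to a denied CONNECT (not captured traffic).
SAMPLE_BODY = b"<html><body>Blocked by proxy policy.</body></html>"
SAMPLE_REPLY = (b"HTTP/1.1 511 Network Authentication Required\r\n"
                b"Content-Type: text/html\r\n"
                b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
                b"Connection: close\r\n\r\n" + SAMPLE_BODY)

def parse_reply(raw):
    """Split a proxy's reply to CONNECT into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 511 Reason" -> 511
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def probe_connect(sock, target):
    """Send CONNECT for target ("host:port") on a socket already connected
    to the proxy and return the parsed reply, including any error page."""
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
    sock.sendall(request.encode("ascii"))
    raw = b""
    while True:
        if b"\r\n\r\n" in raw:
            status, headers, body = parse_reply(raw)
            # A 200 reply has no body; a denial carries Content-Length bytes.
            if len(body) >= int(headers.get("content-length", 0)):
                return status, headers, body
        chunk = sock.recv(4096)
        if not chunk:
            if not raw:
                raise ConnectionError("proxy closed the connection without replying")
            return parse_reply(raw)
        raw += chunk

def demo():
    """Run the probe against a socket pair preloaded with SAMPLE_REPLY."""
    client, proxy = socket.socketpair()
    try:
        proxy.sendall(SAMPLE_REPLY)  # stand-in for the proxy's denial
        return probe_connect(client, "www.something.com:443")
    finally:
        client.close()
        proxy.close()

if __name__ == "__main__":
    status, headers, body = demo()
    print(status, headers.get("content-type"), len(body), "byte error page")
```

Against a real proxy, pass `probe_connect` a socket from `socket.create_connection((proxy_host, proxy_port))`, where both values are whatever your Squid listens on.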


