[squid-users] https requests the squid rejects the connection

Amos Jeffries squid3 at treenet.co.nz
Mon Aug 20 20:28:55 UTC 2018


On 21/08/18 8:19 AM, Marcelo J. Martinez wrote:
> access.log:
> 
> 1534782486.761      0 10.10.1.101 TCP_DENIED/403 3917 CONNECT aus5.mozilla.org:443 - HIER_NONE/- text/html
> 1534782486.767      0 10.10.1.101 TCP_DENIED/403 3926 CONNECT redirector.gvt1.com:443 - HIER_NONE/- text/html
> 1534782486.768      0 10.10.1.101 TCP_DENIED/403 4221 GET http://ciscobinary.openh264.org/openh264-win64-0410d336bb748149a4f560eb6108090f078254b1.zip - HIER_NONE/- text/html
> 1534782606.751      0 10.10.1.101 TCP_DENIED/403 3989 CONNECT blocklists.settings.services.mozilla.com:443 - HIER_NONE/- text/html
> 1534782606.754      0 10.10.1.101 TCP_DENIED/403 3980 CONNECT firefox.settings.services.mozilla.com:443 - HIER_NONE/- text/html
> 1534783061.435      0 10.10.1.101 TCP_DENIED/403 3914 CONNECT www.youtube.com:443 - HIER_NONE/- text/html
> 1534783486.477      0 10.10.1.101 TCP_DENIED/403 4123 GET http://argenteam.net/ - HIER_NONE/- text/html
> 1534783486.506      0 10.10.1.101 TCP_DENIED/403 4169 GET http://smbserver2:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
> 1534785311.331      0 10.10.1.101 TCP_DENIED/403 3914 CONNECT www.youtube.com:443 - HIER_NONE/- text/html
> 1534788567.647      0 10.10.1.101 TCP_DENIED/403 3950 CONNECT safebrowsing.googleapis.com:443 - HIER_NONE/- text/html
> 1534791437.517      0 10.10.1.101 TCP_DENIED/403 3917 CONNECT aus5.mozilla.org:443 - HIER_NONE/- text/html
> 
> Bear in mind that the server is configured to reject the connection from my IP. The problem is that:
> with HTTP queries, the normal Squid error page appears.
> with HTTPS queries, the browser informs me that the proxy rejected the connection and the normal Squid page does not appear.
> 

This is intentional behaviour by the browsers. Squid does send the same
error page if the CONNECT tunnel is rejected, but they all refuse to
display anything but their own text. There were some workarounds that
worked some time ago, but those have also been blocked in recent years.

I do mean "refuse" above. The browser authors have repeatedly been asked
to re-assess and always close the bugs as WONTFIX, citing security risks
which are demonstrably false, or ignore it.


There is nothing Squid (or we) can do about it these days short of fully
decrypting the client TLS and injecting a fake response containing the
error page. Yes that is as nasty as it sounds (maybe more) and assumes
that the traffic on port 443 actually is HTTPS instead of something else.

Amos


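The access.log excerpt in the question already contains the evidence for what Amos says: every denied CONNECT is logged as a 403 with roughly 3.9 KB of text/html written to the client, which is the error page body, the same as for the denied GET requests. The following parser for Squid's native access.log format (the default "squid" logformat: time, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, content-type) is an added example and not code from Squid or from either poster. It classifies denials by whether the request was a CONNECT tunnel or a plain-HTTP request, and checks whether an error page body was sent. The sample lines are copied from the excerpt above, plus one TCP_MISS line constructed here for contrast; the helper names are assumptions of this example.

```python
import re
from collections import Counter

# Field layout of Squid's native access.log ("squid" logformat), one record per line:
# <unix time>.<ms> <elapsed ms> <client> <result>/<status> <bytes sent> <method> <URL> <user> <hierarchy>/<peer> <content-type>
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Lines copied from the access.log excerpt in the question, plus one constructed
# (not from the thread) TCP_MISS line so the classifier has an allowed request to see.
SAMPLE_LINES = [
    "1534782486.761      0 10.10.1.101 TCP_DENIED/403 3917 CONNECT aus5.mozilla.org:443 - HIER_NONE/- text/html",
    "1534782486.767      0 10.10.1.101 TCP_DENIED/403 3926 CONNECT redirector.gvt1.com:443 - HIER_NONE/- text/html",
    "1534782486.768      0 10.10.1.101 TCP_DENIED/403 4221 GET http://ciscobinary.openh264.org/openh264-win64-0410d336bb748149a4f560eb6108090f078254b1.zip - HIER_NONE/- text/html",
    "1534782606.751      0 10.10.1.101 TCP_DENIED/403 3989 CONNECT blocklists.settings.services.mozilla.com:443 - HIER_NONE/- text/html",
    "1534782606.754      0 10.10.1.101 TCP_DENIED/403 3980 CONNECT firefox.settings.services.mozilla.com:443 - HIER_NONE/- text/html",
    "1534783061.435      0 10.10.1.101 TCP_DENIED/403 3914 CONNECT www.youtube.com:443 - HIER_NONE/- text/html",
    "1534783486.477      0 10.10.1.101 TCP_DENIED/403 4123 GET http://argenteam.net/ - HIER_NONE/- text/html",
    "1534783486.506      0 10.10.1.101 TCP_DENIED/403 4169 GET http://smbserver2:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html",
    "1534785311.331      0 10.10.1.101 TCP_DENIED/403 3914 CONNECT www.youtube.com:443 - HIER_NONE/- text/html",
    "1534788567.647      0 10.10.1.101 TCP_DENIED/403 3950 CONNECT safebrowsing.googleapis.com:443 - HIER_NONE/- text/html",
    "1534791437.517      0 10.10.1.101 TCP_DENIED/403 3917 CONNECT aus5.mozilla.org:443 - HIER_NONE/- text/html",
    # constructed line: an allowed, directly fetched request
    "1534782500.123    245 10.10.1.101 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html",
]


def parse_line(line):
    """Parse one native-format access.log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Separate denied CONNECT tunnels (the HTTPS case) from denied plain-HTTP requests."""
    if rec["result"] != "TCP_DENIED":
        return "allowed"
    return "denied_tunnel" if rec["method"] == "CONNECT" else "denied_http"


def error_page_sent(rec):
    """True when Squid wrote an HTML error body for a 403, regardless of the request method.

    The bytes column is what Squid sent to the client, so a 403 with a few KB of
    text/html means the error page left the proxy even though a browser will not
    render it for a rejected CONNECT.
    """
    return rec["status"] == 403 and rec["ctype"] == "text/html" and rec["bytes"] > 0


def summarize(lines):
    """Count records per class; unparsable lines are counted separately rather than dropped silently."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[classify(rec)] += 1
    return counts


def tunnel_denials_with_error_page(lines):
    """Return the destination host:port of every denied CONNECT for which an error page body was sent."""
    hosts = []
    for line in lines:
        rec = parse_line(line)
        if rec and classify(rec) == "denied_tunnel" and error_page_sent(rec):
            hosts.append(rec["url"])
    return hosts


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    for host in tunnel_denials_with_error_page(SAMPLE_LINES):
        print("error page sent for CONNECT", host)
```

Run against a real access.log with `summarize(open("/var/log/squid/access.log"))`; if the proxy uses a custom logformat, the regex needs adjusting to that layout. The point the output makes is the one in the reply: the CONNECT denials carry an error body just like the GET denials, so the missing page is on the browser side, not a Squid-side difference between the two cases.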