[squid-users] ERR_ACCESS_DENIED when using transparent https proxy

Amos Jeffries squid3 at treenet.co.nz
Sat Jun 30 09:03:51 UTC 2018

On 30/06/18 16:54, CZ Huang wrote:
> I used the following command to send requests (see details below) but got
> "HTTP/1.1 403 Forbidden".
> curl https://www.online.citi.com -x --verbose
> --proxy-insecure
> I understand the error was caused by "CONNECT HTTP/1.1".
> But curl did not send it so where did it come from?

It came from your machines NAT system, in combination with SSL-Bump.

> If I change "https_port ssl-bump intercept" to
> "https_port" in the config file, then there is no error
> (proxy does not take part in the 2nd SSL handshake anymore).
> Please help me fix the errors. Thanks!

The error is that you told Squid to contact the system NAT tables to
find out where the client connection was going (the "intercept" option
on http_port) without having configured any NAT rules, AND when testing
explicit-proxy message syntax with curl.


   intercept	Support for IP-Layer NAT interception delivering
   		traffic to this Squid port.

You do not use NAT, so "intercept" is absolutely the wrong thing to be
configuring. That is why removing it "fixed" the problem.

If you intend the proxy to be an explicit/forward proxy, then removal of
the "intercept" option is your full solution.

If you intend the proxy to be intercepting traffic, then you need to
start there and get the NAT intercept part working _first_. Things that
work for explicit/forward proxy don't work with intercept, and the
reverse. So its just a waste of effort testing irrelevant traffic "modes".


More information about the squid-users mailing list