<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
<div>Please note that if you first let the CONNECT tunnel succeed (forcing bump) and then block the next request coming through that tunnel, you will get the blocked message displayed.</div>
<div id="AppleMailSignature"><br>
</div>
<div id="AppleMailSignature">We do it in ICAP (<a href="https://docs.diladele.com/faq/squid/cannot_connect_to_site_using_https.html">https://docs.diladele.com/faq/squid/cannot_connect_to_site_using_https.html</a>) - other community members may know better if
 it is possible to do that in Squid directly.</div>
<div id="AppleMailSignature"><br>
</div>
<div id="AppleMailSignature">Beware of those using your tunnels to pump non-HTTP traffic though. Blocking the CONNECT as it is done now in Squid keeps you on the safe side.<br>
<br>
Best regards,
<div>Rafael Akchurin</div>
</div>
<div><br>
On 17 May 2017, at 4:04 PM, Amos Jeffries &lt;<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>&gt; wrote:<br>
<br>
</div>
<blockquote type="cite">
<div><span>On 17/05/17 23:32, chcs wrote:</span><br>
<blockquote type="cite"><span>Firefox 53.0.2, Chrome 58.3029 and Opera 44 display "Proxy Server Refused</span><br>
</blockquote>
<blockquote type="cite"><span>Connection" page, instead of Squid custom error page, when connect to HTTPS</span><br>
</blockquote>
<blockquote type="cite"><span>site which blocked by proxy server.</span><br>
</blockquote>
<blockquote type="cite"><span>For example we try to connect to <a href="https://www.something.com">
https://www.something.com</a> via Squid proxy</span><br>
</blockquote>
<blockquote type="cite"><span>server which denied with 403 error this connect and send custom error page</span><br>
</blockquote>
<blockquote type="cite"><span>with description of problem in older versions it's worked.</span><br>
</blockquote>
<blockquote type="cite"><span>I'm using pfSense 2.4 (actual version squid 3.5.24).</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>Reproducible: Always</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>Steps to Reproduce:</span><br>
</blockquote>
<blockquote type="cite"><span>1. Configure Firefox to use proxy server (SSL Proxy).</span><br>
</blockquote>
<blockquote type="cite"><span>2. HTTPS/SSL Interception , Enable SSL filtering, splice all, CA: Let's</span><br>
</blockquote>
<blockquote type="cite"><span>Encrypt authority</span><br>
</blockquote>
<blockquote type="cite"><span>3. Try to connect to HTTPS site, which will be blocked by proxy server</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>Actual Results:</span><br>
</blockquote>
<blockquote type="cite"><span>Firefox will display "Page Load Error" with description "Proxy Server</span><br>
</blockquote>
<blockquote type="cite"><span>Refused Connection. Firefox is configured to use a proxy server that is</span><br>
</blockquote>
<blockquote type="cite"><span>refusing connections."</span><br>
</blockquote>
<blockquote type="cite"><span>If we connect to HTTPS site which not blocked by proxy server OR using CA</span><br>
</blockquote>
<blockquote type="cite"><span>self-signed issuer , all works fine.</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>Expected Results:</span><br>
</blockquote>
<blockquote type="cite"><span>Display proxy server error page with deny info.</span><br>
</blockquote>
<span></span><br>
<span>This is a well-known problem with Browsers, they all refuse to display any response to a CONNECT tunnel message.</span><br>
<span>&lt;<a href="http://wiki.squid-cache.org/Features/CustomErrors#Custom_error_pages_not_displayed_for_HTTPS">http://wiki.squid-cache.org/Features/CustomErrors#Custom_error_pages_not_displayed_for_HTTPS</a>&gt;</span><br>
<span></span><br>
<span>Use of TLS to secure the connection to the proxy does not affect this browser behaviour on HTTPS traffic. The best you can hope for is to make Squid use a 511 status code with deny_info and hope that it chooses to display something halfway useful.</span><br>
<span></span><br>
<span>Amos</span><br>
<span></span><br>
</div>
</blockquote>
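<div>Added example, not part of the original thread and not Squid code: a small Python probe that sends the same CONNECT a browser would and returns the denied response (status, headers and error-page body) as it arrives on the wire, which is the part browsers decline to render. The loopback stub proxy and its 403 response are constructed so the script runs offline; pointing <code>probe_connect</code> at a real proxy address to see what <code>deny_info</code> returns is an assumed use.</div>

```python
import socket
import threading

# Constructed sample: what a proxy might send when it denies a CONNECT.
DENY_BODY = b"Access to this site is blocked by proxy policy.\n"
DENY_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(DENY_BODY)).encode() + b"\r\n"
    b"Connection: close\r\n\r\n" + DENY_BODY
)

def start_stub_proxy():
    """Loopback stand-in for the proxy: denies one CONNECT with an error page."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr = srv.getsockname()
    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while b"\r\n\r\n" not in buf:      # read the CONNECT request head
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            conn.sendall(DENY_RESPONSE)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return addr

def probe_connect(proxy_addr, target="www.something.com:443", timeout=5.0):
    """Send CONNECT as a browser would; return (status, headers, body)."""
    raw = b""
    with socket.create_connection(proxy_addr, timeout=timeout) as s:
        s.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
        try:
            while chunk := s.recv(4096):       # until the proxy closes
                raw += chunk
        except socket.timeout:                 # tunnel stayed open (CONNECT allowed)
            pass
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return status, headers, body

if __name__ == "__main__":
    status, headers, body = probe_connect(start_stub_proxy())
    print(status, headers.get("Content-Type"), len(body), "body bytes on the wire")
```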
</body>
</html>