[squid-users] deny_info page not shown

Janos Dohanics web at 3dresearch.com
Fri Aug 28 06:22:54 UTC 2020 

On Fri, 28 Aug 2020 17:08:01 +1200
Amos Jeffries <squid3 at treenet.co.nz> wrote:

> [...]

Amos,

thank you for the quick reply.

> > deny_info http://google.com custom
> 
> Asks Squid to perform a URL-redirect to http://google.com instead of
> delivering error pages when ACL "deny custom" happens.
> 
> 
> > http_reply_access deny custom
> 
> ... denies Squid permission to deliver your custom URL-redirect to the
> client.

I have removed the http_reply_access... line.

> > 
> > Would you please point out the problem?
> 
> 
> Two problems. The one mentioned above.
> 
> Plus the fact that Browsers refuse to display or do anything for
> non-200 status responses to CONNECT tunnels. Whenever Browsers access
> https:// URLs through the proxy they use CONNECT tunnels.

I tried different browsers:

-Firefox79/FreeBSD12: no redirect
-Firefox80/Windows7:  no redirect
-Explorer11/Windows7: sometimes does redirect, sometimes doesn't
-Chrome84/Windows7:   sometimes does redirect, sometimes doesn't

>From the log (10.61.70.68=Win7, 10.61.70.200=FreeBSD):

1598593892.883    342 10.61.70.68 TCP_DENIED/307 403 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598593917.883      0 10.61.70.68 TCP_DENIED/307 403 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598593953.145  61038 10.61.70.68 TCP_TUNNEL/200 4768 CONNECT netflix.com:443 - HIER_DIRECT/34.198.43.9 -
1598593965.273    167 10.61.70.68 TCP_MISS/301 992 GET http://netflix.com/ - HIER_DIRECT/34.198.43.9 -
1598593966.352      0 10.61.70.68 TCP_DENIED/302 390 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598593978.145  60456 10.61.70.68 TCP_TUNNEL/200 4768 CONNECT netflix.com:443 - HIER_DIRECT/34.198.43.9 -
1598593998.290  32918 10.61.70.68 TCP_TUNNEL/200 4610 CONNECT netflix.com:443 - HIER_DIRECT/34.198.43.9 -
1598594045.752      0 10.61.70.68 TCP_DENIED/302 390 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598594086.507  41199 10.61.70.68 TCP_TUNNEL/200 4610 CONNECT netflix.com:443 - HIER_DIRECT/34.198.43.9 -
1598594166.954      0 10.61.70.68 TCP_DENIED/307 403 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598594449.238      0 10.61.70.68 TCP_DENIED/302 390 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598594475.705      0 10.61.70.68 TCP_DENIED/302 390 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598594523.052  47644 10.61.70.68 TCP_TUNNEL/200 4610 CONNECT netflix.com:443 - HIER_DIRECT/34.198.43.9 -

1598595287.510      0 10.61.70.200 TCP_DENIED/307 403 CONNECT www.netflix.com:443 - HIER_NONE/- text/html

I think the TCP_DENIED/307 entries are from Firefox.

Is there a way to have deny_info instruct browsers to reliably display
the desired URL/page?

More information about the squid-users mailing list