Browser errors rather than deny pages for HTTPS sites
If a web browser is configured to use the proxy explicitly, and the client requests a blocked https:// URL (for the following steps occur:
The browser establishes a regular HTTP connection with the proxy and sends a CONNECT facebook.com:443 request to establish a secure tunnel between the client and Facebook's secure web server.
LiveStream's filtering engine evaluates the CONNECT request against the client's policy and determines it should be denied.
Squid responds with a TCP_DENIED message to the client's web browser.
The browser, expecting to receive an SSL handshake from Facebook, instead receives an unexpected sequence of bytes (the TCP_DENIED response) and displays a generic “The proxy is refusing connections” / “The website is temporarily unavailable” message to the client.
This is a known limitation of all modern web browsers, and it is not likely to change due to the perceived security advantages.
Note: This does not affect intercepting (transparent) proxy clients which already have their HTTPS traffic decrypted by the proxy, leaving the browser unaware of what's occurring.
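The exchange described above can be reproduced locally to see what the browser actually receives. This is an added example, not code from LiveStream or Squid; it assumes the denial reaches the client as an HTTP 403 reply to the CONNECT request, and the deny page text and function names are constructed for illustration.

```python
import socket
import threading

# Constructed deny page; a real proxy's block page would differ.
DENY_PAGE = b"<html><body>Access denied by policy</body></html>"

def proxy_side(conn):
    """Read one CONNECT request and refuse it instead of opening a tunnel."""
    with conn:
        request = b""
        while b"\r\n\r\n" not in request:
            chunk = conn.recv(4096)
            if not chunk:
                return
            request += chunk
        # Assumption: the denial is delivered as a 403 carrying an HTML body.
        conn.sendall(
            b"HTTP/1.1 403 Forbidden\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: %d\r\n"
            b"Connection: close\r\n\r\n" % len(DENY_PAGE) + DENY_PAGE
        )

def client_side(conn, target):
    """Ask for a tunnel as an explicitly configured browser would."""
    with conn:
        conn.settimeout(5)
        conn.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
        reply = b""
        while chunk := conn.recv(4096):
            reply += chunk
    head, _, body = reply.partition(b"\r\n\r\n")
    status = int(head.split(b"\r\n", 1)[0].split()[1])
    return status, body

def run_exchange(target="facebook.com:443"):
    """Run both ends over a local socket pair; nothing leaves the machine."""
    browser, proxy = socket.socketpair()
    worker = threading.Thread(target=proxy_side, args=(proxy,))
    worker.start()
    status, body = client_side(browser, target)
    worker.join()
    # Only a 2xx reply to CONNECT opens the tunnel and lets the handshake begin.
    return {"status": status, "tunnel_open": 200 <= status < 300,
            "deny_page_received": body == DENY_PAGE}

if __name__ == "__main__":
    print(run_exchange())
```

The deny page bytes do arrive, but because the tunnel was never opened the browser has no secure context in which to show them. When troubleshooting, the status of the CONNECT reply is what separates a policy block from a proxy outage.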