Browser errors rather than deny pages for HTTPS sites

Why do I see a browser error instead of a deny page for HTTPS sites?

If a web browser is configured to use the proxy explicitly and the client requests a blocked https:// URL (for example, https://facebook.com/), the following steps occur:

  1. The browser establishes a regular HTTP connection with the proxy and sends a CONNECT facebook.com:443 request to establish a secure tunnel between the client and Facebook's secure web server.

  2. LiveStream's filtering engine evaluates the CONNECT request against the client's policy and determines it should be denied.

  3. Squid sends a TCP_DENIED response back to the client's web browser.

  4. The browser, expecting to receive an SSL handshake from Facebook, instead receives an unexpected sequence of bytes (the TCP_DENIED response) and displays a generic “The proxy is refusing connections” or “The website is temporarily unavailable” message to the client.

This is a known limitation of all modern web browsers, and it is not likely to change because of the perceived security advantages.
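The exchange in steps 1 to 4, as an added example that is not part of the original article or of the product's own code: a loopback stand-in for the proxy answers a CONNECT for a blocked host, and the client side reports what actually arrives. The 403 status line, the HTML deny body and the names `proxy_side`, `client_view`, `BLOCKED` and `DENY_BODY` are assumptions for illustration; the article only names the response as TCP_DENIED.

```python
import socket
import threading

# Constructed deny page and policy; a real proxy's wording and rules will differ.
DENY_BODY = b"<html><body>Access to this site is blocked by policy.</body></html>"
BLOCKED = {"facebook.com"}


def proxy_side(conn):
    """Answer one CONNECT the way a filtering explicit proxy would (assumed 403)."""
    request = b""
    while b"\r\n\r\n" not in request and (chunk := conn.recv(4096)):
        request += chunk
    method, target, _ = request.split(b"\r\n")[0].split(b" ", 2)
    host = target.decode().rsplit(":", 1)[0]
    if method == b"CONNECT" and host in BLOCKED:
        head = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
                b"Content-Length: %d\r\n\r\n" % len(DENY_BODY))
        conn.sendall(head + DENY_BODY)   # cleartext reply on the proxy hop
    else:
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    conn.close()


def client_view(target):
    """Send CONNECT for target (bytes, host:port) and describe the proxy's reply."""
    client, proxy = socket.socketpair()
    worker = threading.Thread(target=proxy_side, args=(proxy,))
    worker.start()
    client.sendall(b"CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, target))
    reply = b""
    while chunk := client.recv(4096):
        reply += chunk
    worker.join()
    client.close()
    head, _, body = reply.partition(b"\r\n\r\n")
    status = int(head.split(b" ")[1])
    return {
        "status": status,
        "tunnel_open": 200 <= status < 300,  # only a 2xx reply starts the tunnel
        "body_is_tls": body[:1] == b"\x16",  # 0x16 = TLS handshake record type
        "deny_page_bytes": len(body),
    }


if __name__ == "__main__":
    print(client_view(b"facebook.com:443"))
```

The deny page does reach the client, but as a cleartext reply from the proxy rather than as content delivered inside a TLS session with the requested site, so the browser shows its own error instead of rendering it.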

Note: This does not affect intercepting (transparent) proxy clients which already have their HTTPS traffic decrypted by the proxy, leaving the browser unaware of what's occurring.

Further reading: