Browser errors rather than deny pages for HTTPS sites
Why do I see a browser error instead of a deny page for HTTPS sites?
If a web browser is configured to use the proxy explicitly, and the client requests a blocked https:// URL (for example https://facebook.com/), the following steps occur:
- The browser opens a regular plaintext HTTP connection to the proxy and sends a CONNECT facebook.com:443 request, asking the proxy to open an opaque tunnel to Facebook's HTTPS server. The TLS handshake with Facebook only starts once the proxy has accepted the CONNECT.
- LiveStream's filtering engine evaluates the CONNECT request against the client's policy and determines it should be denied.
- Squid answers the CONNECT with an HTTP 403 Forbidden response (recorded as TCP_DENIED in access.log) whose body is the deny page, instead of the "200 Connection established" reply that would open the tunnel.
- The browser, which was waiting for a 2xx reply before starting the TLS handshake with Facebook, instead receives this non-2xx reply. Browsers deliberately refuse to render the body of a failed CONNECT response, so the deny page is discarded and the user sees only a generic message such as "The proxy server is refusing connections" or "The website is temporarily unavailable".
This is a known limitation of all modern web browsers and is not likely to change, because the behaviour is a security measure: if a browser rendered a proxy-supplied body for an https:// URL, any proxy on the path could inject its own content under the padlock and the user could not tell it apart from the real site.
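The exchange above, reproduced end to end as an added example (this is illustrative code, not LiveStream's or Squid's own): a throwaway CONNECT-only proxy on localhost that mimics Squid's 403-with-deny-page reply for a blocked domain, a client that sends the same CONNECT a browser would, and a helper that states what the browser actually shows for each reply. The dstdomain-style block list, the deny page text and the target hostnames are constructed for the example.

```python
import socket
import threading

# Constructed policy: Squid dstdomain-style entries; a leading dot matches the
# domain and all of its subdomains. Not the product's real configuration.
BLOCKED_DOMAINS = [".facebook.com"]

# Constructed deny page the proxy would like the user to see.
DENY_PAGE = "<html><body><h1>Access denied</h1><p>Blocked by policy.</p></body></html>"


def is_blocked(host):
    """Match a host against the dstdomain-style list (case-insensitive)."""
    host = host.lower().rstrip(".")
    for entry in BLOCKED_DOMAINS:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def read_head(sock):
    """Read through the blank line ending an HTTP head; return (head, leftover bytes)."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    head, _, rest = data.partition(b"\r\n\r\n")
    return head.decode("latin-1"), rest


def proxy_handle(conn):
    """Proxy side: answer CONNECT for a blocked host with 403 plus the deny page."""
    with conn:
        head, _ = read_head(conn)
        if not head:
            return
        method, target, _version = head.split("\r\n", 1)[0].split(" ")
        host, _, _port = target.partition(":")
        if method == "CONNECT" and is_blocked(host):
            body = DENY_PAGE.encode()
            conn.sendall(
                b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
                b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body) + body
            )
        else:
            # A real proxy would now connect upstream and relay bytes both ways;
            # the example only needs the status line the browser keys on.
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")


def connect_via_proxy(proxy_port, target_host, target_port=443):
    """Browser side: send CONNECT and return (status, body) of the proxy's reply."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
                  f"Host: {target_host}:{target_port}\r\n\r\n".encode())
        head, body = read_head(s)
        status_line, *header_lines = head.split("\r\n")
        status = int(status_line.split(" ")[1])
        headers = {k.lower(): v for k, v in
                   (h.split(": ", 1) for h in header_lines if ": " in h)}
        length = int(headers.get("content-length", 0))
        while len(body) < length:  # the deny page travels as an ordinary body
            chunk = s.recv(4096)
            if not chunk:
                break
            body += chunk
        return status, body.decode("latin-1")


def browser_view(status):
    """What the user sees: browsers never render the body of a non-2xx CONNECT
    reply (an on-path proxy could otherwise inject content under an https:// URL),
    so anything but 2xx becomes a generic connection error."""
    if 200 <= status < 300:
        return "tunnel up; TLS handshake with the origin follows"
    return "generic error (e.g. 'The proxy server is refusing connections')"


def start_proxy():
    """Run the toy proxy on an ephemeral localhost port; return that port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=proxy_handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def demo(proxy_port):
    """Per constructed target: (proxy status, deny page present in body, what user sees)."""
    results = {}
    for host in ("www.facebook.com", "example.org"):
        status, body = connect_via_proxy(proxy_port, host)
        results[host] = (status, "Access denied" in body, browser_view(status))
    return results


if __name__ == "__main__":
    for host, (status, has_page, seen) in demo(start_proxy()).items():
        print(f"{host}: proxy replied {status}; deny page in body: {has_page}; user sees: {seen}")
```

Against a real Squid the same thing is visible with curl, which unlike a browser reports the CONNECT reply status: curl -v --proxy http://proxy.example:3128 https://www.facebook.com/ shows the 403 that the browser hides, which is the quickest way to confirm that the filter is working and that the blank error is the browser's doing rather than the proxy's.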
Note: This does not affect clients of an intercepting (transparent) proxy whose HTTPS traffic is already being decrypted by the proxy. Because the proxy terminates TLS itself (using a signing CA the client trusts), it can serve the deny page inside the encrypted session; the browser never sends a CONNECT and never sees a failed one.
Further reading: