Custom Error Page (deny_info) for HTTPS


I have the following ACLs in my squid.conf, with a custom "error page" file called ERR_TJS located at "/usr/share/squid/errors/English":

acl tjs_sites url_regex "/etc/squid/sites_regex.acl"
acl tjs_domains dstdomain "/etc/squid/domains.acl"
http_access deny tjs_sites
http_access deny tjs_domains
deny_info ERR_TJS tjs_sites
deny_info ERR_TJS tjs_domains

Specifically for the ACL file "/etc/squid/domains.acl", I have the following domains:

flyordie.com
www.flyordie.com
king.com
www.king.com
miniclip.com
www.miniclip.com
kongregate.com
www.kongregate.com
clashroyale.com
www.clashroyale.com
facebook.com
www.facebook.com
instagram.com
www.instagram.com
snapchat.com
www.snapchat.com

The problem is that when an HTTPS request is made through Squid, instead of showing the custom error page for "https://www.facebook.com", for example, it shows a generic error page from the browser, like this one from Mozilla Firefox:

The proxy server is refusing connections

Firefox is configured to use a proxy server that is refusing connections.

Check the proxy settings to make sure that they are correct.
Contact your network administrator to make sure the proxy server is working.

I found this information at Squid Documentation:

Custom error pages not displayed for HTTPS

HTTPS uses HTTP CONNECT messages to relay through a proxy. Due to browser behaviour handling these CONNECT messages (described in https://bugzilla.mozilla.org/show_bug.cgi?id=479880) any custom error page produced by the proxy is ignored and a generic browser page displayed instead.

Usually this browser page mentions connection failure or other such irrelevant details.

In fact any response other than 200 OK is completely dropped by the browser and the same browser template page displayed. This can lead to some very weird authentication problems when using HTTPS through an authenticated proxy as well for authentication schemes where the 407 message body has relevance.

I heard that with Squid you can intercept some "states" of HTTP/HTTPS connections, like handling these CONNECT messages.

My questions are: is there any way to apply a custom deny_info like the one I have to HTTPS requests, maybe by manipulating these CONNECT messages, or via any other method? And how can I achieve this (with an example, please)?

Best Answer

When a browser is configured to use the proxy for HTTPS, it first tries to establish a CONNECT tunnel through the proxy to the remote site. Any HTTP response from the proxy other than "200 Tunnel Ready" is ignored and results in the "Proxy refusing connection" error. This can be fixed by first decrypting the connection and then denying access to it as you configured. Please see the article at https://docs.diladele.com/faq/squid/cannot_connect_to_site_using_https.html, which describes this in more detail.
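The following squid.conf fragment is an added example of the approach the answer describes (SSL Bump: let the CONNECT tunnel succeed, decrypt it, then deny the request inside it so Squid can return ERR_TJS as an ordinary 403). It is not code from the original post, from the answerer, or from the diladele article. It reuses the asker's ACL names and files; the port, the CA certificate path (/etc/squid/bump_ca.pem), the certificate database path, and the security_file_certgen helper path are assumptions and correspond to Squid 4 directive names (Squid 3.5 uses ssl_crtd instead of security_file_certgen).

```conf
# --- Added example, not from the original post. Squid 4 syntax; paths are assumed. ---

# 1. Accept CONNECT on the normal proxy port and let SslBump decrypt it.
#    The CA in /etc/squid/bump_ca.pem (assumed path) MUST be installed as a
#    trusted root in every browser, or every bumped site gets a certificate error.
http_port 3128 ssl-bump \
    cert=/etc/squid/bump_ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# 2. The asker's ACLs, unchanged, plus two helpers.
acl tjs_sites   url_regex "/etc/squid/sites_regex.acl"
acl tjs_domains dstdomain "/etc/squid/domains.acl"
acl CONNECT     method CONNECT
acl SSL_ports   port 443

# 3. Never deny the CONNECT itself: a non-200 reply to CONNECT is exactly what
#    the browser discards. Allow the tunnel, then deny the decrypted GET/POST
#    inside it. That denial is a normal HTTP 403 and carries the ERR_TJS body.
#    deny_info keys on the LAST acl of the matching http_access line, so the
#    "!CONNECT" term goes first.
http_access allow CONNECT SSL_ports
http_access deny !CONNECT tjs_sites
http_access deny !CONNECT tjs_domains
deny_info ERR_TJS tjs_sites
deny_info ERR_TJS tjs_domains

# 4. Decrypt only the blocked domains and splice everything else through
#    untouched. Step 1 sees the CONNECT target, step 2 sees the TLS ClientHello
#    (SNI), which is when Squid decides to bump with a generated certificate.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump tjs_domains
ssl_bump splice all
```

Two checks worth doing after reloading: `curl -x http://proxy:3128 -v https://www.facebook.com/` should now show a 200 to the CONNECT followed by a 403 whose body is ERR_TJS (with `--cacert` pointing at the bump CA), and `grep TCP_DENIED /var/log/squid/access.log` should list the decrypted `GET https://www.facebook.com/` rather than the CONNECT. Keep the bumped set as small as the domain list; sites that pin certificates (some mobile apps, for example) will still fail inside the tunnel regardless of the installed CA.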
