Exception page not returned when accessing blocked HTTPS website through explicit proxy with latest browser versions



Solution

Overview

If an explicitly proxied client attempts to access an HTTPS website that is blocked based on the content filtering rules that have been applied, the user will get a browser error instead of an exception page.

This behavior has been seen with Firefox 3.0.10 and above and with IE 8. It is believed that the latest version of Opera (as of 29 June 2009) also demonstrates this behavior.

It results from a change made to these browsers to prevent possible "Man in the Middle" attacks: the browser no longer accepts the content of a non-200 HTTP response returned in reply to an HTTP CONNECT request.

The following Mozilla bug documents this change:

https://bugzilla.mozilla.org/show_bug.cgi?id=479880 

Resolution

This is not a Proxy problem.

The following KB article gives a good step-by-step approach to working around this issue. However, it is not possible to work around this issue without an SSL license:

/articles/Solution/GettingHTTPSexceptionpagesworkingusingnewerwebbrowsers

If the preceding KB article does not prove helpful, the following two workarounds, both of which require SSL interception to be enabled, will work in some circumstances.

The first possible solution is:

1. ALLOW all CONNECT requests. Deny anything that isn't SSL (for security).
2. Enable SSL interception on these CONNECT requests.

The second possible solution is to replace any "Deny" actions in the Web Access Layer for HTTPS sites with "Notify User" actions. The "Deny" action returns an exception that uses an HTTP 403 response, which recent browsers reject as discussed above. "Notify User" actions instead use HTTP 200 responses, so browsers accept them and display the message to the client.
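The difference between the two response codes can be checked at the CONNECT stage with a short probe. This is an added example, not code from this article or from the vendor: the stub proxy, the `blocked.example` and `allowed.example` hostnames and all function names are constructed for illustration, and the stub never opens a real tunnel.

```python
import socket
import socketserver
import threading

BLOCKED = {"blocked.example:443"}  # constructed sample policy, not from the article
DENY_PAGE = b"<html><body>Access denied by content filter</body></html>"

class StubProxy(socketserver.StreamRequestHandler):
    """Constructed stand-in for a filtering proxy; it never opens a real tunnel."""
    def handle(self):
        parts = self.rfile.readline().split()
        while self.rfile.readline() not in (b"\r\n", b"\n", b""):
            pass  # drain the request headers
        if len(parts) == 3 and parts[0] == b"CONNECT" and parts[1].decode() not in BLOCKED:
            self.wfile.write(b"HTTP/1.1 200 Connection established\r\n\r\n")
        else:  # "Deny": exception page delivered on the CONNECT response itself
            self.wfile.write(b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
                             b"Content-Length: %d\r\n\r\n%s" % (len(DENY_PAGE), DENY_PAGE))

def start_stub_proxy():
    """Start the stub on a free loopback port; returns the server object."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubProxy)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe_connect(proxy_addr, target, timeout=5):
    """Send CONNECT for target and report how the proxy answered."""
    with socket.create_connection(proxy_addr, timeout=timeout) as sock:
        sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
        reply = sock.makefile("rb")
        status = int(reply.readline().split()[1])
        length = 0
        for line in iter(reply.readline, b""):
            if line in (b"\r\n", b"\n"):
                break
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        tunnel = 200 <= status < 300
        body = b"" if tunnel else reply.read(length)
    # Non-2xx: the browsers named above drop `body` and show their own error page.
    return {"status": status, "tunnel": tunnel, "discarded_page_bytes": len(body)}

if __name__ == "__main__":
    proxy = start_stub_proxy()
    for host in ("blocked.example:443", "allowed.example:443"):
        print(host, probe_connect(proxy.server_address, host))
    proxy.shutdown()
```

Pointing `probe_connect` at a real explicit proxy address shows whether a denied HTTPS site is answered with a 403 on the CONNECT, which is the case where the exception page never reaches the user.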

InQuira Doc Id: KB3787
First Published: 10/01/2014
Last Modified: 10/01/2014
Last Published: 10/01/2014
Product: ProxySG
Software: SGOS 4, SGOS 5
Topic: Content Access, Content Filtering, SSL / HTTPS
Article Number: 000009391