Exception page not returned when accessing blocked HTTPS website through explicit proxy with latest browser versions




If an explicitly proxied client attempts to access an HTTPS website that is blocked based on the content filtering rules that have been applied, the user will get a browser error instead of an exception page.

This behavior has been seen with Firefox 3.0.10 and above and with IE 8.  It is believed that the latest version of Opera (as of 29 June 2009) also demonstrates this behavior. 

It results from a change made to browsers to prevent possible "Man in the Middle" attacks when a non-200 HTTP response is returned in response to an HTTP CONNECT.

The following Mozilla bug documents this change:



This is not due to a bug or a misconfigured ProxySG.

The following article gives a good step-by-step approach to working around this issue. However, the workaround is not possible without an SSL license:

Getting HTTPS exception pages working using newer web browsers

If the preceding article does not prove helpful, then the following two workarounds, which require SSL interception to be enabled, will work in some circumstances:

The first possible solution, which requires enabling SSL interception, is:

  1. ALLOW all CONNECT requests. Deny anything that isn't SSL (for security).
  2. Enable SSL interception on these CONNECT requests.

The second possible solution, which also requires enabling SSL interception, is to replace any "Deny" actions in the Web Access Layer for HTTPS sites with "Notify User" actions. The "Deny" action returns an exception that uses an HTTP 403 response, which recent browsers reject as discussed above. "Notify User" actions instead use HTTP 200 responses, so browsers accept them and display the message to the client.
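The browser-side decision described above can be modelled in a few lines. This is an added example, not ProxySG or browser code: the function name, the sample replies and the 407 case (standard proxy-authentication handling, which the article does not discuss) are assumptions made for illustration.

```python
# Added illustration: models the browser-side handling of a proxy's reply to CONNECT.
# The sample replies are constructed, not captured from a ProxySG.
from typing import NamedTuple


class ConnectOutcome(NamedTuple):
    status: int
    tunnel: bool           # True when the browser goes on to the TLS handshake
    discarded_bytes: int   # size of the proxy-supplied body the user never sees
    user_sees: str


def classify_connect_reply(raw: bytes) -> ConnectOutcome:
    """Classify a proxy's raw reply to an HTTP CONNECT request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    status = int(parts[1])
    if status == 200:
        # Tunnel established: bytes after the header belong to the TLS session.
        return ConnectOutcome(status, True, 0, "TLS handshake through the tunnel")
    if status == 407:
        # The authentication challenge is acted on; its body is still not rendered.
        return ConnectOutcome(status, False, len(body), "proxy authentication prompt")
    # Any other non-200 reply arrives before TLS, so it cannot be attributed to the
    # https:// origin; the browser drops the body and shows its own error.
    return ConnectOutcome(status, False, len(body), "browser connection error")


DENY_BODY = b"<html><body>Access Denied</body></html>"
SAMPLES = {
    "deny": b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n" + DENY_BODY,
    "tunnel": b"HTTP/1.1 200 Connection established\r\n\r\n",
    "auth": b"HTTP/1.1 407 Proxy Authentication Required\r\n"
            b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_connect_reply(raw))
```

The "deny" sample shows why the exception page is lost: the proxy sends the page, but every byte of it is discarded before the user sees anything.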

Additional Information
Bug Number
InQuira Doc Id      KB3787

First Published      10/01/2014
Last Modified      04/25/2016
Last Published      10/01/2014
Article Audience
Product      ProxySG
Software      SGOS 4, SGOS 5, SGOS 6
Topic      Content Access, Content Filtering, SSL / HTTPS
Article Number      000009391
Summary      Due to changes in default browser behavior ProxySG no longer returns a denied exception page if SSL interception is not enabled