On 29/01/11 02:02, Jason Doran wrote:
RHEL6
squid-3.1.4-1.el6.x86_64
kernel 2.6.32-71.14.1.el6.x86_64

Hi,

I suspect this is not possible, but I thought I would ask anyway. I have:

acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports


When a user tries a CONNECT to !SSL_ports, the error in the browser is
something like:

The proxy server is refusing connections

I have tried to put in a deny_info directive to perhaps give a more
meaningful error to the user to say that this port is
not allowed. I have deny_info working for other acls. Is it possible to
give a custom error message with the CONNECT acl/method?

Regards,
Jason Doran
National University of Ireland, Maynooth


It is both possible and not possible.

No...

Modern browsers have been targeted with attacks sent in the body of such rejection replies. So they now reject any body data we send.

HTTP 302 status code is also very problematic with CONNECT due to its handling by browsers. They often drop it as an error to prevent themselves trouble.


Yes...

In order to get anything useful to happen the deny_info must perform a URL redirect with a 307 status code. And the browser must support correct RFC 2616 handling of that status code.

Support for 307 has been added to 3.1 since the last formal package. So you will need to build one of the recent 3.1 daily update bundles.

As of this writing Firefox or Iceweasel are the only known browsers to handle this correctly.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
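
A squid.conf fragment showing the 307 redirect form of deny_info that Amos describes, added here as an illustration; it is not code from the thread or from the Squid project's own documentation. It assumes a 3.1 build recent enough to accept the `deny_info 3xx:URL acl` syntax, and the host `proxy.example.org` and the page name are placeholders. The http_access line is reordered because Squid selects the deny_info entry by the last ACL it evaluated on the line that issued the deny.

```squid
# Added example (not from the thread). Requires a Squid 3.1 build that accepts
# the "deny_info 3xx:URL acl" form; proxy.example.org and the page are placeholders.
acl SSL_ports port 443
acl CONNECT method CONNECT

# Rule as originally posted: the browser sees only a bare refusal, and any
# error body Squid attaches to the rejection is discarded by modern browsers.
# http_access deny CONNECT !SSL_ports

# Send a 307 redirect instead of an error body. deny_info is keyed on the last
# ACL evaluated on the denying http_access line, so CONNECT is placed last.
deny_info 307:http://proxy.example.org/blocked-port.html CONNECT
http_access deny !SSL_ports CONNECT
```

Check the syntax with `squid -k parse` before reloading; if the build is too old for the `3xx:URL` form, that check fails on the deny_info line. Per the reply above, expect only Firefox (or Iceweasel) to actually follow the redirect.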
