Exception page not returned when accessing blocked HTTPS website through explicit proxy with latest browser versions

Solutions ID:    KB3787
Version:    4.0
Status:    Published
Published date:    05/06/2010
Updated:    02/12/2014
 

Problem Description

If an explicitly proxied client attempts to access an HTTPS website that is blocked based on the content filtering rules that have been applied, the user will get a browser error instead of an exception page.

This behavior has been seen with Firefox 3.0.10 and above and with IE 8. It is believed that the latest version of Opera (as of 29 June 2009) also demonstrates this behavior.

It results from a change made to the browsers to prevent possible "Man in the Middle" attacks: when a non-200 HTTP response is returned in response to an HTTP CONNECT, the browser no longer displays that response and shows its own error instead.

The following Mozilla bug documents this change:

https://bugzilla.mozilla.org/show_bug.cgi?id=479880 

Resolution

This is not a Proxy problem.

The following KB article gives a good step-by-step approach to working around this issue. However, it is not possible to work around this issue without an SSL license:

https://kb.bluecoat.com/index?page=content&id=KB3866

If the preceding KB article does not prove helpful, then the following two workarounds, which require SSL interception to be enabled, will work in some circumstances:

The first possible solution, which requires enabling SSL interception, is:

1. ALLOW all CONNECT requests. Deny anything that isn't SSL (for security).
2. Enable SSL interception on these CONNECT requests.

The second possible solution, which also requires enabling SSL interception, is to replace any "Deny" actions in the Web Access Layer for HTTPS sites with "Notify User" actions. The "Deny" action returns an exception that uses an HTTP 403 response, which recent browsers reject as discussed above. "Notify User" actions use HTTP 200 responses instead, so browsers accept them and display the message to the client.
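To confirm which case a given policy produces, the added diagnostic below (not part of the original article and not vendor code) sends a CONNECT to an explicit proxy and reports whether the reply opens a tunnel or will be replaced by the browser's own error. The function names, the sample replies and the proxy address in the comment are assumptions constructed for illustration.

```python
import socket

# Constructed sample replies to "CONNECT blocked.example:443" (not captured traffic).
DENY_REPLY = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
              b"<html>Access denied by content filter</html>")
TUNNEL_REPLY = b"HTTP/1.1 200 Connection established\r\n\r\n"


def classify_connect_reply(raw: bytes) -> dict:
    """Parse a proxy's reply to CONNECT and predict what the user will see."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    status = int(parts[1])
    if status == 200:
        # Tunnel is open: everything after this is TLS, so a block page can
        # only reach the user from inside the session (SSL interception).
        outcome = "tunnel established"
    else:
        # Browsers with the change described above ignore the body of a
        # non-200 CONNECT reply and show their own error page instead.
        outcome = "browser error page"
    return {"status": status, "outcome": outcome, "body_bytes_seen": len(body)}


def probe(proxy_host: str, proxy_port: int, target: str, timeout: float = 5.0) -> dict:
    """Send CONNECT for target ("host:443") to an explicit proxy and classify the reply."""
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")
    raw = b""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in raw:  # read up to the end of the headers
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_connect_reply(raw)


if __name__ == "__main__":
    for name, reply in (("deny", DENY_REPLY), ("tunnel", TUNNEL_REPLY)):
        print(name, classify_connect_reply(reply))
    # Against a real proxy (address is a placeholder):
    # print(probe("proxy.example.internal", 8080, "blocked.example:443"))
```

A 403 result for a blocked HTTPS site means users will see the browser error described in this article; a 200 result means the block message has to be delivered inside the intercepted SSL session.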