
Respond with 403 in an HTTPS proxy

Tags: proxy, https

I want to block some sites with my proxy by responding with 403. I succeeded with responding in such a way in an HTTP proxy, but when I get the CONNECT method, I respond with:

    HTTP/1.1 403 Forbidden
    Status: 403 Forbidden
    Proxy-agent: smth
    Connection: close

But users still get the ERR_TUNNEL_CONNECTION_FAILED. What can I do to provide users with a nice 403 error?

Nick asked Feb 27 '26 15:02


1 Answer

RFC 2817 does not disallow 4xx codes, and the Draft has the section "4. Extensibility" that states that

"The tunneling handshake is freely extensible using the HTTP/1.x headers;"

But it looks like all browsers decided to just ignore almost every non-2xx code for security reasons.

Here are some bug reports:

  1. https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565641(v=vs.85)

     Internet Explorer 8 has a feature that ensures that the secure connection is made all the way to the target server. If it isn't, then no page is displayed.

  2. https://bugzilla.mozilla.org/show_bug.cgi?id=479880

     I realize that I'm way late to the party here, but [...] this fix is terrible for proxy admins (myself included). Our proxy returns a 403 forbidden for filtered SSL content and an error page about why the content is blocked, and Firefox just drops all of it on the floor

  3. https://bugs.chromium.org/p/chromium/issues/detail?id=7338

So that's the way it is.

x00 answered Mar 02 '26 15:03
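
The exchange this question and answer describe, as an added example that is not part of the original posts: a proxy that answers CONNECT with a well-formed 403 and error page, and a client that models the browser policy of opening the tunnel only on 2xx and discarding the proxy's body, since that body does not come from the TLS-authenticated origin. The blocklist, host names, error page and function names are assumptions constructed for the demo.

```python
import socket
import threading

BLOCKED = {"blocked.example"}                     # constructed blocklist
BLOCK_PAGE = b"<h1>Blocked by proxy policy</h1>"  # constructed error page

def proxy_serve_one(sock):
    """Proxy side: read one request head and answer the CONNECT."""
    head = b""
    while b"\r\n\r\n" not in head:
        chunk = sock.recv(4096)
        if not chunk:
            break
        head += chunk
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    allowed = (len(parts) == 3 and parts[0] == b"CONNECT"
               and parts[1].rsplit(b":", 1)[0].decode("ascii", "replace") not in BLOCKED)
    if allowed:
        # A real proxy would now relay bytes to the target; the demo just stops.
        reply = b"HTTP/1.1 200 Connection established\r\n\r\n"
    else:
        # Each header on its own CRLF-terminated line, blank line, then the body.
        reply = (b"HTTP/1.1 403 Forbidden\r\n"
                 b"Content-Type: text/html\r\n"
                 b"Content-Length: %d\r\n"
                 b"Connection: close\r\n\r\n" % len(BLOCK_PAGE)) + BLOCK_PAGE
    sock.sendall(reply)
    sock.close()

def client_connect(target):
    """Client side, modelling the browser policy: only 2xx opens the tunnel."""
    client, proxy = socket.socketpair()
    worker = threading.Thread(target=proxy_serve_one, args=(proxy,))
    worker.start()
    client.sendall(b"CONNECT %b HTTP/1.1\r\nHost: %b\r\n\r\n" % (target, target))
    raw = b""
    while chunk := client.recv(4096):
        raw += chunk
    worker.join()
    client.close()
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    if 200 <= status < 300:
        return {"tunnel": True, "status": status, "shown": None, "discarded": 0}
    # The body came from the proxy, not the TLS-authenticated origin: drop it.
    return {"tunnel": False, "status": status,
            "shown": "ERR_TUNNEL_CONNECTION_FAILED", "discarded": len(body)}

if __name__ == "__main__":
    for t in (b"allowed.example:443", b"blocked.example:443"):
        print(t.decode(), client_connect(t))
```

The 403 and its status code reach the client intact; only the error page is dropped, which is why the user sees a generic tunnel failure instead of the proxy's explanation.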