
Safari ignores Squid blocking rules for https sites

Hi,


I'm using a Squid proxy server within my network. I'm trying to protect my family from several dangerous sites by blocking them with the proxy. I recently discovered that Safari is ignoring the blocking rules I set by loading the site through HTTPS even when it's receiving a 403 error.


Within my squid.conf I defined the ACL


acl forbidden_domains dstdomain "/etc/squid/forbidden_domains.acl"


to deny connections to domains mentioned within the forbidden_domains.acl file by using


http_access deny CONNECT forbidden_domains


The forbidden_domains.acl file contains lines like


.thisisanotallowed.com


My problem is that when I connect to a forbidden domain by using SSL (HTTPS), Safari is receiving the message


TCP_DENIED/403 CONNECT


from the proxy but it continues to load the site.


I don't understand why. Our firewall only allows the proxy server to establish connections on port 80 and 443. No other Mac is allowed to access the net on these ports directly.


I thought it could be a configuration issue, so I tried other browsers. But Firefox worked like it should by not loading the site. In OS X the HTTPS proxy setting is set correctly. The proxy server works fine; only Safari is breaking through its blocking rules somehow.


Unfortunately we don't want to use other browsers than Safari (if it could be avoided!) ... is there a way to get Safari to obey the proxy blocking rules?


I've been working on this for a while now. I really need help on this!!!


Thank you 😉

MacBook Pro, OS X Mountain Lion (10.8.4), Safari SSL HTTPS Squid Proxy

Posted on Jun 5, 2013 12:17 PM

6 replies

Jun 6, 2013 12:57 AM in response to Linc Davis

Hmm. But why is it working with Firefox? Also, I tested it with my iPhone and iPad. Both cannot connect to the forbidden sites using HTTPS. I can see the 403 messages within the access log of Squid. I think that Safari for OS X is tunneling the HTTPS connections through the proxy. In that case Squid cannot filter the encrypted connection.


Assuming that is correct:


- How can I disable SSL tunneling in Safari (if possible)

- Or how can I set up Squid to block SSL tunneling
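
One way to check from the Squid side what the posts above describe, as an added example that is not part of the original thread: it applies dstdomain-style matching to the CONNECT entries in access.log and separates the ones Squid denied from the ones it let through. The log lines, client addresses and the assumption of Squid's native log format are constructed for illustration.

```python
import re

# Constructed stand-in for forbidden_domains.acl (the post shows one entry).
ACL_ENTRIES = [".thisisanotallowed.com"]

# Constructed access.log lines, assuming Squid's native log format.
SAMPLE_LOG = """\
1370427420.101     12 192.168.1.20 TCP_DENIED/403 3620 CONNECT www.thisisanotallowed.com:443 - NONE/- text/html
1370427425.515    950 192.168.1.20 TCP_MISS/200 48211 CONNECT www.example.org:443 - DIRECT/198.51.100.10 -
1370427431.002     10 192.168.1.21 TCP_DENIED/403 3620 CONNECT thisisanotallowed.com:443 - NONE/- text/html
1370427440.730   1200 192.168.1.22 TCP_MISS/200 5120 CONNECT cdn.thisisanotallowed.com:443 - DIRECT/203.0.113.7 -
"""

# timestamp elapsed client result/status bytes CONNECT host:port ...
CONNECT_LINE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+(?P<result>\w+)/\d{3}\s+\d+\s+"
    r"CONNECT\s+(?P<host>[^\s:]+):\d+\s"
)

def dstdomain_match(host, entries):
    """dstdomain semantics: '.example.com' covers the domain and its subdomains."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def audit_connects(log_text, entries):
    """Split CONNECTs to forbidden domains into denied and passed-by-Squid."""
    denied, passed = [], []
    for line in log_text.splitlines():
        m = CONNECT_LINE.match(line)
        if not m or not dstdomain_match(m["host"], entries):
            continue
        record = (m["client"], m["host"])
        (denied if m["result"] == "TCP_DENIED" else passed).append(record)
    return denied, passed

if __name__ == "__main__":
    denied, passed = audit_connects(SAMPLE_LOG, ACL_ENTRIES)
    print("denied by Squid:", denied)
    print("tunnelled through Squid:", passed)
```

An entry in the second list means the deny rule did not apply to that request, for example because an earlier http_access line matched first. If a forbidden site loads while only denials are logged for that client, the page content did not arrive through this proxy.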
