asa
just joined
Topic Author
Posts: 22
Joined: Tue Jul 02, 2013 11:38 am

Timeout instead of proxy error page when using https

Tue Jan 07, 2014 1:43 pm

I've enabled the proxy on my RB2011 and added some sites to the deny list with a simple rule: /ip proxy access add dst-host=*some.site action=deny
These sites can be accessed by http as well as https (facebook for example).
When I try to access them by http, the proxy shows me an error page (access denied), but when I change the protocol to https it shows nothing and the browser waits until the connection is dropped by timeout. It's especially strange because the proxy counts hits on the block rule correctly for both protocols.
 
marypoppins
newbie
Posts: 30
Joined: Wed Nov 27, 2019 3:38 pm

Re: Timeout instead of proxy error page when using https

Tue Jul 28, 2020 5:34 pm

Hi,

Is it solved finally? I have the same problem in 2020.... :|
thank you
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Timeout instead of proxy error page when using https

Wed Jul 29, 2020 2:29 pm

You can't forge the HTTPS certificate of the visited site, so you will never be able to show an error.
 
marypoppins
newbie
Posts: 30
Joined: Wed Nov 27, 2019 3:38 pm

Re: Timeout instead of proxy error page when using https

Mon Aug 03, 2020 2:29 pm

> You can't forge the HTTPS certificate of the visited site, so you will never be able to show an error.

Thank you for the answer.

So you cannot deny a http site without waiting for the timeout?

I don't understand why it should present any certificate of the "visited site", when in reality that site is DENIED in the proxy rules (as it appears in the log)?
In the log I can see for example: CONNECT shavar.services.mozilla.com:443 action=deny, so I think the proxy should ignore this connect method.

In my mind it should work like this (but maybe I'm wrong):
- Client to proxy: please do a method CONNECT x.y:443
- Proxy: hmm, x.y is in my deny list, so my answer is: hey dude, it is forbidden for you!
- Client to proxy: omg... should show something to the user (and not wait for any timeout!).

While with a separate squid proxy it works and the browser immediately shows "The proxy server is refusing connection", with my mikrotik (updated version, ccr1036 and rb750) the browser just waits for a response from the denied site.

I captured the proxy's answer, and I found the following differences:
- in the case of squid, the tcp payload carries not only the html headers, but also an html formatted message body,
- while in the case of mikrotik, the answer tcp packet payload only includes the html headers without a message body.
However, both cases carry the "forbidden 403" answer in the headers!

Is it really only my problem? Is there anybody who denies some https pages and receives a fast deny response in his/her browser?

thank you very much
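
The capture comparison in the post above turns on whether a 403 reply to CONNECT tells the client where it ends. The following is an added example, not code from the thread, MikroTik or Squid: it classifies a raw proxy reply by the HTTP/1.1 message-length rules. The function name and all sample replies are constructed for illustration; the thread does not show the actual RouterOS or Squid headers.

```python
# Added example: how an HTTP/1.1 client must delimit a proxy's reply to CONNECT.
# All sample replies are constructed; they are not captures from Squid or RouterOS.

def classify_connect_reply(raw: bytes, connection_closed: bool) -> str:
    """raw = bytes received so far; connection_closed = proxy has closed the socket."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete-headers"
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "malformed-status-line"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if 200 <= status < 300:
        # Success: no body; everything after the headers is tunnel data.
        return "tunnel-established"
    # Any other status is framed like an ordinary response (RFC 7230, 3.3.3).
    if "chunked" in headers.get("transfer-encoding", "").lower():
        # Simplification: trailers after the last chunk are not handled.
        return "complete" if body.endswith(b"0\r\n\r\n") else "waiting-for-chunks"
    length = headers.get("content-length")
    if length is not None:
        if not length.isdigit():
            return "malformed-content-length"
        return "complete" if len(body) >= int(length) else "waiting-for-body"
    # No length given: the reply only ends when the proxy closes the connection.
    return "complete" if connection_closed else "waiting-for-close"

BODY = b"<html><body>Access denied</body></html>"
DENY_WITH_BODY = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
                  b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
DENY_HEADERS_ONLY = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
DENY_ZERO_LENGTH = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("with body", DENY_WITH_BODY),
                      ("headers only", DENY_HEADERS_ONLY),
                      ("zero length", DENY_ZERO_LENGTH)]:
        for closed in (False, True):
            print(f"{name:13} closed={closed!s:5} -> {classify_connect_reply(raw, closed)}")
```

To apply it to a real capture, paste the proxy's reply bytes from the packet trace and note whether the proxy closed the TCP connection after sending them.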
 
reinerotto
Long time Member
Posts: 520
Joined: Thu Dec 04, 2008 2:35 am

Re: Timeout instead of proxy error page when using https

Tue Aug 04, 2020 12:07 am

You are bound to the limitations of RoS.
In general, it is possible to achieve what you want, _BUT_ you get a security warning from the browser first, because of the wrong certificate.

I do this on openwrt, however, which is more suited for such tasks. These are typical for advanced hotspots requiring filters for adult content.
 
roosje
just joined
Posts: 1
Joined: Tue Aug 04, 2020 6:39 am

Re: Timeout instead of proxy error page when using https

Tue Aug 04, 2020 10:29 am

There are very simple ways of solving the timeout, which are as follows:
1. Go to Start and search for Internet Options, then select Connections. Check the LAN settings and turn on "Automatically detect settings".
2. Go to Settings, then open Internet. Select Proxy and turn on "Automatically detect settings".
3. Open Network, Change Adapter Options on the taskbar, then select Internet Protocol Version and turn on "Obtain an IP address automatically".
4. Simply go to Network and disable, then enable, Ethernet.
All these methods apply from Windows 7 all the way to Windows 10.
 
marypoppins
newbie
Posts: 30
Joined: Wed Nov 27, 2019 3:38 pm

Re: Timeout instead of proxy error page when using https

Tue Aug 04, 2020 5:23 pm

Thank you for answering. I think there is some misunderstanding here.
It is a simple task I would like to achieve: just DENY SITES on the mikrotik proxy.
It seems the error is related to the marriage of the mikrotik proxy (6.47.1, but older is involved) and the firefox browser (quantum 68.110esr). However, the same browser works well with a separate squid.

So the problem:
I can deny, and it works like a charm, when sites are simple http://any_http_site.com (NO SSL/TLS magic).
I simply add blabla.com to the access list with action=deny like this:
/ip proxy access add dst-host=blabla.com action=deny
When I try to look at blabla.com in the browser, it immediately shows: hey, PROXY ACCESS DENIED!
Nice.

I would like to deny some sites which use https://...., but it does not work:
I use the same method (here youtube.com, but whatever uses https://):
/ip proxy access add dst-host=youtube.com action=deny
When I try to look at youtube.com in the browser, mikrotik logs that youtube deny, but the browser just waits, just waits, just waits, just waits, till timeout.
Mikrotik log -> deny, but the browser waits for something, maybe an http message body.
