Sam,
I'm sure we will succeed at aligning our views.
1 - I do understand that the goal is not to block all HTTPS traffic. This is clear to me.
2 - The test I made is blocking only Facebook, both HTTP and HTTPS, which is the goal, if I understand correctly.
3 - With transparent proxy enabled, this can NOT be achieved without firewall rules.
If you have a Zentyal test platform, try the following:
- set up Zentyal as gateway with firewall and proxy
- configure proxy as "NON transparent"
- configure your browser to use proxy for all protocols (yes, including SSL/TLS, i.e. HTTPS)
- do not configure extra rules in FW and ensure HTTPS does not bypass proxy (when you stop proxy, access to internet should not work for HTTP nor HTTPS)
- ensure you can access Facebook with both HTTP and HTTPS.
So far so good.
Then go to the HTTP proxy menu, then filter profiles.
Change the configuration of the default profile to add, in domains filtering, "facebook.com" in "domains and URL rules".
Save, then try to access Facebook with either HTTP or HTTPS.
How does it behave?