I am running IPFire in a school. The underage students should be allowed to work and use the web unsupervised, which makes a filter mandatory. The integrated URL filter of IPFire, which updates the blacklists by itself, is great, but I soon realised that it does not filter HTTPS URLs.
So far I have understood that URL filtering for HTTPS is not possible because the proxy cannot see the URLs in encrypted HTTPS packages. I am wondering, would it not be possible to inspect and intercept the unencrypted DNS requests in which the URLs are still visible? Or are the DNS requests not going through the proxy which is doing the filtering? I found this old forum post where @arne_f said that filtering HTTPS by domains would be possible. That would be fine with me! I would not even need an error page if students try to access forbidden pages. A log of such attempts would be nice but also not mandatory.
If the above is not feasible for some reason, I have read that putting the proxy into non-transparent mode would help? But why exactly is this? Would the URLs in HTTPS packages not be encrypted just the same?
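
The idea raised above, deciding on the name carried in the unencrypted DNS query, as an added example that is not part of the original post and not IPFire's own code. A DNS query carries only the host name, not the full URL; the `BLOCKED` set, the function names and the sample packets are constructed assumptions.

```python
import struct

# Constructed sample blacklist (assumption); a real setup would load the filter's domain lists.
BLOCKED = {"blocked.example", "games.example"}

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query; used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(packet):
    """Return the lower-cased name of the first question, or None if not a usable query."""
    if len(packet) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means response, not query
        return None
    labels, pos = [], 12
    while pos < len(packet):
        length = packet[pos]
        if length == 0:
            return ".".join(labels)
        if length > 63 or pos + 1 + length > len(packet):  # pointer, reserved or truncated
            return None
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    return None  # ran off the end without a terminating zero label

def is_blocked(name, blocked=BLOCKED):
    """Match the name or any parent domain against the blacklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocked for i in range(len(parts)))

def decide(packet):
    """Return (verdict, name) for one UDP payload seen on port 53."""
    name = parse_qname(packet)
    if name is None:
        return ("ignore", None)
    return ("block" if is_blocked(name) else "allow", name)

if __name__ == "__main__":
    for host in ("www.blocked.example", "school.example"):
        print(decide(build_query(host)))  # a log line per lookup
```

Clients that use DNS over HTTPS or a resolver outside the network never send such a query in plain text past the firewall, so this check only sees ordinary port-53 lookups.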