web filtering https without mitm

[Deku2]

I want to use the web proxy filtering for ssl without doing the entire ca ssl mitm.  I don't need to inspect, cache or authenticate anything.  I just want to block people from going to youtube and social media sites.  That shouldn't require me doing anything within SSL.  However, I can't get it to work.  When I do the transparent proxy forward on the ssl port, it just breaks the internet.

help please
thanks

[bartjsmit]

The only part of an HTTPS connection that is clear text is the DNS lookup. Don't bother with a transparent proxy, set youtube.com etc. on your DNS server to point to 127.0.0.1 instead and block your clients from using internet DNS servers by a firewall rule.

Beware that this will only stop casual users but will still let URL shorting services through.

Bart...

[Deku2]

Thanks, I'm trying to move to the unbound dns via DNSBL, but the lists are not as extensive as those for the proxy.  If I wanted to block all video streaming sites, it would be a very difficult task via DNSBL.  I just can't find good lists like you can with squid. 

[bartjsmit]

If you have a URL list, run a script to pick out the FQDN's and add those to a DNS block list.

You're obviously running the risk of false positives (e.g. http://interesting.site.com/video) and you'll miss any IP address links in the Squid list. You'd need to add those to an alias you block on a firewall rule.

Bart...