Proxies and SSL are not the greatest of friends, since the session between your device and the server is encrypted. Interrupting that encryption anywhere along the way will cause problems. While SSL is good for security, it does make running caching servers painful, as you have to have a cert installed on every machine behind the proxy, and I don't know about you, but I am not able to install it on things like Blu-ray players, IoT devices, and anything you don't own, like a device that a guest owns. Blocking secure sites is not a practical solution, as most of the internet sits behind SSL, thanks to organizations like Let's Encrypt and browsers like Chrome and Firefox trying to deprecate HTTP in favor of HTTPS.
Don't use it for HTTPS traffic, the so-called "man in the middle" setup. It's possible but not worth it, as you will need to manually install your own cert on every network device so they trust it. Pain in the butt, and not even possible on some devices.
But for non encrypted traffic you may see some benefit. I personally use Squid Proxy and Squid Guard for non encrypted traffic.
The benefit is having a cache right on your network. If the content can be cached, it's a lot faster to retrieve it from your pfSense box than pulling it from some server on the net somewhere.
If you want to read about using Squid with HTTPS (encrypted) traffic here’s a good article.
I will do a more in-depth video about this soon, but a lot of the internet traffic has been moving to the QUIC protocol because it is faster, due to being a more efficient protocol. To my knowledge no one has come up with a way to cache this protocol, as it works on UDP, so proxies such as Squid suggest you block it. Blocking QUIC will make your connection slower for now and probably broken in the future if sites such as Google, Facebook, YouTube, etc. turn off the fallback to TCP when it is blocked.
If you're just looking to block sites, Squid has a feature to filter TLS traffic based on the SNI information, allowing you to block encrypted sites without needing to install certificates on client machines. Since the traffic doesn't get decrypted on the firewall, it obviously doesn't do you any good with caching. Also, this solution will likely not work in the future, as newer versions of TLS encrypt the SNI extension.