Why HTTPS filtering exclusions do not work when Squid intercepts HTTPS connections transparently?

If your Squid proxy is configured to transparently intercept and decrypt HTTPS connections, then HTTPS domain name exclusions shown in the UI of Web Safety cannot be activated. The reason for this is simple - domain name is not available at the time when Squid need to decide whether to decrypt the HTTPS connection or not. Only IP addresses of client and server are available. Domain name becomes available only after HTTPS decryption.

In order to exclude sites from HTTPS decryption you must configure your firewall not to redirect HTTPS connections to the desired servers to Squid. In other words, all HTTPS connections transparently intercepted by Squid are decrypted.

On the other hand, if your browser is using Squid as explicit proxy, HTTPS exclusions work as expected because in this case browser first establishes SSL tunnel to the remote domain and Squid has enough information to skip HTTPS decryption.