Netgate Discussion Forum

    replace old squid

      nnicola82

      Hello!
      I have a fairly difficult situation in our enterprise environment with the current production proxies: an old Squid and an old SquidGuard list, without support and out of maintenance. Unfortunately, it is not possible to buy from a vendor.
      I thought about using pfSense but, having about 5000 users, I am undecided whether to continue with a new web proxy or only DNS filtering, since most of the traffic is TLS.

      What do you recommend? Note that we have firewalls from a vendor and a domain (I would like to use domain groups for ACLs).
      Given the scope, do you recommend
      installing Squid + SquidGuard + MITM for HTTPS and pfBlockerNG,
      and also an IPS such as Suricata or ntop,
      or just DNS filtering? In this case I would lose the possibility to manage the lists.

      It's quite expensive to break HTTPS: a colleague recommended HAProxy with Redis to me, but I don't know how.
      Also, I would like to prevent users from bypassing the DNS and proxy settings, as some are local PC administrators.

      My idea was to use a transparent proxy with inspection (not full) of the HTTPS traffic, since here in the domain there is a pool of generic users and non-domain users. Initially, I would like to:

      • block all sites that are forbidden to everyone, domain and non-domain users
      • block all sites prohibited at all, with browsing allowed for a group of domain users only on a specific whitelist
      • enable some lists, e.g. videoconference, for a group of domain users

      Thanks for the help; I gladly accept solutions that can be implemented with pfSense. Thanks.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.