"Transparent" Squid with filtering HTTPS resources without replacing certificates (x86, x64 - universal instruction )

Maybe Pfsense will appeal to IMHO: as for the gateway, there is a lot of functionality (squid, squid guard. clamav, the ability to implement various VPNs, traffic capture, etc. and all this from the web muzzle - including the installation of additional packages based on the latest fryaha). I got it on xen with half a kick, I think there should be no problems on KVM either. True, it requires a minimum gig of RAM, well, they are whistle-blowers to eat memory.

Monitoring site visits by office staff. SQUID or are there alternatives?

Administrative problems should not be solved technically! If the manager cannot organize the workflow, is not able to establish feedback, then it may not be the employees, but the management and the business processes themselves. It's simple: block the wired Internet, they will sit from smartphones and tablets, hang around in the smoking room, rummage around the territory, or knead boobs in the workplace.
Similarly, technical problems are not solved administratively (at least not directly). If the server is lying or barely tossing and turning, it is necessary for a technical specialist to deal with it. And reprimands, threats of fines, shouting load average will not bring you back to normal.

In an organization, everything is implemented quite simply, if the first and main rule is observed - the Principle of the First Head
Monitoring the attendance of the tyrnet by employees is one of the main measures to control the (in) purposeful spending of working time. In fact, everything is done simply as a log.
1. CA is deployed (not necessarily on Windows, even better on linux)
2. CA issues certificates for proxy
3. CA certificate is put to all users as trusted using GPO. This is the key point.
4. Proxy settings are prescribed for everyone through GPO
5. If access groups are needed (and they will certainly be needed), groups are made, there are a lot of mana in this case, by the way, I'm going to write a detailed article about this soon.
6. After the statistics has gone, it needs to be processed with something - squid issues only a raw log. I'm using a certain bike, washed down a long time ago from a fork of sarg.
What about the Principle of the First Leader? You will have to make changes to the settings of user computers and not everyone will be happy that vkontaktik has disappeared :)

In general, squid, and yes, you will have to hemorrhoid on the https account.
Regarding:
It works and you can solve the biggest problem in the form of self-signed certificates quite bloodlessly when you raise the domain at the same time and raise your CA that domain users will trust, again, destroy it with politicians.
In transparent mode, of course, you can get confused, but it's better to fasten access through the domain.