Block Internet except facebook.com & line

Dear sir,
I want my office to use Facebook / LINE for business; I don't want other websites to be usable.

method

  1. I used a filter rule to block port 80 (http://). It is OK.
  2. I used a filter rule to block port 443 with content "facebook" & "line". It is still not OK.

question

  1. How do I block the other HTTPS sites?

Thank you & best regards

Not possible this way; HTTPS is secure for a reason, so you can't check the content :wink:
You could block specific sites by assigning their DNS names a fake IP, but to allow only one or two, I can’t see how.

You could allow only the LINE and Facebook IP addresses through TCP port 443 and block every other connection, but you would have to know all the IPs that they use, and there are a lot.

My idea:
Use hotspot (or another proxy service) and allow only Facebook like this (this is for the hotspot version):
/ip hotspot walled-garden
add dst-host=*.facebook.com dst-port=443
add dst-host=*.fb*.com dst-port=443
add dst-host=*.facebook.com dst-port=80
add dst-host=*.fb*.com dst-port=80
add dst-host=*.akamai.net dst-port=443
add dst-host=*.akamai.net dst-port=80
add dst-host=akamaiedge.net
add dst-host=akamaiedge.net dst-port=443
add dst-host=*.edgekey.net
add dst-host=*.edgekey.net dst-port=443
add dst-host=facebook
add dst-host=fbcdn
add dst-host=akamai

You can change the default hotspot page in /file to an information page: "Sorry, only FB is allowed".

Have you tested it?

It is impossible to accurately get the real dst-host name from an HTTPS connection. HTTPS encrypts everything, including the headers of the HTTP request and the host name within it. In which packets can we see the domain name? The only reliable filtering for HTTPS is based on IP addresses.

The hotspot server tries to guess the DNS name for a given dst-ip by looking up the appropriate entry in the DNS cache on the hotspot router. If multiple host names share the same IP and at least two of them are in the DNS cache, it could pick the wrong DNS name for that IP. That explains why access to www.youtube.com gets allowed even though it is disabled in the walled-garden rules.

I am not aware of any solution to this problem without some bad consequences. For example:

  1. if we disable HTTPS pass-through completely, then a lot of sites (including most Google sites) would no longer work within the walled garden;
  2. if we disabled access to any IP with two DNS names, then google.com (and probably a lot of other sites) would not work either;
  3. if we wanted to see the real host name, then the web proxy would have to terminate the HTTPS request locally with its own certificate; the web browser would see that it is not the correct certificate and would either show a security warning or show nothing at all. Also, HTTPS certificate processing takes a lot of CPU power, so the hotspot server could easily be overloaded.
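The post above asks in which packets the domain name can be seen. For TLS as deployed at the time of this thread (and today, unless the client uses Encrypted Client Hello), the answer is the very first packet of the handshake: the ClientHello carries the requested host name in cleartext in its server_name (SNI) extension, before any encryption starts. Later RouterOS releases expose exactly this field as the tls-host firewall matcher. The example below is added here and is not code from the thread or from RouterOS: it constructs a minimal ClientHello (the bytes are made up for the test, with zeroed random and a single cipher suite) and walks the record, handshake, and extension length fields with bounds checks to pull out the SNI. Two caveats the code cannot fix: the SNI is supplied by the client and is not authenticated, so a filter keyed on it trusts the client's claim, and a truncated or non-ClientHello record must fail closed (return None) rather than crash the inspector.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ALPN = 0x0010


def build_client_hello(server_name=None):
    """Constructed test input: a minimal TLS 1.2 ClientHello record with an
    ALPN extension and, when server_name is given, a server_name (SNI)
    extension after it. Real browsers send many more extensions, but the
    length-prefixed layout the parser walks is the same."""
    alpn_proto = b"\x02h2"
    alpn_list = struct.pack("!H", len(alpn_proto)) + alpn_proto
    extensions = struct.pack("!HH", EXT_ALPN, len(alpn_list)) + alpn_list
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + bytes(32)            # client_version, random (zeros: constructed)
        + b"\x00"                          # session_id: empty
        + b"\x00\x02\xc0\x2f"              # one cipher suite
        + b"\x01\x00"                      # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None when
    the bytes are not a well-formed ClientHello or carry no SNI. Every length
    field is checked against the buffer so truncated input fails closed."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                            # client_version + random
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                                    # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return None                                         # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + elen]
        if len(ext) < elen:
            return None
        pos += elen
        if ext_type == EXT_SERVER_NAME:
            return _parse_server_name_list(ext)
    return None


def _parse_server_name_list(ext):
    """ServerNameList: 2-byte list length, then (name_type, 2-byte len, name) entries."""
    if len(ext) < 2:
        return None
    q, end = 2, 2 + struct.unpack("!H", ext[:2])[0]
    if end > len(ext):
        return None
    while q + 3 <= end:
        name_type = ext[q]
        name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
        q += 3
        name = ext[q:q + name_len]
        if len(name) < name_len:
            return None
        q += name_len
        if name_type == 0:                                  # host_name
            try:
                return name.decode("ascii")
            except UnicodeDecodeError:
                return None
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.facebook.com")))
    print(extract_sni(build_client_hello()))                # no SNI extension
    print(extract_sni(build_client_hello("www.facebook.com")[:30]))   # truncated
```

The point for this thread: a firewall that reads this field can allow `*.facebook.com` and drop every other TLS session without terminating HTTPS and without guessing host names from the DNS cache, which is the failure mode the post above describes. It still does not see the host name inside a connection that was allowed through, and a client can put any name it likes in the SNI, so the name is an intent signal, not proof of where the traffic ends up.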

Maybe you can enable the web proxy on the MikroTik, block all port 80 & 443 traffic, and configure the browser to use the MikroTik as a proxy. Then, in the proxy configuration, block all but your desired websites.

https://blog.x-way.org/Networking/2012/12/30/Automatic-Proxy-Configuration-via-DHCP.html

The only thing missing in the blog post is the HTTP server to host the wpad.dat file. You could probably put a quick-and-dirty OpenWRT virtual machine on the MikroTik to host the file…

I haven't tried it, but perhaps the wpad.dat file's location in DHCP option 252 could be an ftp:// URL, in which case you could host the file on the MikroTik itself with FTP.

Thank you, dear sir. I tried it with the LINE server. It is OK, but it still does not work for Facebook.com.

Dear sir

My script

# dec/12/2015 17:41:20 by RouterOS 6.32.2
# software id = XMFT-5X5U
#
/ip firewall filter
add action=add-dst-to-address-list address-list=facebook chain=forward layer7-protocol=facebook src-address=192.168.1.0/24
add action=add-dst-to-address-list address-list=line chain=forward disabled=yes src-address=192.168.1.254
add chain=forward dst-address-list=line src-address=192.168.1.254
add chain=forward dst-address-list=facebook src-address=192.168.1.254
add action=drop chain=forward src-address=192.168.1.0/24
add action=drop chain=forward disabled=yes dst-port=443 protocol=tcp

My question

  1. When this rule is working (add action=add-dst-to-address-list address-list=facebook chain=forward layer7-protocol=facebook src-address=192.168.1.0/24), it is not working if (add chain=forward dst-address-list=facebook src-address=192.168.1.254) is working.

It will not work for two reasons:

  1. the packet content "facebook" will also block other pages that merely mention facebook in their text;
  2. you are only inspecting HTTP traffic, and Facebook uses HTTPS.

https!

Not transparent proxy, Normis.

An explicitly configured proxy server can proxy HTTPS.

I have confirmed this works:

[admin@router.home.zerobyte.org] /ip proxy> export
# dec/14/2015 12:23:34 by RouterOS 6.27
# software id = F3LA-T902
#
/ip proxy
set anonymous=yes enabled=yes
/ip proxy access
add dst-host=*.facebook.com
add dst-host=*.fbcdn.net
add action=deny

Again, I had to configure my browser to use the MikroTik as a proxy; a transparent proxy would fail on HTTPS.

I've confirmed that you can filter https:// sites using the web proxy feature of the MikroTik, but only if you configure the browser to use the proxy server.

I set my home router up as a web proxy, and configured a computer at my office to use the home router as a proxy.
(In Internet Explorer, go to Tools > Internet Options > Connections tab > LAN Settings button, check the checkbox for "Use a proxy server for your LAN", and in the address field just type the IP of your MikroTik, port 8080.)

You should probably also check the "Bypass proxy server for local addresses" setting, but I'll leave that up to you.

Once the browser explicitly uses the MikroTik as a proxy, the MikroTik can inspect the https:// host headers before establishing connections. You can then create a list of permitted hosts (dst-host=*.facebook.com action=allow, and a second rule for dst-host=fbcdn.net) and finally a deny rule. You could set up a redirect-to address with an "access denied" page on your deny rule; I think this URL must be non-SSL, but I didn't play with it very long.

You'll also want to find the URLs that Facebook's certificate verification / revocation lists use, so that you can permit those hosts too, because in my testing I was getting a warning that IE couldn't verify whether the certificate had been revoked. This would get annoying for your users.
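The explicit-proxy approach in the two posts above works because a browser with a proxy configured does not start TLS towards the proxy at all: for an HTTPS site it sends a cleartext `CONNECT host:443 HTTP/1.1` request, the proxy applies its access list to that host name, and only an allowed request gets a tunnel opened to it. Plain HTTP reaches the proxy as an absolute-form request (`GET http://host/path HTTP/1.1`), so the same list covers port 80. The host name is also the one the proxy itself resolves and connects to, which is why this is stronger than guessing names from the DNS cache. What follows is an added example written for this page, not code from the thread or from RouterOS: a small Python model of the /ip proxy access export above (`*.facebook.com` and `*.fbcdn.net` allowed, then a catch-all deny), run over constructed request lines. It assumes first-match-wins rule ordering and shell-style globbing for dst-host patterns; the sample requests are made up.

```python
import fnmatch
from urllib.parse import urlsplit

# Model of the /ip proxy access list in the export above: evaluated top to
# bottom, first match wins, trailing catch-all denies everything else.
# (Assumption of this example: RouterOS ordering is modelled as first-match.)
PROXY_ACCESS = [
    ("*.facebook.com", "allow"),
    ("*.fbcdn.net", "allow"),
    ("*", "deny"),
]


def parse_request_line(line):
    """Return (method, host, port) from a proxy request line, or None.
    Handles the two forms a browser sends to an explicit proxy:
      CONNECT host:port HTTP/1.1      (HTTPS tunnel, host in cleartext)
      GET http://host/path HTTP/1.1   (plain HTTP, absolute-form URI)
    """
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            return None
        return method, host.strip("[]").lower(), int(port)
    parsed = urlsplit(target)
    if parsed.scheme != "http" or not parsed.hostname:
        return None
    return method, parsed.hostname.lower(), parsed.port or 80


def decide(line, rules=PROXY_ACCESS):
    """Apply the access list to one request line. Malformed lines are denied
    so the gate fails closed rather than tunnelling something it could not parse."""
    req = parse_request_line(line)
    if req is None:
        return "deny"
    host = req[1]
    for pattern, action in rules:
        if fnmatch.fnmatchcase(host, pattern):
            return action
    return "deny"


# Constructed sample traffic, as a browser with the proxy configured would send it.
SAMPLE_REQUESTS = [
    "CONNECT www.facebook.com:443 HTTP/1.1",
    "CONNECT edge-chat.facebook.com:443 HTTP/1.1",
    "GET http://static.xx.fbcdn.net/rsrc.php/logo.png HTTP/1.1",
    "CONNECT www.youtube.com:443 HTTP/1.1",
    "CONNECT facebook.com:443 HTTP/1.1",                  # apex: not covered by *.facebook.com
    "CONNECT www.facebook.com.evil.example:443 HTTP/1.1",  # suffix trick: pattern anchors on the end
    "not a request line",
]


def audit(lines=SAMPLE_REQUESTS, rules=PROXY_ACCESS):
    """Return [(line, decision)] so the effect of the rule order can be inspected."""
    return [(line, decide(line, rules)) for line in lines]


if __name__ == "__main__":
    for line, verdict in audit():
        print(f"{verdict:5s}  {line}")
```

Two things the run makes visible. The bare apex `facebook.com` is denied under glob semantics because `*.facebook.com` requires a dot before the suffix; if users type the apex, add it as its own rule rather than loosening the wildcard to `*facebook.com`, which would also admit `notfacebook.com`. And the CRL/OCSP hosts the post above mentions are just more allow rules in front of the catch-all; the model makes it easy to drop a captured request line in and see which rule it hits before touching the router.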