Hello everyone 
,
I’m new here please welcome me , and answer my question:
we really need to work hard to find a way to block google images . I spend a lot of time just trying to block the google images but there is no way , so please if any one has solution for this issue I need your help..
Thank you..
This is not easily possible. Welcome to the new world of https: impossible to block URLs.
Thanks , but I’ll keep trying
Hello,
Firefox there is the Block site 1.1.8.1 Module
There are very effective
I’m enjoying this brave new world. Middlebox operators, not so much. 
OP - I think you’re going to have to use an http(s) proxy to do what you want in today’s world. ROS’s proxy is pretty lightweight and requires that you set browsers up to explicitly use it as a proxy server if you want to be able to filter SSL-based URLs. If you need to do it with a transparent proxy, then you’re going to need an external proxy server such as squid that can do https pass-through after examining the requested URL for policy compliance.
But a proxy can only filter https by hostname, not by full URL!
So you can block https://images.google.com/ but not https://www.google.com/imghp
(when you don’t want to block Google entirely)
Don’t do those things and deliver the uncensored Internet to your customers. Let the customer to decide what he wants to see and what he doesn’t want to see.
I get that when it comes to a transparent proxy - what about an explicitly-configured proxy, though? I can see it both ways because on the one hand, if a browser trusts a proxy to be full man-in-the-middle, the proxy could give its own cert for the proxy->client leg (validating itself to the client), and the browser could be happy with that, trusting the proxy to say “the site you’re visiting just gave a bad certificate” in case of bad/revoked/expired certificates on the upstream side. But then I can also see browsers never operating in this mode either. In this case, you’re trusting the proxy not to do anything bad… Let’s just say that if I went to a hotspot and the banner said “install this certificate in your browser and trust our proxy” I would rip the battery right out of the computer before any further harm could be done. 
In general, I dislike middleboxes so I’m not exactly lighting any candles for devices that get stymied by the current wave of SSL adoption…
HAha - this was posted while I was writing this reply… I agree.
Yes that can be done, but probably not by a small MikroTik… I am no expert on that, but generally boxes that can do this
require serious CPU power and/or crypto accelleration.
A normal proxy will not decrypt/encrypt but has a CONNECT command. The client connects the proxy, sends a
CONNECT with the hostname and port, the proxy makes the connection and ties the two ends together. Then, the
client negotiates the TLS connection directly with the server, and the proxy has no way of seeing the actual URL
being fetched from the server.
A proxy that is a real man-in-the-middle is possible, and it can even be transparent. But indeed in that case you need
to install a trusted certificate on the client. Not a thing one should do as a hotspot client. In corporate environments
this is done to be able to inspect the data (scan for viruses, block URLs). But there the workstations are under
control of the company and certificates can be automatically installed.
Yep - and we have such boxes at my company for exactly the purpose you stated, virus/policy enforcement, and they do require that we use our own certificate that we push to workstations with AD policy…
Personally, I hate the things. If someone keeps goofing off and playing fantasy football at work, then take disciplinary action. All this putting up fences and having to get 10 hours of recorded footage to prove that you can fire someone is just plain madness in my opinion.