Hi, we need to block https://www.facebook.com/abs/ssd
from our MikroTik CCR1009.
How do we do that?
I would try using a L7 firewall rule but these are high CPU cost. Lucky you have a CCR.
So it is possible to do with a CCR?
How?
No it is not possible! Note the “https” which means “secure” communication.
The communication is encrypted and the router never sees the URL.
Even when you set up a proxy server, the router sees only the hostname, not the part after it. So then you
can block all of Facebook but not one specific page.
And is it possible to do a specific URL block for http URLs?
Yes, with http the proxy sees the full URL.
Are you sure? I didn’t know that - I have set up a URL blocker with a proxy.
It wasn’t a transparent proxy but an explicitly configured proxy in the browser.
The proxy seemed to “see” inside the SSL.
(granted I only tested it on hostnames)
I guess I learned something today.
When you set a proxy in a browser and it connects to https://www.facebook.com/abc/def, you see this in the proxy:
CONNECT www.facebook.com:443
So you can match on the domainname and portnumber.
However, the proxy then connects to that hostname and port and splices that connection to the incoming connection
from the client. The client itself will do the SSL handshake and when that is finished, it sends:
GET /abc/def HTTP/1.1
Host: www.facebook.com
over the encrypted connection. What the proxy sees is just the SSL negotiation and binary gibberish.
Of course, there are proxy servers that will not do the transparent splice, but they will insert a man-in-the-middle
that makes an encrypted connection to www.facebook.com, and make the client believe it is talking to that
server by presenting a locally generated SSL certificate. To make this work without the client immediately noticing
it, the fake certificate is signed by a root certificate that has been added to the client’s certificate store. That only
works in e.g. a company, where the IT staff can add that certificate while installing the machines. You cannot do
that in a normal customer WiFi network unless you are a state government or intelligence organisation, who have
trusted root certificates in the commonly used browsers.
Even then it is detected in newer browsers like Google Chrome, which can detect that a presented certificate
is signed by an unusual root certificate.
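To make the three situations above concrete, here is a small added example (not code from the thread or from MikroTik) that classifies what an explicit proxy can read from the first bytes of a client connection: a CONNECT line gives hostname and port, a plain http request gives the full URL, and the TLS bytes that follow a CONNECT are opaque. The sample requests and the `proxy_view`/`rule_can_match` helpers are constructed for this illustration.

```python
"""Added example: what an explicit HTTP proxy can match on, per request type."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed samples of what the proxy reads on the client socket.
CONNECT_REQ = b"CONNECT www.facebook.com:443 HTTP/1.1\r\nHost: www.facebook.com:443\r\n\r\n"
PLAIN_REQ = b"GET http://www.facebook.com/abc/def HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
# After the proxy answers the CONNECT, the client starts the TLS handshake. The proxy
# only sees a TLS record header (0x16 0x03 0x01 ...) followed by handshake/ciphertext
# bytes; the later "GET /abc/def" travels inside that tunnel. (Constructed bytes.)
TLS_BYTES = bytes.fromhex("160301") + b"\x00\x05" + b"\x01\x00\x00\x01\x00"


def proxy_view(data: bytes) -> dict:
    """Fields a proxy can extract from the first bytes of a client connection."""
    # An HTTP request line starts with an ASCII method; anything else is opaque
    # to the proxy (here: the TLS record that follows a CONNECT).
    if not data[:1].isalpha():
        return {"kind": "opaque", "host": None, "port": None, "path": None}
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, target, _version = line.split(" ", 2)
    if method == "CONNECT":
        # CONNECT host:port -> hostname and port are visible, nothing else.
        host, _, port = target.rpartition(":")
        return {"kind": "connect", "host": host, "port": int(port), "path": None}
    # Plain http through a proxy carries the absolute URL, so the path is visible.
    u = urlsplit(target)
    return {"kind": "http", "host": u.hostname, "port": u.port or 80, "path": u.path}


def rule_can_match(data: bytes, host: str, path: Optional[str] = None) -> bool:
    """True if a proxy rule on host (and optionally a path) could fire on this request."""
    v = proxy_view(data)
    if v["host"] != host:
        return False
    return path is None or v["path"] == path
```

Running it shows that a hostname rule fires on the CONNECT request while a hostname-plus-path rule only fires on the plain http request.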
Awesome - thanks for the proxy lesson. I like knowing things down at the atomic level.
FWIW - I do understand the certificate stuff - I just didn’t think about what the proxy was doing under the hood. It all makes more sense now.
Note that the forum software has inserted a couple of “http://” that I did not type and that should not be there…
Thanks for the clarification. Your explanation is excellent.
We can block www.facebook.com but not the specific pages, due to https.