Yes: Use a full-featured proxy, like squid.
Your usage case is one more argument against using MT for hotspots
with above-basic requirements.
As in openwrt, I often integrated squid. Also to implement
your requested functionality
Ha-ha, verry funny
Now I use an IPFire proxy, and I want to get rid of it, because I can use blocklists and safe DNS with the MT box (3011) what is strong enough to serve all of my users (30) and neither the IPfire cant do ssl intercept, so unnecessary a seperate proxy server, and because IPFire run on a very loaded Hyper-V server, I can save some memory and CPU resource.
There is a Layer7 filter, it really doesnt use for this? I am very unfamiliar with Layer7 filter and regular expressions. I tought, there is somebody who can help me.