@reinerotto
I've always used explicit proxy because I know for HTTPS the client will know it needs to do a CONNECT through the proxy, and the proxy will get a domain name to connect to. I can then filter on this domain name if desired.
With transparent, my understanding is the client tries to connect directly to a given IP address, the proxy intercepts it, connects to the IP address and tunnels traffic for the client. It does NOT get a domain name, only an IP address, and so the only kind of filtering that can be done is on the IP address, which is already available in Iptables with ipsets... so my impression is that transparent proxy offers much less functionality than for explicit proxy. Correct me if I'm wrong.
There are many many web pages discussing the "SSL bump" technique which is completely outside the scope of any "transparent" SSL (because in fact it's a man-in-the-middle attack that you must explicitly allow on each client). Unfortunately because that takes up a lot of the web's energy to describe, it's not so clear how you even configure transparent SSL tunneling without bump. I'd appreciate if you can link to a good site for doing that.
Also for a background discussion of the security implications of WPAD method: https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol#Security
Given all these issues, I've chosen to just set up explicit proxies on my devices. This way I know my devices are talking to the proxy, they know and respond appropriately to the proxy, features are maximized, and compatibility issues, debugging, and wasted time are minimized.