DPI works on connections traversing the firewall, i.e. going from a PC to the net.
When there is a proxy, there are two connections and neither of them traverses the firewall:
1. PC to NethServer
2. NethServer to net
The rules are simple:
* Want to block a web site (HTTP)? Use the proxy.
* Want to block a protocol (torrent)? Use the firewall.
If you want to identify HTTP traffic with DPI techniques, you must "take it out" of the proxy. A common scenario is Windows Update, which is usually put on low priority. Configure as follows:
1. Add the list of Windows Update domains in Domains without proxy (use Google to find the list).
2. Add a rule to set ndpi windowsupdate to low priority in the firewall rules.
This sentence should be slightly reworded to clarify the limitations.