I think you are on the right track. Using a web proxy solution that
only allows outbound access to a whitelist of allowed domains is
definitely a good solution, and one that works. The list might get
large(ish), but no matter what, it is a whitelist, which is a great
step in the right direction.
Of course, you will have to back this up with a firewall ACL that only
allows the web proxy solution to initiate outbound connections to the
Internet. Otherwise, the servers could just bypass the proxy.
This protection helps you in multiple ways, mainly by making data
exfiltration and command and control extremely hard to pull off.
If one of your boxes gets owned (i.e., malware on removable media, a
publicly accessible network service that is vulnerable), and the only
way out of your server subnet is through a proxy that only allows
outbound access to a limited list of websites on one of two ports
(443/tcp and 80/tcp), it is going to be mighty hard for someone to
exfiltrate data out of your network.
Of course this is a defense in depth strategy, not a silver bullet.
There will always be people telling you "But our servers are not
owned". haha. A lot harder to prove than people think.
I do not have as much experience to draw on for your last question,
but I don't really see a problem with a manual override, as long as it
is 1) Temporary, and 2) Documented. I'm less concerned with the
machine that is being updated and watched closely, than I am with the
entire network that is NOT being watched as closely, especially if it
is Internet facing.
Good luck!
Seth
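The two controls described in the reply above, a domain allow-list enforced on the proxy and a firewall ACL that lets only the proxy reach the Internet, are only as good as the checks that confirm they are actually in force. The script below is an added example written for this page, not code from the thread or from any particular proxy or firewall product. It re-evaluates constructed proxy access-log lines against an allow-list (matching exact domains and their subdomains on 80/443 only), and audits constructed firewall log lines for any server other than the proxy talking to non-RFC1918 addresses, which is either the ACL doing its job (DENY) or an ACL hole (ALLOW). The log formats, the allow-list, the proxy address 10.0.1.254 and the subnet 10.0.1.0/24 are all assumptions.

```python
"""Egress-filtering audit helpers (added example; formats and addresses are constructed)."""
import ipaddress
import re

# Constructed allow-list; assumption: the authoritative list lives in the proxy config.
ALLOWED_DOMAINS = {"updates.example.com", "repo.example.org"}
ALLOWED_PORTS = {80, 443}

# Internal address space; anything outside these is treated as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log layouts, chosen for readability rather than any vendor's format.
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) "
                      r"(?P<host>[^:\s]+):(?P<port>\d+) (?P<verdict>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
                   r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample data.
PROXY_LOG = """\
1700000000.001 10.0.1.10 CONNECT updates.example.com:443 ALLOWED
1700000000.002 10.0.1.11 GET repo.example.org:80 ALLOWED
1700000000.003 10.0.1.12 CONNECT pastebin.example.net:443 DENIED
1700000000.004 10.0.1.12 CONNECT updates.example.com:8443 DENIED
1700000000.005 10.0.1.13 CONNECT cdn.example.net:443 ALLOWED
"""
FIREWALL_LOG = """\
1700000000.010 ALLOW tcp 10.0.1.254:51000 -> 198.51.100.7:443
1700000000.011 DENY tcp 10.0.1.12:51001 -> 198.51.100.9:443
1700000000.012 ALLOW tcp 10.0.1.12:51002 -> 10.0.2.5:3306
1700000000.013 DENY udp 10.0.1.12:51003 -> 203.0.113.53:53
1700000000.014 ALLOW tcp 10.0.1.20:51004 -> 198.51.100.20:80
"""


def is_allowed(host, port):
    """True if host is an allow-listed domain (or a subdomain of one) on 80 or 443.
    The trailing-dot strip and lower-casing avoid trivial mismatches; the
    "." + d check stops evil-updates.example.com matching updates.example.com."""
    host = host.rstrip(".").lower()
    if port not in ALLOWED_PORTS:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def proxy_policy_violations(log):
    """Re-check every proxy request against the allow-list.
    Returns (client, host, port, proxy_verdict) for requests the policy says
    should be denied. A verdict of ALLOWED on such a line means the running
    proxy config has drifted from the documented list."""
    out = []
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparsable line; in production, count these too
        port = int(m["port"])
        if not is_allowed(m["host"], port):
            out.append((m["client"], m["host"], port, m["verdict"]))
    return out


def proxy_bypass_attempts(log, proxy_ip, server_subnet):
    """Flows from the server subnet to the Internet that did not originate
    from the proxy. DENY means the ACL caught a host trying to go direct
    (worth investigating); ALLOW means the ACL has a gap."""
    proxy = ipaddress.ip_address(proxy_ip)
    subnet = ipaddress.ip_network(server_subnet)
    out = []
    for line in log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src not in subnet or src == proxy:
            continue
        if any(dst in net for net in INTERNAL_NETS):
            continue  # east-west traffic is out of scope for the egress check
        out.append((m["src"], m["dst"], int(m["dport"]), m["action"]))
    return out


if __name__ == "__main__":
    for v in proxy_policy_violations(PROXY_LOG):
        print("proxy policy violation:", v)
    for f in proxy_bypass_attempts(FIREWALL_LOG, "10.0.1.254", "10.0.1.0/24"):
        print("direct-to-Internet flow bypassing proxy:", f)
```

Run against real logs, the `ALLOW` results from `proxy_bypass_attempts` are the ones to fix first, since they show a server that can reach the Internet without the proxy at all; the `ALLOWED` results from `proxy_policy_violations` are the place to check that a "temporary" override was actually rolled back.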