So far, you've tried to encrypt the Location field in 302 redirects. This doesn't handle the links in the response content. I'm not sure why you'd only want to encrypt the redirect links but not the response content links. Trying to encrypt the response content links wouldn't be so easy. You could try doing this using a regular expression to identify links. You could configure this regex as a STREAM::expression and encrypt the links in the STREAM_MATCHED event. You would not want to encrypt links to URI's that users could legitimately start accessing the application at. In requests, you could check the requested URI against the defined start pages. If it's not a defined start page, then you try to decrypt the path.
You can check the stream related pages for examples on using a stream profile to rewrite response content (
Click here).
Aaron