Simple adblock using unbound and nginx
- 
1. Create a virtual IP in the LAN interface:

2. ssh to the pfSense and install nginx and nano:

    pkg install nginx nano

3. create update_adblock_file.sh:

    /usr/local/bin/nano -w /usr/local/sbin/update_adblock_file.sh

    #!/bin/sh
    # Builds an unbound include file that redirects every listed host to the nginx VIP
    adblock_file='/etc/adblock_file'
    nginx_ip='1.2.3.4'
    # Extra hosts to block on top of the downloaded list
    my_block_list=" \
    254a.com \
    yp.xn--i1b2e6b6ah.com \
    "
    # Render the local entries in hosts-file format so they merge with the download
    mylist=`for host in $my_block_list; do echo "127.0.0.1 $host"; done`
    yoyo=`/usr/bin/fetch -qo- 'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext'`
    if [ $? -eq 0 ]; then
      rm -f $adblock_file
      # printf instead of echo "...\n...": /bin/sh echo does not portably expand \n.
      # Sort before uniq so duplicates are adjacent; report them on stderr.
      printf '%s\n%s\n' "$mylist" "$yoyo" | sort -f | uniq -di | grep 127.0.0.1 | awk '{print "Duplicate:",$2}' >&2
      printf '%s\n%s\n' "$mylist" "$yoyo" | sort -uf | grep 127.0.0.1 | awk '{print $2}' | \
      while read line; do
        echo "local-zone: \"$line.\" redirect" >> $adblock_file
        echo "local-data: \"$line. 3600 IN A $nginx_ip\"" >> $adblock_file
      done
    else
      echo "FAIL TO DOWNLOAD"
    fi

4. mark file executable:

    chmod +x /usr/local/sbin/update_adblock_file.sh

5. execute:

    /usr/local/sbin/update_adblock_file.sh

6. generate certificate:

    openssl req -x509 -nodes -days 3650 -subj "/C=PT/CN=1.2.3.4" -sha512 -newkey rsa:4096 -keyout /usr/local/etc/nginx/nginx.key -out /usr/local/etc/nginx/nginx.pem

7. edit nginx.conf:

    /usr/local/bin/nano -w /usr/local/etc/nginx/nginx.conf

    user nobody;
    worker_processes 1;
    pid /var/run/nginx.pid;
    events {
      worker_connections 1024;
    }
    http {
      server {
        # Bind only to the virtual IP the blocked hosts resolve to
        listen 1.2.3.4:80;
        listen 1.2.3.4:443 ssl;
        server_name adblocker;
        ssl_certificate /usr/local/etc/nginx/nginx.pem;
        ssl_certificate_key /usr/local/etc/nginx/nginx.key;
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers 'AES128+EECDH:AES128+EDH';
        expires max;
        # Collapse every request path to / and answer with an empty 204
        rewrite ^(.*)$ / last;
        location / {
          return 204;
        }
      }
    }

8. run nginx:

    /usr/local/sbin/nginx

9. add block rules to unbound:

When you reboot pfSense don't forget to start nginx, and update the adblock list from time to time (automate this using cron).

regards azurata
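As an added example (not part of azurata's post, and not pfSense or unbound code), the filter below performs the conversion step of the script above but validates each name before it is written into the include file. The posted script embeds the second field of every downloaded line straight into local-zone: "<host>." ..., so a list line carrying a double quote or other junk could corrupt the unbound configuration; this version accepts only plain hostnames. It assumes the hosts-file layout of the downloaded list (address, then hostname) and uses constructed sample lines in place of the real pgl.yoyo.org download.

```shell
#!/bin/sh
# Added example: hosts-format blocklist -> unbound "redirect" entries, with
# hostname validation so that malformed list lines cannot break the include file.

# Constructed sample input (not the real pgl.yoyo.org list). It mixes in a
# comment, a 0.0.0.0-style entry, a case-only duplicate, a localhost line and
# two malformed names (embedded quote, leading hyphen) that must be dropped.
SAMPLE_HOSTS='# constructed sample, not the real pgl.yoyo.org list
127.0.0.1 localhost
127.0.0.1 ads.example.com
127.0.0.1 ADS.EXAMPLE.COM
0.0.0.0   tracker.example.net
127.0.0.1 bad"host.example.org
127.0.0.1 -hyphen.example.org
127.0.0.1 xn--i1b2e6b6ah.example'

# Read hosts-format lines on stdin; print one validated, lowercased hostname
# per line, sorted and de-duplicated. Only 127.0.0.1/0.0.0.0 entries are
# accepted; labels must be [a-z0-9-] with no leading or trailing hyphen and
# there must be at least one dot; localhost is never emitted.
extract_hosts() {
    awk '/^[ \t]*#/ { next }
         ($1 == "127.0.0.1" || $1 == "0.0.0.0") && NF >= 2 { print tolower($2) }' \
    | grep -E '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$' \
    | grep -vx 'localhost' \
    | sort -u
}

# Read hostnames on stdin; emit the unbound local-zone/local-data pair for
# each one, pointing the A record at the nginx virtual IP passed as $1.
unbound_redirects() {
    target="$1"
    while IFS= read -r host; do
        printf 'local-zone: "%s." redirect\n' "$host"
        printf 'local-data: "%s. 3600 IN A %s"\n' "$host" "$target"
    done
}

# Run the constructed sample through both stages.
sample_output() {
    printf '%s\n' "$SAMPLE_HOSTS" | extract_hosts | unbound_redirects 1.2.3.4
}

# Usage: sh adblock_filter.sh hosts_file [nginx_ip]   (no arguments: use the sample)
if [ $# -gt 0 ]; then
    extract_hosts < "$1" | unbound_redirects "${2:-1.2.3.4}"
else
    sample_output
fi
```

The regular expression is deliberately conservative: it rejects anything that is not a dotted hostname, which is exactly what keeps stray quotes, spaces or directives out of the file that unbound later parses as configuration. Before restarting the resolver it is still worth running unbound-checkconf against the generated configuration, since a single bad line in an included file stops unbound from starting, as a later reply in this thread reports.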
- 
 I'm not sure how this is easier than just using squidGuard. What is the point of nginx in this? pfSense already has a working web server. 
- 
@KOM: I'm not sure how this is easier than just using squidGuard. I don't use squid. @KOM: What is the point of nginx in this? nginx will speed up browsers' page load (by not waiting for servers that will not respond). @KOM: pfSense already has a working web server. For my config needs, nginx is better than lighttpd.
- 
Sorry for the basic question, but how do we actually enable this? Transparent proxy…?
- 
I performed all the steps as described in your great guide, but Unbound isn't starting anymore when the advanced field in the General DNS Resolver Options is changed to:

    server:
    include: /etc/adblock_file

The content of /etc/adblock_file looks like this:

    local-zone: "101com.com." redirect
    local-data: "101com.com. 3600 IN A 172.16.0.1"
    local-zone: "101order.com." redirect
    local-data: "101order.com. 3600 IN A 172.16.0.1"
    local-zone: "123found.com." redirect
    local-data: "123found.com. 3600 IN A 172.16.0.1"

Do you have any tips to help me solve the issue so Unbound will start?

Update:
If I copy the content of /etc/adblock_file into the advanced field, starting with server: on the first row, unbound starts fine. But this is more of a workaround, because this field isn't updated automatically.
- 
To solve the problem you have to put the adblock_file in /var/unbound/adblock_file.conf. So modify the script with this:

    #!/bin/sh
    # Same generator as in the original post, but the include file lives under
    # /var/unbound, the directory pfSense's unbound is chrooted to and can read
    adblock_file='/var/unbound/adblock_file.conf'
    nginx_ip='1.2.3.4'
    my_block_list="
    254a.com
    yp.xn--i1b2e6b6ah.com
    "
    mylist=`for host in $my_block_list; do echo "127.0.0.1 $host"; done`
    yoyo=`/usr/bin/fetch -qo- 'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext'`
    if [ $? -eq 0 ]; then
      rm -f $adblock_file
      # printf instead of echo "...\n...": /bin/sh echo does not portably expand \n.
      # Sort before uniq so duplicates are adjacent; report them on stderr.
      printf '%s\n%s\n' "$mylist" "$yoyo" | sort -f | uniq -di | grep 127.0.0.1 | awk '{print "Duplicate:",$2}' >&2
      printf '%s\n%s\n' "$mylist" "$yoyo" | sort -uf | grep 127.0.0.1 | awk '{print $2}' | \
      while read line; do
        echo "local-zone: \"$line.\" redirect" >> $adblock_file
        echo "local-data: \"$line. 3600 IN A $nginx_ip\"" >> $adblock_file
      done
    else
      echo "FAIL TO DOWNLOAD"
    fi

That solves the problem.
- 
 https://forum.pfsense.org/index.php?topic=102470.0 

