Netgate Discussion Forum

Simple adblock using unbound and nginx

  • azurata, Apr 28, 2015, 11:58 PM (last edited Apr 29, 2015, 12:07 AM)

    1. Create a virtual IP in the LAN interface:

    2. SSH to pfSense and install nginx and nano:
    pkg install nginx nano

    3. create update_adblock_file.sh:
    /usr/local/bin/nano -w /usr/local/sbin/update_adblock_file.sh

    #!/bin/sh
    
    adblock_file='/etc/adblock_file'
    nginx_ip='1.2.3.4'
    
    my_block_list=" \
    	254a.com \
    	yp.xn--i1b2e6b6ah.com \
    "
    mylist=`for host in $my_block_list; do echo "127.0.0.1 $host"; done`
    
    yoyo=`/usr/bin/fetch -qo- 'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext'`
    if [ $? -eq 0 ]; then
    	rm -f $adblock_file
    	# uniq only compares adjacent lines, so sort before looking for duplicates;
    	# printf is used instead of echo so the "\n" is a newline in any sh
    	printf '%s\n%s\n' "$mylist" "$yoyo" | grep 127.0.0.1 | sort -f | uniq -di | awk '{print "Duplicate:",$2}' >&2
    	printf '%s\n%s\n' "$mylist" "$yoyo" | grep 127.0.0.1 | sort -uf | awk '{print $2}' | \
    	while read -r line; do
    		echo "local-zone: \"$line.\" redirect" >> $adblock_file
    		echo "local-data: \"$line. 3600 IN A $nginx_ip\"" >> $adblock_file
    	done
    else
    	echo "FAIL TO DOWNLOAD" >&2
    	exit 1
    fi
    
    

    4. mark file executable:
    chmod +x /usr/local/sbin/update_adblock_file.sh

    5. execute:
    /usr/local/sbin/update_adblock_file.sh

    6. generate certificate:
    openssl req -x509 -nodes -days 3650 -subj "/C=PT/CN=1.2.3.4" -sha512 -newkey rsa:4096 -keyout /usr/local/etc/nginx/nginx.key -out /usr/local/etc/nginx/nginx.pem

    7. edit nginx.conf:
    /usr/local/bin/nano -w /usr/local/etc/nginx/nginx.conf

    user  nobody;
    worker_processes  1;
    
    pid        /var/run/nginx.pid;
    
    events {
        worker_connections  1024;
    }
    
    http {
            server {
                    listen 1.2.3.4:80;
                    listen 1.2.3.4:443 ssl;
                    server_name adblocker;
    
                    ssl_certificate /usr/local/etc/nginx/nginx.pem;
                    ssl_certificate_key /usr/local/etc/nginx/nginx.key;
                    ssl_protocols TLSv1.1 TLSv1.2;
                    ssl_ciphers 'AES128+EECDH:AES128+EDH';
    
                    expires max;
                    rewrite ^(.*)$ / last;
                    location / {
                            return 204;
                    }
            }
    }
    
    

    8. run nginx:
    /usr/local/sbin/nginx

    9. add the block rules to unbound:

    When you reboot pfSense, don't forget to start nginx, and update the adblock list from time to time (automate this using cron).

    Regards, azurata

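Added example (editor's code, not azurata's script and not part of pfSense): a hosts-list to unbound converter in POSIX sh that does the same job as the guide's script but handles what its pipeline does not. The list is fetched over plain HTTP from a third party and written straight into the resolver's configuration, so each name is validated before it becomes a config line; comment and blank lines, "0.0.0.0 host" entries, trailing comments, mixed case, duplicates and the loopback names most hosts lists carry are all dealt with. The sample hosts list below is constructed, 192.0.2.1 stands in for the nginx virtual IP, the function names are this example's own, and the output path is a parameter so it can point under /var/unbound, where pfSense runs unbound chrooted.

```shell
#!/bin/sh
# Added example: hosts-format block list -> unbound local-zone/local-data lines.

# Constructed sample standing in for the downloaded yoyo.org list.
SAMPLE_HOSTS='# constructed sample, not the real yoyo.org list
127.0.0.1 localhost
127.0.0.1 ads.example.com
0.0.0.0   Tracker.Example.NET   # trailing comment
127.0.0.1 ads.example.com
127.0.0.1 bad host/with.slash
127.0.0.1 -leading-dash.example.org
127.0.0.1 xn--80ak6aa92e.example
'

# Local additions in plain hostname form, as in the guide's my_block_list.
MY_BLOCK_LIST='254a.com
yp.xn--i1b2e6b6ah.com'

# hosts_to_unbound SINK_IP < hosts_lines > unbound_fragment
# Strips comments, keeps 127.0.0.1/0.0.0.0 entries, lowercases the name,
# drops loopback names, keeps only syntactically valid hostnames (so nothing
# from the download can smuggle quotes or newlines into a config line),
# de-duplicates, and emits the redirect zone plus its A record.
hosts_to_unbound() {
    sink_ip="$1"
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' \
    | awk '$1 == "127.0.0.1" || $1 == "0.0.0.0" { print tolower($2) }' \
    | grep -v -E '^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+)$' \
    | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$' \
    | sort -u \
    | while read -r host; do
        printf 'local-zone: "%s." redirect\n' "$host"
        printf 'local-data: "%s. 3600 IN A %s"\n' "$host" "$sink_ip"
    done
}

# write_adblock_file SINK_IP OUTFILE < hosts_lines
# Builds the fragment in a temp file, refuses to install an empty list (a
# failed or blocked download must not silently clear the blocklist), validates
# with unbound-checkconf when that binary is installed (skipped otherwise), and
# only then moves it into place so unbound never reads a half-written include.
write_adblock_file() {
    sink_ip="$1"; outfile="$2"
    tmp="$(mktemp "${outfile}.XXXXXX")" || return 1
    hosts_to_unbound "$sink_ip" > "$tmp" || { rm -f "$tmp"; return 1; }
    if [ ! -s "$tmp" ]; then
        echo "refusing to install an empty block list" >&2
        rm -f "$tmp"; return 1
    fi
    if command -v unbound-checkconf >/dev/null 2>&1; then
        chk="$(mktemp)" || { rm -f "$tmp"; return 1; }
        # Minimal wrapper config: directory/chroot/username defaults are
        # disabled so only the generated include is being checked.
        printf 'server:\n  directory: "/"\n  chroot: ""\n  username: ""\n  include: "%s"\n' "$tmp" > "$chk"
        if ! unbound-checkconf "$chk" >/dev/null 2>&1; then
            echo "unbound-checkconf rejected the generated fragment" >&2
            rm -f "$tmp" "$chk"; return 1
        fi
        rm -f "$chk"
    fi
    mv -f "$tmp" "$outfile"
}

# Demo on the constructed sample, merged with the local list. For real use,
# replace SAMPLE_HOSTS with the output of
#   fetch -qo- 'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext'
# and call write_adblock_file 1.2.3.4 /var/unbound/adblock_file.conf instead.
{
    printf '%s\n' "$MY_BLOCK_LIST" | sed 's/^/127.0.0.1 /'
    printf '%s' "$SAMPLE_HOSTS"
} | hosts_to_unbound 192.0.2.1
```

Run on the sample, the demo emits five zone/data pairs (the two local names plus ads.example.com, tracker.example.net and xn--80ak6aa92e.example); localhost, the entry containing a slash and the label starting with a dash never reach the resolver config.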
    • KOM, Apr 29, 2015, 1:56 PM

      I'm not sure how this is easier than just using squidGuard.  What is the point of nginx in this?  pfSense already has a working web server.

      • azurata, Apr 29, 2015, 3:09 PM (last edited Apr 29, 2015, 3:13 PM)

        @KOM: I'm not sure how this is easier than just using squidGuard.

        I don't use squid.

        @KOM: What is the point of nginx in this?

        nginx will speed up browsers' page loads (by not waiting for servers that will not respond).

        @KOM: pfSense already has a working web server.

        For the config I need, nginx is better than lighttpd.

        • neo_, May 3, 2015, 6:03 AM

          Sorry for the basic question, but how do we actually enable this? Transparent proxy…?

          • wilixje, May 3, 2015, 7:51 PM (last edited May 3, 2015, 8:01 PM)

            I performed all the steps as described in your great guide, but Unbound isn't starting anymore when the advanced field in the General DNS Resolver Options is changed to:

            server:
            include: /etc/adblock_file


            The content of /etc/adblock_file looks like this:

            local-zone: "101com.com." redirect
            local-data: "101com.com. 3600 IN A 172.16.0.1"
            local-zone: "101order.com." redirect
            local-data: "101order.com. 3600 IN A 172.16.0.1"
            local-zone: "123found.com." redirect
            local-data: "123found.com. 3600 IN A 172.16.0.1"
            

            Do you have any tips to help me solve the issue so Unbound will start?

            Update:
            If I copy the content of /etc/adblock_file into the advanced field, starting with server: on the first row, unbound starts fine. But this is more of a workaround, because this field isn't updated automatically.

            • zuperjotmeil, Feb 13, 2016, 6:30 PM

              To solve the problem you have to put the adblock_file in /var/unbound/adblock_file.conf

              So modify the script like this:

              #!/bin/sh

              adblock_file='/var/unbound/adblock_file.conf'
              nginx_ip='1.2.3.4'

              my_block_list=" \
              	254a.com \
              	yp.xn--i1b2e6b6ah.com \
              "
              mylist=`for host in $my_block_list; do echo "127.0.0.1 $host"; done`

              yoyo=`/usr/bin/fetch -qo- 'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext'`
              if [ $? -eq 0 ]; then
              	rm -f $adblock_file
              	# uniq only compares adjacent lines, so sort before looking for duplicates;
              	# printf is used instead of echo so the "\n" is a newline in any sh
              	printf '%s\n%s\n' "$mylist" "$yoyo" | grep 127.0.0.1 | sort -f | uniq -di | awk '{print "Duplicate:",$2}' >&2
              	printf '%s\n%s\n' "$mylist" "$yoyo" | grep 127.0.0.1 | sort -uf | awk '{print $2}' | \
              	while read -r line; do
              		echo "local-zone: \"$line.\" redirect" >> $adblock_file
              		echo "local-data: \"$line. 3600 IN A $nginx_ip\"" >> $adblock_file
              	done
              else
              	echo "FAIL TO DOWNLOAD" >&2
              	exit 1
              fi

              That solves the problem.

              • BBcan177 (Moderator), Feb 13, 2016, 6:43 PM

                https://forum.pfsense.org/index.php?topic=102470.0

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.