essandess / adblock2privoxy

Convert adblock config files to privoxy format
https://hackage.haskell.org/package/adblock2privoxy
GNU General Public License v3.0

adblock2privoxy

Convert adblock config files to privoxy format.

This is a fork of Zubr's adblock2privoxy repo with minor optimizations for regular expressions, large outputs to the CSS debug directory turned off, and upgrades for the latest ghc compiler and modules.

The webserver configuration file nginx.conf is used both for element blocking and as a blackhole (including within HTTPS-secured pages) for the Proxy Autoconfiguration (PAC) file in the parent repo easylist-pac-privoxy.

Synopsis

adblock2privoxy [OPTION...] [URL...]

The files in the example privoxy and css directories are created with the command:

adblock2privoxy -p ./privoxy -w ./css -d 127.0.0.1:8119 ./easylist/*.txt

After installing working binaries (below), an example production run with regular updates looks like:

adblock2privoxy -p /usr/local/etc/adblock2privoxy/privoxy -w /usr/local/etc/adblock2privoxy/css -d 10.0.1.3:8119 \
  https://easylist.to/easylist/easyprivacy.txt  \
  https://easylist.to/easylist/easylist.txt  \
  https://easylist.to/easylist/fanboy-annoyance.txt  \
  https://easylist.to/easylist/fanboy-social.txt  \
  https://easylist-downloads.adblockplus.org/antiadblockfilters.txt  \
  https://easylist-downloads.adblockplus.org/malwaredomains_full.txt  \
  https://raw.githubusercontent.com/ryanbr/fanboy-adblock/master/fanboy-antifacebook.txt \
  https://raw.githubusercontent.com/Dawsey21/Lists/master/adblock-list.txt

# then every few days
adblock2privoxy -t /usr/local/etc/adblock2privoxy/privoxy/ab2p.task
# restart privoxy, e.g. sudo port unload privoxy ; sudo port load privoxy

macOS Installation

The macOS repo is part of MacPorts. The installation details below this section are deprecated.

To install:

sudo port install adblock2privoxy
sudo port load adblock2privoxy

Unix Installation

Quick Build/Install Example

This will build a local /usr/local/bin/adblock2privoxy executable from source and templates saved in /usr/local/etc/adblock2privoxy/adblock2privoxy.

curl -sSL https://get.haskellstack.org/ | sh
sudo mkdir -p /usr/local/etc/adblock2privoxy
sudo rsync -a ./adblock2privoxy* /usr/local/etc/adblock2privoxy
PATH=/usr/bin:$PATH sudo -E bash -c 'export STACK_ROOT=/usr/local/etc/.stack ; cd /usr/local/etc/adblock2privoxy/adblock2privoxy && stack setup --allow-different-user && stack install --local-bin-path /usr/local/bin --allow-different-user'

macOS launchd.plist daemons

macOS launchd.plist daemons to start nginx and update the privoxy database on a schedule. See macOS-Fortress for a working example.

sudo install -m 644 ./com.github.essandess.adblock2privoxy.plist /Library/LaunchDaemons
sudo install -m 644 ./com.github.essandess.adblock2privoxy.nginx.plist /Library/LaunchDaemons
sudo launchctl load -w /Library/LaunchDaemons/com.github.essandess.adblock2privoxy.plist
sudo launchctl load -w /Library/LaunchDaemons/com.github.essandess.adblock2privoxy.nginx.plist
sudo launchctl start com.github.essandess.adblock2privoxy

Objectives

The AdBlock Plus browser plugin has great block lists provided by a big community, but it is client software and cannot work on a server as a proxy.

The Privoxy proxy has good potential to block ads on the server side, but it suffers from an acute shortage of updated block lists.

This software converts adblock lists to the privoxy config file format.

Almost all adblock features are supported including

Description

Adblock files specified by [URL]... are converted to privoxy config files and auxiliary elemHide CSS files. Local file names and http(s) addresses are accepted as URLs.

If no source URLs are specified, the task file is used to determine sources: previously processed sources are processed again if any of them has expired. Nothing is done if all sources in the task file are up to date.

Options

-v, --version
  Show version number
-p PATH, --privoxyDir=PATH
  Privoxy config output path
-w PATH, --webDir=PATH
  Css files output path
-d DOMAIN, --domainCSS=DOMAIN
  Domain of CSS web server (required for Element Hide functionality)
-u, --useHTTP
  Use HTTP for CSS web server; the default is HTTPS to avoid mixed content
-g INT, --debugLevel=INT
  Debug Level. 0: Off; 1: top directory CSS; 2: full directory.
-t PATH, --taskFile=PATH
  Path to task file containing urls to process and options.
-f, --forced
  Run even if no sources are expired

If taskFile is not specified explicitly, [privoxyDir]/ab2p.task is used.

If the task file exists and privoxyDir, webDir or domainCSS is not specified, the corresponding value is taken from the task file.

If webDir is not specified and cannot be taken from the task file, the privoxyDir value is used for webDir.

If domainCSS is not specified and cannot be taken from the task file, Element Hide functionality is disabled. No webserver is needed in this case.

domainCSS can contain just an IP address if the CSS web server has no associated domain. Use localhost or 127.0.0.1 if you run your browser on the same machine as the webserver.

Usage

Example of first run:

adblock2privoxy -p /etc/privoxy -w /var/www/privoxy -d www.example.com -t my_ab2b.task https://easylist-downloads.adblockplus.org/easylist.txt https://easylist-downloads.adblockplus.org/advblock.txt my_custom.txt

Example of subsequent runs:

adblock2privoxy -t my_ab2b.task

The app generates following files

How to apply results

  1. Install privoxy. Optionally set it up as a transparent proxy. See the privoxy installation manual for details.

  2. Change privoxy config file located in

Add the following lines:

actionsfile ab2p.system.action
actionsfile ab2p.action
filterfile ab2p.system.filter
filterfile ab2p.filter
  3. To make Element hiding work you also need a webserver to serve the CSS files. You can choose nginx, apache or any other webserver. See the nginx installation manual, the apache on linux installation manual or the apache on windows installation manual for details.

  4. Change webserver config. In examples below

    • replace www.example.com with your domain or IP address (equal to --domainCSS adblock2privoxy parameter)
    • replace /var/www/privoxy with your CSS files location (equal to --webDir adblock2privoxy parameter)
    • remember, these examples are simplified for use by inexperienced people. If you're familiar with webserver administration, you'll find better ways to apply these configs.

Nginx config: add the following lines to the http section of the nginx.conf file

server {
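      # enable TLS on the listen directive; the standalone "ssl on;" directive
      # is obsolete and rejected by current nginx releases
      listen www.example.com:443 ssl;
      #ab2p css domain name (optional, should be equal to --domainCSS parameter)
      server_name www.example.com;
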
      ssl_certificate      certs/adblock2privoxy-nginx.chain.pem;
      ssl_certificate_key  certs/adblock2privoxy-nginx.key.pem.decrypted;
      # use modern crypto
      # https://ssl-config.mozilla.org
      ssl_protocols TLSv1.3;
      ssl_prefer_server_ciphers on;
      ssl_dhparam certs/dhparam.pem;
      ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:EECDH+AESGCM:EDH+AESGCM;
      ssl_ecdh_curve secp384r1;
      ssl_session_timeout  180m;
      ssl_session_cache    shared:SSL:20m;
      ssl_session_tickets  off;
      add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

      # comply with Content Security policy
      add_header Content-Type "text/css";
      add_header X-Content-Type-Options nosniff;

      #root = --webDir parameter value
      root /var/www/privoxy;

      location ~ ^/[^/.]+\..+/ab2p.css$ {
          # first reverse domain names order
          rewrite ^/([^/]*?)\.([^/.]+)(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?/ab2p.css$ /$9/$8/$7/$6/$5/$4/$3/$2/$1/ab2p.css last;
      }

      location ~ (^.*/+)[^/]+/+ab2p.css {
          # then try to get CSS for current domain
          # if it is unavailable - get CSS for parent domain
          try_files $uri $1ab2p.css;
      }
}
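
The lookup that the two nginx location blocks above perform, modelled in Python as an added example (not part of this project's code): the first block reverses the host labels, the second walks up to the parent domain until a file exists. The function names and the WEBDIR sample tree are constructed for illustration, and the model assumes request URIs that end in /ab2p.css.

```python
import re

# Patterns copied from the nginx config above. $1 is lazy and may absorb extra
# labels (with dots); $2..$9 are single labels containing no "." or "/".
LOCATION = re.compile(r"^/[^/.]+\..+/ab2p.css$")
REWRITE = re.compile(
    r"^/([^/]*?)\.([^/.]+)" + r"(?:\.([^/.]+))?" * 7 + r"/ab2p.css$"
)

def reversed_uri(uri):
    """First location block: /www.example.com/ab2p.css -> /com/example/www/ab2p.css."""
    if not LOCATION.search(uri):
        return None
    m = REWRITE.match(uri)
    if m is None:
        return None
    # nginx emits /$9/$8/.../$1/ab2p.css; unset groups expand to empty strings,
    # leaving repeated slashes that this model collapses.
    labels = [g for g in reversed(m.groups()) if g]
    return "/" + "/".join(labels) + "/ab2p.css"

def candidates(uri):
    """Second location block: try_files checks $uri, then falls back one level up."""
    path = reversed_uri(uri) or uri
    if not path.endswith("/ab2p.css"):
        return []
    parts = [p for p in path.split("/")[:-1] if p]
    return ["/" + "/".join(parts[:n] + ["ab2p.css"])
            for n in range(len(parts), -1, -1)]

def resolve(uri, existing):
    """Return the first candidate found in `existing` (paths relative to --webDir)."""
    return next((c for c in candidates(uri) if c in existing), None)

# Constructed sample tree, not real adblock2privoxy output.
WEBDIR = {"/ab2p.css", "/com/example/ab2p.css"}

if __name__ == "__main__":
    for host in ("www.example.com", "news.example.org"):
        uri = f"/{host}/ab2p.css"
        print(uri, "->", resolve(uri, WEBDIR))
```

A host with more than nine labels still matches, because the lazy first group absorbs the extra leading labels as a single path component.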

The CSS web server must use HTTPS to comply with standard Content Security policies that prohibit mixed content. Example nginx.conf and openssl.cnf files are included in this repo that generate the necessary PKI. Modify these as appropriate. Example openssl commands:

mkdir certs && cd certs
touch index.txt
echo 1000 > serial

# CA certificate encrypted key passphrase, both -passin and -passout
sf-pwgen --algorithm memorable --count 2 --length 24 2>/dev/null | paste -s -d -- '-' \
    1>passphrase.txt || true
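# fall back to openssl if sf-pwgen is unavailable or produced a short passphrase
# (-lt is the numeric comparison; a bare < inside [ ] is an input redirection)
if [ $(head -1 passphrase.txt | wc -c) -lt 20 ]; then \
    openssl rand -base64 23 1>passphrase.txt 2>/dev/null; fi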
cat passphrase.txt passphrase.txt > passphrase-dbl.txt \
    && mv passphrase-dbl.txt passphrase.txt \
    || rm -f passphrase-dbl.txt
chmod go-rwx passphrase.txt

# CA encrypted key
# EC
openssl genpkey -out ca.key.pem -algorithm EC \
    -pkeyopt ec_paramgen_curve:P-256 -aes256 \
    -pass file:passphrase.txt

# RSA
# # openssl genpkey -out ca.key.pem -algorithm RSA \
# #     -pkeyopt rsa_keygen_bits:2048 -aes256 \
# #     -pass file:passphrase.txt

# CA certificate
# written to the current directory (certs/), where the commands below read it
openssl req -config openssl.cnf \
    -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.cert.pem \
    -key ca.key.pem -passin file:passphrase.txt -batch

# CA certificate text verification
openssl x509 -text -noout -in ca.cert.pem

# CA certificate openssl self-verification
openssl verify -CAfile ca.cert.pem ca.cert.pem

# Server certificate encrypted key and decrypted key
openssl genpkey -out adblock2privoxy-nginx.key.pem \
    -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -aes256 \
    -pass file:passphrase.txt
openssl ec -in adblock2privoxy-nginx.key.pem -passin file:passphrase.txt \
    -out adblock2privoxy-nginx.key.pem.decrypted
chmod go-rwx adblock2privoxy-nginx.key.pem.decrypted

# Server certificate CSR
openssl req -config openssl.cnf -new -sha256 -extensions server_cert \
    -key adblock2privoxy-nginx.key.pem -passin file:passphrase.txt \
    -out adblock2privoxy-nginx.csr.pem -batch

# Server certificate (825 days maximum validity)
# https://support.apple.com/en-us/HT210176
openssl ca -config openssl.cnf -days 825 -notext -md sha256 \
    -extensions server_cert -in adblock2privoxy-nginx.csr.pem \
    -out adblock2privoxy-nginx.cert.pem -passin file:passphrase.txt \
    -subj '/CN=adblock2privoxy-nginx' -batch

# Server certificate chain of trust
cat adblock2privoxy-nginx.cert.pem ca.cert.pem > adblock2privoxy-nginx.chain.pem

# Server certificate text
openssl x509 -in adblock2privoxy-nginx.cert.pem -text -noout

# Server certificate and chain validity
openssl verify -CAfile ca.cert.pem adblock2privoxy-nginx.cert.pem
openssl verify -CAfile ca.cert.pem adblock2privoxy-nginx.chain.pem

# DH params
openssl dhparam -out dhparam.pem 2048

Apache config: put following lines into

<VirtualHost *:80>
      #ab2p css domain name (optional, should be equal to --domainCSS parameter)
      ServerName www.example.com

      #root = --webDir parameter value
      DocumentRoot /var/www/privoxy

      RewriteEngine on

      # first reverse domain names order
      RewriteRule ^/([^/]*?)\.([^/.]+)(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?(?:\.([^/.]+))?/ab2p.css$ /$9/$8/$7/$6/$5/$4/$3/$2/$1/ab2p.css [N]

      # then try to get CSS for current domain
      # if it is unavailable - get CSS for parent domain
      RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
      RewriteRule (^.*/+)[^/]+/+ab2p.css$ $1ab2p.css [N]
</VirtualHost>
  5. Get adblock2privoxy output

    • Either run adblock2privoxy providing privoxy dir, web dir, domain and adblock input file urls such as
      • EasyList
      • Russian AD list
      • and many others from official adblock repository
    • Or just download processed lists from downloads page and unpack the privoxy and web directories' content into
      • /var/www/privoxy and /var/www/privoxy for linux
      • C:\Program Files\Privoxy and [your webserver directory] for windows
  6. Restart privoxy and webserver to load updated configs

Contribution

Adblock2Privoxy installation

From binary package

There are packages for various systems available at downloads page

From sources

You can build and run adblock2privoxy from sources if there is no binary package for your system.

  1. Ensure you have Haskell Stack environment

    • Install Stack for your platform
  2. Build the app:

cd adblock2privoxy
stack setup
stack build

[Note: issuing the command stack unpack adblock2privoxy downloads the original adblock2privoxy from Hackage to the directory ./adblock2privoxy-*, which does not contain the modifications of this fork.]

macOS build specifics

* The `.stack` directory cannot be in a path that contains spaces
* Use macOS's native gcc compiler in `/usr/bin/gcc`, not Macports (see issues).
$ which gcc
/usr/bin/gcc

$ gcc --version
Configured with: --prefix=/Applications/Xcode.app/Contents/Developer/usr --with-gxx-include-dir=/usr/include/c++/4.2.1
Apple LLVM version 8.1.0 (clang-802.0.42)

export PATH=/usr/bin:$PATH  # ensure that /usr/bin/gcc is found first
export STACK_ROOT=/path/to/local/stack/dir/without/spaces/.stack

stack setup
stack build

Install the binary (e.g. to /usr/local/bin):

sudo -E bash -c 'export PATH=/usr/bin:$PATH ; export STACK_ROOT=/path/to/local/stack/dir/without/spaces/.stack ; stack setup --allow-different-user ; stack install --local-bin-path /usr/local/bin --allow-different-user'
  3. Run the app:
stack exec adblock2privoxy -- [YOUR ARGS]
#for example: stack exec adblock2privoxy -- -p /etc/privoxy -d example.com https://easylist-downloads.adblockplus.org/easylist.txt
adblock2privoxy -- [YOUR ARGS]

Packaging

You can create your own binary package for adblock2privoxy.

Use scripts from distribution folder for your platform.