Use Envoy and AdGuard Home to block annoying ads

Usually when we go online, the broadband operator assigns us a DNS server. That DNS is normally the fastest and the closest to us, but it has many problems, such as:

  1. Access to some web services, such as Apple’s iCloud, is slow.
  2. If you care about security, you want a DNS that helps ensure you reach the genuine sites.
  3. You are tired of being redirected to a page full of ads every time you mistype a URL.

In these cases you need a custom DNS. A custom DNS not only speeds up page loading but also improves browsing security. More importantly, if you use Google Chrome you should know that Google will restrict ad-blocking extensions in the future, so (if you don’t want to switch browsers) you will need either system-wide ad-blocking software or ad blocking at the DNS server level.

AdGuard Home is network-wide ad-blocking and anti-tracking software: it blocks domain names associated with ads and tracking by pointing them at empty hosts (a DNS black hole). In short, it is an open-source public DNS server, written in Go, that supports parental controls and ad filtering. Crucially, it also supports DNS over TLS and DNS over HTTPS, runs on x86 Linux and Raspberry Pi, and can be deployed on Clusternas via Docker.

1. Install AdGuard Home

The installation of AdGuard Home depends on your platform; its binaries are published at github.com/AdguardTeam… and you can download the latest version for your own platform. The macOS installation goes as follows:

# Download AdGuard Home
$ wget https://github.com/AdguardTeam/AdGuardHome/releases/download/v0.98.1/AdGuardHome_MacOS.zip

# Unzip and go to the AdGuardHome_MacOS directory
$ unzip AdGuardHome_MacOS.zip && cd AdGuardHome_MacOS

# Copy the binary to a directory in $PATH
$ cp ./AdGuardHome /usr/local/bin/

# Create the plist file for the Launch Daemon and start the service
$ AdGuardHome -s install

Now you can see the configuration and status information of the service:

$ sudo launchctl list AdGuardHome

{
	"StandardOutPath" = "/var/log/AdGuardHome.stdout.log";
	"LimitLoadToSessionType" = "System";
	"StandardErrorPath" = "/var/log/AdGuardHome.stderr.log";
	"Label" = "AdGuardHome";
	"TimeOut" = 30;
	"OnDemand" = false;
	"LastExitStatus" = 0;
	"PID" = 1464;
	"Program" = "/usr/local/bin/AdGuardHome";
	"ProgramArguments" = (
		"/usr/local/bin/AdGuardHome";
		"-s";
		"run";
	);
};

The plist file is in the /Library/LaunchDaemons/ directory:

$ cat /Library/LaunchDaemons/AdGuardHome.plist

<?xml version='1.0' encoding='UTF-8'?>
<plist version='1.0'>
<dict>
<key>Label</key><string>AdGuardHome</string>
<key>ProgramArguments</key>
<array>
        <string>/usr/local/bin/AdGuardHome</string>
        <string>-s</string>
        <string>run</string>
</array>
<key>WorkingDirectory</key><string>/Users/freya/Downloads/Compressed/AdGuardHome_MacOS</string>
<key>SessionCreate</key><false/>
<key>KeepAlive</key><true/>
<key>RunAtLoad</key><true/>
<key>Disabled</key><false/>
<key>StandardOutPath</key>
<string>/var/log/AdGuardHome.stdout.log</string>
<key>StandardErrorPath</key>
<string>/var/log/AdGuardHome.stderr.log</string>
</dict>
</plist>

Those unfamiliar with Launch Daemons can refer to Launch Daemons/Agents for Mac OS X.

Check which port it is listening on:

$ sudo lsof -iTCP -sTCP:LISTEN -P -n|grep AdGuard
AdGuardHo 9990  root    3u  IPv6 0xb76d091ec878f951      0t0  TCP *:3000 (LISTEN)

Open a browser and type http://127.0.0.1:3000/ to access the AdGuard Home administration interface.

Click “Start Configuration” and set the port for the web page administration and DNS service.

Click “Next” to set the user name and password.

Finally, click “Next” and you’re done.

On the dashboard, we can see the number of DNS queries, the sites blocked by the filter, the address of the client that queried the DNS request, and so on.

Check the port numbers again: the admin interface has moved to the port you just set, and there is an additional DNS service port:

$ sudo lsof -iTCP -sTCP:LISTEN -P -n|grep AdGuard
AdGuardHo 10619  root   11u  IPv6 0xb76d091eb6671751      0t0  TCP *:53 (LISTEN)
AdGuardHo 10619  root   12u  IPv6 0xb76d091ebc3c7751      0t0  TCP *:5300 (LISTEN)

$ sudo lsof -iUDP -P -n|grep AdGuard
AdGuardHo 10619           root   10u  IPv6 0xb76d091eb89601c1      0t0  UDP *:53
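A practitioner's check on the output above: AdGuard Home's `*:53` and `*:5300` entries mean the sockets are bound to every interface, so the resolver and the admin interface are reachable from the whole LAN, not only from this Mac. The following script is an added example (not from the original post or the AdGuard project): it parses the output of the two `lsof` commands shown above and lists which processes have wildcard binds. The `SAMPLE_LSOF` text is constructed for the example (it mirrors the post's lines and adds constructed `envoy` and `sshd` rows); `live_listing()` runs the real commands on a macOS/BSD `lsof`.

```python
"""Audit which addresses AdGuard Home (or any process) is listening on.

Added example, not from the original post. It parses the output of
`sudo lsof -iTCP -sTCP:LISTEN -P -n` and `sudo lsof -iUDP -P -n`
and reports sockets bound to all interfaces ("*:port", reachable from
the LAN) versus sockets bound to a specific address such as 127.0.0.1.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format lsof prints (the AdGuardHo rows match the
# post; the envoy and sshd rows are made up for the example).
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
AdGuardHo 10619 root   10u  IPv6 0xb76d091eb89601c1      0t0  UDP *:53
AdGuardHo 10619 root   11u  IPv6 0xb76d091eb6671751      0t0  TCP *:53 (LISTEN)
AdGuardHo 10619 root   12u  IPv6 0xb76d091ebc3c7751      0t0  TCP *:5300 (LISTEN)
envoy     10733 freya  21u  IPv4 0xb76d091ec0d2a3c1      0t0  TCP *:80 (LISTEN)
envoy     10733 freya  22u  IPv4 0xb76d091ec0d2a4d1      0t0  TCP *:15001 (LISTEN)
sshd        412 root    4u  IPv4 0xb76d091ec0d2a5e1      0t0  TCP 127.0.0.1:2222 (LISTEN)
"""

# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME. lsof prints "*"
# as the host part of NAME for a wildcard bind (0.0.0.0 or ::).
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+(?P<family>IPv[46])\s+"
    r"\S+\s+\S+\s+(?P<proto>TCP|UDP)\s+(?P<host>\S+):(?P<port>\d+)"
)


def parse_lsof(output: str) -> List[Dict[str, object]]:
    """Turn lsof text into one dict per socket; header/unmatched lines are skipped."""
    sockets: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry: Dict[str, object] = dict(m.groupdict())
        entry["wildcard"] = entry["host"] == "*"  # bound on every interface
        sockets.append(entry)
    return sockets


def exposed_ports(output: str, command: Optional[str] = None) -> List[Tuple[str, int]]:
    """Sorted (proto, port) pairs bound to all interfaces, optionally for one command.

    `command` is matched as a prefix because lsof truncates COMMAND ("AdGuardHo").
    """
    return sorted({
        (str(s["proto"]), int(str(s["port"])))
        for s in parse_lsof(output)
        if s["wildcard"] and (command is None or str(s["cmd"]).startswith(command))
    })


def live_listing() -> str:
    """Run the two lsof commands from the post (run as root to see other users' sockets)."""
    tcp = subprocess.run(["lsof", "-iTCP", "-sTCP:LISTEN", "-P", "-n"],
                         capture_output=True, text=True).stdout
    udp = subprocess.run(["lsof", "-iUDP", "-P", "-n"],
                         capture_output=True, text=True).stdout
    return tcp + udp


if __name__ == "__main__":
    for proto, port in exposed_ports(SAMPLE_LSOF):
        print(f"{proto} {port} is bound to all interfaces")
```

Run it against `live_listing()` instead of the sample to audit the real machine. If port 53 or the admin port should only serve this host, bind them to 127.0.0.1 in the AdGuard Home setup wizard; the same question applies to the Envoy admin endpoint (port 15001 in the configuration later in this post), which has no authentication of its own.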

2. Optimize the configuration

The default configuration is fairly basic and can be tuned for more robust ad blocking.

General settings

Check “Use filters and hosts files to block specified domains”, “Use AdGuard browsing security web service”, and “Enforce safe search”. If you also want to block adult sites, check “Use AdGuard parental control web service”.

Filters

Although AdGuard Home ships with the AdGuard and AdAway filter lists, they are not well suited to China. For more thorough ad blocking you need to add your own rules. AdGuard Home is compatible with Adblock syntax; the best-known filter list, EasyList, is maintained by the Adblock Plus team. A filter list is usually a TXT file whose header shows the date it was last updated.

Recommended ad-filtering lists:

  • EasyList China: the main ad-filtering rules for domestic websites.
  • EasyPrivacy: privacy protection, so that you are not tracked.
  • CJX’s Annoyance List: filters annoying self-promotion and supplements the EasyPrivacy rules.
  • Ad purifier rules: ad filtering for most domestic video websites.
  • I don’t care about cookies.

If videos then load endlessly, add the custom static rule @@mp4.ts (see below).
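Once the filter lists are loaded, the quickest way to confirm the "DNS black hole" is working is to query the resolver directly for a domain you expect to be blocked and see whether it comes back as NXDOMAIN or as 0.0.0.0 (AdGuard Home uses one or the other depending on its blocking mode). The script below is an added example, not code from the post or from AdGuard Home: it builds a raw DNS A query with only the Python standard library, parses the reply, and classifies it. The resolver address 127.0.0.1:53 is the one set up above; `make_response()` exists only to construct offline sample replies, and the domain names in it are made up.

```python
"""Check whether a domain is sinkholed by the local AdGuard Home resolver.

Added example (not from the original post). A DNS response is classified as
"blocked" if its rcode is NXDOMAIN (3) or every A record points at a
sinkhole address, otherwise as "resolved".
"""
import socket
import struct

# Addresses AdGuard Home can return for blocked names (0.0.0.0 in its default
# blocking mode); 127.0.0.1 is included as the classic hosts-file sinkhole.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive A/IN query (RFC 1035 header + question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_response(msg: bytes):
    """Return (rcode, [A-record IPs]) from a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, ips


def classify(rcode: int, ips) -> str:
    if rcode == 3:
        return "blocked (NXDOMAIN)"
    if ips and all(ip in SINKHOLE_IPS for ip in ips):
        return "blocked (sinkhole)"
    if rcode == 0 and ips:
        return "resolved"
    return "unknown"


def check_domain(name: str, server: str = "127.0.0.1", port: int = 53, timeout: float = 2.0) -> str:
    """Send the query over UDP to the resolver and classify the answer."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify(*parse_response(data))


def make_response(name: str, rcode: int = 0, ips=(), ttl: int = 60, txid: int = 0x1234) -> bytes:
    """Construct a reply to build_query(name); used only for offline samples."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)  # QR, RD, RA
    question = build_query(name, txid)[12:]
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + question + answers


if __name__ == "__main__":
    # Offline demonstration on constructed replies; swap in check_domain("...") on a live resolver.
    print(classify(*parse_response(make_response("ads.example.test", ips=["0.0.0.0"]))))
    print(classify(*parse_response(make_response("tracker.example.test", rcode=3))))
    print(classify(*parse_response(make_response("example.test", ips=["192.0.2.10"]))))
```

A domain that reports "resolved" after you expected it to be blocked usually means the rule is not in any loaded list, or the client bypassed this resolver (for example through a browser's own DNS-over-HTTPS setting), which the query log described below will also show.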

Upstream DNS Settings

By default, Cloudflare’s DNS over HTTPS is used as the upstream server. In China the latency to that upstream can be high, so you can add or substitute domestic DNS servers. I have also added two groups of non-polluted DNS servers from USTC. Every query is sent to all upstream servers in parallel to speed up resolution.

Query log

On this page you can view the DNS query logs of all devices, download the entire log file, and quickly block or allow a domain name.

Improving QPS

There are two parameters that can significantly improve QPS:

  • ratelimit: DDoS protection, the maximum number of packets per second accepted from one client. The default is 20; you are advised to disable it (set the value to 0).
  • blocked_response_ttl: the TTL of blocked responses. You are advised to set it to 60.

The default configuration file path is /usr/local/bin/AdGuardHome.yaml.
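To make the trade-off behind `ratelimit` concrete, here is an added example (not AdGuard Home's code; a simplified model of a per-client limit of N packets per second, implemented as a one-second sliding window). It replays a constructed burst of queries from two LAN clients and reports how many each limit accepts and drops. Disabling the limit (0) is what the post recommends for throughput; the model shows that it only makes sense when the resolver is reachable solely from clients you trust, because the limit is the one thing stopping a single source from monopolising the server.

```python
"""Model of AdGuard Home's per-client `ratelimit` (packets per second).

Added example, not the project's implementation: a sliding-window limiter
applied to constructed traffic so the effect of ratelimit: 20 versus
ratelimit: 0 (limiter off) is visible.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Tuple


class ClientRateLimiter:
    def __init__(self, per_second: int):
        self.limit = per_second                       # 0 disables limiting, as in AdGuardHome.yaml
        self.windows: Dict[str, Deque[float]] = defaultdict(deque)  # client -> accepted timestamps

    def allow(self, client: str, now: float) -> bool:
        """Accept the packet unless `client` already had `limit` packets accepted in the last second."""
        if self.limit == 0:
            return True
        window = self.windows[client]
        while window and now - window[0] >= 1.0:     # expire timestamps older than one second
            window.popleft()
        if len(window) >= self.limit:
            return False
        window.append(now)
        return True


def simulate(per_second: int, queries: Iterable[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """Replay (timestamp, client_ip) pairs; return {client: (accepted, dropped)}."""
    limiter = ClientRateLimiter(per_second)
    stats: Dict[str, list] = defaultdict(lambda: [0, 0])
    for ts, client in queries:
        stats[client][0 if limiter.allow(client, ts) else 1] += 1
    return {client: (acc, drop) for client, (acc, drop) in stats.items()}


# Constructed traffic: one LAN host issuing 50 queries within a second (a page
# loading many ad and tracker domains) and another issuing 5 spread over the
# same second. Addresses are made up for the example.
BURST = ([(i * 0.02, "192.168.1.10") for i in range(50)]
         + [(i * 0.2, "192.168.1.20") for i in range(5)])


if __name__ == "__main__":
    for limit in (20, 0):
        print(f"ratelimit={limit}: {simulate(limit, BURST)}")
```

With the default of 20, the busy client has 30 of its 50 queries dropped in that second, which is exactly the slowdown the post observes on pages that trigger many lookups; a client within the limit is unaffected. The real setting also has a ratelimit whitelist for trusted addresses, which is a middle ground between 20 and 0.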

Use Envoy as the front proxy

That would be the end of it, but I’m a bit obsessive, and I don’t want my app’s admin interface on some odd, non-standard port. One might ask: why not set the admin interface to port 80 or 443? Good question: with all the odd applications deployed on my computer, I only have one port 80, which is not enough, so I have to consider adding a front proxy.

As a cloud native enthusiast, the choice is of course Envoy. Although Envoy is hard to compile, the engineers at Tetrate (including core contributors and maintainers of Envoy) have launched the GetEnvoy project, which builds Envoy with a set of proven build tools and distributes it through the usual package managers, including Homebrew. We can install it directly from Homebrew:

$ brew tap tetratelabs/getenvoy
==> Tapping tetratelabs/getenvoy
Cloning into '/usr/local/Homebrew/Library/Taps/tetratelabs/homebrew-getenvoy'...
Tapped 1 formula.

$ brew install envoy
==> Installing envoy from tetratelabs/getenvoy
==> Downloading ...
######################################################################## 100.0%
🍺  /usr/local/Cellar/envoy/1.10.0: 3 files, 27.9MB, built in 13 seconds

$ envoy --version
envoy  version: e349fb6139e4b7a59a9a359be0ea45dd61e589c5/1.11.1/clean-d4a5/RELEASE/BoringSSL getenvoy-930

Here’s my Envoy configuration file:

static_resources:
  listeners:
  - address:
      # Tells Envoy to listen on 0.0.0.0:80
      socket_address:
        address: 0.0.0.0
        port_value: 80
    filter_chains:
    # Any requests received on this address are sent through this chain of filters
    - filters:
      # If the request is HTTP it will pass through this HTTP filter
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: auto
          stat_prefix: http
          access_log:
            name: envoy.file_access_log
            typed_config:
              "@type": type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog
              path: /dev/stdout
          route_config:
            name: search_route
            virtual_hosts:
            - name: backend
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: adguard
          http_filters:
          - name: envoy.router
            typed_config: {}
  clusters:
  - name: adguard
    connect_timeout: 1s
    type: strict_dns
    dns_lookup_family: V4_ONLY
    lb_policy: round_robin
    load_assignment:
      cluster_name: adguard
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 5300
admin:
  access_log_path: "/dev/stdout"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 15001

Create the plist file for the Launch Agent:

$ cat /Library/LaunchAgents/envoy.plist

<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>envoy</string>
    <key>ProgramArguments</key>
    <array>
      <string>/usr/local/bin/envoy</string>
      <string>--config-path</string>
      <string>/Users/freya/bin/front-proxy.yaml</string>
    </array>
    <key>StandardOutPath</key>
    <string>/var/log/envoy.stdout.log</string>
    <key>StandardErrorPath</key>
    <string>/var/log/envoy.stderr.log</string>
    <key>KeepAlive</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
    <key>Disabled</key>
    <false/>
  </dict>
</plist>

Load the Envoy service:

$ sudo launchctl load /Library/LaunchAgents/envoy.plist

You can now open the AdGuard Home administration interface in your browser at http://127.0.0.1/

Later, other applications whose admin interfaces cannot be exposed directly can be added as Envoy backends, routed by URL path. For more advanced play you can also hook up Prometheus monitoring: Envoy’s metrics path is /stats/prometheus.

If you’re wondering why my browser renders the metrics in colour, reply ◉ Prometheus ◉ to the official account.

Finally, don’t forget to set the macOS DNS server to 127.0.0.1.

WeChat official account

Scan the QR code below to follow the WeChat official account, and reply ◉ 加群 ◉ to join our cloud native discussion group, where you can discuss cloud native technology with Sun Hongliang, Zhang Curator, Yang Ming and other leaders.