Self-hosted ad blocker

Your browser should
work for you

A network-wide HTTPS proxy that blocks ads at the HTTP layer. Adblock Plus and uBlock Origin filter syntax, scriptlet injection, cosmetic filtering, and per-user passkey authentication. Goes where DNS blockers can't.

Quick Start View on GitHub
user@ublproxy:~
# Run with Docker
$ docker run -p 8080:8080 -p 8443:8443 \
  -v ublproxy-data:/data \
  ghcr.io/andrioid/ublproxy:edge
The problem

Ads got smarter. Your tools didn't.

Browser extensions are being weakened. DNS blockers leave gaps. There's a better layer to fight at.

🌐

Browsers serve advertisers

Browsers were supposed to be "user-agents" that work for you. Manifest V3 restricts ad-blocking extensions, making them less effective by design. Your browser's incentives aren't aligned with yours.

🔍

DNS blocking has blind spots

Pi-hole and AdGuard Home block entire hostnames -- but same-origin ads, tracking scripts on CDN paths, and anti-adblock scripts all slip through. You can't block /ads/banner.js at the DNS level.

Features

HTTP-layer ad blocking, done right

Everything you need to take back control of your browsing experience across every device on your network.

📋

Adblock filter lists

Subscribe to EasyList, EasyPrivacy, uBlock Filters, and other community blocklists. Supports Adblock Plus syntax and uBlock Origin extensions — $redirect, $removeparam, $csp, regex patterns, and more.

✂️

URL-path blocking

Block specific paths like /ads/tracker.js while allowing legitimate content from the same domain. Impossible with DNS blockers.

🎨

Cosmetic filtering & scriptlets

CSS element hiding, scriptlet injection (##+js()), and blocked resource stripping. 11 scriptlets neutralize anti-adblock scripts and tracking.

🖱️

Interactive element picker

Press Alt+Shift+B on any proxied page to visually select and block elements. Point, click, done.

🔑

Passkey authentication

No usernames or passwords. Each user authenticates with WebAuthn passkeys and gets their own rules and subscriptions, layered on top of server-wide blocklists.

🌐

Transparent proxy mode

Deploy on a VLAN with firewall rules to intercept all traffic automatically. A captive portal guides new devices through CA certificate setup.

📡

DNS resolver

Devices that can't install a CA cert — smart TVs, game consoles, IoT — get host-level ad blocking via a built-in DNS resolver that null-routes blocked domains. Same blocklists, same per-user rules.

See it in action

A portal you'll actually use

Setup wizard, activity feed, subscription management. All accessible through the proxy's built-in web portal.

ublproxy setup wizard showing CA certificate installation for iOS and macOS
Setup wizard — Guided CA cert install for each platform
ublproxy dashboard showing blocked and passed request statistics
Dashboard — Live stats for blocked and passed requests
ublproxy activity feed showing blocked ads and hidden elements
Activity feed — Every blocked, hidden, and passed request
ublproxy subscriptions page with filter list management
Subscriptions — Manage filter lists with one click
Architecture

Three ways to block ads

Full MITM proxy for browsers, transparent interception for managed networks, or DNS-level blocking for everything else.

Explicit proxy

Explicit proxy mode: Desktop, Laptop and Phone connect to ublproxy on ports 8443 and 8080, which forwards to the Internet
Explicit proxy — PAC file or manual proxy settings. Full MITM filtering with CSS injection, scriptlets, and resource stripping.

Transparent proxy

Transparent proxy mode: Device traffic is redirected by a firewall to ublproxy, which forwards to the Internet
Transparent proxy — Firewall redirects VLAN traffic. No client config needed. Captive portal for CA setup.

DNS resolver

DNS resolver mode: Smart TV and IoT devices query ublproxy on port 53, which forwards to upstream DNS
DNS resolver — Null-routes blocked hostnames. For devices that can't install a CA certificate.
Comparison

ublproxy vs DNS blockers

Different layers, different strengths. They work best together.

Capability ublproxy DNS blockers
URL-path blocking Yes No — hostname only
Cosmetic filtering (hide elements) Yes — CSS injection No — leaves placeholders
Adblock filter syntax ABP + uBO extensions Domain lists only
Anti-adblock resilience Content-level modification Easily detected
Per-user rules Passkey auth No — network-wide only
Setup complexity CA cert + proxy config Change DNS server
Devices without CA support Built-in DNS resolver Native
Non-HTTP protocols HTTP/HTTPS only All protocols
Resource usage Higher — TLS decrypt/re-encrypt Minimal

These approaches aren't mutually exclusive. A DNS blocker handles the bulk of known ad domains cheaply, while ublproxy handles the cases DNS blocking can't reach. ublproxy's built-in DNS resolver (--dns-port) covers devices that can't install a CA cert.

Security

Tradeoffs you should know about

ublproxy decrypts your traffic to block ads. That power comes with responsibilities and limitations.

🔏

This is a MITM proxy

All HTTPS traffic is decrypted, inspected, and re-encrypted. That's the point — but it means you should only run this on a network you control. Self-hosted, not cloud.

🏦

Cert-pinned apps need exceptions

Banking apps, security tools, and some system services use certificate pinning and will reject MITM certs. The proxy detects this automatically and switches to passthrough. You can also add manual rules (@@||domain^).

📱

Mobile connections are unencrypted

iOS and Android don't support HTTPS proxy connections. Mobile devices use HTTP CONNECT on port 8080 — the target hostname is visible on your LAN, though the tunneled content stays TLS-encrypted.

Get started

Up and running in minutes

Single binary, no external dependencies, pure Go. Docker or download -- your choice.

Docker

Pull the multi-arch image and run:

$ docker run -p 8080:8080 -p 8443:8443 \
  -p 53:53/udp -p 53:53/tcp \
  -e UBLPROXY_DNS_PORT=53 \
  -v ublproxy-data:/data \
  ghcr.io/andrioid/ublproxy:edge
Full setup guide →

Binary

Download a pre-built binary for your platform. Available for Linux, macOS, and Windows on amd64 and arm64.

$ tar xzf ublproxy-linux-amd64.tar.gz
$ ./ublproxy
# Windows (zip archive)
> ublproxy.exe
Download from Releases →