by spockz 51 days ago
In general, install a proxy which has its own certificate, re-sign every TLS session with those keys, and add the certificate of the proxy as a trusted certificate on your device.

I’m not familiar with off-the-shelf solutions for this that have ad blocking built in. Also, ads are injected by JS, so you need a mechanism to detect that.

More and more ads are now served from the same domain as the site, making it harder to distinguish them from real content.

2 comments

The open source solution is to configure the latest Squid proxy as a Squid SSL Bump proxy. There are a handful of sites it will not work with due to them still using public key pinning, but it's a tiny list. I do not have it handy at the moment.

Squid supports ACLs that can block URL patterns, domains, IP addresses, file extensions, MIME types and much more.

Here [1] is an out-of-date example. There are probably better and more up-to-date examples. Some examples are based off Squid V3, as some distros still ship with that, but Squid 6 added more flexibility around chaining options, SOCKS options and such.

[1] - https://github.com/alatas/squid-alpine-ssl
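
A sketch of the setup described in the comment above, added here as an illustration; it is not the commenter's configuration and is not taken from the linked repository. It uses Squid 4+ directive names, and every file path, the helper location, the list files and the `localnet` range are assumptions to adapt to your distro and network.

```conf
# squid.conf fragment (added example; paths and list files are assumptions)

# Proxy port that terminates TLS and mints a per-host certificate signed by
# the proxy's own CA. That CA certificate must be trusted on each client.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/ssl/proxy-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that generates the forged leaf certificates (named ssl_crtd in Squid 3).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the TLS ClientHello first so the SNI is known before deciding.
acl step1 at_step SslBump1
ssl_bump peek step1

# Sites that break under interception (e.g. pinned clients): pass through
# untouched. nobump.txt holds one server name per line (constructed list).
acl nobump ssl::server_name "/etc/squid/nobump.txt"
ssl_bump splice nobump

# Everything else is decrypted, so URL-level ACLs below can see the path.
ssl_bump bump all

# Block by domain: works even without bumping, since CONNECT exposes the host.
acl ad_domains dstdomain "/etc/squid/ad_domains.txt"
http_access deny ad_domains

# Block by URL path: only effective on bumped traffic. This is the rule that
# can catch ads served from the same domain as the site's real content.
acl ad_paths urlpath_regex -i "/etc/squid/ad_paths.txt"
http_access deny ad_paths

# Restrict the proxy to local clients; an open bumping proxy is a liability.
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
```

The proxy CA private key can decrypt every bumped session, so keep it readable only by the Squid user, and put banking or other sensitive hosts in the splice list.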

ZScaler Internet Access will do it with the right blocking configurations (e.g., blocking "Advertising" groups).

But then you're using ZScaler and that just feels all nice and icky.