I was thinking about this problem (how to allow clicks while blocking ads from same servers) after I set up pi-hole yesterday.
A solution I thought of was to spoof www.googleadservices.com with a server that just replies with a 404 for everything except the ad-click URLs (e.g. /pagead/aclk?.......&adurl=http://www.destinationurl.com/), which the server would respond to with a simple 302 redirect to the correct URL (shouldn't be hard, after all the destination URL is right there).
First problem is that it's https, which makes spoofing difficult, but not impossible if you have control of the client device (the browser) and can add trusted certificates to it. So first I tried making a self-signed certificate for www.googleadservices.com:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
cat key.pem certificate.pem > key-and-cert.pem
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
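And used it to set up an https server under lighttpd (running on the same server as pi-hole):
# TLS listener on port 443 using the self-signed key and certificate
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/key-and-cert.pem"
    # empty document root: no content is served
    server.document-root = "/srv/http/empty"
}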
I visited https://www.googleadservices.com/ and got a "cannot verify trust blah blah blah" error. I expected that, but I found that I kept getting them even after adding the certificate (the .p12 file) to Firefox. It seems like self-signed certs are just not allowed for HSTS sites whether you add the cert or not. So I followed this guide to make a Certificate Authority, an Intermediate Certificate Authority, and a new CA-signed cert, which I then configured lighttpd to use:
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    # CA chain (root + intermediate) and the CA-signed key and certificate
    ssl.ca-file = "/etc/lighttpd/certs/ca-chain.cert.pem"
    ssl.pemfile = "/etc/lighttpd/certs/key-and-cert.pem"
    server.document-root = "/srv/http/empty"
    $HTTP["host"] == "www.googleadservices.com" {
        ssl.pemfile = "/etc/lighttpd/certs/key-and-cert.pem"
        ssl.ca-file = "/etc/lighttpd/certs/ca-chain.cert.pem"
        # redirect ad-click URLs to whatever follows adurl=
        url.redirect = ("^/pagead/.*adurl=(.*)$" => "$1")
    }
}
After adding ca-chain.cert.pem to Firefox this worked, and with the url.redirect expression I added above it successfully performed redirection of Google search results for me. But there's a problem: that server will now answer all https traffic directed to it (e.g. all the https ad servers pi-hole has blocked) and it will get cert errors on all of them except www.googleadservices.com. One possible way around this is to put this spoofing server on a different machine to where pi-hole is running, then unblock the Google ad sites but use the hosts file (on pi-hole) to redirect them to the new server. You could probably even use IP aliasing to run https on the same server as pi-hole; in fact you might need to do this anyway to support the multiple domains Google uses.
This solution is getting quite complicated at this point, and I'm not sure I can be bothered continuing just so I can click Google ads in their search results, so I'm posting this info in case someone really wants it bad enough to finish what I've started.
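
The "404 for everything except ad clicks, 302 to adurl" decision described in the post, written out as an added example (not the poster's code or lighttpd configuration). The names decide, AD_HOST and CLICK_PREFIX are hypothetical; unlike the regex capture, it takes only the adurl parameter, percent-decodes it, and redirects only to absolute http(s) URLs.

```python
from urllib.parse import urlsplit, parse_qs

AD_HOST = "www.googleadservices.com"  # host named in the post
CLICK_PREFIX = "/pagead/"             # prefix used by the post's url.redirect rule


def decide(host, request_target):
    """Hypothetical helper: return (status, location) for one request."""
    # Anything that is not the spoofed ad host gets no redirect.
    if host.split(":")[0].lower() != AD_HOST:
        return 404, None
    parts = urlsplit(request_target)
    if not parts.path.startswith(CLICK_PREFIX):
        return 404, None
    # parse_qs percent-decodes values and stops at the next '&'.
    values = parse_qs(parts.query).get("adurl", [])
    if len(values) != 1:
        return 404, None
    dest = values[0]
    # Control characters (e.g. decoded %0d%0a) must never reach a Location header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in dest):
        return 404, None
    try:
        target = urlsplit(dest)
    except ValueError:
        return 404, None
    # Only absolute http(s) URLs with a host are valid click destinations.
    if target.scheme not in ("http", "https") or not target.hostname:
        return 404, None
    return 302, dest


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        (AD_HOST, "/pagead/aclk?sa=L&adurl=http://www.destinationurl.com/"),
        (AD_HOST, "/pagead/aclk?adurl=https%3A%2F%2Fexample.org%2Fp%3Fa%3D1&x=2"),
        (AD_HOST, "/pagead/aclk?adurl=ftp://example.org/"),
        (AD_HOST, "/pagead/conversion/123/"),
        ("ads.example.net", "/pagead/aclk?adurl=http://example.org/"),
    ]
    for host, target in samples:
        print(host, target, "->", decide(host, target))
```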