In general, install a proxy which has its own certificate, resign every tls session with those keys, add the certificate of the proxy as a trusted certificate on your device.

I’m not familiar with off the shelf solutions for this that have ad blocking built in. Also ads are injected by JS so you need a mechanism to detect that.

More and more ads are now served from the same domain as the site making it harder to distinguish them from real content.

The open source solution is to configure the latest Squid proxy as a Squid SSL Bump proxy. There are a handful of sites it will not work with due to them still using public key pinning but its a tiny list. I do not have it handy at the moment.

Squid supports ACL's that can block URL patterns, domains, IP addresses, file extensions, mime types and much more.

Here [1] is an out of date example. There are probably better and more up to date examples. Some examples are based off Squid V3 as some distros still ship with that but Squid 6 added more flexibility around chaining options SOCKS options and such.

[1] - https://github.com/alatas/squid-alpine-ssl

ZScaler Internet Access will do it with the right blocking configurations (eg, blocking "Advertising" groups).

But then you're using ZScaler and that just feels all nice and icky.