Menu
What's new
By:
Filters Better Search

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Clark Griswald said:
AB-Solution has option to install.
I did not know there was any reason to run two pixelserv within a network, as long as you are running on main router.
Click to expand...

AB-Solution dont have option to install two consecutive instances of pixelserv-tls.

And the reason is either load balancing or make the secondary instance act as a filter for rouge domains which failed TLS Handshake for multiple reasons, that way the primary instance stats looks neat.
 
kvic said:
Unknown TLS handshake errors

Remember slu / uce / uca that we introduced in pixelserv-tls 2.1?

I'm tired of glimpsing my pixelserv.log for suspicious errors. So wrote a little script to do the task for me. The script will skip suppressed (client, server) pairs, and highlight any new unknown cert/unknown CA entries for the day.

It sends an email report. See screenshot below. If there are new entries, they'll be listed in place of the "hooray" message.

The script has following requirements:
  1. You enable minimum log LEVEL 2 in pixelserv-tls.
  2. Set up a cron job for this script to run at the end of the day (23:59 recommended)
  3. Supply your own email sending script that takes two arguments: 1st arg subject as in double quotes. 2nd arg body of email from a file.
Any privacy conscious ppl want to try...pls let me know. :)
Click to expand...

Today's run with layout change and a new feature.
K977WGN.png

If "New breaks (uce/uca)" is non zero, the corresponding section of details will be shown as before.

The new feature of showing "New certs (slm)" was suggested by @Asad Ali. Looks interesting!
 
Hi pixelserv users,

I don't have broken sites but since installing pixelserv-tls thru ab-solution, i'm finding my ESET Anti-Virus warns me many times every day about untrusted certificates. Whenever i check the certificate, it is issued by Pixelserv.

Should i uninstall pixelserv? I'm not noticing any performance boosts with it on. However i may not be understanding how to properly use it, athough it is on the default setup when you install it via Ab-Solution.

Thanks,
gwopman
 
kvic said:
You're lucky that I looked at it before :)

Try to put your pixelserv ip in ESET's exception list. This post has more details: https://www.snbforums.com/threads/ab-solution-webpage-antivirus-problems.46817/page-3#post-408752

That particular thread was not conclusive about the result though. Hence, would appreciate if you could try and provide feedback.
Click to expand...

Your timing couldn't have been more perfect! I did check the first and last pages of the thread quickly so i missed that. I'll white list the pixelserv IP in ESET for now, and report back whether everything's perfect or any problems after i've tried it out for a little while.
 
I'm getting lots of handshake failed logs for my iphone even though certificate is installed. Safari is OK but when I use apps like instagram I get these. any comments?

Code: 
Jun 22 00:29:31 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63574 server (null). Lib(20) Func(118) Reason(252)
Jun 22 00:29:39 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63575 server (null). Lib(20) Func(118) Reason(252)
Jun 22 00:29:39 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63576 server (null). Lib(20) Func(118) Reason(252)
Jun 22 00:29:39 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63577 server (null). Lib(20) Func(118) Reason(252)
Jun 22 00:29:51 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63578 server (null). Lib(20) Func(118) Reason(252)
 
pattiri said:
I'm getting lots of handshake failed logs for my iphone even though certificate is installed. Safari is OK but when I use apps like instagram I get these. any comments?

Code: 
Jun 22 00:29:31 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63574 server (null). Lib(20) Func(118) Reason(252)
Jun 22 00:29:39 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63575 server (null). Lib(20) Func(118) Reason(252)
Jun 22 00:29:39 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63576 server (null). Lib(20) Func(118) Reason(252)
Jun 22 00:29:39 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63577 server (null). Lib(20) Func(118) Reason(252)
Jun 22 00:29:51 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63578 server (null). Lib(20) Func(118) Reason(252)
Click to expand...

Block graph.instagram.com manually in your hosts file to 0.0.0.0 and you'll see improvement.
 
pattiri said:
I'm getting lots of handshake failed logs for my iphone even though certificate is installed. Safari is OK but when I use apps like instagram I get these. any comments?

Code: 
Jun 22 00:29:31 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63574 server (null). Lib(20) Func(118) Reason(252)
Jun 22 00:29:39 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63575 server (null). Lib(20) Func(118) Reason(252)
Jun 22 00:29:39 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63576 server (null). Lib(20) Func(118) Reason(252)
Jun 22 00:29:39 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63577 server (null). Lib(20) Func(118) Reason(252)
Jun 22 00:29:51 Ev pixelserv-tls: handshake failed: client 172.24.5.8:63578 server (null). Lib(20) Func(118) Reason(252)
Click to expand...

These are known as "other TLS handshake errors" that in v2.1.1 were logged on LEVEL 5 and moved to LEVEL 2 in 2.1.2.

252 indicates "unknown protocol". I suspect Instagram is doing something unusual to protect traffics between its client and server.

Even the server domain isn't available that indicates failure happens pretty early in the handshake stage.
 
I'm sure this is covered somewhere, but I havne't been able to track down the post. Is this message OK? As far as I know, it's blocked by ab-solution (which is how I'd like it to be)
Code: 
pixelserv-tls[23910]: handshake failed: unknown cert. client 10.14.16.100:38381 server ssl.google-analytics.com
 
@kvic What is the acceptable number for "slc" ? Also any way to trace the cause of "slc" higher than "slh" ?
 
@kvic

I have had your suggestions in place regarding ESET Security on Windows for 4-5 days now,
i have noticed as soon as i whitelisted the pixelserv IP in ESET the internet performance on that machine was even faster than before.
It makes sense since my other devices (PS4, Roku TV, iPhone) all were not slowed down like the PC with ESET.
So i am considering the problem "fixed".

Now i will update to the newest version. :)

BTW i have not checked my failed logs but I have been using a lot of Instagram with no problem
 
Jack Yaz said:
I'm sure this is covered somewhere, but I havne't been able to track down the post. Is this message OK? As far as I know, it's blocked by ab-solution (which is how I'd like it to be)
Code: 
pixelserv-tls[23910]: handshake failed: unknown cert. client 10.14.16.100:38381 server ssl.google-analytics.com
Click to expand...

It's perfectly fine. Your client checks server certificate against its hardcoded local copy. It sees difference and refuses to proceed further and send actual data. The client doesn't want others to inspect what data actually being sent to the real server.

Also, "unknown cert" corresponds to +1 in uce count. "unknown CA" corresponds to +1 in uca count.
 
Asad Ali said:
@kvic What is the acceptable number for "slc" ? Also any way to trace the cause of "slc" higher than "slh" ?
Click to expand...

There is no limit for slc. Any number is valid and acceptable. It's also not unexpected that slc >> slh.

If you have a few "rogue" clients, slc will keep increasing. For example, recently I found Instagram uses a twisted protocol to send data between its client and server graph.instagram.com that had puzzled me for a long time since the beta of v2.1.

It turns out graph.instagram.com uses TLSv1.2 but a cipher from TLSv1.3. No standard server can accept such connection except Facebook's twisted implementation!
 
kvic said:
There is no limit for slc. Any number is valid and acceptable. It's also not unexpected that slc >> slh.

If you have a few "rogue" clients, slc will keep increasing. For example, recently I found Instagram uses a twisted protocol to send data between its client and server graph.instagram.com that had puzzled me for a long time since the beta of v2.1.

It turns out graph.instagram.com uses TLSv1.2 but a cipher from TLSv1.3. No standard server can accept such connection except Facebook's twisted implementation!
Click to expand...

Alighty! Thanks and is such entries (slc) show/logged in any log level?
 
Asad Ali said:
Alighty! Thanks and is such entries (slc) show/logged in any log level?
Click to expand...

All are logged in LEVEL 2 in v2.1.2.

For example, Instagram will look like this:

Code: 
Jun 24 14:42:25 Phaeo pixelserv-tls[25623]: handshake failed: client 192.168.1.111:58931 server graph.instagram.com. Lib(20)         Func(138) Reason(193)

No solution atm. So I continue to send graph.instagram.com to 0.0.0.0 (or a 2nd instance of pixelserv-tls if you have).
 
kvic said:
All are logged in LEVEL 2 in v2.1.2.
Click to expand...

You talking about these entries?

Code: 
 handshake failed: client 192.168.1.10:59653 server stats.appsflyer.com. Lib(20) Func(138) Reason(227)

Aren't they logged in "slu" ?
 
You must log in or register to reply here.

Similar threads

MegaMango
dnsmasq-surrogate for RT-BE88U: Ad Blocking & Security Enhancement
Replies
2
Views
575
MegaMango
MegaMango
L
pixelserv SOLVED - Is PixelServ WebGui script trustworthy at the moment? Redirects to strange website...
Replies
10
Views
4K
gspannu
gspannu
thelonelycoder
Diversion Need help with selecting new set of filter lists / block lists for Diversion 5.0
2
Replies
21
Views
4K
thelonelycoder
thelonelycoder
blacksheep
pixelserv Does "How to best run Pixelserv tls on asuswrt" still apply?
Replies
3
Views
3K
elorimer
E
garycnew
Entware [SOLUTION] Cross-Compile PixelServ-TLS 2.4 Entware Package via Debian Live DVD
Replies
13
Views
3K
garycnew
garycnew
Similar threads
Thread starter Title Forum Replies Date
C Diversion Pixelserv replacement Asuswrt-Merlin AddOns 2
L Is Diversion better than NextDNS, PiHole or AdGuard Home? Asuswrt-Merlin AddOns 10

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 640 (members: 19, guests: 621)
Top