Spend the hour instead to read through this thread, which was highly educational to me on a number of levels.
Basically, when pixelserv is in the mix a call to a domain blocked by ab-s is forwarded to the pixelserv address. For a http request, pixelserv sends back a one pixel response instantly. For a https request, pixelserv sends back a one pixel response with a cert it generates, or pulls from one already generated, for that site. If it has to generate a cert, that takes a little bit of time. If it has already generated a cert, it pulls that cert from the stick and sends that back. If it has that cert in cache, then it sends it back more or less instantly. If the cert it sends back matches the imported root cert, then the pixel is served up and the web page goes on its merry way. If you havent' imported the root cert, then the web page sees a security violation and handles it that way. So either way, the web page moves on; but one way is faster and cleaner.
You can tell from the stats page if it is working, because it breaks out https requests as accepted or not, and if they fail, why. There is a script in the thread that will run a cron and email you a report that identifies which devices are generating denied requests, and those are where the import should be made. For some devices, like IP cameras, you may not be able to import a cert.
Thanks
@elorimer. I was continuing to search for information while I posted this. Weeding through 108 pages of thread posts to find relevant information was not really proving effective. I appreciate you having done it and sharing what you can. I was trying to focus on the documentation provided in the OP, which I have read most of, including:
I also (just) imported the cert onto my clients. In all honesty I couldn't observe any tangible difference in behavior. Ads appeared to still be blocked, but my servstats definitely did change. Prior to doing this it looked like "# of accepted HTTPS requests" was 0 and after about 50% of all total requests are now accepted. That being said I still have 50% of them listed under slm/sle/slc/slu/uca/uce.
Is this normal? Or is this something wrong with my configuration?
I still have some questions about architecture. Some of this may be re-iteration of what you described I'm just looking to clarify here as I'm a bit fuzzy. In the end, I'm looking to understand this both architecturally and from an end-user perspective so I can actually observe if things are not working optimally. While I can look at the servstats they only tell me numbers, not if those numbers are optimal or if something is misconfigured:
1) It sounds like what you are saying is that if using pixleserv-tls with ab-s, then
pixleserv is actually doing *all* the blocking - both http & https. Is this correct? If so, then the main think ab-s continues to do is just generate the lists, but instead of using the ab-s behavior of sending them to 127.0.0.1, pixleserv-tls updates ALL the entires to the pixleserv-tls IP address to serve back the transparent pixel instead of serving back a time-out. Do I have that right?
2) Forgive my ignorance on the complete picture. With basic https traffic between a client and server the client obtains a copy of the server's public key. It trusts this public key either because this certificate (or it's issuing authority) is stored as a trusted root certificate. Using this public certificate the browser encrypts the data and sends it back to the server along with a (symmetric) session key. The rest of the secure exchange (on both ends) is done using this private session key. Now - this brief description is from my understanding 20 years ago and I don't believe the basic idea here has changed.
I'm trying to reconcile that basic behavior with the pixelserv-tls requirements/behavior.
1) As you state - pixleserv-tls is creating (or retrieving from cache) a certificate for each session. These appear to be stored here:
Code:
/tmp/mnt/xxxxx/entware/var/cache/pixelserv
Which certificates are these? As in within the basic SSL structure I describe above? Normally the only key a client/browser has to generate is the symmetric session key to return to the server. I was under the belief that this key was not something that was normally saved, but rather the client would generate a new session key for every new session and therefore not something we even needed to be aware of. Perhaps I was wrong and the
keys stored in this location are the session keys? If so, that would make sense to me (though be surprising from a security standpoint that all session keys were saved). If not, then I don't understand why pixleserv is creating/needing these keys.
(I believe this to *not* be the case as I update below. I'm keeping it here though for others who may have the same misunderstanding)
2) When a client talks to a server and obtains it's public key it will give an error of some sort if that public key isn't trusted by a CA it knows about. Usually this is manifested in a browser with a security warning but I suspect in a non-interactive environment this will simply fail to establish any connection depending on the coding (kind of like wget with a --no-certificate override). Since we need to communicate to pixelserv-tls to get our transparent pixel we need to trust it just like any other https server or else we would get a security error.
Apart from a speed differential (which may be so nominal as to be unobservable) will the page actually appear different? It seems many pages still show frames/divs even when blocked so whether it was empty or a single pixel the blocked ad may still take up the same space. What I haven't seen (prior to importing the cert) is any blocked ads saying
"certificate error" which I guess is what I would expect if we couldn't talk to the server?
Actually, in describing the scenarios myself and re-reading your description I have one more interpretation of what you describe regarding the certs generated. This may be what you were trying to describe and I simply couldn't grasp it in those words until re-hashing the above.
The pixelserv-tls server needs to communicate back to me as if it was the server I was talking to. So if the ad being redirected is from
ads.sucky.com my browser needs to believe it is communicating with
ads.sucky.com the whole time and not the pixelserv server at all. So when pixelserv intercepts this query from my browser it creates its own certificate for
ads.sucky.com, caches it and returns it to me to make me believe it is that source. This makes more sense then my description of the session keys above since there is really no reason for pixelserv-tls to even speak to the real
ads.sucky.com since the point is *not* to talk to it.
Once again, if I don't trust the pixelserv-tls CA, this communication would be blocked (I couldn't get my pixel) and instead I would get a certificate error. What I still don't understand on this is from observed behavior
I wasn't seeing any "certificate errors" shown on my webpages. You state that without the certs installed, things still work - it is just "faster and cleaner." I'm trying to understand exactly what is cleaner about it from an end-user perspective.
What will/might I see if this certificate transaction fails vs it working?
For instance, I am still seeing a lot of blocked ads showing with the gray frowny page face (Chrome) or the "Can’t reach this page" (IE) within the frame of the ad. I don't know if this is normal behavior or not. I would expect that the page *should* be found in the form of the transparent pixel. But,
perhaps there are certain ads that pixleserv still can't deal with?
I realize these questions might be tedious for those of you who already know the answers, but I suspect the hard work put into this project wasn't just meant to be enjoyed by those who have immaculate understandings of all things SSL. I believe I'm far from a layperson when it comes to technology, but I'm not an SSL expert and I can only RTFM of which I'm not finding all the answers.
I appreciate your patience and assistance!