pixelserv pixelserv - A Better One-pixel Webserver for Adblock

[swetoast]

With ublockr you don't have any idea what you are pulling from. But I didn't like ublockr running every night and writing to jffs (although I think that is changed).

1. https://gitlab.com/spitfire-project/ublockr/blob/master/ip.list and https://gitlab.com/spitfire-project/ublockr/blob/master/no.list thats where it gets is lists from just remove the ones you dont want to have
   
2. https://gitlab.com/spitfire-project/ublockr/blob/master/ublockr.cfg just change to desired path its simple and ive removed writing jffs stuff since there was concerns about that.

 

[elorimer]

I started all over and its working better. A couple of things:

1. It would be nice to have a personal blacklist. I've manually added the sites to the hosts file, but that will get overwritten.
2. My system log has lots of entries like this;

May  7 07:31:10 pixelserv[15297]: Failed to open/read ca.crt
May  7 07:31:10 pixelserv[15297]: Failed to get issuer name from ca.crt
May  7 07:31:10 pixelserv[15301]: settings-win.data.microsoft.com _.data.microsoft.com missing
May  7 07:31:10 pixelserv[15302]: Failed to open/read ca.crt
May  7 07:31:10 pixelserv[15302]: Failed to get issuer name from ca.crt
May  7 07:31:10 pixelserv[15306]: p.typekit.net _.typekit.net missing
May  7 07:31:10 pixelserv[15307]: Failed to open/read ca.crt
May  7 07:31:10 pixelserv[15307]: Failed to get issuer name from ca.crt
May  7 07:31:11 pixelserv[15308]: device-metrics-us-2.amazon.com _.amazon.com missing

Is that normal or have I missed a step?

 

[jrmwvu04]

Is that normal or have I missed a step?

Have you generated a certificate and placed ca.crt and ca.key at /opt/var/cache/pixelserv/ ?

 

[elorimer]

No, that is clearly my problem to work on. I'm a little confused about where things stand with post #1, #40 and #49 and thought ublockr somehow handled that.

 

[kvic]

No, that is clearly my problem to work on. I'm a little confused about where things stand with post #1, #40 and #49 and thought ublockr somehow handled that.

Easier to follow the README on github than going through this whole thread:
https://github.com/kvic-z/pixelserv-tls#pixelserv-tls

 

[elorimer]

Easier to follow the README on github than going through this whole thread:
https://github.com/kvic-z/pixelserv-tls#pixelserv-tls

Thanks. Seems to be working now, generating certificates. The hardest part was figuring out how to install EasyRSA 3.01 and mktemp. The readme did the rest.

 

[jrmwvu04]

Since pixelserv was updated a bit ago in the Entware repo, I decided to install and reboot. I put a line in services-stop to capture the stats and save them to usb, and I wrote a small script to add up some of the stats. Here's what the last few weeks look like.

Total pixelserv stats generated 05/13/16 03:59:08
uts: 1739697 (20 days, 3 hours, 14 minutes)
req: 160517
err: 0
tmo: 0
cls: 87840
nou: 0
pth: 0
nfe: 20328
ufe: 3062
gif: 3619
bad: 356
txt: 22502
jpg: 459
png: 5561
swf: 0
ico: 30
slh: 90256
slm: 722
sle: 0
slu: 35093
204: 41204
rdr: 6339
pst: 10175
hed: 15

 

[mstombs]

One word of warning - updating pixelserv-tls from Entware over-writes your custom args, need to manually edit the S80... startup file, but maybe others don't use as many as me!

pixelserv-tls version: V35.HZ12.Kh compiled: May 11 2016 15:13:54 options: 192.168.66.254 -p 80 -p 81 -p 8080 -p 8081 -k 443 -o 2

 

[swetoast]

hmm thats not good @zyxmon might be able to fix that

 

[mstombs]

Here's my update log, in case it was user error ... seems to reinstall rather than upgrade?

admin@RT-N66U:/tmp/home/root# opkg update
Downloading http://pkg.entware.net/binaries/mipsel/Packages.gz.
Updated list of available packages in /opt/var/opkg-lists/entware-ng.
admin@RT-N66U:/tmp/home/root# 
admin@RT-N66U:/tmp/home/root# opkg updategrade
Upgrading pixelserv-tls on root from V35.HZ12.Kh-20160313-1 to V35.HZ12.Kh-20160429-1...
Downloading http://pkg.entware.net/binaries/mipsel/pixelserv-tls_V35.HZ12.Kh-20160429-1_mipselsf.ipk.
Upgrading openssl-util on root from 1.0.2g-1 to 1.0.2h-1...
Downloading http://pkg.entware.net/binaries/mipsel/openssl-util_1.0.2h-1_mipselsf.ipk.
Upgrading findutils on root from 4.5.14-1 to 4.6.0-1...
Downloading http://pkg.entware.net/binaries/mipsel/findutils_4.6.0-1_mipselsf.ipk.
Upgrading libopenssl on root from 1.0.2g-1 to 1.0.2h-1...
Downloading http://pkg.entware.net/binaries/mipsel/libopenssl_1.0.2h-1_mipselsf.ipk.
Configuring libopenssl.
Configuring pixelserv-tls.
Place ca.crt and ca.key to /opt/var/cache/pixelserv before starting HTTPS mode.
Start options can be adjusted via /opt/etc/init.d/S80pixelserv-tls.

See 'pixelserv-tls -h' for details
Configuring openssl-util.
Configuring findutils.

 

[Veldkornet]

Hey guys,

I thought I'd give this a try, but I'm in need of some information to get it working properly.

So first, my routers WebUI is running on 80 & 443, so for pixelserv I want to use 8080 and 8443.

Right, so I got it installed:

opkg install pixelserv-tls

Easy.

Created the CA cert and key and copied to /opt/var/cache/pixelserv

Then I started it:

pixelserv-tls 192.168.1.1 -p 8080 -k 8443 -u admin

But when I looked at http://192.168.1.1:8080/serverstats, it didn't seem to be blocking anything... or am I just impatient?

1. Do I need to do the following:

iptables -t nat -A PREROUTING --dest 10.8.10.8 -p tcp --dport 80 -j DNAT --to-dest 192.168.1.1:8080
iptables -t nat -A PREROUTING --dest 10.8.10.8 -p tcp --dport 443 -j DNAT --to-dest 192.168.1.1:8443

My only question there is, why 10.8.10.8, where was this defined?

2. I have dnscrypt-proxy running as well. Does this cause any conflict? Since it's already redirecting DNS to 127.0.0.1?

3. The file /opt/etc/init.d/S80pixelserv-tls. Do I need to modify it in any way so that it always starts as pixelserv-tls 192.168.1.1 -p 8080 -k 8443 -u admin?

4. What am I missing? I've ready the first post, and the instructions here: https://github.com/kvic-z/pixelserv-tls#pixelserv-tls but it feels like I'm missing half the things I should know.

 

[kvic]

You're adopting a more complicated installation...
Not recommended for most users. But seems you're almost there...

1. Okay, so I assume that I need to do the following:

iptables -t nat -A PREROUTING --dest 10.8.10.8 -p tcp --dport 80 -j DNAT --to-dest 192.168.1.1:8080
iptables -t nat -A PREROUTING --dest 10.8.10.8 -p tcp --dport 443 -j DNAT --to-dest 192.168.1.1:8443

My only question there is, why 10.8.10.8, where was this defined?

10.8.10.8 is a "phantom" ip address. In your host files for adblock, point all ad domains to it (instead of 192.168.1.1 people do in a simpler installation).

When a client looks up an ad domain, it gets 10.8.10.8. On access, it gets redirected to pixelserv with the above iptables rules..

2. I have dnscrypt-proxy running as well. Does this cause any conflict? Since it's already redirecting DNS to 127.0.0.1?

Can't recall how dnscrypt-proxy works with dnsmasq..does dnsmasq point to dnscrypt-proxy? If so, then adblock will still work as long as you have some kind of host files defined for dnsmasq.

3. The file /opt/etc/init.d/S80pixelserv-tls. Do I need to modify it in any way so that it always starts as pixelserv-tls 192.168.1.1 -p 8080 -k 8443 -u admin?

Change ARGS line in the launch script to below:

ARGS="192.168.1.1 -p 8080 -k 8443"​

(-u admin is no longer required)

 

[Veldkornet]

In your host files for adblock, point all ad domains to it

Okay, then I think I have it running, I'm just needing to add some things to the hosts file...

What's recommended here?

 

[kvic]

Okay, then I think I have it running, I'm just needing to add some things to the hosts file...

What's recommended here?

If you want a simple test, anything would be fine. Why not start with doubleclick.net?

Sooner or later you need some way to update and maintain the host files. You can come up with your own..a few threads on such topic. Or use a ready made such ublockr or ab-solution.

In your setup, I think you need to change the IP address in both solutions to 10.8.10.8. So decide if you want a minimal setup or a more user friendly solution..

 

[Veldkornet]

If you want a simple test, anything would be fine. Why not start with doubleclick.net?

Sooner or later you need some way to update and maintain the host files. You can come up with your own..a few threads on such topic. Or use a ready made such ublockr or ab-solution.

In your setup, I think you need to change the IP address in both solutions to 10.8.10.8. So decide if you want a minimal setup or a more user friendly solution..

Thanks, I've decided to use ublockr for a start, currently on pixelserv-tls version: V35.HZ12.Kh compiled: May 12 2016.

FYI, in FireFox, Chrome, Opera, when I access https://192.168.1.1/servstats , I get the following error:

Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.

Safari seems to let me bypass it luckily. Is the old RC4 cipher expected?

 

[mstombs]

Thanks, I've decided to use ublockr for a start, currently on pixelserv-tls version: V35.HZ12.Kh compiled: May 12 2016.

FYI, in FireFox, Chrome, Opera, when I access https://192.168.1.1/servstats , I get the following error:



Safari seems to let me bypass it luckily. Is the old RC4 cipher expected?

I reported this before - you should see https;//doubleclick.net/servsats works - but no reason to use https for this just use the http version!

 

[Peter Danckaert]

I have implemented pixelserv tls with ublockr and it seems to work fine with normal sites. However i'm still gettings ads on Iphone/Ipad on the youtube application of google itself even with the cert installed on the IOS. Anybody got a clue? Or does google has some magic code in the app itself? How can I activate logging? because syslog is not providing me alot of info

May 16 12:45:15 pixelserv[2877]: (14) 192.168.2.209: s.youtube.com GET /api/stats/qoe?bwe=0.059%3A3930950&c=ios&ns=yt&bat=0.006%3A0.64%3A0%2C51.522%3A0.63%3A0%2C235.343%3A0.62%3A0%2C439.546%3A0.61%3A0&cplatform=mobile&cver=11.17.8&vnd=0.002%3A0&cos=iOS&ad_break_type=0&docid=4_SSEtPnBOk&vps=0.000%3AN%2C0.419%3AB%2C0.422%3APL%2C600.425%3APL%2C641.174%3AEN&plid=AAUy9NfFzd_qFD8y&cnetwork=wifi&conn=0.001%3A3&cl=122177092&cosver=9.3.1&event=streamingstats&vis=0.002%3A0&snd=0.002%3A0&vfs=0.059%3A230%3B%3A230%

 

[kvic]

i'm still gettings ads on Iphone/Ipad on the youtube application of google itself

I heard youtube ads are a challenge to block. Also pixelserv itself doesn't do any blocking.

It's host list created by e.g. ublockr or ab-solution that determines what ad domains are blocked. Personally I have no experience of using either..sorry.

 

[matthew_eli]

Hi kvic, is there a list of steps I can follow for installing pixelsrv-tls (and the related hosts I would lie to block) in DD-WRT? I haven't found a guide/tutorial for this platform and I'd really appreciate any contribution/help

 

[mstombs]

There's a couple of threads on dd-wrt forums re an old single binary version of pixelserv. One user documented his method, which may be a starting point

http://www.howtogeek.com/51477/how-to-remove-advertisements-with-pixelserv-on-dd-wrt/

pixelserv-tls will need the same ip diverts but in addition port 80 will need also the https port 443. The use of dnsmasq for ad host diversion to pixelserv IP is the same.

Do check the date - no doubt dd-wrt moved on in last 6 years