pixelserv - A Better One-pixel Webserver for Adblock

Haven't seen him here in a long while. He was working on a similar idea for unbound. You might try him at kazoo.ga or in the right forum.
 
Hi there everyone!

I have the following setup.

I have pixelserv-tls with pihole without web interface and pivpn installed on Debian Stretch 9, with all the clients connecting through VPN.

Despite pixelserv-tls listening on ports 80 and 443, with the cert installed on Windows and Android device and pihole sending requests to 0.0.0.0, pixelserv-tls is not intercepting, resulting in page not found for ads. Does it have something to do with VPN settings or any other issue?

Can someone please help me out? It has been a couple totally stuck here, may be a lack of networking knowledge.

Note: tried starting pixelserv with an IP address, e.g. 10.128.0.6; no result.

Code:
xxxx@xxxx:~$ sudo su
xxxx@xxxx:/home/xxxx# netstat -ltnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      2223/pihole-FTL     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2745/pixelserv-tls 
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2223/pihole-FTL     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      862/sshd           
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2745/pixelserv-tls 
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN      604/openvpn         
tcp6       0      0 ::1:4711                :::*                    LISTEN      2223/pihole-FTL     
tcp6       0      0 :::53                   :::*                    LISTEN      2223/pihole-FTL     
tcp6       0      0 :::22                   :::*                    LISTEN      862/sshd

Settings in setupVars.conf

Code:
PIHOLE_INTERFACE=eth0
PIHOLE_INTERFACE=tun0
PIHOLE_INTERFACE=tun1
IPV4_ADDRESS=0.0.0.0
IPV6_ADDRESS=0.0.0.0
PIHOLE_DNS_1=10.128.0.1
#PIHOLE_DNS_2=8.8.4.4
QUERY_LOGGING=true
INSTALL_WEB_SERVER=false
INSTALL_WEB_INTERFACE=false
LIGHTTPD_ENABLED=false
BLOCKING_ENABLED=true
DNSMASQ_LISTENING=all

The following are the settings in pihole-FTL.conf

Code:
PRIVACYLEVEL=0
BLOCKINGMODE=IP-NODATA-AAAA


sample output from pihole -t

Code:
dnsmasq[2223]: query[A] ssl.google-analytics.com from 10.8.0.3
dnsmasq[2223]: /etc/pihole/gravity.list ssl.google-analytics.com is 0.0.0.0

ifconfig
Code:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1460
       inet 10.128.0.6  netmask 255.255.255.255  broadcast 10.128.0.6
       inet6 fe80::4001:aff:fe80:6  prefixlen 64  scopeid 0x20<link>
       ether 42:01:0a:80:00:06  txqueuelen 1000  (Ethernet)
       RX packets 3319  bytes 883009 (862.3 KiB)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 2513  bytes 623072 (608.4 KiB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
       inet 127.0.0.1  netmask 255.0.0.0
       inet6 ::1  prefixlen 128  scopeid 0x10<host>
       loop  txqueuelen 1  (Local Loopback)
       RX packets 48  bytes 4659 (4.5 KiB)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 48  bytes 4659 (4.5 KiB)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
       inet 10.9.0.1  netmask 255.255.255.0  destination 10.9.0.1
       inet6 fe80::1ab:3b0c:547e:d869  prefixlen 64  scopeid 0x20<link>
       unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
       RX packets 0  bytes 0 (0.0 B)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 10  bytes 480 (480.0 B)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
       inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
       inet6 fe80::111a:a7a7:5dd1:2df5  prefixlen 64  scopeid 0x20<link>
       unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
       RX packets 0  bytes 0 (0.0 B)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 11  bytes 528 (528.0 B)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 

@tokra

I'm not an expert, but you direct your requests to 0.0.0.0; shouldn't you direct them to the IP address of pixelserv-tls?
 
I did it, and even restarted pihole and even reinstalled the crt, but same result: no interception from pixelserv.

Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      17253/pihole-FTL   
tcp        0      0 10.128.0.6:80           0.0.0.0:*               LISTEN      17121/pixelserv-tls 
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      17253/pihole-FTL   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      861/sshd           
tcp        0      0 10.128.0.6:443          0.0.0.0:*               LISTEN      17121/pixelserv-tls 
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN      596/openvpn         
tcp6       0      0 ::1:4711                :::*                    LISTEN      17253/pihole-FTL   
tcp6       0      0 :::53                   :::*                    LISTEN      17253/pihole-FTL   
tcp6       0      0 :::22                   :::*                    LISTEN      861/sshd
Code:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1460
        inet 10.128.0.6  netmask 255.255.255.255  broadcast 10.128.0.6
        inet6 fe80::4001:aff:fe80:6  prefixlen 64  scopeid 0x20<link>
        ether 42:01:0a:80:00:06  txqueuelen 1000  (Ethernet)
        RX packets 32375  bytes 7364972 (7.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 12
        TX packets 29536  bytes 3634927 (3.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 322  bytes 32828 (32.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 322  bytes 32828 (32.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.9.0.1  netmask 255.255.255.0  destination 10.9.0.1
        inet6 fe80::8840:f4fb:e3f7:501d  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31  bytes 1488 (1.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::f76a:43eb:eab7:1ec2  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 3702  bytes 249215 (243.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3730  bytes 389503 (380.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
I think you are mostly in the wrong place unless you are running pi-hole on the router.

This might help: pixelserv - A Better One-pixel Webserver for Adblock

Also this: Setup pixelserv-tls for Pi-Hole

Thank you, I already followed the second tutorial and set up admin-less pihole to keep ports 80 and 443 free. One thing to add: I am using Debian Stretch 9 on cloud with a static address, with pihole, pivpn and pixelserv-tls installed; therefore all the clients are connected through VPN. Secondly, pihole is working, as some HTTP adverts do get "page not found", but somehow pixelserv is not intercepting the traffic.

Code:
15:08:50 dnsmasq[17253]: query[A] pagead2.googlesyndication.com from 10.8.0.2
15:08:50 dnsmasq[17253]: /etc/pihole/gravity.list pagead2.googlesyndication.com is 0.0.0.0
15:09:18 dnsmasq[17253]: query[A] ssl.google-analytics.com from 10.8.0.2
15:09:18 dnsmasq[17253]: /etc/pihole/gravity.list ssl.google-analytics.com is 0.0.0.0
 
I followed the guide and started pixelserv-tls with, e.g., this IP 10.128.0.6, and also bound pihole to listen on 10.128.0.6.

Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      2410/pihole-FTL     
tcp        0      0 10.128.0.6:80           0.0.0.0:*               LISTEN      2438/pixelserv-tls 
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2410/pihole-FTL     
tcp        0      0 10.128.0.6:53           0.0.0.0:*               LISTEN      2410/pihole-FTL     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      842/sshd           
tcp        0      0 10.128.0.6:443          0.0.0.0:*               LISTEN      2438/pixelserv-tls 
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN      642/openvpn         
tcp6       0      0 ::1:4711                :::*                    LISTEN      2410/pihole-FTL     
tcp6       0      0 ::1:53                  :::*                    LISTEN      2410/pihole-FTL     
tcp6       0      0 :::22                   :::*                    LISTEN      842/sshd

Also checked log for pixelserv and following is the output

Code:
egrep 'pixelserv' /var/log/syslog

Jul 29 16:06:09 x pixelserv-tls[2438]: pixelserv-tls 2.2.1 (compiled: Jul 27 2019 20:11:34 flags: tfo no_tls1_3) options: 10.128.0.6 -l 5
Jul 29 16:06:09 x pixelserv-tls[2438]: sslctx_tbl_load: 10.128.0.6
Jul 29 16:06:09 x pixelserv-tls[2438]: Listening on :10.128.0.6:443
Jul 29 16:06:09 x pixelserv-tls[2438]: Listening on :10.128.0.6:80
Jul 29 16:06:18 x pixelserv-tls[2438]: x.x.x.x x.x.x.x GET /servstats HTTP/1.1 tls_none
Jul 29 16:06:21 x pixelserv-tls[2438]: x.x.x.x x.x.x.x GET /servstats HTTP/1.1 tls_none
Jul 29 16:06:22 x pixelserv-tls[2438]: x.x.x.x x.x.x.x GET /favicon.ico HTTP/1.1 tls_none
Jul 29 16:06:24 x pixelserv-tls[2438]: x.x.x.x x.x.x.x GET /servstats HTTP/1.1 tls_none
Jul 29 16:06:24 x pixelserv-tls[2438]: x.x.x.x x.x.x.x GET /favicon.ico HTTP/1.1 tls_none
Jul 29 16:06:25 x pixelserv-tls[2438]: x.x.x.x x.x.x.x GET /servstats HTTP/1.1 tls_none
Jul 29 16:06:25 x pixelserv-tls[2438]: x.x.x.x x.x.x.x GET /favicon.ico HTTP/1.1 tls_none
Jul 29 16:06:25 x pixelserv-tls[2438]: x.x.x.x x.x.x.x GET /servstats HTTP/1.1 tls_none
Jul 29 16:08:00 x pixelserv-tls[2438]: x.x.x.x x.x.x.x GET /servstats HTTP/1.1 tls_none
Jul 29 16:08:01 x pixelserv-tls[2438]: x.x.x.x x.x.x.x GET /favicon.ico HTTP/1.1 tls_none
Jul 29 16:08:26 x pixelserv-tls[2438]: Exit recv loop socket:9 rv:690 errno:11 num_req:7
Jul 29 16:09:21 x pixelserv-tls[2438]: no file extension / from path /
Jul 29 16:09:21 x pixelserv-tls[2438]: x.x.x.x x.x.x.x:80 GET / HTTP/1.1 tls_none
Jul 29 16:09:27 x pixelserv-tls[2438]: Exit recv loop socket:9 rv:102 errno:0 num_req:1
Jul 29 16:10:02 x pixelserv-tls[2438]: Exit recv loop socket:10 rv:690 errno:11 num_req:3
 
Thank you very much for the help, friends. For the time being I figured out what the issue was and am currently working on it; however, I am now stuck on another issue:
I installed pixelserv through brew as a non-root user and chmod'ed /var/cache/pixelserv-tls as mentioned in the creating certificate guide; however, after running pixelserv-tls and getting the logfile I get the following error:
Code:
Jul 29 18:22:14 pixelserv pixelserv-tls[17083]: pixelserv-tls 2.2.1 (compiled: Jul 29 2019 18:09:05 flags: tfo tls1_3) options: -l 5
Jul 29 18:22:14 pixelserv pixelserv-tls[17083]: chown failed to set owner of /tmp/pixelcerts to nobody
Jul 29 18:26:19 pixelserv pixelserv-tls[17132]: pixelserv-tls 2.2.1 (compiled: Jul 29 2019 18:09:05 flags: tfo tls1_3) options: -l 5
Jul 29 18:26:19 pixelserv pixelserv-tls[17132]: chown failed to set owner of /tmp/pixelcerts to nobody
Jul 29 18:28:35 pixelserv pixelserv-tls[17152]: pixelserv-tls 2.2.1 (compiled: Jul 29 2019 18:09:05 flags: tfo tls1_3) options: -l 5
Jul 29 18:28:35 pixelserv pixelserv-tls[17152]: chown failed to set owner of /tmp/pixelcerts to nobody
And the tmp directory shows the following files:
Code:
xxxxx@pixelserv:/tmp$ ls -l
total 8
-rw------- 1 xxxxx xxxxx    0 Jul 29 18:05 cpan_install_8kk4.txt
-rw------- 1 xxxxx xxxxx   37 Jul 29 18:05 cpan_install_kj9f.txt
prw------- 1 nobody  xxxxx    0 Jul 29 18:12 pixelcerts
drwx------ 2 xxxxx xxxxx 4096 Jul 29 17:54 ssh-TECOJCgX5F
 
I imported the crt on my device and then rebooted, but the "# of accepted HTTPS requests" is 0 and rejections are high. Is it normal, and what is the reason? However, the ads are being blocked.
Code:
slh 0 # of accepted HTTPS requests
slc 0 # of dropped HTTPS requests (client disconnect without sending any request)
slu 428 # of dropped HTTPS requests (other TLS handshake errors)
uca 0 slu break-down: # of unknown CA reported by clients
ucb 0 slu break-down: # of bad certificate reported by clients
uce 481 slu break-down: # of unknown cert reported by clients
ush 0 slu break-down: # of shutdown by clients after ServerHello
sct 71 cert cache: # of certs in cache
sch 422 cert cache: # of reuses of cached certs
scm 71 cert cache: # of misses to find a cert in cache
scp 0 cert cache: # of purges to give room for a new cert
ssh 0 sess cache: # of reuses of cached TLS sessions
ssm 507 sess cache: # of misses to find a TLS session in cache
ssp 0 sess cache: # of purges to give room for a new TLS session

Is this normal behaviour, or am I missing something?
Thank you
 
I also want to add that I am unable to access servstats over https.
 
1. No issue here.
2. Those steps are for https access to the router's webui, not visiting a page.
3. Pixelserv won't create a blank page unless the whole page is blocked in diversion.
4. Go to diversion and follow the dnsmasq log to see if the page is blocked.
 
And as Step 5 to Elorimer's above: make sure it is not Skynet blocking the whole page/site from loading (if you are using Skynet in addition to Diversion).
 
Hi,

I recently installed pixelserv-tls on my AC87U to work together with Diversion. Upon reboot after installation, my OpenVPN server borked. From the logs, it says:

Code:
Aug 11 00:02:03 ovpn-server1[28611]: TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:443: Address already in use (errno=98)
Aug 11 00:02:03 ovpn-server1[28611]: Exiting due to fatal error

After a mild panic attack (I was doing this remotely, and thought I no longer had access to my router), I managed to reconfigure ovpn to use the default port (1194/udp).

I am guessing this is happening because the pixelserv-tls service starts before ovpn, and reserves the 443/TCP port.

Is there any way of running pixelserv-tls on a different port without breaking my Diversion configuration? I would like ovpn to be on 443/TCP for "accessibility" reasons, but would also like my router to do my adblocking for me.

Note: will be cross-posting this on the Diversion thread (https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/page-174#post-509913)
 
Welcome to the forum. There's a simple fix:

https://www.snbforums.com/threads/ab-solution-the-ad-blocking-solution.37511/page-131#post-386022

Set up second server to reduce panic attacks.

(Cross posting doesn't always go down well ;) )
 
Hi martinr, thanks for the pointer!

Noted about cross posting. My problem was a conflict with pixelserv-tls, which could be answered here, but then again it was installed because I wanted to use Diversion.

50/50 if you ask me.
The important thing is you got a fix and no-one complained - they very rarely do on this forum. And I take your point about the 50/50.
 
Hi, I recently installed pixelserv with Diversion adblock and it worked as expected in most cases.

But some sites return 'NET::ERR_CERT_COMMON_NAME_INVALID'
(i.e. opensubtitles.org, regardless of what the OS or browser is).
Sometimes it's avoidable with the full domain name like www.something.net, but not always.

It seems it's a server-side fault which can't handle redirection properly.
Anyway, it'll be better to avoid this from the client side than to expect them to fix it.

Is there any solution for this?
Thanks.
 
This is not a pixelserv problem, I think. I tried opensubtitles.org on a Chromebook and saw it present problems a few times (blocked with a different error than yours). Then I tried forum.opensubtitles.org and that loaded, and thereafter the pages loaded. Odd. But the problem was with that site, and not the page trying to load from another site.

I then looked in my diversion blocklist and the domain was not blocked. Sometimes blocking is due to skynet, not diversion, but this domain wasn't blocked in skynet either.

Pixelserv binds itself to an ip address on your network. Diversion loads a collection of domains to block by giving dnsmasq a pointer to the pixelserv address. When your browser goes to load from a blocked domain, it sends the request to pixelserv instead, which sends back a single pixel that looks to the browser like it is valid so off it goes. But pixelserv doesn't deal at all with anything that is not blocked. So the problem between this site and a browser is going to be something else.
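
The relationship described above (dnsmasq has to answer blocked domains with an address that pixelserv is actually listening on) can be checked from `netstat -ltnp` output and the dnsmasq log. The following Python sketch is an added example, not code from the thread or from pixelserv-tls; the sample lines are constructed from outputs posted in this thread (the last log line is invented to show a passing case), and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input, modelled on the outputs posted in this thread.
NETSTAT = """\
tcp        0      0 10.128.0.6:80           0.0.0.0:*               LISTEN      17121/pixelserv-tls
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      17253/pihole-FTL
tcp        0      0 10.128.0.6:443          0.0.0.0:*               LISTEN      17121/pixelserv-tls
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN      596/openvpn
tcp6       0      0 :::53                   :::*                    LISTEN      17253/pihole-FTL
"""
DNSMASQ_LOG = """\
dnsmasq[17253]: query[A] ssl.google-analytics.com from 10.8.0.2
dnsmasq[17253]: /etc/pihole/gravity.list ssl.google-analytics.com is 0.0.0.0
dnsmasq[17253]: /etc/pihole/gravity.list pagead2.googlesyndication.com is 10.128.0.6
"""
HOST_ADDRS = {"10.128.0.6", "10.8.0.1", "10.9.0.1"}  # inet addresses from ifconfig

LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+\d+/(\S+)", re.M)
ANSWER_RE = re.compile(r"/\S+\.list (\S+) is (\S+)")


def parse_listeners(netstat_text):
    """Return (ip, port, program) for every listening TCP socket."""
    return [(ipaddress.ip_address(ip), int(port), prog)
            for ip, port, prog in LISTEN_RE.findall(netstat_text)]


def parse_block_answers(log_text):
    """Map each blocklisted domain to the address dnsmasq answered with."""
    return {dom: ipaddress.ip_address(ip)
            for dom, ip in ANSWER_RE.findall(log_text)}


def serving_ports(answer, listeners, host_addrs):
    """Ports on which this host accepts connections addressed to `answer`."""
    if answer.is_unspecified or str(answer) not in host_addrs:
        return set()  # 0.0.0.0 / :: is not a destination a remote client can reach
    # Simplification: a dual-stack "::" socket that also accepts IPv4 is not modelled.
    return {port for ip, port, _ in listeners
            if ip == answer or (ip.is_unspecified and ip.version == answer.version)}


def audit(log_text, netstat_text, host_addrs, needed=(80, 443)):
    """Return {domain: verdict} for every blocked answer found in the log."""
    listeners = parse_listeners(netstat_text)
    report = {}
    for domain, answer in parse_block_answers(log_text).items():
        missing = sorted(set(needed) - serving_ports(answer, listeners, host_addrs))
        if answer.is_unspecified:
            report[domain] = "unroutable answer %s: request never reaches pixelserv" % answer
        elif missing:
            report[domain] = "no listener for %s on port(s) %s" % (answer, missing)
        else:
            report[domain] = "ok"
    return report


if __name__ == "__main__":
    for domain, verdict in audit(DNSMASQ_LOG, NETSTAT, HOST_ADDRS).items():
        print(domain, "->", verdict)
```
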
 
