pixelserv - A Better One-pixel Webserver for Adblock

Would this be a symptom that I need to purge regen my certs? www.icloud.com times out, I've disabled Diversion, Skynet, started in Firefox safe mode, cleared cache. Certificate is 2048 generated by pixelserv 2.3.0. If I switch to a VPN connection it loads fine.
 
Doesn't seem like it. Once you've disabled Diversion, pixelserv is out of the picture and the certs don't matter. If Skynet is stopped, that is the other thing that could block the IP. Sounds more like a stubby/DNS problem.
 
I used /opt/etc/init.d/S80pixelserv-tls to stop and start.
I did some extra steps before starting pixelserv-tls, however it only makes sense to do these steps after you upgrade to diversion 4.1.8.
Backup your current key and cert from entware/var/cache/pixelserv (Pixelserv cache directory)
Delete all of the old certs created by the old key and cert in your Pixelserv cache directory.
Delete the old key and cert in your Pixelserv cache directory.
Run Asad Ali's instructions to generate an Apple-compliant key and certificate. I ran this from a directory on my external drive and copied the results to the Pixelserv cache directory.
Code:
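# Work on a copy of the stock OpenSSL config
cat /etc/openssl.cnf > /jffs/openssl.cnf
# Append extendedKeyUsage = serverAuth after the [ v3_ca ] section header
sed -i "/\[ v3_ca \]/aextendedKeyUsage = serverAuth" /jffs/openssl.cnf
# Generate a 2048-bit RSA key for the CA
openssl genrsa -out ca.key 2048
# Self-sign the CA certificate: SHA-256, 825 days, v3_ca extensions from the edited config
openssl req -key ca.key -new -x509 -days 825 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA" -config /jffs/openssl.cnf
rm /jffs/openssl.cnf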
The following from Kvic makes it easy to use the pixelserv-tls key and cert for the router GUI HTTPS:
Code:
sh -c "$(wget -qO - https://kazoo.ga/pixelserv-tls/config-webgui.sh)"
Install ca.crt in Windows and iOS devices.
What does this add over using Diversion to purge/regenerate and amtm to fire off the helper script?
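
A check that a generated ca.crt actually carries the properties the quoted openssl commands ask for (2048-bit RSA key, SHA-256, 825 days, extendedKeyUsage serverAuth). This is an added example, not code from the thread or from pixelserv-tls; the function names check_ca and make_demo_ca and the minimal config used for the demo certificate are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: check a CA cert against the properties the quoted commands set
# (RSA >= 2048 bits, SHA-256 signature, <= 825 days, extendedKeyUsage serverAuth).

# make_demo_ca DIR DAYS EKU_LINE: writes DIR/ca.key and DIR/ca.crt.
# Constructed throwaway input; the config is a minimal stand-in for the copy of
# /etc/openssl.cnf that the quoted commands edit with sed.
make_demo_ca() {
    printf '[ req ]\ndistinguished_name = req\n[ v3_ca ]\n%s\n%s\n' \
        'basicConstraints = critical,CA:TRUE' "$3" > "$1/openssl.cnf"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -key "$1/ca.key" -new -x509 -days "$2" -sha256 \
        -extensions v3_ca -out "$1/ca.crt" -subj "/CN=Pixelserv CA" \
        -config "$1/openssl.cnf"
}

# check_ca CERT: prints one line per failed property; the return status is the
# number of failures (0 = all checks passed, 99 = certificate unreadable).
check_ca() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) ||
        { echo "cannot parse $1"; return 99; }
    fails=0
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "key is ${bits:-unknown} bits, want >= 2048"; fails=$((fails + 1)); }
    case $text in
        *'Signature Algorithm: sha256'*) ;;
        *) echo "signature hash is not SHA-256"; fails=$((fails + 1)) ;;
    esac
    case $text in
        *'TLS Web Server Authentication'*) ;;
        *) echo "extendedKeyUsage lacks serverAuth"; fails=$((fails + 1)) ;;
    esac
    # -checkend N exits 0 if the cert is still valid N seconds from now. For a
    # freshly generated cert, exit 0 at 825 days means the lifetime is too long.
    if openssl x509 -in "$1" -noout -checkend $((825 * 86400)) >/dev/null; then
        echo "still valid 825 days from now"; fails=$((fails + 1))
    fi
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "already expired"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage: sh check_ca.sh /path/to/ca.crt
if [ $# -gt 0 ]; then check_ca "$1" && echo "OK: $1"; fi
```

The lifetime check measures from the current time, so it is meant to be run right after generating the certificate and before copying it into the Pixelserv cache directory.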
 
Would this be a symptom that I need to purge regen my certs? www.icloud.com times out, I've disabled Diversion, Skynet, started in Firefox safe mode, cleared cache. Certificate is 2048 generated by pixelserv 2.3.0. If I switch to a VPN connection it loads fine.

FWIW, this is exactly the scenario that I have found myself in....(and actually just posted in its own thread!). Are you able to access System Update?

There is something that is gumming up access to Apple domains and I have yet to track down what.....like you, VPN connection clears the issue, but back to DoT/Div/Skynet standard System Update times out.....a minor thing really, the scripts are awesome and I'd much rather have them operational than not.
 
What does this add over using Diversion to purge/regenerate and amtm to fire off the helper script?
Probably nothing when an Entware pixelserv-tls 2.3.1 comes out. I moved 2.3.1 in manually. I would not know whether Diversion would handle everything gracefully under the circumstances.
 
FWIW, this is exactly the scenario that I have found myself in....(and actually just posted in its own thread!). Are you able to access System Update?

There is something that is gumming up access to Apple domains and I have yet to track down what.....like you, VPN connection clears the issue, but back to DoT/Div/Skynet standard System Update times out.....a minor thing really, the scripts are awesome and I'd much rather have them operational than not.

For pages timing out.

On the WAN - Internet connection tab set it to this below and try them again.

DNS-over-TLS Profile Strict Opportunistic

It was timing out or very slow for me until I set that on www.icloud.com
 
Probably nothing when an Entware pixelserv-tls 2.3.1 comes out. I moved 2.3.1 in manually. I would not know whether Diversion would handle everything gracefully under the circumstances.
I'm sure it would, and it does.
 
Thanks @jrmwvu04 - that makes perfect sense now. The kids' iPhones are hitting Snapchat and Instagram like there's no tomorrow, so that would explain what you mentioned above.

I use R7000 with WiFi disabled and Unifi NanoHD and it does the job for now, however I might need to upgrade to some of the newer ASUS models soon.

My pixelserv-tls was getting hammered with slu's - [tens of thousands over a few days] - which also seemed to push up RAM consumption. Somewhere in the thousands of posts in either the Diversion thread or this one - I came across a lifesaver [for me anyway].

In essence I used switch -l2 on pixelserv-tls to identify the incessant slu's - added those domains to my Diversion whitelist - while at the same time adding them to a "hosts.add" file [pointing each to 0.0.0.0] which I dropped in to the JFFS/configs folder and set permission properties to 666. Restart pixelserv-tls or better yet - reboot the router after changes done.

For e.g. hosts.add file format ...
Code:
0.0.0.0    ade.googlesyndication.com
0.0.0.0    ads.api.vungle.com
0.0.0.0    adservice.google.com
0.0.0.0    analytics.localytics.com
0.0.0.0    api.mixpanel.com
0.0.0.0    api.segment.io
etc ...

I only bothered with the heavy hitters [39 of them] - but after that my slu's hit list dropped significantly and RAM no longer got chewed up unnecessarily.

BTW - I use MobaXterm for SSH and SFTP access to the router - has built in editor and many more useful features :D.
 
In essence I used switch -l2 on pixelserv-tls to identify the incessant slu's - added those domains to my Diversion whitelist - while at the same time adding them to a "hosts.add" file [pointing each to 0.0.0.0] which I dropped in to the JFFS/configs folder and set permission properties to 666. Restart pixelserv-tls or better yet - reboot the router after changes done.
Important to restart dnsmasq to update the hosts file with your updates.
 
FWIW, this is exactly the scenario that I have found myself in....(and actually just posted in its own thread!). Are you able to access System Update?

There is something that is gumming up access to Apple domains and I have yet to track down what.....like you, VPN connection clears the issue, but back to DoT/Div/Skynet standard System Update times out.....a minor thing really, the scripts are awesome and I'd much rather have them operational than not.
Do you have any time discrepancy between the router and iPad?
 
Are you able to access System Update?
Yes, apple.com, the store, it's just www.icloud.com. Setting DoT profile to opportunistic made no difference @Makaveli . I started looking at the NTP setup and it says "Reminder: The System time zone is different from your locale setting." I'm getting out of my depth here.

Code:
PING www.icloud.com (104.87.146.10): 56 data bytes

--- www.icloud.com ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Code:
; <<>> DiG 9.10.6 <<>> www.icloud.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52592
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www.icloud.com.            IN    A

;; ANSWER SECTION:
www.icloud.com.        1143    IN    CNAME    www-cdn.icloud.com.akadns.net.
www-cdn.icloud.com.akadns.net. 106 IN    CNAME    www.icloud.com.edgekey.net.
www.icloud.com.edgekey.net. 4742 IN    CNAME    e4478.a.akamaiedge.net.
e4478.a.akamaiedge.net.    12    IN    A    104.87.146.10

;; Query time: 310 msec
;; SERVER: 192.168.50.1#53(192.168.50.1)
;; WHEN: Sat Dec 28 12:27:32 HST 2019
;; MSG SIZE  rcvd: 269

edit: As @dave14305 suggested in another thread it may be a Cloudflare blocking issue, so I switched back to Quad 9 in DoT and that solved it.
 

Cloudflare is the fastest DNS server by far where I am. Unusable though, as you report, some sites seem to break when using it.
Cleanbrowsing-security does the job. :)
 
Will you have link installed in amtm by @thelonelycoder so we can upgrade effortlessly :D?
Can I suggest not, and that actually it goes the other way? 2.3.1 will be available in the normal pipeline shortly and Diversion/amtm will make it available. When that happens 2.3.0 can be deleted from amtm. It served its glorious, finger-in-the-dike, purpose.

Also the instructions to install 2.3.1 manually are in this thread four or five times. Download, rename, replace /opt/sbin/pixelserv-tls
 
