Menu
What's new
By:
Filters Better Search

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Makaveli said:
It is also possible to just add the model to the list that is in this script?
Click to expand...
For personal use - as a coder - that works ... or as I did - simply rem'd the lines dealing with model numbers ... but thelonelycoder is fixing it for amtm so that non-coders like me just enjoy the magic of selecting menu items and have all the heavy lifting done for you;).
 
Hi, confused somehow by pixelserv SSL certifactes - I would like to replace them with my own CA and domain certs for with my private CA authority create in XCA.
I found ca.crt and ca.key, but how can I replace domain certificates?
 
Slawek P said:
Hi, confused somehow by pixelserv SSL certifactes - I would like to replace them with my own CA and domain certs for with my private CA authority create in XCA.
I found ca.crt and ca.key, but how can I replace domain certificates?
Click to expand...

You don't have to, just delete/purge all the generated domain certificates and that's it. Pixelserv-tls generates the domain certificates on the fly.
 
Asad Ali said:
You don't have to, just delete/purge all the generated domain certificates and that's it. Pixelserv-tls generates the domain certificates on the fly.
Click to expand...
Gotcha - found this option, appears it keeps them in the same folder for all blocked ad domains + admin TLS, let me try that and see how it goes
 
Slawek P said:
Gotcha - found this option, appears it keeps them in the same folder for all blocked ad domains + admin TLS, let me try that and see how it goes
Click to expand...

Don't forget to import your newly created CA authority in your devices, otherwise TLS handshake will fail.
 
Asad Ali said:
Don't forget to import your newly created CA authority in your devices, otherwise TLS handshake will fail.
Click to expand...
Yes CA authority has been imported, but I need to import individual domain certs too - so I have done for admin page with various aliases, but what about adblocked sites...
 
Slawek P said:
Yes CA authority has been imported, but I need to import individual domain certs too - so I have done for admin page with various aliases, but what about adblocked sites...
Click to expand...

You're mixing things here, first clear some things. You're trying to import WebUI domain certificates in the router for its web UI? Or you're talking about ad domains?

If ad domains then you don't have to import the generated ad certificates anywhere.
 
Asus WebUI is long time sorted. Pixelserv admin serverstats is sorted

Am talking about ad domains since I noticed this, but it could related pixelserv admin page before I installed certs, will need it find out where logs are and grep them
slm 26 # of rejected HTTPS requests (missing certificate)
 
Slawek P said:
Asus WebUI is long time sorted. Pixelserv admin serverstats is sorted

Am talking about ad domains since I noticed this, but it could related pixelserv admin page before I installed certs, will need it find out where logs are and grep them
slm 26 # of rejected HTTPS requests (missing certificate)
Click to expand...
Watch the uca stat for any domain certs rejected because the device did not trust the CA used to generate it. No need to import anything other than the CA. The first time you visit a domain the cert is not existing yet, so you get the slm counter incremented. The next visit, it is fine.
 
Slawek P said:
Asus WebUI is long time sorted. Pixelserv admin serverstats is sorted

Am talking about ad domains since I noticed this, but it could related pixelserv admin page before I installed certs, will need it find out where logs are and grep them
slm 26 # of rejected HTTPS requests (missing certificate)
Click to expand...

That missing certificates are generated on the fly the first time you visit a blocked domain.

For example, you have "ads.com" blocked in your blocking file, when you visit the domain "ads.com" the first time you will get a TLS handshake error and one count in slm counter because there was no matching domain certificate for that in pixelserv-tls certificates cache. But next time whenever you'll visit "ads.com" you will not see any error and no slm certificate counter (slm) increase either.
 
I have only recently installed Diversion Standard - everything seem to be working fine but I have a few questions around the data on the Servstats page. Initially I was seeing slu:slh ratio of about 20:1. Having installed a lot of client certificates (and have about 4 devices to go) this is now down to about 2:1 and I have set logging to -l 2 to investigate further.

Looking at the syslog I am seeing three types of output
pixelserv-tls[24063]: handshake failed: shutdown after ServerHello. client 10.55.00.134:56774 server nexusrules.officeapps.live.com
pixelserv-tls[24063]: handshake failed: unknown cert. client 10.55.00.136:58418 server reports.crashlytics.com
pixelserv-tls[24063]: handshake failed: unknown CA. client 10.55.00.134:56803 server telemetry.dropbox.com

Are all three of these in relation to the slu failures?
What is the difference between unknown cert and unknown CA
Also I have some (very few) slm - does this refer to a missing certificate at the website or if not, where should I be looking?

While I have yet to install a certificate on 10.55.00.134, device 10.55.00.136 is a Samsung S7 running Android 8 - I can see the Pixelserv certificate sitting in the Certificates list, yet I am still seeing a steady stream of unknown cert Another user is a Nokia 7.1 running Android 10 - again the certificate is where it should be, but the devices is getting the same unknown cert errors - any idea where I can look to see why these phones are ignoring / bypassing the certs?
 
archiel said:
I have only recently installed Diversion Standard - everything seem to be working fine but I have a few questions around the data on the Servstats page. Initially I was seeing slu:slh ratio of about 20:1. Having installed a lot of client certificates (and have about 4 devices to go) this is now down to about 2:1 and I have set logging to -l 2 to investigate further.

Looking at the syslog I am seeing three types of output
pixelserv-tls[24063]: handshake failed: shutdown after ServerHello. client 10.55.00.134:56774 server nexusrules.officeapps.live.com
pixelserv-tls[24063]: handshake failed: unknown cert. client 10.55.00.136:58418 server reports.crashlytics.com
pixelserv-tls[24063]: handshake failed: unknown CA. client 10.55.00.134:56803 server telemetry.dropbox.com

Are all three of these in relation to the slu failures?
What is the difference between unknown cert and unknown CA
Also I have some (very few) slm - does this refer to a missing certificate at the website or if not, where should I be looking?

While I have yet to install a certificate on 10.55.00.134, device 10.55.00.136 is a Samsung S7 running Android 8 - I can see the Pixelserv certificate sitting in the Certificates list, yet I am still seeing a steady stream of unknown cert Another user is a Nokia 7.1 running Android 10 - again the certificate is where it should be, but the devices is getting the same unknown cert errors - any idea where I can look to see why these phones are ignoring / bypassing the certs?
Click to expand...
Some devices or applications are hard-coded to only accept a specific cert and will close the connection anything else is received. Lookup certificate pinning.

You can fix the unknown CA messages by installing the CA cert if the device allows it. The rest you can either live with, or take a more tedious approach to whitelist them in Diversion then add them to /jffs/configs/hosts.add with a 0.0.0.0 IP to avoid the bad pixelserv stats. I don't bother anymore, but crashlytics is very hostile against Pixelserv certs.
 
dave14305 said:
a more tedious approach to whitelist them in Diversion then add them to /jffs/configs/hosts.add with a 0.0.0.0 IP to avoid the bad pixelserv stats
Click to expand...
Hmmmm..... wonder how tricky it would be to automate that? @thelonelycoder would it make the browsing experience snappier/smoother or would it just make the stats nicer?
 
dave14305 said:
I wouldn't tempt him. He's just as likely to eradicate pixelserv-tls completely. :eek:
Click to expand...
That wouldn't be too surprising at all, our beloved lonely coder has had some remarks in the past indicating his displeasure with pixelserv in general (the reasons escape me right now).
 
Jack Yaz said:
I've stopped using it and I forked it to update it for iOS 13 after all ;-)
Click to expand...
Sorry for being dense - did you stop using pixelserv-tls or Diversion - what did you fork and is it applicable/available for other users?
 
dave14305 said:
Some devices or applications are hard-coded to only accept a specific cert and will close the connection anything else is received. Lookup certificate pinning.

You can fix the unknown CA messages by installing the CA cert if the device allows it. The rest you can either live with, or take a more tedious approach to whitelist them in Diversion then add them to /jffs/configs/hosts.add with a 0.0.0.0 IP to avoid the bad pixelserv stats. I don't bother anymore, but crashlytics is very hostile against Pixelserv certs.
Click to expand...

I have tried the method above, and the slu count is now minimal. However I am now seeing adds where they had been blocked, specifically those delivered via www.googleadservices.com, even though if I click on the add I get 'Hmmm... cannot reach this page' and pinging www.googleadservices.com gets
'Ping request could not find host www.googleadservices.com. Please check the name and try again.' which is what I would expect with www.googleadservices.com is sitting in hosts.add.

I am guessing that as the ads are using redirect and www.googleadservices.com is in my whitelist, diversion/pixelserv are allowing the ads to show. For this sort of ad redirect, do I need to remove the site from the whitelist & hosts.add (and get the slu errors) or is there another way to do this?
 
Jack Yaz said:
pixelserv-tls

My changes got merged into the last official release, when @kvic briefly resurfaced
Click to expand...
Thanks for clarifying - if you no longer use pixelserv-tls, what (if anything) to you now use to remove / replace the blocked content?
 
You must log in or register to reply here.

Similar threads

MegaMango
dnsmasq-surrogate for RT-BE88U: Ad Blocking & Security Enhancement
Replies
2
Views
568
MegaMango
MegaMango
L
pixelserv SOLVED - Is PixelServ WebGui script trustworthy at the moment? Redirects to strange website...
Replies
10
Views
4K
gspannu
gspannu
thelonelycoder
Diversion Need help with selecting new set of filter lists / block lists for Diversion 5.0
2
Replies
21
Views
4K
thelonelycoder
thelonelycoder
blacksheep
pixelserv Does "How to best run Pixelserv tls on asuswrt" still apply?
Replies
3
Views
3K
elorimer
E
garycnew
Entware [SOLUTION] Cross-Compile PixelServ-TLS 2.4 Entware Package via Debian Live DVD
Replies
13
Views
3K
garycnew
garycnew
Similar threads
Thread starter Title Forum Replies Date
C Diversion Pixelserv replacement Asuswrt-Merlin AddOns 2
L Is Diversion better than NextDNS, PiHole or AdGuard Home? Asuswrt-Merlin AddOns 10

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 846 (members: 27, guests: 819)
Top