pixelserv pixelserv - A Better One-pixel Webserver for Adblock

[SeaDweller]

you could try ublockr think that one can play nice with tomato

I tried that. However it took ages to generate the blacklist (appx. 5 times longer than the existing with ablock.sh).
Then pixelserv did not seem to start at all. I also did not find where it would be started.
And the end: It did not work and I stopped spending more time on ublockr.

 

[Popov]

Indeed, it could be easier. I also tried Ab-Solution yesterday. It did not even install but aborted with some kind of messages saying router needs reboot and after reboot same thing again and again.
(...)
Having done troubleshooting now for about one day I would say: It was good having made this experience but I am not sure if I would do it again.

The main problem is that you're dealing with SSL certificates, and everything related to this is not simple, either on purpose or because people behind didn't try to.

When you're using a self-signed certificate, either you register it in a single application (usually the browser), or into the system.
If it's multiples certificate, you can register all of them, or use the easiest way and sign them with a CA certificate. Using and registering such certificate make all other signed by it automatically valids, without the need to do anything more.
The usual way to register any certificate for a brower is to open it like a webpage, be it on Windows, Mac, android or IOS. It will automatically ask if you want to import it, and in some case, not into the browser but directly into the sytem.


@kvic,
this said, could you add to the /servstats page a link to the CA public certificate, with pixelserv able to serve it ?
It would help for people not used to manage certificates.
Also maybe a line or 2 in a box with the link, explaining the use.

It's me again. After testing a while it turned out that the pixelserv-tls throws error messages if the process is started from the routers scripts page (WAN-UP) or schedule page within tomato.
The error reads:

Sending HTTP 501 response for unknown HTTP method or non-SSL, non-HTTP request:

(...)

you might have a conflict with the router admin page, that might try to also bind the https port even if not used at boot.
Check the log to see the starting order of the processes, maybe adding a sleep at boot when starting pixelserv might help

 

[Denna]

@kvic,

What is the difference between running pixelserv-tls and blocking ads with host lists on unbound or dnscrypt ?​

 

[heysoundude]

what I would love to know is if you can run dnscrypt as well as pixelserv-tls with ab-solution or if there will be a mess of problems to sort out...is there a "right" way to do it?
I like (love, actually) the ad-blocking, but that's only part of the privacy equation I think...and if I can similarly get dnscrypt happening centrally, on my router, for every connected client...
or am I not making some key connection in my brain about this?
Someone senior commenting with terminal commands would be helpful...my linux-fu is beginner at best.

 

[redhat27]

I'm not a senior in the forums by any means, but I am fairly certain that dnscrypt (ssl'd request to an external resolver) and pixelserv/pixelserv-tls with a host based dns poisoning are not conflicting in any way. If you've setup all that you've mentioned above, this is how it works: Lets say a device on you LAN asks for a domain to be resolved to its IP. It will make a dns request to its configured resolver. The router should trap that dns request (udp/53) and send it to its own local resolver (say dnsmasq) It will try to see if the domain is existing on its own hosts (provided by ab-solution, for example). If found in the local hosts, it's probably a domain you'd want to block (ad/malware/etc.) so the dns request is routed to pixelserv in the hosts IP poisoning (pixelserv's IP). If it is not found in the local hosts, dnsmasq will send it to the configured server (where is where dnscrypt is listening on the router), defined in /etc/dnsmasq.conf for example the server=127.0.0.1#65053 line) which is then routed out to whichever dns server dnscrypt is configured to use

 

[kvic]

dnsmasq is a DNS forwarder with cache capability in which the content of cache happens to being able to be initialised from local host files and not to be overridden after initialization. When dnsmasq cannot resolve locally, it'll forward the request to its upstream servers that you set up in its configuration.

dnscrypt "disguises" itself as one of such upstream servers to Dnsmasq. So they can work together. I agree with all @redhat27 described except that your router doesn't have to trap DNS requests on udp/53. Clients on your LAN are configured to make requests to Dnsmasq.

Personally I don't use Dnscrypt because I worry less about ISP spying on my DNS queries or DNS replies being altered by a man in the middle. The response time with Dnscrypt in my trial was two orders longer, say 100ms with Dnscrypt vs 2ms without it.

One major advantage of running pixelserv-tls is transparency to what ads and trackers are blocked through its logging capability and statistics page. There are other fringe benefits which were more profound in the old days of Internet.

Here is my stats:

 

[redhat27]

except that your router doesn't have to trap DNS requests on udp/53. Clients on your LAN are configured to make requests to Dnsmasq.

Pardon my ignorance, but what happens if a device is set to use a different server, and not what the router tells it to? If a device is say using google's 8.8.8.8 dns server (for example) I thought having something like this:

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to-destination $(nvram get lan_ipaddr)

would be necessary. Am I wrong in thinking that?

 

[kvic]

Pardon my ignorance, but what happens if a device is set to use a different server, and not what the router tells it to? If a device is say using google's 8.8.8.8 dns server (for example) I thought having something like this:

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to-destination $(nvram get lan_ipaddr)

would be necessary. Am I wrong in thinking that?

Nothing wrong...people use such iptables rule to transparently force clients on LAN to use Dnsmasq running on your router as DNS resolver. Personally I don't enforce such on my home LAN.

 

[kvic]

Imagine you have one or two windows workstations, one iPhone plus one Android device. Just to maintain the certificate import you easily spend some hours on that if you haven't done this before. If you change a device or only install a new browser, you need to do this again.

The problem in itself has little to do with pixelserv-tls or any certificate based applications. People have to understand concepts in PKI, and I believe more and more people will be conversant in it as PKI and HTTPS in particular proliferate.

Imagine in near future, every enterprise (think of your home/families as a small enterprise) has its own CA (public or self-signed), it'll be configured in every device. Then what you have to do is to generate an intermediate CA certificate for pixelserv-tls. Support for intermediate CA certs was added in version Ki (upon @Popov's suggestion).

I don't know how people look at pixelserv-tls. Personally to me, it's really not about adblock but adventure into PKI. In the process, I think I ended up with something also happens to be quite useful.

Having done troubleshooting now for about one day I would say: It was good having made this experience but I am not sure if I would do it again.

You will but perhaps in another way. History is never going to be repeated in the same way. But PKI is here to stay

 

[kvic]

@kvic,
this said, could you add to the /servstats page a link to the CA public certificate, with pixelserv able to serve it ?
It would help for people not used to manage certificates.
Also maybe a line or 2 in a box with the link, explaining the use.

It's not going to relieve the situation by a lot. I believe people still can't simply click on the link to import the CA cert on most platforms...I can look into it in a future version if a link really reduces the effort by a huge margin.

Pixelserv doesn't have ability to serve files. It won't be difficult to add but I think it isn't justified atm for just serving the ca file.

 

[thelonelycoder]

It's not going to relieve the situation by a lot. I believe people still can't simply click on the link to import the CA cert on most platforms...I can look into it in a future version if a link really reduces the effort by a huge margin.

Pixelserv doesn't have ability to serve files. It won't be difficult to add but I think it isn't justified atm for just serving the ca file.

As most pixelserv users are using it through AB-Solution, I will add a way to let them email the file.
But a download link for it in the stats for simplicity would be great.

 

[kvic]

As most pixelserv users are using it through AB-Solution, I will add a way to let them email the file.
But a download link for it in the stats for simplicity would be great.

Browsers should be already receiving a copy of the CA cert (...even on a fresh device) when they access a pixelserv-tls page over https. I think getting the CA cert to a device isn't the problem here.

 

[thelonelycoder]

Browsers should be already receiving a copy of the CA cert (...even on a fresh device) when they access a pixelserv-tls page over https. I think getting the CA cert to a device isn't the problem here.

Yes I know, but I have had users ask for a way to download the file in my threads before.
Either for backup or other reasons. A link to both, the ca.crt and ca.key would be helpful for those that have use for it.

 

[kvic]

New version Kj. Details here.

Pls read the release note before upgrade.

Binary will be available through Entware in a while. If someone wants it early, I can upload statically built binaries.

 

[jrmwvu04]

If someone wants it early, I can upload statically built binaries.

I wouldn't mind playing around with it if ARM binaries are ready.

 

[thelonelycoder]

For those running AB-Solution and updating to Kj, an update of the addon file will be released soon with an option to delete the old auto-generated certificates to take advantage of the new SAN extension.

 

[kvic]

I wouldn't mind playing around with it if ARM binaries are ready.

Here you go:

https://github.com/kvic-z/pixelserv-tls/releases/download/v35.HZ12.Kj/pixelserv-tls.Kj.zip

 

[jrmwvu04]

All set, thanks @kvic

 

[mike37]

Greetings all!
I'm using a Merlin-Asus RT-AC68. FWICT both ublockr and AB-Solution use pixelserv and dnsmasq to substitute a gif for blocked ads; and they both use port 443 (and 80?).

How can I change those ports? I'd like to use 443 for an OpenVPN server. (I'd guess I need to tweak a config file somewhere for each of them?)

TIA

 

[jrmwvu04]

$ pixelserv-tls --help
Usage:pixelserv-tls
    ip_addr/hostname (all if omitted)
    -2 (disable HTTP 204 reply to generate_204 URLs)
    -f (stay in foreground - don't daemonize)
    -k https_port (443 if omitted)
    -l (log access to syslog)
    -n i/f (all interfaces if omitted)
    -o select_timeout (10 seconds)
    -p http_port (80 if omitted)
    -r (deprecated - ignored)
    -R (disable redirect to encoded path in tracker links)
    -s /relative_stats_html_URL (/servstats if omitted)
    -t /relative_stats_txt_URL (/servstats.txt if omitted)
    -u user ("nobody" if omitted)
    -z path_to_https_certs (/opt/var/cache/pixelserv if omitted)

In short, the -k switch for https and the -p switch for http. If you're going to be using either ab-solution or ublockr, they might have more user friendly ways of changing the settings. If you haven't already, ask in the threads for those. It depends on how you have it set up. I have my pixselserv-tls installed through entware-ng, and so I edit the config file to pass those settings, opt/etc/init.d/S80pixelserv-tls in my case.

Edit: if I remember correctly, there's additional work you have to do to forward pixelserv requests to the proper ports. So it might not be as simple as I made it seem.