pixelserv - A Better One-pixel Webserver for Adblock

@Protik @elorimer

I suspect the CA certificate has an issue in your cases. Can you try following the instructions in the same tutorial:

1. clean up everything in /opt/var/cache/pixelserv
2. follow the tutorial to generate the CA certificate
3. restart pixelserv-tls (/opt/etc/init.d/S80pixelserv-tls restart)
4. import the new CA cert into a client

That fixed it. The slh started increasing.

Code:
slh    31    # of accepted HTTPS requests
slm    52    # of rejected HTTPS requests (missing certificate)
sle    0    # of rejected HTTPS requests (certificate available but bad)
slc    42    # of dropped HTTPS requests (client disconnect without sending any request)
slu    34    # of dropped HTTPS requests (unknown error)

Just to be sure, in the /opt/var/cache/pixelserv directory both ca.key and ca.crt are owned by admin. Is that OK, or do I have to change the ownership to nobody?
 
@kvic
Not sure if this worked.
Code:
ASUSWRT-Merlin RT-AC5300 380.68-4 Wed Oct  4 19:03:28 UTC 2017
admin@RT-AC5300-7380:/tmp/home/root# cd /opt/var/cache/pixelserv
admin@RT-AC5300-7380:/tmp/mnt/AB-Solution/entware/var/cache/pixelserv# openssl genrsa -out ca.key 1024
ca.key: Read-only file system
716465072:error:0200101E:system library:fopen:Read-only file system:bss_file.c:406:fopen('ca.key','w')
716465072:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:408:
admin@RT-AC5300-7380:/tmp/mnt/AB-Solution/entware/var/cache/pixelserv# openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
ca.crt: Read-only file system
717292464:error:0200101E:system library:fopen:Read-only file system:bss_file.c:406:fopen('ca.crt','w')
717292464:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:408:
admin@RT-AC5300-7380:/tmp/mnt/AB-Solution/entware/var/cache/pixelserv# l
I've got a file called ca.crt in the pixelserv folder, but how do I now copy it to my Windows system? Do I need to FTP into the router, as I don't run Linux on the desktop?
 
Two things:
Make sure /opt/var/cache/pixelserv has read/write permissions set:
Code:
chmod 0755 /opt/var/cache/pixelserv/
Then remove everything in /opt/var/cache/pixelserv/

Then regenerate the certificates. You can use /opt/var/cache/pixelserv instead of /tmp/mnt/AB-Solution/entware/var/cache/pixelserv; it points to the same directory.
To import the certs, you could use the backup function bu in AB-Solution. The manual backup includes the certificates.
 
OK, so I managed to log in to the router with FileZilla, followed the tutorial to import the certificate, and restarted the router to have an empty stats page. I'll now email the certificate to all devices as well.
This should prevent the dropped connections? Does this certificate remain valid after updates or Merlin updates / reinstalls? Or should I regenerate it every time? Otherwise I'll save it on my NAS to reimport again if ever needed.
 
Just missed your post :)
will try below as well ThnX!
Two things:
Make sure /opt/var/cache/pixelserv has read/write permissions set:
Code:
chmod 0755 /opt/var/cache/pixelserv/
Then remove everything in /opt/var/cache/pixelserv/

Then regenerate the certificates. You can use /opt/var/cache/pixelserv instead of /tmp/mnt/AB-Solution/entware/var/cache/pixelserv; it points to the same directory.
To import the certs, you could use the backup function bu in AB-Solution. The manual backup includes the certificates.
 
OK, so I managed to log in to the router with FileZilla, followed the tutorial to import the certificate, and restarted the router to have an empty stats page. I'll now email the certificate to all devices as well.
This should prevent the dropped connections? Does this certificate remain valid after updates or Merlin updates / reinstalls? Or should I regenerate it every time? Otherwise I'll save it on my NAS to reimport again if ever needed.
I use the same certificate on my primary router and also on all my test routers. And I've had it for a while now.
Updating firmware does not affect the certificates as they are stored on your USB device, /opt/var/cache/pixelserv is a link to your /mnt/<yourdevice>/entware.../var/cache/pixelserv folder. In fact, the whole tree in /mnt/<yourdevice>/entware.../ is available to the system under /opt/.
 
I don't have an opt/var/cache on my USB?
I've got:
adblocking
entware
lost+found
Skynet
Ahem, /opt/var/cache on the system.
 
OK, got there with telnet, rm *, and now it's empty.
How do I regenerate all the other certificates? (Deleted 340 files from there.)
Just by visiting sites?

edit: now my 192.168.1.2/servstats is broken :(
 
I found a file that does not seem to belong in /opt/var/cache/pixelserv:
.spots.im
The content is Certificate (-----BEGIN CERTIFICATE-----) and the private key (-----BEGIN PRIVATE KEY-----).
Should I be worried? I've removed it from the router for now.
 
Emptied /cache, brought the certificate back in, restarted pixelserv-tls, and imported a certificate into windows. Still 0's for slh.

But the owner of /cache was not admin or nobody, but my login. Changed the owner to nobody and slh started incrementing.
 
Work always takes priority, of course. :) Is it your practice to restart on a weekly basis? Frankly, I don't like the idea. You shall leave pixelserv-tls running as long as you can.

I think it'll get stuck eventually. The process is not dead but the socket won't respond. I suspect it's a kernel issue on old routers like the 56U. But that's after 18 million requests served in my stress test on an earlier test version of KL.

What I meant by pixelserv restarting wasn't due to it having any error. I just restart it to get fresh stats after updating lists, but I can disable the restart of pixelserv and keep it running instead. Also, the servstats page works flawlessly on https. Glad that was fixed. Before, it wasn't accessible in previous versions. Thought that was just how it was; didn't know that was actually a bug.
Here's my serv stats for KL test 8d on mipsel about 13 hrs. Note: I didn't try the previous test8. Just grabbed the latest test8. Which was 8d. Perhaps I should try those too? https://i.imgur.com/lI3iDKr.png Not sure why there's 22k bads. I'm going to restart it and watch the logs a little more closely.
Think I found the culprit: SSL_ERROR_RX_RECORD_TOO_LONG for https://ads.doubleclick.net/ and many others. Hmm. Not sure why. I didn't change any certs.
 
Just to be sure, in the /opt/var/cache/pixelserv directory both ca.key and ca.crt are owned by admin. Is that OK, or do I have to change the ownership to nobody?

Yeah, this is fine for a router system.
 
Emptied /cache, brought the certificate back in, restarted pixelserv-tls, and imported a certificate into windows. Still 0's for slh.

But the owner of /cache was not admin or nobody, but my login. Changed the owner to nobody and slh started incrementing.
A reminder: AB-Solution sets the owner to "nobody" whenever you restart pixelserv through it.
 
I'll now email the certificate to all devices as well.
This should prevent the dropped connections? Does this certificate remain valid after updates or Merlin updates / reinstalls? Or should I regenerate it every time? Otherwise I'll save it on my NAS to reimport again if ever needed.

The CA certificate generated by following the tutorial will be valid for TEN years.

Other than ca.crt & ca.key, other certificates are automatically generated by pixelserv-tls.

Feel free to purge them from time to time (for no good reason). They'll be re-generated on demand when you visit the sites next time.

Generating a certificate is a computationally expensive operation. Hence, we save them for re-use.

#FAQ# make a note for myself for an FAQ item
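
Added example, not part of the thread and not pixelserv-tls or AB-Solution code: a shell check for the CA problems discussed above (a cache directory that cannot be written, a missing ca.crt or ca.key, or a pair that does not match), plus expiry, CA flag and key size. The function name `check_pixelserv_ca` is hypothetical, and RSA keys are assumed, as in the tutorial's `openssl genrsa`.

```shell
#!/bin/sh
# Added example (not from the thread): check a pixelserv-tls CA directory.
# check_pixelserv_ca is a hypothetical helper; RSA keys are assumed, as in the tutorial.
check_pixelserv_ca() {
    dir=${1:-/opt/var/cache/pixelserv}
    fail=0

    # "Read-only file system" or wrong permissions: nothing can be written here.
    [ -w "$dir" ] || { echo "FAIL: $dir is not writable"; fail=1; }
    echo "INFO: owner and mode: $(ls -ld "$dir" | awk '{print $3 ":" $4, $1}')"

    for f in ca.key ca.crt; do
        [ -s "$dir/$f" ] || { echo "FAIL: $dir/$f is missing or empty"; return 1; }
    done

    # If ca.crt was not created from this ca.key, certificates signed with
    # ca.key will not verify against the ca.crt imported into clients.
    key_pub=$(openssl rsa -in "$dir/ca.key" -pubout 2>/dev/null || true)
    crt_pub=$(openssl x509 -in "$dir/ca.crt" -noout -pubkey 2>/dev/null || true)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: ca.crt and ca.key are not a matching pair"; fail=1
    fi

    # Expired or unparsable certificate.
    openssl x509 -in "$dir/ca.crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: ca.crt has expired or cannot be read"; fail=1; }

    # The tutorial's "-extensions v3_ca" is what marks the certificate as a CA.
    openssl x509 -in "$dir/ca.crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE' ||
        { echo "FAIL: ca.crt lacks basicConstraints CA:TRUE"; fail=1; }

    # Key size is reported as a warning only: 1024-bit RSA still works but is
    # below the 2048-bit minimum generally recommended today.
    bits=$(openssl rsa -in "$dir/ca.key" -noout -text 2>/dev/null |
           sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || echo "WARN: CA key is ${bits:-unknown} bits"

    return "$fail"
}

# Run against the directory given on the command line, if any.
if [ $# -gt 0 ]; then check_pixelserv_ca "$1"; fi
```

The function returns non-zero when any FAIL line is printed, so it can gate a restart of pixelserv-tls in a script.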
 
