
pixelserv - A Better One-pixel Webserver for Adblock


I am getting a bit frustrated: tried to do everything that is mentioned in the first post, but whatever precomputed binary I try, I always get:
line 1: syntax error: unexpected word ( expecting ")")
I triple checked that I send the binary as binary file (even downloaded it directly on the router) but nothing helps.
I run Asusmerlin on an AC66U with entware, so I tried both the arm and the entware-arm version of pixelserv-tls.

Can anyone indicate what I am doing wrong?
 
I run Asusmerlin on an AC66U with entware, so I tried both the arm and the entware-arm version of pixelserv-tls.

The AC66U comes with a MIPS processor. I would try the mips binary instead.

Let me know how far you go...
 
What are you using this for?

Post #1 and #67 have some relevant bullet points.

How about a little story..?

Below is a screenshot of servstats mentioned in #1. I've been running pixelserv-tls for close to 8 days and 13 hours non-stop. During this period users in my home LAN made a total of 43,698 ad requests. Of which, 11,005 are over HTTPS. Stunning revelation: SSL ads are a quarter of all ad volumes from me...one sample point!

Of the 43,698 requests, 953 (# of POST method) attempted to upload something to ad servers. I would assert one of the 953 attempted uploads consists of 31,238 bytes of data collected from me or another user of my home LAN.

Online ad landscape changed completely from earlier years. GIF? Out of vogue. Only 516 requests (~1%) out of 43,698 total. Same goes for JPG, PNG, SWF... ad people are no longer serving you "static" data. In future (not sure when), such items in pixelserv would be good to replace with more relevant and new categories...

txt files are a little surprise. 15,062 (~35%) out of 43698 total. Ever wonder why web developers are using TXT files? Perhaps a web dev friend can reveal the secret to you or we can dig up ourselves from Web Inspector of a modern browser.

2hrlwrt.png
 
Please, this tutorial is not so easy for non-English users... I need a better tutorial, step by step: how, what and where to install something? I am trying to install easyrsa over PuTTY and got an error...
Code:
RT-AC68U login: admin
Password:


ASUSWRT-Merlin RT-AC68U_3.0.0.4 Mon Nov  2 14:58:44 UTC 2015
admin@RT-AC68U:/tmp/home/root# ./easyrsa init-pki
-sh: ./easyrsa: not found
admin@RT-AC68U:/tmp/home/root# sh ./easyrsa init-pki
sh: can't open './easyrsa'
admin@RT-AC68U:/tmp/home/root# /jffs/bin/pixelserv 192.168.200.1 -u admin
-sh: /jffs/bin/pixelserv: not found
admin@RT-AC68U:/tmp/home/root# /jffs/bin/pixelserv 192.168.1.1 -u admin
-sh: /jffs/bin/pixelserv: not found
admin@RT-AC68U:/tmp/home/root# /jffs/bin/pixelserv 192.168.200.1 -u admin
-sh: /jffs/bin/pixelserv: not found
admin@RT-AC68U:/tmp/home/root#
 
Forgive the noob question--but is there an entware-ng version of this? Thinking about trying both now that there is an install script in the alpha builds.
 
I recommend that real novices stick with simple adblocking using a custom hosts file only. Setting up pixelserv (tls), certainly with https ads and certificates, is too difficult for newbies and might lead to potential security vulnerabilities.
 
I need a better tutorial, step by step: how, what and where to install something? I am trying to install easyrsa over PuTTY and got an error...

As mentioned before I don't plan to create a complete step by step guide that people can copy & paste due to huge variance in people's setup. Sorry. For high-level steps/milestones, you can refer to post #58.

Regarding Root CA cert generation, post #70 is a step by step guide ready for copy & paste. When I wrote it, I actually tried on my AC56U (378.55) and worked without a glitch..

Forgive the noob question--but is there an entware-ng version of this?

A specific version for Entware/Ng is not required. For MIPS routers (N66, AC66), pick the mips binary. For ARM routers (AC56, AC68 etc), pick the ARM binary.

I created Entware-arm binary for testing native pthread support. In general, you're much better off running mips or arm instead of Entware-arm binary in terms of run-time RAM usage. I think I'll remove Entware-arm binary soon..in order not to confuse people.
 
Hi, to keep things simple, is it possible to just skip the https ad blocking? I mentioned before I got SSH on WAN and on the 443 port, and can't move it, so I can give this a try and use only port 80 by moving the default ASUS GUI to the https port. I want to keep things simple; I'm already using lonelycoders scripts and happy with them, but if I can improve performance I'll give it a try, thanks.
 
txt files are a little surprise. 15,062 (~35%) out of 43698 total. Ever wonder why web developers are using TXT files?

Sorry, the TXT label was originally used as default for non-image, now means javascript .js* files. So plain text in type, but not .txt extension. Perhaps you would like to amend your fork!

https://github.com/kvic-z/pixelserv-tls/blob/master/socket_handler.c#L770

Hi, to keep things simple, is it possible to just skip the https ad blocking? I mentioned before I got SSH on WAN and on the 443 port, and can't move it, so I can give this a try and use only port 80 by moving the default ASUS GUI to the https port. I want to keep things simple; I'm already using lonelycoders scripts and happy with them, but if I can improve performance I'll give it a try, thanks.

Trouble is, DNS poisoning diverts a request for the remote website to pixelserv on the router; your browser then tries to connect using https on port 443 on that IP address, and will try to log in to the router web GUI unless you also do the iptables magic.
 
Sorry, the TXT label was originally used as default for non-image, now means javascript .js* files. So plain text in type, but not .txt extension. Perhaps you would like to amend your fork!

No wonder it retains a high percentage these days. ~35% in my access. Perhaps a good idea to analyse current ad traffic and add new categories to this project...

Hi, to keep things simple, is it possible to just skip the https ad blocking?

A simpler check before proceeding further..what do you see from running the below command on your router?
  • netstat -n | grep :443
 
Hi, this is what I get, I ssh on that port internally and from WAN to my public IP
Thanks,

/tmp/home/root# netstat -n |grep :443
tcp 0 64 172.23.1.1:443 172.23.1.2:52503 ESTABLISHED


A simpler check before proceeding further..what do you see from running the below command on your router?
  • netstat -n | grep :443
 
Hi, this is what I get, I ssh on that port internally and from WAN to my public IP

Sorry, I meant "netstat -na". I actually did some checks on my router. I believe port 443 is bound to all interfaces. You can confirm that by seeing "0.0.0.0:443 0.0.0.0:* LISTEN"

So yes...you will need some workaround for https to work. And yes..you can run pixelserv without https.

EDIT:

One possible workaround..in case of interest...is that
  • disable WAN SSH from WebUI, and revert ssh to default port 22
  • go to WAN page, and create a port forward with Port Range=443, Local IP=your.router.private.ip.address, Local Port=22, Protocol=TCP
With that your SSH will run on default port 22. SSH from WAN on 443 will continue to work.

Regarding performance gain from pixelserv, just want to set people's expectation right. Bare eyes probably won't notice any gain.

My recommendation: Don't fancy pixelserv if people's goal is to see faster page load...
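
The listener check discussed in the posts above, as an added example that is not part of the original thread: it classifies `netstat -na` output for a port, showing why an ESTABLISHED line alone says nothing about what the port is bound to. The function name `port_binding`, its result labels and the sample lines (other than the ESTABLISHED line posted above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how a TCP port is bound, from `netstat -na` output.
# On the router: netstat -na | port_binding 443
# Results: "wildcard"        a service listens on every interface (0.0.0.0 or ::),
#                            so nothing else can bind that port on any local IP
#          "specific:<ips>"  listeners exist only on the listed addresses
#          "no-listener"     no LISTEN socket seen (ESTABLISHED lines are ignored)

port_binding() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # Local address is field 4; the port is whatever follows the last ":".
            n = split($4, a, ":")
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                wildcard = 1
            else
                specific = specific (specific ? "," : "") addr
        }
        END {
            if (wildcard)      print "wildcard"
            else if (specific) print "specific:" specific
            else               print "no-listener"
        }'
}

# The single line that `netstat -n` (without -a) returned in the thread.
SAMPLE_ESTABLISHED='tcp 0 64 172.23.1.1:443 172.23.1.2:52503 ESTABLISHED'

# Constructed sample of `netstat -na` output with listening sockets included.
SAMPLE_LISTEN='tcp        0      0 0.0.0.0:443        0.0.0.0:*          LISTEN
tcp        0      0 192.168.1.1:4430   0.0.0.0:*          LISTEN
tcp        0     64 172.23.1.1:443     172.23.1.2:52503   ESTABLISHED'

printf '%s\n' "$SAMPLE_ESTABLISHED" | port_binding 443
printf '%s\n' "$SAMPLE_LISTEN" | port_binding 443
```

A "wildcard" result on 443 is the case where the HTTPS listener has to sit on another port behind a redirect, or the existing service has to move.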
 
Please generate the certs with unique serial number as Firefox is rather strict and will cough out this error:

Secure Connection Failed

An error occurred during a connection to doubleclick.com. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
 
Please generate the certs with unique serial number as Firefox is rather strict and will cough out this error:

Interesting finding. I could reproduce in a freshly installed Firefox. I was thinking how smart Firefox is at detecting a collision in serial number of the generated certs...

Here is the new and fixed version: V35.HZ12.Kg
  • Fixed serial number in generated certs that upset Firefox
Thanks for posting!
 
Thanks, that's fast. It works now but only after I deleted the earlier certs from /opt/var/cache/pixelserv, so take note of this if anyone is still having the errors.
 
Thanks, that's fast. It works now but only after I deleted the earlier certs from /opt/var/cache/pixelserv, so take note of this if anyone is still having the errors.

The serial number is stamped on individual certs auto-generated by pixelserv. You're right that old certs have to be removed so that new certs (good for Firefox) can be re-generated on demand.

Firefox does a better job than both Chrome and Safari on cert security. Surprise!
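
A way to find the stale certificates behind sec_error_reused_issuer_and_serial, as an added example that is not part of the original posts or of pixelserv: it groups the files in a cache directory by issuer and serial number and lists every group with more than one member. It assumes `openssl` is installed and that each cached file contains a PEM certificate; the function name `dup_serials` is hypothetical.

```shell
#!/bin/sh
# Added example: list certificates in a directory that share issuer + serial.
# Usage: dup_serials /opt/var/cache/pixelserv
# Assumption: each file holds a PEM certificate that `openssl x509` can read;
# files that are not certificates (keys, other data) are skipped silently.

dup_serials() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # openssl prints "issuer=..." and "serial=..." on two lines;
        # join them into one key that identifies the (issuer, serial) pair.
        id=$(openssl x509 -noout -issuer -serial -in "$f" 2>/dev/null | tr '\n' '|')
        if [ -n "$id" ]; then
            printf '%s\t%s\n' "$id" "$f"
        fi
    done |
    awk -F '\t' '
        { count[$1]++; files[$1] = files[$1] " " $2 }
        END {
            # One output line per colliding pair, followed by the files involved.
            for (k in count)
                if (count[k] > 1)
                    print k files[k]
        }'
}

# Run against a directory when one is given on the command line.
if [ -n "${1:-}" ]; then
    dup_serials "$1"
fi
```

No output means every certificate in the directory has a serial number that is unique for its issuer.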
 
Got your compiled version running a 14mb TinyCore image that I pxeboot. I can see it generating certs without issue now, however; all sites still give NET::ERR_CERT_AUTHORITY_INVALID in Chrome and a blank page in internet explorer. I have the cert imported as a Trusted Root CA authority, chrome even shows it as the certificate it flagged as bad. Or do I have to manually import EVERY cert that's generated? Any thoughts?
Mind making a guide to installing it on TinyCore?
 
Ok I got the pixelserv working. I have the certs in place. It works fine on http, but https I get this error below.
Any ideas of what is going on exactly? I am running the Kg version on port 8080 only using args "192.168.1.1 -p 8080"

upload_2015-12-25_23-17-30.png
 
Ok I got the pixelserv working. I have the certs in place. It works fine on http, but https I get this error below.
Any ideas of what is going on exactly? I am running the Kg version on port 8080 only using args "192.168.1.1 -p 8080"

View attachment 5197

I believe you prefer WebUI to continue running port 80, and hence setup prerouting as mentioned in #1? If so, please try this:
Code:
iptables -t nat -A PREROUTING --dest 10.8.10.8 -p tcp --dport 80 -j DNAT --to-dest 192.168.1.1:8080
iptables -t nat -A PREROUTING --dest 10.8.10.8 -p tcp --dport 443 -j DNAT --to-dest 192.168.1.1:8088

Then start pixelserv with args "192.168.1.1 -p 8080 -k 8088" and as usual replace "10.8.10.8" with your own pick of the ip address you assign in dnsmasq conf files.

(It was my bad; I neither updated nor really removed the chopped content in #1. Going to update now..)

EDIT: correct pixelserv args. #1 updated.
 
That seems to have done the trick. I was thinking about trying that but was trusting the info in the first post where it could all go to the same port.

Oh, I had the rules in firewall-start but they did not fire when I rebooted. I looked at the docs and then moved them to "nat-start". I have not rebooted yet to test but I think that's where they belong. EDIT: That did not work either. Not sure why, but in either place they are not going into the iptables rules. Do I need something else at the end to save it? If I just run the file from the command line after it boots, it works fine. I could just add it to some other script that executes later but would rather not.

EDIT MORE - I read the docs again and noticed I forgot the "shebang" at the start of the script. I added the "#!/bin/sh" to start of it, renamed it back to firewall-start and rebooted again. Works now!
 
