pixelserv pixelserv - A Better One-pixel Webserver for Adblock

[kvic]

I have no issue with the slu when using android browser. But in my ipad mini4 , all sites request can see increase in slu. The ca.crt already installed in profile. Wonder why...

I can confirm this. In my network the slu kreps increasing when a ipad mini is in use. Not to mention the device has cert installed.

in my network there is a iphone 6, the cert is installed, but this causes me a high slu value. now 2 days after 8466

During a TLS handshake, a client will present a list of supported ciphers. Server presents its own. When they could find a match, the handshake continues. Otherwise, it'll end up as failure.

There was a bug introduced by me in the middle of Km test versions and existed in Km-test.7. That will cause a handshake failure in some situations. I believe that's what happened in your cases. This bug has been fixed in 2.1.0-rc.1.

 

[kvic]

slu is very large compared to req though.
Good news. No folks at home felt any noticeable slowness though slu is very large

You appear to be one of the 'slu' bug victims too. However, you rightly pointed out there was no noticeable slow down.

The way pixelserv-tls works is to provide a fast and empty response to ad request. So that browsers will not end up waiting or spending time processing errors.

When pixelserv-tls sends out a positive response, browsers are very happy. When it's negative response, browsers are still happy. No response or wrong content in a positive response usually upset browsers.

That's why any DNS based adblock should consider integrating pixelserv-tls in the interests of their users for best performance and smoothest browsing experience.

At the moment I've heard pfBlocker, Pi-Hole, OpenWRT adblock..all the experienced adblock authors are still in FUD (fear, uncertainty and doubt) mode..

pixelserv-tls - Instant On! Butter Smooth

 

[esco]

I have reinstalled everything and updatetd to the latest beta, high hopes here Thank you, @kvic!

 

[elorimer]

rc.1 just installed.

Something funny with kvg and kvq:

pixelserv-tls 2.1.0-rc.1 (compiled: Mar 17 2018 21:02:50) options: 192.168.0.3

uts 0d 00:03 process uptime
log 1 critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc 10 number of active service threads
kmx 10 maximum number of service threads
kvg 0.00 average number of requests per service thread
krq 0 max number of requests by one service thread

req 29 total # of requests (HTTP, HTTPS, success, failure etc)
avg 473 bytes average size of requests
rmx 1059 bytes largest size of request(s)
tav 6 ms average processing time (per request)
tmx 28 ms longest processing time (per request)

slh 11 # of accepted HTTPS requests
slm 0 # of rejected HTTPS requests (missing certificate)
sle 0 # of rejected HTTPS requests (certificate available but bad)
slc 0 # of dropped HTTPS requests (client disconnect without sending any request)
slu 5 # of dropped HTTPS requests (other TLS handshake errors)

And yowza! Look at this txt and tav, after hitting fivethirtyeight.com:

uts 0d 00:13 process uptime
log 1 critical (0) error (1) warning (2) notice (3) info (4) debug (5)

kcc 6 number of active service threads
kmx 23 maximum number of service threads
kvg 2.00 average number of requests per service thread
krq 4 max number of requests by one service thread

req 71601 total # of requests (HTTP, HTTPS, success, failure etc)
avg 553 bytes average size of requests
rmx 1960 bytes largest size of request(s)
tav 0 ms average processing time (per request)
tmx 40 ms longest processing time (per request)

slh 71558 # of accepted HTTPS requests
slm 0 # of rejected HTTPS requests (missing certificate)
sle 0 # of rejected HTTPS requests (certificate available but bad)
slc 1 # of dropped HTTPS requests (client disconnect without sending any request)
slu 10 # of dropped HTTPS requests (other TLS handshake errors)

sct 79 cert cache: # of certs in cache
sch 32 cert cache: # of reuses of cached certs
scm 4 cert cache: # of misses to find a cert in cache
scp 0 cert cache: # of purges to give room for a new cert
sst 6 sess cache: # of cached TLS sessions (for older non-RFC5077 clients)
ssh 1 sess cache: # of reuses of cached TLS sessions
ssm 12 sess cache: # of misses to find a TLS session in cache
ssp 0 sess cache: # of purges to give room for a new TLS session

nfe 5 # of GET requests for server-side scripting
gif 0 # of GET requests for GIF
ico 9 # of GET requests for ICO
txt 71544 # of GET requests for Javascripts
jpg 0 # of GET requests for JPG
png 0 # of GET requests for PNG
swf 0 # of GET requests for SWF
sta 11 # of GET requests for HTML stats
stt 0 # of GET requests for plain text stats
ufe 0 # of GET requests /w unknown file extension

 

[kvic]

I've solved my case by deleting everything under mnt\var\cache\pixelserv and re-generating ca.cert and of course importing the new one to my clients. Currently my adblocker is turned off and I don't think to turn it on again

Your servstats look much much..much..better now.

To make 'slu' clearer, I've updated its description on the servstats page. Now it reads slu - other SSL handshake errors.

There are many contributing factors that result in a slu. Clients without a CA cert installed is one. It could also be TLS protocol mismatch (wrong versions..wrong parameters..). In order not to swamp the servstats page, at the moment I've decided not to classify and list the sub-categories.

If one day we reach a consensus to do it, pixelserv-tls will end up a good and quick SSL diagnosis tool for some IT professionals I hope.

 

[kvic]

rc.1 just installed.

Something funny with kvg and kvq:

pixelserv-tls 2.1.0-rc.1 (compiled: Mar 17 2018 21:02:50) options: 192.168.0.3

uts 0d 00:03 process uptime
log 1 critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc 10 number of active service threads
kmx 10 maximum number of service threads
kvg 0.00 average number of requests per service thread
krq 0 max number of requests by one service thread

What happened is that HTTP_KEEPALIVE default is changed to 300s (was 120s in v2.0) in one or two test versions ago. So in the first 5 minutes of start-up. Your 10 service threads (kcc) are still happily high flying. Their corresponding clients also enjoy the glide. Don't want to stop. So the service threads (i.e. the HTTP/1.1 persistent connections) are still alive. Once connection closed by clients or timeout after inactivity on server side, then kvg and krq will be updated accordingly.

And yowza! Look at this txt and tav, after hitting fivethirtyeight.com:

'Amazing' site for testing

 

[quant88]

I noticed spike on slu after installing the latest update. Maybe its the way I installed..This time I disabled ab-blocking completely on AB solution with option a. Enable again.
This time slu looks better. There are 2 more clients to install certificates and some web cams -cannot install certificates on those
https://prnt.sc/ishb49

 

[kvic]

I noticed spike on slu after installing the latest update. Maybe its the way I installed..This time I disabled ab-blocking completely on AB solution with option a. Enable again.
This time slu looks better. There are 2 more clients to install certificates and some web cams -cannot install certificates on those
https://prnt.sc/ishb49

Hmm...percentage wise (slu/req) not looking good. Let's give it more time to run. I have faith in the fix.

 

[quant88]

There seem no way to install certificates without enabling screen lock on android device.
Manage to find third party apps that will let you hide or “suppress” the lock screen. You will still need to set a password or pin, but these apps will bypass the lock screen while they are running. An example is No Lock.
https://play.google.com/store/apps/details?id=org.jraf.android.nolock

 

[DonnyJohnny]

Hmm...percentage wise (slu/req) not looking good. Let's give it more time to run. I have faith in the fix.

Rc1, iPad mini4 still no good.. slu remains high. Android /pc no issue.
What I did, restart router, regent ca cert, install new ca cert on client, purge cert.
Other than that all good. Mini4 speed remains good.

 

[JaimeZX]

Lastly, you might want to check out:
https://github.com/decoderman/amtm

Two quick questions here:
1) I have now installed that excellent menu. Why does it give me (4) Install pixelserv-tls beta version when I installed that already on Thursday night, from the ABS menu?
2) What page are the directions for pulling the certs from the pixelserv intstall off the router to import into my browsers? I'm certain I've seen that somewhere over the last week of browsing this forum, but I'll be darned if I can locate them now.

 

[DonnyJohnny]

Two quick questions here:
1) I have now installed that excellent menu. Why does it give me (4) Install pixelserv-tls beta version when I installed that already on Thursday night, from the ABS menu?

That is previously for 2.0beta... but I think it is still applicable for current 2.1 beta. But don’t need install from there since you can do it in ABS menu.

2) What page are the directions for pulling the certs from the pixelserv intstall off the router to import into my browsers? I'm certain I've seen that somewhere over the last week of browsing this forum, but I'll be darned if I can locate them now.

Check here to generate cert
https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate
Just go to client browser and go “pixelserv ip”/ca.crt and install the cert. easy import.

 

[DonnyJohnny]

Rc1, iPad mini4 still no good.. slu remains high. Android /pc no issue.
What I did, restart router, regent ca cert, install new ca cert on client, purge cert.
Other than that all good. Mini4 speed remains good.

kvic
Ladies and gentlemen... I have resolve the slu issue for IOS!!

Refers to https://stackoverflow.com/questions...ficates-not-trusted-automatically-self-signed

You need to set it to trusted in the General, About, Certificate Trust setting!!

Have fun!

Kvic, can please add this into to the wiki on importing to IOS 11 and above

 

[jrmwvu04]

Rc1, iPad mini4 still no good.. slu remains high. Android /pc no issue.
What I did, restart router, regent ca cert, install new ca cert on client, purge cert.
Other than that all good. Mini4 speed remains good.

One quick question, are you also trusting the certificate after installing it? This is a required step in iOS 10.3 and newer.

https://support.apple.com/en-us/HT204477

 

[jrmwvu04]

Kvic, can please add this into to the wiki on importing to IOS 11 and above

Timing, huh?

This is actually in the wiki already.

https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

 

[jrmwvu04]

And yowza! Look at this txt and tav, after hitting fivethirtyeight.com:

That is astonishing. I had to try it out myself and it's bananas. 45,000 requests in a few minutes.

 

[DonnyJohnny]

Timing, huh?

This is actually in the wiki already.

https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

Haha..
Saw... I must be too excited with the new version that I forgotten about that steps after I generate and import a new cert...

 

[JaimeZX]

Check here to generate cert
https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate
Just go to client browser and go “pixelserv ip”/ca.crt and install the cert. easy import.

OK! So I tried this. Didn't need to do the certificate generation since the installer performed that automatically.
Unfortunately just going in my browser to 192.168.x.3/ca.crt didn't do anything for me (just delivered a blank screen) although I could CD into /opt/var/cache/pixelserv and see ca.crt and ca.key in there.
I wound up doing cp ca.crt /tmp/mnt/ExternalHD/documents/ and then pulling it down through my Samba share. SO. WIN!!

 

[pattiri]

That is astonishing. I had to try it out myself and it's bananas. 45,000 requests in a few minutes.

@kvic maybe you can use this website for testing

 

[vesalius]

pixelserv-tls 2.1.0-rc.1 (compiled: Mar 17 2018 21:02:50) options:
23317 uts, 1 log, 4 kcc, 31 kmx, 1.49 kvg, 63 krq, 100745 req, 351 avg, 4221 rmx, 0 tav, 305 tmx, 97458 slh, 2 slm, 0 sle, 602 slc, 2197 slu, 110 sct, 2351 sch, 37 scm, 9 scp, 84 sst, 216 ssh, 13 ssm, 0 ssp, 546 nfe, 6 gif, 0 ico, 97233 txt, 0 jpg, 0 png, 0 swf, 0 sta, 21 stt, 80 ufe, 0 opt, 25 pst, 1 hed, 30 rdr, 0 nou, 0 pth, 0 204, 0 bad, 0 tmo, 605 cls, 0 cly, 0 clt, 0 err