What's new
By:

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

I faced the same 404 error too. I am sure the link worked in the rc release.
 
kvic said:
404 error on /ca.crt is indeed an issue introduced by my code refactoring done in the last minutes before v2.1 release.

2.1.1 fixes this issue.

Please check kazoo.ga/pixelserv-tls/ how to install.
Click to expand...

Yeah I was entering the Pixelserv IP with the /ca.crt after it. I'll upgrade to 2.1.1 and hope that solves it for me. Thanks!
 
I'm having a problem on Android with the cert. I've initially installed direct through AB-Solutions then updated to v2.1.1 with sh -c "$(wget -qO - https://kazoo.ga/pixelserv-tls/install-beta.sh)"

On my Android phone (v8.0), I've downloaded and installed the cert (192.168.1.2/ca.crt) successfully for VPN and apps, and rebooted. However my Amazon app won't connect, (oops, something went wrong...). If I disable pixelserv it connects without error. I have the latest whitelist from AB-Solutions.

I must be doing something wrong, and have searched for a solution, but need a little help please to get it working with the Amazon app.
 
@bmb your case is an interesting one and the second time it was raised in this thread.

On the first time I provided instructions for people to be fishermen. Not well received. :D Anyway, here is again the HOW-TO figure out domains to whitelist for troubled websites/apps.

I encourage people to try on their own. Gather, share and maintain a whitelist. That seems to be of great value.

For the Amazon apps issue, looks like the iOS and Android apps are doing something differently. It seems the Android version is indeed doing more strict checking.

Try to whitelist fls-na.amazon.com in your adblock script.

See if this resolves the issue.
 
Thanks for the guidance, I thought I wasn't installing the cert properly. I'll look into what needs whitlisting, added your suggestion but still the app fails.

I don't mind fishing, didn't know enough to realise that was the way to go. Once I have little fishy in the net I'll report back

Update:

The following appeared in the log against 'handshake failed: unknown cert' when using the Amazon app
Code: 
mads.amazon-adsystem.com
device-metrics-us.amazon.com
mobileanalytics.us-east-1.amazonaws.com

I whitelisted them and the app worked for a little longer, only a few seconds, before the error, so something changed but still broken. After that no more log entries when using the app and no further clues, so I opened Amazon in a browser on the same device and saw fls-eu.amazon.co.uk in the log. Whitelisting this fixed the problem.

Amazon app is now working on all our devices :)
 
Last edited:
So Amazon basically forces you to activate mobile ads (mads.amazon-adsystem.com) and tracking scripts (device-metrics-us.amazon.com and mobileanalytics.us-east-1.amazonaws.com) if you want to use their app. Whitlisting this defeats the whole purpose of using ab-solution, pixelsrev and skynet. I would rather not use the Amazon app than opening my network to Amazons tracking servers.
 
Mutzli said:
So Amazon basically forces you to activate mobile ads (mads.amazon-adsystem.com) and tracking scripts (device-metrics-us.amazon.com and mobileanalytics.us-east-1.amazonaws.com) if you want to use their app. Whitlisting this defeats the whole purpose of using ab-solution, pixelsrev and skynet. I would rather not use the Amazon app than opening my network to Amazons tracking servers.
Click to expand...
Got it in One !!! ;):D

My rule is if an 'App' forces me to break my security the 'App' goes in the bit bin !!!
If more people refused to allow all this 'Crud' it would eventually have some impact.
 
bmb said:
I opened Amazon in a browser on the same device and saw fls-eu.amazon.co.uk in the log. Whitelisting this fixed the problem.

Amazon app is now working on all our devices :)
Click to expand...

Good to hear you get it working. Look forward to more people picking up and using the tool.

Mutzli said:
So Amazon basically forces you to activate mobile ads (mads.amazon-adsystem.com) and tracking scripts (device-metrics-us.amazon.com and mobileanalytics.us-east-1.amazonaws.com) if you want to use their app.
Click to expand...

I think some people have these two whitelisted by default as part of showing solidarity with SNB.

From my brief tests of using Amazon App, both could remain blocked. The key domain that interferes the App's operation on Android seems to be "fls-na" (and its european equivalent "fls-eu").
 
One further question, how does the app work without whitlisting fls-eu.amazon.co.uk when pixelserv is disabled? AB-Solutions is still blocking that domain, and the others I just whitelisted, yet the app works. Those domains only need whitelisting when pixelserv is enabled.
 
bmb said:
One further question, how does the app work without whitlisting fls-eu.amazon.co.uk when pixelserv is disabled? AB-Solutions is still blocking that domain, and the others I just whitelisted, yet the app works. Those domains only need whitelisting when pixelserv is enabled.
Click to expand...

What happened is that the App talks to fls-na/fls-eu and refuses to finish TLS handshake (hence, you saw "unknown cert" in the log i.e. uce on servstats page).

Apparently the Apps handles this exception differently than the other exception that bumping into wall i.e. 0.0.0.0 (the default case (?) in ABS without pixelserv-tls).

So a better solution we could conclude here for the Amazon app is to whitelist fls-na/fls-eu in ABS, and then add them to /jffs/configs/hosts.add as per "fallback approach" in a few pages back on the discussion of slu/uca/uce.
 
  • Like
Reactions: bmb
Thank you for the explanation. I'll read up about the"fallback approach" discussion and go with that in due course.
 
Butterfly Bones said:
I look forward to a RT-AC86U owner getting syslog-ng running. I've locked up my router four times now requiring a hard reset and reconfigure, and no new ideas why. I've searched until my brain turns to jello with no results. Fingers crossed here. o_O
Click to expand...
Prior to jumping into syslog-ng, I have also locked up my router twice now requiring a hard reset and reconfigure. You've seen the laundry list of services I have, so I won't repeat that here, however the internet was disconnected (thanks Comcast) on Friday when a neighbor had their service installed and didn't get restored until yesterday. At first I didn't realize that it was physically disconnected and was troubleshooting from the router. After a restart, things of course are not happy without the internet.

On service restoration, the cable modem came back no problem, router showed connection to WAN, but things did not work. OpenVPN would not connect, failing to resolve DNS; I shut down ancillary services, ejected USB, and gave a cold boot, WAN showed connected, no clients connecting. Turned off OpenVPN, allowing access while tunnel is down, nada; manual population of DNS to Google, which showed as pingable, nada. Something in the scheme of things is not happy at times and needing to get it back online, I took the reset route with USB unplugged. Immediately after a simple reconfigure, everything came back and then it was re-initializing everything from the USB, which is far better than a full reinstall.

tl;dr, Without syslog-ng I've also had several hard reset and reconfigure on the AC86U, with the source not being found yet.
 
penguin22 said:
the internet was disconnected (thanks Comcast) on Friday when a neighbor had their service installed and didn't get restored until yesterday. At first I didn't realize that it was physically disconnected and was troubleshooting from the router. After a restart, things of course are not happy without the internet.
Click to expand...

Ouch
 
@kvic
Just wondering when I set -c 150, the initial load in memory is only 75. Why not set it to what we set based on the latest 150 generated cert?
 
DonnyJohnny said:
@kvic
Just wondering when I set -c 150, the initial load in memory is only 75. Why not set it to what we set based on the latest 150 generated cert?
Click to expand...

It's all automatic (but manual intervention is possible).

When pixelserv-tls quits normally (on SIGTERM), the top 3/4 of mostly used certs in cache is saved to 'prefetch' file in CERT_PATH.

So most likely your previous value is '-c 100'. Hence, 75 certs were saved. After you change to '-c 150', the first launch will be still the 75 certs saved from previous session.

You can simply let the cache grow itself. Or stop pixelserv-tls and manually populate the number of certs to 150. The 'prefetch' file has the following format.
  • each line represents one cert and how frequently it was used in your previous session
  • the first field is the cert filename. the 2nd field is # of reuses. separated by a tab.
If you populate manually, the 2nd field could simply be 0 or a high value if you regard it as an important cert.

Note that when you quit pixelserv-tls next time, only the top 3/4 most frequently used will be saved. I believe this is more effective use of certs in cache. No certs will be immediately swapped out after startup.
 
@kvic I got a question about using the ca.crt for the web GUI. I followed this in your faq:

https://github.com/kvic-z/pixelserv...ixelserv-CA-to-issue-a-certificate-for-WebGUI

I am given two choices:
  1. Use your Pixelserv CA to issue a certificate to domain:
a. router.asus.com
b. all.dnsomatic.com​

If I select a, I am only able to use it to access the web GUI, but not the hostname of the router. Is there a way to get be able to use my router hostname but still show the nice green padlock?
 
Goobi said:
If I select a, I am only able to use it to access the web GUI, but not the hostname of the router. Is there a way to get be able to use my router hostname but still show the nice green padlock?
Click to expand...

When you said "hostname" above, you meant IP address? As-is it's not possible to access webgui by hostname (router.asus.com) as well as IP address (e.g. 192.168.1.1) at the same time.

The reason is that pixelserv-tls has no such usage scenarios. The config-webgui.sh simply leverages pixelserv-tls to generate a server cert for WebGUI.
 
You must log in or register to reply here.

Similar threads

MegaMango
dnsmasq-surrogate for RT-BE88U: Ad Blocking & Security Enhancement
Replies
2
Views
829
MegaMango
MegaMango
L
pixelserv SOLVED - Is PixelServ WebGui script trustworthy at the moment? Redirects to strange website...
Replies
10
Views
4K
gspannu
gspannu
thelonelycoder
Diversion Need help with selecting new set of filter lists / block lists for Diversion 5.0
2
Replies
21
Views
4K
thelonelycoder
thelonelycoder
blacksheep
pixelserv Does "How to best run Pixelserv tls on asuswrt" still apply?
Replies
3
Views
4K
elorimer
E
garycnew
Entware [SOLUTION] Cross-Compile PixelServ-TLS 2.4 Entware Package via Debian Live DVD
Replies
13
Views
3K
garycnew
garycnew
Similar threads
Thread starter Title Forum Replies Date
C Diversion Pixelserv replacement Asuswrt-Merlin AddOns 2
L Is Diversion better than NextDNS, PiHole or AdGuard Home? Asuswrt-Merlin AddOns 27

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 829 (members: 15, guests: 814)
Back
Top