Menu
What's new
By:
Filters Better Search

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

kfp said:
So you’ve visited a blocked site and the behaviour is different?

Say xyz.com is in the blocklist you are using, and you’ve typed that into the URL bar and you DON’T see the cert error?
Click to expand...

I believe @dugaduga hasn't imported his Pixelserv CA into browsers/clients. Here is the HOWTO if that's the case.
 
non pixelserv-tls issue but nonetheless related...

I haven't tinkered my network for a very long time. Something exciting happened in the past weekend that I want to share with the audience in this thread.

Finally I migrated to Unbound as my main DNS server that regrettably I haven't done so earlier in retrospect.

Also did a quick & dirty (but effective & convincing) comparison between Cloudflare and Google DNS. In a nutshell, Cloudflare is doing much better at my point of presence.

A picture worth thousand words, and visit my latest blog post for explanation.

Screen Shot 2018-07-03 at 12.18.58 PM.png
 
kvic said:
Luckily it's an easy fix :D

Re-uploaded 2.1.3-test.2. New builds have a timestamp similar to "compiled: Jul 3 2018 11:58:xx"

Pls re-run the one-liner script to install. Updated instructions in #2035 as well.
Click to expand...

Updated. Will keep you posted.
 
@kfp after extensive testing from the blocklist I found that some sites do indeed show a cert error. So I've just imported the CA. Wow so many layers to this onion :) What exactly does this do?
 
@kvic I had to reset my router and formatted USB in the process to get a clean setup (retaining the CA certs). Prior to doing so, I was seeing tav of around 14 ms, but following the reset, on 2.1.3-test.2, I am seeing tav between 150 - 300 ms and MEM% of 2.7 across processes. Now this may be in part due to certificates having been cleared and requiring regeneration, however I would expect that to be a one-time event per site and not materially affect the tav over time. With a clean install of AB-Solution, entware, and pixelserv-tls, are any other entware modules or tweaks required to see the lower process use and increased performance?
Code: 
pixelserv-tls 2.1.3-test.2 (compiled: Jul 3 2018 11:58:22 flags: tfo) options: 192.168.50.4

uts    0d 10:16    process uptime
log    1    critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc    2    number of active service threads
kmx    18    maximum number of service threads
kvg    1.21    average number of requests per service thread
krq    16    max number of requests by one service thread

req    5740    total # of requests (HTTP, HTTPS, success, failure etc)
avg    1604 bytes    average size of requests
rmx    57113 bytes    largest size of request(s)
tav    203 ms    average processing time (per request)
tmx    10070 ms    longest processing time (per request)

slh    1036    # of accepted HTTPS requests
slm    26    # of rejected HTTPS requests (missing certificate)
sle    0    # of rejected HTTPS requests (certificate available but bad)
slc    647    # of dropped HTTPS requests (client disconnect without sending any request)
slu    2993    # of dropped HTTPS requests (other TLS handshake errors)
uca    0    slu break-down: # of unknown CA reported by clients
uce    2774    slu break-down: # of unknown cert reported by clients

sct    50    cert cache: # of certs in cache
sch    4311    cert cache: # of reuses of cached certs
        
scm    15    cert cache: # of misses to find a cert in cache
        
scp    2    cert cache: # of purges to give room for a new cert
sst    3    sess cache: # of cached TLS sessions (for older non-RFC5077 clients)
ssh    297    sess cache: # of reuses of cached TLS sessions
ssm    35    sess cache: # of misses to find a TLS session in cache
ssp    0    sess cache: # of purges to give room for a new TLS session
 
Reading back to some posts, it does appear that I might need to uninstall libopenssl v1.0.2o and load the version with the appropriate flag for performance. Is there guidance for doing so on a greenfield install for anyone loading through the amtm method and installing from within AB-Solution?
 
pixelserv-tls 2.1.3-test.2 working flawless for 10 hours.

Any chance of getting libopenssl 1.0.2o-1 compiled with the proper tag soon?
 
Protik said:
Any chance of getting libopenssl 1.0.2o-1 compiled with the proper tag soon?
Click to expand...

Don't think so because if they wanted to then they should've released 1.0.2o-1 with the appropriate flag enabled.
 
penguin22 said:
Reading back to some posts, it does appear that I might need to uninstall libopenssl v1.0.2o and load the version with the appropriate flag for performance. Is there guidance for doing so on a greenfield install for anyone loading through the amtm method and installing from within AB-Solution?
Click to expand...

Memory usage @ 2.7% is due to libopenssl v1.0.2o not optimised. tav could be a transient issue. Without optimisation, libopenssl takes extra cpu cycles to manage its useless memory pool. But I won't expect in the order of 100ms..

Downgrade libopenssl v1.0.2o to v1.0.2n-1c

To downgrade from a higher version to 1.0.2n-1c, see #1669

Rationale for good to downgrade

What's new in 1.0.2o is one fix to a potential security issue. That's it. IMHO, not a big deal to live without. See #2016

EDIT:
updated downgrade instructions.
 
Last edited:
kvic said:
Memory usage @ 2.7% is due to libopenssl v1.0.2o not optimised. tav could be a transient issue. Without optimisation, libopenssl takes extra cpu cycles to manage its useless memory pool. But I won't expect in the order of 100ms..

Downgrade libopenssl v1.0.2o to v1.0.2n-1c

To uninstall latest libopenssl, see #1913

To install 1.0.2n-1c, see #1669

Rationale for good to downgrade

What's new in 1.0.2o is one fix to a potential security issue. That's it. IMHO, not a big deal to live without. See #2016
Click to expand...
I think it was mentioned before, however running:
Code: 
opkg install http://bin.entware.net/aarch64-k3.10/test/libopenssl_1.0.2n-1c_aarch64-3.10.ipk
loads the new version, is there a way to obtain the version you referenced?
Code: 
Downloading http://bin.entware.net/aarch64-k3.10/test/libopenssl_1.0.2n-1c_aarch64-3.10.ipk
Installing libopenssl (1.0.2o-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/libopenssl_1.0.2o-1_aarch64-3.10.ipk
Configuring libopenssl.
admin1@RT-AC86U:/tmp/home/root# opkg list-installed |grep libopenssl
libopenssl - 1.0.2o-1
 
Same thing happened with me too ( see few posts below the original reply I posted ) the workaround is to manually install it
 
Asad Ali said:
Same thing happened with me too ( see few posts below the original reply I posted ) the workaround is to manually install it
Click to expand...
Where are you obtaining the file to manually install?

Edit: I thought the redirect from opkg meant the 1.0.2n-1c wasn't available, but by browsing to: http://bin.entware.net/aarch64-k3.10/test/, the file was able to be downloaded. Now to figure out the command to manually install.
 
Last edited:
@zyxmon , can we please have a test binary of 1.0.2o-1 compiled with the flag mentioned here? We had access to a test binary for 1.0.2n-1c earlier. Seems like there are some security fixes in the new version.
 
penguin22 said:
I think it was mentioned before, however running:
Code: 
opkg install http://bin.entware.net/aarch64-k3.10/test/libopenssl_1.0.2n-1c_aarch64-3.10.ipk
loads the new version, is there a way to obtain the version you referenced?
Code: 
Downloading http://bin.entware.net/aarch64-k3.10/test/libopenssl_1.0.2n-1c_aarch64-3.10.ipk
Installing libopenssl (1.0.2o-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/libopenssl_1.0.2o-1_aarch64-3.10.ipk
Configuring libopenssl.
admin1@RT-AC86U:/tmp/home/root# opkg list-installed |grep libopenssl
libopenssl - 1.0.2o-1
Click to expand...

Updated downgrade instructions. Pls see #2053 again..
 
penguin22 said:
Where are you obtaining the file to manually install?

Edit: I thought the redirect from opkg meant the 1.0.2n-1c wasn't available, but by browsing to: http://bin.entware.net/aarch64-k3.10/test/, the file was able to be downloaded. Now to figure out the command to manually install.
Click to expand...

You can also do,

Code: 
wget (file link)

This will download the file in current directory. Then,

Code: 
opkg install (file name)

Don't forget to remove the earlier libopenssl by doing this,

Code: 
opkg --force-depends remove libopenssl
 
Asad Ali said:
From here:
http://bin.entware.net/aarch64-k3.10/test/libopenssl_1.0.2n-1c_aarch64-3.10.ipk

Download that file with the help of a browser and SSH it your router /tmp folder.

Then use:

opkg install /tmp/libopenssl_1.0.2n-1c_aarch64-3.10.ipk

Make sure to first remove the already installed libopenssl.
Click to expand...
This fixed it completely. Mem is at 1% now and tav is 13 ms.

@kvic Your updated instructions will help anyone just coming to this and those of us that went through a reset and a fresh install of entware.
 
Protik said:
You can also do,

Code: 
wget (file link)

This will download the file in current directory. Then,

Code: 
opkg install (file name)

Don't forget to remove the earlier libopenssl by doing this,

Code: 
opkg --force-depends remove libopenssl
Click to expand...

I've updated downgrade instructions in #1669. Remove & install in one-go..no need for separate typing.

For downgrade, going forward we can either refer to #1669 or #2053.

Perhaps we shall clean up the latest posts a bit on the downgrade process. It's quite confusing :)
 
You must log in or register to reply here.

Similar threads

MegaMango
dnsmasq-surrogate for RT-BE88U: Ad Blocking & Security Enhancement
Replies
2
Views
570
MegaMango
MegaMango
L
pixelserv SOLVED - Is PixelServ WebGui script trustworthy at the moment? Redirects to strange website...
Replies
10
Views
4K
gspannu
gspannu
thelonelycoder
Diversion Need help with selecting new set of filter lists / block lists for Diversion 5.0
2
Replies
21
Views
4K
thelonelycoder
thelonelycoder
blacksheep
pixelserv Does "How to best run Pixelserv tls on asuswrt" still apply?
Replies
3
Views
3K
elorimer
E
garycnew
Entware [SOLUTION] Cross-Compile PixelServ-TLS 2.4 Entware Package via Debian Live DVD
Replies
13
Views
3K
garycnew
garycnew
Similar threads
Thread starter Title Forum Replies Date
C Diversion Pixelserv replacement Asuswrt-Merlin AddOns 2
L Is Diversion better than NextDNS, PiHole or AdGuard Home? Asuswrt-Merlin AddOns 10

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 829 (members: 29, guests: 800)
Top