What's new

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

rc.3 y’all

Butter_with_a_butter_knife.jpg
 
@dave14305 I'm flattered to learn that you went through the whole thread! Glad to hear you also enjoy it. Recently I did something similar on another forum..lol

To clarify one thing. Entware not incorporating the "OpenSSL flag" has little impact on me personally. Perhaps a ripple but even that has long been gone with the introduction with TLS 1.3. What we really need is OpenSSL 1.1.1 going forward..

On another day I was told Merlin FW has picked up the OpenSSL flag. So I should ensure people (and myself) who discovered and helped testing this change that your effort still make a non-trivial impact and perhaps benefit yourselves even more.

I also think my users should rest assured that pixelserv-tls will continue to evolve. For one simple reason, I'm still actively using it 24-7..
 
I noticed that 2.2.1-rc3 has this new update: "NEW enhance blocking of pop-up ads during playback of YouTube video", but I didn't see discussion on this topic.

May anyone offer some explanation about this? Does this mean pixelserv-tls integrated some own method of blocking or should we add some other blocking rules via Diversion?
 
I just updated to Rc3 to check this youtube blocking.

Normally when playing music and just letting the auto play go youtube will slip ads in before each song play which is super annoying.

After Rc3 I still noticed it after the first song I played, however I also let it auto playing for over an hour and I didn't get any ads coming up in between songs so it seems to be working :)
 
What we really need is OpenSSL 1.1.1 going forward..

I experimented with OpenSSL 1.1.1 a few weeks ago during a quiet afternoon. I can't replace the main OpenSSL version due to closed source parts linked specifically against 1.0.2, so I did static builds of mssl (used to provide SSL to the webui) and OpenVPN, linked against 1.1.1.

First thing I noticed (and was a bit surprised by it) is 1.1.1 had a very slight drop in performance over 1.0.2 (both in openssl speed and openvpn cipher tests). Nothing major, but still surprising as I expected 1.1.1 to maybe be a bit more optimized than 1.0.2 (1.0.2 had a very sizable performance gain over 1.0.0, to the point that for quite some time, I used 1.0.0 with performance backports from 1.0.2).

Otherwise, mssl now fully supports and take advantage of 1.1.1 (themiron did further work on it recently, to improve upon the various hardening changes I did a few years ago). While watching your webui support TLS 1.3 and also be able to use Chacha (tho AES still gets preferred due to hardware acceleration being available for it) might be nice for bragging purposes (cipher-wise, that made Asuswrt-Merlin more secure than a lot of public websites LOL), it brought little benefit in the real world.

upload_2018-11-17_13-37-41.png


None of this can justify IMHO adding 2+ MB to the firmware image (and also increasing memory usage by having two separate copies of OpenSSL in memory), so for now, we can only hope that Asus will eventually migrate the main openssl version to 1.1.1. I'm certainly gonna try to push them toward that next year, as we approach the 1.0.2 EOL date. If they don't move, then I have a partial plan B in mind where I can at least link a few open-source components against a separate 1.1.1 copy.
 
While watching your webui support TLS 1.3 and also be able to use Chacha (tho AES still gets preferred due to hardware acceleration being available for it) might be nice for bragging purposes (cipher-wise, that made Asuswrt-Merlin more secure than a lot of public websites LOL), it brought little benefit in the real world.

I appreciate Merlin share his experiment in detail..

Just want to re-assure pixelserv-tls users that going with TLS 1.3 (OpenSSL 1.1.1) brings non-trivial improvement in a couple of areas. Don't doubt for a moment about the worthiness of the move..
 
I just updated to Rc3 to check this youtube blocking.

Normally when playing music and just letting the auto play go youtube will slip ads in before each song play which is super annoying.

After Rc3 I still noticed it after the first song I played, however I also let it auto playing for over an hour and I didn't get any ads coming up in between songs so it seems to be working :)

I also noticed rc3 blocked most of the youtube ads during playback - no pop up ads on the yellow bar.
However I still see few ads that manage to pop up but not through yellow bar.
 
I appreciate Merlin share his experiment in detail..

Just want to re-assure pixelserv-tls users that going with TLS 1.3 (OpenSSL 1.1.1) brings non-trivial improvement in a couple of areas. Don't doubt for a moment about the worthiness of the move..

The TLS 1.3 improvement on round-trip is one thing that you will definitely benefit from in this case. It just won't bring any improvement in the webui or OpenVPN cases.
 
The TLS 1.3 improvement on round-trip is one thing that you will definitely benefit from in this case. It just won't bring any improvement in the webui or OpenVPN cases.

webui and OpenVPN...I don't want to get into any of these..

I just think you setup the discussion of TLS 1.3 (OpenSSL 1.1.1) in the wrong backdrop. Regardless TLS 1.3 should bring improvement to webui if you understand how it works..
 
RC3 running smooth as butter indeed (68U). I have noticed a significant drop in tav and tmx values specifically during the last two days on this latest build.

Code:
pixelserv-tls 2.2.1-rc.3 (compiled: Nov 14 2018 20:19:45 flags: tls1_3) options: 192.168.1.2

uts    2d 06:19    process uptime
log    1    critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc    1    number of active service threads
kmx    47    maximum number of service threads
kvg    1.01    average number of requests per service thread
krq    25    max number of requests by one service thread
req    15523    total # of requests (HTTP, HTTPS, success, failure etc)
avg    402 bytes    average size of requests
rmx    658 bytes    largest size of request(s)
tav    26 ms    average processing time (per request)
tmx    82 ms    longest processing time (per request)
slh    150    # of accepted HTTPS requests
slm    21    # of rejected HTTPS requests (missing certificate)
sle    0    # of rejected HTTPS requests (certificate available but not usable)
slc    7311    # of dropped HTTPS requests (client disconnect without sending any request)
slu    8004    # of dropped HTTPS requests (other TLS handshake errors)
v13    154    slh/slc break-down: TLS 1.3
v12    7    slh/slc break-down: TLS 1.2
v10    0    slh/slc break-down: TLS 1.0
uca    17    slu break-down: # of unknown CA reported by clients
ucb    0    slu break-down: # of bad certificate reported by clients
uce    3    slu break-down: # of unknown cert reported by clients
ush    5754    slu break-down: # of shutdown by clients after ServerHello
sct    110    cert cache: # of certs in cache
sch    15315    cert cache: # of reuses of cached certs
scm    31    cert cache: # of misses to find a cert in cache
scp    0    cert cache: # of purges to give room for a new cert
sst    2    sess cache: # of cached TLS sessions (for older non-RFC5077 clients)
ssh    315    sess cache: # of reuses of cached TLS sessions
ssm    15    sess cache: # of misses to find a TLS session in cache
ssp    0    sess cache: # of purges to give room for a new TLS session
nfe    26    # of GET requests for server-side scripting
gif    0    # of GET requests for GIF
ico    0    # of GET requests for ICO
txt    1    # of GET requests for Javascripts
jpg    0    # of GET requests for JPG
png    112    # of GET requests for PNG
swf    0    # of GET requests for SWF
sta    9    # of GET requests for HTML stats
stt    0    # of GET requests for plain text stats
ufe    0    # of GET requests /w unknown file extension
opt    0    # of OPTIONS requests
pst    0    # of POST requests
hed    0    # of HEAD requests (HTTP 501 response)
rdr    0    # of GET requests resulted in REDIRECT response
nou    0    # of GET requests /w empty URL
pth    0    # of GET requests /w malformed URL
204    0    # of GET requests (HTTP 204 response)
bad    0    # of unknown HTTP requests (HTTP 501 response)
tmo    11    # of timeout requests (client connect w/o sending a request in 'select_timeout' secs)
cls    7311    # of dropped requests (client disconnect without sending any request)
cly    0    # of dropped requests (client disconnect before response sent)
clt    0    # of dropped requests (reached maximum service threads)
err    0    # of dropped requests (unknown reason)
 
Code:
pixelserv-tls 2.2.1-rc.3 (compiled: Nov 14 2018 20:19:45 flags: tls1_3) options: 10.19.1.2 -u admin

uts    4d 01:18    process uptime
log    1    critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc    1    number of active service threads
kmx    29    maximum number of service threads
kvg    2.29    average number of requests per service thread
krq    109    max number of requests by one service thread
req    20888    total # of requests (HTTP, HTTPS, success, failure etc)
avg    804 bytes    average size of requests
rmx    18496 bytes    largest size of request(s)
tav    8 ms    average processing time (per request)
tmx    598 ms    longest processing time (per request)
slh    6735    # of accepted HTTPS requests
slm    247    # of rejected HTTPS requests (missing certificate)
sle    0    # of rejected HTTPS requests (certificate available but not usable)
slc    109    # of dropped HTTPS requests (client disconnect without sending any request)
slu    12910    # of dropped HTTPS requests (other TLS handshake errors)
v13    6218    slh/slc break-down: TLS 1.3
v12    552    slh/slc break-down: TLS 1.2
v10    0    slh/slc break-down: TLS 1.0
uca    0    slu break-down: # of unknown CA reported by clients
ucb    10512    slu break-down: # of bad certificate reported by clients
uce    0    slu break-down: # of unknown cert reported by clients
ush    2225    slu break-down: # of shutdown by clients after ServerHello
 
v2.2.y has rock solid performance with LAN clients, and much improved performance over WAN/VPN.

My latest servstats. HTTPS ads have taken over the world!

qDPvadO.png
I completely agree!!! When I saw my sch just now I was FLOORED!!! 96,000 ads blocked in 17 hours! I’m convinced our 5 new Alexa Echos are the culprit!

ZJeWCYB.jpg
 
Last edited:
webui and OpenVPN...I don't want to get into any of these..

I just think you setup the discussion of TLS 1.3 (OpenSSL 1.1.1) in the wrong backdrop. Regardless TLS 1.3 should bring improvement to webui if you understand how it works..

This should entertain anyone who wants to know more !!!

The New Illustrated TLS Connection
Every byte explained and reproduced
A revised edition in which we dissect the new manner of secure and authenticated data exchange, the TLS 1.3 cryptographic protocol.

https://tls13.ulfheim.net/

[It entertained me as I like 'to know' everything I can !!! :) ]
 
today's stats. "reached max retries" is less than 2% out of total failures in the past 24 hours. Perhaps we shall have # of retries to be a command line option..let me think through it.

5CefwPh.png
Has @kvic ever published this TLS Report script? I would like to try it.
 
I wonder what magic @kvic has built into 2.2.1-rc4:
2.2.1-rc.4 (2018-12-5)
Changes
  • NEW enhance adblocking during playback of YouTube video
 
I wonder what magic @kvic has built into 2.2.1-rc4:
It's a mystery. The source code included in the Github release package is not updated for rc4.

From https://kazoo.ga/pixelserv-tls/
2.2.1-rc.4 (2018-12-5)
Changes
  • NEW enhance adblocking during playback of YouTube video
Notes on Blocking YouTube Adverts
  • You must point "manifest.googlevideo.com" to IP address of pixelserv-tls in order to experience the new way of blocking YouTube ads.

  • For Entware users, you may need "opkg install libcurl" in case you see errors on startup.

  • It's known phenomenon that if you recently spend some time on YouTube, tav might be skewed to a few hundred milliseconds. Rest assured that pixelserv-tls runs just as fast as before.

  • Only "dynamic" versions are available for this test release. Hence, TLSv1.3 is not available together with the new enhancement.
 
New beta 4 runs great after installing the libcurl package. YouTube ads are not showing anymore!
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top