What's new

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

opkg update
opkg upgrade
NO! This can screw up stuff, like syslog-ng. Better to update, then upgrade only the components you intend to upgrade.
 
Installed the arm7 binary to my 87U, used diversion to purge the certificates and restart pixelserv (separate steps). Seems to be working fine.

I did NOT regenerate ca.crt and key so I didn't have to reimport those. Only one iOS device, in the hands of the the Spouse, who will not permit touching of the Device, so I don't know if she has upgraded to 13.

i think the issue with ios 13 are the 2048 bit and 2 year only cert requirement. if not u will see a lot of the # of dropped HTTPS requests (other TLS handshake errors) on that iOS 13
 
i think the issue with ios 13 are the 2048 bit and 2 year only cert requirement.
Ah, the penny drops. Unless ca.crt is regenerated the resulting certificates will all be rejected. Thanks.
 
Installed the arm7 binary to my 87U, used diversion to purge the certificates and restart pixelserv (separate steps). Seems to be working fine.

I did NOT regenerate ca.crt and key so I didn't have to reimport those. Only one iOS device, in the hands of the the Spouse, who will not permit touching of the Device, so I don't know if she has upgraded to 13.
Ah, the penny drops. Unless ca.crt is regenerated the resulting certificates will all be rejected. Thanks.
iOS 13 is not released until 19 Sep., next week. The iOS 13 beta has to be intentionally installed for now. I did it on my new iPad to see it, that is just a casual device, not critical functions. I did load iOS 13 beta on my iPhone and reverted quickly when a needed medical app ceased to function (the only reason now use an iPhone).
 
NO! This can screw up stuff, like syslog-ng. Better to update, then upgrade only the components you intend to upgrade.
It really doesn't. opkg will create a -pkg version of any conf files so as to explicitly not affect any of your running applications. Or should, anyway

amtm uses similar code. The main issue is pixelserv, but Diversion can self-heal iirc
Code:
    # ep Entware packages menu
    if [ -f /opt/bin/opkg ]; then
        upd=" "
        printf "${GREEN_BG} ep${NC} %-9s%s\\n" "update" "Entware packages"
        case_ep(){
            print_end_line
            echo " This updates and upgrades Entware packages"
            if [ -f /opt/bin/diversion ]; then
                echo
                echo " Note: Diversion is installed on this router."
                echo " It's recommended to update Entware packages"
                echo " in Diversion using the ${RED_BG} ep ${NC} option."
                echo " Especially so when pixelserv-tls is installed."
            fi
            if [ -f /jffs/scripts/install_stubby.sh ] && [ -f /opt/etc/stubby/stubby.yml ]; then
                echo
                echo " Note: Stubby DNS Privacy Daemon is installed"
                echo " on this router."
                echo " It's recommended to update Entware packages"
                echo " selectively through the Stubby DNS menu to"
                echo " prevent overwriting configuration files."
            fi
            continue_dialog
            opkg update
            opkg upgrade
            show_amtm " Entware packages updated and upgraded"

Besides, as long as you're taking regular backups (which you should be as a responsible admin), you have a rollback path :)
 
Last edited:
BINGO! got my padlock!

I was not watching the URL since Apple hides the url details by default, showing only site name. Just had to use https://router.asus.com:8443/ and then tell it I really, really, really did want to visit this page and trust it. Now I have the secure site padlock on all three devices and have imported the new cert in all four iThing devices. :D :mad: This is a love / hate thing for me.
 
BINGO! got my padlock!

I was not watching the URL since Apple hides the url details by default, showing only site name. Just had to use https://router.asus.com:8443/ and then tell it I really, really, really did want to visit this page and trust it. Now I have the secure site padlock on all three devices and have imported the new cert in all four iThing devices. :D :mad: This is a love / hate thing for me.

That's not the correct approach, if you generate the correct Root CA and have it imported in the device you won't need to do any of this and iOS/macOS will automatically accept the certificate.

Force trusting the certificate is useless because you'll need to do that for every domain you have in your blocklist otherwise the handshake will fail.
 
I've just uploaded the ipks here: https://github.com/jackyaz/pixelserv-tls/releases/tag/2.3.0

Download the ipk, then place on your router using WinSCP or similar. Next run opkg install, e.g.
Code:
opkg install /jffs/pixelserv-tls_2.3.0-1_aarch64-3.10.ipk

can just use this?
Code:
cd /opt/var/cache/pixelserv
openssl genrsa -out ca.key 2048
openssl req -key ca.key -new -x509 -days 720 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"

I dl'ed and installed the ipk (aarch64 - AC86U) with no issues, generated new crt and key as DonnyJohnny shows above, and imported it into my iPhone (replaced old Pixelserv CA cert), iPad (running iPadOS 13.1 beta) and MacBook Air.

I added the new Pixelserv CA cert to my AC86U using the script from @kvic in this post #1352, and all seems well. I see no errors in the iPad with iOS 13.1 beta or the iPhone on 12.4.1 or MacBook Air (stable Catalina).


Installed Jack's pixelserv-tls_2.3.0-1_armv7-2.6.ipk on my AC5300 and its all working smoothly.

Thank you Jack for working on pixleserv and updating it for what we needed.

And thank you Jack, DonnyJohnny, and Butterfly Bones for the various steps to make it super easy.
 
So how do you tell if pixelserv-tls_2.3.0-1 is installed? Does this version display on the Diversion menu?
 
So how do you tell if pixelserv-tls_2.3.0-1 is installed? Does this version display on the Diversion menu?
In an SSH terminal:
Code:
opkg list-installed | grep pixelserv

Yes
 
In an SSH terminal:
Code:
opkg list-installed | grep pixelserv

Yes

My Diversion shows:

upload_2019-9-14_17-33-23.png


Whereas this shows:

Code:
@RT-AX88U-40E0:/tmp/home/root# opkg list-installed | grep pixelserv
pixelserv-tls - 2.3.0-1

and this shows:

upload_2019-9-14_17-35-46.png


I purged all the other certs and restarted PS

Anything I am doing wrong?
 
can you update to this with inside diversion using the update pixelserv option?
I think Diversion looks at the Entware repository. These newly compiled ink version are not in that repository. Jack Yaz posted instructions in his link.
 
@Marin, it is working fine, it shows the same for me. The -1 doesn’t matter.

I just updated pixelserv folowing the posted instructions.
I was getting an error that I had a newer version installed and I had to use --force-downgrade to make it work. I also had to use opkg update / upgrade libopenssl to get 1.1.1.
Then I generated the new CA, purged the certificates and imported the CA on my iOS13 devices and it works perfectly. Thanks everyone who contributed to this.
 
Last edited:
My Diversion shows:

View attachment 19322

Whereas this shows:

Code:
@RT-AX88U-40E0:/tmp/home/root# opkg list-installed | grep pixelserv
pixelserv-tls - 2.3.0-1

and this shows:

View attachment 19323

I purged all the other certs and restarted PS

Anything I am doing wrong?
I am seeing the same compile date in servstats page of May 25, so whatever is wrong, me too.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top