pixelserv - A Better One-pixel Webserver for Adblock

Yeah I’m overthinking again - pixelserv will be fine as is. I was thinking ahead to using the certificate for other uses like gui, etc.
You're still able to use pixelserv generated certs, because pixelserv is creating them in an iOS 13/Catalina compliant way. The openssl command users run is to create a certificate authority, which is then used to sign certificates issued by Pixelserv.
 
Thanks for the work on this guys. I currently don't have any iOS devices in my network so I will stay put until this is pushed upstream into amtm or diversion.
 
What’s the best way to verify that my iOS devices and pixelserv are (indeed) using the newly created CA root certificate?
 
The best way is probably to wait until Thursday and install iOS 13. :)
 
Just check your "slu" values, also visit the pixelserv-tls statistics page and check that it's opening in https without asking you to force trust the certificate. Refresh the page a few times and check "slh"; it should increment on each refresh.
 
Uh Oh.
Code:
pixelserv-tls 2.3.0 (compiled: May 25 2019 13:27:38 flags: tfo tls1_3) options: 192.168.1.2

uts 1d 00:53 process uptime
log 1 critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc 1 number of active service threads
kmx 9 maximum number of service threads
kvg 1.27 average number of requests per service thread
krq 10 max number of requests by one service thread

req 10962 total # of requests (HTTP, HTTPS, success, failure etc)
avg 471 bytes average size of requests
rmx 2382 bytes largest size of request(s)
tav 25 ms average processing time (per request)
tmx 341 ms longest processing time (per request)

slh 399 # of accepted HTTPS requests
slm 131 # of rejected HTTPS requests (missing certificate)
sle 0 # of rejected HTTPS requests (certificate available but not usable)
slc 17 # of dropped HTTPS requests (client disconnect without sending any request)
slu 10402 # of dropped HTTPS requests (other TLS handshake errors)

Regenerated new cert yesterday, imported into AC86U webgui, iPhone, iPad and MacBook Air. No errors on web page loads, secure site padlock shows. Hmmmm.
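
The check suggested in this thread (refresh the statistics page, then watch "slh" and "slu"), written out as an added example that is not part of any post here and is not pixelserv-tls code: it parses two pasted snapshots of the statistics text and compares the HTTPS counters. The AFTER snapshot and all function names are constructed for illustration.

```python
import re

# Constructed input in the layout of the statistics output quoted in this
# thread. BEFORE reuses the posted counters; AFTER is invented to model a
# second snapshot taken after three refreshes of the statistics page.
BEFORE = """\
pixelserv-tls 2.3.0 (compiled: May 25 2019 13:27:38 flags: tfo tls1_3) options: 192.168.1.2
uts 1d 00:53 process uptime
kvg 1.27 average number of requests per service thread
slh 399 # of accepted HTTPS requests
slm 131 # of rejected HTTPS requests (missing certificate)
sle 0 # of rejected HTTPS requests (certificate available but not usable)
slc 17 # of dropped HTTPS requests (client disconnect without sending any request)
slu 10402 # of dropped HTTPS requests (other TLS handshake errors)
"""
AFTER = BEFORE.replace("slh 399", "slh 402").replace("slu 10402", "slu 10410")
HTTPS_COUNTERS = ("slh", "slm", "sle", "slc", "slu")

def parse_counters(text):
    """Return {name: int} for lines shaped '<3 letters> <integer> ...'.
    Non-integer values such as '1d 00:53' or '1.27' are skipped."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"([a-z]{3})\s+(\d+)(?:\s|$)", line.strip())
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def https_breakdown(c):
    """Share of each outcome among all HTTPS connections counted."""
    total = sum(c.get(k, 0) for k in HTTPS_COUNTERS)
    return {k: (c.get(k, 0) / total if total else 0.0) for k in HTTPS_COUNTERS}

def delta(before, after):
    """Per-counter change between two snapshots."""
    return {k: after.get(k, 0) - before.get(k, 0) for k in HTTPS_COUNTERS}

def refresh_check(before, after, refreshes):
    """True if slh rose by at least the number of page refreshes."""
    d = delta(before, after)
    if any(v < 0 for v in d.values()):
        raise ValueError("a counter went down; snapshots are not comparable")
    return d["slh"] >= refreshes

if __name__ == "__main__":
    b, a = parse_counters(BEFORE), parse_counters(AFTER)
    for name, share in https_breakdown(b).items():
        print(f"{name} {b[name]:>6} {share:6.1%}")
    print("slh grew with the refreshes:", refresh_check(b, a, refreshes=3))
    print("change between snapshots:", delta(b, a))
```

With the posted counters, "slu" accounts for about 95% of all HTTPS connections counted, which is why a trusted padlock on the statistics page and a high "slu" can both be true at once: the failures come from other clients or domains.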
 

All your devices have the new cert imported on them?
 
Regenerated new cert yesterday, imported into AC86U webgui, iPhone, iPad and MacBook Air.
Two other computers still in boxes to be unpacked.
 
You generated the certificate using my commands? Make sure Extended Key usage flag is enabled on it. You can check it on your iPhone by going into Settings>General>Profiles and check the Pixelserv-tls certificate details.

Edit: Also these three are the only devices in your network? No IoT devices which can generate unnecessary network noise?
 
No, there were questions about your script and TLS server certificates. I researched that more and ended up using the merlin script that another poster here had modified with the new requirements. I know the EKU flag is enabled. I inspected the new cert and compared it with the new posted Apple requirements.

I have no IoT device back on. I was gone for six weeks while my apartment was gutted and renovated, so I was on MacBook, iPhone or iPad (with VPN) on various networks traveling. About one third of my apartment items still need to be unpacked and put out. Only my AC86U, iPhone, iPad, and MacBook are in use right now.

Oh and a BT body scale and BP cuff, that communicate via wifi back to the iPhone. They are assigned static IPs so I can watch them in Skynet. They do not try to call the mothership, at least not yet. :) :oops:

I had them for over a month before I was displaced, and now two weeks back and never any outbound activity from their IPs.
 
Your 'slu' is a little high, but it depends on lots of factors; the most important one is hard-coded fingerprints. In your blocklist do you also have "graph.instagram.com"? If yes, then that's a known domain to hog up 'slu'.
 
Nope, I just checked the Diversion blacklist, it only has 12 entries. I don't do FB, IG or most of those social media. I follow a few people on Twitter is all.

In early Pixelserv testing with kvic, we analyzed all that very thoroughly. Most were caused by cell phone analytics from my Android devices. A couple medical issues that only have iOS apps got me to change from Google devices to Apple devices. Lesser of two evils, I think, maybe, hell who knows!? I use what provides my cardiologist, oncologists, and audiologist with the info they need.
 
Just 12 entries? In that case your 'slu' should be even lower. It seems there's one or two rogue domains which are causing this spike, but unfortunately you can only do further investigation by enabling log level two+ in pixelserv-tls and checking your syslog for clues.

BTW you said "blacklist" in Diversion; that's what we use to force block domains. Your actual "blocklist" might have way more domains.
 
I have no solution to offer but I was seeing this as well. Also a big uptick in the ucb counter. I’ve reverted to 2.2.1-1 for the time being because I’m frankly tired of testing all the new stuff. I’ve decided to take a break from it for a few days.
 
This is awesome news!!! I've been away a few days and there were 4 pages to catch up on. It sounds like we need to sit tight and wait until this is cut into amtm and diversion? In summary, it sounds like the certs will need to be purged and then regenerated which is expected and then reimported into all the devices. TY TY.
 
My Diversion blocklist is Small+ and adequate for me as an old retired geek with no others in my household any longer, and I'm 'Net savvy enough to stay away from sketchy sites.

I'll increase the pixelserv debug level, I run Scribe and have a filter to clean and sort my syslog-ng already. Webgui syslog sees less than 20 entries any day. All other functions have their own tab to monitor via Loggly, thanks to Scribe /syslog-ng.
 
It occurs to me that 2 years will roll over pretty fast. Perhaps Diversion could keep a timer going and pop up or email a reminder when the certs need to be regenerated and the pixelserv certs purged, like the update popup.
 
