Menu
What's new
By:
Filters Better Search

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

jrmwvu04 said:
Yeah I’m overthinking again - pixelserv will be fine as is. I was thinking ahead to using the using the certificate for other uses like gui, etc.
Click to expand...
you're still able to use pixelserv generated certs, because pixelserv is creating them in a iOS 13/catalina compliant way. The openssl command users run is to create a certificate authority, which is then used to sign certificates issued by Pixelserv.
 
Thanks for the work on this guys. I currently don't have any iOS devices in my network so I will stay put until this is pushed upstream into amtm or diversion.
 
What’s the best way to verify that my iOS devices and pixelserv are (indeed) using the newly created CA root certificate?
 
XIII said:
What’s the best way to verify that my iOS devices and pixelserv are (indeed) using the newly created CA root certificate?
Click to expand...
The best way is probably to wait until Thursday and install iOS 13. :)
 
XIII said:
What’s the best way to verify that my iOS devices and pixelserv are (indeed) using the newly created CA root certificate?
Click to expand...

Just check your "slu" values, also visit pixelserv-tls statistics page and check that it's opening in https without asking you to force trust the certificate. Refresh the page few times and check "slh" it should increment on each refresh.
 
Asad Ali said:
Just check your "slu" values, also visit pixelserv-tls statistics page and check that it's opening in https without asking you to force trust the certificate. Refresh the page few times and check "slh" it should increment on each refresh.
Click to expand...
Uh Oh.
Code: 
pixelserv-tls 2.3.0 (compiled: May 25 2019 13:27:38 flags: tfo tls1_3) options: 192.168.1.2

uts 1d 00:53 process uptime
log 1 critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc 1 number of active service threads
kmx 9 maximum number of service threads
kvg 1.27 average number of requests per service thread
krq 10 max number of requests by one service thread

req 10962 total # of requests (HTTP, HTTPS, success, failure etc)
avg 471 bytes average size of requests
rmx 2382 bytes largest size of request(s)
tav 25 ms average processing time (per request)
tmx 341 ms longest processing time (per request)

slh 399 # of accepted HTTPS requests
slm 131 # of rejected HTTPS requests (missing certificate)
sle 0 # of rejected HTTPS requests (certificate available but not usable)
slc 17 # of dropped HTTPS requests (client disconnect without sending any request)
slu 10402 # of dropped HTTPS requests (other TLS handshake errors)

Regenerated new cert yesterday, imported into AC86U webgui, iPhone, iPad and MacBook Air. No errors on web page loads, secure site padlock shows. Hmmmm.
 
Butterfly Bones said:
Uh Oh.
Code: 
pixelserv-tls 2.3.0 (compiled: May 25 2019 13:27:38 flags: tfo tls1_3) options: 192.168.1.2

uts 1d 00:53 process uptime
log 1 critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc 1 number of active service threads
kmx 9 maximum number of service threads
kvg 1.27 average number of requests per service thread
krq 10 max number of requests by one service thread

req 10962 total # of requests (HTTP, HTTPS, success, failure etc)
avg 471 bytes average size of requests
rmx 2382 bytes largest size of request(s)
tav 25 ms average processing time (per request)
tmx 341 ms longest processing time (per request)

slh 399 # of accepted HTTPS requests
slm 131 # of rejected HTTPS requests (missing certificate)
sle 0 # of rejected HTTPS requests (certificate available but not usable)
slc 17 # of dropped HTTPS requests (client disconnect without sending any request)
slu 10402 # of dropped HTTPS requests (other TLS handshake errors)

Regenerated new cert yesterday, imported into AC86U webgui, iPhone, iPad and MacBook Air. No errors on web page loads, secure site padlock shows. Hmmmm.
Click to expand...

All your devices have the new cert imported on them?
 
Asad Ali said:
All your devices have the new cert imported on them?
Click to expand...
Regenerated new cert yesterday, imported into AC86U webgui, iPhone, iPad and MacBook Air.
Two other computers still in boxes to be unpacked.
 
Butterfly Bones said:
Regenerated new cert yesterday, imported into AC86U webgui, iPhone, iPad and MacBook Air.
Two other computers still in boxes to be unpacked.
Click to expand...

You generated the certificate using my commands? Make sure Extended Key usage flag is enabled on it. You can check it on your iPhone by going into Settings>General>Profiles and check the Pixelserv-tls certificate details.

Edit: Also these three are the only devices in your network? No IoT devices which can generate unnecessary network noise?
 
Last edited:
Asad Ali said:
You generated the certificate using my commands? Make sure Extended Key usage flag is enabled on it. You can check it on your iPhone by going into Settings>General>Profiles and check the Pixelserv-tls certificate details.

Edit: Also these three are the only devices in your network? No IoT devices which can generate unnecessary network noise?
Click to expand...
No, there were questions about your script and TLS server certificates. I research that more and ended up using the merlin script that another poster here had modified with the new requirements. I know the EKU flag is enabled. I inspected the new cert and compared it with the new posted Apple requirements.

I have no IoT device back on. I was gone for six weeks while my apartment was gutted and renovated, so I was on MacBook, iPhone or iPad (with VPN) on various networks traveling. About one third of my apartment items still need to be unpacked and put out. Only my AC86U, iPhone, iPad, and MacBook are in use right now.

Oh and a BT body scale and BP cuff, that communicate via wifi back to the iPhone. They are assigned static IPs so I can watch them in Skynet. They do not try to call the mothership, at least not yet. :) :oops:

I had them for over a month before I was displaced, and now two weeks back and never any outbound activity from their IPs.
 
Butterfly Bones said:
No, there were questions about your script and TLS server certificates. I research that more and ended up using the merlin script that another poster here had modified with the new requirements. I know the EKU flag is enabled. I inspected the new cert and compared it with the new posted Apple requirements.

I have no IoT device back on. I was gone for six weeks while my apartment was gutted and renovated, so I was on MacBook, iPhone or iPad (with VPN) on various networks traveling. About one third of my apartment items still need to be unpacked and put out. Only my AC86U, iPhone, iPad, and MacBook are in use right now.

Oh and a BT body scale and BP cuff, that communicate via wifi back to the iPhone. They are assigned static IPs so I can watch them in Skynet. They do not try to call the mothership, at least not yet. :) :oops:

I had them for over a month before I was displaced, and now two weeks back and never any outbound activity from their IPs.
Click to expand...

Your 'slu' is little high but it depends on lots of factors, most important one is hard coded fingerprints. In your blocklist do you also have "graph.instagram.com" if yes then that's a known domain to hog up 'slu'.
 
Asad Ali said:
Your 'slu' is little high but it depends on lots of factors, most important one is hard coded fingerprints. In your blocklist do you also have "graph.instagram.com" if yes then that's a known domain to hog up 'slu'.
Click to expand...
Nope, I just checked the Diversion blacklist, it only has 12 entries. I don't do FB, IG or most of those social media. I follow a few people on Twitter is all.

In early Pixelserv testing with kvic, we analyzed all that very throughly. Most were caused by cell phone analytics from my Android devices. A couple medical issues that only have iOS apps got me to change from Google devices to Apple devices. Lesser of two evils, I think, maybe, hell who knows!? I use what provides my cardiologist, oncologists, and audiologist with the info they need.
 
Butterfly Bones said:
Nope, I just checked the Diversion blacklist, it only has 12 entries. I don't do FB, IG or most of those social media. I follow a few people on Twitter is all.

In early Pixelserv testing with kvic, we analyzed all that very throughly. Most were caused by cell phone analytics from my Android devices. A couple medical issues that only have iOS apps got me to change from Google devices to Apple devices. Lesser of two evils, I think, maybe, hell who knows!? I use what provides my cardiologist, oncologists, and audiologist with the info they need.
Click to expand...

Just 12 entries? In that case your 'slu' should be even lower. It seems there's one or two rouge domains which are causing this spike but unfortunately you can only do further investigation by enabling log level two+ in pixelserv-tls and check your syslog for clues.

BTW you said "blacklist" in Diversion that's what we use to force block domains, your actual "blocklist" might have way more domains.
 
Butterfly Bones said:
Uh Oh.
Code: 
pixelserv-tls 2.3.0 (compiled: May 25 2019 13:27:38 flags: tfo tls1_3) options: 192.168.1.2

uts 1d 00:53 process uptime
log 1 critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc 1 number of active service threads
kmx 9 maximum number of service threads
kvg 1.27 average number of requests per service thread
krq 10 max number of requests by one service thread

req 10962 total # of requests (HTTP, HTTPS, success, failure etc)
avg 471 bytes average size of requests
rmx 2382 bytes largest size of request(s)
tav 25 ms average processing time (per request)
tmx 341 ms longest processing time (per request)

slh 399 # of accepted HTTPS requests
slm 131 # of rejected HTTPS requests (missing certificate)
sle 0 # of rejected HTTPS requests (certificate available but not usable)
slc 17 # of dropped HTTPS requests (client disconnect without sending any request)
slu 10402 # of dropped HTTPS requests (other TLS handshake errors)

Regenerated new cert yesterday, imported into AC86U webgui, iPhone, iPad and MacBook Air. No errors on web page loads, secure site padlock shows. Hmmmm.
Click to expand...
Asad Ali said:
Your 'slu' is little high but it depends on lots of factors, most important one is hard coded fingerprints. In your blocklist do you also have "graph.instagram.com" if yes then that's a known domain to hog up 'slu'.
Click to expand...
I have no solution to offer but I was seeing this as well. Also a big uptick in the ucb counter. I’ve reverted to 2.2.1-1 for the time being because I’m frankly tired of testing all the new stuff. I’ve decided to take a break from it for a few days.
 
This is awesome news!!! I've been away a few days and there were 4 pages to catch up on. It sounds like we need to sit tight and wait until this is cut into amtm and diversion? In summary, it sounds like the certs will need to be purged and then regenerated which is expected and then reimported into all the devices. TY TY.
 
Asad Ali said:
Just 12 entries? In that case your 'slu' should be even lower. It seems there's one or two rouge domains which are causing this spike but unfortunately you can only do further investigation by enabling log level two+ in pixelserv-tls and check your syslog for clues.

BTW you said "blacklist" in Diversion that's what we use to force block domains, your actual "blocklist" might have way more domains.
Click to expand...
My Diversion blocklist is Small+ and adequate for me as an old retired geek with no others in my household any longer, and I'm 'Net savvy enough to stay away from sketchy sites.

I'll increase the pixelserv debug level, I run Scribe and have a filter to clean and sort my syslog-ng already. Webgui syslog sees less than 20 entries any day. All other functions have their own tab to monitor via Loggly, thanks to Scribe /syslog-ng.
 
It occurs to me that 2 years will roll over pretty fast. Perhaps Diversion could keep a timer going and pop up or email a reminder when the certs need to be regenerated and the pixelserv certs purged, like the update popup.
 
You must log in or register to reply here.

Similar threads

MegaMango
dnsmasq-surrogate for RT-BE88U: Ad Blocking & Security Enhancement
Replies
2
Views
588
MegaMango
MegaMango
L
pixelserv SOLVED - Is PixelServ WebGui script trustworthy at the moment? Redirects to strange website...
Replies
10
Views
4K
gspannu
gspannu
thelonelycoder
Diversion Need help with selecting new set of filter lists / block lists for Diversion 5.0
2
Replies
21
Views
4K
thelonelycoder
thelonelycoder
blacksheep
pixelserv Does "How to best run Pixelserv tls on asuswrt" still apply?
Replies
3
Views
3K
elorimer
E
garycnew
Entware [SOLUTION] Cross-Compile PixelServ-TLS 2.4 Entware Package via Debian Live DVD
Replies
13
Views
3K
garycnew
garycnew
Similar threads
Thread starter Title Forum Replies Date
C Diversion Pixelserv replacement Asuswrt-Merlin AddOns 2
L Is Diversion better than NextDNS, PiHole or AdGuard Home? Asuswrt-Merlin AddOns 10

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 696 (members: 18, guests: 678)
Top