pixelserv pixelserv - A Better One-pixel Webserver for Adblock

[kernol]

Can I suggest not, and that actually it goes the other way? 2.3.1 will be available in the normal pipeline shortly and Diversion/amtm will make it available. When that happens 2.3.0 can be deleted from amtm. It served its glorious, finger-in-the-dike, purpose.

Also the instructions to install 2.3.1 manually are in this thread four or five times. Download, rename, replace /opt/sbin/pixelserv-tls

Been running on 2.3.1 since the day after its announcement on this forum (installed manually per instructions without hassle) ... I was just being "cheeky" ... hence the big smiley face.

 

[Jack Yaz]

Can I suggest not, and that actually it goes the other way? 2.3.1 will be available in the normal pipeline shortly and Diversion/amtm will make it available. When that happens 2.3.0 can be deleted from amtm. It served its glorious, finger-in-the-dike, purpose.

Also the instructions to install 2.3.1 manually are in this thread four or five times. Download, rename, replace /opt/sbin/pixelserv-tls

I also support the older platforms, as well as the entware backports repo so that older MIPS routers etc. can take advantage of the latest and greatest entware packages.
I'm not sure but I think MIPS devices had support dropped from the main Entware repo.

 

[kman]

I'm looking to make the jump from 2.2.1-1 to 2.3.1 but have a few questions:

• As per kvic-z, he recommends to retain the existing 'ca.crt' / 'ca.key' (1024 bits), but shouldn't the key now be 2048 bit for Apple compliance, etc.? What am I missing?

Your root CA certificate with key size 1024 bits (generated as per this wiki) should be fine. You're recommended to continue to use your existing root CA certificate. 1024 bit (in contrary to 2048 bit) helps to reduce workload on your router/server when doing automatic generation of server certificates

• In my current setup, pixelserv-tls is a link to beta. Can I just override the 2.3.1 pixelserv-tls on /opt/bin/pixelserv-tls and set permissions to 755?

lrwxrwxrwx    1 admin    root            51 Apr  2  2019 /opt/bin/pixelserv-tls -> /opt/tmp/pixelserv-tls-beta/dist/pixelserv-tls-beta

Appreciate your help!

 

[thelonelycoder]

As per kvic-z, he recommends to retain the existing 'ca.crt' / 'ca.key' (1024 bits), but shouldn't the key now be 2048 bit for Apple compliance, etc.? What am I missing?

My tests on multiple iOS devices concluded that only certificates with 2048 bits work.
Diversion therefore only generates a 2048 bit pixelserv-tls CA certificate.

In my current setup, pixelserv-tls is a link to beta. Can I just override the 2.3.1 pixelserv-tls on /opt/bin/pixelserv-tls and set permissions to 755?

Remove the link in /opt/bin and place the new pixelserv-tls binary there, chmod it to 0755.

 

[kman]

Thank you @thelonelycoder

FYI - I tried upgrading to v2.3.0 through Diversion but ran into the issue mentioned on Diversion thread about "Not downgrading package pixelserv-tls on root from V35.HZ12.Ki-1 to 2.3.0-1."

ok so did this, now when I try I see
....
Not downgrading package pixelserv-tls on root from V35.HZ12.Ki-1 to 2.3.0-1.
....

I tried forced re-installing pixelserv-tls via the following command

opkg install pixelserv-tls --force-reinstall

but ran into :

...
@RT-AC68U-1DA8:/tmp/home/root# opkg install pixelserv-tls --force-reinstall
No packages removed.
Installing pixelserv-tls (V35.HZ12.Ki-1) to root...
Collected errors:
* opkg_download_pkg: Package pixelserv-tls is not available from any configured src.
* opkg_install_pkg: Failed to download pixelserv-tls. Perhaps you need to run 'opkg update'?
* opkg_install_cmd: Cannot install package pixelserv-tls.

At this stage I just used WinSCP to upload the v2.3.1. pixelserv-tls into /opt/bin/pixelserv-tls and updated the permissions to (755).

Diversion was able to start pixelserv-tls and then I just purged and regenerated the certificates as mentioned on and also deleted pixelserv-tls-beta from /opt/tmp/

...
3. Re-generate the pixelserv-tls CA certificate in ep, 3, 2 (all domain certificates will be purged during that step)
4. Import the new pixelserv-tls CA certificate (ca.crt) into browsers and devices, replacing the previous certificate.
Open the certificate link in a browser with your pixelserv-tls IP address, typically this is 192.168.1.2/ca.crt and import it.

All seems to be working now.

Thanks everyone.

 

[thelonelycoder]

Thank you @thelonelycoder

FYI - I tried upgrading to v2.3.0 through Diversion but ran into the issue mentioned on Diversion thread about "Not downgrading package pixelserv-tls on root from V35.HZ12.Ki-1 to 2.3.0-1."


I tried forced re-installing pixelserv-tls via the following command

opkg install pixelserv-tls --force-reinstall

but ran into :


At this stage I just used WinSCP to upload the v2.3.1. pixelserv-tls into /opt/bin/pixelserv-tls and updated the permissions to (755).

Diversion was able to start pixelserv-tls and then I just purged and regenerated the certificates as mentioned on and also deleted pixelserv-tls-beta from /opt/tmp/

All seems to be working now.

Thanks everyone.

Make sure your Entware installation is up to date, use ep, 6, 5, or the amtm u function.

 

[kman]

Make sure your Entware installation is up to date, use ep, 6, 5, or the amtm u function.

Thanks. Anyway I can ensure I have the latest Entware installation and everything is up to date?

Spoiler

This updates installed Entware packages.

Entware version: Entware (armv7sf-k2.6)
Installed from: bin.entware.net

1. show pixelserv-tls info
2. show installed packages
3. update or upgrade pixelserv-tls
4. update list of available packages
5. update and upgrade installed packages

Enter selection [1-5 e=Exit] 5

Downloading http://bin.entware.net/armv7sf-k2.6/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware

 

[thelonelycoder]

Thanks. Anyway I can ensure I have the latest Entware installation and everything is up to date?

Spoiler

This updates installed Entware packages.

Entware version: Entware (armv7sf-k2.6)
Installed from: bin.entware.net

1. show pixelserv-tls info
2. show installed packages
3. update or upgrade pixelserv-tls
4. update list of available packages
5. update and upgrade installed packages

Enter selection [1-5 e=Exit] 5

Downloading http://bin.entware.net/armv7sf-k2.6/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware

You are up to date.

 

[gattaca]

BINGO!!
... I would have NEVER figured out the having to install the sftp package first

adding SFTP should be one of the tools in the super "scMerlin" option - please!! Like #TY, I too spent about 2 hours googling my *@(@* off for why SFTP was being closed by a lower layer protocol when using MobaXTerm (or any other various SFTP tooling). I too never ever THOUGHT it would be yet another ENTWARE opkg I needed to install for basic functions. Burned very well... Thanks!

 

[thelonelycoder]

adding SFTP should be one of the tools in the super "scMerlin" option - please!! Like #TY, I too spent about 2 hours googling my *@(@* off for why SFTP was being closed by a lower layer protocol when using MobaXTerm (or any other various SFTP tooling). I too never ever THOUGHT it would be yet another ENTWARE opkg I needed to install for basic functions. Burned very well... Thanks!

If the client supports the scp protocol, then you don't need to install sftp support on the router. WinSCP does both.

 

[gattaca]

If the client supports the scp protocol, then you don't need to install sftp support on the router. WinSCP does both.

OK I've used Moba for so long.. I'd rather not have sFTP active..

 

[mrchow]

My tests on multiple iOS devices concluded that only certificates with 2048 bits work.
Diversion therefore only generates a 2048 bit pixelserv-tls CA certificate.

Just wanted to chime in to confirm this. The CA needs to be 2048 bit, otherwise the generated certificates are not trusted.

 

[elorimer]

https://kazoo.ga/pixelserv-tls/tls-alert.sh

I rewrote this a tad, following @thelonelycoder 's gentle suggestion, to eliminate the need for the bash shell and the need to install bind-dig. @kvic's script has a copyright notice, so I am reluctant to quote the revised script here without permission. It took me a long time to follow how his script worked, and it is a wicked good bit of coding.

Basically, I moved the suppression array off into a new text file. To build the filter, instead of a for loop I used a while loop to read the file in, avoiding the need for the declare statement (which needed bash):

suppressfile="/jffs/scripts/suppressfile"
while IFS= read -r elem; do
_filter="$_filter\|$(echo $elem|sed 's/  */.*/g')"
done < "$suppressfile"

Then instead of using dig to look up the breaking client's hostname, I adapted a bit that is in @thelonelycoder's stats.div file:

cat /tmp/tmp.newbreaks|grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}'|sort -u > /tmp/tlshost.tmp
for i in $(awk '{print $1}' /tmp/tlshost.tmp); do
echo "$1 " " "$(awk -v var="$i" -F' ' '$1 == var{print $1, $2}' <insert here a path to hosts.dnsmasq>)" #for some reason I can't insert the /tmp/etc part
done

Really crude, I know
Part of my thinking in moving the suppression array into a new text file was maybe adapting @Jack Yaz 's method of excluding log files from the webui in uiScribe and automatically adding to the text file new breaking client/server combos.

EDIT: So I rewrote the last chunk to eliminate the interim file:

cat /tmp/tmp.newbreaks|grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}'|
(while read line; do
 echo "$line" "$(awk -v var="$line" -F' ' '$1 == var{print $2}' <path to the host file>)"
done) | 
 sort -u -t . -k 4,4n

 

[Protik]

Any word on when Entware will have the latest pixelserv?

 

[Makaveli]

Any word on when Entware will have the latest pixelserv?

Just update it yourself is a very straight forward process.

 

[bluepoint]

Just update it yourself is a very straight forward process.

That is true I did it myself but it's interesting to know why Entware is taking too long to release the latest kvic pixelserv. Is there betting going on?

 

[Centrifuge]

why Entware is taking too long

It looks like Entware releases are anywhere from 3-4 months apart, last one was in October 2019, so maybe soon. I too installed manually, but Entware is the distribution we're hanging our scripting hats on, so it would be nice to have a "blessed" install, although the manually installed pixelserv seems to work as expected, that might not always be the case when you manually upgrade one component of a distribution given dependencies and integration of new features etc., which could cause breakage.

 

[elorimer]

why Entware is taking too long

I appreciate the voluntary efforts of everyone who makes this ecosphere so rich.

 

[thelonelycoder]

That is true I did it myself but it's interesting to know why Entware is taking too long to release the latest kvic pixelserv. Is there betting going on?

You should know that the Entware team works on their own pace, on their own free time and are not paid for it.
Be respectful and grateful for what they do. That includes the people who offer firmware or other software for free.

 

[bluepoint]

You should know that the Entware team works on their own pace, on their own free time and are not paid for it.
Be respectful and grateful for what they do. That includes the people who offer firmware or other software for free.

Wow, didn't realiize I've scratch some nerve. There was no intention on my part to malign the Entware group and/or anybody in the community. It's more on being naive on what they do that's why I ask if there is betting going on. It's more on like understanding what's going on and nothing much being zero knowledge of the linux community. I thought being in the community for a little while earns me a little benefit of the doubt but guess not. I do respect and appreciate people in this community in fact being zero knowledge of linux I follow each one of you blindly.