pixelserv pixelserv - A Better One-pixel Webserver for Adblock

[froggy666uk]

Should be soon I think. In weeks..not longer than October. Have been trying One More Thing..so perhaps one more rc run.



...running Pi Hole?

Curious what's the current status of OpenSSL 1.1.1 on Rasp Pi?

To make most out of v2.2, you'll need OpenSSL 1.1.1..

Thanks for that.

I use ab-solution on my router with a custom IP block which hands ad requests off to the pixelserv instance on my pi.

Looks like openssl is still at 1.1.0 on the Pi, I'll have a go at compiling 1.1.1 - thanks for the heads up!

Cheers,
Dave

Sent from my LLD-L31 using Tapatalk

 

[IT Guy]

Pixelserv-tls does not show white pixel/screen when blocking "googleads.g.doubleclick.net" should it be like that?
If I ping the googleads.g.doubleclick.net then pixel server replies so I know pixelserver is handeling it. But on the webpage I see the error msg connection fail ect...

In diversion I cleard the stored cert befor I updated to the R5 release, had the same problem on 2.1.2..so no change at all. Fells like it just drops the HTTPS request insted of white pixeling it. Attach pixservstats.pdf
This is the webpage: http://hola.klonec.co/black-cat-emoji/

In chrome it shows this insted of a just white background in the ad area:
https://googleads.g.doubleclick.net...pc=xiwNElnmmo&p=http://hola.klonec.co&dtd=193

 

[vesalius]

Interesting.. was the command used to generated the CA cert same in both cases? What are full command lines if I may ask?

If what you've described is correct, I think there is some issue we might need to take a closer look for new users using openssl 1.0.2p to generate a CA cert.

Pretty sure I have the same issue after I recently generated new certificates as a result of a USB fail.

 

[kvic]

In chrome it shows this insted of a just white background in the ad area:
https://googleads.g.doubleclick.net...pc=xiwNElnmmo&p=http://hola.klonec.co&dtd=193

Dns based Adblock with pixelserv-tls is an interesting task and requires understanding the web standards. The ancestors of the old pixelserv worked out some bits in this area which might be possibly outdated.

In this particular case, there is long time feature for it, -R cli option. If u enable -R when u launch pixelserv-tls, test the same url above. What did u get?

 

[kvic]

Pretty sure I have the same issue after I recently generated new certificates as a result of a USB fail.

Not clear at all from your brief description what problem u faced nor u mentioned how u solved it. Implying same issue as the user above is simply misleading because he even hasn confirmed with a reply of what his actual issue is...

So up to now I consider his case is user error.

 

[jrmwvu04]

I've generated certificates with OpenSSL 1.0.2p for pixelserv-tls that work perfectly, so the problem isn't there (or there alone).

 

[IT Guy]

Dns based Adblock with pixelserv-tls is an interesting task and requires understanding the web standards. The ancestors of the old pixelserv worked out some bits in this area which might be possibly outdated.

In this particular case, there is long time feature for it, -R cli option. If u enable -R when u launch pixelserv-tls, test the same url above. What did u get?

Samething, I enable -R in Diversion and also did a restart of pixelserv-tls - It did not change anything. In firefox it says: This site uses HTTP Strict Transport Security (HSTS), could that be the reson or that its DNS based ad URL.... I hope its possible to fix becouse many webpages uses the googleads.g.doubleclick.net ad redirection.

 

[kvic]

Samething, I enable -R in Diversion and also did a restart of pixelserv-tls - It did not change anything. In firefox it says: This site uses HTTP Strict Transport Security (HSTS), could that be the reson or that its DNS based ad URL.... I hope its possible to fix becouse many webpages uses the googleads.g.doubleclick.net ad redirection.

Could you review and update the link you provided above and I quoted? Seems like you maybe testing two slightly different links

If in all your tests, you're seeing the same HSTS error, then I believe there is definitely something wrong in copy&paste of the above link. That link doesn't give HSTS error in Firefox but server not found.

I can't work from the main site that requires guess work on what you were trying to do. So an updated URL that gives the HSTS error will help to better understand the issue.

 

[kvic]

In the coming rc.6, we'll get this new feature on servstats:

 

[regae]

at first i thought pixelserv is only working with dnsmasq "host method".
i tried unbound with python script, and it works . support regex too.
can't wait for rc6,

 

[thelonelycoder]

at first i thought pixelserv is only working with dnsmasq "host method".
i tried unbound with python script, and it works . support regex too.
can't wait for rc6,

Theoretically, any forwarder should work if there's a way to "poison" DNS queries. Dnsmasq just happens to be the most used and easiest to manipulate in my opinion.

 

[IT Guy]

Could you review and update the link you provided above and I quoted? Seems like you maybe testing two slightly different links

If in all your tests, you're seeing the same HSTS error, then I believe there is definitely something wrong in copy&paste of the above link. That link doesn't give HSTS error in Firefox but server not found.

I can't work from the main site that requires guess work on what you were trying to do. So an updated URL that gives the HSTS error will help to better understand the issue.

Hello,
I run diversion with the -R on pixelserv Rc5
In firefox it says "HTTP Strict Transport Security (HSTS)" where it should display white pixel backgound in this webpage: "http://kazan.klonec.co/black-cat-emoji/" at Ads area for https://googleads.g.doubleclick.net. On Edge browser and Google Chrome it says "Can not connect" -If pixelserv worked correctly it should only be a white area insted of the text right?

I also notice that the statistic logs from pixelserv are diffrent when I get them from https://192.168.0.2/servstats or http://192.168.0.2/servstats whats up with that??? see attachment

I have also notice "connection failure" to other https websites -that I dont have any blocking to, but if I refresh the webpage then I it shows the webpage. I think it could be related to pixelserver see my logs.

I will also attach a syslog from my router to this message.

 

[kvic]

In firefox it says "HTTP Strict Transport Security (HSTS)" where it should display white pixel backgound in this webpage: "http://kazan.klonec.co/black-cat-emoji/" at Ads area for https://googleads.g.doubleclick.net. On Edge browser and Google Chrome it says "Can not connect" -If pixelserv worked correctly it should only be a white area insted of the text right?

I do not see what you saw. I see snowy white page. No error messages.

The only difference between last time you posted and now is that the cartoon figure violates copyright and has been removed from the page you pointed to under requests by its copyright holders.

I also notice that the statistic logs from pixelserv are diffrent when I get them from https://192.168.0.2/servstats or http://192.168.0.2/servstats whats up with that???

That's called servstats page. The numbers will get updated every time you load the page.

I failed to see any difference in your screenshots other than normal updates.

I have also notice "connection failure" to other https websites -that I dont have any blocking to, but if I refresh the webpage then I it shows the webpage. I think it could be related to pixelserver see my logs.

No, it's not related to pixelserv-tls.

 

[kvic]

at first i thought pixelserv is only working with dnsmasq "host method".
i tried unbound with python script, and it works . support regex too.
can't wait for rc6,

Almost every platform has a script or two implements DNS based adblock. This is regardless what DNS server software runs on the platforms.

If your machine can cope with Unbound, perhaps you should stay with it. Snappier browsing experience overall in my opinion.

 

[Xentrk]

Almost every platform has a script or two implements DNS based adblock. This is regardless what DNS server software runs on the platforms.

If your machine can cope with Unbound, perhaps you should stay with it. Snappier browsing experience overall in my opinion.

I now have DNS over TLS working with DNSMASQ + Stubby. In my research, found it's possible to combine Unbound as the local caching forwarder with Stubby. Have not had time to research it much more. I need the IPSET feature of DNSMASQ. So DNSMASQ + Unbound + Stubby would all have to play together. One step at a time...

Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet re-use TCP/TLS connections or send several of the privacy related options (padding, ECS privacy) etc. The 1.7.1 release of Unbound supports authentication of upstream recursive resolvers using an authentication domain name (i.e. PKIX authentication) if a certificate bundle is configured. An example minimal config is given below.

 

[XIII]

I'm not sure but I think I'm using dnsmasq + unbound.

What would Stubby add?

 

[M@rco]

What would Stubby add?

DNS over TLS (DoT).

 

[XIII]

DNS over TLS (DoT).

unbound already supports DNS over TLS, so I'm still not sure what Stubby would add.

 

[kvic]

however it cannot yet re-use TCP/TLS connections or send several of the privacy related options (padding, ECS privacy) etc.

Basically they have to go through some of the TLS optimization that pixelserv-tls already done. But this sounds like two-edged sword to some extend. Won't be hard for Unbound to catch up if they think they should get the same TLS feature. So in that sense given presence of Unbound, Stubby is trying hard to find a place for itself.

 

[kvic]

2.2.0-rc.6 is available

This should be the last one before v2.2 release. Debug info has been stripped from binaries. Hence, you'll see a small shrink in binary sizes when compared to previous one or two rc's.

Also encourage you to read the release notes at kazoo.ga/pixelserv-tls/