pixelserv pixelserv - A Better One-pixel Webserver for Adblock

[Makaveli]

Stat update on 2.2.1 and its solid so far.

pixelserv-tls 2.2.1 (compiled: Dec 29 2018 15:01:03 flags: tls1_3) options: 192.168.1.3

uts    29d 07:50    process uptime
log    1    critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc    7    number of active service threads
kmx    24    maximum number of service threads
kvg    1.01    average number of requests per service thread
krq    51    max number of requests by one service thread
req    144084    total # of requests (HTTP, HTTPS, success, failure etc)
avg    779 bytes    average size of requests
rmx    57740 bytes    largest size of request(s)
tav    12 ms    average processing time (per request)
tmx    503 ms    longest processing time (per request)
slh    7988    # of accepted HTTPS requests
slm    69    # of rejected HTTPS requests (missing certificate)
sle    0    # of rejected HTTPS requests (certificate available but not usable)
slc    51215    # of dropped HTTPS requests (client disconnect without sending any request)
slu    83530    # of dropped HTTPS requests (other TLS handshake errors)
v13    9717    slh/slc break-down: TLS 1.3
v12    46447    slh/slc break-down: TLS 1.2
v10    3039    slh/slc break-down: TLS 1.0
zrt    2008    slh break-down: TLS 1.3 Early Data aka 0-RTT
uca    43    slu break-down: # of unknown CA reported by clients
ucb    16671    slu break-down: # of bad certificate reported by clients
uce    66466    slu break-down: # of unknown cert reported by clients
ush    251    slu break-down: # of shutdown by clients after ServerHello
sct    217    cert cache: # of certs in cache
sch    138350    cert cache: # of reuses of cached certs
scm    49    cert cache: # of misses to find a cert in cache
scp    0    cert cache: # of purges to give room for a new cert
ssh    30726    sess cache: # of reuses of cached TLS sessions
ssm    97    sess cache: # of misses to find a TLS session in cache
ssp    0    sess cache: # of purges to give room for a new TLS session
nfe    4025    # of GET requests for server-side scripting
gif    628    # of GET requests for GIF
ico    41    # of GET requests for ICO
txt    3284    # of GET requests for Javascripts
jpg    17    # of GET requests for JPG
png    2    # of GET requests for PNG
swf    0    # of GET requests for SWF
ufe    554    # of GET requests /w unknown file extension
opt    0    # of OPTIONS requests
pst    556    # of POST requests
hed    0    # of HEAD requests (HTTP 501 response)
rdr    0    # of GET requests resulted in REDIRECT response
nou    0    # of GET requests /w empty URL
pth    0    # of GET requests /w malformed URL
204    0    # of GET requests (HTTP 204 response)
bad    132    # of unknown HTTP requests (HTTP 501 response)

 

[jrmwvu04]

v10 3039

Interesting. Do you know what is causing that

 

[Makaveli]

Interesting. Do you know what is causing that

I don't the logs enabled right now but will put them on and investigate.

 

[Twiglets]

I am getting the following appearing in the logs for Pixelserv:

Jan 31 13:32:28 pixelserv-tls[26330]: handshake failed: client xxx.xxx.xxx.xxx:47899 server fls-eu.amazon.co.uk. Lib(20) Func(143) Reason(267)

Anyone know what it means ?

The openssl-err.rs error code ('Reason') equates to ... EC_F_ECX_PRIV_ENCODE: c_int = 267 .... this does not help me !!!

 

[kvic]

I am getting the following appearing in the logs for Pixelserv:

Jan 31 13:32:28 pixelserv-tls[26330]: handshake failed: client xxx.xxx.xxx.xxx:47899 server fls-eu.amazon.co.uk. Lib(20) Func(143) Reason(267)

Anyone know what it means ?

The openssl-err.rs error code ('Reason') equates to ... EC_F_ECX_PRIV_ENCODE: c_int = 267 .... this does not help me !!!

Likely SSL_R_WRONG_VERSION_NUMBER caused by non TLS clients knocking on port 443.

 

[Twiglets]

Likely SSL_R_WRONG_VERSION_NUMBER caused by non TLS clients knocking on port 443.

Sorry kvic, could you simplify your reply !!! ......... otherwise known as 'huh !!!'

 

[kvic]

Sorry kvic, could you simplify your reply !!! ......... otherwise known as 'huh !!!'

Common slu errors are categorised under uce, uca & etc. Uncommon ones will be logged on LEVEL 2 as you've found out above. Reason(267) very likely means "wrong ssl version number". That I suspect it's caused by non SSL/TLS clients running on some of your LAN devices that are attempting connection to pixelserv-tls port 443. If it's not flooding your syslog, perhaps you could safely ignore.

 

[Twiglets]

That I suspect it's caused by non SSL/TLS clients running on some of your LAN devices that are attempting connection to pixelserv-tls port 443. If it's not flooding your syslog, perhaps you could safely ignore.

kvic,
This does not make sense as I do not have a 'non TLS client' running on the IP address in the error message.
The IP address equates to the PC I use for everything, it runs Windows 7 Sp1 + Firefox 65.0. + various addons.
The address is defined in the Network setup of the PC (no DHCP used at all) so it cannot be another machine/tablet/phone etc.
It was the reason I asked for a simplified answer because the original answer did not make sense for the PC I use.
The error only appeared when I had purchased something via Amazon and the tab was left open while I was following the 'Tracking' of the delivery. (Use Amazon very infrequently so typically there is no connection to Amazon on any device.)

 

[kvic]

kvic,
This does not make sense as I do not have a 'non TLS client' running on the IP address in the error message.
The IP address equates to the PC I use for everything, it runs Windows 7 Sp1 + Firefox 65.0. + various addons.
The address is defined in the Network setup of the PC (no DHCP used at all) so it cannot be another machine/tablet/phone etc.
It was the reason I asked for a simplified answer because the original answer did not make sense for the PC I use.
The error only appeared when I had purchased something via Amazon and the tab was left open while I was following the 'Tracking' of the delivery. (Use Amazon very infrequently so typically there is no connection to Amazon on any device.)

Many months ago when some people reported they could not browse in Amazon app, I tried to reproduce the issue. I tried in apps and browsers. I didn't see browsers on PC hit this domain: fls-eu.amazon.co.uk but Android (and perhaps iOS apps) apps do.

Perhaps you could try to figure out where on the page and in the code (javascript?) that this domain is accessed. Everything is open in browsers on PC.

 

[kvic]

Perhaps you could try to figure out where on the page and in the code (javascript?) that this domain is accessed. Everything is open in browsers on PC.

Btw, that means for most ppl wanting to be hassle free should have fls-eu.amazon.co.uk and American equivalent domain whitelisted. But I recall you like experimenting things new..

So perhaps you could spend sometime figuring out or simply whitelist it.

 

[elorimer]

The address is defined in the Network setup of the PC (no DHCP used at all) so it cannot be another machine/tablet/phone etc.

Not quite. Presumably it is outside the DHCP range, but it would be better to reserve it on the DHCP page. Is it not possible that DHCP handed that IP out to another device?

I suspect also, that fls-eu.amazon.co.uk isn't necessarily associated with Amazon shopping but instead something on Amazon AWS, and that could be most anybody.

 

[Twiglets]

Not quite. Presumably it is outside the DHCP range, but it would be better to reserve it on the DHCP page. Is it not possible that DHCP handed that IP out to another device?

I suspect also, that fls-eu.amazon.co.uk isn't necessarily associated with Amazon shopping but instead something on Amazon AWS, and that could be most anybody.

Sorry late reply.
I get what you are saying and in general it is valid.

BUT

I do not *use* DHCP but have it configured.
I define *All* devices IP Addresses and add them to the 'Manually Assigned IP around the DHCP list" section of the DHCP Server page of the router. (Creates fallback that still matches 'my defined IP addresses' in case any device is 'accidentally' booted to retrieve its address via DHCP.)
I like to have known IP Addresses for all my devices and know them by heart !!!

If any address appears that is not in my known list it 'sticks out' !!! (There is a small range of 'new' unused addresses that will be picked up by any device using DHCP.)

 

[JimbobJay]

Just wanted to give a heads up that according to this message from Apple to the IETF https://mailarchive.ietf.org/arch/msg/tls/5QjzTilqjomSyzENtgfaAqQOhbA iOS 12.2 should roll out support for TLS 1.3, so we can finally benefit from the speed and security benefits of 1.3 in pixelserv, most noticeable 0-RTT, on our mobile devices when 12.2 released

 

[bluzfanmr1]

Just wanted to give a heads up that according to this message from Apple to the IETF https://mailarchive.ietf.org/arch/msg/tls/5QjzTilqjomSyzENtgfaAqQOhbA iOS 12.2 should roll out support for TLS 1.3, so we can finally benefit from the speed and security benefits of 1.3 in pixelserv, most noticeable 0-RTT, on our mobile devices when 12.2 released

I have been running the iOS 12.2 beta and indeed TLS 1.3 is working.

 

[EmeraldDeer]

It appears that the Pixelserv certificate and key pair can be used for the web interface on a Cisco SG300 (SSL Server Authentication Settings).
Certificate ca.crt is OK as is
Private key ca.key is OK as is because it is already in PEM format.
You will need a public key in RSA public format rather than the more common public format, however.

openssl rsa -in ca.key -RSAPublicKey_out > ca.rsapub

 

[EmeraldDeer]

For the life of me, I can't figure out why Stubby daemon logging does not work.

# egrep "PROCS|ARGS" /opt/etc/init.d/rc.func
    $PREARGS $PROC $ARGS > /dev/null 2>&1 &
    #echo $PREARGS $PROC $ARGS
for PROC in $PROCS; do

 

[cmkelley]

For the life of me, I can't figure out why Stubby daemon logging does not work.

# egrep "PROCS|ARGS" /opt/etc/init.d/rc.func
    $PREARGS $PROC $ARGS > /dev/null 2>&1 &
    #echo $PREARGS $PROC $ARGS
for PROC in $PROCS; do

As far as I can tell, it flat out doesn't work. My stubby log file hasn't ever budged from zero length.

 

[EmeraldDeer]

It appears that the Pixelserv certificate and key pair can be used for the web interface on a Cisco SG300 (SSL Server Authentication Settings).
Certificate ca.crt is OK as is
Private key ca.key is OK as is because it is already in PEM format.
You will need a public key in RSA public format rather than the more common public format, however.

openssl rsa -in ca.key -RSAPublicKey_out > ca.rsapub

Chrome is OK with this.
Kaspersky is not OK with this. Why doesn't Kaspersky complain about the router as well? Because Kaspersky does not scan port 8443. SG300 does not allow changing https port.
Safari is not OK with this. I have installed and enabled the Pixelserv CA certificate but Apple has it as Not Trusted.

 

[EmeraldDeer]

As far as I can tell, it flat out doesn't work. My stubby log file hasn't ever budged from zero length.

So it isn't because rc.func throws it away?

 

[cmkelley]

So it isn't because rc.func throws it away?

rc.func is only throwing away messages generated when stubby is started or stopped. Logging is a completely separate function.