pixelserv pixelserv - A Better One-pixel Webserver for Adblock

[elorimer]

opkg update
opkg upgrade

NO! This can screw up stuff, like syslog-ng. Better to update, then upgrade only the components you intend to upgrade.

 

[DonnyJohnny]

Installed the arm7 binary to my 87U, used diversion to purge the certificates and restart pixelserv (separate steps). Seems to be working fine.

I did NOT regenerate ca.crt and key so I didn't have to reimport those. Only one iOS device, in the hands of the the Spouse, who will not permit touching of the Device, so I don't know if she has upgraded to 13.

i think the issue with ios 13 are the 2048 bit and 2 year only cert requirement. if not u will see a lot of the # of dropped HTTPS requests (other TLS handshake errors) on that iOS 13

 

[elorimer]

i think the issue with ios 13 are the 2048 bit and 2 year only cert requirement.

Ah, the penny drops. Unless ca.crt is regenerated the resulting certificates will all be rejected. Thanks.

 

[Butterfly Bones]

Installed the arm7 binary to my 87U, used diversion to purge the certificates and restart pixelserv (separate steps). Seems to be working fine.

I did NOT regenerate ca.crt and key so I didn't have to reimport those. Only one iOS device, in the hands of the the Spouse, who will not permit touching of the Device, so I don't know if she has upgraded to 13.

Ah, the penny drops. Unless ca.crt is regenerated the resulting certificates will all be rejected. Thanks.

iOS 13 is not released until 19 Sep., next week. The iOS 13 beta has to be intentionally installed for now. I did it on my new iPad to see it, that is just a casual device, not critical functions. I did load iOS 13 beta on my iPhone and reverted quickly when a needed medical app ceased to function (the only reason now use an iPhone).

 

[Jack Yaz]

NO! This can screw up stuff, like syslog-ng. Better to update, then upgrade only the components you intend to upgrade.

It really doesn't. opkg will create a -pkg version of any conf files so as to explicitly not affect any of your running applications. Or should, anyway

amtm uses similar code. The main issue is pixelserv, but Diversion can self-heal iirc

    # ep Entware packages menu
    if [ -f /opt/bin/opkg ]; then
        upd=" "
        printf "${GREEN_BG} ep${NC} %-9s%s\\n" "update" "Entware packages"
        case_ep(){
            print_end_line
            echo " This updates and upgrades Entware packages"
            if [ -f /opt/bin/diversion ]; then
                echo
                echo " Note: Diversion is installed on this router."
                echo " It's recommended to update Entware packages"
                echo " in Diversion using the ${RED_BG} ep ${NC} option."
                echo " Especially so when pixelserv-tls is installed."
            fi
            if [ -f /jffs/scripts/install_stubby.sh ] && [ -f /opt/etc/stubby/stubby.yml ]; then
                echo
                echo " Note: Stubby DNS Privacy Daemon is installed"
                echo " on this router."
                echo " It's recommended to update Entware packages"
                echo " selectively through the Stubby DNS menu to"
                echo " prevent overwriting configuration files."
            fi
            continue_dialog
            opkg update
            opkg upgrade
            show_amtm " Entware packages updated and upgraded"

Besides, as long as you're taking regular backups (which you should be as a responsible admin), you have a rollback path

 

[Butterfly Bones]

BINGO! got my padlock!

I was not watching the URL since Apple hides the url details by default, showing only site name. Just had to use https://router.asus.com:8443/ and then tell it I really, really, really did want to visit this page and trust it. Now I have the secure site padlock on all three devices and have imported the new cert in all four iThing devices. This is a love / hate thing for me.

 

[Asad Ali]

BINGO! got my padlock!

I was not watching the URL since Apple hides the url details by default, showing only site name. Just had to use https://router.asus.com:8443/ and then tell it I really, really, really did want to visit this page and trust it. Now I have the secure site padlock on all three devices and have imported the new cert in all four iThing devices. This is a love / hate thing for me.

That's not the correct approach, if you generate the correct Root CA and have it imported in the device you won't need to do any of this and iOS/macOS will automatically accept the certificate.

Force trusting the certificate is useless because you'll need to do that for every domain you have in your blocklist otherwise the handshake will fail.

 

[Ayitaka]

I've just uploaded the ipks here: https://github.com/jackyaz/pixelserv-tls/releases/tag/2.3.0

Download the ipk, then place on your router using WinSCP or similar. Next run opkg install, e.g.

opkg install /jffs/pixelserv-tls_2.3.0-1_aarch64-3.10.ipk

can just use this?

cd /opt/var/cache/pixelserv
openssl genrsa -out ca.key 2048
openssl req -key ca.key -new -x509 -days 720 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"

I dl'ed and installed the ipk (aarch64 - AC86U) with no issues, generated new crt and key as DonnyJohnny shows above, and imported it into my iPhone (replaced old Pixelserv CA cert), iPad (running iPadOS 13.1 beta) and MacBook Air.

I added the new Pixelserv CA cert to my AC86U using the script from @kvic in this post #1352, and all seems well. I see no errors in the iPad with iOS 13.1 beta or the iPhone on 12.4.1 or MacBook Air (stable Catalina).

Installed Jack's pixelserv-tls_2.3.0-1_armv7-2.6.ipk on my AC5300 and its all working smoothly.

Thank you Jack for working on pixleserv and updating it for what we needed.

And thank you Jack, DonnyJohnny, and Butterfly Bones for the various steps to make it super easy.

 

[Marin]

So how do you tell if pixelserv-tls_2.3.0-1 is installed? Does this version display on the Diversion menu?

 

[Butterfly Bones]

So how do you tell if pixelserv-tls_2.3.0-1 is installed? Does this version display on the Diversion menu?

In an SSH terminal:

opkg list-installed | grep pixelserv

Yes

 

[Makaveli]

This should show it also.

https://pixelservip/servstats.txt

 

[Marin]

In an SSH terminal:

opkg list-installed | grep pixelserv

Yes

My Diversion shows:

Whereas this shows:

@RT-AX88U-40E0:/tmp/home/root# opkg list-installed | grep pixelserv
pixelserv-tls - 2.3.0-1

and this shows:

I purged all the other certs and restarted PS

Anything I am doing wrong?

 

[SomeWhereOverTheRainBow]

In an SSH terminal:

opkg list-installed | grep pixelserv

Yes

can you update to this with inside diversion using the update pixelserv option?

 

[Butterfly Bones]

can you update to this with inside diversion using the update pixelserv option?

I think Diversion looks at the Entware repository. These newly compiled ink version are not in that repository. Jack Yaz posted instructions in his link.

 

[AlexD]

@Marin, it is working fine, it shows the same for me. The -1 doesn’t matter.

I just updated pixelserv folowing the posted instructions.
I was getting an error that I had a newer version installed and I had to use --force-downgrade to make it work. I also had to use opkg update / upgrade libopenssl to get 1.1.1.
Then I generated the new CA, purged the certificates and imported the CA on my iOS13 devices and it works perfectly. Thanks everyone who contributed to this.

 

[Marin]

can you update to this with inside diversion using the update pixelserv option?

These are the option inside the Diversion regarding PS:

 

[SomeWhereOverTheRainBow]

These are the option inside the Diversion regarding PS:

View attachment 19324

these are what i was referring to.

 

[Butterfly Bones]

My Diversion shows:

View attachment 19322

Whereas this shows:

@RT-AX88U-40E0:/tmp/home/root# opkg list-installed | grep pixelserv
pixelserv-tls - 2.3.0-1

and this shows:

View attachment 19323

I purged all the other certs and restarted PS

Anything I am doing wrong?

I am seeing the same compile date in servstats page of May 25, so whatever is wrong, me too.

 

[SomeWhereOverTheRainBow]

I am seeing the same compile date in servstats page of May 25, so whatever is wrong, me too.

is there any new added benefits to this version over the current version diversion is using?

 

[Marin]

View attachment 19325

these are what i was referring to.

I see, thank you - Yes I tried that too but apparently the version stays the same in Diversion (as @AlexD confirmed - thank you!).

And as @Butterfly Bones stated, the servstats page still displays the old version which is also my case - thank you!

Will keep researching this more......Thanks again all!