pixelserv - A Better One-pixel Webserver for Adblock

Is it also possible to just add the model to the list that is in this script?
For personal use - as a coder - that works ... or as I did - simply rem'd the lines dealing with model numbers ... but thelonelycoder is fixing it for amtm so that non-coders like me just enjoy the magic of selecting menu items and have all the heavy lifting done for you;).
 
Hi, confused somehow by pixelserv SSL certificates - I would like to replace them with my own CA and domain certs with my private CA authority created in XCA.
I found ca.crt and ca.key, but how can I replace domain certificates?
 
You don't have to, just delete/purge all the generated domain certificates and that's it. Pixelserv-tls generates the domain certificates on the fly.
 
Gotcha - found this option, appears it keeps them in the same folder for all blocked ad domains + admin TLS, let me try that and see how it goes
 
Don't forget to import your newly created CA authority in your devices, otherwise TLS handshake will fail.
 
Yes CA authority has been imported, but I need to import individual domain certs too - so I have done for admin page with various aliases, but what about adblocked sites...
 
You're mixing things here, first clear some things. You're trying to import WebUI domain certificates in the router for its web UI? Or you're talking about ad domains?

If ad domains then you don't have to import the generated ad certificates anywhere.
 
Asus WebUI is long time sorted. Pixelserv admin serverstats is sorted

Am talking about ad domains since I noticed this, but it could be related to the pixelserv admin page before I installed certs, will need to find out where the logs are and grep them
slm 26 # of rejected HTTPS requests (missing certificate)
 
Watch the uca stat for any domain certs rejected because the device did not trust the CA used to generate it. No need to import anything other than the CA. The first time you visit a domain the cert is not existing yet, so you get the slm counter incremented. The next visit, it is fine.
 
Those missing certificates are generated on the fly the first time you visit a blocked domain.

For example, you have "ads.com" blocked in your blocking file, when you visit the domain "ads.com" the first time you will get a TLS handshake error and one count in slm counter because there was no matching domain certificate for that in pixelserv-tls certificates cache. But next time whenever you'll visit "ads.com" you will not see any error and no slm certificate counter (slm) increase either.
 
I have only recently installed Diversion Standard - everything seems to be working fine but I have a few questions around the data on the Servstats page. Initially I was seeing slu:slh ratio of about 20:1. Having installed a lot of client certificates (and have about 4 devices to go) this is now down to about 2:1 and I have set logging to -l 2 to investigate further.

Looking at the syslog I am seeing three types of output
pixelserv-tls[24063]: handshake failed: shutdown after ServerHello. client 10.55.00.134:56774 server nexusrules.officeapps.live.com
pixelserv-tls[24063]: handshake failed: unknown cert. client 10.55.00.136:58418 server reports.crashlytics.com
pixelserv-tls[24063]: handshake failed: unknown CA. client 10.55.00.134:56803 server telemetry.dropbox.com

Are all three of these in relation to the slu failures?
What is the difference between unknown cert and unknown CA
Also I have some (very few) slm - does this refer to a missing certificate at the website or if not, where should I be looking?

While I have yet to install a certificate on 10.55.00.134, device 10.55.00.136 is a Samsung S7 running Android 8 - I can see the Pixelserv certificate sitting in the Certificates list, yet I am still seeing a steady stream of unknown cert. Another user is a Nokia 7.1 running Android 10 - again the certificate is where it should be, but the device is getting the same unknown cert errors - any idea where I can look to see why these phones are ignoring / bypassing the certs?
 
Some devices or applications are hard-coded to only accept a specific cert and will close the connection if anything else is received. Look up certificate pinning.

You can fix the unknown CA messages by installing the CA cert if the device allows it. The rest you can either live with, or take a more tedious approach to whitelist them in Diversion then add them to /jffs/configs/hosts.add with a 0.0.0.0 IP to avoid the bad pixelserv stats. I don't bother anymore, but crashlytics is very hostile against Pixelserv certs.
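
An added example (not from the thread or the pixelserv-tls project) that tallies the handshake-failure lines quoted above per client and reason, so you can see which devices still need the CA installed ("unknown CA") and which server names keep rejecting the generated cert ("unknown cert"). It assumes the log format shown in the thread; the function names and the last two sample lines are constructed.

```shell
#!/bin/sh
# Added example: triage pixelserv-tls "handshake failed" syslog lines (-l 2).
# Assumes the line format quoted in the thread; function names are hypothetical.

# Constructed sample: first three lines are from the thread, last two are made up.
sample_log() {
cat <<'EOF'
pixelserv-tls[24063]: handshake failed: shutdown after ServerHello. client 10.55.00.134:56774 server nexusrules.officeapps.live.com
pixelserv-tls[24063]: handshake failed: unknown cert. client 10.55.00.136:58418 server reports.crashlytics.com
pixelserv-tls[24063]: handshake failed: unknown CA. client 10.55.00.134:56803 server telemetry.dropbox.com
pixelserv-tls[24063]: handshake failed: unknown cert. client 10.55.00.136:58420 server reports.crashlytics.com
pixelserv-tls[24063]: handshake failed: unknown CA. client 10.55.00.134:56810 server ads.example.com
EOF
}

# Read log lines on stdin; print "count<TAB>client_ip<TAB>reason", busiest first.
summarize_failures() {
    awk '
    /pixelserv-tls.*handshake failed: / {
        line = $0
        sub(/^.*handshake failed: /, "", line)   # -> "REASON. client IP:PORT server NAME"
        n = index(line, ". client ")
        if (n == 0) next
        reason = substr(line, 1, n - 1)
        split(substr(line, n + 9), f, " ")       # f[1] = IP:PORT
        ip = f[1]; sub(/:[0-9]+$/, "", ip)
        count[ip "\t" reason]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Print the unique server names that failed with reason $1, e.g. "unknown cert".
servers_for_reason() {
    awk -v want="$1" '
    /pixelserv-tls.*handshake failed: / {
        line = $0
        sub(/^.*handshake failed: /, "", line)
        n = index(line, ". client ")
        if (n == 0 || substr(line, 1, n - 1) != want) next
        m = index(line, " server ")
        if (m) print substr(line, m + 8)
    }' | sort -u
}

sample_log | summarize_failures
```

To use it on a router, pipe the syslog into `summarize_failures` instead of `sample_log`.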
 
a more tedious approach to whitelist them in Diversion then add them to /jffs/configs/hosts.add with a 0.0.0.0 IP to avoid the bad pixelserv stats
Hmmmm..... wonder how tricky it would be to automate that? @thelonelycoder would it make the browsing experience snappier/smoother or would it just make the stats nicer?
 
I wouldn't tempt him. He's just as likely to eradicate pixelserv-tls completely. :eek:
 
That wouldn't be too surprising at all, our beloved lonely coder has had some remarks in the past indicating his displeasure with pixelserv in general (the reasons escape me right now).
 
I've stopped using it and I forked it to update it for iOS 13 after all ;-)
Sorry for being dense - did you stop using pixelserv-tls or Diversion - what did you fork and is it applicable/available for other users?
 
I have tried the method above, and the slu count is now minimal. However I am now seeing ads where they had been blocked, specifically those delivered via www.googleadservices.com, even though if I click on the ad I get 'Hmmm... cannot reach this page' and pinging www.googleadservices.com gets
'Ping request could not find host www.googleadservices.com. Please check the name and try again.' which is what I would expect with www.googleadservices.com sitting in hosts.add.

I am guessing that as the ads are using redirect and www.googleadservices.com is in my whitelist, diversion/pixelserv are allowing the ads to show. For this sort of ad redirect, do I need to remove the site from the whitelist & hosts.add (and get the slu errors) or is there another way to do this?
 
pixelserv-tls

My changes got merged into the last official release, when @kvic briefly resurfaced
Thanks for clarifying - if you no longer use pixelserv-tls, what (if anything) do you now use to remove / replace the blocked content?
 
