pixelserv pixelserv - A Better One-pixel Webserver for Adblock

[dirtyreturn]

Pardon me for this question.
What is the reason for creating certificates?
And how do you use them along with pixelserv?

Sent from my Nexus 6P using Tapatalk

 

[Raphie]

@kvic thnx for the update seems to run smoothly

 

[pattiri]

I think I have a problem but I'm not sure if it is expected or not.

I'm using AB-Solution 3.10 and pixelserv pixelserv-tls: v2.0.0-rc1.

when my PC is on, always an SSH session is up and following the logfile via AB-Solution. During this time pixelserv-tls works OK I can access servstats page.

I exit AB-Solution with "e" option, SSH session is still there and pixelserv-tls still works and I can access servstats page.

I quit the SSH session then I can't access servstats page but ping I can ping the IP address of pixelserv-tls.

To access servstats page I need to SSH router again and run "./ab-solution.sh". but " uts 0d 00:00"

Or I run "/opt/etc/init.d/S80pixelserv-tls restart" and I can access servstats page but when I exit the SSH session then I can't access servstats page again but ping works.

So somehow quiting SSH session causes pixelserv to stop but I can ping it.

Is this expected?

Update: rebooted the router now it seems OK. If it happens again I'll update. Thanks.

 

[kvic]

Pardon me for this question.
What is the reason for creating certificates?
And how do you use them along with pixelserv?

Sent from my Nexus 6P using Tapatalk

You've to do some reading on HTTPS and its underlying Public Key Infrastructure cryptography. A tutorial about them is beyond a forum post.

In brief, your web browser talks to an adverts server over HTTPS. The server need a certificate, and your client need a way to verify the certificate is valid. This is configured by your OS on client side, and by admin on adverts server side. Both use a shared security infrastructure PKI.

dnsmasq (or another DNS forwarder/server) redirects your adverts requests to pixelserv-tls. Instead of creating thousands of certificates by hands, pixelserv-tls creates them automatically on demand. So that your browsers can talk to pixelserv-tls over HTTPS.

You only need to create one certificate manually, known as CA cert. This CA certificate need to be trusted by your clients and pixelserv-tls. That's the basis of PKI.

See here on how to create & use the CA cert.

#FAQ#

 

[kvic]

I quit the SSH session then I can't access servstats page but ping I can ping the IP address of pixelserv-tls.

Based on your description, when you exist the SSH session, pixelserv-tls was crashed for unknown reason. I suspect it's related to how AB-SOLUTION interact with pixelserv-tls.

@Protik also reported an issue on ABS and pixelserv-tls interactions earlier.

 

[Raphie]

One day of v2, seems a lot mor dropped connections?

ixelserv-tls: v2.0.0-rc1 compiled: Nov 26 2017 20:53:17 options: 192.168.1.2
55763 uts, 1 log, 1 kcc, 4 kmx, 1.71 kvg, 3 krq, 2226 req, 1031 avg, 1091 rmx, 21 tav, 1573 tmx, 749 slh, 2 slm, 0 sle, 1276 slc, 8 slu, 74 nfe, 0 gif, 0 ico, 3 txt, 0 jpg, 0 png, 0 swf, 14 sta, 5 stt, 0 ufe, 0 opt, 0 pst, 0 hed, 0 rdr, 0 nou, 0 pth, 0 204, 0 bad, 0 tmo, 1290 cls, 678 cly, 0 clt, 0 err

 

[jrmwvu04]

One day of v2, seems a lot mor dropped connections?

I’m not seeing that in my environment. Could be a coincidence if you have a device without certificates getting very active for some reason, such as a console or tv.

 

[Raphie]

Yeah, YT is playing for the kids on the TV, might be that.

 

[System Error Message]

does it serve pixels?

 

[thelonelycoder]

Congrats @kvic, version 2.0.0 is released. Crossing fingers that the Entware maintainers have time to merge it in time.

 

[rromeroa]

I have installed v2.0.0-rc1 and KL-test8d in my RT-AC68U, both crashed after two hours... no traces in logs... I cleared cache but does not work.
I use pixelserv with -p and -k switches, anything I can do to identify the isssue?

 

[kvic]

Congrats @kvic, version 2.0.0 is released. Crossing fingers that the Entware maintainers have time to merge it in time.

I've been busy at work lately. So the whole release process is splitter into several nights & still haven't finished.

I found time to test & created a patch for Entware build. And submitted a ticket a moment ago.

This shall speed up the roll out on Entware but ppl will still have to wait for next cycle update I believe.

Nevertheless, the v2.0.0-rc1 binary is functionally same as v2 release. So early birds can use install-beta.sh to get it.

In addition, I actually have ipk files for both mipsel & armv7 built but I'm reluctant to break the protocol by distributing it myself. I think it's worth ppl's wait with extra checking & care that Entware team put into their distributions.

 

[kvic]

I have installed v2.0.0-rc1 and KL-test8d in my RT-AC68U, both crashed after two hours... no traces in logs... I cleared cache but does not work.
I use pixelserv with -p and -k switches, anything I can do to identify the isssue?

Same as @Protik and @pattiri mentioned above. I think you'll need to check with AB-SOLUTION creator... I'm readily available to assist.

 

[kvic]

does it serve pixels?

I realised I forgot to reply. It can. I added a favicon so you can see when visit the servstats page. But abandoned the idea for v2 release.

 

[pattiri]

Same as @Protik and @pattiri mentioned above. I think you'll need to check with AB-SOLUTION creator... I'm readily available to assist.

All working great on my side after a reboot you can try

 

[dirtyreturn]

You've to do some reading on HTTPS and its underlying Public Key Infrastructure cryptography. A tutorial about them is beyond a forum post.

In brief, your web browser talks to an adverts server over HTTPS. The server need a certificate, and your client need a way to verify the certificate is valid. This is configured by your OS on client side, and by admin on adverts server side. Both use a shared security infrastructure PKI.

dnsmasq (or another DNS forwarder/server) redirects your adverts requests to pixelserv-tls. Instead of creating thousands of certificates by hands, pixelserv-tls creates them automatically on demand. So that your browsers can talk to pixelserv-tls over HTTPS.

You only need to create one certificate manually, known as CA cert. This CA certificate need to be trusted by your clients and pixelserv-tls. That's the basis of PKI.

See here on how to create & use the CA cert.

#FAQ#

Hey, thanks. I have the keys all ready to go. Do they need also to be on a client device?
And, accessing the stats page - is it the router IP? Followed by serverstats/.txt?

Sent from my Nexus 6P using Tapatalk

 

[jrmwvu04]

I have the keys all ready to go. Do they need also to be on a client device?

The ca.crt would be imported on the client.

And, accessing the stats page - is it the router IP? Followed by serverstats/.txt?

Pixelserv IP address. IPADDR/servstats for html, IPADDR/servstats.txt for text output.

Edit: not router IP, you need the IP address that pixerlserv is running on. That could be the Router IP, but only if you have done some setup, such as moving the web interface or whatever else.

 

[tom-]

@kvic
I was reading your manpage for pixelserv-tls. And saw I could specify a hostname. I was doing that already with dnsmasq along with the ip pixelserv-tls is on and it works great. I'm just a little confused on how I could set it with pixelserv-tls. I would like to have both ip and hostname set on pixelserv-tls. I tried specifying ip and hostname, but it fails to start. Is it only one or the other? Could you please share an example of how I can get this to work?

 

[kvic]

All working great on my side after a reboot you can try

@rromeroa Does a reboot resolve your issue?

I perhaps shall clarify a bit wrt my previous reply. I'm not the first go-to person for your issue (or any issue of interactions between ABS and pixelserv-tls) because I had the impression from previous two issues that were related to interactions between ABS and pixelserv-tls.

Surely a robust pixelserv-tls as it's right now shall not crash at any rate (*cough*). But bad things happen with unknown reasons. I meant to say once there was some clue from ABS perspective, I would be readily available for help.

 

[kvic]

I have the keys all ready to go. Do they need also to be on a client device?

As @jrmwvu04 said only the 'ca.crt' need to be imported on client devices _only if_ you can or want. It's recommended. I hope you already found the wiki page. If not, here is the [one](https://github.com/kvic-z/pixelserv...-the-CA-Certificate#import-cacrt-into-clients) on importing ca.crt on various platforms.