What's new

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

1046 count is 296, syslog was cleared so that count is not accurate.
slu is 828

found this in the ssl errors link I posted above

Code:
SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN                      1046    sslv3 alert certificate unknown
SSL_R_TLSV1_ALERT_UNKNOWN_CA                               1048    tlsv1 alert unknown ca
 
I just uploaded a rebuilt of 2.1.0-rc.1
I have loaded it to participate in the science. I don't think my slu was anything to be excited about but who knows what we could find.

bDTiH5i.png
 
The sad news is CERTIFICATE_UNKNOWN (1046) is a catch all error code in OpenSSL i.e. when it cannot classify an error into more precise categories, it defaults to this. So it might not mean what the name may suggest otherwise. Let's leave this aside for now.

UNKNOWN_CA (1048) is worth a bit more investigation. It really should not happen if you have pixelserv-tls properly setup including file/directory permissions. So just to make sure, issue this in SSH
Code:
chown -R nobody /opt/var/cache/pixelserv
and then restart pixelserv-tls. Also, pay attention to any other errors from pixelserv-tls in /tmp/syslog.log such as reading ca.crt or other certificates.

Once the above conditions are met, watch out on your client access. I assume you all get a padlock when visiting the servstats page over HTTPS. Hence, the browser itself is probably fine. Pay attention to other apps (and their embedded browsers).

Then jot down observations on using what apps leading to '1048'. This might be a bit tideous and only good guess at best as some of the processes on your Android/iOS might be simply background tasks. However, given the client ip and timestamp in the debug traces. You shall be able to make an educated guess..

edit:

Just to reiterate how to make best use of the trace.
  • from client ip, you shall be able to rule out errors (hence slu counts) originated from clients without CA imported.
  • from above, if the errors from clients without CA imported account for the majority of your total slu counts, then not much to worry about. If not, proceed to next..
  • next from timestamp (+ client ip), you shall be able to roughly tell what Apps on which device you were using and leading to the errors (hence slu counts)
In case, you're less fluent in Linux to do efficient filtering and counting with grep, pls take a snapshot of /tmp/syslog.log as well as full servstats page, and post it somewhere so that I can help to analyse..
 
Last edited:
While a few of us working hard to rule out any slu issue, let me break a piece of news to readers of this thread.

The next test version has scored an A in the SSL Labs tests. A pleasant reward of the refinement in v2.1 :)

More details are available in this blog post.

View attachment 12366
The blog refers to rc2 version. Is this typo? Latest I see is rc1...
 
my logs are like;

Code:
pixelserv-tls: client `t0+ ssl error:14094412:lib(20):func(148):reason(1042)

I have no idea why client IP address is like that.

I think it's fixed itself and now my iphone floods;

Code:
Mar 19 22:38:44 pixelserv-tls[16984]: client 172.24.5.8 ssl error:140760FC:lib(20):func(118):reason(252)
Mar 19 22:38:45 pixelserv-tls[16984]: client 172.24.5.8 ssl error:140760FC:lib(20):func(118):reason(252)
Mar 19 22:38:47 pixelserv-tls[16984]: client 172.24.5.8 ssl error:140760FC:lib(20):func(118):reason(252)
Mar 19 22:38:47 pixelserv-tls[16984]: client 172.24.5.8 ssl error:140760FC:lib(20):func(118):reason(252)
 
Last edited:
I think I've set a new record:
Code:
uts 2d 07:48 process uptime
log 1 critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc 10 number of active service threads
kmx 34 maximum number of service threads
kvg 1.30 average number of requests per service thread
krq 457676 max number of requests by one service thread

req 508059 total # of requests (HTTP, HTTPS, success, failure etc)
avg 743 bytes average size of requests
rmx 29779 bytes largest size of request(s)
tav 7 ms average processing time (per request)
tmx 6598 ms longest processing time (per request)

slh 500304 # of accepted HTTPS requests
slm 18 # of rejected HTTPS requests (missing certificate)
sle 0 # of rejected HTTPS requests (certificate available but bad)
slc 6302 # of dropped HTTPS requests (client disconnect without sending any request)
slu 637 # of dropped HTTPS requests (other TLS handshake errors)
 
I think I've set a new record:
Code:
uts 2d 07:48 process uptime
log 1 critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc 10 number of active service threads
kmx 34 maximum number of service threads
kvg 1.30 average number of requests per service thread
krq 457676 max number of requests by one service thread

req 508059 total # of requests (HTTP, HTTPS, success, failure etc)
avg 743 bytes average size of requests
rmx 29779 bytes largest size of request(s)
tav 7 ms average processing time (per request)
tmx 6598 ms longest processing time (per request)

slh 500304 # of accepted HTTPS requests
slm 18 # of rejected HTTPS requests (missing certificate)
sle 0 # of rejected HTTPS requests (certificate available but bad)
slc 6302 # of dropped HTTPS requests (client disconnect without sending any request)
slu 637 # of dropped HTTPS requests (other TLS handshake errors)
I think this is replicable on 538 if you have the patience.
 
my logs are like;

Code:
pixelserv-tls: client `t0+ ssl error:14094412:lib(20):func(148):reason(1042)

I have no idea why client IP address is like that.

The scrambled display is understood. Potential underlying issue fixed in next test version.

I think it's fixed itself and now my iphone floods;

Code:
Mar 19 22:38:44 pixelserv-tls[16984]: client 172.24.5.8 ssl error:140760FC:lib(20):func(118):reason(252)
Mar 19 22:38:45 pixelserv-tls[16984]: client 172.24.5.8 ssl error:140760FC:lib(20):func(118):reason(252)
Mar 19 22:38:47 pixelserv-tls[16984]: client 172.24.5.8 ssl error:140760FC:lib(20):func(118):reason(252)
Mar 19 22:38:47 pixelserv-tls[16984]: client 172.24.5.8 ssl error:140760FC:lib(20):func(118):reason(252)

There will be improvement on the slu situation in next version.

ASUSWRT need a more powerful way to do syslog. Hence, for adventurers, I suggest migrate to syslog-ng and save log files on Entware partition. Here is a thread discussing this: https://www.snbforums.com/threads/configuring-syslog-ng-with-merlin-firmware.35095/
 
2.1.0-rc.2 will be available in 10 hours.

So far it runs really well with respect to improving the slu situation (or rather restoring back the glory of v2.0 on this aspect).

This may irrelevant here, but I am trying to compile pixelserv-tls on my own just for fun. But got the following error,

Code:
pi@retropie:~/pixelserv-tls/pixelserv-tls $ autoreconf -i
configure.ac:3: installing './compile'
configure.ac:2: installing './install-sh'
configure.ac:2: installing './missing'
Makefile.am: installing './depcomp'
pi@retropie:~/pixelserv-tls/pixelserv-tls $ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for EVP_EncryptInit in -lcrypto... no
configure: error: in `/home/pi/pixelserv-tls/pixelserv-tls':
configure: error: can't find openssl crypto lib
See `config.log' for more details

@kvic, any idea on how can I compile? I am using my raspberry pi to compile pixelserv-tls.
 
Code:
checking dependency style of gcc... gcc3
checking for EVP_EncryptInit in -lcrypto... no
configure: error: in `/home/pi/pixelserv-tls/pixelserv-tls':
configure: error: can't find openssl crypto lib
See `config.log' for more details

The hint is above error. Your Rasp Pi is missing libssl-dev package (for openssl dev library). To get it and install:
Code:
sudo apt-get install libssl-dev
 
The hint is above error. Your Rasp Pi is missing libssl-dev library. To get it and install:
Code:
sudo apt-get install libssl-dev

Thanks! I just figured it out. :)
 
Look forward to people setting up a cluster of Rasp Pi, and run one instance of pixelserv-tls on each Pi that will act as a node.

Believe me it'll be SUPER fast and a SUPERIOR browsing experience.

:D
 
New beta version 2.1.0-rc.2

Thanks again for all the GREAT test effort. Without many servstats from you, we can't spot the issue in slu. We may settle it finally in this RC!

Manage to squeeze in another new feature as well since the change is minimal. Now pixelserv-tls could run without a CA cert. Pls read kazoo.ga/pixelserv-tls for what it means and how to make use of it.

Entware (ARMv7, mipsel, ARMv8) users can use the one liner below as usual or otherwise to install.

Code:
sh -c "$(wget -qO - https://kazoo.ga/pixelserv-tls/install-beta.sh)"
Will appreciate any feedback.
 
Thnx @kvic To close the previous version off then
Code:
pixelserv-tls 2.1.0-rc.1 (compiled: Mar 19 2018 01:00:01) options: 192.168.1.2
75307 uts, 1 log, 1 kcc, 20 kmx, 2.19 kvg, 192 krq, 3033 req, 1050 avg, 21885 rmx, 36 tav, 10095 tmx, 2509 slh, 45 slm, 0 sle, 71 slc, 342 slu, 99 sct, 1637 sch, 24 scm, 0 scp, 16 sst, 740 ssh, 6 ssm, 0 ssp, 656 nfe, 1 gif, 0 ico, 735 txt, 0 jpg, 1 png, 0 swf, 20 sta, 1 stt, 14 ufe, 2 opt, 277 pst, 0 hed, 251 rdr, 0 nou, 0 pth, 0 204, 14 bad, 13 tmo, 71 cls, 591 cly, 0 clt, 0 err
 
Thank you for the new RC :)
To run without CA cert, do I have to set any flag to pixelserv-tls or its a default behaviour?
 
Thnx @kvic To close the previous version off then
Code:
pixelserv-tls 2.1.0-rc.1 (compiled: Mar 19 2018 01:00:01) options: 192.168.1.2
75307 uts, 1 log, 1 kcc, 20 kmx, 2.19 kvg, 192 krq, 3033 req, 1050 avg, 21885 rmx, 36 tav, 10095 tmx, 2509 slh, 45 slm, 0 sle, 71 slc, 342 slu, 99 sct, 1637 sch, 24 scm, 0 scp, 16 sst, 740 ssh, 6 ssm, 0 ssp, 656 nfe, 1 gif, 0 ico, 735 txt, 0 jpg, 1 png, 0 swf, 20 sta, 1 stt, 14 ufe, 2 opt, 277 pst, 0 hed, 251 rdr, 0 nou, 0 pth, 0 204, 14 bad, 13 tmo, 71 cls, 591 cly, 0 clt, 0 err

Thanks for posting update. From your rc.1 servstats, slu doesn't appear to be an issue in your environment. See if rc.2 will improve below 11% (slu/req=342/3033) while at around the same 98% HTTPS [ (slh+slu.+slm+sle+slc)/req=(2509+342+45+71)/3033 ]
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top