# pixelserv-tls

**Repository Path**: oldrivers/pixelserv-tls

## Basic Information

- **Project Name**: pixelserv-tls
- **Description**: Tiny web server for sending empty responses to advertisement and tracking requests.
- **Primary Language**: C
- **License**: LGPL-3.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2020-09-15
- **Last Updated**: 2020-12-19

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

## pixelserv-tls

_pixelserv-tls_ is a fork of pixelserv, the tiny webserver that responds to all requests with "nothing", with added support for HTTPS. It is particularly useful for whitelisting hosts on troubled websites and for mining "big data" on adservers and trackers.

Certificates for adserver domains are generated automatically in real time upon first request. All requests to adservers are optionally written to syslogd. The stats in text format are preserved, good for command line parsing. The same stats in HTML format are revamped to be more legible.

### Prepare your Root CA cert

_pixelserv-tls_ requires a Root CA cert to run. Assuming OpenSSL is already installed on your system, execute the following statements in a command shell:

* `cd /opt/var/cache/pixelserv`
* `openssl genrsa -out ca.key 1024`
* `openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"`

These create a 1024-bit CA cert with Common Name "Pixelserv CA" in `/opt/var/cache/pixelserv`.

### Import ca.crt into Clients

Note that installation of `ca.crt` on the client OS is not mandatory but recommended. Clients without `ca.crt` will interact smoothly with pixelserv-tls.

#### iOS

There are multiple ways to get it done. The simplest is to email yourself `ca.crt`. On your iOS device, click on the attachment and follow the instructions. Here is a [guide by IBM] that provides a bit more detail.

#### Android

Email yourself the CA cert as an attachment.
Double click on the attachment and follow the on-screen instructions to import the certificate. I found that this way the CA cert is imported into the "User" category instead of the "System" category. That's no problem, as the CA cert is still properly recognized. If people insist on importing into "System" certificates, try this [Android guide].

#### MacOS

In Terminal, type

* `sudo security add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain ca.crt`

Note: since OS X El Capitan, System Integrity Protection needs to be disabled first. Reboot, then run the above command line. System Integrity Protection can be enabled afterward. Here is a [SIP tutorial] to disable/enable System Integrity Protection. Unfortunately, `ca.crt` needs to be re-added after every OS update.

#### Windows

Chrome/IE/Edge use Root CA certs from the Windows system-wide repository. Follow this [Windows guide] carefully to add `ca.crt` into the system-wide Root CAs.

Firefox manages its own repository of Root CAs. Follow this [Firefox guide] only if you also run Firefox.

### Launch pixelserv-tls

A few examples of launching _pixelserv-tls_:

* `pixelserv-tls 192.168.1.1`
* `pixelserv-tls 192.168.1.1 -p 80 -p 8080 -k 443 -k 2443 -u admin`

The first example runs pixelserv as `nobody` with non-root privilege. It listens on port 80 for HTTP and 443 for HTTPS.

The second example additionally listens on 8080 for HTTP and 2443 for HTTPS, and runs as `admin`, the root account in ASUSWRT.

### Binaries

pixelserv-tls is now (circa April 2016) available on Entware-NG. Use `opkg install pixelserv-tls` to install on supported platforms including Asuswrt/Merlin. Going forward, binaries for Asuswrt/Merlin in the Releases section will be provided only on request.

### New command line switches

```
$ pixelserv-tls --help
Usage:pixelserv-tls
	ip_addr/hostname (all if omitted)
	-2 (disable HTTP 204 reply to generate_204 URLs)
	-f (stay in foreground - don't daemonize)
	-k https_port (443 if omitted)
	-l (log access to syslog)
	-n i/f (all interfaces if omitted)
	-o select_timeout (10 seconds)
	-p http_port (80 if omitted)
	-r (deprecated - ignored)
	-R (disable redirect to encoded path in tracker links)
	-s /relative_stats_html_URL (/servstats if omitted)
	-t /relative_stats_txt_URL (/servstats.txt if omitted)
	-u user ("nobody" if omitted)
	-z path_to_https_certs (/opt/var/cache/pixelserv if omitted)
```

`-k`, `-l` and `-z` are new options.

`-k` specifies one HTTPS port; use it multiple times for more ports.

`-l` logs all ad requests to syslogd. If it is not specified on the command line, there is no logging, which is the default. Access logging can generate lots of data. Use it only when troubleshooting a browsing issue, or when you have a more capable syslog on your router (e.g. syslog-ng + logrotate from Entware).

`-z` specifies the path to certs storage. Each ad domain and its sub-domains will require one wildcard cert. Generated certs are stored there and re-used.

### Stats

Stats are viewable by default at http://pixelservip/servstats.txt (for raw text format) or http://pixelservip/servstats (for HTML format), where pixelservip is the IP address that pixelserv is listening on.


| Mnemonics | Example | Explanation |
| --- | --- | --- |
| uts | 2d 17:50 | pixelserv uptime |
| log | 1 | logging access to syslog (0=disabled 1=enabled) |
| req | 18122 | total # of requests (HTTP, HTTPS, success, failure etc) |
| avg | 514 bytes | average length of request URL |
| rmx | 25965 bytes | maximum length of request URL |
| tav | 12 ms | average processing time (per request) |
| tmx | 17036 ms | maximum processing time (per request) |
| slh | 8824 | # of accepted HTTPS requests |
| slm | 5 | # of rejected HTTPS requests (missing certificate) |
| sle | 0 | # of rejected HTTPS requests (certificate available but bad) |
| slu | 14 | # of dropped HTTPS requests (unknown error) |
| nfe | 3830 | # of GET requests for server-side scripting |
| gif | 165 | # of GET requests for GIF |
| ico | 0 | # of GET requests for ICO |
| txt | 7895 | # of GET requests for Javascripts |
| jpg | 9 | # of GET requests for JPG |
| png | 6 | # of GET requests for PNG |
| swf | 0 | # of GET requests for SWF |
| sta | 7 | # of GET requests for HTML stats |
| stt | 0 | # of GET requests for plain text stats |
| ufe | 956 | # of GET requests /w unknown file extension |
| rdr | 799 | # of GET requests resulted in REDIRECT response |
| nou | 1 | # of GET requests /w empty URL |
| pth | 0 | # of GET requests /w malformed URL |
| 204 | 0 | # of GET requests (HTTP 204 response) |
| pst | 588 | # of POST requests (HTTP 501 response) |
| hed | 7 | # of HEAD requests (HTTP 501 response) |
| bad | 1 | # of unknown HTTP requests (HTTP 501 response) |
| err | 0 | # of dropped requests (failed to accept client connection) |
| tmo | 1030 | # of dropped requests (client timeout before connection accepted) |
| cls | 2828 | # of dropped requests (client disconnect before connection accepted) |
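
The text stats lend themselves to a small health check on the HTTPS counters (`slh`, `slm`, `sle`, `slu`). The script below is an added example, not part of pixelserv-tls; it assumes the text output is a single line of comma-separated `value mnemonic` pairs, and the function names, sample line and threshold are hypothetical.

```shell
#!/bin/sh
# Constructed sample: counters taken from the Example column of the table,
# laid out in the ASSUMED "value mnemonic, value mnemonic, ..." text format.
SAMPLE_STATS='18122 req, 8824 slh, 5 slm, 0 sle, 14 slu, 1030 tmo, 2828 cls'

# stat_get MNEMONIC STATS -> prints the counter, or 0 if absent.
# Only all-digit values are accepted, so nothing unexpected from the
# stats text ever reaches shell arithmetic.
stat_get() {
    printf '%s\n' "$2" | tr ',' '\n' | awk -v key="$1" '
        $NF == key && $1 ~ /^[0-9]+$/ { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# tls_reject_permille STATS -> rejected or dropped HTTPS requests per 1000.
tls_reject_permille() {
    slh=$(stat_get slh "$1"); slm=$(stat_get slm "$1")
    sle=$(stat_get sle "$1"); slu=$(stat_get slu "$1")
    bad=$((slm + sle + slu))
    total=$((slh + bad))
    [ "$total" -gt 0 ] || { echo 0; return; }
    echo $((bad * 1000 / total))
}

# check_tls_health STATS MAX_PERMILLE -> status 0 if healthy, 1 otherwise.
# Example policy: any "sle" (certificate available but bad) is flagged
# outright, since it points at a damaged entry in the cert store (-z path).
check_tls_health() {
    [ "$(stat_get sle "$1")" -eq 0 ] || { echo "bad cert in cert store"; return 1; }
    rate=$(tls_reject_permille "$1")
    [ "$rate" -le "$2" ] || { echo "HTTPS reject rate ${rate}/1000"; return 1; }
    echo "ok ${rate}/1000"
}

# Live use, with the URL form given in the Stats section:
#   check_tls_health "$(curl -s http://pixelservip/servstats.txt)" 10
check_tls_health "$SAMPLE_STATS" 10
```

A rising `slm` count usually means certificates are not being generated, for instance because the cert directory is not writable by the user pixelserv-tls runs as.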