Sorry for the belated reply. The fact is, bots suck a lot of bandwidth from this site. Anonymous downloads would increase the bandwidth and increase the site's outgoings. All users that want something from the site must register and prove to me and staff that they are not a bot.
Here is a development version V31, which includes the nullserv jpg, png and swf responses. Perhaps more significant is a change for the default response to be text/html - note haven't implemented nullserv's range of null text responses. Seems to function for me, but only new responses are from my test at the moment!

Code:
Jun 1 23:47:23 easyN16 daemon.info pixelserv[19515]: ./pixelserv V31 compiled: Jun 1 2013 23:40:13 from pixelserv31.c
Jun 1 23:47:23 easyN16 daemon.notice pixelserv[19517]: Listening on 192.168.10.200:80
Jun 2 00:05:28 easyN16 daemon.info pixelserv[19517]: 71 req, 0 err, 0 bad, 10 gif, 58 txt, 1 jpg, 1 png, 1 swf
Update: Seems to be working fine, thanks. Got another email from the author of nullserv with a couple of comments: He's wondering if pixelserv's source is or could be hosted on github or similar. He also mentioned that a utility called "stunnel" could potentially be used to allow pixelserv to work for redirected HTTPS URLs. stunnel appears to be available via entware, so I may give it a shot. It also appears to support both inetd/xinetd and daemon modes: https://www.stunnel.org/howto.html The latest nullserv readme has some info on using stunnel with nullserv, although this wouldn't directly translate to pixelserv running in daemon mode, as nullserv is inetd/xinetd based: https://github.com/flexiondotorg/nullserv/blob/master/README.md Edit: Info on listening on specified alternate IP (e.g. pixelserv on 192.168.1.254): https://www.stunnel.org/pipermail/stunnel-users/2007-December/001796.html
The whole pixelserv.c source and a tomato router binary are posted in the attachment above, together with a script file used to compile using a previously installed tomato toolchain. The whole development is in this thread, or over on dd-wrt forums where others have compiled for Atheros, and the simplistic inetd (no filename parsing) and external file/gif read was added (inetd mode now removed!). There is no licence, it's just an assemblage of library calls from examples elsewhere, and should compile/run on any Linux box, router or RaspberryPi etc! Intended to be as small/efficient as possible, the response is a single string pushed out in one send command. I never intend to do much with it, so if someone wants to host elsewhere fine! Will look at stunnel, it does have a daemon mode, and https ads are becoming more common. Something that answers with 'no thanks' may improve web surfing on pages with blocked ads if alternative is to wait for browser to timeout.
Nullserv's author was asking because he would like to put a link in his nullserv documentation and/or site to pixelserv for those who may be interested in it, but he feels there isn't much point when random people can't easily download pixelserv from here due to the moderation restrictions on new users. I don't know if I can find the time, but it would probably be useful to download all of the posted versions of pixelserv's source and upload them successively to a version-controlled hosting site (Github, sourceforge, or Google Code) so that people can see the version history. I got entware's stunnel working in daemon mode with pixelserv to some degree, and intend to post details sometime this week. There are two quirks that I haven't come up with a good solution for, but it's still an improvement because worst case is that the browser gets an instant answer it doesn't like versus no answer at all. I'm also not confident that I could package a standalone stunnel installation, as entware's has some dependencies (openssl and at least 2 other packages whose names I don't remember). Fortunately, it's pretty painless to get entware working via a cifs mount (or jffs partition, or USB or whatever - just loop mount to /opt and you're done!).
Posted stunnel info here: http://www.linksysinfo.org/index.ph...-and-mean-adblocking.68464/page-3#post-229120
Interesting, thanks, I set entware off to recompile everything last night - so will have all sources and binaries on my PC! You get the "invalid/corrupted" browser message if you just run pixelserv to answer on port 443 (BTDTGTTS)! Thinking about non-entware 'cut down options' there's discussion about compiling just stunnel here http://www.linksysinfo.org/index.php?threads/stunnel.32007/ But clearly Rodney managed it and standalone binaries are available on his site - but static compile is large! http://multics.minidns.net/tomato/
That will probably be large. Even the minimal binary-only install with no optional packages is a couple hundred MB I think (unless something else on my router cifs mount is taking up a lot of space). A downside of building it all from source is that you won't know if they update something. Entware is meant to be a package manager that lets you install and update packages from their package repository. I guess maybe you could periodically update your mass checkout? Yeah, I think nullserv's author mentioned the same thing. Haarp suggested trying this in his adblocker thread, and I think it may be the best option short of using stunnel because it still provides the browser with an instant response (it will just be something the browser doesn't know how to handle). Using iptables to reject with a TCP reset is probably the next-best option, but doesn't seem to be as fast as giving a real response for some reason. Of course, stunnel isn't perfect either (as I mention in the adblocker thread). Not having a CA-issued SSL certificate means that browsers won't display pixelserv data automatically through stunnel connections, and even when I get past that it seems that stunnel still serves up corrupted data some of the time.
You can get free ssl certs that work with all browsers and devices at startssl. http://www.startssl.com/ I use it for my home server share and it works great.
The Entware maintainers do a great job - "make clean all" ran to completion - but I haven't looked at anything. I did code an option to make pixelserv.c listen on a configurable port but I thought this only useful for testing so don't usually build it in - I don't think the browser message was pleasant. I'm sure there must be a simple polite "not today thanks" response to the initial request to set up the https tunnel - but we didn't find one in the thread about blocking https sites.
Thanks. I've signed up, but I can't see how to get a certificate. It wants me to verify ownership of a top-level domain first, but I just want to use it for my private LAN.
Ah, I think I remember reading somewhere they can only do top-level domains, so maybe not an option after all.
I know that v30 doesn't work with the E3000 and E4200 which I have tested before. Having tested the latest v31, it still gives me an error 'pixelsrv error' - thingy in my logs using ALL-U-NEED adblocker script on Toastman's latest 0502.7 NOCAT. Am I correct that only v27.c works in my routers? Thanks!
Yes, sorry I removed support for the interface option, expecting the script would be updated. Config changes via gui could redefine the interface and leave pixelserv non operational. In the lean mean adblock script iptables is used to be more selective as to which interface has access to the pixelserv IP, and I think that's the best place for that filtering. I could add it back but you need to kill and restart the prog in the firewall script to be sure it re-attaches to the interface (negligible size increase compared to extra null responses!)

My stats after a couple of days usage

Code:
Jun 8 12:22:57 unknown daemon.info pixelserv[19517]: 3151 req, 629 err, 3 bad, 115 gif, 2151 txt, 1 jpg, 250 png, 2 swf

Questions for anyone:-
If a web-page asks for a jpg or png does the browser really mind if a gif with correct header is returned? I have seen a browser script error which made it clear it had attempted to execute the binary gif, so guess anything possible?
Is it worth adding the different versions of null text generated by nullserv? In similar query with above, if you access a website with php extension, you don't expect a plain text source file to be sent, the php code more likely to send text/html?
Here's another test version with an attempt to reject an https ssl/tls request. I've tried a few options, all result in browsers making repeat attempts with lower levels of encryption - but hopefully conversation is quick and web pages don't wait for timeouts? Also compiled with options to select interface and port, to answer https requests either have to divert port 443 to port 80 using iptables DNAT, or run second copy of pixelserv on port 443 using

Code:
root@easy-RTN16:/tmp/var# ./pixelserv 192.168.10.200 -p 443
pixelserv[16324]: ./pixelserv V32 compiled: Jun 9 2013 19:16:14 from pixelserv32.c
...
Jun 9 19:20:02 unknown daemon.info pixelserv[16326]: 1 req, 0 err, 0 gif, 0 bad, 0 txt, 0 jpg, 0 png, 0 swf, 1 ssl
Jun 9 19:20:02 unknown daemon.info pixelserv[16310]: 3 req, 0 err, 0 gif, 0 bad, 0 txt, 0 jpg, 0 png, 0 swf, 3 ssl
Thank you, mstombs! This version seems to be working quite well on my E3000's and E4200 using Toastman's latest 0502.8 Build and running ALL-U-NEED adblock script. pixelserv 32.c loads just fine. No more errors when loading

Code:
daemon.info pixelserv[1045]: /tmp/pixelserv V32 compiled: Jun 9 2013 19:16:14 from pixelserv32.c
user.notice root: ADBLOCK: 35197 entries
user.notice root: ADBLOCK: sorting hosts...
user.notice root: ADBLOCK: hosts sorted.
user.notice root: ADBLOCK: 27971 entries
Just got the new version working in place of my previous stunnel solution. I decided to run two copies of pixelserv because I am not enough of a wizard to guess what the iptables command would be to direct SSL connections to pixelserv on port 80. Seems to work about as well as stunnel so far, with firefox saying it gets a valid certificate but that access is denied (ssl_error_access_denied_alert).
A candidate iptables command for the redirect is

Code:
iptables -t nat -A PREROUTING -i br0 -p tcp -d 192.168.66.254 --dport 443 -j DNAT --to 192.168.66.254:80

I could get various messages from Chromium and Iceweasel, by modifying the response and disabling the excellent AdblockPlus! - but have to admit have not yet used wireshark or equivalent to see what other browsers such as Internet Explorer or Mobile try to do. If interested in the details the code above optionally includes a hex_dump of the received message which matches this http://en.wikipedia.org/wiki/Transport_Layer_Security#Handshake_protocol and I have selected the Access denied response from http://en.wikipedia.org/wiki/Transport_Layer_Security#Alert_protocol
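
The reply discussed in the posts above (recognise the browser's TLS ClientHello and answer with a fatal access_denied alert instead of HTTP), as an added example that is not part of the thread and is not pixelserv's own code. The function names and sample bytes are constructed for illustration, and echoing the client's record version in the alert is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from the TLS record, handshake and alert protocols. */
enum { REC_ALERT = 0x15, REC_HANDSHAKE = 0x16, HS_CLIENT_HELLO = 0x01,
       ALERT_FATAL = 2, ALERT_ACCESS_DENIED = 49, ALERT_RECORD_LEN = 7 };

/* Constructed samples: start of a ClientHello record, and a plain HTTP request. */
static const uint8_t SAMPLE_HELLO[] = { 0x16, 0x03, 0x01, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b };
static const uint8_t SAMPLE_HTTP[]  = "GET /ad.gif HTTP/1.1\r\n";

/* Return 1 if buf begins with a handshake record carrying a ClientHello. */
int is_tls_client_hello(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 6)
        return 0;                       /* need record header + handshake type */
    if (buf[0] != REC_HANDSHAKE || buf[1] != 0x03)
        return 0;                       /* not SSLv3/TLS handshake framing */
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len < 4 || rec_len > 16384)
        return 0;                       /* implausible plaintext record length */
    return buf[5] == HS_CLIENT_HELLO;
}

/* Write a fatal access_denied alert record into out. Returns bytes written,
 * or 0 if req is not a ClientHello or out is too small.
 * Assumption: the alert echoes the record version the client sent. */
size_t build_access_denied_alert(const uint8_t *req, size_t req_len,
                                 uint8_t *out, size_t out_cap)
{
    if (out == NULL || out_cap < ALERT_RECORD_LEN || !is_tls_client_hello(req, req_len))
        return 0;
    out[0] = REC_ALERT;
    out[1] = req[1];                    /* version major */
    out[2] = req[2];                    /* version minor */
    out[3] = 0x00; out[4] = 0x02;       /* alert body is two bytes */
    out[5] = ALERT_FATAL;
    out[6] = ALERT_ACCESS_DENIED;
    return ALERT_RECORD_LEN;
}

int main(void)
{
    uint8_t out[ALERT_RECORD_LEN];
    size_t n = build_access_denied_alert(SAMPLE_HELLO, sizeof SAMPLE_HELLO, out, sizeof out);
    for (size_t i = 0; i < n; i++)
        printf("%02x ", out[i]);        /* the whole reply fits in one send() */
    printf("\n");
    return is_tls_client_hello(SAMPLE_HTTP, sizeof SAMPLE_HTTP - 1); /* plain HTTP is not TLS */
}
```

A server that shares one listener between the DNAT-redirected port 443 traffic and ordinary port 80 requests can use the first check to pick the reply type per connection.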