This article introduces a Debian package of pixelserv-tls for the ER-X, which as of firmware v1.10.0 runs a variant of Debian Wheezy. The ER-X has four logical cores, which is a huge advantage: pixelserv-tls can make use of as many cores as you throw at it.
I believe the package can also be installed on other Debian Wheezy (mipsel) systems. The package has not been tested on Debian Jessie which will be the baseline for EdgeOS v2.
pixelserv-tls for ER-X is made available as a Debian package. Hence, installation and removal are easy. Steps to install:
$ sudo -i
$ cd /tmp
$ curl -O https://raw.githubusercontent.com/kvic-z/goodies-edgemax/master/pixelserv-tls_2.0.1-1_mipsel.deb
$ dpkg -i pixelserv-tls_2.0.1-1_mipsel.deb
The dpkg command installs the following files:
/usr/bin/pixelserv-tls
/usr/share/man/man1/pixelserv-tls.1.gz
/usr/share/doc/pixelserv-tls/
/usr/share/doc/pixelserv-tls/changelog.gz
/usr/share/doc/pixelserv-tls/README.md
/usr/share/doc/pixelserv-tls/changelog.Debian.gz
/usr/share/doc/pixelserv-tls/copyright
/etc/default/pixelserv-tls
/etc/init.d/pixelserv-tls
/var/cache/pixelserv
Move EdgeOS GUI to other ports
pixelserv-tls requires ports 80 and 443. By default ER-X's web GUI runs on these two ports. We have to migrate the GUI to other ports, e.g. 8080 and 8081 for HTTP and HTTPS respectively:
configure
set service gui http-port 8080
set service gui https-port 8081
commit; save; exit
Bind pixelserv-tls to one interface
By default pixelserv-tls binds to all interfaces. To change this behaviour, specify the IP address that pixelserv-tls should listen on. Edit /etc/default/pixelserv-tls:
# Configuration file for pixelserv-tls
# Options to pass to pixelserv-tls:
DAEMON_ARGS="192.168.1.10 -z /var/cache/pixelserv"
Restart pixelserv-tls for the change to take effect:
$ service pixelserv-tls restart
In this example, 192.168.1.10 is the LAN IP on the ER-X switch. Other options for DAEMON_ARGS can be found here.
Generate the CA certificate
If it's your first time running pixelserv-tls, you need to generate a root CA certificate. The instructions are available here. They are repeated below, slightly adapted for ER-X:
$ cd /var/cache/pixelserv
$ openssl genrsa -out ca.key 1024
$ openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"
This will generate two files, ca.crt and ca.key. The certificate is good for ten years. Don't forget to restart pixelserv-tls for it to take effect.
It's a good idea to back up both files to /config on ER-X as well as offline. This will save you much hassle in future. Now start importing the CA certificate to your devices. Also read the wiki and get familiar with pixelserv-tls.
Attention on firmware upgrade
Like any add-on package, pixelserv-tls has to be re-installed after a firmware upgrade. Restore ca.crt and ca.key from backup to /var/cache/pixelserv.
There is no need to worry about the other certificates in /var/cache/pixelserv. They are generated automatically by pixelserv-tls and will be generated again if missing.
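A check worth running after generating the CA pair, and again after restoring it following a firmware upgrade: confirm that ca.key and ca.crt belong together, that the certificate is marked as a CA and not about to expire, and that the key is not world-readable. This is an added example, not part of the pixelserv-tls package; the function name check_pixelserv_ca is hypothetical, and it assumes the file names and directory used above plus GNU or busybox stat.

```shell
#!/bin/sh
# Added example (not from the pixelserv-tls project): sanity-check the CA pair
# after generating it or restoring it from backup. check_pixelserv_ca is a
# hypothetical helper name; the default directory is the one used on this page.
check_pixelserv_ca() {
    dir="${1:-/var/cache/pixelserv}"
    crt="$dir/ca.crt"; key="$dir/ca.key"; status=0

    for f in "$crt" "$key"; do
        [ -s "$f" ] || { echo "FAIL: $f is missing or empty"; return 2; }
    done

    # Every device that imports ca.crt trusts whatever ca.key signs, so the
    # key should not be accessible to other users on the router.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        *0) echo "ok:   ca.key mode is $mode" ;;
        *)  echo "FAIL: ca.key mode is $mode (world-accessible), run: chmod o-rwx $key"
            status=1 ;;
    esac

    # The key and certificate must be a pair: their RSA moduli have to match.
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
    if [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]; then
        hex=${kmod#Modulus=}
        echo "ok:   ca.key matches ca.crt (RSA $(( ${#hex} * 4 )) bits)"
    else
        echo "FAIL: ca.key does not match ca.crt"; status=1
    fi

    # -extensions v3_ca should have marked the certificate as a CA.
    if openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "ok:   ca.crt has basicConstraints CA:TRUE"
    else
        echo "FAIL: ca.crt is not marked as a CA"; status=1
    fi

    # Flag a certificate that is expired or expires within the next 30 days.
    if openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "ok:   ca.crt is valid for at least 30 more days"
    else
        echo "FAIL: ca.crt is expired or expires within 30 days"; status=1
    fi
    return "$status"
}
# Usage: check_pixelserv_ca /var/cache/pixelserv
```

The function returns 0 when every check passes, 1 when any check fails, and 2 when a file is missing, so it can also be called from a post-upgrade restore script.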
To completely remove pixelserv-tls:
$ sudo -i
$ dpkg --purge pixelserv-tls
$ rm -rf /var/cache/pixelserv