Run pixelserv-tls on EdgeRouter-X

This article introduces a Debian package of pixelserv-tls for the ER-X, which as of firmware v1.10.0 runs a variant of Debian Wheezy. The ER-X has four logical cores, which is a huge advantage: pixelserv-tls can make use of as many cores as you throw at it.

I believe the package can also be installed on other Debian Wheezy (mipsel) systems. The package has not been tested on Debian Jessie, which will be the baseline for EdgeOS v2.

Installation

pixelserv-tls for ER-X is made available as a Debian package. Hence, installation and removal are easy. Steps to install:

$ sudo -i
$ cd /tmp
$ curl -O https://raw.githubusercontent.com/kvic-z/goodies-edgemax/master/pixelserv-tls_2.0.1-1_mipsel.deb
$ dpkg -i pixelserv-tls_2.0.1-1_mipsel.deb

The dpkg command will install the following files:

/usr/bin/pixelserv-tls
/usr/share/man/man1/pixelserv-tls.1.gz
/usr/share/doc/pixelserv-tls/
/usr/share/doc/pixelserv-tls/changelog.gz
/usr/share/doc/pixelserv-tls/README.md
/usr/share/doc/pixelserv-tls/changelog.Debian.gz
/usr/share/doc/pixelserv-tls/copyright
/etc/default/pixelserv-tls
/etc/init.d/pixelserv-tls
/var/cache/pixelserv

Move EdgeOS GUI to other ports

pixelserv-tls requires ports 80 and 443. By default ER-X's web GUI runs on these two ports. We have to migrate the GUI to other ports, e.g. 8080 and 8081 for HTTP and HTTPS respectively:

configure  
set service gui http-port 8080  
set service gui https-port 8081  
commit; save; exit  

Bind pixelserv-tls to one interface

By default pixelserv-tls binds to all interfaces. To change this behaviour, specify the single IP address that pixelserv-tls should listen on. Edit /etc/default/pixelserv-tls:

# Configuration file for pixelserv-tls

# Options to pass to pixelserv-tls:
DAEMON_ARGS="192.168.1.10 -z /var/cache/pixelserv"  

Restart pixelserv-tls for the change to take effect:

$ service pixelserv-tls restart

In this example, 192.168.1.10 is the LAN IP on the ER-X switch. Other options for DAEMON_ARGS can be found here.
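
One way to confirm the binding after the restart, as an added example that is not part of the original article: the function below reads `netstat -ltn` output and reports every listener on port 80 or 443 that is not on the address given in DAEMON_ARGS. The function name, the two sample listings (constructed) and the availability of netstat on the router are assumptions.

```shell
#!/bin/sh
# Added example: flag port 80/443 listeners bound anywhere other than the
# intended address. Input: `netstat -ltn` output on stdin.
# $1: the address set in DAEMON_ARGS (192.168.1.10 in this article).
# Prints each offending "address:port"; returns 1 if any is found, else 0.
check_bind() {
    awk -v want="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")      # handles 0.0.0.0:80 and :::80
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((port == "80" || port == "443") && addr != want) {
                print addr ":" port
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: default DAEMON_ARGS, pixelserv-tls on all interfaces,
# GUI already moved to 8080/8081.
SAMPLE_WILDCARD='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN'

# Constructed sample: after setting the LAN address in DAEMON_ARGS.
SAMPLE_BOUND='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:443        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_WILDCARD" | check_bind 192.168.1.10 \
    || echo "ports 80/443 are reachable on more than the LAN address"
printf '%s\n' "$SAMPLE_BOUND" | check_bind 192.168.1.10 \
    && echo "ports 80/443 are bound to 192.168.1.10 only"

# Live use on the router (assumes netstat is installed):
#   netstat -ltn | check_bind 192.168.1.10
```

The ports 8080 and 8081 used by the relocated GUI are deliberately not checked; only the two pixelserv-tls ports are.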

Generate the CA certificate

If this is your first time running pixelserv-tls, you need to generate a root CA certificate. The instructions are available here. They are repeated below, slightly adapted for ER-X:

$ cd /var/cache/pixelserv
$ openssl genrsa -out ca.key 1024
$ openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"

This will generate two files, ca.crt and ca.key. The certificate is good for ten years. Don't forget to restart pixelserv-tls for the new certificate to take effect.

It's a good idea to back up both ca.crt and ca.key in /config on ER-X as well as offline. This will save you much hassle in the future. Now start importing the CA certificate to your devices. Also read the wiki and get familiar with pixelserv-tls.

Attention on firmware upgrade

As with any add-on package, you have to re-install pixelserv-tls after a firmware upgrade. Restore ca.crt and ca.key from backup to /var/cache/pixelserv.

There is no need to worry about the other certificates in /var/cache/pixelserv. They are automatically generated by pixelserv-tls and will be generated again if missing.

Uninstall

To completely remove pixelserv-tls:

$ sudo -i
$ dpkg --purge pixelserv-tls
$ rm -rf /var/cache/pixelserv

Author

Stephen Yip
