Run multiple SSL enabled services behind single IP on Edgerouter

Until recently I had a routed /29 on my home connection, but got “downgraded” to 2 public IPs.
Since I run multiple SSL enabled services (RDS gateway, SSTP VPN and a couple of websites, including this one), I had to figure out a way to share one address between them.
I stumbled across the reverse proxy HAProxy, which seemed perfect for the job: it can read the SNI host name from the TLS ClientHello and hand the connection to the right backend without terminating TLS itself. I COULD run it on a VM, but I'd rather run it on the Edgerouter itself.
Since the Edgerouter is based on Debian 7 (Wheezy), it's possible to install Debian packages on it.
There isn't a "native" Wheezy package for HAProxy, but the Debian "backports" system makes it possible. (Wheezy is end-of-life these days and its packages have moved to archive.debian.org, so an HAProxy installed this way gets no further security fixes; keep that in mind for a daemon that sits on the Internet-facing address.)
Basic Linux skills like editing and copying files etc are required for this.

Let's get started!
First we need to add the Wheezy and Wheezy Backports repositories to the system. This is the supported way on EdgeOS: the repositories become part of the router configuration, so don't just edit /etc/apt/sources.list by hand.

SSH into the Edgerouter
configure

set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy
set system package repository wheezy url http://http.us.debian.org/debian
set system package repository wheezy-backports components main
set system package repository wheezy-backports distribution wheezy-backports
set system package repository wheezy-backports url http://http.us.debian.org/debian

commit
save

Now we need to install HAProxy.
Become root, update the package lists and install from backports (the -t wheezy-backports is needed because apt does not take packages from backports unless asked):

sudo su -
apt-get update
apt-get -t wheezy-backports install haproxy

HAProxy reads its configuration from /etc/haproxy/haproxy.cfg; make a backup of the packaged one before changing it.

We're going to use most of the configuration found on reddit, with 2 exceptions.
In this line:
frontend ssl_relay 0.0.0.0:443
change 0.0.0.0 to the public IP address you plan to use for the incoming requests. 0.0.0.0 would make HAProxy listen on every address the router has, the LAN side and the second public IP included; binding it to the one address keeps the listener off interfaces it has no business on.

Also, in the "backend ssl_rd" section, we need to add a timeout value, since the timeout that configuration starts out with is very short, causing the RD sessions to drop every few minutes.
I tend to be logged in for pretty long, so I set it to 12 hours, so the start of the "backend ssl_rd" looks like this:

backend ssl_rd
timeout server 12h

An idle session is closed by whichever of timeout server (backend side) and timeout client (frontend side, usually set in the defaults section) expires first, so check that the client timeout is not the shorter of the two.

Of course you'll need to edit the SNI host names and backend IP addresses etc.; look around HAProxy how-tos if that's unclear. I managed to get the reddit one to work in less than half an hour of playing around.
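As an added example (it is neither the reddit configuration the post refers to nor the author's own file), here is a complete haproxy.cfg of the kind described above, written for the HAProxy 1.5 that wheezy-backports ships: one TCP-mode listener on the public address, routing on the SNI name to an RDS gateway, an SSTP server and a web server, with the long idle timeout and the log line from this post. The public IP 203.0.113.10, the example.net host names and the 192.168.1.x backend addresses are placeholders; replace them with your own.

```haproxy
global
    # syslog on facility local6; rsyslog has to route local6 to /var/log/haproxy.log
    log /dev/log local6
    user haproxy
    group haproxy
    daemon
    maxconn 2000

defaults
    log     global
    mode    tcp
    option  tcplog
    option  dontlognull
    timeout connect 5s
    # an idle session is closed by whichever of these two expires first,
    # so both have to be long for the RD sessions to survive
    timeout client  12h
    timeout server  12h

# The single public listener. TLS is NOT terminated here: HAProxy reads the
# ClientHello only as far as the SNI extension and then relays the bytes, so
# every backend keeps its own certificate and the router never sees a key.
frontend ssl_relay
    bind 203.0.113.10:443
    # hold the connection for up to 5s until a ClientHello has arrived
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    acl sni_rd    req.ssl_sni -i rdgw.example.net
    acl sni_sstp  req.ssl_sni -i vpn.example.net
    acl sni_web   req.ssl_sni -i www.example.net blog.example.net

    use_backend ssl_rd   if sni_rd
    use_backend ssl_sstp if sni_sstp
    use_backend ssl_web  if sni_web
    # no SNI at all, or an unknown name: land on the least sensitive service,
    # never on the gateway or the VPN
    default_backend ssl_web

backend ssl_rd
    timeout server 12h
    server rdgw 192.168.1.10:443 check

backend ssl_sstp
    timeout server 12h
    server sstp 192.168.1.11:443 check

backend ssl_web
    # plain web sessions do not need the long timeout
    timeout server 5m
    server web 192.168.1.20:443 check
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` before restarting the service; a syntax error otherwise leaves you with no listener at all. Because nothing is decrypted on the router, the backends see the router's LAN address as the client, not the real source IP; the haproxy log (option tcplog) is where the real source addresses end up.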

Create the new haproxy.cfg with vi.
For some reason my Edgerouter has a "funny" autoindent setting in vi, so I had to turn that off to be able to paste in the configuration:

:set noai

Paste the edited configuration, save the file.

service haproxy restart

That should be pretty much it. Make sure the firewall ruleset you have to "protect router" from the Internet (WAN_LOCAL, if you used the wizard) allows traffic to port 443, or whatever ports you plan to use with HAProxy; since HAProxy runs on the router itself this is router-local traffic, not something to port forward.
The file /var/log/haproxy.log contains the entries from HAProxy; put this line in the global section of haproxy.cfg to get them:
log /dev/log    local6
Also, make a backup of haproxy.cfg; I'm pretty sure it will get overwritten by Ubiquiti firmware updates.

Just to clarify: after updating to 1.9.1, haproxy is no longer installed, so you will have to run these steps again:
apt-get update
apt-get -t wheezy-backports install haproxy

After that, restore the haproxy.cfg and do

service haproxy restart

 
