GenieACS Auth Config - genieacs/genieacs GitHub Wiki
auth.js is the authentication configuration file and is stored in /path_to_genieacs/config/. The same folder also contains auth-sample.js, a backup copy of the main (default) config.
Authentication works in both directions: from CPE to ACS and, vice versa, from ACS to CPE. Within the `InternetGatewayDevice.ManagementServer.` object there are two pairs of authentication parameters defined. The first pair is presented by the CPE to the ACS:

- InternetGatewayDevice.ManagementServer.Username
- InternetGatewayDevice.ManagementServer.Password
Currently, authentication on the ACS side (from CPE to ACS) is not implemented yet: GenieACS accepts any incoming connection via HTTP/HTTPS and responds to it. This feature will be implemented in the (near) future. A workaround is to use nginx for authentication from the CPE to the ACS side.
Go to the Admin tab, then click Config in the right sidebar. Add a new config `cwmp.auth` with the value `AUTH("acs-username", "acs-password")`. Change `acs-username` and `acs-password` accordingly.
With this workaround only username/password authentication is possible; the device ID is not checked! The GenieACS services are bound to the local interface "127.0.0.1". To use HTTPS for file downloads, "FS_SSL" must be set to true so that the download request is sent to the CPE with an HTTPS URL.
Edit genieacs/config/config.json:

```json
{
  "MONGODB_CONNECTION_URL" : "mongodb://127.0.0.1/genieacs",
  "REDIS_PORT" : "6379",
  "REDIS_HOST" : "127.0.0.1",
  "CWMP_INTERFACE" : "127.0.0.1",
  "CWMP_PORT" : 7547,
  "NBI_INTERFACE" : "127.0.0.1",
  "NBI_PORT" : 7557,
  "FS_INTERFACE" : "127.0.0.1",
  "FS_PORT" : 7567,
  "FS_HOSTNAME" : "tr069.tdt.de",
  "FS_SSL" : true,
  "LOG_INFORMS" : true,
  "DEBUG" : false
}
```
Bind genieacs-gui to the local interface and port:

```sh
./genieacs-gui-trunk/bin/rails s -p 8080 -b 127.0.0.1
```
On the same server we have to install nginx (Debian):

```sh
sudo apt-get install nginx                                                             # install nginx
touch /etc/nginx/sites-available/tr069.tdt.de                                          # add new nginx config
ln -s /etc/nginx/sites-available/tr069.tdt.de /etc/nginx/sites-enabled/tr069.tdt.de   # enable config
```
Redirect all HTTP GUI requests to the HTTPS GUI:

```nginx
server {
    listen 80;
    server_name example.de;
    return 301 https://$server_name$request_uri;
}
```

Redirect all GUI requests to the local GUI service:

```nginx
server {
    listen 10.1.4.17:443;
    server_name example.de;
    ssl on;   # deprecated since nginx 1.15; newer versions use "listen 10.1.4.17:443 ssl;" instead
    ssl_certificate_key /home/tr069/genieacs/genieacs-trunk/config/acs_key.pem;
    ssl_certificate /home/tr069/genieacs/genieacs-trunk/config/acs_cert.pem;
    access_log /var/log/nginx/example.de.cwmp.gui.log combined;
    error_log /var/log/nginx/example.cwmp.gui.log;
    client_max_body_size 50M;
    location / {
        proxy_pass http://127.0.0.1:8080;
        #proxy_http_version 1.1;
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_set_header Connection 'upgrade';
        #proxy_set_header Host $host;
        #proxy_cache_bypass $http_upgrade;
    }
}
```

Redirect all NBI requests to the local NBI service:

```nginx
server {
    listen 10.1.4.17:7557;
    server_name example.de;
    ssl on;   # deprecated since nginx 1.15; newer versions use "listen 10.1.4.17:7557 ssl;" instead
    ssl_certificate_key /home/tr069/genieacs/genieacs-trunk/config/acs_key.pem;
    ssl_certificate /home/tr069/genieacs/genieacs-trunk/config/acs_cert.pem;
    access_log /var/log/nginx/example.de.nbi.log combined;
    error_log /var/log/nginx/example.de.nbi.log;
    location / {
        proxy_pass http://127.0.0.1:7557;
        #proxy_http_version 1.1;
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_set_header Connection 'upgrade';
        #proxy_set_header Host $host;
        #proxy_cache_bypass $http_upgrade;
        proxy_set_header Authorization "";   # strip the Basic credentials so they are not forwarded to GenieACS
        auth_basic "Restricted";             # client must present a username/password from ms-htpasswd
        auth_basic_user_file /etc/nginx/ms-htpasswd;
    }
}
```

Redirect all CWMP requests to the local CWMP service:

```nginx
server {
    listen 10.1.4.17:7547;
    server_name example.de;
    ssl on;   # deprecated since nginx 1.15; newer versions use "listen 10.1.4.17:7547 ssl;" instead
    ssl_certificate_key /home/tr069/genieacs/genieacs-trunk/config/acs_key.pem;
    ssl_certificate /home/tr069/genieacs/genieacs-trunk/config/acs_cert.pem;
    access_log /var/log/nginx/example.de.cwmp.log combined;
    error_log /var/log/nginx/example.de.cwmp.log;
    location / {
        proxy_pass http://127.0.0.1:7547;
        #proxy_http_version 1.1;
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_set_header Connection 'upgrade';
        #proxy_set_header Host $host;
        #proxy_cache_bypass $http_upgrade;
        proxy_set_header Authorization "";   # strip the Basic credentials so they are not forwarded to GenieACS
        auth_basic "Restricted";             # the CPE must present a username/password from ms-htpasswd
        auth_basic_user_file /etc/nginx/ms-htpasswd;
    }
}
```

Redirect all FS requests to the local FS service:

```nginx
server {
    listen 10.1.4.17:7567;
    server_name example.de;
    ssl on;   # deprecated since nginx 1.15; newer versions use "listen 10.1.4.17:7567 ssl;" instead
    ssl_certificate_key /home/tr069/genieacs/genieacs-trunk/config/acs_key.pem;
    ssl_certificate /home/tr069/genieacs/genieacs-trunk/config/acs_cert.pem;
    access_log /var/log/nginx/example.de.fs.log combined;
    error_log /var/log/nginx/example.de.fs.log;
    location / {
        proxy_pass https://127.0.0.1:7567;   # https because FS_SSL is true in config.json
        #proxy_http_version 1.1;
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_set_header Connection 'upgrade';
        #proxy_set_header Host $host;
        #proxy_cache_bypass $http_upgrade;
        proxy_set_header Authorization "";   # strip the Basic credentials so they are not forwarded to GenieACS
        auth_basic "Restricted";             # the CPE must present a username/password from ms-htpasswd
        auth_basic_user_file /etc/nginx/ms-htpasswd;
    }
}
```
Create links for the cert and key file:

```sh
cd genieacs-trunk/config/
ln -s acs_key.pem fs.key
ln -s acs_cert.pem fs.crt
```
Create /etc/nginx/ms-htpasswd in the htpasswd format expected by nginx's auth_basic_user_file.
The second pair is used by the ACS when it sends a connection request to the CPE:

- InternetGatewayDevice.ManagementServer.ConnectionRequestUsername
- InternetGatewayDevice.ManagementServer.ConnectionRequestPassword

The configuration file auth.js is used for ACS to CPE connection request authentication. By default, the deviceId is used as the username:

```javascript
// Default: use the stored username (falling back to the deviceId) and the
// stored password (falling back to an empty string).
function connectionRequest(deviceId, url, username, password, callback) {
  return callback(username || deviceId, password || "");
}

exports.connectionRequest = connectionRequest;
```
After defining a pair of credentials this file should look like:

```javascript
"use strict";

function connectionRequest(deviceId, url, username, password, callback) {
  return callback('someUsername', 'somePassword');
}

exports.connectionRequest = connectionRequest;
```
In the default implementation you can only put a single pair of fixed credentials into it, but since it is a JavaScript file you are free to implement any logic you need to provide the passwords.
After making changes to the config/auth.js file, it is necessary to restart the NBI.