CPE fails to authenticate to GenieACS v1.2 behind NGINX

Hi,
The CPE fails to authenticate to GenieACS v1.2 behind NGINX (as reverse proxy).
The ACS returns “Authentication failure”.
If the ACS is reached directly (not behind NGINX), it works perfectly.

My setup:

  1. NGINX (terminate SSL):
> server {
>             listen MY_IP_ADDRESS:7547 ssl;
>             server_name tr1.telenor.bg;
>             ssl_certificate_key /etc/nginx/cert.key;
>             ssl_certificate /etc/nginx/cert.crt;
>         location / {
>             proxy_ssl_session_reuse off;
>             proxy_http_version      1.1;
>             proxy_buffering         off;
>             proxy_pass_header Authorization;
>             proxy_set_header Host               $host;
>             proxy_set_header Connection          "Keep-Alive";
>             proxy_set_header X-Forwarded-User   $remote_user;
>             proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
>             proxy_pass http://127.0.0.1:7546;
>         }
>     }
  2. GenieACS configuration (no SSL):
    GENIEACS_CWMP_INTERFACE=127.0.0.1
    GENIEACS_CWMP_PORT=7546

After looking in the code I found that this check fails ( if (!s || n.nonce !== s || n.qop && (!n.cnonce || !n.nc)) ) because “s” is empty:

    async function authenticate(e, t) {
        const s = getConfigExpression(e.cacheSnapshot, "cwmp.auth");
        if (!s)
            return !0;
        let n;
        if (e.httpRequest.headers.authorization && (n = parseAuthorizationHeader(e.httpRequest.headers.authorization)),
        n && "Digest" === n.method) {
            const s = sessionsNonces.get(e.httpRequest.connection);
            if (!s || n.nonce !== s || n.qop && (!n.cnonce || !n.nc)) {
                return !1;
            }
            n.body = t
        }

Somehow e.httpRequest.connection does not exist and is dropped from the WeakMap (sessionsNonces).

Any suggestions?
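
The check quoted above looks up the nonce by connection object, so a retry that reaches the ACS on a different connection than the challenge finds nothing in the map. The following is an added example (not part of the original post and not GenieACS code) that reproduces that lookup and flags such split handshakes in constructed request records; every name except `sessionsNonces` is an assumption.

```javascript
// Added illustration, not GenieACS source. Only sessionsNonces and the shape of
// the check come from the post; every other name is hypothetical.
const sessionsNonces = new WeakMap(); // connection object -> nonce issued on it

// 401 challenge: bind the nonce to the connection it is sent on.
function challenge(conn, nonce) {
  sessionsNonces.set(conn, nonce);
  return nonce;
}

// Same three conditions as the quoted check, reported separately.
function checkDigest(conn, auth) {
  const s = sessionsNonces.get(conn);
  if (!s) return "no nonce for this connection";
  if (auth.nonce !== s) return "nonce mismatch";
  if (auth.qop && (!auth.cnonce || !auth.nc)) return "qop without cnonce/nc";
  return "ok";
}

// Challenge, then retry. reuseConnection models whether the hop in front of
// the ACS forwards the retry on the connection that carried the challenge.
function simulate(reuseConnection) {
  const first = { remotePort: 40001 }; // constructed stand-in for a socket
  const nonce = challenge(first, "constructed-nonce");
  const retry = reuseConnection ? first : { remotePort: 40002 };
  return checkDigest(retry, { nonce, qop: "auth", cnonce: "c1", nc: "00000001" });
}

// Triage over ACS-side request records (constructed fields): list each retry
// carrying Authorization that arrived on a different source port than the
// unauthenticated request before it from the same peer address.
function findSplitHandshakes(records) {
  const lastChallenge = new Map(); // peer address -> source port of last 401
  const split = [];
  for (const r of records) {
    if (!r.hasAuthorization) {
      lastChallenge.set(r.peer, r.port);
    } else if (lastChallenge.has(r.peer) && lastChallenge.get(r.peer) !== r.port) {
      split.push({ peer: r.peer, challengePort: lastChallenge.get(r.peer), retryPort: r.port });
    }
  }
  return split;
}

// Constructed sample: the hop at 127.0.0.1 opens a new connection per request.
const sample = [
  { peer: "127.0.0.1", port: 40001, hasAuthorization: false },
  { peer: "127.0.0.1", port: 40002, hasAuthorization: true },
];
```

`simulate(false)` fails on the first condition (`!s`), which is the symptom described in the post; a packet capture on the proxy-to-ACS hop shows the same thing as differing source ports between the 401 and the retry.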

I can look into it if you can send me a packet capture of the Digest authentication request and response between GenieACS and nginx.

Hi Zaid,
I forgot to mention that the “code” post is a bit different: we skip the NGINX and we use a load balancer to offload the SSL. In this case the communication is successful only without authentication. If authentication is used, the behavior is the same as the ACS behind the NGINX proxy (fails with 401 Unauthorized).

So, I’ll send you tcpdump files soon.

Thanks

Sorry for the late reply.
I found the problem that caused the problem. It was a configuration in the F5 load balancer. After some switch change in the F5, the authentication is now working fine.

Now there is another issue; it is probably not related to the ACS.

Once again, sorry for the late reply.
