CPE fails to authenticate to GenieACS v1.2 behind NGINX

The CPE fails to authenticate to GenieACS v1.2 behind NGINX (as reverse proxy).
The ACS returns “Authentication failure”.
If the ACS direct (not after NGIX) is working perfect.

My setup:

  1. NGINX (terminate SSL):
> server {
>             listen MY_IP_ADDRESS:7547 ssl;
>             server_name tr1.telenor.bg;`
>             ssl_certificate_key /etc/nginx/cert.key;
>             ssl_certificate /etc/nginx/cert.crt;
>         location / {
>             proxy_ssl_session_reuse off;
>             proxy_http_version      1.1;
>             proxy_buffering         off;
>             proxy_pass_header Authorization;
>             proxy_set_header Host               $host;
>             proxy_set_header Connection          "Keep-Alive";
>             proxy_set_header X-Forwarded-User   $remote_user;
>             proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
>             proxy_pass;
>         }
>     }
  1. GenieACS configuration (no SSL):

After looking in the code I found that this check fails ( if (!s || n.nonce !== s || n.qop && (!n.cnonce || !n.nc)) ) due to “s” is empty:

async function authenticate(e, t) {
                const s = getConfigExpression(e.cacheSnapshot, "cwmp.auth");
                if (!s)
                    return !0;
                let n;
                if (e.httpRequest.headers.authorization && (n = parseAuthorizationHeader(e.httpRequest.headers.authorization)),
                n && "Digest" === n.method) {
                    const s = sessionsNonces.get(e.httpRequest.connection);
                    if (!s || n.nonce !== s || n.qop && (!n.cnonce || !n.nc)){
                        return !1;
                    n.body = t

Some how e.httpRequest.connection is no not exist and is droped from WeakMap (sessionsNonces).

Any suggestions?

I can look into it if you can send me a packet capture of the Digest authentication request and response between GenieACS and nginx.

Hi Zaid,
I forgot to mention that the “code” post is a bit different: we skip the NGINX and we use load balancer to ofload the SSL. In this case the communication is successful only in case without authentication. If the authentication is used - the behavior is the same as ASC behind NGINX proxy (fails with 401 Unauthorized).

So, I’ll send you tcpdump files soon.


Sorry for the late replay.
I found the problem that cause the problem. It was configuration in F5 load balancer. After some switch change in F5, now the authentication is working fine.

Now there is a other issue probably it is not related to ACS.

Once again sorry for the late replay.

1 Like