Good and easy solution to GenieACS with HTTPS

We have been working on an approach to deploying GenieACS automatically for some time with Ansible now and have come to realize that a lot of people face the issue with using GenieACS and also wanting HTTPS.

So yeah, let me introduce you to Caddy: https://caddyserver.com/
It will automagically negotiate your certs (and renew them), it will make you coffee, it's written in Go, is 11 MB and also takes care of rewrites and all that good stuff you have been relying on nginx for.

A basic setup goes like this.

  1. Ubuntu server with GenieACS installed
  2. Correctly set up DNS pointing to the server IP (so SSL certs can be set up, etc.)
  3. ufw blocking all ports except for 80, 443 (maybe allow SSH if you need it)
  4. Caddy installed (Caddy install instructions)
  5. Caddy runs and listens on those two ports.
  6. Give Caddy about 5-10 minutes to get all those nice certs in order.
  7. Optional, a reboot. (Not actually sure if this is even needed, sorry.)

The configs look something like this.

/etc/caddy/Caddyfile

{
    acme_ca https://acme.zerossl.com/v2/DV90
    email   ketil@ourdomain.com
}

import domains/*

/etc/caddy/domains/customer-01-gacs01

http://customer-01-gacs01.ourdomain.com {
  reverse_proxy localhost:7547
}

/etc/caddy/domains/ui.customer-01-gacs01

https://ui.customer-01-gacs01.ourdomain.com {
  reverse_proxy localhost:3000
}

And that's basically it.

Requests coming in to http://customer-01-gacs01.ourdomain.com will be redirected to localhost:7547 where GenieACS CWMP is listening.

Requests coming into https://ui.customer-01-gacs01.ourdomain.com will be redirected to localhost:3000 where the UI is waiting for someone to log in.

In case your CPE devices can speak CWMP over HTTPS (not all can, ofc), then you simply change the code in the domains file pointing to the CWMP port so it says https instead of http.

This has been a headache for a while it feels like, and this might help out with getting an update to the HTTPS — GenieACS Documentation 1.2.5 documentation page, so it no longer just says TODO :slight_smile:

All the best
Ketil

PS. I will check in and see if I have managed to oversimplify the setup so much that people end up not being able to get it to work, but I hope this is enough.

1 Like
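One variant of the CWMP domains file for a mixed fleet, where some CPEs can do CWMP over HTTPS and others only plain HTTP. This is an added example, not part of the original post or the GenieACS project; the hostname and ports are the placeholders from the post above.

```caddyfile
# /etc/caddy/domains/customer-01-gacs01 (added example, not from the post)
#
# Listing both schemes explicitly on one site block makes Caddy serve the
# CWMP endpoint on 80 and 443 at the same time. A bare hostname without a
# scheme would instead answer plain HTTP with a redirect to HTTPS, which a
# CPE that only speaks CWMP over HTTP cannot follow, so its sessions would
# silently stop reaching GenieACS.
http://customer-01-gacs01.ourdomain.com, https://customer-01-gacs01.ourdomain.com {
  # GenieACS CWMP stays bound to localhost; only Caddy is exposed (ufw
  # already blocks 7547 from the outside in the setup described above).
  reverse_proxy localhost:7547
}
```

Once every CPE in the fleet has been confirmed to work over HTTPS, drop the `http://` address from the block so plain-HTTP CWMP is no longer accepted.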
  • I am not associated with the caddyserver project in any way, just found a great solution :slight_smile:
1 Like

Does caddy support TLS client auth? Does it report authenticated client cert identifiers (subject name) to the upstream server?