Good and easy solution to GenieACS with HTTPS

We have been working on an approach to deploying GenieACS automatically with Ansible for some time now and have come to realize that a lot of people face the issue of using GenieACS and also wanting HTTPS.

So yeah, let me introduce you to Caddy: https://caddyserver.com/
It will automagically negotiate your certs (and renew them), it will make you coffee, it's written in Go, is 11 MB and also takes care of rewrites and all that good stuff you have been relying on Nginx for.

A basic setup goes like this.

  1. Ubuntu server with GenieACS installed.
  2. Correctly set up DNS pointing to the server IP (so SSL certs can be set up etc.).
  3. ufw blocking all ports except for 80 and 443 (maybe allow SSH if you need it).
  4. Caddy installed (see the Caddy install instructions).
  5. Caddy runs and listens on those two ports.
  6. Give Caddy about 5-10 minutes to get all those nice certs in order.
  7. Optional, a reboot (not actually sure if this is even needed, sorry). The configs look something like this.

/etc/caddy/Caddyfile

{
    acme_ca https://acme.zerossl.com/v2/DV90
    email   ketil@ourdomain.com
}

import domains/*

/etc/caddy/domains/customer-01-gacs01

http://customer-01-gacs01.ourdomain.com {
  reverse_proxy localhost:7547
}

/etc/caddy/domains/ui.customer-01-gacs01

https://ui.customer-01-gacs01.ourdomain.com {
  reverse_proxy localhost:3000
}

And that's basically it.

Requests coming in to http://customer-01-gacs01.ourdomain.com will be redirected to localhost:7547, where GenieACS CWMP is listening.

Requests coming in to https://ui.customer-01-gacs01.ourdomain.com will be redirected to localhost:3000, where the UI is waiting for someone to log in.

In case your CPE devices can speak CWMP over HTTPS (not all can, of course), then you simply change the code in the domains file pointing to the CWMP port so it says https instead of http.

This has been a headache for a while, it feels like, and this might help out with getting an update to the HTTPS — GenieACS Documentation 1.2.5 documentation page, so it no longer just says TODO :slight_smile:

All the best
Ketil

PS. I will check in and see if I have managed to oversimplify the setup so much that people end up not being able to get it to work, but I hope this is enough.

1 Like
  • I am not associated with the caddyserver project in any way, just found a great solution :slight_smile:
1 Like

Does caddy support TLS client auth? Does it report authenticated client cert identifiers (subject name) to the upstream server?

Hi Ketil,

When a local or remote PC is trying to access the same server for different services, one being CWMP and the other the GenieACS server UI, I can understand the configuration is trying to identify which service is which:

  1. http://customer-01-gacs01.ourdomain.com {
       reverse_proxy localhost:7547
     }
  2. https://ui.customer-01-gacs01.ourdomain.com {
       reverse_proxy localhost:3000
     }

For the PC, it would first resolve the IP address of the server, which I guess you might set up manually so that both “customer-01-gacs01.ourdomain.com” and “ui.customer-01-gacs01.ourdomain.com” are the same IP address, but when the http/https request reaches the actual server it's just an IP address, right?
How is Caddy able to distinguish which service the request is for?
I can set up an IP address instead of a domain name,
for example “192.168.200.3” (which is the server's IP) to replace “ui.customer-01-gacs01”, but I don't know how to set up HTTPS for the “customer-01-gacs01” name for CWMP to register.

Thank you for your quick answer.

No, that’s not how HTTP/HTTPS works. When you hit a server, your browser/client device sends the hostname that it is trying to access the server with as part of the request header. Caddy is looking at the host header and then using that to choose how to direct the request.

You would run into problems if you attempted to hit the server directly via its IP, though. Caddy would need an entry in the config to tell it what to do then (I would think that most likely you’d want to assume it’s a misconfigured CPE device or something, and direct that way… but it depends on your environment).

Note that in the example above, Caddy is NOT using an HTTPS interface for the CWMP redirection either - it only has an SSL cert associated with the management UI.

1 Like
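To make the two points above concrete (Ketil's two site blocks, and the reply explaining that Caddy dispatches on the Host header rather than the IP), here is an added Python example. It is my own illustration, not Caddy's code and not from any post in this thread: it parses site blocks in the shape shown in the domain files, then models how a Host-header-based proxy decides what to do with a request. The hostnames, ports and the 192.168.200.3 address come from the thread; the redirect case models Caddy's automatic HTTP-to-HTTPS redirect for `https://` sites, and the "reject" outcome for a bare-IP Host is the situation the reply says needs an explicit catch-all entry.

```python
"""Model of Host-header routing for the Caddyfile site blocks in this thread.

Added example, not Caddy's implementation. It shows why two hostnames that
resolve to one IP still reach different upstreams, and what a proxy can do
when the request carries an IP literal instead of a hostname.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the two domain files from the post, concatenated as one text.
CADDYFILE = """
http://customer-01-gacs01.ourdomain.com {
  reverse_proxy localhost:7547
}

https://ui.customer-01-gacs01.ourdomain.com {
  reverse_proxy localhost:3000
}
"""


@dataclass(frozen=True)
class Site:
    scheme: str    # "http" (port 80, no cert) or "https" (port 443, cert issued)
    host: str      # hostname matched against the request's Host header
    upstream: str  # reverse_proxy target


# Minimal matcher for "scheme://host { reverse_proxy target }" blocks only;
# a real Caddyfile parser handles far more than this.
SITE_RE = re.compile(r"(https?)://([^\s{]+)\s*\{\s*reverse_proxy\s+(\S+)\s*\}", re.S)


def parse_sites(text: str) -> List[Site]:
    """Extract (scheme, host, upstream) triples from simple site blocks."""
    return [Site(s, h.lower(), u) for s, h, u in SITE_RE.findall(text)]


def _host_only(header: str) -> str:
    """Drop an optional :port from a Host header, keeping IPv6 literals intact."""
    header = header.strip().lower()
    if header.startswith("["):                 # "[::1]:80" -> "::1"
        end = header.find("]")
        return header[1:end] if end != -1 else header[1:]
    return header.split(":", 1)[0]


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(sites: List[Site], host_header: Optional[str], tls: bool) -> Tuple[str, Optional[str]]:
    """Decide what the proxy does with one request.

    Returns one of:
      ("proxy", upstream)   the Host matches a site block for this scheme
      ("redirect", url)     plain HTTP for a name that only has an https:// block
                            (modelled on Caddy's automatic HTTPS redirect)
      ("reject", None)      no Host, an IP literal, or TLS for a name with no cert
    """
    if not host_header:
        return ("reject", None)
    host = _host_only(host_header)
    # A bare IP never matches a hostname block: this is the "hit the server by
    # IP" case from the thread, which needs its own explicit entry to be served.
    if _is_ip_literal(host):
        return ("reject", None)
    want = "https" if tls else "http"
    by_scheme = {s.scheme: s for s in sites if s.host == host}
    if want in by_scheme:
        return ("proxy", by_scheme[want].upstream)
    if not tls and "https" in by_scheme:
        return ("redirect", f"https://{host}/")
    # TLS requested for a name that only has an http:// block: no certificate
    # exists for it, so the handshake cannot succeed.
    return ("reject", None)


SITES = parse_sites(CADDYFILE)

if __name__ == "__main__":
    for header, tls in [("customer-01-gacs01.ourdomain.com", False),
                        ("ui.customer-01-gacs01.ourdomain.com", True),
                        ("ui.customer-01-gacs01.ourdomain.com", False),
                        ("customer-01-gacs01.ourdomain.com", True),
                        ("192.168.200.3", False)]:
        print(f"{'https' if tls else 'http '} Host={header!r:42} -> {decide(SITES, header, tls)}")
```

Running it shows the CWMP name proxied on plain HTTP only, the UI name proxied on HTTPS and redirected when hit over HTTP, and the 192.168.200.3 request rejected: exactly the gap the reply points at, where a device configured with the raw IP never matches either block.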