Reverse proxy issues with CWMP

Hi,

Using CWMP with a reverse proxy is a pain. With Apache I have to use disableReuse=on, but then many requests end with “Connection dropped”, rendering provisioning of some devices impossible. Without “disableReuse=on” almost everything works except some requests, e.g. when setting the WiFi SSID on a Huawei ONT I get “Bad session”:

2021-03-04T08:38:44.363Z [INFO] 10.113.153.249 00259E-HG8546M-4857544359AE748A: ACS request; acsRequestId="177fc63a2fc0101" acsRequestName="GetParameterValues"
2021-03-04T08:38:44.473Z [ERROR] 10.112.197.181 00259E-HG8546M-4857544359AE748A: Bad session state

This must be related to the session cache, as the CWMP backend maps the response to an invalid IP address.

CWMP without reverse proxying works like a charm. I also tried Nginx with the same results (e.g. Connection dropped without setting keepalive on upstream, or Bad session with keepalive enabled).

Has anyone got a working CWMP reverse proxy?

Mirek
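
A way to check a log for the pattern in the two lines quoted above, where one device ID is logged from two different source addresses 110 ms apart. This is an added example, not part of the original post and not GenieACS code; the function names, the 30-second window and the last two sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Format seen in the thread: timestamp [LEVEL] source-ip device-id: message
LINE_RE = re.compile(r"^(\S+) \[(\w+)\] (\S+) (\S+): (.*)$")
WINDOW = timedelta(seconds=30)  # assumption: tune to your session timeout

# First three lines are quoted in this thread; the last two are constructed.
SAMPLE = '''\
2021-03-04T08:38:44.363Z [INFO] 10.113.153.249 00259E-HG8546M-4857544359AE748A: ACS request; acsRequestId="177fc63a2fc0101" acsRequestName="GetParameterValues"
2021-03-04T08:38:44.473Z [ERROR] 10.112.197.181 00259E-HG8546M-4857544359AE748A: Bad session state
2021-03-10T07:11:14.620Z [ERROR] 10.113.153.249 00259E-HG8546M-4857544359AE748A: Connection dropped
2021-03-10T07:11:15.000Z [INFO] 192.0.2.10 AABBCC-EXAMPLE-CONSTRUCTED01: ACS request; acsRequestName="GetParameterValues"
2021-03-10T07:11:15.200Z [INFO] 192.0.2.10 AABBCC-EXAMPLE-CONSTRUCTED01: ACS request; acsRequestName="GetParameterValues"
'''.splitlines()

def parse(line):
    """Split one log line into (time, level, ip, device, message), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, ip, device, msg = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ"), level, ip, device, msg

def find_address_flips(lines, window=WINDOW):
    """Report devices whose logged source IP changes within `window`."""
    last_seen = {}  # device id -> (time, ip) of its previous log line
    flips = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        when, level, ip, device, msg = rec
        prev = last_seen.get(device)
        if prev and prev[1] != ip and when - prev[0] <= window:
            flips.append({"device": device, "from": prev[1], "to": ip,
                          "gap_ms": (when - prev[0]) // timedelta(milliseconds=1),
                          "level": level, "message": msg})
        last_seen[device] = (when, ip)
    return flips

if __name__ == "__main__":
    for f in find_address_flips(SAMPLE):
        print(f)
```

A hit only shows that the address logged for a device changed mid-session; the IP change six days later falls outside the window and is not reported.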

I can share my apache setup which is using a Balancer as well. We have the ACS server running on port 7548 as we used a previous ACS server and are redirecting it to GenieACS.

<Proxy balancer://acs>
    BalancerMember http://IP.GOES.HERE:7548 disablereuse=On keepalive=On
    ProxySet lbmethod=byrequests
</Proxy>

<VirtualHost *:7547>
    ServerName acs.domain:7547
    ServerAlias acs.ip.goes.here:7547
    ProxyVia on
    RewriteEngine On
    ProxyPass "/service/cwmp" "balancer://acs/"
    ProxyPassReverse "/service/cwmp" "balancer://acs/"

    ProxyPass "/service/cwmp/" "balancer://acs/"
    ProxyPassReverse "/service/cwmp/" "balancer://acs/"

    ProxyPass "/" "balancer://acs/"
    ProxyPassReverse "/" "balancer://acs/"
</VirtualHost>

On which versions?
I had similar problems with 1.2.3 and 1.2.4.

Unfortunately I did not see this topic and created one.

Unfortunately it does not work for me, I always get Connection dropped or Bad session errors:

2021-03-10T07:11:14.620Z [ERROR] 10.113.153.249 00259E-HG8546M-4857544359AE748A: Connection dropped
2021-03-10T07:11:14.620Z [WARN] 10.113.153.249 00259E-HG8546M-4857544359AE748A: Channel has faulted; channel="huawei" retries=1 faultCode="session_terminated" faultMessage="The TR-069 session was unsuccessfully terminated"

Only way it works is direct connection to Genieacs.

This is my reverse proxy setup as suggested:

<Proxy balancer://cwmp>
    BalancerMember http://127.0.0.1:7547 disablereuse=On keepalive=On
    ProxySet lbmethod=byrequests
</Proxy>

<VirtualHost 172.25.7.3:7547>

  ProxyVia          On

  ProxyPass         /  "balancer://cwmp/"
  ProxyPassReverse  /  "balancer://cwmp/"

  RequestHeader       set Forwarded expr=for=%{REMOTE_ADDR}

</VirtualHost>

I am now getting the same error after going to 1.2.4 as well.

I found that changing the ACS URL that I defined in the inform to point to the ACS itself instead of the reverse proxy resolved the errors I was getting.

That’s not my case. InternetGatewayDevice.ManagementServer.URL of my devices is set to http://172.25.7.3:7547 which is the reverse proxy itself, since Genieacs is bound to loopback on the same machine (see above).

Hello,
In my case, an HTTP 1.1 POST via nginx was passed as HTTP 1.0, which causes data loss (HTTP headers).
To fix this I added to the nginx conf: proxy_http_version 1.1
Best regards

There is no such thing in Apache reverse proxy as far as I know.

I reduced the problem at my installation by speeding up external scripts.
(E.g. if the external DB is not already in the memory, it will take too long and it will produce the error)
It is definitely not perfect, because it is still something like a race condition.

Well, how is it possible that directly exposing Genieacs eliminates the errors completely?

I do not know.
In Wireshark I see that the connection from nginx to genieacs is HTTP 1.0 but the answer is HTTP 1.1.
Maybe there is some kind of timeout with the proxy constellation that caused that problem.
I have not tried setting the HTTP proxy version to 1.1 yet.