Secure FS Service with authentification

Timeuhmeuh · August 5, 2021, 4:24pm

Hi,

I need to secure the FS service with authentication so that files are private.

In 1.1.3 I was simply using this below and it seems to me that it worked.
(LUA script checks the device S/N in a third-party database and it works for cwmp service)

location / {
                access_by_lua_file /usr/local/openresty/nginx/conf/auth_acs.lua;
                proxy_pass http://127.0.0.1:7567;
        }

In 1.2.5, I cannot add an authentication mechanism to the config updater provision.

// Compare the current revision with the expected revision
if (cur_rev == res.expected_version) {
    log(serial + ' => is in the latest version')
    return;
    } else {
    log(serial + ' => Current revision: ' + cur_rev + ' & Remote revision: ' +  res.expected_version);
    log(serial + ' => Need Config Update');

    declare("Downloads.[FileType:3 Vendor Configuration File]", {path: 1}, {path: 1});
    declare("Downloads.[FileType:3 Vendor Configuration File].FileName", {value: 1}, {value: serial});
    declare("Downloads.[FileType:3 Vendor Configuration File].Download", {value: 1}, {value: Date.now()});
}

I try with cwmp.auth or fs.auth with the same result.
Ideally, the credentials would be the device serial number.

Do you have an idea ?

Thanks.

JonasGhost · August 5, 2021, 7:40pm

I think it is not possible to add authentication throw this way.

Does the lua script check if the file is allow for this CPE or does it only check if the device is allowed to download any file?

Timeuhmeuh · August 6, 2021, 8:28am

The LUA script is just a dynamic .htaccess.

For 1.1 the FS seems to support authentication GenieACS Auth Config · genieacs/genieacs Wiki · GitHub with nginx reverse proxy.

I try without success :

Pass authentification to GENIEACS_FS_URL_PREFIX with this format GENIEACS_FS_URL_PREFIX=http://USER:PASSWORD@acsconfig.example.com:7567/
Use classic htaccess.

CWMP Log :

2021-08-06T06:22:18.920Z [INFO] 127.0.0.1 hAP%20ac%C2%B2: ACS request; acsRequestId="17b1a20685c0000" acsRequestName="Download" acsRequestCommandKey="17b1a20685c0000"
2021-08-06T06:22:21.066Z [INFO] 127.0.0.1 hAP%20ac%C2%B2: Inform; informEvent="7 TRANSFER COMPLETE,M Download" informRetryCount=0
2021-08-06T06:22:22.056Z [INFO] 127.0.0.1 hAP%20ac%C2%B2: CPE request; cpeRequestName="TransferComplete" cpeRequestCommandKey="17b1a20685c0000"
2021-08-06T06:22:22.056Z [WARN] 127.0.0.1 hAP%20ac%C2%B2: Channel has faulted; channel="boot" retries=7 faultCode="cwmp.9012" faultMessage="HTTP 401 auth failed"

Nginx FS Log (the log format shows that it’s not trying to use a user) :

192.168.0.1 - - [06/Aug/2021:08:22:18 +0200] "GET /B4A00C15417C HTTP/1.1" 401 29 "-" "MikroTik"

Nginx CWMP Log :
192.168.0.1 - user1 [06/Aug/2021:10:33:40 +0200] "POST / HTTP/1.1" 204 0 "-" "MikroTik"

Topic		Replies	Views
CWMP service sending HTTP url on RPC download (func sendAcsRequest) regardless of FS_SSL_CERT	8	1580	November 20, 2021
CPE to ACS authentication	16	1836	August 29, 2023
Incorrect connection request credentials (v1.2)	32	18111	December 1, 2023
CPE Authentication request error	0	468	March 8, 2022
CPE authentication with 1.2.3	9	2150	February 26, 2021

Secure FS Service with authentification

Related Topics