Secure FS Service with authentication

Hi,

I need to secure the FS service with authentication so that files are private.

In 1.1.3 I was simply using this below and it seems to me that it worked.
(The Lua script checks the device S/N in a third-party database, and it works for the cwmp service)

location / {
    access_by_lua_file /usr/local/openresty/nginx/conf/auth_acs.lua;
    proxy_pass http://127.0.0.1:7567;
}

In 1.2.5, I cannot add an authentication mechanism to the config updater provision.

// Compare the current revision with the expected revision
if (cur_rev == res.expected_version) {
    log(serial + ' => is in the latest version');
    return;
} else {
    log(serial + ' => Current revision: ' + cur_rev + ' & Remote revision: ' + res.expected_version);
    log(serial + ' => Need Config Update');

    declare("Downloads.[FileType:3 Vendor Configuration File]", {path: 1}, {path: 1});
    declare("Downloads.[FileType:3 Vendor Configuration File].FileName", {value: 1}, {value: serial});
    declare("Downloads.[FileType:3 Vendor Configuration File].Download", {value: 1}, {value: Date.now()});
}

I tried with cwmp.auth or fs.auth, with the same result.
Ideally, the credentials would be the device serial number.

Do you have any idea?

Thanks.

I think it is not possible to add authentication this way.

Does the Lua script check if the file is allowed for this CPE, or does it only check if the device is allowed to download any file?

The LUA script is just a dynamic .htaccess.

For 1.1 the FS seems to support authentication (GenieACS Auth Config · genieacs/genieacs Wiki · GitHub) with nginx reverse proxy.

I tried without success:

  • Pass authentication to GENIEACS_FS_URL_PREFIX with this format: GENIEACS_FS_URL_PREFIX=http://USER:PASSWORD@acsconfig.example.com:7567/
  • Use classic htaccess.

CWMP Log:

2021-08-06T06:22:18.920Z [INFO] 127.0.0.1 hAP%20ac%C2%B2: ACS request; acsRequestId="17b1a20685c0000" acsRequestName="Download" acsRequestCommandKey="17b1a20685c0000"
2021-08-06T06:22:21.066Z [INFO] 127.0.0.1 hAP%20ac%C2%B2: Inform; informEvent="7 TRANSFER COMPLETE,M Download" informRetryCount=0
2021-08-06T06:22:22.056Z [INFO] 127.0.0.1 hAP%20ac%C2%B2: CPE request; cpeRequestName="TransferComplete" cpeRequestCommandKey="17b1a20685c0000"
2021-08-06T06:22:22.056Z [WARN] 127.0.0.1 hAP%20ac%C2%B2: Channel has faulted; channel="boot" retries=7 faultCode="cwmp.9012" faultMessage="HTTP 401 auth failed"

Nginx FS Log (the log format shows that it’s not trying to use a user):

192.168.0.1 - - [06/Aug/2021:08:22:18 +0200] "GET /B4A00C15417C HTTP/1.1" 401 29 "-" "MikroTik"

Nginx CWMP Log:
192.168.0.1 - user1 [06/Aug/2021:10:33:40 +0200] "POST / HTTP/1.1" 204 0 "-" "MikroTik"
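
Added example (not part of the original posts, and not GenieACS code): a small triage of nginx combined-format access logs that separates requests rejected because the client presented no Basic user name (the `-` user field in the FS log above) from rejected credentials and from files served with no authentication at all. The function names, verdict labels and the line marked as constructed are assumptions made for this illustration.

```python
import re
from collections import Counter

# nginx "combined" access-log format, matching the two nginx lines in the thread.
LINE = re.compile(
    r'(?P<addr>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+) '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def classify(line):
    """Return (path, user, verdict) for one access-log line, or None if unparsable."""
    m = LINE.match(line)
    if m is None:
        return None
    # "-" in the user field means no Basic user name was supplied with the request.
    user = None if m["user"] == "-" else m["user"]
    status = int(m["status"])
    if status in (401, 403):
        verdict = "rejected-no-credentials" if user is None else "rejected-with-credentials"
    elif status < 400:
        # A file served with no user name is the case a private FS must not show.
        verdict = "served-unauthenticated" if user is None else "served-authenticated"
    else:
        verdict = "other"
    return m["path"], user, verdict

def summarize(lines):
    """Count verdicts over many lines, skipping lines that do not parse."""
    return Counter(r[2] for r in map(classify, lines) if r is not None)

SAMPLE = [
    # The two nginx lines quoted in the thread.
    '192.168.0.1 - - [06/Aug/2021:08:22:18 +0200] "GET /B4A00C15417C HTTP/1.1" 401 29 "-" "MikroTik"',
    '192.168.0.1 - user1 [06/Aug/2021:10:33:40 +0200] "POST / HTTP/1.1" 204 0 "-" "MikroTik"',
    # Constructed line: a file download served without any user name.
    '192.168.0.1 - - [06/Aug/2021:11:00:00 +0200] "GET /B4A00C15417C HTTP/1.1" 200 512 "-" "MikroTik"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
    print(dict(summarize(SAMPLE)))
```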