AfroThundr3007730
11/13/2017 - 1:01 AM

My notes on setting up and configuring GenieACS (v1.1.1) with the Rails GUI, an Nginx TLS-terminating proxy in front of every endpoint, and systemd units for each service.

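# /etc/systemd/system/genieacs-gui.service
# Rails GUI for GenieACS. nginx terminates TLS and proxies to 127.0.0.1:8080.
[Unit]
Description=GUI for GenieACS
# Requires= alone does not order start-up; without After= the GUI can come up
# before the backends it talks to are listening.
After=network.target genieacs-cwmp.service genieacs-nbi.service genieacs-fs.service
Requires=genieacs-cwmp.service
Requires=genieacs-nbi.service
Requires=genieacs-fs.service

[Service]
Type=simple
# NOTE(review): root is used only because /opt/genieacs-gui and the gems are
# installed as root in the notes. The app binds an unprivileged loopback port,
# so a dedicated unprivileged user is preferable once the tree is chowned.
User=root
WorkingDirectory=/opt/genieacs-gui
# .env sets RAILS_ENV=production, but the explicit -e flag is what decides the
# environment for `rails s`. Development mode serves full stack traces and
# debug pages and must not be exposed, even behind the proxy.
# NOTE(review): production mode expects precompiled assets; run
# `rails assets:precompile` once in /opt/genieacs-gui before first start.
Environment=RAILS_ENV=production
# Loopback only: the only way in is through nginx.
ExecStart=/usr/local/bin/rails s -e production -b 127.0.0.1 -p 8080
# on-failure also restarts after a non-zero exit, not only after a signal.
Restart=on-failure

[Install]
WantedBy=multi-user.target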
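# /etc/systemd/system/genieacs-fs.service
# File server for GenieACS (this unit runs bin/genieacs-fs; the header in the
# original notes named the wrong file).
[Unit]
Description=FileServer service for GenieACS
# Order after the datastores config.json points at (127.0.0.1 MongoDB/Redis).
# Unit names are those of the Debian/Ubuntu mongodb and redis-server packages
# installed in the notes; adjust if yours differ.
After=network.target mongodb.service redis-server.service
Wants=mongodb.service redis-server.service

[Service]
Type=simple
# NOTE(review): root is only needed because /opt/genieacs is root-owned in the
# install notes; the service binds an unprivileged loopback port (FS_INTERFACE
# 127.0.0.1) and could run as a dedicated user once the tree and
# /var/log/genieacs are chowned.
User=root
WorkingDirectory=/opt/genieacs
ExecStart=/opt/genieacs/bin/genieacs-fs
# on-failure also restarts after a non-zero exit, not only after a signal.
Restart=on-failure

[Install]
WantedBy=multi-user.target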
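# /etc/systemd/system/genieacs-nbi.service
# Northbound (management) API for GenieACS (this unit runs bin/genieacs-nbi;
# the header in the original notes named the wrong file).
[Unit]
Description=NBI server service for GenieACS
# Order after the datastores config.json points at (127.0.0.1 MongoDB/Redis).
# Unit names are those of the Debian/Ubuntu mongodb and redis-server packages
# installed in the notes; adjust if yours differ.
After=network.target mongodb.service redis-server.service
Wants=mongodb.service redis-server.service

[Service]
Type=simple
# NOTE(review): root is only needed because /opt/genieacs is root-owned in the
# install notes; the service binds an unprivileged loopback port (NBI_INTERFACE
# 127.0.0.1) and could run as a dedicated user once the tree and
# /var/log/genieacs are chowned.
User=root
WorkingDirectory=/opt/genieacs
ExecStart=/opt/genieacs/bin/genieacs-nbi
# on-failure also restarts after a non-zero exit, not only after a signal.
Restart=on-failure

[Install]
WantedBy=multi-user.target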
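# /etc/systemd/system/genieacs-cwmp.service
# CWMP (TR-069) server that the CPEs talk to, via the nginx TLS listener.
[Unit]
Description=CWMP server service for GenieACS
# Order after the datastores config.json points at (127.0.0.1 MongoDB/Redis).
# Unit names are those of the Debian/Ubuntu mongodb and redis-server packages
# installed in the notes; adjust if yours differ.
After=network.target mongodb.service redis-server.service
Wants=mongodb.service redis-server.service

[Service]
Type=simple
# NOTE(review): root is only needed because /opt/genieacs is root-owned in the
# install notes; the service binds an unprivileged loopback port
# (CWMP_INTERFACE 127.0.0.1) and could run as a dedicated user once the tree
# and /var/log/genieacs are chowned.
User=root
WorkingDirectory=/opt/genieacs
ExecStart=/opt/genieacs/bin/genieacs-cwmp
# on-failure also restarts after a non-zero exit, not only after a signal.
Restart=on-failure

[Install]
WantedBy=multi-user.target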
# /etc/nginx/ms-htpasswd
# Nginx Auth Credentials

# Replace with actual creds (`openssl passwd -apr1`). Keep the file readable only
# by root and the nginx worker group (chmod 0640; the worker user is www-data on
# Debian/Ubuntu), and note that this one file gates the CWMP, NBI and FS
# endpoints alike in genieacs.conf.
user:$apr1$DEADBEEF
# /etc/nginx/sites-available/genieacs.conf
# Nginx configuration for genieacs services
# Ensure you change the listening IP address
# The `add_header` lines are browser-hardening headers; removing them does not
#   break functionality, but there is no good reason to remove them.

# Backends. All four are bound to loopback (the GUI unit passes -b 127.0.0.1,
# config.json sets CWMP_/NBI_/FS_INTERFACE to 127.0.0.1), so they are reachable
# from other hosts only through the vhosts below.
upstream genieacs-gui  { server 127.0.0.1:8080; }
upstream genieacs-cwmp { server 127.0.0.1:7547; }
upstream genieacs-nbi  { server 127.0.0.1:7557; }
upstream genieacs-fs   { server 127.0.0.1:7567; }

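# Plain-HTTP listener: its only job is to redirect to HTTPS.
server {
        listen          80 default_server;
        server_name     web.acs.test.local acs.test.local;

        add_header      Content-Security-Policy "default-src 'self'" always;
        add_header      Referrer-Policy "no-referrer" always;
        add_header      X-Content-Type-Options "nosniff" always;
        add_header      X-Frame-Options "sameorigin" always;
        # Grammar is "1; mode=block"; "mode block" is malformed and the block
        # mode is not applied.
        add_header      X-XSS-Protection "1; mode=block" always;

        # $server_name (the first name above) rather than $host on purpose: as
        # default_server this block also answers arbitrary Host headers, and
        # echoing $host into the redirect would make it an open redirect.
        return          301 https://$server_name$request_uri;
}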

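# Web GUI: TLS termination in front of the Rails app on 127.0.0.1:8080.
server {
        # NOTE(review): unlike the three service vhosts below this binds every
        # address; use 192.168.1.10:443 if the box is multi-homed.
        listen          443 ssl http2;
        server_name     web.acs.test.local acs.test.local;

        # web.crt/web.key are symlinks to the single self-signed ECDSA pair
        # (cert/genieacs.crt, cert/genieacs.key) created in the install notes.
        ssl_certificate_key     /opt/genieacs/config/web.key;
        ssl_certificate         /opt/genieacs/config/web.crt;

        access_log      /var/log/nginx/genieacs-web-access.log combined;
        error_log       /var/log/nginx/genieacs-web-error.log;

        client_max_body_size    50M;

        # Static files are served straight out of the Rails public/ directory;
        # everything else falls through to the app.
        root            /opt/genieacs-gui/public;
        try_files       $uri $uri/index.html @app;

        add_header      Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # 'unsafe-inline' is presumably needed by the GUI's inline scripts and
        # styles; it gives up most of CSP's XSS protection, so drop it if the
        # app works without it.
        add_header      Content-Security-Policy "default-src 'self' 'unsafe-inline'" always;
        add_header      Referrer-Policy "no-referrer" always;
        add_header      X-Content-Type-Options "nosniff" always;
        add_header      X-Frame-Options "sameorigin" always;
        # Grammar is "1; mode=block"; "mode block" is malformed and the block
        # mode is not applied.
        add_header      X-XSS-Protection "1; mode=block" always;

        location @app {
                proxy_pass              http://genieacs-gui;
                proxy_http_version      1.1;
                # Upgrade/Connection pass-through only matters for WebSocket
                # upgrades; the idiomatic form is a
                # `map $http_upgrade $connection_upgrade` in the http block
                # instead of a fixed 'upgrade'.
                proxy_set_header        Upgrade $http_upgrade;
                proxy_set_header        Connection 'upgrade';
                proxy_set_header        Host $host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                # Tell Rack/Rails the original request was HTTPS so generated
                # URLs and secure-cookie decisions are made for https, not the
                # plain-HTTP hop to the backend.
                proxy_set_header        X-Forwarded-Proto $scheme;
                proxy_cache_bypass      $http_upgrade;
                proxy_redirect          off;
        }
}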

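# CWMP (TR-069) endpoint the CPEs talk to. Same port number as the backend, but
# bound to the LAN address; the backend itself is on 127.0.0.1:7547.
server {
        listen          192.168.1.10:7547 ssl;
        server_name     cwmp.acs.test.local acs.test.local;

        # cwmp.crt/cwmp.key are symlinks to the single self-signed pair from the
        # install notes; CPEs must trust it (or skip validation) to connect.
        ssl_certificate_key     /opt/genieacs/config/cwmp.key;
        ssl_certificate         /opt/genieacs/config/cwmp.crt;

        access_log      /var/log/nginx/genieacs-cwmp-access.log combined;
        error_log       /var/log/nginx/genieacs-cwmp-error.log;

        client_max_body_size    50M;

        # Browser-hardening headers; irrelevant to CPE clients, kept for
        # consistency with the other vhosts.
        add_header      Strict-Transport-Security "max-age=31536000" always;
        add_header      Content-Security-Policy "default-src 'self'" always;
        add_header      Referrer-Policy "no-referrer" always;
        add_header      X-Content-Type-Options "nosniff" always;
        add_header      X-Frame-Options "sameorigin" always;
        # Grammar is "1; mode=block"; "mode block" is malformed and the block
        # mode is not applied.
        add_header      X-XSS-Protection "1; mode=block" always;

        location / {
                # Backend is plain HTTP: config.json sets CWMP_SSL to false and
                # TLS terminates here. An https:// upstream fails the handshake
                # against it and yields 502s.
                proxy_pass              http://genieacs-cwmp;
                proxy_http_version      1.1;
                proxy_set_header        Upgrade $http_upgrade;
                proxy_set_header        Connection 'upgrade';
                proxy_set_header        Host $host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_cache_bypass      $http_upgrade;
                # Basic auth is checked by nginx; strip the credentials so they
                # never reach (or get logged by) the backend.
                proxy_set_header        Authorization "";
                # NOTE(review): ms-htpasswd is shared with the NBI and FS vhosts,
                # so any CPE holding the CWMP credential can also call the
                # management API. Use a separate user file per endpoint.
                auth_basic              "Restricted";
                auth_basic_user_file    /etc/nginx/ms-htpasswd;
        }
}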

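# NBI: the northbound management API (full control over every device).
# NOTE(review): this is exposed on the same LAN address as the CPE-facing CWMP
# listener; restrict it to management hosts (allow/deny in `location /`, or a
# separate management interface) rather than relying on basic auth alone.
server {
        listen          192.168.1.10:7557 ssl;
        server_name     nbi.acs.test.local acs.test.local;

        # nbi.crt/nbi.key are symlinks to the single self-signed pair from the
        # install notes.
        ssl_certificate_key     /opt/genieacs/config/nbi.key;
        ssl_certificate         /opt/genieacs/config/nbi.crt;

        access_log      /var/log/nginx/genieacs-nbi-access.log combined;
        error_log       /var/log/nginx/genieacs-nbi-error.log;

        # Large bodies presumably for file (firmware) uploads through the API.
        client_max_body_size    50M;

        # Browser-hardening headers; kept for consistency with the other vhosts.
        add_header      Strict-Transport-Security "max-age=31536000" always;
        add_header      Content-Security-Policy "default-src 'self'" always;
        add_header      Referrer-Policy "no-referrer" always;
        add_header      X-Content-Type-Options "nosniff" always;
        add_header      X-Frame-Options "sameorigin" always;
        # Grammar is "1; mode=block"; "mode block" is malformed and the block
        # mode is not applied.
        add_header      X-XSS-Protection "1; mode=block" always;

        location / {
                # Backend is plain HTTP: config.json sets NBI_SSL to false and
                # TLS terminates here. An https:// upstream fails the handshake
                # against it and yields 502s.
                proxy_pass              http://genieacs-nbi;
                proxy_http_version      1.1;
                proxy_set_header        Upgrade $http_upgrade;
                proxy_set_header        Connection 'upgrade';
                proxy_set_header        Host $host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_cache_bypass      $http_upgrade;
                # Basic auth is checked by nginx; strip the credentials so they
                # never reach (or get logged by) the backend.
                proxy_set_header        Authorization "";
                # NOTE(review): ms-htpasswd is shared with the CWMP and FS vhosts;
                # give the management API its own user file.
                auth_basic              "Restricted";
                auth_basic_user_file    /etc/nginx/ms-htpasswd;
        }
}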

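# FS: file (firmware) downloads for CPEs. The URL GenieACS hands a CPE must
# point at this listener (FS_HOSTNAME/FS_PORT in config.json), and the CPE must
# be able to present the basic-auth credential on download.
server {
        listen          192.168.1.10:7567 ssl;
        server_name     fs.acs.test.local acs.test.local;

        # fs.crt/fs.key are symlinks to the single self-signed pair from the
        # install notes.
        ssl_certificate_key     /opt/genieacs/config/fs.key;
        ssl_certificate         /opt/genieacs/config/fs.crt;

        access_log      /var/log/nginx/genieacs-fs-access.log combined;
        error_log       /var/log/nginx/genieacs-fs-error.log;

        client_max_body_size    50M;

        # Browser-hardening headers; kept for consistency with the other vhosts.
        add_header      Strict-Transport-Security "max-age=31536000" always;
        add_header      Content-Security-Policy "default-src 'self'" always;
        add_header      Referrer-Policy "no-referrer" always;
        add_header      X-Content-Type-Options "nosniff" always;
        add_header      X-Frame-Options "sameorigin" always;
        # Grammar is "1; mode=block"; "mode block" is malformed and the block
        # mode is not applied.
        add_header      X-XSS-Protection "1; mode=block" always;

        location / {
                # Backend is plain HTTP: config.json sets FS_SSL to false and
                # TLS terminates here. An https:// upstream fails the handshake
                # against it and yields 502s.
                proxy_pass              http://genieacs-fs;
                proxy_http_version      1.1;
                proxy_set_header        Upgrade $http_upgrade;
                proxy_set_header        Connection 'upgrade';
                proxy_set_header        Host $host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_cache_bypass      $http_upgrade;
                # Basic auth is checked by nginx; strip the credentials so they
                # never reach (or get logged by) the backend.
                proxy_set_header        Authorization "";
                # NOTE(review): ms-htpasswd is shared with the CWMP and NBI vhosts;
                # a download-only credential here should not also open the NBI.
                auth_basic              "Restricted";
                auth_basic_user_file    /etc/nginx/ms-htpasswd;
        }
}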
# /etc/nginx/nginx.conf (partial)
# Added the following directives to nginx.conf under the http block:
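http {
        ##
        # Basic Settings
        ##
        # Hide the nginx version in the Server header and error pages.
        server_tokens off;

        ##
        # SSL Settings
        ##
        # TLS 1.2 only: drops SSLv3 (POODLE) and TLS 1.0/1.1 as well.
        # Add TLSv1.3 only on an nginx/OpenSSL that supports it; older
        # versions reject the token at config load.
        ssl_protocols TLSv1.2;
        # Forward-secret AEAD suites only. The sixth entry was misspelled
        # "ECHDE-..." in the original list; OpenSSL silently ignores unknown
        # cipher names, so that suite was simply absent. The key generated in
        # the install notes is ECDSA (secp384r1), so with that cert only the
        # ECDHE-ECDSA suites are actually negotiable; the RSA ones are kept for
        # a future RSA certificate.
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
        ssl_prefer_server_ciphers on;
        # Resumption via the server-side cache only; tickets are off because a
        # long-lived ticket key undermines forward secrecy.
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
}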
# /opt/genieacs-gui/Gemfile (partial)
# Add the following lines at the top of the file, so dotenv-rails is loaded
# before the gems that read ENV

# dotenv-rails loads .env into ENV at boot; listed for every group so the file
# is honoured in production, test and development alike.
gem 'dotenv-rails', groups: %i[production test development]
# /opt/genieacs-gui/.env
# Environment for the genieacs-gui Rails app, loaded by dotenv-rails (see the
# Gemfile change). Replace SECRET_KEY_BASE with your own: it signs session
# cookies, so keep this file owner-only (chmod 0600) and out of version control.
# The install notes append a generated SECRET_KEY_BASE= line to this file;
# delete the placeholder below afterwards so only one definition remains.
# NOTE(review): RAILS_ENV here is unlikely to take effect for `rails s`, whose
# explicit -e flag (see the genieacs-gui systemd unit) takes precedence.

export HOSTNAME="acs.test.local"
export RAILS_ENV="production"
export SECRET_KEY_BASE="DEADBEEF"
# /opt/genieacs/config/openssl.cnf
# OpenSSL config for genieacs certificate: the extension section passed via
# `openssl x509 -req -extfile ... -extensions acs_cert` in the install notes.
[acs_cert]
# End-entity certificate, never a CA.
basicConstraints=CA:false
subjectKeyIdentifier=hash
# digitalSignature is what the ECDHE-ECDSA suites need from the ECDSA key
# (secp384r1 in the notes); keyEncipherment would only matter for RSA key
# exchange, which the nginx cipher list does not offer.
keyUsage=digitalSignature
# The CSR is created with an empty subject (-subj "/"), so these SANs are the
# only names in the cert; every vhost server_name must be listed here.
subjectAltName=@alt_names
extendedKeyUsage=serverAuth

[alt_names]
DNS.1=acs.test.local
DNS.2=web.acs.test.local
DNS.3=cwmp.acs.test.local
DNS.4=nbi.acs.test.local
DNS.5=fs.acs.test.local
# /opt/genieacs/config/config.json (remove this comment line in the actual file: JSON has no comment syntax).
# NOTE(review): all three *_SSL flags are false because nginx terminates TLS, so the nginx upstreams must be http://. Check that the download URL GenieACS hands to CPEs (built from FS_HOSTNAME/FS_PORT) actually matches the TLS listener on 7567. The MongoDB URL carries no credentials: keep MongoDB and Redis bound to 127.0.0.1 as here. The services write to /var/log/genieacs, which must exist.
{
    "MONGODB_CONNECTION_URL" : "mongodb://127.0.0.1/genieacs",
    "REDIS_PORT" : "6379",
    "REDIS_HOST" : "127.0.0.1",
    "CWMP_INTERFACE" : "127.0.0.1",
    "CWMP_PORT" : 7547,
    "CWMP_SSL" : false,
    "CWMP_LOG_FILE" : "/var/log/genieacs/cwmp.log",
    "CWMP_ACCESS_LOG_FILE" : "/var/log/genieacs/cwmp.log",
    "NBI_INTERFACE" : "127.0.0.1",
    "NBI_PORT" : 7557,
    "NBI_SSL" : false,
    "NBI_LOG_FILE" : "/var/log/genieacs/nbi.log",
    "NBI_ACCESS_LOG_FILE" : "/var/log/genieacs/nbi.log",
    "FS_INTERFACE" : "127.0.0.1",
    "FS_PORT" : 7567,
    "FS_SSL" : false,
    "FS_HOSTNAME" : "acs.test.local",
    "FS_LOG_FILE" : "/var/log/genieacs/fs.log",
    "FS_ACCESS_LOG_FILE" : "/var/log/genieacs/fs.log",
    "LOG_INFORMS" : true,
    "DEBUG" : false
}
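#!/usr/bin/env bash
# GenieACS installation steps and dependencies
# Don't try to just run this script directly! It is a transcript of the steps
# taken: the NOTE lines need files from this gist copied into place first, and
# `openssl passwd` prompts interactively.
# bash, not sh: the brace expansions below ({-sample,}) are not POSIX.
set -euo pipefail

##
# Install necessary packages
##
apt install curl wget vim git subversion openssl nodejs ruby bundler mongodb \
    redis-server redis-tools nginx-full build-essential autoconf automake \
    libtool bison tcl sqlite libsqlite3-0 libsqlite3-dev libxml2 libxml2-dev \
    zlib1g zlib1g-dev libssl-dev libreadline-dev libxslt-dev libncurses5-dev

##
# Clone and setup genieacs
##
cd /opt
git clone https://github.com/zaidka/genieacs.git
cd genieacs
# Check the release tag out by name: `git checkout $(git tag -l v1.1.1)`
# expands to `git checkout` (a no-op) when the tag is missing and silently
# leaves you on master; this form fails loudly instead.
git checkout v1.1.1
# Build node modules
# NOTE(review): this runs package lifecycle scripts as root; prefer `npm ci`
# if the checkout ships a lockfile, and review what gets pulled in.
npm install
npm run compile
# Setup config files
mv config/auth{-sample,}.js
mv config/config{-sample,}.json
mv config/ext{-sample,}.js
# NOTE: Copy my config.json over existing config/config.json file
# config.json points the service logs at /var/log/genieacs; create it.
mkdir -p /var/log/genieacs
# Services run as root, so the config tree (keys included) can be root-only.
chmod 0700 config
cd config
mkdir -p cert
# NOTE: Copy my openssl.cnf into config/cert directory
openssl ecparam -genkey -name secp384r1 -out cert/genieacs.key
# To prevent prompting for certificate CN, `-subj` was added; the hostnames
# live in the SAN extension from openssl.cnf, which is what clients check.
# (`-days` is ignored by `req -new` without -x509, so it is not passed here.)
openssl req -new -key cert/genieacs.key -sha384 \
    -out cert/genieacs.csr -subj "/"
# Self-signed, valid 370 days: re-run this step before it expires. CPEs must
# either trust this certificate or skip validation to reach the ACS.
openssl x509 -req -in cert/genieacs.csr -signkey cert/genieacs.key \
    -out cert/genieacs.crt -extfile cert/openssl.cnf -extensions acs_cert \
    -days 370 -sha384
chmod 0700 cert
chmod 0600 cert/genieacs.key
cd ..
# Create certificate symlinks (necessary for genieacs). A relative target is
# resolved from the link's own directory (config/), so cert/... is correct here.
ln -s cert/genieacs.crt web.crt;  ln -s cert/genieacs.key web.key
ln -s cert/genieacs.crt cwmp.crt; ln -s cert/genieacs.key cwmp.key
ln -s cert/genieacs.crt nbi.crt;  ln -s cert/genieacs.key nbi.key
ln -s cert/genieacs.crt fs.crt;   ln -s cert/genieacs.key fs.key

##
# Clone and setup genieacs-gui
##
cd /opt
# NOTE(review): no tag or commit is pinned here, unlike genieacs above; pin
# one so the GUI checkout is reproducible.
git clone https://github.com/zaidka/genieacs-gui.git
cd genieacs-gui
# Setup config files
cp config/graphs{-sample,}.json.erb
cp config/index_parameters{-sample,}.yml
cp config/summary_parameters{-sample,}.yml
cp config/parameters_edit{-sample,}.yml
cp config/parameter_renderers{-sample,}.yml
cp config/roles{-sample,}.yml
cp config/users{-sample,}.yml
# NOTE: Add the dotenv-rails line from this repo to the beginning of your
# Gemfile before building the gems; `bundle install` resolves it into
# Gemfile.lock without bumping every other locked gem (the original notes ran
# `gem update; bundle update`, which upgrades every system gem and every
# locked gem; only fall back to that if the locked versions will not build on
# your Ruby, and review the lockfile diff). A separate `gem install dotenv`
# is not needed: dotenv-rails pulls it in.
bundle install
# NOTE: Copy .env file into place in genieacs-gui directory
# Generate your own secret_key_base for .env file. This appends a second
# SECRET_KEY_BASE line; delete the placeholder line from the copied .env.
echo "SECRET_KEY_BASE=$(RAILS_ENV=production rails secret)" >> .env
# .env holds the session-signing secret: owner-only.
chmod 0600 .env
# NOTE(review): the GUI unit runs the app in production mode, which expects
# precompiled assets; run `RAILS_ENV=production rails assets:precompile` here.

##
# Nginx setup and configuration
##
systemctl enable nginx
cd /etc/nginx
# NOTE: Modify nginx.conf with the lines from this repo.
# NOTE: Copy genieacs.conf file into sites-available directory
# The link target is resolved relative to sites-enabled/, so it has to be
# ../sites-available/...; `ln -s sites-available/genieacs.conf sites-enabled/`
# creates a dangling link that nginx then fails to open.
ln -s ../sites-available/genieacs.conf sites-enabled/genieacs.conf
# Create creds for basic_auth on non-web endpoints (prompts for the password;
# replace `username`).
# NOTE(review): this one file gates the CWMP (CPE-facing), NBI (management API)
# and FS endpoints alike; consider a separate user file per endpoint.
echo "username:$(openssl passwd -apr1)" >> ms-htpasswd
# Readable by root and the nginx worker group only (www-data on Debian/Ubuntu;
# the workers read this file at request time, so it cannot be root-only).
chown root:www-data ms-htpasswd
chmod 0640 ms-htpasswd
# Validate the configuration before restarting so a typo does not take the
# proxy down.
nginx -t
systemctl restart nginx

##
# Systemd integration
##
# NOTE: Copy all the systemd service files into /etc/systemd/system/
systemctl daemon-reload
# Backends first, GUI last: the GUI unit Requires the three services.
systemctl enable genieacs-cwmp; systemctl start genieacs-cwmp
systemctl enable genieacs-nbi;  systemctl start genieacs-nbi
systemctl enable genieacs-fs;   systemctl start genieacs-fs
systemctl enable genieacs-gui;  systemctl start genieacs-gui

# That should be the end of it.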

Config files to get GenieACS up and running, complete with GUI, Nginx SSL proxy, and systemd services.

Following the upstream GenieACS documentation (first the dependencies, then the initial setup) and the project wiki page on Nginx and SSL should get you most of the way there. After that I had a lot of googling to do; the results are below.

| Filename | Description |
|---|---|
| 01-install.sh | The installation instructions and commands. |
| 02-config.json | The genieacs services configuration. |
| 03-openssl.cnf | The openssl certificate configuration. |
| 04-.env | The environment variables for genieacs-gui. |
| 05-Gemfile | The modification to accommodate the dotenv gem. |
| 06-nginx.conf | Modified nginx configuration to beef up security. |
| 07-genieacs.conf | The genieacs web host configuration. |
| 08-ms-htpasswd | The http_basic auth file for the service endpoints. |
| 09-genieacs-cwmp.service | The genieacs-cwmp systemd service file. |
| 10-genieacs-nbi.service | The genieacs-nbi systemd service file. |
| 11-genieacs-fs.service | The genieacs-fs systemd service file. |
| 12-genieacs-gui.service | The genieacs-gui systemd service file. |