Practical application of the FreeACS server for servicing Mikrotik devices using the TR-069 protocol (part 1)

This article is a logical continuation of experimenting with the FreeACS test server… Then I fell in love with this tool and promised a few commenters to bring the matter to production. So today we will install the server, configure it to a working state and attach the SSL certificate. In the second part we will go through the settings and modes, run the main working scenarios for servicing Mikrotik devices and briefly touch on the auto-configuration of IP phones.

Before starting, I want to briefly recall the main points:

1. The TR-069 protocol is used by tens of millions of devices and is, de facto, the standard for software updates, diagnostics and configuration of network equipment. In the FreeACS documentation the system requirements for a server start at 50,000 serviced devices and end at 2 million. This is a powerful specialized tool.

2. Configuration management systems (SCM) such as Ansible can be used, among other things, for remote execution of commands and scripts in RouterOS, but they are not an alternative to an ACS.

3. TR-069 security issues are briefly described here; in short, the protocol assumes the use of encryption but does not require it. As a result, 80% of devices transmit data in the clear, and some use self-signed certificates. Don't do that.

Part 1. Installing FreeACS + SSL

0. Preparation

Resources: minimum 4 GB RAM, 10 GB HDD, CentOS 7/8.

Domain: the server will be accessible from the Internet, so you need to buy a domain or add a subdomain DNS record pointing to the external IP address of FreeACS, and set the host's FQDN accordingly.

Certificate: if you already have a working domain and one of the certificate validation methods is available to you, you can issue the certificate right away. I used the cheapest Sectigo Positive SSL, available everywhere for 500-1000 rubles a year.

If there is no working domain, we will issue the certificate after installing the server, with validation by hash file. Ideas like Let's Encrypt and the like are "saving on matches".

1. Installing FreeACS

As in the previous article, the easiest way to do this is with a script.

wget https://raw.githubusercontent.com/freeacs/freeacs/master/scripts/install_centos.sh
chmod +x install_centos.sh
./install_centos.sh

The script will install everything you need. Only a little bit of work remains to be done.

# Set the time zone
timedatectl set-timezone Asia/Novosibirsk
# Install Xorg fonts. Without them there will be no graphs in the web interface
yum -y install xorg-x11-fonts-misc
# MySQL time zone and limits. Without these the web interface shows UTC and files will not upload
# /etc/my.cnf
default-time-zone="+07:00"
max_allowed_packet=32M
innodb_buffer_pool_size=1024M

Check that the web interface works over http://, change the default password, and you can move on.

2. Nginx

It's time to set up Nginx. If you have not obtained a certificate yet, let's get it and pass validation.

For example, you bought the domain mydomain.ru, configured the acs DNS record and ordered a certificate for acs.mydomain.ru with proof of ownership by hash file.

The provider will send information like this:

The hash file must be available at:
http://mydomain.ru/.well-known/pki-validation/5C7E984684D01FAF787171DB395A6F4A.txt
File contents:
75D5AB94B09B408A2A7DD93696BA69B736CA8A5E0DFD80DBB45186EF70AB1A77
comodoca.com

That is, validation of the certificate for the acs subdomain goes through proving ownership of the second-level domain, and if you already have a web resource on it, the file must be placed there.

If not, the hash file can be placed on the FreeACS server, after first changing the mydomain.ru DNS record. You need to create a directory with this file:

mkdir -p /var/www/.well-known/pki-validation
vi /var/www/.well-known/pki-validation/5C7E984684D01FAF787171DB395A6F4A.txt
# carefully paste the file contents here

And add an extra server section to the Nginx config. It is convenient to use a non-standard port so that later you can expose to the outside over http only what is needed.

# /etc/nginx.conf
...
  server {
    listen       8044;
    server_name  mydomain.ru;

    location /.well-known/pki-validation/ {
      root /var/www/;
    }
  }
...

After restarting Nginx and forwarding external port 80 to port 8044 of the FreeACS host, the file http://mydomain.ru/.well-known/pki-validation/5C7E984684D01FAF787171DB395A6F4A.txt should be visible from the Internet. As soon as validation passes, the provider will issue you a certificate, a chain of intermediate certificates and a private key. There will be something like acs_mydomain_ru.crt, acs_mydomain_ru.ca-bundle and 11005566.key.

For Nginx the certificate and the chain need to be concatenated, the key renamed, and both files placed in /etc/pki

cat acs_mydomain_ru.crt acs_mydomain_ru.ca-bundle > acs_mydomain_ru.chained.crt
mv 11005566.key acs_mydomain_ru.key
cp acs_mydomain_ru.chained.crt /etc/pki
cp acs_mydomain_ru.key /etc/pki
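The concatenation above is the whole trick, but the order matters (Nginx expects the server certificate first, then the intermediates) and a stray CRLF or a truncated block in the CA's download only shows up as a cryptic error on reload. The following is an added example, not code from the article or the FreeACS project: it does the same stitching in Python and validates the result. The PEM blocks it builds are constructed placeholders (base64 of dummy bytes), not real certificates; feed it the real acs_mydomain_ru.crt and acs_mydomain_ru.ca-bundle contents instead.

```python
"""Assemble and sanity-check the certificate chain file that Nginx will load.

Added example, not from the article or the FreeACS project. It does in Python
what `cat acs_mydomain_ru.crt acs_mydomain_ru.ca-bundle > acs_mydomain_ru.chained.crt`
does in the shell, and checks two things Nginx does not complain about loudly:
the server (leaf) certificate must come first, and every PEM block must be a
decodable certificate. The PEM blocks built below are constructed placeholders
(base64 of dummy bytes), not real certificates.
"""
import base64
import re
import ssl
from typing import List

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def split_pem(text: str) -> List[str]:
    """Return every certificate in `text` as a normalised PEM block (64-char lines)."""
    blocks = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())                      # tolerate CRLF / odd wrapping from the CA's zip
        pem = "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"
        ssl.PEM_cert_to_DER_cert(pem)                    # raises on a body that does not base64-decode
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append("-----BEGIN CERTIFICATE-----\n" + wrapped + "\n-----END CERTIFICATE-----\n")
    return blocks


def build_chain(leaf_pem: str, bundle_pem: str) -> str:
    """Leaf first, then the CA bundle in the order the CA supplied it."""
    leaf = split_pem(leaf_pem)
    if len(leaf) != 1:
        raise ValueError(f"expected exactly one server certificate, found {len(leaf)}")
    intermediates = split_pem(bundle_pem)
    if not intermediates:
        raise ValueError("ca-bundle contains no certificates")
    return "".join(leaf + intermediates)


def chain_order_ok(chained_pem: str, leaf_pem: str) -> bool:
    """True when the first block of the chained file is the server certificate."""
    blocks, leaf = split_pem(chained_pem), split_pem(leaf_pem)
    return bool(blocks) and bool(leaf) and blocks[0] == leaf[0]


def _fake_pem(label: bytes) -> str:
    """Constructed placeholder block; the real files come from the CA."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(label).decode() + "\n-----END CERTIFICATE-----\n"


# Constructed sample input standing in for acs_mydomain_ru.crt and acs_mydomain_ru.ca-bundle.
LEAF = _fake_pem(b"constructed leaf certificate for acs.mydomain.ru")
BUNDLE = _fake_pem(b"constructed intermediate CA") + _fake_pem(b"constructed root CA")

if __name__ == "__main__":
    chained = build_chain(LEAF, BUNDLE)
    print(f"{len(split_pem(chained))} certificates, leaf first: {chain_order_ok(chained, LEAF)}")
```

Run it against the real files by reading them into `LEAF` and `BUNDLE`; if `chain_order_ok` is false you have stitched the bundle before the certificate, which Nginx will load and then fail the handshake on.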

Now let's add SSL to the Nginx config. The port for proxying TR-069 will also be a non-standard one, 8099.
At this stage the whole config will look something like this:

events {
  worker_connections  19000;
}

http {

  client_max_body_size 32m;

  server {
    listen       8099 ssl;
    server_name  acs.mydomain.ru;

    # SSL
    ssl_certificate /etc/pki/acs_mydomain_ru.chained.crt;
    ssl_certificate_key /etc/pki/acs_mydomain_ru.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # ssl connections for CPE
    location /tr069/ {
      proxy_set_header Host      $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header HTTPS YES;
      proxy_headers_hash_max_size 512;
      proxy_headers_hash_bucket_size 128;
      proxy_pass http://localhost:8085/tr069/;
    }
  }

  server {
    # SSL hash check
    listen       8044;
    server_name  mydomain.ru;

    location /.well-known/pki-validation/ {
      root /var/www/;
    }
  }

  server {
    listen       80;
    server_name  10.110.0.117;

    location = / {
      return 301 /web/index;
      proxy_headers_hash_max_size 512;
      proxy_headers_hash_bucket_size 128;
    }
    location /tr069/ {
      proxy_set_header Host      $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_headers_hash_max_size 512;
      proxy_headers_hash_bucket_size 128;
      proxy_pass http://localhost:8085/tr069/;
    }
    location /web/ {
      proxy_pass http://localhost:8081/web/;
      proxy_headers_hash_max_size 512;
      proxy_headers_hash_bucket_size 128;
    }
    location /monitor/ {
      proxy_pass http://localhost:8090/monitor/;
    }
    location /webservice/ {
      proxy_pass http://localhost:8088/webservice/;
    }
    location /syslog/ {
      proxy_pass http://localhost:8086/syslog/;
    }
    location /core/ {
      proxy_pass http://localhost:8083/core/;
    }
    location /stun/ {
      proxy_pass http://localhost:8087/stun/;
    }
  }
}
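Before this config goes live on a port that faces the Internet, it is worth checking it mechanically rather than by eye. The following is an added example, not code from the article or the FreeACS project: a minimal parser for the Nginx directive/block syntax (only what the config above uses) plus a linter that reports what a practitioner would want flagged on the 8099 server: `ssl_protocols` that still admit TLSv1 or TLSv1.1 (both deprecated by RFC 8996; the article's config allows them), an ssl server whose `ssl_certificate` is not the stitched `.chained.crt` file, and any `proxy_pass` that does not point at localhost. The two config texts inside it are constructed excerpts of the article's ssl server block; the `.chained.crt` naming check is the article's own convention, not an Nginx rule.

```python
"""Lint the Nginx reverse-proxy config for the TR-069 endpoint.

Added example, not part of the article or the FreeACS project. Parses the
directive / block grammar (enough for the article's nginx.conf) and flags:
 - ssl_protocols still allowing SSLv3 / TLSv1 / TLSv1.1 (deprecated, RFC 8996),
 - an ssl server whose certificate file is not the stitched .chained.crt
   (the article's naming convention, used here as a heuristic),
 - proxy_pass targets that are not on localhost.
The config strings at the bottom are constructed excerpts of the article's config.
"""
import re
from typing import List, Optional, Tuple

# One directive: (name, arguments, children). children is None for "name args;"
# and a list of nodes for "name args { ... }".
Node = Tuple[str, List[str], Optional[list]]

TOKEN = re.compile(r'\s*(#[^\n]*|"[^"]*"|[;{}]|[^\s;{}#"]+)')


def tokenize(text: str) -> List[str]:
    """Words, quoted strings and the ; { } punctuation; comments are dropped."""
    return [m.group(1) for m in TOKEN.finditer(text) if not m.group(1).startswith("#")]


def parse(tokens: List[str], pos: int = 0) -> Tuple[List[Node], int]:
    """Recursive-descent parse; returns (nodes, position after the closing brace)."""
    nodes: List[Node] = []
    while pos < len(tokens):
        if tokens[pos] == "}":
            return nodes, pos + 1
        args: List[str] = []
        while tokens[pos] not in (";", "{"):
            args.append(tokens[pos])
            pos += 1
        if tokens[pos] == ";":
            nodes.append((args[0], args[1:], None))
            pos += 1
        else:
            children, pos = parse(tokens, pos + 1)
            nodes.append((args[0], args[1:], children))
    return nodes, pos


DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LOCAL_UPSTREAMS = ("http://localhost:", "http://127.0.0.1:")


def find(nodes: Optional[list], name: str) -> List[Node]:
    return [n for n in (nodes or []) if n[0] == name]


def lint_server(server: Node) -> List[str]:
    """Findings for one server { } block; an empty list means nothing to flag."""
    _, _, body = server
    names = find(body, "server_name")
    label = " ".join(names[0][1]) if names else "<no server_name>"
    findings: List[str] = []
    if any("ssl" in args for _, args, _ in find(body, "listen")):
        protos = find(body, "ssl_protocols")
        if not protos:
            findings.append(f"{label}: ssl_protocols not set, nginx defaults apply")
        else:
            weak = sorted(set(protos[0][1]) & DEPRECATED_TLS)
            if weak:
                findings.append(f"{label}: deprecated TLS versions enabled: {', '.join(weak)}")
        for _, args, _ in find(body, "ssl_certificate"):
            if not args[0].endswith(".chained.crt"):
                findings.append(f"{label}: ssl_certificate {args[0]} is not the stitched chain file")
    for _, args, children in find(body, "location"):
        for _, pargs, _ in find(children, "proxy_pass"):
            if not pargs[0].startswith(LOCAL_UPSTREAMS):
                findings.append(f"{label}: location {args[-1]} proxies to non-local {pargs[0]}")
    return findings


def lint_config(text: str) -> List[str]:
    nodes, _ = parse(tokenize(text))
    findings: List[str] = []
    for _, _, http_body in find(nodes, "http"):
        for server in find(http_body, "server"):
            findings.extend(lint_server(server))
    return findings


# Constructed excerpt of the article's 8099 server block (fewer headers, same values).
ARTICLE_SSL_SERVER = """
http {
  server {
    listen       8099 ssl;
    server_name  acs.mydomain.ru;
    ssl_certificate /etc/pki/acs_mydomain_ru.chained.crt;
    ssl_certificate_key /etc/pki/acs_mydomain_ru.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location /tr069/ {
      proxy_set_header Host $host;
      proxy_pass http://localhost:8085/tr069/;
    }
  }
}
"""

# Same block, current protocol versions only (TLSv1.3 needs nginx >= 1.13 with OpenSSL 1.1.1).
HARDENED_SSL_SERVER = ARTICLE_SSL_SERVER.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")

if __name__ == "__main__":
    for name, cfg in (("article", ARTICLE_SSL_SERVER), ("hardened", HARDENED_SSL_SERVER)):
        print(name, lint_config(cfg) or "no findings")
```

Point `lint_config` at the full file (`open("/etc/nginx.conf").read()`) to check all three server blocks at once; the port-80 server has no `listen ... ssl`, so only its `proxy_pass` targets are examined.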

Restart Nginx. Forward port 8099 to the FreeACS host. We now have a server that can serve TR-069 clients at https://acs.mydomain.ru:8099/tr069/prov

Open this address in a browser from the Internet. If the response is a 404 with a valid certificate, it's time to try connecting devices.
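A browser is a forgiving client: it will fetch a missing intermediate certificate on its own and still show the padlock, while a CPE's TR-069 client typically will not. The following is an added example, not code from the article or the FreeACS project: it repeats the browser check as a strict Python client (certificate and hostname verified against the system trust store, or against a CA file you pass) and expects the 404 the article describes. Host, port and path default to the article's values; the TLS 1.2 floor is an assumption about what a current client would negotiate, and `probe_acs()` is the only function that touches the network.

```python
"""Probe the public TR-069 endpoint the way a strict CPE sees it.

Added example, not from the article or the FreeACS project. A browser will
often paper over a missing intermediate by fetching it; a TR-069 client will
not. This does one verified TLS handshake and one GET, and expects the 404
the article describes for /tr069/prov.
"""
import http.client
import ssl
from typing import Dict, Optional


def probe_acs(host: str = "acs.mydomain.ru", port: int = 8099,
              path: str = "/tr069/prov", cafile: Optional[str] = None,
              timeout: float = 10.0) -> Dict[str, object]:
    """Never raises; returns what the client saw (TLS result, HTTP status, cert CN, error)."""
    ctx = ssl.create_default_context(cafile=cafile)      # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2         # assumption: a current CPE needs nothing older
    result: Dict[str, object] = {"tls_ok": False, "status": None,
                                 "common_name": None, "error": None}
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.connect()                                   # handshake happens here
        result["tls_ok"] = True
        subject = conn.sock.getpeercert().get("subject", ())
        result["common_name"] = dict(attr for rdn in subject for attr in rdn).get("commonName")
        conn.request("GET", path)
        result["status"] = conn.getresponse().status
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate verification failed: {exc}"
    except OSError as exc:                               # ssl.SSLError and socket errors both derive from OSError
        result["error"] = str(exc)
    finally:
        conn.close()
    return result


def endpoint_ready(result: Dict[str, object]) -> bool:
    """The article's acceptance criterion: valid certificate and a 404 from /tr069/prov."""
    return bool(result["tls_ok"]) and result["status"] == 404 and result["error"] is None


if __name__ == "__main__":
    seen = probe_acs()
    print(seen, "READY" if endpoint_ready(seen) else "NOT READY")
```

Run it from a host outside your network; a `certificate verification failed` error with a browser that shows green almost always means the `.chained.crt` file was not stitched correctly, which is exactly the failure a Mikrotik will report as a failed inform.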

First you need to enable auto-detection of device models.

#/opt/freeacs-tr069/config/application-config.conf 
# Discovery Mode can be set to true if you want to automatically add a new
# unittype and unit. This mode is violating the security of the system,
# because it allows unknown units to connect and then changes will be performed
# in the database. So use this option with caution, preferably when you want to
# add a new unittype to the system. Default is false.
#discovery.mode = false
discovery.mode = true

This option can be disabled later; a second server can be started for learning new device models and its data transferred to production via export/import, but for a start it is very useful.

On your trial Mikrotik, import the certificate we made for Nginx, acs_mydomain_ru.chained.crt, in System / Certificates / Import.
Then install the tr069-client package and specify the ACS URL https://acs.mydomain.ru:8099/tr069/prov and the Username. And you're done.
After clicking Apply, the device connects to the server over https, the Periodic inform interval changes in the window, and a new Unit type and, accordingly, Unit appear on the server.

This concludes the first part. We have a working auto-configuration server serving devices over a secure connection on a separate port that is easy to monitor. The second part will contain pictures, scripts and combat experience with devices.

Thanks to everyone who read. Any comments and corrections will be welcome.
