My question is around authentication when using boot, chain, kernel, initrd, etc. My use case is if I have a URL that returns a boot image that needs an API key header or an OAuth token.
http://ipxe.org/cmd/kernel - From what I understand here, I can pass a timeout, a name, and other arguments that go straight to the image. How do I pass authentication headers?
Additionally, I have a question about best practices regarding secrets as well. What's the alternative to keeping them in the iPXE script in plaintext? I'm actually fine with that, but it would be useful to know best practices.
I would like to think that kernel works the same as chain, which means that:
http://ipxe.org/cmd/login
should work for kernel as well. That is not API keys, though, so if you want it to be server-side, then you would have to have it in an iPXE script, and that iPXE script itself could be protected from outside download by some kind of other secret or login.
Thanks, could you potentially point me to an example using HTTP headers? It's not clear to me how to use them in conjunction with boot, etc.
You cannot control headers, other than via standard HTTP basic auth; the examples that exist are on the linked page.
I can see the benefit of adding something similar to the curl -H parameter (add an arbitrary HTTP header) to the chain command, but I am unsure how complicated it would be. That would allow all sorts of different interactions, including setting the Authorization header for token-based authentication.
Thanks for the insights. I'm currently struggling with designing a boot system from an iPXE USB, and the OS I'm loading has potentially sensitive information/binaries on it. Do you know an example security architecture in conjunction with iPXE boot that seems to be the standard?
The most standard is basic HTTP authentication as described above and on the iPXE login page.
Actual implementation on the server depends on what you are running there, but a search for ".htaccess password" would show how to set up Apache for these kinds of things, though there are many other ways as well.
Another option is to use iPXE's params and do a normal HTTP POST to a webserver with a script that does the authentication.
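As an added example for the two patterns this thread describes (the `login` command feeding HTTP basic auth, and `params` feeding a form POST), here is a small server-side handler. It is not iPXE project code and not anyone's posting in this thread. The boot.example.test host name, the `deploy` user and its password, and the per-MAC pre-shared key table are made-up values, and the two embedded iPXE scripts are constructed to show what the client side would send. Both checks use constant-time comparison so a wrong credential cannot be told apart from a right one by response timing.

```python
"""Server-side checks for the two iPXE authentication patterns discussed
above: HTTP basic auth (fed by the iPXE `login` command) and a form POST
(fed by `params`/`param` and the ##params URL suffix).

Added example for this thread, not iPXE project code. Host names, the
user table and the per-machine PSK table are hypothetical values."""
import base64
import binascii
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Client side, constructed for illustration. `login` prompts for credentials
# and sets ${username}/${password}; iPXE sends them as HTTP basic auth when
# they appear in the URL, so kernel, initrd and chain all work the same way.
IPXE_LOGIN_SCRIPT = """#!ipxe
login
kernel http://${username}:${password}@boot.example.test/vmlinuz initrd=initrd.img
initrd http://${username}:${password}@boot.example.test/initrd.img
boot
"""
# With `params`, the ##params suffix makes iPXE POST the listed values as a
# urlencoded form instead of sending a header.
IPXE_PARAMS_SCRIPT = """#!ipxe
params
param mac ${net0/mac}
param psk ${psk}
chain http://boot.example.test/boot.php##params
"""

_SALT = b"example-salt"  # hypothetical; use a per-user random salt in practice


def _hash_pw(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Hypothetical credential store: username -> PBKDF2 hash of the password.
USERS = {"deploy": _hash_pw(_SALT, "correct horse battery staple")}
# Hypothetical per-machine pre-shared keys, keyed by MAC as iPXE formats it.
MACHINE_PSK = {"52:54:00:12:34:56": "machine-secret-1"}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header iPXE sends for http://user:pass@host/."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def basic_auth_ok(header: Optional[str]) -> bool:
    """True only if the header carries a known user with the right password."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    stored = USERS.get(user)
    candidate = _hash_pw(_SALT, password)  # always hash: unknown users cost the same
    return stored is not None and hmac.compare_digest(stored, candidate)


def params_post_ok(body: bytes) -> bool:
    """Validate the urlencoded body iPXE sends for a ##params POST."""
    fields = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    mac = fields.get("mac", [""])[0].lower()
    psk = fields.get("psk", [""])[0]
    expected = MACHINE_PSK.get(mac)
    return expected is not None and hmac.compare_digest(psk.encode(), expected.encode())


class BootHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # kernel/initrd/script downloads: require basic auth
        if not basic_auth_ok(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="ipxe"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"#!ipxe\necho authenticated\n")

    def do_POST(self):  # ##params target: check the per-machine secret
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        if not params_post_ok(body):
            self.send_response(403)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(IPXE_LOGIN_SCRIPT.encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), BootHandler).serve_forever()
```

Run it and point an iPXE script at http://127.0.0.1:8080/ to try both paths. The `${username}:${password}@` URL form is what makes this work without header control: the credentials ride in the URL that `kernel`, `initrd` and `chain` already accept. Basic auth only keeps the password off the wire when the transport is HTTPS, so an HTTP-only deployment protects the image from casual download but not from anyone sniffing the boot network; that is the gap between this and the bearer-token header the original question asked about.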
Thanks, I appreciate the follow-up on this.