Hello,
I have modified the script:
Code:
#!gpxe
login
shell
chain http://${username:uristring}:${password:uristring}@server.com/menu.c32 menu.php
In the shell
Code:
echo "${username}"
martin
echo "${password}"
test123
Then I entered the "chain" command on the command line. This is what I get from tcpdump:
Code:
$.-.GET /netboot/public/menu.c32 HTTP/1.1
User-Agent: iPXE/1.0.0+ (64dc)
Host: server.com
HTTP/1.1 200 OK
Date: Tue, 02 Sep 2014 11:30:39 GMT
Server: Apache/2.2.10 (Linux/SUSE)
Last-Modified: Mon, 08 Jun 2009 11:56:03 GMT
ETag: "f5e319-dfb4-46bd4ed297ac0"
Accept-Ranges: bytes
Content-Length: 57268
Content-Type: text/plain
And afterwards the generated pxelinux menu is the one for "not authorized" case.
After reading through the source I have added a "private/forbidden" section on the server
with htpasswd/htaccess.
The url now is:
Code:
chain http://${username:uristring}:${password:uristring}@server.com/private/a.txt
and a.txt contains a sample pxelinux menu.
The captured tcpdump now contains:
Code:
GET /netboot/private/a.txt HTTP/1.1
User-Agent: iPXE/1.0.0+ (64dc)
Host: server.com
HTTP/1.1 401 Authorization Required
Date: Tue, 02 Sep 2014 11:41:15 GMT
Server: Apache/2.2.10 (Linux/SUSE)
WWW-Authenticate: Basic realm="Restricted Files"
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
User-Agent: iPXE/1.0.0+ (64dc)
Host: server.com
Authorization: Basic c2xnOnRlc3QxMjM
So here the Basic authorisation works: the a.txt file is delivered
after the first GET command fails with "401".
As a result I would say:
The old gpxe code always sends the Basic Auth, regardless of whether the
server "needs" it or not.
The new ipxe code needs a 401, before it adds the authorisation.
I now have modified the php script and added a
Code:
if (!authenticated()) {
    header("HTTP/1.1 401 Unauthorized", TRUE, 401);
    exit(0);
}
But now it looks like menu.c32 is active, because it does not
send the "Basic Auth" in a second attempt. There is no second
attempt at all.
It looks like, if I'm using COMBOOT and http://${username}:${password}/,
ipxe must always send the Basic Auth.
Maybe this can be done as a config option?
For example in a script
which then sets a global setting.
I think I must prepare a patch for this.
regards,
Martin
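
Added example, not part of the post above and not iPXE or gPXE code: the Apache 401 in the capture carries a `WWW-Authenticate: Basic realm="Restricted Files"` header, while the 401 set in the PHP snippet carries only the status line. The sketch below issues the same challenge from PHP and verifies the credentials on the retried request. The user store, the menu output and the function names are constructed for illustration, and `PHP_AUTH_USER`/`PHP_AUTH_PW` are assumed to be populated (as they are under mod_php).

```php
<?php
// Added example (not the poster's script). Realm and user store are constructed.
const REALM = 'Restricted Files'; // same realm string as the Apache 401 in the capture

function load_users(): array
{
    // Constructed sample entry; a deployment stores precomputed password_hash() output.
    return ['martin' => password_hash('test123', PASSWORD_DEFAULT)];
}

function authenticated(array $server, array $users): bool
{
    // mod_php decodes "Authorization: Basic ..." into these two variables.
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return false; // first request: no credentials offered yet
    }
    // Unknown users are checked against a dummy hash so that response time
    // does not reveal which usernames exist.
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : password_hash('dummy', PASSWORD_DEFAULT);
    return password_verify($pass, $hash) && $known;
}

function challenge(): void
{
    // A 401 has to name the scheme and realm; the status line alone gives
    // the client nothing to answer.
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    header('Content-Type: text/plain');
    echo "Authorization required\n";
}

if (!authenticated($_SERVER, load_users())) {
    challenge();
    exit(0);
}

header('Content-Type: text/plain');
echo "DEFAULT menu.c32\n"; // placeholder for the authorised pxelinux menu
```

Basic credentials are only base64-encoded, as the `Authorization` line in the capture shows, so over plain HTTP anyone who can see the boot network traffic can read them. Whether a request made by menu.c32 itself answers this challenge is not shown in the capture.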