Private Repo for IcingaForWindows with Authentication

mdicss · June 18, 2025, 10:16am

Is there a way to use a private repository location that uses authentication. I would like to pass an authentication header to the web requests, that download the needed files. Adding a header with user and password to the Invoke-WebRequest commands in IcingaForWindows.ps1 seems not to work, as the called Start-IcingaForWindowsInstallation.psm1 still wants to download files without authentication header from the repository. I get:

[Notice]: Starting Icinga for Windows installation
[Notice]: Repository “Icinga Stable” is already registered. Forcing override of data.
[Error]: The remote host “https://icingaweb-server/IcingaForWindows/stable/ifw.repo.json” send an exception response “401”: “The remote server returned an error: (401) Unauthorized.”

moreamazingnick · June 18, 2025, 1:49pm

Since this is meant for:
https://packages.icinga.com/IcingaForWindows/stable/ifw.repo.json

which uses no authentification →

not without a feature request since the powershell framework uses webrequests without any credentials

but this seems promising:

github.com/Icinga/icinga-powershell-framework

lib/core/repository/Read-IcingaRepositoryFile.psm1

854ef78f9


      
          if ([string]::IsNullOrEmpty($Repository.LocalPath) -eq $FALSE -And (Test-Path -Path $Repository.LocalPath)) {

which means you can copy the repository to the local machine using your powershell code and authentification and use the local path which can be set in the repository json file.

lorenz · June 20, 2025, 7:45am

Private Repositories do work in general (although it requires some work), but I am not sure about authentication, since the default toolchain works with the assumption that there is no authentication.
@moreamazingnick probably pointed you to the right place which would have to be modified to add authentication (might not be the only one though).

Why do you want authentication anyway?

mdicss · June 20, 2025, 8:23am

Hi
Thank you for the comments.
I have a VM with Icingaweb2 behind an apache2 webserver. I would like to have a private repository behind the same apache webserver and use authentication for security reasons the same way as I use it for Icingaweb2.
As a workaround, I now have to disable authentication for the location with the repo.

mdicss · June 20, 2025, 8:28am

lorenz · June 20, 2025, 8:34am

Well, correct me if I am wrong, but in that repository would only be files which are publicly available anyway?
And the credentials would be one every machine in the network then.

Is it just, that the webserver configuration was easier with authentication before everything?

mdicss · June 20, 2025, 1:15pm

The configuration was easier and it was already there. I wanted to use a readonly user with minimal permissions. The credentials should be used in an installation skript only and not be stored on all machines (e.g. Ansible and an encrypted password).
The idea is not to protect the files in the repository but the rest of the filesystem and the VM.
But you are right, it is probabely not a big security problem.