docs(toolkit-security): clarify exporter ACL protection is being applied, not optional

- Changed section heading from 'Optional: Restrict...' to 'Restricting...'
- Updated language to 'We are protecting these endpoints' to emphasize ACLs
- Added recommended default AGLT2+CERN subnets to quick-start examples
- Clarified that toolkit provides same protection mechanism as container
- Added guidance on customizing/modifying IP allow-lists
- Updated toolkit installer log messages to be clearer about ACL application
- Updated tools README quick-start to show recommended default subnets

This ensures documentation clearly conveys that exporter endpoints ARE
protected (when --exporter-allowlist is specified), matching the container
deployment model. Users can modify the IP allow-list as needed.

Author: root

docs/perfsonar/tools_scripts/README.md

@@ -76,10 +76,10 @@ Differences from the container orchestrator:
 curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
   | sudo bash -s -- --experiment-id 1 --non-interactive
 
-# Restrict exporter endpoints to monitoring CIDRs
+# With exporter endpoint protection (recommended: AGLT2 + CERN subnets, matches container model)
 curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
   | sudo bash -s -- --experiment-id 1 --non-interactive \
-      --exporter-allowlist "192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50"
+      --exporter-allowlist "192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50,188.184.0.0/17,188.185.0.0/17,188.185.128.0/18,128.142.0.0/16,2001:1458:d00::/48,2001:1458:d03::/48,2001:1458:301::/48,2001:1458:302::/48,2001:1458:303::/48"
 
 # With Let's Encrypt
 curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \

docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh

@@ -244,7 +244,7 @@ step_security() {
   run "${sec_cmd[@]}" || true
 
   if [ -n "$EXPORTER_ALLOWLIST" ]; then
-    log "Applying exporter endpoint ACLs to Apache using allow-list: $EXPORTER_ALLOWLIST"
+    log "Restricting exporter endpoints (/node_exporter/metrics, /perfsonar_host_exporter/) to monitoring subnets: $EXPORTER_ALLOWLIST"
     if [ -x "$HELPER_DIR/tools_scripts/perfSONAR-configure-exporter-acls.sh" ]; then
       run "$HELPER_DIR/tools_scripts/perfSONAR-configure-exporter-acls.sh" \
         --allowlist "$EXPORTER_ALLOWLIST" --yes || true
@@ -253,7 +253,7 @@ step_security() {
       log "WARNING: perfSONAR-configure-exporter-acls.sh not found; skipping exporter ACL configuration."
     fi
   else
-    log "Exporter ACL hardening not requested (use --exporter-allowlist to restrict exporter endpoints)."
+    log "Exporter endpoint ACL protection not configured. Use --exporter-allowlist to restrict access (e.g., --exporter-allowlist \"192.41.230.0/23,2001:48a8:68f7::/50\")."
   fi
 }
 

docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh.sha256

@@ -1 +1 @@
-42abd64fffbb2b45731bfe2d6bc14e144bdd8b2b127f612afc8058c9527f4687  perfSONAR-toolkit-install.sh
+a5d25fbac56fd79a0bdd8c11b5504a1136ff87c0d174f21b6120b3aa054c4eb8  perfSONAR-toolkit-install.sh

docs/perfsonar/tools_scripts/scripts.sha256

@@ -18,7 +18,7 @@ e1944123e17c89e8f202cca960f147397d64ae1e675af132c84b02ced2564abb  node_exporter.
 50dfab90bc21d5c566b713f48b00b079a32a8b8756432a0d0f66ac6a64e6e581  perfSONAR-health-monitor.sh
 e184c633ca9ca5d3d79321213843a4eaa951e5596d3dc05f082e5f76e860e580  install_tools_scripts.sh
 7be726de5dfdbe8f7f5ac8e803b0b71e8f98f1ba274ca70b42f8eba4822cc67b  perfSONAR-orchestrator.sh
-42abd64fffbb2b45731bfe2d6bc14e144bdd8b2b127f612afc8058c9527f4687  perfSONAR-toolkit-install.sh
+a5d25fbac56fd79a0bdd8c11b5504a1136ff87c0d174f21b6120b3aa054c4eb8  perfSONAR-toolkit-install.sh
 cd0e7afd1ca7a20a972e585018802be0cb6f67cd3ffee449dea45d785c23145a  perfSONAR-configure-exporter-acls.sh
 2615a29d65e285391adb547046584c4534ea548e69571b67e0cf35773b010c57  perfSONAR-diagnostic-report.sh
 ac0c8fd6f27cc156ec05c7e6ac3547e0732f436a7033dac34475ece5641a284f  docs/perfsonar/tools_scripts/perfSONAR-install-flowd-go.sh

docs/personas/quick-deploy/install-perfsonar-toolkit.md

@@ -175,11 +175,11 @@ Installation takes approximately 5-10 minutes depending on network speed.
         | sudo bash -s -- --experiment-id 1 --non-interactive
     ```
 
-    To harden exporter endpoints with explicit monitoring subnets at install time:
+    To protect exporter endpoints by restricting access to monitoring subnets (AGLT2 and CERN):
     ```bash
     curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
         | sudo bash -s -- --experiment-id 1 --non-interactive \
-            --exporter-allowlist "192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50"
+            --exporter-allowlist "192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50,188.184.0.0/17,188.185.0.0/17,188.185.128.0/18,128.142.0.0/16,2001:1458:d00::/48,2001:1458:d03::/48,2001:1458:301::/48,2001:1458:302::/48,2001:1458:303::/48"
     ```
 
     See the [tools_scripts README](../../perfsonar/tools_scripts/README.md) for full
@@ -486,22 +486,28 @@ You can use the install script to install the options you want (selinux, fail2ba
 The script writes nftables rules for perfSONAR services, derives SSH allow-lists from `/etc/perfSONAR-multi-nic-
 config.conf`, optionally adjusts SELinux, and enables Fail2ban jails—only if those components are already installed.
 
-### Optional: Restrict exporter endpoints to monitoring subnets
+### Restricting exporter endpoints to monitoring subnets
 
-By default, perfSONAR toolkit Apache configs expose both exporter URLs to any client that can reach HTTPS:
+The toolkit exposes two exporter endpoints via HTTPS:
 
-- `/node_exporter/metrics`
-- `/perfsonar_host_exporter/`
+- `/node_exporter/metrics` (system metrics from Node Exporter, proxied via `localhost:9100`)
+- `/perfsonar_host_exporter/` (host-specific metrics from perfSONAR)
 
-If you want container-style subnet ACL protection for these endpoints, apply explicit allow-lists:
+**We are protecting these endpoints** by allowing access only from designated monitoring subnets, matching the container deployment model. By default, if you specify `--exporter-allowlist` during installation, these endpoints are restricted by Apache `Require ip` rules to the CIDRs you provide.
+
+**Recommended default subnets** (AGLT2 and CERN, matching the container image):
 
 ```bash
 /opt/perfsonar-tp/tools_scripts/perfSONAR-configure-exporter-acls.sh \
-    --allowlist "192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50,2001:1458:d00::/48" --yes
+    --allowlist "192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50,188.184.0.0/17,188.185.0.0/17,188.185.128.0/18,128.142.0.0/16,2001:1458:d00::/48,2001:1458:d03::/48,2001:1458:301::/48,2001:1458:302::/48,2001:1458:303::/48" --yes
 ```
 
-If your site keeps helper scripts under `/opt/perfsonar-toolkit/tools_scripts`, use that path instead.
-This writes `/etc/httpd/conf.d/apache-osg-exporter-restrictions.conf` and reloads Apache.
+**To customize the IPs:** If you want to change or add monitoring subnets, you can either:
+
+1. **At install time:** pass a different `--exporter-allowlist` value to the toolkit installer
+2. **Post-install:** Run the helper script with your custom CIDR list (paths may differ; check where helper scripts are installed)
+
+The helper script writes `/etc/httpd/conf.d/apache-osg-exporter-restrictions.conf` with Apache `<Location>` blocks using `Require ip` directives, and reloads the web server.
 
 ??? info "SSH allow-lists and validation"