feat(toolkit-security): add exporter endpoint ACL hardening for toolkit installs

root · root · commit d23bd97b9269 · 2026-03-02T09:37:01.000-05:00
- add perfSONAR-configure-exporter-acls.sh to enforce Apache CIDR allow-lists
  on /node_exporter/metrics and /perfsonar_host_exporter/
- add --exporter-allowlist to perfSONAR-toolkit-install.sh and wire it into
  step_security
- include new helper in install_tools_scripts bootstrap list
- update toolkit docs/README with hardening guidance and examples
- refresh scripts.sha256 for updated and new helper scripts
diff --git a/docs/perfsonar/tools_scripts/README.md b/docs/perfsonar/tools_scripts/README.md
@@ -27,6 +27,7 @@ for your site — they are not interchangeable:
 | **install_tools_scripts.sh** | — | Bulk installer for all scripts | [Installation](#installation) |
 | **install-systemd-service.sh** | — | Container auto-start on boot | [Container Management](#container-management) |
 | **perfSONAR-install-flowd-go.sh** | v1.1.0 | SciTags flowd-go installer | [SciTags & Fireflies](../scitags-fireflies.md) |
+| **perfSONAR-configure-exporter-acls.sh** | v0.1.0 | Restrict exporter endpoints to monitoring CIDRs | [RPM toolkit deployment](#rpm-toolkit-installer) |
 
 **Latest Updates**: v1.0.0 (Feb 2026) adds `perfSONAR-toolkit-install.sh` for RPM-based toolkit deployments.
 
@@ -75,6 +76,11 @@ Differences from the container orchestrator:
 curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
   | sudo bash -s -- --experiment-id 1 --non-interactive
 
+# Restrict exporter endpoints to monitoring CIDRs
+curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
+  | sudo bash -s -- --experiment-id 1 --non-interactive \
+      --exporter-allowlist "192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50"
+
 # With Let's Encrypt
 curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
   | sudo bash -s -- --fqdn ps.example.org --email admin@example.org \
@@ -86,7 +92,7 @@ curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perf
 ```
 
 Flags: `--bundle {toolkit|testpoint|core|tools}`, `--fqdn`, `--email`, `--experiment-id N`,
-`--no-flowd-go`, `--non-interactive`, `--yes`, `--dry-run`
+`--no-flowd-go`, `--exporter-allowlist "CIDR1,CIDR2,..."`, `--non-interactive`, `--yes`, `--dry-run`
 
 > **RHEL 9 note**: The perfSONAR automated install script (`downloads.perfsonar.net/install`)
 > does not enable CodeReady Builder on Satellite-managed RHEL systems.  
diff --git a/docs/perfsonar/tools_scripts/install_tools_scripts.sh b/docs/perfsonar/tools_scripts/install_tools_scripts.sh
@@ -5,6 +5,8 @@ set -euo pipefail
 # Purpose: Ensure the perfSONAR testpoint repository is cloned and the tools_scripts
 #          directory is present under /opt/perfsonar-tp/tools_scripts.
 #
+# Version: 1.0.7 - 2026-03-02
+#   - Add perfSONAR-configure-exporter-acls.sh to download list for toolkit/container exporter ACL hardening.
 # Version: 1.0.6 - 2026-02-27
 #   - Add perfSONAR-install-flowd-go.sh to download list for SciTags/flowd-go integration.
 # Version: 1.0.5 - 2026-02-26
@@ -18,7 +20,7 @@ set -euo pipefail
 # Author: Shawn McKee, University of Michigan
 # Acknowledgements: Supported by IRIS-HEP and OSG-LHC
 
-VERSION="1.0.6"
+VERSION="1.0.7"
 PROG_NAME="$(basename "$0")"
 
 # Check for --version or --help flags
@@ -97,6 +99,7 @@ files=(
     perfSONAR-health-monitor.sh
     perfSONAR-diagnostic-report.sh
     perfSONAR-install-flowd-go.sh
+    perfSONAR-configure-exporter-acls.sh
     seed_testpoint_host_dirs.sh
     update-perfsonar-deployment.sh
     perfSONAR-orchestrator.sh
diff --git a/docs/perfsonar/tools_scripts/perfSONAR-configure-exporter-acls.sh b/docs/perfsonar/tools_scripts/perfSONAR-configure-exporter-acls.sh
@@ -0,0 +1,177 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+VERSION="0.1.0"
+LOG_FILE="/var/log/perfSONAR-configure-exporter-acls.log"
+ACL_FILE="/etc/httpd/conf.d/apache-osg-exporter-restrictions.conf"
+ALLOWLIST=""
+DRY_RUN=false
+AUTO_YES=false
+
+log() {
+  local ts
+  ts="$(date +'%Y-%m-%d %H:%M:%S')"
+  echo "$ts $*" | tee -a "$LOG_FILE"
+}
+
+usage() {
+  cat <<'EOF'
+Usage: perfSONAR-configure-exporter-acls.sh --allowlist "CIDR1,CIDR2,..." [--yes] [--dry-run]
+
+Restrict exporter endpoints exposed by Apache:
+  - /node_exporter/metrics
+  - /perfsonar_host_exporter/
+
+Options:
+  --allowlist CSV   Comma-separated CIDRs/IPs allowed to access exporter endpoints
+  --yes             Skip confirmation prompt
+  --dry-run         Print actions without writing files
+  --help, -h        Show help
+EOF
+}
+
+confirm() {
+  if [ "$AUTO_YES" = true ]; then
+    return 0
+  fi
+  read -r -p "Apply exporter ACL restrictions now? [y/N]: " ans
+  case "${ans:-}" in
+    y|Y|yes|YES) return 0 ;;
+    *) log "Cancelled by user."; return 1 ;;
+  esac
+}
+
+need_root() {
+  if [ "$(id -u)" -ne 0 ]; then
+    echo "Run as root." >&2
+    exit 1
+  fi
+}
+
+run() {
+  log "CMD: $*"
+  if [ "$DRY_RUN" = true ]; then
+    echo "[DRY-RUN] $*"
+    return 0
+  fi
+  "$@"
+}
+
+is_valid_ip_or_cidr() {
+  python3 - "$1" <<'PY'
+import ipaddress
+import sys
+value = sys.argv[1]
+try:
+    if '/' in value:
+        ipaddress.ip_network(value, strict=False)
+    else:
+        ipaddress.ip_address(value)
+except Exception:
+    sys.exit(1)
+sys.exit(0)
+PY
+}
+
+parse_cli() {
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --allowlist) ALLOWLIST="${2:-}"; shift 2 ;;
+      --yes) AUTO_YES=true; shift ;;
+      --dry-run) DRY_RUN=true; shift ;;
+      --help|-h) usage; exit 0 ;;
+      *) echo "Unknown argument: $1" >&2; exit 2 ;;
+    esac
+  done
+}
+
+render_require_lines() {
+  local csv="$1"
+  local item
+  IFS=',' read -r -a entries <<< "$csv"
+
+  printf '    Require ip 127.0.0.1\n'
+  printf '    Require ip ::1\n'
+
+  for item in "${entries[@]}"; do
+    item="${item// /}"
+    [ -z "$item" ] && continue
+    if ! is_valid_ip_or_cidr "$item"; then
+      echo "Invalid IP/CIDR in --allowlist: $item" >&2
+      exit 3
+    fi
+    printf '    Require ip %s\n' "$item"
+  done
+}
+
+write_acl_file() {
+  local tmp_file
+  tmp_file="$(mktemp)"
+  local require_lines
+  require_lines="$(render_require_lines "$ALLOWLIST")"
+
+  cat > "$tmp_file" <<EOF
+# Managed by perfSONAR-configure-exporter-acls.sh v${VERSION}
+# Restricts exporter endpoints to explicit allow-list entries.
+
+<Location /node_exporter/metrics>
+<RequireAny>
+${require_lines}
+</RequireAny>
+</Location>
+
+<Location /perfsonar_host_exporter/>
+<RequireAny>
+${require_lines}
+</RequireAny>
+</Location>
+EOF
+
+  run mkdir -p "$(dirname "$ACL_FILE")"
+  if [ -f "$ACL_FILE" ]; then
+    run cp -a "$ACL_FILE" "${ACL_FILE}.bak.$(date +%s)"
+  fi
+  run cp "$tmp_file" "$ACL_FILE"
+  run chmod 0644 "$ACL_FILE"
+  rm -f "$tmp_file"
+}
+
+verify_httpd_config() {
+  if command -v apachectl >/dev/null 2>&1; then
+    run apachectl configtest
+  elif command -v httpd >/dev/null 2>&1; then
+    run httpd -t
+  else
+    log "Apache config test command not found; skipping syntax validation."
+  fi
+}
+
+reload_httpd() {
+  if command -v systemctl >/dev/null 2>&1; then
+    run systemctl reload httpd || run systemctl reload apache2 || true
+  fi
+}
+
+main() {
+  need_root
+  parse_cli "$@"
+
+  if [ -z "$ALLOWLIST" ]; then
+    echo "--allowlist is required" >&2
+    usage
+    exit 2
+  fi
+
+  log "Starting exporter ACL configuration"
+  log "Allow-list: $ALLOWLIST"
+
+  confirm || exit 0
+  write_acl_file
+  verify_httpd_config
+  reload_httpd
+
+  log "Exporter ACL configuration complete."
+  log "ACL file: $ACL_FILE"
+}
+
+main "$@"
diff --git a/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh b/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# Version: 1.0.2
+# Version: 1.0.3
 # Author: Shawn McKee, University of Michigan
 # Acknowledgements: Supported by IRIS-HEP and OSG-LHC
 
@@ -34,6 +34,8 @@ set -euo pipefail
 #   --experiment-id N      SciTags experiment ID for flowd-go (1-14; interactive prompt if omitted)
 #   --no-firefly-receiver  Disable fireflyp plugin in flowd-go config (use with flowd-go 2.4.x RPM)
 #                          Requires flowd-go >= 2.5.0; omit with current 2.4.2 RPM to avoid errors
+#   --exporter-allowlist   Comma-separated CIDRs/IPs allowed to access exporter endpoints
+#                          (/node_exporter/metrics and /perfsonar_host_exporter/)
 #
 # Log:
 #   /var/log/perfsonar-toolkit-install.log
@@ -45,6 +47,7 @@ NON_INTERACTIVE=false
 INSTALL_FLOWD_GO=true
 FLOWD_GO_EXPERIMENT_ID=""
 NO_FIREFLY_RECEIVER=false
+EXPORTER_ALLOWLIST=""
 BUNDLE="toolkit"
 LE_FQDN=""
 LE_EMAIL=""
@@ -100,6 +103,7 @@ parse_cli() {
       --no-flowd-go)         INSTALL_FLOWD_GO=false; shift;;
       --experiment-id)       FLOWD_GO_EXPERIMENT_ID="${2:-}"; shift 2;;
       --no-firefly-receiver) NO_FIREFLY_RECEIVER=true; shift;;
+      --exporter-allowlist)  EXPORTER_ALLOWLIST="${2:-}"; shift 2;;
       --help|-h)        sed -n '1,80p' "$0"; exit 0;;
       *) echo "Unknown argument: $1" >&2; exit 2;;
     esac
@@ -238,6 +242,19 @@ step_security() {
     sec_cmd+=(--perf-ports 80)
   fi
   run "${sec_cmd[@]}" || true
+
+  if [ -n "$EXPORTER_ALLOWLIST" ]; then
+    log "Applying exporter endpoint ACLs to Apache using allow-list: $EXPORTER_ALLOWLIST"
+    if [ -x "$HELPER_DIR/tools_scripts/perfSONAR-configure-exporter-acls.sh" ]; then
+      run "$HELPER_DIR/tools_scripts/perfSONAR-configure-exporter-acls.sh" \
+        --allowlist "$EXPORTER_ALLOWLIST" --yes || true
+      run systemctl reload httpd || run systemctl reload apache2 || true
+    else
+      log "WARNING: perfSONAR-configure-exporter-acls.sh not found; skipping exporter ACL configuration."
+    fi
+  else
+    log "Exporter ACL hardening not requested (use --exporter-allowlist to restrict exporter endpoints)."
+  fi
 }
 
 # ---------------------------------------------------------------------------
diff --git a/docs/perfsonar/tools_scripts/scripts.sha256 b/docs/perfsonar/tools_scripts/scripts.sha256
@@ -16,9 +16,10 @@ bedd3dc88debd85605613922d3b35d4b25f5655edfb824e71aacb3d6a9924dc0  repair-state-j
 e1944123e17c89e8f202cca960f147397d64ae1e675af132c84b02ced2564abb  node_exporter.defaults
 76f49ce6e5ee00a0f35026ee6b87b44448355549fe78b3b0873b49bbece1ccf1  testpoint-entrypoint-wrapper.sh
 50dfab90bc21d5c566b713f48b00b079a32a8b8756432a0d0f66ac6a64e6e581  perfSONAR-health-monitor.sh
-d8e3cc4a03725c7fb6e12c13e5036e7c6a3af301a1f1e728690ce9ad3ab8aa96  install_tools_scripts.sh
+e184c633ca9ca5d3d79321213843a4eaa951e5596d3dc05f082e5f76e860e580  install_tools_scripts.sh
 7be726de5dfdbe8f7f5ac8e803b0b71e8f98f1ba274ca70b42f8eba4822cc67b  perfSONAR-orchestrator.sh
-eea859a611996827d36f852a052c1cb48adac969888110b902d3dd00f53ca10f  perfSONAR-toolkit-install.sh
+42abd64fffbb2b45731bfe2d6bc14e144bdd8b2b127f612afc8058c9527f4687  perfSONAR-toolkit-install.sh
+cd0e7afd1ca7a20a972e585018802be0cb6f67cd3ffee449dea45d785c23145a  perfSONAR-configure-exporter-acls.sh
 2615a29d65e285391adb547046584c4534ea548e69571b67e0cf35773b010c57  perfSONAR-diagnostic-report.sh
 ac0c8fd6f27cc156ec05c7e6ac3547e0732f436a7033dac34475ece5641a284f  docs/perfsonar/tools_scripts/perfSONAR-install-flowd-go.sh
 39d226a857eb1a0956003c75ca8b558fcb55c63176286ca9597f031d08cb38a7  docs/perfsonar/tools_scripts/update-perfsonar-deployment.sh
diff --git a/docs/personas/quick-deploy/install-perfsonar-toolkit.md b/docs/personas/quick-deploy/install-perfsonar-toolkit.md
@@ -175,6 +175,13 @@ Installation takes approximately 5-10 minutes depending on network speed.
         | sudo bash -s -- --experiment-id 1 --non-interactive
     ```
 
+    To harden exporter endpoints with explicit monitoring subnets at install time:
+    ```bash
+    curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
+        | sudo bash -s -- --experiment-id 1 --non-interactive \
+            --exporter-allowlist "192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50"
+    ```
+
     See the [tools_scripts README](../../perfsonar/tools_scripts/README.md) for full
     flag documentation and the pre-installation checklist.
 
@@ -479,6 +486,23 @@ You can use the install script to install the options you want (selinux, fail2ba
 The script writes nftables rules for perfSONAR services, derives SSH allow-lists from `/etc/perfSONAR-multi-nic-
 config.conf`, optionally adjusts SELinux, and enables Fail2ban jails—only if those components are already installed.
 
+### Optional: Restrict exporter endpoints to monitoring subnets
+
+By default, perfSONAR toolkit Apache configs expose both exporter URLs to any client that can reach HTTPS:
+
+- `/node_exporter/metrics`
+- `/perfsonar_host_exporter/`
+
+If you want container-style subnet ACL protection for these endpoints, apply explicit allow-lists:
+
+```bash
+/opt/perfsonar-tp/tools_scripts/perfSONAR-configure-exporter-acls.sh \
+    --allowlist "192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50,2001:1458:d00::/48" --yes
+```
+
+If your site keeps helper scripts under `/opt/perfsonar-toolkit/tools_scripts`, use that path instead.
+This writes `/etc/httpd/conf.d/apache-osg-exporter-restrictions.conf` and reloads Apache.
+
 ??? info "SSH allow-lists and validation"
         
     - **Auto-detects current SSH clients:** The script captures the IP address of your current SSH connection (via `$SSH_CONNECTION`) and active SSH connections (via `ss`) to ensure your SSH access is not interrupted when the firewall is applied.
