feat(toolkit-security): default exporter ACL protection matching container model (v1.1.0)

- Updated perfSONAR-toolkit-install.sh to apply AGLT2+CERN exporter ACLs by default
- Added DEFAULT_EXPORTER_ALLOWLIST constant with container-matching subnets
- Users can override with --exporter-allowlist or disable with --no-exporter-acls
- Updated documentation to clarify protection is ON by default (not optional)
- Quick-start examples now show ACL protection is automatic
- Verified: nftables firewall allows port 443; Apache applies IP-level ACLs
- All DEFAULT_EXPORTER_ALLOWLIST subnets configured on deployed hosts

Closes gap: toolkit installations now have same protection as container builds.

Author: root

docs/perfsonar/tools_scripts/README.md

@@ -73,13 +73,18 @@ Differences from the container orchestrator:
 
 ```bash
 # Quick start — full toolkit, ATLAS (experiment 1), no LE cert
+# (Includes exporter endpoint ACL protection by default for AGLT2 + CERN)
 curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
   | sudo bash -s -- --experiment-id 1 --non-interactive
 
-# With exporter endpoint protection (recommended: AGLT2 + CERN subnets, matches container model)
+# Override default exporter allow-list with custom subnets
 curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
   | sudo bash -s -- --experiment-id 1 --non-interactive \
-      --exporter-allowlist "192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50,188.184.0.0/17,188.185.0.0/17,188.185.128.0/18,128.142.0.0/16,2001:1458:d00::/48,2001:1458:d03::/48,2001:1458:301::/48,2001:1458:302::/48,2001:1458:303::/48"
+      --exporter-allowlist "YOUR_SUBNET_1,YOUR_SUBNET_2"
+
+# Disable exporter endpoint ACL protection (not recommended)
+curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
+  | sudo bash -s -- --experiment-id 1 --non-interactive --no-exporter-acls
 
 # With Let's Encrypt
 curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
@@ -92,7 +97,7 @@ curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perf
 ```
 
 Flags: `--bundle {toolkit|testpoint|core|tools}`, `--fqdn`, `--email`, `--experiment-id N`,
-`--no-flowd-go`, `--exporter-allowlist "CIDR1,CIDR2,..."`, `--non-interactive`, `--yes`, `--dry-run`
+`--no-flowd-go`, `--exporter-allowlist "CIDR1,CIDR2,..."` (override defaults), `--no-exporter-acls` (disable protection), `--non-interactive`, `--yes`, `--dry-run`
 
 > **RHEL 9 note**: The perfSONAR automated install script (`downloads.perfsonar.net/install`)
 > does not enable CodeReady Builder on Satellite-managed RHEL systems.  

docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# Version: 1.0.3
+# Version: 1.1.0
 # Author: Shawn McKee, University of Michigan
 # Acknowledgements: Supported by IRIS-HEP and OSG-LHC
 
@@ -34,8 +34,10 @@ set -euo pipefail
 #   --experiment-id N      SciTags experiment ID for flowd-go (1-14; interactive prompt if omitted)
 #   --no-firefly-receiver  Disable fireflyp plugin in flowd-go config (use with flowd-go 2.4.x RPM)
 #                          Requires flowd-go >= 2.5.0; omit with current 2.4.2 RPM to avoid errors
-#   --exporter-allowlist   Comma-separated CIDRs/IPs allowed to access exporter endpoints
+#   --exporter-allowlist   Override default exporter endpoint allow-list (comma-separated CIDRs/IPs)
+#                          Default: AGLT2 + CERN monitoring subnets (matching container protection)
 #                          (/node_exporter/metrics and /perfsonar_host_exporter/)
+#   --no-exporter-acls     Disable exporter endpoint ACL protection (not recommended)
 #
 # Log:
 #   /var/log/perfsonar-toolkit-install.log
@@ -47,11 +49,15 @@ NON_INTERACTIVE=false
 INSTALL_FLOWD_GO=true
 FLOWD_GO_EXPERIMENT_ID=""
 NO_FIREFLY_RECEIVER=false
-EXPORTER_ALLOWLIST=""
+NO_EXPORTER_ACLS=false
 BUNDLE="toolkit"
 LE_FQDN=""
 LE_EMAIL=""
 
+# Default exporter endpoint ACL allow-list (AGLT2 + CERN, matching container)
+DEFAULT_EXPORTER_ALLOWLIST="192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50,188.184.0.0/17,188.185.0.0/17,188.185.128.0/18,128.142.0.0/16,2001:1458:d00::/48,2001:1458:d03::/48,2001:1458:301::/48,2001:1458:302::/48,2001:1458:303::/48"
+EXPORTER_ALLOWLIST="$DEFAULT_EXPORTER_ALLOWLIST"
+
 # Repo + package constants
 PERFSONA_REPO_URL="http://software.internet2.edu/rpms/el9/x86_64/latest/packages/perfsonar-repo-0.11-1.noarch.rpm"
 EPEL_REPO_URL="https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
@@ -104,6 +110,7 @@ parse_cli() {
       --experiment-id)       FLOWD_GO_EXPERIMENT_ID="${2:-}"; shift 2;;
       --no-firefly-receiver) NO_FIREFLY_RECEIVER=true; shift;;
       --exporter-allowlist)  EXPORTER_ALLOWLIST="${2:-}"; shift 2;;
+      --no-exporter-acls)    NO_EXPORTER_ACLS=true; EXPORTER_ALLOWLIST=""; shift;;
       --help|-h)        sed -n '1,80p' "$0"; exit 0;;
       *) echo "Unknown argument: $1" >&2; exit 2;;
     esac
@@ -243,17 +250,17 @@ step_security() {
   fi
   run "${sec_cmd[@]}" || true
 
-  if [ -n "$EXPORTER_ALLOWLIST" ]; then
-    log "Restricting exporter endpoints (/node_exporter/metrics, /perfsonar_host_exporter/) to monitoring subnets: $EXPORTER_ALLOWLIST"
+  if [ "$NO_EXPORTER_ACLS" = true ]; then
+    log "WARNING: Exporter endpoint ACL protection is DISABLED (--no-exporter-acls). Both /node_exporter/metrics and /perfsonar_host_exporter/ will be accessible from any HTTPS client. This is not recommended."
+  else
+    log "Protecting exporter endpoints (/node_exporter/metrics, /perfsonar_host_exporter/) with ACLs for: $EXPORTER_ALLOWLIST"
     if [ -x "$HELPER_DIR/tools_scripts/perfSONAR-configure-exporter-acls.sh" ]; then
       run "$HELPER_DIR/tools_scripts/perfSONAR-configure-exporter-acls.sh" \
         --allowlist "$EXPORTER_ALLOWLIST" --yes || true
       run systemctl reload httpd || run systemctl reload apache2 || true
     else
       log "WARNING: perfSONAR-configure-exporter-acls.sh not found; skipping exporter ACL configuration."
     fi
-  else
-    log "Exporter endpoint ACL protection not configured. Use --exporter-allowlist to restrict access (e.g., --exporter-allowlist \"192.41.230.0/23,2001:48a8:68f7::/50\")."
   fi
 }
 

docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh.sha256

@@ -1 +1 @@
-a5d25fbac56fd79a0bdd8c11b5504a1136ff87c0d174f21b6120b3aa054c4eb8  perfSONAR-toolkit-install.sh
+5e2f395b3c02f342a1ca263b3d8620ee1ce835048b8a48a5f407f3ace43f3b5a  perfSONAR-toolkit-install.sh

docs/perfsonar/tools_scripts/scripts.sha256

@@ -18,7 +18,7 @@ e1944123e17c89e8f202cca960f147397d64ae1e675af132c84b02ced2564abb  node_exporter.
 50dfab90bc21d5c566b713f48b00b079a32a8b8756432a0d0f66ac6a64e6e581  perfSONAR-health-monitor.sh
 e184c633ca9ca5d3d79321213843a4eaa951e5596d3dc05f082e5f76e860e580  install_tools_scripts.sh
 7be726de5dfdbe8f7f5ac8e803b0b71e8f98f1ba274ca70b42f8eba4822cc67b  perfSONAR-orchestrator.sh
-a5d25fbac56fd79a0bdd8c11b5504a1136ff87c0d174f21b6120b3aa054c4eb8  perfSONAR-toolkit-install.sh
+5e2f395b3c02f342a1ca263b3d8620ee1ce835048b8a48a5f407f3ace43f3b5a  perfSONAR-toolkit-install.sh
 cd0e7afd1ca7a20a972e585018802be0cb6f67cd3ffee449dea45d785c23145a  perfSONAR-configure-exporter-acls.sh
 2615a29d65e285391adb547046584c4534ea548e69571b67e0cf35773b010c57  perfSONAR-diagnostic-report.sh
 ac0c8fd6f27cc156ec05c7e6ac3547e0732f436a7033dac34475ece5641a284f  docs/perfsonar/tools_scripts/perfSONAR-install-flowd-go.sh

docs/personas/quick-deploy/install-perfsonar-toolkit.md

@@ -171,15 +171,25 @@ Installation takes approximately 5-10 minutes depending on network speed.
     runs post-install configuration, and optionally installs flowd-go:
 
     ```bash
+    # Standard installation (includes exporter ACL protection by default for AGLT2 + CERN)
     curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
         | sudo bash -s -- --experiment-id 1 --non-interactive
     ```
 
-    To protect exporter endpoints by restricting access to monitoring subnets (AGLT2 and CERN):
+    The exporter endpoints are **protected by default** with Apache `Require ip` ACLs for AGLT2 and CERN monitoring subnets, matching the container deployment model. To customize the allow-list:
+
     ```bash
+    # Override the default allow-list with your own subnets
     curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
         | sudo bash -s -- --experiment-id 1 --non-interactive \
-            --exporter-allowlist "192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50,188.184.0.0/17,188.185.0.0/17,188.185.128.0/18,128.142.0.0/16,2001:1458:d00::/48,2001:1458:d03::/48,2001:1458:301::/48,2001:1458:302::/48,2001:1458:303::/48"
+            --exporter-allowlist "YOUR_SUBNET_1,YOUR_SUBNET_2"
+    ```
+
+    To disable ACL protection on exporter endpoints (not recommended):
+
+    ```bash
+    curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
+        | sudo bash -s -- --experiment-id 1 --non-interactive --no-exporter-acls
     ```
 
     See the [tools_scripts README](../../perfsonar/tools_scripts/README.md) for full
@@ -486,28 +496,46 @@ You can use the install script to install the options you want (selinux, fail2ba
 The script writes nftables rules for perfSONAR services, derives SSH allow-lists from `/etc/perfSONAR-multi-nic-
 config.conf`, optionally adjusts SELinux, and enables Fail2ban jails—only if those components are already installed.
 
-### Restricting exporter endpoints to monitoring subnets
+### Exporter endpoint protection (on by default)
 
 The toolkit exposes two exporter endpoints via HTTPS:
 
 - `/node_exporter/metrics` (system metrics from Node Exporter, proxied via `localhost:9100`)
 - `/perfsonar_host_exporter/` (host-specific metrics from perfSONAR)
 
-**We are protecting these endpoints** by allowing access only from designated monitoring subnets, matching the container deployment model. By default, if you specify `--exporter-allowlist` during installation, these endpoints are restricted by Apache `Require ip` rules to the CIDRs you provide.
+**These endpoints are protected by default** with Apache `Require ip` ACLs that restrict access to AGLT2 and CERN monitoring subnets, matching the container deployment protection model. This happens automatically during installation without any additional flags required.
+
+**Default protected subnets** (same as container image):
+- AGLT2 IPv4: `192.41.230.0/23`, `192.41.236.0/23`
+- AGLT2 IPv6: `2001:48a8:68f7::/50`
+- CERN IPv4: `188.184.0.0/17`, `188.185.0.0/17`, `188.185.128.0/18`, `128.142.0.0/16`
+- CERN IPv6: `2001:1458:d00::/48`, `2001:1458:d03::/48`, `2001:1458:301::/48`, `2001:1458:302::/48`, `2001:1458:303::/48`
 
-**Recommended default subnets** (AGLT2 and CERN, matching the container image):
+**To customize the allow-list:**
+
+If your site needs different monitoring subnets, override the defaults at install time:
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
+    | sudo bash -s -- --experiment-id 1 --non-interactive \
+        --exporter-allowlist "YOUR_SUBNET_1,YOUR_SUBNET_2,YOUR_SUBNET_3"
+```
+
+Or, if the toolkit is already installed, use the helper script directly:
 
 ```bash
 /opt/perfsonar-tp/tools_scripts/perfSONAR-configure-exporter-acls.sh \
-    --allowlist "192.41.230.0/23,192.41.236.0/23,2001:48a8:68f7::/50,188.184.0.0/17,188.185.0.0/17,188.185.128.0/18,128.142.0.0/16,2001:1458:d00::/48,2001:1458:d03::/48,2001:1458:301::/48,2001:1458:302::/48,2001:1458:303::/48" --yes
+    --allowlist "YOUR_SUBNET_1,YOUR_SUBNET_2,YOUR_SUBNET_3" --yes
 ```
 
-**To customize the IPs:** If you want to change or add monitoring subnets, you can either:
+**To disable protection** (not recommended—exposing exporter metrics to any HTTPS client):
 
-1. **At install time:** pass a different `--exporter-allowlist` value to the toolkit installer
-2. **Post-install:** Run the helper script with your custom CIDR list (paths may differ; check where helper scripts are installed)
+```bash
+curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/perfSONAR-toolkit-install.sh \
+    | sudo bash -s -- --experiment-id 1 --non-interactive --no-exporter-acls
+```
 
-The helper script writes `/etc/httpd/conf.d/apache-osg-exporter-restrictions.conf` with Apache `<Location>` blocks using `Require ip` directives, and reloads the web server.
+The ACL configuration writes to `/etc/httpd/conf.d/apache-osg-exporter-restrictions.conf` with Apache `<Location>` blocks using `Require ip` directives, and reloads the web server.
 
 ??? info "SSH allow-lists and validation"