
perfsonar-user - Re: [perfsonar-user] Security guidance and http(s)

Subject: perfSONAR User Q&A and Other Discussion

  • From: Andrew Lake
  • To: Tim Chown, perfsonar-user
  • Subject: Re: [perfsonar-user] Security guidance and http(s)
  • Date: Wed, 22 May 2024 19:55:59 +0000

Hi Tim,

I don’t think I realized that page existed. It seems to be pulled straight from an older version of this page: https://docs.perfsonar.net/manage_security.html

It seems to address your questions (no more port 80 and 443 is attributed to pscheduler). We should probably redirect to the docs page so there is a single source of truth and they don’t get out of sync. 

If a site blocks 443 and wants external tests then reverse throughput tests will be most affected since the remote pscheduler will kick off the test. Other tests like latency should work fine assuming nothing else is blocked. Another option is to run pscheduler on a non-standard port...which then requires additional configuration when defining the test in psconfig. See https://docs.perfsonar.net/psconfig_templates_advanced.html#using-non-standard-pscheduler-ports-and-addresses

Yet another option is to run a testpoint with 443 open and an archive + Grafana UI with 443 blocked in 5.1.0 if they just don’t want to expose the web pages.

Thanks,
Andy


On May 22, 2024 at 7:04:41 AM, Tim Chown wrote:

Hi,

We’ve had some queries about firewall settings for perfSONAR, in particular for http(s).

I believe the current relevant guidance is at https://www.perfsonar.net/deployment_security.html, which lists ports 80 and 443 as “management interfaces”.

A couple of questions from that. The first is whether port 80 is needed any more. Is all web activity now on 443?

And secondly, what specifically is 443 used for? There’s access to the “toolkit” page, there’s also presumably pscheduler’s negotiation of tests and their scheduling, and subsequent retrieval of measurement results? What else is 443 required for?

It might be nice to be explicit in what the “management” is, given it seems a common question.

We have had some sites ask whether they can keep web access / port 443 internal only, to have just an internal toolkit view. Is that possible if tests are configured via a remote configuration file that’s pulled down and results are sent to a remote archive?

Thanks,
Tim
