
perfsonar-user - Re: [perfsonar-user] Security guidance and http(s)

Subject: perfSONAR User Q&A and Other Discussion


Re: [perfsonar-user] Security guidance and http(s)


  • From: Tim Chown <>
  • To: Andrew Lake <>, perfsonar-user <>
  • Subject: Re: [perfsonar-user] Security guidance and http(s)
  • Date: Thu, 23 May 2024 08:31:27 +0000

Hi Andy,

Hi Tim,

I don’t think I realized that page existed. It seems to be pulled straight from an older version of this page: https://docs.perfsonar.net/manage_security.html

It’s the top hit for googling “perfsonar firewall”, so perhaps delete it if it’s no longer active.

It seems to address your questions (no more port 80 and 443 is attributed to pscheduler). We should probably redirect to the docs page so there is a single source of truth and they don’t get out of sync.

That would seem a good idea.

If a site blocks 443 and wants external tests then reverse throughput tests will be most affected since the remote pscheduler will kick off the test. Other tests like latency should work fine assuming nothing else is blocked. Another option is to run pscheduler on a non-standard port...which then requires additional configuration when defining the test in psconfig. See https://docs.perfsonar.net/psconfig_templates_advanced.html#using-non-standard-pscheduler-ports-and-addresses

Yet another option is to run a testpoint with 443 open and an archive + Grafana UI with 443 blocked in 5.1.0 if they just don’t want to expose the web pages.

 

I don’t quite follow what you’re saying there. Port 443 is either open or closed, or do you mean controlled via the limits file configuration?

Our most recent example of a question is a site that wishes to have the configuration (toolkit) UI only accessible internally (I think they may have a dedicated management interface on the system) and to have 443 closed externally. Hence the query as to whether if they do that, pull the test config from a remote config server, and archive results remotely, that they can then be in a test mesh and view the mesh results (including theirs) via the Grafana interface on the remote archive server.

Tim

Thanks,

Andy

On May 22, 2024 at 7:04:41 AM, Tim Chown () wrote:

Hi,

We’ve had some queries about firewall settings for perfSONAR, in particular for http(s).

I believe the current relevant guidance is at https://www.perfsonar.net/deployment_security.html, which lists ports 80 and 443 as “management interfaces”.

A couple of questions from that. The first is whether port 80 is needed any more. Is all web activity now on 443?

And secondly, what specifically is 443 used for? There’s access to the “toolkit” page, there’s also presumably pscheduler’s negotiation of tests and their scheduling, and subsequent retrieval of measurement results? What else is 443 required for?

It might be nice to be explicit in what the “management” is, given it seems a common question.

We have had some sites ask whether they can keep web access / port 443 internal only, to have just an internal toolkit view. Is that possible if tests are configured via a remote configuration file that’s pulled down and results are sent to a remote archive?

Thanks,

Tim
