Modify Apache default page for testpoint bundle #490
Comments
It is a simple change, but doing it by default comes with the risk of clobbering something else that was put in place on purpose.
So can you as developers assess it? I'm just passing on what the user says; it seems like a strong objection for his CERT team. We may accept such an RFE or not, but let's be clear on the impact of doing or not doing it.
There are three things we could do:

First would be to unconditionally force a home page onto the system. This is bull-in-a-china-shop behavior that will cause aggravation for people whose systems aren't perfSONAR-exclusive and have installed a custom home page and would do so during installation and every upgrade.

Second would be to develop a package that can detect the stock home pages on the distributions we support and replace them with something else. This is a reasonably-safe option but is yet another thing we have to keep on top of that isn't relevant to perfSONAR. If the distribution changes the page contents or the way it's configured across an upgrade and we don't notice it, the default home page will end up in place and we'll get security complaints about it.

Third is the solution I favor: do nothing. With the exception of the Docker container, perfSONAR is not provided as a turnkey system and has not been since we stopped distributing the ISO last year. What we provide is a set of packages that installs, configures and secures what's necessary for perfSONAR to function and touches nothing else. This is a system hygiene problem. If a site's security regime includes disabling unused services and firewalling ports that shouldn't be accessed from the outside, adding an appropriate Apache home page deemed appropriate should fall into the same category. Many of our users do this sort of thing.
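The second option in the comment above (recognise the distribution's stock page and replace only that), sketched as an added example that is not perfSONAR code: the digest list, the placeholder page and every path are assumptions supplied by the caller, and the stock page is assumed to be a regular file. It also shows the failure mode the comment describes, where a stock page the distribution has since changed no longer matches and is left in place.

```shell
#!/bin/sh
# Added example: replace the served index page only when it is a known
# stock page. Digest list and all paths are supplied by the caller.

# Print the SHA-256 of a file (hex digest only; sha256sum is from coreutils).
file_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# replace_if_stock INDEX PLACEHOLDER KNOWN_DIGESTS
#   INDEX          page currently served (hypothetical docroot index file)
#   PLACEHOLDER    neutral page to install in its place
#   KNOWN_DIGESTS  file with one SHA-256 per line of recognised stock pages
# Prints one of: absent | already-placeholder | replaced | kept
replace_if_stock() {
    index=$1 placeholder=$2 known=$3

    # No page at all: creating one would change the site's behaviour.
    [ -f "$index" ] || { echo absent; return 0; }

    current=$(file_digest "$index")

    # Idempotent across upgrades: our own page is left alone.
    if [ "$current" = "$(file_digest "$placeholder")" ]; then
        echo already-placeholder
        return 0
    fi

    # Exact whole-line match against the recognised stock pages. Anything
    # else (a site's custom page, or a stock page the distribution changed
    # after the list was built) is treated as intentional and kept.
    if grep -qxF "$current" "$known"; then
        cp -p "$index" "$index.stock-backup"
        # Write beside the target, then rename, so a partial page is never served.
        tmp="$index.new.$$"
        cp "$placeholder" "$tmp" && mv "$tmp" "$index"
        echo replaced
    else
        echo kept
    fi
}
```

A `kept` result on a host with no custom page is the signal that the digest list has gone stale after a distribution update.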
Maybe we need two builds, one is a testpoint build for a standalone testpoint, which can then also do the firewall (and other?) stuff that the toolkit does, and another which is a 'testpoint on a shared server' build which does nothing but install the testpoint. We'd certainly like a standalone testpoint build.
We could probably restructure the bundles so
Sounds good. We'd like to encourage deployment of light-weight, simple testpoints (where we can offer the config, archive and grafana views) and having the nodes configured for just that task would be great.
(I don't know which repo this should be assigned to, please relocate if necessary)
Some user complained about leaving the default Apache page accessible to the public for a perfsonar-testpoint bundle installation. Security audits by CERT complain about this. "that default page as these indicate to the public that something, maybe in other places also have default settings. Shows that admins don't know what they are doing or they don't care. Also defaults create unwanted interested what we want to avoid."
Can we put a simple web page instead of the default? Like a simple webpage saying either that this is a perfSONAR testpoint site or saying that this page is intentionally left blank (both with maybe a perfSONAR logo). This should be a simple change.