Bug 2176300 - [RFE] Configure Ingress and NFS to support HAProxy's PROXY protocol
Summary: [RFE] Configure Ingress and NFS to support HAProxy's PROXY protocol
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Cephadm
Version: 6.0
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
: 7.0
Assignee: Adam King
QA Contact: Mohit Bisht
Rivka Pollack
URL:
Whiteboard:
Depends On: 2097490
Blocks: 2237662
TreeView+ depends on / blocked
 
Reported: 2023-03-07 22:52 UTC by Goutham Pacha Ravi
Modified: 2023-12-13 15:20 UTC (History)
11 users (show)

Fixed In Version: ceph-18.2.0-6.el9cp
Doc Type: Enhancement
Doc Text:
.Users can now apply client IP restrictions on the NFS deployment using the HAProxy protocol mode Previously, users could not apply client IP restrictions, while still using HAProxy between the client and NFS. This is because only the HAProxy IP would be recognized by NFS, making proper client IP restriction impossible. With this enhancement, it is possible to deploy an NFS service in HAProxy protocol mode by passing `--ingress-mode=haproxy-protocol` argument in the `ceph nfs cluster create` command or by setting `enable_haproxy_protocol: true` in both the NFS service specification and the corresponding ingress specification. Users can now apply proper client IP restriction on their NFS deployment using the new HAProxy protocol mode in their NFS deployment.
Clone Of:
Environment:
Last Closed: 2023-12-13 15:20:10 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Ceph Project Bug Tracker 58933 0 None None None 2023-03-07 22:52:56 UTC
Github ceph ceph pull 50614 0 None Merged mgr/cephadm: add support for nfs with haproxy protocol 2023-08-22 19:25:02 UTC
Github ceph ceph pull 52410 0 None Merged cephadm: fix issue with limited haproxy_hosts IPs list 2023-08-22 19:25:02 UTC
Github ceph ceph pull 53008 0 None Merged mgr/cephadm: allow ingress services with same frontend port and different VIP 2023-08-22 19:25:02 UTC
Red Hat Issue Tracker RHCEPH-6243 0 None None None 2023-03-07 22:55:08 UTC
Red Hat Product Errata RHBA-2023:7780 0 None None None 2023-12-13 15:20:15 UTC

Description Goutham Pacha Ravi 2023-03-07 22:52:57 UTC 
Description of problem:

When the ceph-ingress service frontends the Ceph-NFS cluster, currently, client addresses are not visible to Ceph-NFS/Ganesha; this prevents the use of client restrictions to be used in Exports. To relay the client's address across the Proxy server, HAProxy supports the use of the PROXY protocol. NFS-Ganesha recently added native support for the PROXY protocol [2]. We need changes to the HAProxy config to enable (or disable) the use of PROXY when setting up ingress for Ceph-NFS. An example configuration is documented on the HAProxy website [3].

When send-proxy-v2 is enabled with ingress, NFS-Ganesha will need to be configured with the "HAProxy_Hosts" configuration option [4] which will allow the parsing of the client address from the header information that the PROXY protocol communication contains.

[1] https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address/
[2] https://review.gerrithub.io/c/ffilz/nfs-ganesha/+/548334
[3] https://www.haproxy.com/blog/using-haproxy-with-the-proxy-protocol-to-better-secure-your-database/
[4] https://github.com/nfs-ganesha/nfs-ganesha/blob/91dd6865b71bbe99ad828c9c8bae1827922cd2a6/src/doc/man/ganesha-core-config.rst#L25
Comment 10 errata-xmlrpc 2023-12-13 15:20:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 7.0 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7780
Note You need to log in before you can comment on or make changes to this bug.