Ceph » Orchestrator

When the ceph-ingress service frontends the Ceph-NFS cluster, currently, client addresses are not visible to Ceph-NFS/Ganesha; this prevents the use of client restrictions to be used in Exports. To relay the client's address across the Proxy server, HAProxy supports the use of the PROXY protocol. NFS-Ganesha recently added native support for the PROXY protocol [2]. We need changes to the HAProxy config to enable (or disable) the use of PROXY when setting up ingress for Ceph-NFS. An example configuration is documented on the HAProxy website [3].

When send-proxy-v2 is enabled with ingress, NFS-Ganesha will need to be configured with the "HAProxy_Hosts" configuration option [4] which will allow the parsing of the client address from the header information that the PROXY protocol communication contains.

[1] https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address/
[2] https://review.gerrithub.io/c/ffilz/nfs-ganesha/+/548334
[3] https://www.haproxy.com/blog/using-haproxy-with-the-proxy-protocol-to-better-secure-your-database/
[4] https://github.com/nfs-ganesha/nfs-ganesha/blob/91dd6865b71bbe99ad828c9c8bae1827922cd2a6/src/doc/man/ganesha-core-config.rst#L25