I indeed removed the send-proxy - then I had to put the IP of haproxy in the 
NFS exports file instead to be able to mount the share (which makes sense seen 
from an NFS perspective).

Making the NFS server support proxy protocol isn't something I think will 
happen - I rely on the upstream packages (CentOS 7 packages in this case).

And using transparency mode - I think relying on stuff going via haproxy for 
routing won't be a possibility in this case - so I guess I have to drop my wish 
about haproxy + NFS in this case. I'd like something that is fairly standard 
without too many modifications on the current NFS infrastructure (since it 
would introduce more complexity).

Thanks for your replies both of you!

Best Regards,

On 02/08/2018, 18.09, "Willy Tarreau" <[email protected]> wrote:

    On Thu, Aug 02, 2018 at 04:05:24AM +0000, Lucas Rolff wrote:
    > Hi michael,
    > 
    > Without the send-proxy, the client IP in the export would have to be the
    > haproxy server in that case right?
    
    That's it. But Michael is absolutely right, your NFS server doesn't support
    the proxy protocol, and the lines it emits below indicate it :
    
      Aug 01 21:44:44 nfs-server-f8209dc4-a1a6-4baf-86fa-eba0b0254bc9 kernel: RPC: fragment too large: 1347571544
      Aug 01 21:44:44 nfs-server-f8209dc4-a1a6-4baf-86fa-eba0b0254bc9 kernel: RPC: fragment too large: 1347571544
      Aug 01 21:44:44 nfs-server-f8209dc4-a1a6-4baf-86fa-eba0b0254bc9 kernel: RPC: fragment too large: 1347571544
      Aug 01 21:44:45 nfs-server-f8209dc4-a1a6-4baf-86fa-eba0b0254bc9 kernel: RPC: fragment too large: 1347571544
    
    This fragment size (1347571544) is "PROX" encoded in big endian, which are
    the first 4 chars of the proxy protocol header :-)
    
    > The issue there is then, that I end up with all clients having access to
    > haproxy can suddenly mount all shares in nfs, which I would like to prevent
    
    Maybe you can modify your NFS server to support the proxy protocol, that
    could possibly make sense for your use case ? Otherwise on Linux you may
    be able to configure haproxy to work in transparent mode using "source
    0.0.0.0 usesrc clientip" but beware that it requires some specific iptables
    rules to divert the traffic and send it back to haproxy. It will also
    require that all your NFS servers route the clients via haproxy for the
    response traffic. This is not always very convenient.
    
    Regards,
    Willy
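
An added example, not part of the original thread: a small log triage helper that reproduces the decoding Willy describes, turning the number in an "RPC: fragment too large" kernel message back into the four bytes the NFS server read as its RPC record marker. The preamble table and the function names are assumptions chosen for this illustration; the first sample line is taken from the thread and the second is constructed.

```python
import re
import struct
from collections import Counter

# 4-byte stream preambles an RPC listener may misread as a record marker.
# Illustrative table chosen for this example, not an exhaustive list.
KNOWN_PREAMBLES = {
    b"PROX": "PROXY protocol v1 header",
    b"\r\n\r\n": "PROXY protocol v2 signature",
    b"GET ": "HTTP request",
    b"POST": "HTTP request",
    b"SSH-": "SSH banner",
}

LOG_RE = re.compile(r"RPC: fragment too large: (\d+)")


def decode_fragment_size(size):
    """Return the 4 big-endian bytes behind a logged fragment size."""
    if not 0 <= size <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit record marker: %d" % size)
    return struct.pack(">I", size)


def explain(line):
    """Map one kernel log line to (raw_bytes, label), or None if unrelated."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    raw = decode_fragment_size(int(m.group(1)))
    return raw, KNOWN_PREAMBLES.get(raw, "unrecognised")


def triage(lines):
    """Count what kind of foreign traffic hit the RPC port."""
    results = (explain(line) for line in lines)
    return Counter(label for _, label in filter(None, results))


if __name__ == "__main__":
    sample = [
        # From the thread:
        "Aug 01 21:44:44 nfs-server kernel: RPC: fragment too large: 1347571544",
        # Constructed: what b"GET " would look like as a fragment size.
        "Aug 01 21:45:02 nfs-server kernel: RPC: fragment too large: %d"
        % int.from_bytes(b"GET ", "big"),
    ]
    for line in sample:
        print(explain(line))
    print(triage(sample))
```
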
    
