Running FreeIPA behind HAProxy
Dec 12, 2016
If you run multiple FreeIPA replicas behind an HAProxy load balancer, you may run into situations like this:
Or like this:
If your FreeIPA is served at https://ipa.mydomain.com/ and your two (or more) backend servers run at https://ipa.inside.mydomain.com/, then, with a little help on what is going on from Jan Pazdziora, you can do this with HAProxy:
backend ipa-web-backend
    mode http
    balance roundrobin
    # Pin each client to one replica with an inserted SERVERID cookie
    cookie SERVERID insert indirect nocache httponly secure
    # Detect the pinned replica from the Cookie header of the request
    acl hdr_ipa01 req.hdr(Cookie) -m sub SERVERID=cookieipa01
    acl hdr_ipa02 req.hdr(Cookie) -m sub SERVERID=cookieipa02
    # Rewrite the public Referer to the hostname of the pinned replica
    http-request replace-header Referer ^https://ipa\.mydomain\.com(.*)$ https://ipa01\.inside\.mydomain\.com\1 if hdr_ipa01
    http-request replace-header Referer ^https://ipa\.mydomain\.com(.*)$ https://ipa02\.inside\.mydomain\.com\1 if hdr_ipa02
    # Rewrite the replica-specific Domain attribute of Set-Cookie response headers
    # (rspirep was removed in HAProxy 2.1; newer versions use http-response replace-header)
    acl hdr_set_cookie_dom res.hdr(Set-cookie) -m sub Domain= ipa02.inside.mydomain.com
    rspirep ^(Set-Cookie:.*)\ Domain=ipa02.inside.mydomain.com(.*) \1\ Domain=ipa.inside.mydomain.com\2 if hdr_set_cookie_dom
    acl hdr_set_cookie_dom2 res.hdr(Set-cookie) -m sub Domain= ipa01.inside.mydomain.com
    rspirep ^(Set-Cookie:.*)\ Domain=ipa01.inside.mydomain.com(.*) \1\ Domain=ipa.inside.mydomain.com\2 if hdr_set_cookie_dom2
    # "verify none" skips validation of the replicas' TLS certificates;
    # "verify required" together with "ca-file" checks them against the IPA CA
    server ipa01.inside.mydomain.com 10.12.16.31:443 check port 443 inter 2000 rise 2 fall 5 cookie cookieipa01 check ssl verify none
    server ipa02.inside.mydomain.com 10.12.16.32:443 check port 443 inter 2000 rise 2 fall 5 cookie cookieipa02 check ssl verify none
And voila, your IPA installation should work now.
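To check the result from the client side, the following added example (not part of the original post) audits Set-Cookie headers captured through the proxy for Domain attributes that still name a backend replica or that a browser on the public host would reject under the RFC 6265 domain-match rule. The hostnames are the ones used in the post; the function names, finding labels and sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie headers seen through the load balancer.
# Hostnames come from the post; the sample header values are constructed.
PUBLIC_HOST = "ipa.mydomain.com"
BACKENDS = {"ipa01.inside.mydomain.com", "ipa02.inside.mydomain.com"}


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match (hostnames only, no IP literals)."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs


def audit(set_cookie_values, public_host=PUBLIC_HOST, backends=BACKENDS):
    """Return (cookie name, finding) pairs for cookies a browser would drop
    or that expose a backend hostname or lack Secure/HttpOnly."""
    findings = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        dom = attrs.get("domain")
        if dom:  # an empty Domain attribute is ignored by browsers
            if dom.lower().strip(".") in backends:
                findings.append((name, "domain-names-backend"))
            if not domain_matches(public_host, dom):
                findings.append((name, "domain-mismatch"))
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append((name, "missing-" + flag))
    return findings


# Constructed sample: an unrewritten backend cookie, a host-only cookie,
# and a stickiness cookie without its security flags.
SAMPLE = [
    "ipa_session=abc123; Domain=ipa02.inside.mydomain.com; Path=/ipa; Secure; HttpOnly",
    "ipa_session=abc123; Path=/ipa; Secure; HttpOnly",
    "SERVERID=cookieipa01; Path=/",
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(name, finding)
```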