Running FreeIPA behind HAproxy

If you ever run into situation, when you have multiple replicas of FreeIPA running behind a HAproxy LoadBalancer, you may run into situations like this:

Your session has expired. Please re-login

Or like this:

Missing HTTP referer. <br/> You have to configure your browser to send HTTP referer header.

If your situation is that your FreeIPA runs on https://ipa.mydomain.com/, and your two (or more) backend servers run at https://ipa.inside.mydomain.com/, with a little help on what is going on from Jan Pazdziora, you can do this with HAproxy:

backend ipa-web-backend
 mode http
 balance roundrobin
 cookie SERVERID insert indirect nocache httponly secure
 acl hdr_ipa01 res.hdr(Cookie) -m sub SERVERID= cookieipa01
 acl hdr_ipa02 res.hdr(Cookie) -m sub SERVERID= cookieipa02
 http-request replace-header Referer ^https://ipa\.mydomain\.com(.*)$ https://ipa01\.inside\.mydomain\.com\1 if hdr_ipa01
 http-request replace-header Referer ^https://ipa\.mydomain\.com(.*)$ https://ipa02\.inside\.mydomain\.com\1 if hdr_ipa02
acl hdr_set_cookie_dom res.hdr(Set-cookie) -m sub Domain= ipa02.inside.mydomain.com
rspirep ^(Set-Cookie:.*)\ Domain=ipa02.inside.mydomain.com(.*) \1\ Domain=ipa.inside.mydomain.com\2 if hdr_set_cookie_dom
acl hdr_set_cookie_dom2 res.hdr(Set-cookie) -m sub Domain= ipa01.inside.mydomain.com
rspirep ^(Set-Cookie:.*)\ Domain=ipa01.inside.mydomain.com(.*) \1\ Domain=ipa.inside.mydomain.com\2 if hdr_set_cookie_dom2
server ipa01.inside.mydomain.com 10.12.16.31:443 check port 443 inter 2000 rise 2 fall 5 cookie cookieipa01 check ssl verify none
server ipa02.inside.mydomain.com 10.12.16.32:443 check port 443 inter 2000 rise 2 fall 5 cookie cookieipa02 check ssl verify none

And voila, your IPA installation should work now.