Running FreeIPA behind HAproxy

Michal Medvecky
Dec 12, 2016

If you run multiple FreeIPA replicas behind an HAproxy load balancer, you may run into errors like this:

Your session has expired. Please re-login

Or like this:

Missing HTTP referer. <br/> You have to configure your browser to send HTTP referer header.

If your FreeIPA is reached at https://ipa.mydomain.com/ and your two (or more) backend servers live under https://ipa.inside.mydomain.com/, then, with a little help from Jan Pazdziora on what is going on, you can make it work with this HAproxy configuration:

backend ipa-web-backend
    mode http
    balance roundrobin
    # Stickiness: pin each browser to one replica, because a FreeIPA session is only
    # valid on the replica that created it ("Your session has expired" otherwise).
    cookie SERVERID insert indirect nocache httponly secure
    # The Cookie header is part of the request, so match it with a request fetch.
    acl hdr_ipa01 req.cook(SERVERID) -m str cookieipa01
    acl hdr_ipa02 req.cook(SERVERID) -m str cookieipa02
    # FreeIPA refuses requests whose Referer host is not its own name, so point the
    # Referer at the replica this client is stuck to.
    http-request replace-header Referer ^https://ipa\.mydomain\.com(.*)$ https://ipa01.inside.mydomain.com\1 if hdr_ipa01
    http-request replace-header Referer ^https://ipa\.mydomain\.com(.*)$ https://ipa02.inside.mydomain.com\1 if hdr_ipa02
    # Each replica scopes its session cookie to its own host name; rewrite the Domain
    # so the cookie comes back through the load balancer. The Domain must match the
    # name the browser connects to, or the browser silently drops the cookie.
    # (rspirep was removed in HAProxy 2.2; there use "http-response replace-header Set-Cookie".)
    acl hdr_set_cookie_dom res.hdr(Set-Cookie) -m sub Domain=ipa02.inside.mydomain.com
    rspirep ^(Set-Cookie:.*)\ Domain=ipa02.inside.mydomain.com(.*) \1\ Domain=ipa.inside.mydomain.com\2 if hdr_set_cookie_dom
    acl hdr_set_cookie_dom2 res.hdr(Set-Cookie) -m sub Domain=ipa01.inside.mydomain.com
    rspirep ^(Set-Cookie:.*)\ Domain=ipa01.inside.mydomain.com(.*) \1\ Domain=ipa.inside.mydomain.com\2 if hdr_set_cookie_dom2
    # Re-encrypt to the replicas. "verify none" skips checking the replica certificate;
    # in production prefer "verify required ca-file /path/to/ipa-ca.crt" (placeholder
    # path) so the load balancer only ever talks to genuine replicas.
    server ipa01.inside.mydomain.com 10.12.16.31:443 check port 443 inter 2000 rise 2 fall 5 cookie cookieipa01 ssl verify none
    server ipa02.inside.mydomain.com 10.12.16.32:443 check port 443 inter 2000 rise 2 fall 5 cookie cookieipa02 ssl verify none

And voila, your IPA installation should work now.
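To see exactly what the rules above do to a request and a response, here is an added example (my own code, not the author's and not HAProxy's) that applies the same three rewrites in Python to constructed headers: the SERVERID stickiness lookup, the Referer rewrite, and the Set-Cookie Domain rewrite. Host names and cookie values are taken from the configuration; the request and response headers are made up. The last function is a practitioner's check I added: it applies the RFC 6265 domain-matching rule so you can confirm that the Domain you rewrite to will actually be stored by a browser talking to your public name.

```python
"""Emulation of the HAProxy header rewrites for FreeIPA behind a load balancer.
Added example, not HAProxy code and not the author's configuration; sample headers
below are constructed for illustration."""
import re
from http.cookies import SimpleCookie

PUBLIC_HOST = "ipa.mydomain.com"                 # name the browser talks to (frontend)
SHARED_BACKEND_NAME = "ipa.inside.mydomain.com"  # Domain= written into Set-Cookie
# SERVERID cookie value -> replica, as in the `server ... cookie cookieipaNN` lines
BACKENDS = {
    "cookieipa01": "ipa01.inside.mydomain.com",
    "cookieipa02": "ipa02.inside.mydomain.com",
}


def pinned_backend(request_headers):
    """Mirror of `acl hdr_ipaNN req.cook(SERVERID) -m str cookieipaNN`: the replica
    this client is stuck to, or None when the SERVERID cookie is absent or unknown."""
    jar = SimpleCookie()
    jar.load(request_headers.get("Cookie", ""))
    morsel = jar.get("SERVERID")
    return BACKENDS.get(morsel.value) if morsel else None


def rewrite_referer(request_headers):
    """Mirror of the two `http-request replace-header Referer ...` rules. FreeIPA
    rejects requests whose Referer host is not its own, so the public name is
    swapped for the pinned replica's name; any other Referer is left untouched."""
    headers = dict(request_headers)
    backend = pinned_backend(headers)
    referer = headers.get("Referer")
    if backend and referer:
        headers["Referer"] = re.sub(rf"^https://{re.escape(PUBLIC_HOST)}(.*)$",
                                    rf"https://{backend}\1", referer)
    return headers


def rewrite_set_cookie(response_headers):
    """Mirror of the two `rspirep` rules: the replica scopes its session cookie to
    its own host name, so Domain=<replica> becomes Domain=<shared name>.
    rspirep matches case-insensitively, hence the (?i) flag."""
    headers = dict(response_headers)
    value = headers.get("Set-Cookie")
    if value:
        for replica in BACKENDS.values():
            value = re.sub(rf"(?i)\sDomain={re.escape(replica)}",
                           f" Domain={SHARED_BACKEND_NAME}", value)
        headers["Set-Cookie"] = value
    return headers


def browser_would_store(request_host, set_cookie_value):
    """RFC 6265 section 5.3: a browser discards a cookie whose Domain attribute does
    not domain-match the host the request was sent to. Returns True if the cookie
    would be kept, so you can check the rewritten Domain against your public name."""
    match = re.search(r"(?i)(?:^|;)\s*Domain=([^;]+)", set_cookie_value)
    if not match:
        return True  # no Domain attribute: host-only cookie, always stored
    domain = match.group(1).strip().lstrip(".").lower()
    host = request_host.lower()
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    # Constructed sample traffic: second request of a browser stuck to ipa02.
    req = {"Cookie": "SERVERID=cookieipa02; ipa_session=abc123",
           "Referer": f"https://{PUBLIC_HOST}/ipa/ui/"}
    print("Referer sent to replica:", rewrite_referer(req)["Referer"])
    resp = {"Set-Cookie": "ipa_session=abc123; Domain=ipa01.inside.mydomain.com; "
                          "Path=/ipa; Secure; HttpOnly"}
    rewritten = rewrite_set_cookie(resp)["Set-Cookie"]
    print("Set-Cookie sent to browser:", rewritten)
    print("Browser at", PUBLIC_HOST, "keeps it:", browser_would_store(PUBLIC_HOST, rewritten))
```

If the final check prints False for the name your browsers actually use, the cookie never reaches the next request and the "session has expired" error comes back even with stickiness in place; the fix is to rewrite the Domain to the public name (or to a parent domain of it), not to a name the browser never connects to.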