@m4ce
Created March 16, 2017 16:33
FreeIPA behind HAProxy
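# Public entry point: terminates TLS and redirects plain HTTP to HTTPS
frontend ft_ipa
    mode http
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/ipa.example.org.pem
    redirect scheme https if !{ ssl_fc }
    use_backend bk_ipa

# Hands requests to the per-replica listeners below;
# lt_ipa_2 is a backup and only receives traffic when lt_ipa_1 is down
backend bk_ipa
    mode http
    balance roundrobin
    server lt_ipa_1 localhost:8080 check
    server lt_ipa_2 localhost:8081 check backup

# Per-replica listener: presents the replica's own name in the Referer header
# and rewrites the session cookie domain back to the public name.
# Traffic from HAProxy to the replica is plain HTTP (port 80).
# rspirep was removed in HAProxy 2.1; newer versions use http-response replace-header.
listen lt_ipa_1
    mode http
    bind localhost:8080
    http-request set-header Referer https://ipa1.example.org/ipa/
    acl hdr_set_cookie_dom res.hdr(Set-cookie) -m sub Domain= ipa.example.org
    rspirep ^(Set-Cookie:.*)\ Domain=ipa1.example.org(.*) \1\ Domain=ipa.example.org\2
    server ipa1.example.org-ipa ipa1.example.org:80 check

# Same as lt_ipa_1, for the second replica
listen lt_ipa_2
    mode http
    bind localhost:8081
    http-request set-header Referer https://ipa2.example.org/ipa/
    acl hdr_set_cookie_dom res.hdr(Set-cookie) -m sub Domain= ipa.example.org
    rspirep ^(Set-Cookie:.*)\ Domain=ipa2.example.org(.*) \1\ Domain=ipa.example.org\2
    server ipa2.example.org-ipa ipa2.example.org:80 check
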
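
An added example, not part of the original gist: the lt_ipa_1 listener written for HAProxy 2.1 and later, where rspirep no longer exists, with the hop to the replica re-encrypted and its certificate verified. It assumes the replica serves HTTPS on port 443 and that the IPA CA certificate has been copied to /etc/haproxy/ssl/ipa-ca.crt (an assumed path).

```haproxy
listen lt_ipa_1
    mode http
    bind localhost:8080
    # Same Referer rewrite as the original listener
    http-request set-header Referer https://ipa1.example.org/ipa/
    # Replacement for the rspirep line: rewrite only the Domain attribute of
    # Set-Cookie so the browser stores the cookie for the public name.
    # Matching is case-sensitive here, unlike rspirep.
    http-response replace-header Set-Cookie ^(.*)Domain=ipa1\.example\.org(.*)$ \1Domain=ipa.example.org\2
    # Re-encrypt to the replica and verify its certificate chain and hostname
    # (the ca-file path is an assumed location, not one from the gist)
    server ipa1.example.org-ipa ipa1.example.org:443 check ssl verify required ca-file /etc/haproxy/ssl/ipa-ca.crt verifyhost ipa1.example.org sni str(ipa1.example.org)
```

The lt_ipa_2 listener changes the same way, with ipa2.example.org in place of ipa1.example.org.
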
# VERSION 6 - DO NOT REMOVE THIS LINE
RewriteEngine on
# By default forward all requests to /ipa. If you don't want IPA
# to be the default on your web server comment this line out.
RewriteRule ^/$ /ipa/ui [L,NC,R=301]
# Rewrite for plugin index, make it like it's a static file
RewriteRule ^/ipa/ui/js/freeipa/plugins.js$ /ipa/wsgi/plugins.py [PT]