From 795c659f7a4ac79a4f5895131b8054b1e84e384b Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Tue, 20 Dec 2016 05:50:43 +0000
Subject: [PATCH] Only use IPA01 for API access since sessions are not
 synchronized

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
---
 playbooks/include/proxies-reverseproxy.yml                 | 2 +-
 roles/haproxy/templates/haproxy.cfg                        | 7 +++++++
 .../reverseproxy/templates/reversepassproxy.00-ipa.conf    | 3 ---
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index fafde9a455..c01e0eb165 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -179,7 +179,7 @@
     destname: 00-ipa
     remotepath: /ipa
     localpath: /ipa
-    proxyurl: http://localhost:10053
+    proxyurl: http://localhost:10061
     when: env == "staging"
 
   - role: httpd/reverseproxy
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index eac30d46cd..43c883a629 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -395,6 +395,13 @@ listen armkoji 0.0.0.0:10060
     server arm-koji01.qa.fedoraproject.org arm-koji01.qa.fedoraproject.org:80 check inter 10s rise 1 fall 2
     option httpchk GET /
 
+# This is an endpoint using only ipa01. This is used for API access, since sessions
+# are not synchronized.
+listen  ipa01 0.0.0.0:10061
+    balance hdr(appserver)
+    server  ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem
+    option  httpchk GET /ipa/ui/
+
 {% endif %}
 # Apache doesn't handle the initial connection here like the other proxy
 # entries.  This proxy also doesn't use the http mode like the others.
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.00-ipa.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.00-ipa.conf
index 0bf488ad45..d5f700df97 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.00-ipa.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.00-ipa.conf
@@ -1,7 +1,4 @@
 ProxyPassReverseCookieDomain ipa01{{env_suffix}}.phx2.fedoraproject.org id{{env_suffix}}.fedoraproject.org
-{% if env == "production" %}
-ProxyPassReverseCookieDomain ipa02.phx2.fedoraproject.org id.fedoraproject.org
-{% endif %}
 
 ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
 ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}