Here is an example configuration for HAProxy with sticky sessions to a Shibboleth Identity Provider (IdP):
    global
        log stdout local0 debug
        maxconn 2000
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5s
        timeout client 20s
        timeout server 20s
        retries 3

    frontend shib_frontend
        bind *:443 ssl crt /path/to/cert.pem
        mode http
        default_backend shib_backend

    backend shib_backend
        mode http
        balance roundrobin
        option httpchk GET /Shibboleth.sso/Session
        # httponly and secure keep the persistence cookie away from scripts
        # and off any plaintext connection
        cookie SERVERID insert indirect nocache httponly secure
        # The IdPs listen on 443, so the backend connection must be TLS as well;
        # without 'ssl' HAProxy would send plaintext HTTP to port 443.
        # The IdP certificates are verified against a CA bundle (placeholder path).
        server idp1 idp1.linux-server-admin.com:443 ssl verify required ca-file /path/to/ca.pem cookie idp1 check
        server idp2 idp2.linux-server-admin.com:443 ssl verify required ca-file /path/to/ca.pem cookie idp2 check
Explanation:

- The global section sets global parameters, such as logging and connection limits.
- The defaults section sets default parameters for all backends and frontends.
- The frontend section defines the front-facing SSL listener on port 443 and forwards traffic to the shib_backend backend.
- The backend section defines the backend servers that HAProxy will load balance traffic to.
- The balance option sets the load balancing algorithm to round-robin.
- The option httpchk line specifies the health check URL for the Shibboleth IdP server, which is used to determine whether a server is up or down.
- The cookie option inserts a cookie in the HTTP response that tells the client which server to stick to. The indirect option keeps that cookie between the client and HAProxy: it is removed from the request before the request is forwarded to the IdP, and it is not sent again to a client that already holds a valid one.
- The server lines define the IdP servers and their addresses, and use the cookie option to assign a cookie value to each server. The check option enables health checks on the servers.

This configuration assumes that you have installed Shibboleth IdP on two servers, idp1.linux-server-admin.com and idp2.linux-server-admin.com, and that you have obtained an SSL certificate for your domain and placed it at /path/to/cert.pem. You may need to adjust the configuration based on your specific setup.
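The following Python script is an added illustration, not part of the original post and not HAProxy code: it models what the "cookie SERVERID insert indirect nocache" line does to a request and its response, using the two server names from the configuration above as labels. It shows which headers the IdP actually receives (the SERVERID cookie is stripped, other cookies such as a JSESSIONID pass through), when HAProxy emits a Set-Cookie (only when the client has no valid one), and what happens when the pinned server is marked down by a health check (the request falls back to round-robin and a fresh cookie is issued). The HttpOnly and Secure attributes, and the audit_set_cookie helper that checks a real Set-Cookie header for them, reflect the editor's recommendation for a cookie issued in front of an IdP, not something the original configuration states.

```python
"""Model of HAProxy cookie persistence (insert indirect nocache) for two IdPs.

Added example; this is a simplified re-implementation of the documented
behaviour, not HAProxy's own code.
"""
from itertools import cycle

# Server names and addresses taken from the HAProxy configuration above.
SERVERS = {
    "idp1": "idp1.linux-server-admin.com:443",
    "idp2": "idp2.linux-server-admin.com:443",
}
COOKIE_NAME = "SERVERID"
# Attributes a persistence cookie in front of an IdP should carry
# (editor's recommendation; HAProxy adds them with the httponly/secure keywords).
REQUIRED_ATTRS = ("HttpOnly", "Secure")


def parse_cookie_header(value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            name, _, val = part.partition("=")
            cookies[name.strip()] = val.strip()
    return cookies


def audit_set_cookie(set_cookie_value):
    """Return the REQUIRED_ATTRS missing from a Set-Cookie header value.

    Useful against a real response: the first 'name=value' is the cookie,
    everything after it are attributes (case-insensitive).
    """
    parts = [p.strip() for p in set_cookie_value.split(";")[1:]]
    present = {p.split("=", 1)[0].lower() for p in parts}
    return [a for a in REQUIRED_ATTRS if a.lower() not in present]


class StickyBalancer:
    """Round-robin balancer with client-side persistence cookie."""

    def __init__(self, servers, cookie_name=COOKIE_NAME):
        self.servers = dict(servers)
        self.healthy = set(servers)        # updated by health checks ('check')
        self.cookie_name = cookie_name
        self._rr = cycle(list(servers))    # 'balance roundrobin'

    def mark_down(self, name):
        self.healthy.discard(name)

    def mark_up(self, name):
        self.healthy.add(name)

    def _next_healthy(self):
        for _ in range(len(self.servers)):
            candidate = next(self._rr)
            if candidate in self.healthy:
                return candidate
        raise RuntimeError("no healthy backend server")

    def route(self, request_headers):
        """Pick a server and build the headers forwarded to it.

        Returns (server, forwarded_headers, client_had_valid_cookie).
        """
        cookies = parse_cookie_header(request_headers.get("Cookie", ""))
        wanted = cookies.get(self.cookie_name)
        # A cookie naming a server that is down (or unknown) is ignored.
        valid = wanted in self.healthy
        server = wanted if valid else self._next_healthy()
        forwarded = dict(request_headers)
        # 'indirect': the persistence cookie never reaches the IdP.
        rest = {k: v for k, v in cookies.items() if k != self.cookie_name}
        if rest:
            forwarded["Cookie"] = "; ".join(f"{k}={v}" for k, v in rest.items())
        else:
            forwarded.pop("Cookie", None)
        return server, forwarded, valid

    def respond(self, server, response_headers, client_had_valid_cookie):
        """Add the persistence cookie to the IdP's response when needed."""
        out = dict(response_headers)
        if not client_had_valid_cookie:
            # 'insert' with httponly/secure attributes
            out["Set-Cookie"] = f"{self.cookie_name}={server}; Path=/; HttpOnly; Secure"
            # 'nocache': a response carrying a fresh cookie must not be shared by a cache
            out["Cache-Control"] = "private"
        return out


if __name__ == "__main__":
    lb = StickyBalancer(SERVERS)
    # Constructed sample session: first request has only the IdP's own session cookie.
    server, fwd, valid = lb.route({"Host": "idp.example.org", "Cookie": "JSESSIONID=abc"})
    print("first request ->", server, "IdP sees:", fwd, "|", lb.respond(server, {}, valid))
    server, fwd, valid = lb.route({"Cookie": "SERVERID=idp1; JSESSIONID=abc"})
    print("pinned request ->", server, "IdP sees:", fwd, "|", lb.respond(server, {}, valid))
    lb.mark_down("idp1")
    server, fwd, valid = lb.route({"Cookie": "SERVERID=idp1; JSESSIONID=abc"})
    print("after idp1 down ->", server, "|", lb.respond(server, {}, valid))
```

Note that the IdP's own session state (the JSESSIONID in the sample) is not replicated by HAProxy; when idp1 goes down, the user lands on idp2 with a SERVERID cookie for it, but whatever login state idp1 held is lost unless the IdPs share session storage. That is the failure mode sticky sessions trade for simplicity, and it is worth testing before relying on this layout.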