FortiWeb
mtse
Staff
Article Id 260263
Description

This article describes two ways in which FortiWeb can redirect a client's HTTP request for the web server to HTTPS.

Scope

FortiWeb.
Solution

Method 1: Enable 'Redirect HTTP to HTTPS' in Server Policy.

This requires that both 'HTTP Service' and 'HTTPS Service' be enabled first in the same Server Policy. For example, in the Server Policy below, the HTTPS service is enabled together with the HTTP service, so the option 'Redirect HTTP to HTTPS' is displayed. Switch this option on to allow redirection to HTTPS.

 

server-policy-redirect1.PNG

 

Method 2: Create URL Rewriting Policy and Rule.

 

If, for some reason, HTTP and HTTPS cannot both be enabled in the same Server Policy as in Method 1 above, the option 'Redirect HTTP to HTTPS' is not displayed in the Server Policy. In that case, a URL Rewriting Policy can be created that matches the regular expression pattern below in the HTTP GET request and has FortiWeb reply to the client browser with 'Redirect(301 Permanently)'.

2.1) In Application Delivery -> URL Rewriting, create a URL Rewriting Policy and Rule.

Note: the regular expression here is an example only. It can be modified to adapt to different requirements in different scenarios.

 

url-rewrite-policy.PNG

 

url-rewrite-rule.PNG

 

The corresponding CLI configuration is as follows.

 

config waf url-rewrite url-rewrite-policy
    edit "test_http_to_https"
        config rule
            edit 1
                set url-rewrite-rule-name test_rule_http_to_https
            next
        end
    next
end

config waf url-rewrite url-rewrite-rule
    edit "test_rule_http_to_https"
        set action redirect-301
        set location https://$0/$1
        config header-insert
        end
        config response-header-insert
        end
        config header-removal
        end
        config response-header-removal
        end
        config match-condition
            edit 1
                set reg-exp (.*)
                set protocol-filter enable
            next
            edit 2
                set object http-url
                set reg-exp ^/(.*)$
            next
        end
    next
end

 

2.2) Assign the URL Rewriting Policy to the Web Protection Profile.

 

web-protect-prof.PNG

 

CLI config:

config waf web-protection-profile inline-protection
    edit "clone_recommended"
        set url-rewrite-policy test_http_to_https
    next
end

 

2.3) Assign the Web Protection Profile to the Server Policy.

 

server-policy-web-prot-prof.PNG

 

CLI config:

 

config server-policy policy
    edit "lab-server-policy"
        set web-protection-profile clone_recommended
    next
end

FortiWeb then replies with '301 Moved Permanently' to an HTTP GET request from the client browser.

 

pcap-original-http.PNG

 

pcap-redirected-to-https.PNG
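How the rule from step 2.1 builds the Location header, as an added Python model that is not FortiWeb code and not part of the original article. It assumes that match-condition 1 tests the Host header, that the protocol filter selects plain HTTP, and that capture groups are numbered from $0 across the match conditions in order; the host names and STRICT_HOST_RE are constructed for illustration. It also shows that the example pattern (.*) copies whatever Host value the client sent, port included, into the redirect, while a pattern anchored to the expected host name does not.

```python
import re

# Model of the rule in step 2.1 (assumption, not FortiWeb code): the capture
# groups of the match conditions are numbered in order, starting at $0.
HOST_RE = r"(.*)"       # match-condition 1, assumed to test the Host header
URL_RE = r"^/(.*)$"     # match-condition 2, object http-url
LOCATION = "https://$0/$1"

# Hypothetical tightened pattern: only the expected host name (constructed),
# with an optional port that is matched but not captured.
STRICT_HOST_RE = r"^(www\.example\.com)(?::\d+)?$"


def redirect_location(host, url, scheme="http", host_re=HOST_RE, url_re=URL_RE):
    """Return the Location value the modelled rule sends, or None if no match."""
    if scheme != "http":            # protocol filter, assumed to select HTTP only
        return None
    m_host = re.search(host_re, host)
    m_url = re.search(url_re, url)
    if not (m_host and m_url):
        return None
    groups = list(m_host.groups()) + list(m_url.groups())
    fill = lambda m: groups[int(m.group(1))] if int(m.group(1)) < len(groups) else ""
    return re.sub(r"\$(\d)", fill, LOCATION)


if __name__ == "__main__":
    # Constructed requests: expected host, HTTP on a non-default port, unexpected Host.
    for host in ("www.example.com", "www.example.com:8080", "unexpected.example.net"):
        print(host, "->", redirect_location(host, "/app/login"),
              "| strict:", redirect_location(host, "/app/login", host_re=STRICT_HOST_RE))
```
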

 

Related documents:

- Redirect HTTP to HTTPS: https://docs.fortinet.com/document/fortiweb/7.2.2/administration-guide/201872/configuring-an-http-se...
- Rewriting & redirecting: https://docs.fortinet.com/document/fortiweb/7.2.2/administration-guide/961303/rewriting-redirecting
