Technical Tip: Convert HTTP client request to HTTPS
Description
This article describes how to configure a virtual server to convert HTTP client requests to HTTPS.
Scope
FortiOS 6.2.1 and above.
Solution
When this feature is enabled, a virtual server can convert an HTTP client request to an HTTPS request.
The conversion is mandatory: HTTP traffic is converted to HTTPS traffic, which improves the security of the user network.
Enable this feature by using the CLI. Traffic then flows as follows:
- When the FortiGate receives an HTTP request for an external IP, such as 10.1.200.101 in the following example, it does not forward the HTTP request to the real backend servers. Instead, it sends an HTTP 303 response back to the original client, redirecting HTTP to HTTPS.
- The client browser restarts the TCP session using HTTPS.
- The HTTPS session arrives at the FortiGate, where a matching IPv4 policy allows the HTTPS traffic and a secure SSL connection is established. The FortiGate then forwards the request to the real backend servers.
To configure a virtual server with HTTPS redirect enabled:
1) Create a virtual server with server-type set to HTTP:
# config firewall vip
edit "virtual-server-http"
set type server-load-balance
set extip 10.1.200.101
set extintf "wan2"
set server-type http
set ldb-method round-robin
set extport 80
# config realservers
edit 1
set ip 172.16.200.44
set port 80
next
edit 2
set ip 172.16.200.55
set port 80
next
end
next
end
2) Create a virtual server with server-type set to HTTPS and with the same external IP address:
# config firewall vip
edit "virtual-server-https"
set type server-load-balance
set extip 10.1.200.101
set extintf "wan2"
set server-type https
set ldb-method round-robin
set extport 443
# config realservers
edit 1
set ip 172.16.200.44
set port 443
next
edit 2
set ip 172.16.200.55
set port 443
next
end
set ssl-certificate "Fortinet_CA_SSL"
next
end
3) Enable the 'http-redirect' option for the virtual server with server-type set to HTTP:
# config firewall vip
edit "virtual-server-http"
set http-redirect enable
next
end
4) Add the two virtual servers to a policy:
# config firewall policy
edit 9
set srcintf "wan2"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "virtual-server-http" "virtual-server-https"
set action accept
set schedule "always"
set service "ALL"
set inspection-mode proxy
set logtraffic all
set auto-asic-offload disable
set nat enable
next
end
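To confirm from a client that the configuration behaves as described, the following check sends one plain-HTTP request to the virtual server and validates the answer. It is an added example, not part of the original article or Fortinet code; the function names are hypothetical, and the requirement that the redirect stays on the requested host is an assumption.

```python
import http.client
import sys
from urllib.parse import urlsplit


def check_redirect(status, location, host):
    """Return a list of problems with the VIP's answer to a plain-HTTP request.

    An empty list means the request was answered with the 303 redirect to
    HTTPS that the article describes.
    """
    problems = []
    if status != 303:
        problems.append(f"expected HTTP 303, got {status}")
        if 200 <= status < 300:
            # The request reached a backend instead of being redirected.
            problems.append("content was served over plain HTTP")
    if not location:
        problems.append("no Location header in the response")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme or 'missing'!r}, not 'https'")
    # Assumption: the redirect should stay on the host the client asked for.
    if (target.hostname or "").lower() != host.lower():
        problems.append(f"Location host {target.hostname!r} differs from {host!r}")
    return problems


def probe(host, port=80, path="/", timeout=5):
    """Send one GET over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    # Default is the external IP used in the article's example.
    vip = sys.argv[1] if len(sys.argv) > 1 else "10.1.200.101"
    status, location = probe(vip)
    issues = check_redirect(status, location, vip)
    print(f"{vip}: HTTP {status}, Location={location}")
    print("OK" if not issues else "\n".join("FAIL: " + i for i in issues))
    sys.exit(1 if issues else 0)
```

Run it from a host on the client side of the FortiGate; a non-zero exit code means 'http-redirect' is not taking effect for that virtual server.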
