timothyd
New Member
October 31, 2022
Question

Problems trying to use FortiGate as a reverse proxy

  • October 31, 2022
  • 3 replies
  • 5121 views

I have multiple backend servers and services, all running on different servers, VLANs and services. At the moment HAProxy is used to proxy internal and external requests to those services. HAProxy also provides some load balancing where a hosted service is run across one or more servers.


I am trying to replace the HAProxy VMs with the built-in FortiGate LBs/reverse proxy service, but I'm struggling to get FortiGate to proxy the connection to my backend server(s).


The goal at the moment is to get a proof-of-concept running where internally I can do an HTTP request to a DNS entry and have the FortiGate proxy the request and send it to the backend server(s)/service(s). To do this on HAProxy, I would map the DNS entry to the IP address of the HAProxy server, make the HTTP request and HAProxy would proxy the request to the correct backend by reading the `Host: api.example.local` header (remember I have multiple services).


In FortiGate I am trying to replicate this, and so I set up a Virtual Server:

  • Type: HTTPS
  • Interface: LAN
  • Virtual service IP: 0.0.0.0
  • Virtual service port: 44444
  • Load balancing method: HTTP Host
  • Real servers:
    • IPv4 address: 172.16.0.10
    • Port: 443
    • Max connections: 0
    • HTTP host: api.example.local
    • Mode: Active

I then create a proxy-based policy for the virtual server, and map `api.example.local` to the IP address of the FortiGate appliance (e.g. 172.16.0.1).


When I visit `https://api.example.local:44444`, however, I am getting `ERR_EMPTY_RESPONSE`. I try the same request proxied through HAProxy, and it works as designed.


I've tried this over and over multiple times, and the behaviour remains the same. I know the FortiGate appliance can reach the backend service because I've also tried setting up HealthChecks and they're all working as designed.


Can someone help walk me through how to configure what I'm trying to achieve? And, how to troubleshoot?
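For reference, the virtual-server settings listed in the post, written as the FortiOS CLI equivalent of the GUI fields (an added example; not part of the original post or of Fortinet's documentation). The VIP name `api-vs`, the interface name `lan`, the certificate name, the policy name, and the use of 172.16.0.1 (the address the post says `api.example.local` resolves to) as the listening address are assumptions; the second real server (`app.example.local`, 172.16.0.20) is constructed only to show how a second hostname would be matched.

```fortios
# Added example: FortiOS CLI form of the virtual server described in the post.
# Quoted names (VIP, interface, certificate, policy) are assumptions;
# 172.16.0.20 / app.example.local are constructed to show a second service.
config firewall vip
    edit "api-vs"
        set type server-load-balance
        set server-type https
        # Listen on the address api.example.local resolves to, not 0.0.0.0
        set extintf "lan"
        set extip 172.16.0.1
        set extport 44444
        # Choose the real server by the HTTP Host header, as HAProxy does
        set ldb-method http-host
        # Terminate client TLS here and re-encrypt to the real servers on 443
        set ssl-mode full
        set ssl-certificate "Fortinet_Factory"
        config realservers
            edit 1
                set ip 172.16.0.10
                set port 443
                set http-host "api.example.local"
                set status active
            next
            edit 2
                set ip 172.16.0.20
                set port 443
                set http-host "app.example.local"
                set status active
            next
        end
    next
end
# Proxy-based policy allowing LAN clients to reach the virtual server
config firewall policy
    edit 0
        set name "lan-to-api-vs"
        set srcintf "lan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "api-vs"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
    next
end
```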

3 replies

gfleming
Staff
October 31, 2022

AFAIK this is not possible with FGT. You would need FortiADC or FortiWAF for this functionality. FGT does not route based on domain.


You can use the server load balancer in FGT but you'd still need something on the backend to route based on host name, either your web server (i.e. Nginx) or HAProxy...

gfleming
Staff
October 31, 2022

OK, I think you meant to link this page? https://docs.fortinet.com/document/fortigate/6.0.0/handbook/824987/http-host-based-load-balancing


Does api.example.local point to the Virtual Server IP on your FortiGate? I'm not sure 0.0.0.0 will work...

timothyd (Author)
New Member
October 31, 2022

Yes. That's the correct page.


DNS entry `api.example.local` points to the IP address I use to access the FortiGate dashboard (e.g. 172.16.0.1). Should I be using a Virtual IP?


When I used Virtual IPs in the past, it was to create a pinhole to HAProxy. In my current use case, I want to use FortiGate as the Load Balancer so it's not clear what sort of Virtual IP I should create, and what to put in the "Map to IPv4 address/range" (remembering, we want to eventually proxy multiple DNS entries/web services).


timothyd (Author)
New Member
October 31, 2022

Hi Graham


I am new to Fortinet products, so I am so sorry if I am misunderstanding the documentation, but I found the following article which made me feel that the feature was available from FortiGate 6.0.0:


http://docs.fortinet.com/document/fortigate/6.0.0/handbook/824987/http-host-based-load-balancing


To be clear, I wanted to create on FortiGate the equivalent of an HAProxy `frontend` where using "HTTP host-based load balancing" I route a request to one or more real servers.


The goal is to replace HAProxy with the FortiGate appliance built-in load balancer.