Skip to main content
robert_skywalker
robert_skywalker
New Member
December 26, 2015
Question

SSL offloading without caching?

  • December 26, 2015
  • 1 reply
  • 6936 views

Hi!

I’ve got two webservers behind a FG-200D serving lots of subdomains/vhosts of the same second-level-domain. For both webservers I have a dedicated external IP that I NAT 1:1 to the internal IP of the corresponding webserver. (no load balancing)

Currently I only offer the pages in http but would like to offer https too, by offloading SSL with the fortigate. I want to install a wildcard certificate for this on the fortigate. I don’t want the fortigate to cache any requests, neither http nor https. (That’s because the content is very dynamic - not just php, but also jpgs of webcams which expire very fast - and because I need to be able to still count all traffic with the webservers.) I also don’t want to do any load balancing, as each webserver is only responsible for its own subdomains/vhosts.

Is this a possible scenario?  All configuration examples I found just have one webserver and also do webcaching.

Thanks!

1 reply

boneyard
boneyard
Valued Contributor
January 3, 2016

this should be quite simple and possible, which examples have you found so far? i can point out what you need to skip.

robert_skywalker
robert_skywalkerAuthor
New Member
January 4, 2016

thanks for your reply!

This is, what I copied from examples:

 

config wanopt ssl-server     edit "webserver"         set ip 192.168.1.123         set port 443         set ssl-mode half         set mapped-port 80         set ssl-cert "mydomain.com"     next end

 

(I added mapped-port, which I did not found in any example, because the system compains, that it can't be 0 after typing "end")

 

Now I'm not sure how to tell the policy that matches the incoming https traffic to apply the offloading. This is, what I've tried:

 

config firewall policy     edit 17         set uuid xxxx         set srcintf "wan1"         set dstintf "lan"         set srcaddr "all"         set dstaddr "webserver_extern"         set action accept         set schedule "always"         set service "HTTPS"         set utm-status enable         set wanopt enable         set ips-sensor "webserver_linux"         set application-list "default"         set profile-protocol-options "default"         set wanopt-profile "default"     next end

 

config wanopt profile     edit "default"         set comments "Default WANopt profile."             config http                 set status enable                 set ssl enable             end     next end

 

I can see at the packet counter, that at least the rule matches incoming https, but it doesn't seem to "convert" the https to the http server.

vivianwu_FTNT
Staff
vivianwu_FTNT
Staff
January 12, 2016

you can use Fortigate load balance to do ssl offloading only on client and Fortigate side.

 

Client <---------------> FortiGate <-------------->Server

          ssl offloading                      clear text

 

Here is the sample config for half mode SSL offloading

 

 config firewall vip

  edit Vserver-ssl-offload

     set type server-load-balance

     set server-type https

     set ldb-method round-robin

     set extip 172.20.120.30

     set extintf wan1

     set extport 443

     set persistence ssl-session-id

     set ssl-mode half

     set ssl-certificate my-cert

     set monitor tcp-mon-1

     config realservers

             edit 1

               set ip 10.31.101.30

               set port 443

           next

           edit 2

                 set ip 10.31.101.40

                 set port 443

           end

end

 

more detail info can be found at http://docs.fortinet.com/...igate-load-balancing-2

Terms & ConditionsAccessibility statement