kbahrudin_FTNT
Article Id 192472

Description

 

This article explains how to add the X-Forwarded-Proto header to HTTP traffic.
 
Scope
 
FortiGate.


Solution

 

The X-Forwarded-Proto header can only be added when SSL offload is used with web cache in half mode. When using SSL offload with web cache, the SSL offload settings are not configured in the VIP object but under wanopt ssl-server. In the firewall policy, webcache must be enabled and webcache-https must be set to ssl-server.

Example
 
config firewall vip
    edit "VIP"
        set extip 118.69.217.185
        set extintf "wan1"
        set mappedip 192.168.7.195
    next
end

config wanopt ssl-server
    edit "test"
        set ip 192.168.7.195
        set port 443
        set ssl-mode half -> make sure it is in half mode
        set add-header-x-forwarded-proto enable -> add X-Forwarded-Proto header
        set url-rewrite enable
        set mapped-port 80
        set ssl-cert <ssl-cert>
        set ssl-algorithm high
        set ssl-client-renegotiation deny
        set ssl-min-version tls-1.0
    next
end

config firewall policy
    edit <policy-id>
        set srcintf "wan1"
        set dstintf "CNTT"
        set srcaddr "All"
        set dstaddr "VIP"
        set action accept
        set schedule "always"
        set service "PING" "HTTPS"
        set webcache enable -> enable webcache
        set webcache-https ssl-server -> webcache ssl-server
    next
end
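
With ssl-mode half, the real server (192.168.7.195, mapped-port 80 above) receives plain HTTP, and X-Forwarded-Proto is its only indication that the client used HTTPS. The Python WSGI code below is an added example, not part of the original article or Fortinet code: it honours the header only from a trusted peer address. The address 192.168.7.1 and the names effective_scheme, ForwardedProtoMiddleware and demo_app are assumptions made for illustration.

```python
import ipaddress

# Constructed value (assumption): the source address the backend sees
# FortiGate connect from. Replace with the real one for your topology.
TRUSTED_PROXIES = (ipaddress.ip_network("192.168.7.1/32"),)


def effective_scheme(peer_ip, xfp_value, trusted=TRUSTED_PROXIES):
    """Scheme the client used, for a request received over plain HTTP.

    xfp_value is the raw X-Forwarded-Proto value, or None if absent.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return "http"
    if not any(peer in net for net in trusted):
        return "http"  # any client can send this header; ignore other peers
    # Accept exactly one value. A comma-separated list (for example a
    # client-supplied value plus the proxy's) is ambiguous, so it is "http".
    value = (xfp_value or "").strip().lower()
    return "https" if value == "https" else "http"


class ForwardedProtoMiddleware:
    """WSGI wrapper that sets wsgi.url_scheme from the vetted header."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        raw = environ.pop("HTTP_X_FORWARDED_PROTO", None)  # hide raw header
        environ["wsgi.url_scheme"] = effective_scheme(
            environ.get("REMOTE_ADDR", ""), raw, self.trusted)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed app: redirect to HTTPS unless the client already used it."""
    if environ["wsgi.url_scheme"] != "https":
        host = environ.get("HTTP_HOST", "www.example.invalid")
        location = "https://" + host + environ.get("PATH_INFO", "/")
        start_response("301 Moved Permanently", [("Location", location)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure\n"]
```

If the server sees the original client address instead of a FortiGate address, peer-address trust does not apply; in that case limit access to port 80 on the server to the path through the FortiGate.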