Created on 02-01-2019 08:04 AM
Edited on 08-30-2024 08:21 AM
By Stephen_G
Description
This article explains how to add the X-Forwarded-For and X-Forwarded-Proto headers to HTTP(S) traffic destined for a web server that is published through a FortiGate Virtual IP (VIP), so that the web server can see the original client address and the scheme (http or https) the client used.
Diagram
Scope
Note: Since FortiOS 7.4.4, units with 2 GB of RAM or less no longer support proxy features. On those models the 'config web-proxy profile' command is not available, so the solution below cannot be applied to them.
The solution below assumes the following prerequisites are met:
Note: The load balance virtual server (Layer 7 VIP) does not support the X-Forwarded-Proto header; the solution below uses a standard VIP together with an SSL server instead.
Configuration:
1) Import the web server's certificate (the FortiGate needs the server's private key to terminate TLS on the client side): log in to the GUI -> System -> Certificates -> Import -> Local Certificate.
If the certificate is available in PKCS #12 format (certificate and private key in one file), select Type 'PKCS #12 certificate'.
If the certificate and the private key are available as separate files, select Type 'Certificate' and select the certificate file and the private key file.
For more information, refer to Fortinet's Knowledge Base articles:
2) Create the Virtual IP. The FortiGate GUI can also be used to add a Virtual IP:
'Login to GUI -> Policy & Objects -> Virtual IPs'.
However, this article uses the CLI configuration example. x.x.x.x is the public address on the Internet-facing interface and y.y.y.y is the web server's real address.
config firewall vip
    edit "example.com"
        set extip x.x.x.x
        set extintf "external_interface_connected_to_internet"
        set mappedip y.y.y.y
    next
end
3) Create a web-proxy profile that adds the X-Forwarded-For header with the client's source address:
config web-proxy profile
    edit "1"
        set header-x-forwarded-for add <- To add the x-forwarded-for header (the other values are pass and remove).
    next
end
4) Create a URL filter whose entry applies the web-proxy profile to requests for the web server's hostname:
config webfilter urlfilter
    edit 1
        set name "example.com"
        config entries
            edit 1
                set url www.example.com
                set action monitor
                set web-proxy-profile "1" <- Web-proxy profile configured in step 3.
            next
        end
    next
end
Note: The URL entry must match the hostname that clients on the Internet use (the Host header of the request); the web-proxy profile is only applied to requests that match an entry.
If the web server is reached under several hostnames, add one entry per hostname. The web-proxy profile must be set on each URL entry.
5) Create a web filter profile that references the URL filter table:
config webfilter profile
    edit "example.com"
        config web
            set urlfilter-table 1
        end
    next
end
6) Create an SSL server for the web server's real IP. In half mode the FortiGate terminates the client's TLS session with the imported certificate and forwards plain HTTP to the web server (SSL offloading); this is why the X-Forwarded-Proto header is needed, since the web server otherwise only sees an http request.
config firewall ssl-server
    edit "example.com"
        set ip y.y.y.y
        set ssl-mode half
        set url-rewrite enable
        set add-header-x-forwarded-proto enable <- Enabled by default.
        set ssl-cert "example.com" <- Certificate imported in step 1.
    next
end
7) Create an SSL/SSH inspection profile that uses the SSL server. With use-ssl-server enabled, traffic to y.y.y.y is handled by the SSL server configured in step 6.
config firewall ssl-ssh-profile
    edit "example.com"
        set server-cert-mode re-sign
        set use-ssl-server enable
    next
end
8) Create the firewall policy from the Internet to the web server, with the VIP as the destination and the web filter and SSL/SSH inspection profiles applied:
config firewall policy
    edit <id>
        set srcintf "external_interface_connected_to_internet"
        set dstintf "interface_connected_to_webserver"
        set srcaddr "all"
        set dstaddr "example.com" <- VIP created in step 2.
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "example.com" <- Web filter profile created in step 5.
        set profile-protocol-options "default"
        set ssl-ssh-profile "example.com" <- SSL/SSH profile created in step 7.
    next
end
Note: The example uses service "ALL" for simplicity. In production, restrict the service to HTTPS (and HTTP if the web server must also be reachable in clear text) so the VIP does not expose other ports of the web server to the Internet.
Verification
HTTP request as received on the web server y.y.y.y (the last two headers were added by the FortiGate):
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate, br
Host: example.com
Connection: Keep-Alive
X-Forwarded-Proto: https
X-Forwarded-For: 200.200.12.54
Note: Any client on the Internet can send its own X-Forwarded-For and X-Forwarded-Proto headers. The web server should only trust these headers on connections whose peer address is the FortiGate, and should use the entry the FortiGate added (the right-most X-Forwarded-For value), otherwise the client address used for logging, rate limiting or access control can be spoofed.
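The following is an added example, not part of the Fortinet article, showing how the web server behind the VIP should consume the headers produced by the configuration above. It assumes the web server sees the FortiGate as peer 10.0.0.1 (a hypothetical address) and listens on plain HTTP because the SSL server runs in half mode. The sample requests are constructed: the first reproduces the request from the Verification section, the second is a client that connects directly and spoofs both headers.

```python
"""
Added example (not from the Fortinet KB article): trusting X-Forwarded-For /
X-Forwarded-Proto only when they were added by the FortiGate.

In half mode the connection that reaches y.y.y.y is plain HTTP and its source
address is the FortiGate's interface, so the real client address and the
original scheme exist only in the headers. Because any client can send these
headers itself, they are honoured only from the trusted proxy, and only the
right-most X-Forwarded-For entry (the one the proxy appended) is used.
"""
from ipaddress import ip_address, ip_network

# Assumption: address the web server sees as the FortiGate (hypothetical).
TRUSTED_PROXIES = [ip_network("10.0.0.1/32")]

# Constructed sample, modelled on the request in the Verification section.
FORTIGATE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Connection: Keep-Alive\r\n"
    "X-Forwarded-Proto: https\r\n"
    "X-Forwarded-For: 200.200.12.54\r\n"
    "\r\n"
)

# Constructed sample: a client bypassing the FortiGate and spoofing both headers.
SPOOFED_DIRECT_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "X-Forwarded-Proto: https\r\n"
    "X-Forwarded-For: 127.0.0.1\r\n"
    "\r\n"
)


def parse_headers(raw_request: str) -> dict:
    """Return the headers of a raw HTTP/1.1 request with lower-cased names."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def from_trusted_proxy(peer_ip: str) -> bool:
    """True if the TCP peer is the FortiGate."""
    peer = ip_address(peer_ip)
    return any(peer in net for net in TRUSTED_PROXIES)


def client_address(peer_ip: str, headers: dict) -> str:
    """Address to use for logging, rate limiting and ACLs."""
    if not from_trusted_proxy(peer_ip):
        return peer_ip  # direct connection: the header is untrusted
    xff = headers.get("x-forwarded-for", "")
    if not xff:
        return peer_ip
    candidate = xff.split(",")[-1].strip()  # right-most entry was appended by the FortiGate
    try:
        return str(ip_address(candidate))
    except ValueError:
        return peer_ip  # malformed value: fall back to the peer address


def original_scheme(peer_ip: str, headers: dict) -> str:
    """Scheme the client used (for absolute URLs, Secure cookies, redirects)."""
    if from_trusted_proxy(peer_ip):
        proto = headers.get("x-forwarded-proto", "").lower()
        if proto in ("http", "https"):
            return proto
    return "http"  # the server itself only listens on plain HTTP


def describe(peer_ip: str, raw_request: str) -> tuple:
    """(client address, original scheme) for one received request."""
    headers = parse_headers(raw_request)
    return client_address(peer_ip, headers), original_scheme(peer_ip, headers)


if __name__ == "__main__":
    print(describe("10.0.0.1", FORTIGATE_REQUEST))          # via the FortiGate
    print(describe("198.51.100.7", SPOOFED_DIRECT_REQUEST))  # direct, spoofed headers ignored
```

The same rule applies whichever web server or framework is used: configure its proxy-trust setting (for example a trusted proxy list or "real IP" module) with the FortiGate's address only, never with a wildcard, and make sure the web server is not reachable from the Internet except through the VIP.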
Related articles:
Copyright 2025 Fortinet, Inc. All Rights Reserved.