Description
This article explains a basic scenario for configuring a VIP load-balance with HTTP-header check, also known as a reverse proxy.
In this setup, a single public IP is mapped to different real servers based on the Host header of the HTTP request (the URL accessed by the customer).
Solution
Note the following prerequisites for a VIP load-balance:
- the firewall must be running in proxy-based mode.
- if the intended mode is HTTPS, then the hardware must support SSL offloading.
Focus on the following specific scenario:
Firewall VIP configuration to achieve this:
# config firewall vip
    edit "Vserver-HTTPS-LB"
        set type server-load-balance
        set extip 123.45.67.89
        set extintf "wan1"
        set server-type https
        set ldb-method http-host
        set extport 45678
        # config realservers
            edit 1
                set ip 192.168.1.1
                set port 443
                set http-host "test1.clientdomain.com"
            next
            edit 2
                set ip 192.168.1.2
                set port 443
                set http-host "test2.clientdomain.com"
            next
            edit 3
                set ip 192.168.1.3
                set port 443
                set http-host "test3.clientdomain.com"
            next
        end
        set ssl-mode full
        set ssl-certificate "clientdomain_certificate"
    next
end
Sample firewall policy to allow traffic:
# config firewall policy
    edit 0
        set name "VIP-LB-policy"
        set inspection-mode proxy
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Vserver-HTTPS-LB"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Note: The 3 servers in this setup are all connected to the 'internal' switch of the FortiGate (all the server ports are part of this switch); alternatively, they can be connected through a local switch to a single FortiGate port.
Therefore, one condition must be observed:
- Prior to FortiOS 6.2: all the real servers must be on the same subnet.
- FortiOS 6.2 and newer: the real servers may be on different subnets, as long as (s)NAT is disabled on the firewall policy (set nat disable).
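The subnet and NAT condition above, along with the per-server http-host mapping, can be checked offline against a saved configuration. The following Python check is an added example, not Fortinet code: the parser reads only config/edit/set/next/end lines, and the function names, the /24 prefix length and the fortios version tuple are assumptions, since the page states no netmask. A policy without an explicit "set nat enable" line is treated as having NAT disabled.

```python
import ipaddress

# Constructed sample: real server 2 lacks http-host and sits on another subnet.
SAMPLE = """config firewall vip
edit "Vserver-HTTPS-LB"
set ldb-method http-host
config realservers
edit 1
set ip 192.168.1.1
set http-host "test1.clientdomain.com"
next
edit 2
set ip 192.168.2.2
next
end
next
end
config firewall policy
edit 0
set dstaddr "Vserver-HTTPS-LB"
set nat enable
next
end"""

def parse(text):  # returns {(config/edit path): {setting: value}}
    stack, out = [], {}
    for raw in text.splitlines():
        word, _, rest = raw.strip().lstrip("# ").partition(" ")
        if word in ("config", "edit"):
            stack.append(rest.strip().strip('"'))
        elif word in ("next", "end") and stack:
            stack.pop()
        elif word == "set":
            key, _, val = rest.strip().partition(" ")
            out.setdefault(tuple(stack), {})[key] = val.strip().strip('"')
    return out

def audit(text, prefix_len=24, fortios=(6, 2)):  # both defaults are assumptions
    cfg, findings = parse(text), []
    for vip in sorted({p[1] for p in cfg if p[0] == "firewall vip"}):
        servers = [kv for p, kv in cfg.items() if p[:3] == ("firewall vip", vip, "realservers")]
        nets = {ipaddress.ip_interface(f"{s['ip']}/{prefix_len}").network for s in servers if "ip" in s}
        nat = any(kv.get("nat") == "enable" for p, kv in cfg.items()
                  if p[0] == "firewall policy" and kv.get("dstaddr") == vip)
        by_host = cfg.get(("firewall vip", vip), {}).get("ldb-method") == "http-host"
        if by_host and any("http-host" not in s for s in servers):
            findings.append(f"{vip}: real server without http-host")
        if len(nets) > 1 and (fortios < (6, 2) or nat):
            findings.append(f"{vip}: subnets differ; needs FortiOS 6.2+ and 'set nat disable'")
    return findings
```

Calling audit(SAMPLE) returns both findings for the constructed sample; pass the real prefix length of the server network as prefix_len.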
This scenario is not possible prior to FortiOS 6.2:
Related document:
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/713497/virtual-server
Related Articles
Technical Tip: Active-Standby Virtual Servers (Server Load balancing)
Technical Note: How to configure Load Balance VIP using health monitor in SLBC environment