Description
This article describes a basic scenario for configuring a VIP load-balance with an HTTP-header check, also known as a reverse proxy.
This helps set up a scenario where the Public IP is mapped to different real servers based on the request in the HTTP header (URL accessed by the customer).
Scope
FortiGate.
Solution
Note the following prerequisites for a VIP load-balance:
- FortiGate must be operating in Profile-based mode.
- The firewall policy for the specific traffic must be in proxy inspection mode.
- If the intended mode is HTTPS, then the hardware must support SSL offloading.
Focus on the following specific scenario:
Firewall VIP configuration to achieve this:
config firewall vip
edit " Vserver-HTTPS-LB"
set type server-load-balance
set extip 123.45.67.89
set extintf "wan1"
set server-type https
set ldb-method http-host
set extport 45678
config realservers
edit 1
set ip 192.168.1.1
set port 443
set http-host "test1.clientdomain.com"
next
edit 2
set ip 192.168.1.2
set port 443
set http-host "test2.clientdomain.com"
next
edit 3
set ip 192.168.1.3
set port 443
set http-host "test3.clientdomain.com"
next
end
set ssl-mode full
set ssl-certificate "clientdomain_certificate"
next
end
edit " Vserver-HTTPS-LB"
set type server-load-balance
set extip 123.45.67.89
set extintf "wan1"
set server-type https
set ldb-method http-host
set extport 45678
config realservers
edit 1
set ip 192.168.1.1
set port 443
set http-host "test1.clientdomain.com"
next
edit 2
set ip 192.168.1.2
set port 443
set http-host "test2.clientdomain.com"
next
edit 3
set ip 192.168.1.3
set port 443
set http-host "test3.clientdomain.com"
next
end
set ssl-mode full
set ssl-certificate "clientdomain_certificate"
next
end
Sample firewall policy to allow traffic:
config firewall policy
edit 0
set name "VIP-LB-policy"
set inspection-mode proxy
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "Vserver-HTTPS-LB"
set action accept
set schedule "always"
set service "ALL"
next
end
edit 0
set name "VIP-LB-policy"
set inspection-mode proxy
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "Vserver-HTTPS-LB"
set action accept
set schedule "always"
set service "ALL"
next
end
Note: The 3 servers in this setup are all connected to the 'internal' switch of the FortiGate (and all the server ports are part of this switch), or can be connected to a single port to a local switch.
Therefore, one condition must be observed:
- Before FortiOS 6.2: all the real servers must be on the same subnet.
FortiOS 6.2 and newer: the real servers may be on different subnets, as long as (s)NAT is disabled on the firewall policy (set nat disable). - It is important to note that there is a limitation for the number of real servers that can be configured under every VIP, check for the platform and FortiOS version used, by using the command 'print tablesize' or check the Maximum Values Table portal. Look for the parameter 'firewall.vip:realservers' which will show how many real servers can be configured for every VIP object. For example for 100E and FortiOS 7.2.4, the value for 'firewall.vip:realservers' is 16 which means 16 real servers for every VIP can be configured.
This scenario is not possible before FortiOS 6.2:
This is possible to configure from the web interface, however, is required to enable the option at 'Feature Visibility':
- In the left panel option, go to System -> Feature Visibility.
-
In the column 'Additional Feature' search for 'Load Balance'.
-
Once enabled, under the section 'Policy and Objects' the new feature is seen as 'Virtual Servers'.
-
Select to create a new Virtual Server, to see the previously mentioned options.
Related document:
Virtual server - FortiGate 6.2.3 cookbook
Related articles:
