Description
This article explains a basic scenario for configuring a VIP load-balance with an HTTP Host header check, which makes the FortiGate act as a reverse proxy.
It covers a setup where a single public IP is mapped to different real servers according to the Host header of the HTTP request (the host name the client accessed).
Solution
Note the following prerequisites for a VIP load-balance:
- the firewall policy that allows the traffic must use proxy-based inspection mode (set inspection-mode proxy), because the Host header can only be read by the proxy.
- if the intended mode is HTTPS, the hardware must support SSL offloading, since the FortiGate has to terminate the TLS session in order to read the Host header.
The scenario below uses a single external IP and port on wan1 and three HTTPS real servers, each selected by its host name.
Firewall VIP configuration to achieve this:
config firewall vip
    edit "Vserver-HTTPS-LB"
        set type server-load-balance
        set extip 123.45.67.89
        set extintf "wan1"
        set server-type https
        set ldb-method http-host
        set extport 45678
        config realservers
            edit 1
                set ip 192.168.1.1
                set port 443
                set http-host "test1.clientdomain.com"
            next
            edit 2
                set ip 192.168.1.2
                set port 443
                set http-host "test2.clientdomain.com"
            next
            edit 3
                set ip 192.168.1.3
                set port 443
                set http-host "test3.clientdomain.com"
            next
        end
        set ssl-mode full
        set ssl-certificate "clientdomain_certificate"
    next
end
Sample firewall policy to allow traffic. The VIP object only matches TCP/45678 on wan1, so service "ALL" is acceptable here; a custom TCP/45678 service object is the tighter choice:
config firewall policy
    edit 0
        set name "VIP-LB-policy"
        set inspection-mode proxy
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Vserver-HTTPS-LB"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
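To verify that the Host header really selects the intended real server, here is an added probe script (not part of the original article or of FortiOS). It opens a TLS session to the VIP with the SNI set to each host name, sends a request carrying that Host header, and reports the answer. It assumes the extip, extport and host names from the configuration above, and assumes the backends identify themselves with an 'X-Backend' response header (a constructed convention); the request builder and response parser are kept separate from the network call so they can be exercised offline.

```python
"""Probe a FortiGate server-load-balance VIP to verify HTTP Host routing.

Added example, not part of the original article. VIP_IP, VIP_PORT and HOSTS
are taken from the configuration above; the 'X-Backend' header is an assumed
way for each real server to identify itself in its response.
"""
from __future__ import annotations

import socket
import ssl

VIP_IP = "123.45.67.89"   # extip of the VIP above
VIP_PORT = 45678          # extport of the VIP above
HOSTS = ("test1.clientdomain.com", "test2.clientdomain.com", "test3.clientdomain.com")


def build_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request; the Host header is what ldb-method http-host matches on."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: vip-probe",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Return (status_code, headers) from a raw HTTP response; header names lower-cased."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def probe(host: str, ip: str = VIP_IP, port: int = VIP_PORT,
          verify: bool = True) -> tuple[int, dict[str, str]]:
    """Connect to the VIP with SNI=host, send the request and parse the reply.

    With ssl-mode full the FortiGate terminates TLS with 'clientdomain_certificate',
    so that certificate must be valid for every host name, or verify must be False
    (lab testing only).
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    chunks = []
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_request(host))
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    for h in HOSTS:
        try:
            status, headers = probe(h, verify=False)
            print(f"{h}: HTTP {status}, served by {headers.get('x-backend', '<unknown>')}")
        except (OSError, ssl.SSLError) as exc:
            print(f"{h}: probe failed: {exc}")
```

Run it from a host on the wan1 side. Each host name should be answered by its own real server; if all three come back from the same backend, the policy is most likely not in proxy inspection mode or the VIP's ldb-method is not http-host.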
Note: in this setup the three real servers are all connected to the FortiGate's 'internal' hardware switch (all the server ports are members of that switch); equivalently, they can sit behind a local switch that uplinks to a single FortiGate port.
One condition must therefore be observed:
- Prior to FortiOS 6.2: all the real servers must be on the same subnet.
- FortiOS 6.2 and newer: the real servers may be on different subnets, as long as source NAT is disabled on the firewall policy (set nat disable, which is the default).
- There is a limit on the number of real servers that can be configured under each VIP. Check it for the platform and FortiOS version in use with the command 'print tablesize', or in the Maximum Values Table portal: look for the parameter 'firewall.vip:realservers', which shows how many real servers each VIP object can hold. For example, on a FortiGate 100E running FortiOS 7.2.4 the value of 'firewall.vip:realservers' is 16, so at most 16 real servers can be configured per VIP.
The different-subnet variant of this scenario is not possible prior to FortiOS 6.2.
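The conditions above are easy to get wrong by hand, so here is an added configuration linter (not part of the original article or of FortiOS). It parses the CLI text of a 'config firewall vip' block and checks that every real server carries an http-host when ldb-method is http-host, that the real-server count stays within the platform's firewall.vip:realservers value (pass the number reported by 'print tablesize'), that an HTTPS virtual server has an ssl-certificate, and, for FortiOS before 6.2, that all real servers share one subnet. The sample input is a constructed copy of the VIP above; the VIP config carries no netmask, so the prefix length is an assumed parameter (default /24).

```python
"""Lint a FortiGate server-load-balance VIP against the constraints described above.

Added example, not part of the original article or of FortiOS. The real-server
limit comes from 'print tablesize' (firewall.vip:realservers) and is passed in;
the subnet prefix length is an assumption because the VIP config has no netmask.
"""
from __future__ import annotations

import ipaddress
import shlex

# Constructed sample input: the article's VIP as configured above.
SAMPLE_VIP = """
config firewall vip
    edit "Vserver-HTTPS-LB"
        set type server-load-balance
        set extip 123.45.67.89
        set extintf "wan1"
        set server-type https
        set ldb-method http-host
        set extport 45678
        config realservers
            edit 1
                set ip 192.168.1.1
                set port 443
                set http-host "test1.clientdomain.com"
            next
            edit 2
                set ip 192.168.1.2
                set port 443
                set http-host "test2.clientdomain.com"
            next
            edit 3
                set ip 192.168.1.3
                set port 443
                set http-host "test3.clientdomain.com"
            next
        end
        set ssl-mode full
        set ssl-certificate "clientdomain_certificate"
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Parse FortiOS CLI text into nested dicts: table -> entry -> {setting: value}."""
    root: dict = {}
    stack = [root]  # current nesting of config/edit scopes
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps whitespace inside quoted names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            scope = stack[-1].setdefault(" ".join(args), {})
            stack.append(scope)
        elif cmd == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def lint_vip(name: str, vip: dict, max_realservers: int,
             fortios_version: tuple[int, int] = (7, 2), prefixlen: int = 24) -> list[str]:
    """Return a list of findings; an empty list means the VIP passes every check."""
    findings: list[str] = []
    if name != name.strip():
        findings.append(f"VIP name {name!r} has surrounding whitespace; a policy "
                        f"referencing {name.strip()!r} will not match it")
    servers = vip.get("realservers", {})
    if len(servers) > max_realservers:
        findings.append(f"{len(servers)} real servers exceed "
                        f"firewall.vip:realservers={max_realservers}")
    if vip.get("ldb-method") == "http-host":
        if vip.get("server-type") not in ("http", "https"):
            findings.append("ldb-method http-host requires server-type http or https")
        for sid, srv in servers.items():
            if not srv.get("http-host"):
                findings.append(f"real server {sid} has no http-host and can never be selected")
    if vip.get("server-type") == "https" and not vip.get("ssl-certificate"):
        findings.append("server-type https needs an ssl-certificate")
    if fortios_version < (6, 2):
        nets = {ipaddress.ip_network(f"{s['ip']}/{prefixlen}", strict=False)
                for s in servers.values() if "ip" in s}
        if len(nets) > 1:
            findings.append(f"real servers span {len(nets)} subnets (/{prefixlen} assumed); "
                            f"FortiOS before 6.2 requires a single subnet")
    return findings


if __name__ == "__main__":
    for vip_name, vip in parse_fortios(SAMPLE_VIP)["firewall vip"].items():
        print(vip_name, lint_vip(vip_name, vip, max_realservers=16) or "OK")
```

Paste the output of 'show firewall vip' in place of SAMPLE_VIP and set max_realservers to the firewall.vip:realservers value for the unit; the parser understands only the config/edit/set/next/end grammar used by FortiOS configuration dumps.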
Related document:
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/713497/virtual-server
Related Articles:
Technical Tip: Active-Standby Virtual Servers (Server Load balancing)
Technical Note: How to configure Load Balance VIP using health monitor in SLBC environment
Maximum Values Table