Description
When FortiWeb is deployed as a proxy, it may be necessary to replace text in the HTML body so that the HTML passing through FortiWeb is presented correctly to the user.
For example, when offloading on FortiWeb, the back-end server often returns URLs in the HTML as HTTP rather than HTTPS, because FortiWeb connects to it over HTTP.
Scope
FortiWeb
Solution
The following steps can be used to enable a rewrite of the HTML body text from http to https:
1) Configure the maximum cache size so that FortiWeb can manipulate the text from the back-end server.
# config system advanced
    set max-cache-size 1024
end
2) Set up an uncompress rule to ensure that the HTML is received as text and not compressed (compression is a common reason why the text is not detected and changed).
# config waf web-protection-profile inline-protection
    edit "rewrite"
        set http-session-management enable
        [deleted ....]
        set file-compress-rule CompressZ
        set file-uncompress-rule UnCompressZ
    next
end
Check that the HTML text is clearly readable with the command:
# diag network sniffer <port> ....
3) Create a URL rewrite rule with a regex that detects 'http://' and replaces it with 'https://'.
# config waf url-rewrite url-rewrite-rule
    edit "rewrite"
        set location http://
        set body_replace https://
        set action http-body-rewrite
        config match-condition
            edit 1
                set object http-body
                set reg-exp "http:\\/\\/"
                set protocol-filter enable
                set content-type-filter enable
                set content-type-set text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript application/json application/rss+xml
            next
        end
    next
end
4) Create a URL Rewrite Policy and assign the Rule.
# config waf url-rewrite url-rewrite-policy
    edit "rewrite"
        config rule
            edit 1
                set url-rewrite-rule-name rewrite
            next
        end
    next
end
5) Assign the URL Rewrite Policy to the Web Protection Profile and then to the Server Policy.
Note that during testing the rewrite can appear not to work because of the browser cache.
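The effect of steps 2 and 3, as an added Python illustration (not FortiWeb code and not part of the original article): it applies the rule's pattern to a constructed SOAP response, to the same response gzip-compressed, and then with a narrower pattern. The host app.example.com, the sample body and the scoped pattern are assumptions made for the example.

```python
import gzip
import re

# Constructed SOAP 1.2 response; app.example.com is a hypothetical site name.
SAMPLE_BODY = (
    b'<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">'
    b'<env:Body><itemUrl>http://app.example.com/api/item/1</itemUrl></env:Body>'
    b'</env:Envelope>'
)

# Same pattern as the reg-exp in step 3, written as a Python regex.
BLANKET = re.compile(rb"http:\/\/")
# Assumption, not from the article: only match links to the site's own host.
SCOPED = re.compile(rb"http://(?=app\.example\.com(?![\w.-]))")


def rewrite(body: bytes, pattern: re.Pattern) -> tuple[bytes, int]:
    """Replace every match with https:// and return (new_body, match_count)."""
    return pattern.subn(b"https://", body)


def report() -> dict:
    """Run the three cases and return the number of replacements in each."""
    compressed = gzip.compress(SAMPLE_BODY, mtime=0)
    return {
        "plain_blanket": rewrite(SAMPLE_BODY, BLANKET)[1],   # text body, rule pattern
        "gzip_blanket": rewrite(compressed, BLANKET)[1],     # compressed body, rule pattern
        "plain_scoped": rewrite(SAMPLE_BODY, SCOPED)[1],     # text body, host-scoped pattern
    }


if __name__ == "__main__":
    for case, count in report().items():
        print(f"{case}: {count} replacement(s)")
    print(rewrite(SAMPLE_BODY, BLANKET)[0].decode())
    print(rewrite(SAMPLE_BODY, SCOPED)[0].decode())
```

The compressed body yields no match, which is why step 2 is needed. The blanket pattern also changes the SOAP namespace URI, which is an identifier rather than a link, so XML and SOAP responses covered by the content-type-set in step 3 are worth checking after the rule is enabled.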