FortiWeb
okhatab
Staff
Article Id 331577

 

Description

This article describes how to modify the location header obtained from the backend server’s response before sending it to the client.

For example, the backend server returns a location header that redirects to the correct domain, but the URL uses HTTP while only HTTPS is allowed.

Scope

FortiWeb.

Solution
  1. Create a url-rewrite rule that matches the location header when it uses HTTP and changes it to HTTPS:

    config waf url-rewrite url-rewrite-rule
        edit "Modify_location"
            set action http-response-header-rewrite
            set location_replace https:$1
            set location-status enable
                config match-condition
                    edit 1
                        set object http-location
                        set reg-exp ^(http:)(.*)$
                    next
                end
        next
    end

  2. Add the url-rewrite rule to a url-rewrite policy.

  3. Add the url-rewrite policy to the web protection profile used by the server-policy.

Testing with curl shows that, without the rule, the received location header uses HTTP; with the rule in place, it uses HTTPS:

  • Without the url-rewrite rule:

    curl -vk https://mymailserver.local
    *   Trying 10.10.10.10:443...
    * Connected to mymailserver.local (10.10.10.10) port 443 (#0)
    * schannel: disabled automatic use of client certificate
    * ALPN: offers http/1.1
    * ALPN: server accepted http/1.1
    * using HTTP/1.1
    > GET / HTTP/1.1
    > Host: mymailserver.local
    > User-Agent: curl/8.0.1
    > Accept: */*
    < HTTP/1.1 301 Moved Permanently
    < Location: http://mytestserver.local < ------- Location header is using http
    < Content-Length: 98
    < Content-Type: text/html
    < Set-Cookie: cookiesession1=678A3E0E24E0E8A33F324CA2088F5610;Expires=Fri, 08 Aug 2025 14:49:34 GMT;Path=/;HttpOnly
    <head><title>Object moved permanently</title></head><body><h1>Object Moved Permanently</h1></body>* Connection #0 to host mymailserver.local left intact

     

  • With the url-rewrite rule:

    curl -vk https://mymailserver.local
    *   Trying 10.10.10.10:443...
    * Connected to mymailserver.local (10.10.10.10) port 443 (#0)
    * schannel: disabled automatic use of client certificate
    * ALPN: offers http/1.1
    * ALPN: server accepted http/1.1
    * using HTTP/1.1
    > GET / HTTP/1.1
    > Host: mymailserver.local
    > User-Agent: curl/8.0.1
    > Accept: */*
    < HTTP/1.1 301 Moved Permanently
    < Location: https://mytestserver.local < ------- Location header is using https
    < Content-Length: 98
    < Content-Type: text/html
    < Set-Cookie: cookiesession1=678A3E0E70710E19488A14E33767A691;Expires=Fri, 08 Aug 2025 14:52:25 GMT;Path=/;HttpOnly
    <head><title>Object moved permanently</title></head><body><h1>Object Moved Permanently</h1></body>* Connection #0 to host mymailserver.local left intact
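
To make the before/after comparison above repeatable (for example after a firmware upgrade or a policy change), the following added example, which is not part of the original article, reads response headers in the form curl prints them and fails if any Location header still carries an absolute http: URL. The function names and the two sample responses are constructed for illustration, modelled on the captures above.

```shell
#!/bin/sh
# Added example (not from the original article).
# insecure_locations: read raw response headers on stdin and print every
# Location value whose scheme is http. Exit status 0 = none, 1 = found.
insecure_locations() {
    awk '
        {
            sub(/\r$/, "")                    # header dumps keep CRLF endings
            sub(/^< /, "")                    # tolerate the "curl -v" prefix
        }
        tolower($0) ~ /^location:/ {          # header names are case-insensitive
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)   # drop header name and padding
            if (tolower(value) ~ /^http:/) {  # URL schemes are case-insensitive
                print value
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample responses: backend redirect before and after the rule.
sample_before() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: http://mytestserver.local\r\nContent-Length: 98\r\n\r\n'
}
sample_after() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://mytestserver.local\r\nContent-Length: 98\r\n\r\n'
}

for s in sample_before sample_after; do
    if out=$($s | insecure_locations); then
        echo "$s: OK, no http: Location header"
    else
        echo "$s: insecure Location header -> $out"
    fi
done

# Against a live virtual server (host name taken from the article):
#   curl -sk -o /dev/null -D - https://mymailserver.local | insecure_locations
```

Relative redirects such as `Location: /login` are not flagged, since they inherit the scheme of the original HTTPS request.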

     

Related document: 
Rewriting & redirecting