FortiWeb
A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate.
goliver
Staff
Staff
Article Id 192896

Description

 

When implementing a FortiWEB as a proxy, there can be a need to replace text in the HTML body so that the HTML from the FortiWEB is presented correctly to the user.

For example, when offloading on the FortiWEB, the server can often return the URL in the form HTTP rather than HTTPS in the HTML as the FortiWeb is connected as HTTP.

 

Scope

 

FortiWeb.


Solution

 

The following steps can be used to enable a rewrite of the HTML body text from http to https:

 

  1. Configure the maximum of cache for the FortiWEB to be able to manipulate the text from the back-end server.
 
config system advanced
  set max-cache-size 1024
end

 

  1. Set up an uncompress rule to enforce that the HTML is received as text and not compressed.  (A common reason why the text is not detected and changed).
 
config waf web-protection-profile inline-protection
  edit "rewrite"
     set http-session-management enable
     [deleted ....]   
  set file-compress-rule CompressZ
  set file-uncompress-rule UnCompressZ
next
end
 
Check the HTML text is readable with the command:
 
diag network sniffer <port> ....
 
  1. Create a URL rewrite rule to have a regex to detect the 'http://' and replace it with the 'https://'.
 
config waf url-rewrite url-rewrite-rule
  edit "rewrite"
    set location http://
    set body_replace https://
    set action http-body-rewrite
    config  match-condition
      edit 1
      set object http-body
      set reg-exp "http:\\/\\/"
      set protocol-filter enable
      set content-type-filter enable
      set content-type-set text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript application/json application/rss+xml
     next
    end
  next
end
 
  1. Create a URL Rewrite Policy and assign the Rule.
 
config waf url-rewrite url-rewrite-policy
  edit "rewrite"
    config  rule
      edit 1
        set url-rewrite-rule-name rewrite
      next
    end
  next
end
 
One can also configure URL rewrite rule and policy from GUI as below:
 
URL rewrtie.png
 
  1. Assign the URL Rewrite Policy to the Web Protection Profile and then to the Server Policy.

 

Note:

When testing the problem it appears not to work because of the Cache of the Browser.