Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vasilisgogos
New Contributor III

FortiWEB full URL Rewriting

Hello Team,

I am trying to rewrite  https://exapmle.in.com to https://exapmle2.out.net (URL are fake).

I have tried HTTP header rewriting ( without success) and body rewriting 9 the URL was redirecting to the new URL, which is not our case).

We need to keep the traffic to Fortiweb and not redirect the traffic to the end URL.

Bello the config

 

config waf url-rewrite url-rewrite-rule

edit "ASK-AI-REWRITING"
set host-status enable
set host exapmle.in.com
config header-insert
end
config response-header-insert
end
config header-removal
end
config response-header-removal
end
set request-remove-duplicate-headers disable
config match-condition
edit 1
set reg-exp exapmle2.out.net
set HTTP-protocol https
next
end
next
end

config waf url-rewrite url-rewrite-rule
edit "ASK-AI-REWRITING-2"
set action http-response-header-rewrite
set location_replace $0exapmle.in.com$1
set location-status enable
config header-insert
end
config response-header-insert
end
config header-removal
end
config response-header-removal
end
set response-replace-existing-headers enable
config match-condition
edit 1
set object http-location
set reg-exp (.*)exapmle2.out.net(.*)
next
end
next
end

 

Attached the URL RULE.

The problem is that the end Application Server is not accepting Requests that done not have exapmle2.out.net in HTTP HEADER( body).

 

 

 

 

Senior Network Security Engineer
Senior Network Security Engineer
1 Solution
vasilisgogos
New Contributor III

Hello, 

We found the solution.

Request Action

1- Request action should match HTTP Host (whole URL- URL1))
2- Replacement URL  - select Host - the backend URL (URL2)

Response action

1- Match both HTTP location with syntax (/*)URL2(/*)

    and HTTP Host with syntax (.*)URL2(.*)

2- Replacement String: Location - URL1

3- HTTP header Insertion enabled with Replace existing header and syntax  $0URL1$1

4- HTTP Header Removal enabled (remove Duplicate Headers) 

 

Also, the backend service should match the frontend service (HTTPs-->HTTPs or HTTP-->HTTP) 

Senior Network Security Engineer

View solution in original post

Senior Network Security Engineer
12 REPLIES 12
vasilisgogos
New Contributor III

URL-Policy.png

URL Policy

Senior Network Security Engineer
Senior Network Security Engineer
mokelvo2
New Contributor

So in the first KB link I posted there is a section titled "Example: Full host name/URL translation", so I experimented with variations on this (too many to list if I'm being honest) without much luck. Then I tried using a regex debugger for testing but didn't get very far with that before the end of my work day. Left it so that the full .com URL redirects to the .co.uk TLD, which Is easy enough but not what the business wants, sadly.

https://19216811.cam/ https://1921681001.id/
AEK
SuperUser
SuperUser

Hi Vasili

Can you pose a screenshot of the rule (from the WebUI)?

AEK
AEK
vasilisgogos
New Contributor III

hello,

Bellow the screenshots 

request.pngresponse.png

Senior Network Security Engineer
Senior Network Security Engineer
AEK
SuperUser
SuperUser

Hi Vasili

In URL rewrite condition you select HTTP Host, and you write example.in.com.

And in Replacement URL you enable only Host (not URL) and you write example2.out.net.

AEK
AEK
vasilisgogos
New Contributor III

Hello,

This is not our case.

If Host rewriting is selected, the traffic will be redirected to the new URL and not maintained to the original URL, and we can not monitor or block any attack.

 

 

Senior Network Security Engineer
Senior Network Security Engineer
vasilisgogos
New Contributor III

.

imagesss.png

Senior Network Security Engineer
Senior Network Security Engineer
AEK
SuperUser
SuperUser

Hi Vasili

I don't fully agree.

Here I mean the action is "Rewrite HTTP Header" and not redirection.

When you rewrite the "Host" HTTP header in the request, the back-end server can see the requested host is example2.out.net and not exapmle.in.com. And here there is no redirection done.

AEK
AEK
vasilisgogos
New Contributor III

Hello,

The traffic is permanently moved ( HTTP code 301 - from the above pic).
The real server sees it with the new header (only traffic with the backend server is permitted in our case), but the traffic is moved to the new URL, unfortunately.

 

Senior Network Security Engineer
Senior Network Security Engineer
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors