Hello everybody,
We are currently using, on a FortiGate (running 7.0.x OS), the SSL offloading feature for inspecting inbound traffic (!) to a web server located in our DMZ:
config firewall vip
edit "Loadbalancer SSL www.example.org"
set comment "for IPS on SSL"
set type server-load-balance
set extip 1.2.3.4
set extintf "wan1"
set server-type https
set monitor "192.168.1.22"
set extport 443
config realservers
edit 1
set ip 192.168.1.22
set port 443
next
end
set ssl-mode full
set ssl-certificate "www_example_org 03-23"
set ssl-client-renegotiation deny
set ssl-client-session-state-type disable
next
end
config firewall policy
edit 99
set srcintf "wan1"
set dstintf "dmz"
set action accept
set srcaddr "all"
set dstaddr "Loadbalancer SSL www.example.org"
set schedule "always"
set service "HTTPS" "HTTP"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "my_certificate-inspection"
set ips-sensor "my_protect_server"
set application-list "my_app_protect_server"
set logtraffic all
next
end
The "www_example_org 03-23" is an officially issued certificate for my website ("www.example.org").
This configuration is set up this way because I want the FortiGate to inspect the traffic (see my_app_protect_server and my_protect_server). Therefore the FortiGate needs to "crack" the connection and re-encrypt it using the official certificate.
Up to here everything is fine and working.
My goal is to host multiple websites on one public IP (in the example 1.2.3.4), e.g. www.example1.org, www.example2.org and so on. I need this because of the limited number of public IPs on my WAN side.
Therefore I need to use SNI, but I have no idea whether this is possible with the FortiGate, nor how to configure it. Simply using more than one "realserver" will not solve the problem; I can only use one certificate for re-encrypting the traffic (set ssl-certificate "www_example_org 03-23").
I have found this: https://community.fortinet.com/t5/Support-Forum/server-load-balancing-finally-works-since-FOS-6-4/m-...
Under the missing features, "SNI" is mentioned. Is this right? Is it also true for the latest FortiOS versions?
Can anybody assist me here?
Sebastian
Hello,
This can be achieved with "set ldb-method http-host" and setting "set http-host your.fqdn" in your VIP object config.
example:
config firewall vip
edit "SNI_based_virtual_hosts"
set type server-load-balance
set extintf "wan1"
set server-type https
set ldb-method http-host <---
set persistence http-cookie <---
set extport 443
config realservers
edit 1
set ip 10.0.0.1
set port 443
set http-host "a.fqdn.com" <---
next
edit 2
set ip 10.0.0.2
set port 443
set http-host "b.fqdn.com" <---
next
end
set ssl-mode full
set ssl-certificate "wildcard_or_san.fqdn.com"
set ssl-server-algorithm high
set ssl-server-min-version tls-1.1
set ssl-server-max-version tls-1.2
next
end
note:
The only issue here is the certificate.
It should either be a wildcard certificate for the CN of the whole domain, i.e. *.fqdn.com,
or it needs to include all the SNIs as SAN objects (subject alternative names), i.e. a.fqdn.com, b.fqdn.com, etc.
Regards
Hi, yes, the SNI field is supported in version 7.0 onwards. You can modify the SSL/SSH profile to have SNI.
config firewall ssl-ssh-profile
edit "multi-cert"
set server-cert-mode replace
set server-cert "bbb" "aaa"
next
end
For more details you can look at the article below.
Hi!
This did not work; my backend server complains about a mismatch between SNI and HTTP header:
Hostname www.example1.org provided via SNI and hostname www.example2.org provided via HTTP are different
The method @lol described has worked.
But it's not a complete SNI. I would expect the FortiGate to set both (SNI and HTTP Post header) correctly?
If you are interested I can supply complete config snippets.
Sebastian
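Two things in the replies above can be checked offline: whether one VIP certificate (wildcard or SAN) actually covers every http-host entry in the realserver table, and whether a request's SNI and Host header agree, which is what the backend complained about. The following is an added example written for this thread (not code from the forum, from Fortinet, or from any poster); the realserver table and certificate names are constructed, and the wildcard rule applied is the RFC 6125 one (a wildcard matches exactly one left-most label), so the matching is a general check rather than a model of FortiOS internals.

```python
"""Offline checks for a Host-header-balanced HTTPS VIP (example code, not from
the forum thread or from Fortinet)."""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed stand-in for the VIP's realserver table: http-host -> backend.
REALSERVERS: Dict[str, Tuple[str, int]] = {
    "a.fqdn.com": ("10.0.0.1", 443),
    "b.fqdn.com": ("10.0.0.2", 443),
}


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive; a wildcard is allowed only as
    the whole left-most label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                # ".fqdn.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]         # whatever precedes the suffix
    return bool(left) and "." not in left


def uncovered_hosts(cert_names: Sequence[str], hosts: Sequence[str]) -> List[str]:
    """Return the hostnames that no CN/SAN entry of the certificate matches."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]


def check_vip_certificate(cert_names: Sequence[str]) -> List[str]:
    """Hosts from the realserver table that the single VIP certificate
    would NOT cover (an empty list means the wildcard/SAN advice is met)."""
    return uncovered_hosts(cert_names, list(REALSERVERS))


def select_replacement_cert(sni: Optional[str],
                            certs: Dict[str, Sequence[str]]) -> Optional[str]:
    """For a profile that carries several server certificates, pick the one
    whose names match the client's SNI; None if nothing matches."""
    if sni is None:
        return None
    for cert_id, names in certs.items():
        if any(name_matches(n, sni) for n in names):
            return cert_id
    return None


def route(sni: Optional[str], host_header: str):
    """Pick the backend the way a Host-header balancer does and report whether
    the client's SNI agrees with the Host header."""
    backend = REALSERVERS.get(host_header.lower())
    consistent = sni is not None and sni.lower() == host_header.lower()
    return backend, consistent


if __name__ == "__main__":
    print("uncovered by *.fqdn.com:", check_vip_certificate(["*.fqdn.com"]))
    print("uncovered by a.fqdn.com only:", check_vip_certificate(["a.fqdn.com"]))
    print("route:", route("a.fqdn.com", "a.fqdn.com"))
    print("mismatch:", route("a.fqdn.com", "b.fqdn.com"))
```

Running this with a certificate that names only "a.fqdn.com" lists "b.fqdn.com" as uncovered, and a request whose SNI is "a.fqdn.com" but whose Host header is "b.fqdn.com" is routed to 10.0.0.2 with the consistency flag cleared, which is exactly the condition the backend error message above reports.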
Hi!
Thanks a lot, that works. I have to use two internal IP addresses, but that's not the problem. The problem, only using one external address, was solved.
The SSL certificate was a wildcard cert, so this was fine.
I guess this is the only way to solve this (see the above post from @rosatechnocrat)? Are there any plans to implement SNI "fully"? Or is it a feature for which FortiWeb must be used?
Thanks again,
Sebastian
Is it possible to use this configuration always pointing to the same private IP,
and make the firewall work as a real reverse proxy,
without having to assign an IP for each third-level domain?
I don't think so, which is quite disappointing. Any basic reverse proxy can do this:
1. One public IP with many FQDNs, each with their own certificate →
2. Use SNI to send the correct certificate to the client. (FortiGate can do this, with cert replace) →
3. But then forward or even load balance traffic to whatever backend hosts you want based on the SNI information. FortiGate cannot do this, it seems (FortiWeb can). It can load balance traffic based on Host headers in one virtual server, but a virtual server can only have the one certificate.
Created on 10-11-2024 01:13 AM Edited on 10-11-2024 06:58 AM
Hi! I would like to know your opinion on the reverse proxy (I think) I have configured.
I want to use FortiGate as a reverse proxy to connect to internal servers. I've created 2 virtual servers, each of them with a different SSL offload mode and both with load balancing method HTTP host. I have published a public IP (in the example 1.1.1.1) with some public DNS records (test.testdomain.com and test2.testdomain.com).
If I connect to "https://test.testdomain.com or https://test2.testdomain.com" on the Internet using a browser it works fine; I connect to the final servers configured using their real private IP and private IP port. I have configured a certificate *testdomain.com on the virtual server.
After that, I've configured a policy, with the virtual server attached, deep inspection (https/ips) and the same certificate used in the virtual server.
The most important thing for me is that the TCP connection to the real server is not made by the end Internet user. That's a reverse proxy for me. I want the FortiGate to create one TCP connection with the end user and another TCP connection to the real server for security purposes.
client<-->TCP SESSION 1<-->Fortigate (Reverse proxy)<--> TCP SESSION 2<-->REAL SERVER.
Some servers need a connection to their HTTPS port and don't work with a plain connection. That is why I have configured 2 virtual servers:
Virtual server 1)-->SSL OFFLOAD MODE client<-->Fortigate. This one is used when the connection to the real servers is not to port 443.
Virtual server 2)-->SSL OFFLOAD MODE Full mode. This one is used when the connection to the real servers is to port 443.
Now my doubts:
1) In both cases, is the connection to the real server established from the FortiGate? I have doubts about "full mode". I don't want in any case direct connections from the Internet to my real servers (real servers are not in the DMZ).
2) Why is it necessary to configure the certificate on the virtual server if you configure it, too, in the policy?
Thanks for your help. I attach an image of one of the 2 virtual servers. In this case for plain connections (SSL offload, not full). Are the 2 cases a reverse proxy connection (not direct to the real servers from the Internet) or not?