Hey Guys,
So I've been told by Fortinet Support that http-location-conversion does not actually change the host header from http to https. I am about to blow my top. I've been working on this fix for a loooooong time and support is now trying to tell me that the following doesn't actually mean that the FGT is supposed to reply with https:
"Select to replace http with https in the reply's Location HTTP header field. For example, in the reply, Location: http://example.com/ would be converted to Location: https://example.com/ .
This option appears only if type is server-load-balance and server-type is https."
I just don't understand how they can do this. I'll post the end of the thread here because it just seems completely backwards. Especially the part about them telling me this would be a feature request. I'm still completely confused as to what they are saying http-location-conversion is supposed to do. Can anyone clear this up for me?
Also, if anyone can answer my question that is in bold (that has still not been answered by Fortinet Support) I would be forever in debt.
Support thread starts here.......
Thanks Nelson.
I tried the header check and got very inconsistent results. https:// requests failed on almost every request that I tried, including well known working sites.
I understand that you are saying that http-location-conversion doesn't do an http to https redirect. However, replying with https as the header will replace https in the browser and then the browser will request on port 443.
One question I desperately need answered:
How do I use any server/hardware/service behind the FGT to redirect to HTTPS when the FGT is providing the certificate and ONLY accepting traffic on port 443? As far as I can tell there is no way for traffic on port 80 to get past the FGT in order to allow me to use any other tool to redirect from port 80 (http) to port 443 (https).
Please, please, please, please answer that question because with that information I can troubleshoot and purchase something that will effectively do what we need.
I'm still very unsure that this "feature" doesn't already exist. If the FGT is acting as a load balancer with SSL offloading, then the real servers will never, ever, ever, handle anything on port 443 which is, in fact, https. Using the real servers on port 443 with their own certificate would completely disregard the need for SSL Offloading in general.
I would love for these above questions to be answered or at least addressed, but I understand that this is being regarded as a feature request. Fact is, the other users on the forum have stated that they have things working exactly as they should with the configuration we have been working on. This is why I don't believe that this feature doesn't already exist. I'd like to know what http-location-conversion is actually used for if it is not used to reply to the browser to use https instead of http.
Thanks again for sticking with me through all of this. However, I would really like it noted that I don't think things are working as the manual states they should. The "reply" is simply not working.
Nick.
2/17/2012 12:44:00 PM Nelson Paredes
Hi Nick,
I'm sorry for the late reply. I've been researching and trying to clarify what the setting is supposed to do. I've looked at our documentation and wanted to share the option to use WCCP to redirect traffic to a proxy (IIS server with proxy enabled). The only thing is that you need two FortiGates so that one works as the WCCP client and another one as the WCCP server while keeping your existing configuration for load balancing using the virtual IPs. The second KB article uses a squid proxy as an example. I've gone through our documentation in detail as there are no clear statements or procedures that could confirm that the FortiGate can do redirects from http to https using "set ssl-http-location-conversion". We have another device called FortiWeb that protects web servers and it does have the functionality to do http redirects, on the other hand.
I'd like to suggest looking at the following KB articles and tell me if this is something that would meet your requirements.
Sample configuration of FortiGate WCCP server and client (traffic redirector and transparent proxy)
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32926&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=29443176&stateId=0%200%2029441390
Configuring WCCP interception of HTTP traffic to a squid proxy using GRE tunneling (in your case you have IIS and it would require you to enable the proxy option)
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30096&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=29443202&stateId=0%200%2029441419
These two KB articles are some thoughts as an alternative solution. Please see below about the difference between location conversion and redirection:
This is what the CLI states:
ssl-http-location-conversion {enable | disable}
Select to replace http with https in the reply's Location HTTP header field. For example, in the reply, Location: http://example.com/ would be converted to Location: https://example.com/ . This option appears only if type is server-load-balance and server-type is https.
My understanding is that the http conversion parameter should change the location of the request to https and then the web server redirects from http to https. I've consulted with senior engineering about this feature and it's not supposed to redirect traffic but to replace the location. The documentation does not specify that the FortiGate will redirect http to https traffic.
This is what I would expect to happen when you do the request if a web server does the redirection:
1. The client types http://myportal.mcnallysmith.edu in the address bar
2. The browser assumes HTTP protocol and sends a GET call to http://myportal.mcnallysmith.edu
3. http://myportal.mcnallysmith.edu responds with a moved status code and gives the new location: ---> task performed by a web server in general
HTTP/1.1 301 Moved Permanently
Location: https://myportal.mcnallysmith.edu
4. The browser reads this location and knows that it must now start an SSL connection.
5. The browser and the server exchange multiple messages until the secure connection is established such as client hello, Server Hello, Change Cipher Spec, Encrypted Handshake Message TLSv1, etc.
If you install an SSL certificate you must make sure that your client is redirected from HTTP to HTTPS. That is accomplished from the server configuration. Normally from web servers such as:
IIS, Apache, SunOne, iPlanet, etc.
The functionality of the redirection can be noticed when sniffing the traffic to a secure site as you will see in a packet capture when looking at the http.request call. The location changes to https and it tells you the name of the application that did the redirect.
Example redirection:
GET / HTTP/1.1
Host: www.example.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/10.10 Chromium/13.0.782.112 Chrome/13.0.782.112 Safari/535.1
HTTP/1.1 301 Moved Permanently ----------> web server transparently responds with this message while doing the redirection
Server: Sun-ONE-Web-Server/6.1 ----------> web server that does the redirection from http to https
Date: Fri, 17 Feb 2012 18:51:21 GMT
Content-length: 0
Content-type: text/html
Location: https://example.com/ ----> you can see in this example that the location is replaced with the location as https.
Another example is online shopping websites: you can browse via http but as soon as you add an item to the shopping cart and do a checkout, you get redirected to an https URL and can see the server as Microsoft-IIS/6.0 as an example.
A financial institution as another example will redirect you from http to https as they install the SSL certificate on their web host. Let me know if this clarifies what the setting's function is expected to do. In regards to the SSL Offloading options, this is the expected functionality of the FortiGate: (The KB refers to client to FortiGate or ssl-mode = half and client -> FortiGate -> server or ssl-mode = full)
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=13652&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=29447316&stateId=0%200%2029445590
Regards,
Nelson
Fortinet TAC Americas
M-F 12-9pm EST
1-866-648-4638
https://support.fortinet.com
2/21/2012 7:14:00 AM Nick Kaihoi
Thanks Nelson,
Also, thanks for the detail; however, I still don't have my main question answered. How would I use IIS to redirect when the VIP only allows traffic on port 443?
If the VIP will not allow http traffic to get to IIS (or Apache) to redirect to https, I cannot use any of the solutions above. This is the problem: if I use SSL offloading, the external port on the VIP needs to be 443. This means port 80 traffic will never get to the IIS server to redirect because the VIP is not listening for it.
If there is no solution to this, please tell me. I will be posting this information to the forums for additional assistance because the users were able to get this working in the manner that I need.
Nick.
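As an added illustration (not part of the original thread and not Fortinet code), the distinction Nelson draws between converting a Location header and issuing a redirect, run over constructed HTTP replies; the host name is the one from the thread and the reply bytes are made up for the example:

```python
# Constructed example: what a "Location conversion" step does to a reply
# that passes through an SSL-offloading load balancer, versus the redirect
# a web server itself has to emit. Not FortiGate code; a plain simulation.

def convert_location(raw_reply: bytes) -> bytes:
    """Mimic ssl-http-location-conversion: if the reply already carries a
    Location header starting with http://, rewrite it to https://.
    A reply without a Location header passes through unchanged, so no
    redirect is ever created by this step."""
    head, sep, body = raw_reply.partition(b"\r\n\r\n")
    out = []
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            value = value.strip()
            if value.lower().startswith(b"http://"):
                value = b"https://" + value[len(b"http://"):]
            line = b"Location: " + value
        out.append(line)
    return b"\r\n".join(out) + sep + body


def server_redirect(host: str, path: str = "/") -> bytes:
    """The reply a web server (IIS, Apache, ...) must generate itself on a
    plain-HTTP request so that the browser switches to TLS; this is the step
    the conversion option does not perform."""
    return (
        f"HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: https://{host}{path}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


def location_of(raw_reply: bytes):
    """Return the Location header value of a reply, or None if absent."""
    head = raw_reply.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            return value.strip()
    return None


# Constructed replies from a real server that only ever sees plain HTTP
# behind the offloader, so its absolute URLs say http://.
REAL_SERVER_301 = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: http://myportal.mcnallysmith.edu/login\r\n"
                   b"Content-Length: 0\r\n\r\n")
REAL_SERVER_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
```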