I have multiple backend servers and services, all running on different servers, VLANs and services. At the moment HAProxy is used to proxy internal and external requests to those services. HAProxy also provides some load balancing where a hosted service is run across one or more servers.
I am trying to replace the HAProxy VMs with the built-in FortiGate LBs/reverse proxy service, but I'm struggling to get FortiGate to proxy the connection to my backend server(s).
The goal at the moment is to get a proof-of-concept running where internally I can do an HTTP request to a DNS entry and have the FortiGate proxy the request and send it to the backend server(s)/service(s). To do this on HAProxy, I would map the DNS entry to the IP address of the HAProxy server, make the HTTP request, and HAProxy would proxy the request to the correct backend by reading the `Host: api.example.local` header (remember I have multiple services).
In FortiGate I am trying to replicate this, and so I set up a Virtual Server:
I then create a proxy-based policy for the Virtual Server, and map `api.example.local` to the IP address of the FortiGate appliance (e.g. 172.16.0.1).
When I visit `https://api.example.local:44444`, however, I am getting `ERR_EMPTY_RESPONSE`. I try the same request proxied through HAProxy, and it works as designed.
I've tried this over and over multiple times, and the behaviour remains the same. I know the FortiGate appliance can reach the backend service because I've also tried setting up health checks, and they're all working as designed.
Can someone help walk me through how to configure what I'm trying to achieve? And, how to troubleshoot?
AFAIK this is not possible with FGT. You would need FortiADC or FortiWAF for this functionality. FGT does not route based on domain.
You can use the server load balancer in FGT, but you'd still need something on the backend to route based on host name, either your web server (e.g. Nginx) or HAProxy...
Wasn't this feature introduced in FortiGate 6.0.0?
Created on 10-31-2022 12:44 PM Edited on 10-31-2022 12:51 PM
OK, I think you meant to link this page? https://docs.fortinet.com/document/fortigate/6.0.0/handbook/824987/http-host-based-load-balancing
Does api.example.local point to the Virtual Server IP on your FortiGate? I'm not sure 0.0.0.0 will work...
Yes. That's the correct page.
DNS entry `api.example.local` points to the IP address I use to access the FortiGate dashboard (e.g. 172.16.0.1). Should I be using a Virtual IP?
When I used Virtual IPs in the past, it was to create a pinhole to HAProxy. In my current use case, I want to use FortiGate as the Load Balancer so it's not clear what sort of Virtual IP I should create, and what to put in the "Map to IPv4 address/range" (remembering, we want to eventually proxy multiple DNS entries/web services).
Created on 10-31-2022 02:21 PM Edited on 10-31-2022 02:21 PM
No need for a VIP here. So if 172.16.0.1 is your FortiGate LAN Interface IP, I suggest you use a new IP in that subnet for your Virtual Server IP Address (so you don't step on the FortiGate's web ports, etc). You can use any IP that's not currently in use or in an existing DHCP scope.
Hi Graham
I am new to Fortinet products, so I am sorry if I am misunderstanding the documentation, but I found the following article, which made me feel that the feature was available from FortiGate 6.0.0:
http://docs.fortinet.com/document/fortigate/6.0.0/handbook/824987/http-host-based-load-balancing
To be clear, I wanted to create on FortiGate the equivalent of an HAProxy `frontend` where using "HTTP host-based load balancing" I route a request to one or more real servers.
The goal is to replace HAProxy with the FortiGate appliance built-in load balancer.
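For readers following this thread, the configuration below is an added example (FortiOS CLI) and is not from any post above or from Fortinet's documentation. It shows the FortiGate equivalent of an HAProxy `frontend` that picks a backend on `hdr(host)`: a server-load-balance VIP with `ldb-method http-host`, one group of real servers for `api.example.local` and a second real server for a second hostname, plus the proxy-based policy that references the virtual server. All names and addresses are assumptions: `port1` is the LAN interface holding 172.16.0.1, 172.16.0.10 is an unused address in that subnet chosen for the virtual server (per the advice above not to reuse the FortiGate's own interface IP), `port2` faces the backend VLANs, 10.10.20.11/.12 and 10.10.30.21 are the backends, and `api-example-local-cert` is a certificate already imported on the FortiGate. Lines beginning with `#` are annotations, not CLI; strip them before pasting.

```text
# Added example, not from the thread. Assumed: port1 = LAN (172.16.0.1/24),
# 172.16.0.10 = free IP for the virtual server, port2 = backend-facing interface,
# 10.10.20.11/.12 = api.example.local pool, 10.10.30.21 = portal.example.local.

config firewall vip
    edit "vs-web-internal"
        set type server-load-balance
        # HTTPS listener: the FortiGate must terminate TLS to read the Host header.
        # For a plain-HTTP proof of concept use "set server-type http" and drop ssl-*.
        set server-type https
        set ssl-mode half
        # Assumed certificate name (must already exist on the FortiGate)
        set ssl-certificate "api-example-local-cert"
        set extintf "port1"
        set extip 172.16.0.10
        set extport 44444
        # Select the real server by the HTTP Host header
        set ldb-method http-host
        config realservers
            # Real servers sharing one http-host are load balanced for that host
            edit 1
                set ip 10.10.20.11
                set port 8080
                set http-host "api.example.local"
            next
            edit 2
                set ip 10.10.20.12
                set port 8080
                set http-host "api.example.local"
            next
            # A different Host header selects a different backend (HAProxy use_backend)
            edit 3
                set ip 10.10.30.21
                set port 8080
                set http-host "portal.example.local"
            next
        end
    next
end

config firewall policy
    edit 0
        set name "lan-to-vs-web-internal"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        # The virtual server object is the destination, not the real servers
        set dstaddr "vs-web-internal"
        set action accept
        set schedule "always"
        set service "ALL"
        # Server load balancing is proxy-based (per-policy setting on 6.2+;
        # on 6.0 the VDOM inspection mode itself has to be proxy)
        set inspection-mode proxy
    next
end
```

Both DNS names (`api.example.local`, `portal.example.local`) then point at 172.16.0.10, and the client connects to `https://api.example.local:44444`. Two caveats when testing: a browser that speaks TLS to a listener configured as `server-type http` will never get an HTTP reply, so either test a plain-HTTP listener with `http://` or terminate TLS on the FortiGate as above; and a request whose Host header matches no real server's `http-host` is not forwarded. To confirm the FortiGate is actually receiving the traffic, `diagnose sniffer packet port1 'host 172.16.0.10 and port 44444' 4` on the CLI shows the client connections arriving at the virtual server address.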