Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
timothyd
New Contributor II

Problems trying to use FortiGate as a reverse proxy

I have multiple backend servers and services, all running on different servers, VLANs and services. At the moment HAProxy is used to proxy internal and external requests to those services. HAProxy also provides some load balancing where a hosted service is run across one or more servers.

 

I am trying to replace the HAProxy VMs with the built-in FortiGate LBs/reverse proxy service, but I'm struggling to get FortiGate to proxy the connection to my backend server(s).

 

The goal at the moment is to get a proof-of-concept running where internally I can do an HTTP request to a DNS entry and have the FortiGate proxy the request and send it to the backend server(s)/service(s). To do this on HAProxy, I would map the DNS entry to the IP address of the HAProxy server, make the HTTP request and HAProxy would proxy the request to the correct backend by reading the `Host: api.example.local` header (remember I have multiple services).

 

In FortiGate I am trying to replicate this, and so I set up a Virtual Server:

  • Type: HTTPS
  • Interface: LAN
  • Virtual service IP: 0.0.0.0
  • Virtual service port: 44444
  • Load balancing method: HTTP Host
  • Real servers:
    • IPv4 address: 172.16.0.10
    • Port: 443
    • Max connections: 0
    • HTTP host: api.example.local
    • Mode: Active

I then create a proxy-based policy for the Virtual server. And map `api.example.local` to the IP address of the FortiGate appliance (e.g. 172.16.0.1).

 

When I visit `https://api.example.local:44444`, however, I am getting `ERR_EMPTY_RESPONSE`. I try the same request proxied through HAProxy, and it works as designed.

 

I've tried this over and over multiple times, and the behaviour remains the same. I know the FortiGate appliance can reach the backend service because I've also tried setting up HealthChecks and they're all working as designed.

 

Can someone help walk me through how to configure what I'm trying to achieve? And, how to troubleshoot?

Timothy
6 replies
gfleming
Staff

AFAIK this is not possible with FGT. You would need FortiADC or FortiWAF for this functionality. FGT does not route based on domain.

 

You can use the server load balancer in FGT but you'd still need something on the backend to route based on host name, either your web server (i.e. Nginx) or HAProxy...

Cheers,
Graham
timothyd
New Contributor II

Timothy
gfleming

OK, I think you meant to link this page? https://docs.fortinet.com/document/fortigate/6.0.0/handbook/824987/http-host-based-load-balancing

 

Does api.example.local point to the Virtual Server IP on your FortiGate? I'm not sure 0.0.0.0 will work...

Cheers,
Graham
timothyd
New Contributor II

Yes. That's the correct page.

 

DNS entry `api.example.local` points to the IP address I use to access the FortiGate dashboard (e.g. 172.16.0.1). Should I be using a Virtual IP?

 

When I used Virtual IPs in the past, it was to create a pinhole to HAProxy. In my current use case, I want to use FortiGate as the Load Balancer so it's not clear what sort of Virtual IP I should create, and what to put in the "Map to IPv4 address/range" (remembering, we want to eventually proxy multiple DNS entries/web services).

 

Timothy
gfleming

No need for a VIP here. So if 172.16.0.1 is your FortiGate LAN Interface IP, I suggest you use a new IP in that subnet for your Virtual Server IP Address (so you don't step on the FortiGate's web ports, etc). You can use any IP that's not currently in use or in an existing DHCP scope.

Cheers,
Graham
timothyd
New Contributor II

Hi Graham

 

I am new to Fortinet products, so I am sorry if I am misunderstanding the documentation, but I found the following article, which made me feel that the feature was available from FortiGate 6.0.0:

 

http://docs.fortinet.com/document/fortigate/6.0.0/handbook/824987/http-host-based-load-balancing

 

To be clear, I wanted to create on FortiGate the equivalent of an HAProxy `frontend` where using "HTTP host-based load balancing" I route a request to one or more real servers.

 

The goal is to replace HAProxy with the FortiGate appliance built-in load balancer. 

 

 

Timothy
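Pulling together the virtual server from the original post, Graham's advice to give the virtual server its own unused LAN IP instead of the FortiGate's interface IP, and the troubleshooting question, here is the same setup expressed as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet. The object names ("api-vs", "to-api-vs"), the spare IP 172.16.0.2, the interface names "lan" and "vlan10", and the certificate name are assumptions; substitute your own.

```fortios
# Added example, not from the thread: FortiOS CLI for an HTTPS virtual
# server that picks the real server from the HTTP Host header.
# Assumed values: "api-vs", 172.16.0.2 (spare LAN IP), "lan", "vlan10",
# "Fortinet_Factory" (any certificate already on the FortiGate works).
config firewall vip
    edit "api-vs"
        set type server-load-balance
        # HTTPS virtual server: the FortiGate terminates TLS from the client,
        # which is what lets it read the Host header at all
        set server-type https
        # choose the real server whose http-host matches the request
        set ldb-method http-host
        # dedicated, unused LAN IP, not the interface IP that serves the GUI
        set extip 172.16.0.2
        set extintf "lan"
        set extport 44444
        set ssl-certificate "Fortinet_Factory"
        # re-encrypt towards the real server on 443 ("half" would send
        # plain HTTP to port 443 and the backend would drop it)
        set ssl-mode full
        config realservers
            edit 1
                set ip 172.16.0.10
                set port 443
                set http-host "api.example.local"
            next
            # each further service is another real server with its own
            # http-host behind the same virtual server IP and port
        end
    next
end

# Policy allowing clients on "lan" to reach the virtual server; dstintf is
# the interface that reaches 172.16.0.10 (assumed to be "vlan10").
config firewall policy
    edit 0
        set name "to-api-vs"
        set srcintf "lan"
        set dstintf "vlan10"
        set srcaddr "all"
        set dstaddr "api-vs"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Troubleshooting: first confirm the client actually reaches the virtual
# server IP on 44444, then confirm the FortiGate opens a connection to the
# real server on 443. Seeing the first but not the second points at the
# VIP or policy; seeing neither means DNS still resolves elsewhere.
diagnose sniffer packet any 'host 172.16.0.2 and port 44444' 4 20
diagnose sniffer packet any 'host 172.16.0.10 and port 443' 4 20
```

Point `api.example.local` at 172.16.0.2 rather than at the interface IP, then test from a client. One check worth doing with a non-default port: an HTTP/1.1 client sends `Host: api.example.local:44444` when the port is not 443, so if the match fails, retest with a request whose Host header carries only the bare name (for example curl with an explicit `-H 'Host: api.example.local'`) to separate a Host-matching problem from a policy or TLS problem.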