Hi,
For now I just need to make sure the following scenario is completely feasible through a Fortigate with FortiOS version 7.0.X with no FortiWeb, other services like TMG, Nginx Reverse Proxy, etc. And if yes, a few general guides to accomplish it.
There is an internal HTTP published site. Internet (external) users are accessing it, and the web server cannot service HTTPS requests because of some limitations. So, to make it a little more secure, we're going to:
1- Receive HTTP requests from the external clients and redirect it to HTTPS. (Return the request to the originating client and ask to use HTTPS instead)
2- Get an SSL certificate from a third party with the internal site name on it and install it on the Fortigate so the connection from external client is established to the device by HTTPS with no error or warning.
3- Send the HTTPS received request downside to the internal server using HTTP, getting the answer and return it to the outside client on HTTPS.
Is that all possible without a device such as FortiWeb? Any better idea or consideration maybe?
Regards,
Yes this is possible. You want to use a Virtual Server object for this.
And when you are configuring SSL Offloading make sure you just select "Client<->Fortigate" and not "Full" since the downstream connection won't be SSL enabled:
Thanks Graham,
But please assure me that the first part (redirecting the outside client's HTTP request to HTTPS) is also feasible, because I think the document you shared is about SSL offloading (i.e. processing SSL (HTTPS connections) on the firewall itself and sending them downstream to HTTP servers).
Regards,
That would have to be taken care of by your web server. I'm fairly certain the FortiGate does not have the capability to do the HTTP->HTTPS redirect for downstream servers.
I need HTTP to HTTPS redirect for outside clients
and
HTTPS --> HTTP from firewall to downstream servers
Still sure that these cannot be achieved by Fortigate?
Regards,
Yes, you can do this all natively on the FGT. I just found this doc:
Seems there are different opinions in this regard,
I will check it and post my experience and results here.
What are the different opinions?
I have posted documentation outlining how this is done. It's not really an "opinion".