Hi!
I’ve got two webservers behind a FG-200D serving lots of subdomains/vhosts of the same second-level-domain. For both webservers I have a dedicated external IP that I NAT 1:1 to the internal IP of the corresponding webserver. (no load balancing)
Currently I only offer the pages in http but would like to offer https too, by offloading SSL with the fortigate. I want to install a wildcard certificate for this on the fortigate. I don’t want the fortigate to cache any requests, neither http nor https. (That’s because the content is very dynamic - not just php, but also jpgs of webcams which expire very fast - and because I need to be able to still count all traffic with the webservers.) I also don’t want to do any load balancing, as each webserver is only responsible for its own subdomains/vhosts.
Is this a possible scenario? All configuration examples I found just have one webserver and also do webcaching.
Thanks!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
this should be quite simple and possible, which examples have you found so far? i can point out what you need to skip.
thanks for your reply!
This is, what I copied from examples:
config wanopt ssl-server edit "webserver" set ip 192.168.1.123 set port 443 set ssl-mode half set mapped-port 80 set ssl-cert "mydomain.com" next end
(I added mapped-port, which I did not found in any example, because the system compains, that it can't be 0 after typing "end")
Now I'm not sure how to tell the policy that matches the incoming https traffic to apply the offloading. This is, what I've tried:
config firewall policy edit 17 set uuid xxxx set srcintf "wan1" set dstintf "lan" set srcaddr "all" set dstaddr "webserver_extern" set action accept set schedule "always" set service "HTTPS" set utm-status enable set wanopt enable set ips-sensor "webserver_linux" set application-list "default" set profile-protocol-options "default" set wanopt-profile "default" next end
config wanopt profile edit "default" set comments "Default WANopt profile." config http set status enable set ssl enable end next end
I can see at the packet counter, that at least the rule matches incoming https, but it doesn't seem to "convert" the https to the http server.
you can use Fortigate load balance to do ssl offloading only on client and Fortigate side.
Client <---------------> FortiGate <-------------->Server
ssl offloading clear text
Here is the sample config for half mode SSL offloading
config firewall vip
edit Vserver-ssl-offload
set type server-load-balance
set server-type https
set ldb-method round-robin
set extip 172.20.120.30
set extintf wan1
set extport 443
set persistence ssl-session-id
set ssl-mode half
set ssl-certificate my-cert
set monitor tcp-mon-1
config realservers
edit 1
set ip 10.31.101.30
set port 443
next
edit 2
set ip 10.31.101.40
set port 443
end
end
more detail info can be found at http://docs.fortinet.com/...igate-load-balancing-2
thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1734 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.