SSL offloading without caching?
Hi!
I’ve got two webservers behind a FG-200D serving lots of subdomains/vhosts of the same second-level-domain. For both webservers I have a dedicated external IP that I NAT 1:1 to the internal IP of the corresponding webserver. (no load balancing)
Currently I only offer the pages in http but would like to offer https too, by offloading SSL with the fortigate. I want to install a wildcard certificate for this on the fortigate. I don’t want the fortigate to cache any requests, neither http nor https. (That’s because the content is very dynamic - not just php, but also jpgs of webcams which expire very fast - and because I need to be able to still count all traffic with the webservers.) I also don’t want to do any load balancing, as each webserver is only responsible for its own subdomains/vhosts.
Is this a possible scenario? All configuration examples I found just have one webserver and also do webcaching.
Thanks!
This should be quite simple and possible. Which examples have you found so far? I can point out what you need to skip.
Thanks for your reply!
This is what I copied from examples:
config wanopt ssl-server
    edit "webserver"
        set ip 192.168.1.123
        set port 443
        set ssl-mode half
        set mapped-port 80
        set ssl-cert "mydomain.com"
    next
end
(I added mapped-port, which I did not find in any example, because the system complains that it can't be 0 after typing "end".)
Now I'm not sure how to tell the policy that matches the incoming https traffic to apply the offloading. This is what I've tried:
config firewall policy
    edit 17
        set uuid xxxx
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "webserver_extern"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set wanopt enable
        set ips-sensor "webserver_linux"
        set application-list "default"
        set profile-protocol-options "default"
        set wanopt-profile "default"
    next
end
config wanopt profile
    edit "default"
        set comments "Default WANopt profile."
        config http
            set status enable
            set ssl enable
        end
    next
end
I can see from the packet counter that at least the rule matches incoming https, but it doesn't seem to "convert" the https to the http server.
You can use FortiGate load balancing to do SSL offloading only on the client and FortiGate side.
Client <---------------> FortiGate <--------------> Server
        SSL offloading              clear text
Here is the sample config for half-mode SSL offloading:
config firewall vip
    edit Vserver-ssl-offload
        set type server-load-balance
        set server-type https
        set ldb-method round-robin
        set extip 172.20.120.30
        set extintf wan1
        set extport 443
        set persistence ssl-session-id
        # half: TLS is terminated on the FortiGate, clear text to the real servers
        set ssl-mode half
        set ssl-certificate my-cert
        set monitor tcp-mon-1
        config realservers
            edit 1
                set ip 10.31.101.30
                set port 443
            next
            edit 2
                set ip 10.31.101.40
                set port 443
            next
        end
    next
end
More detailed info can be found at http://docs.fortinet.com/...igate-load-balancing-2
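The VIP approach above, adapted to the original poster's setup (one VIP per external IP, a single real server, clear text to the server's HTTP port), as an added example that is not from the thread or from Fortinet: a small Python linter that parses the FortiOS config/edit/set/next/end nesting and flags the settings that matter here. The sample config, VIP name, certificate name and addresses are constructed.

```python
import shlex
# Constructed sample: one VIP per external IP with a single real server (no
# load balancing), TLS ends on the FortiGate, clear-text HTTP goes to the server.
SAMPLE_CONFIG = """
config firewall vip
    edit "web1-ssl-offload"
        set type server-load-balance
        set server-type https
        set extport 443
        set ssl-mode half
        set ssl-certificate "wildcard-mydomain"
        config realservers
            edit 1
                set ip 192.168.1.123
                set port 80
            next
        end
    next
end
"""

def parse_fortios(text):
    """Nested dicts: {'firewall vip': {'web1-ssl-offload': {'ssl-mode': 'half', 'realservers': {'1': {...}}}}}."""
    root = {}
    stack = [("config", root)]  # (kind, node): 'next' closes an edit, 'end' unwinds to the enclosing config
    for words in filter(None, map(shlex.split, text.splitlines())):  # skip blank lines
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):
            stack.append((cmd, stack[-1][1].setdefault(" ".join(args), {})))
        elif cmd == "set":
            stack[-1][1][args[0]] = " ".join(args[1:])
        elif cmd == "next":
            stack.pop()
        elif cmd == "end":
            while stack.pop()[0] != "config":
                pass
    return root

def check_offload_vip(vip):
    """Problems with one VIP entry for SSL offload; an empty list means it looks right."""
    problems = []
    if vip.get("server-type") != "https" or vip.get("ssl-mode") not in ("half", "full") or not vip.get("ssl-certificate"):
        problems.append("need server-type https, ssl-mode half or full, and an ssl-certificate")
    servers = vip.get("realservers", {})
    if len(servers) != 1:
        problems.append(f"{len(servers)} real servers: use one per VIP to avoid load balancing")
    for name, rs in servers.items():
        if vip.get("ssl-mode") == "half" and rs.get("port") == "443":
            problems.append(f"realserver {name}: half mode sends clear text, so port 443 must serve plain HTTP")
    return problems
```

Run it against a copy of your own `config firewall vip` output to see which entries would load-balance or send clear text to an HTTPS port.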
Thanks
