Problems trying to use FortiGate as a reverse proxy
I have multiple backend servers and services, all running on different servers, VLANs and services. At the moment HAProxy is used to proxy internal and external requests to those services. HAProxy also provides some load balancing where a hosted service is run across one or more servers.
I am trying to replace the HAProxy VMs with the built-in FortiGate LBs/reverse proxy service, but I'm struggling to get FortiGate to proxy the connection to my backend server(s).
The goal at the moment is to get a proof-of-concept running where internally I can do an HTTP request to a DNS entry and have the FortiGate proxy the request and send it to the backend server(s)/service(s). To do this on HAProxy, I would map the DNS entry to the IP address of the HAProxy server, make the HTTP request and HAProxy would proxy the request to the correct backend by reading the `Host: api.example.local` header (remember I have multiple services).
In FortiGate I am trying to replicate this, and so I set up a Virtual Server:
Virtual service IP: 0.0.0.0
Virtual service port: 44444
Load balancing method: HTTP Host
IPv4 address: 172.16.0.10
Max connections: 0
HTTP host: api.example.local
I then create a proxy-based policy for the Virtual server. And map `api.example.local` to the IP address of the FortiGate appliance (e.g. 172.16.0.1).
When I visit `https://api.example.local:44444`, however, I am getting `ERR_EMPTY_RESPONSE`. I try the same request proxied through HAProxy, and it works as designed.
I've tried this over and over multiple times, and the behaviour remains the same. I know the FortiGate appliance can reach the backend service because I've also tried setting up health checks and they're all working as designed.
Can someone help walk me through how to configure what I'm trying to achieve? And, how to troubleshoot?
DNS entry `api.example.local` points to the IP address I use to access the FortiGate dashboard (e.g. 172.16.0.1). Should I be using a Virtual IP?
When I used Virtual IPs in the past, it was to create a pinhole to HAProxy. In my current use case, I want to use FortiGate as the Load Balancer so it's not clear what sort of Virtual IP I should create, and what to put in the "Map to IPv4 address/range" (remembering, we want to eventually proxy multiple DNS entries/web services).
No need for a VIP here. So if 172.16.0.1 is your FortiGate LAN Interface IP, I suggest you use a new IP in that subnet for your Virtual Server IP Address (so you don't step on the FortiGate's web ports, etc). You can use any IP that's not currently in use or in an existing DHCP scope.
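A loopback probe for the "how to troubleshoot?" part of the question, added here as an example and not taken from the thread or from Fortinet. It sends a plain-HTTP request with a chosen Host header to an IP and port and reports either the status code or "empty" (the peer closed without a byte, which a browser surfaces as ERR_EMPTY_RESPONSE), so pointed at the virtual server address and port 44444 with Host api.example.local it separates "the listener answers but the host match fails" from "the listener produces no response at all". The backend and the silently closing listener in the block are constructed stand-ins so it runs offline; it speaks plain HTTP only, so use it against a plain-HTTP listener or as a first check before TLS is involved.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_HOST = "api.example.local"  # Host header the virtual server matches on

def probe(ip, port, host_header, timeout=3.0):
    """Plain-HTTP/1.1 GET with this Host header -> status code, or "empty" if no byte came back."""
    request = f"GET / HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(request)
            while data := sock.recv(4096):  # read until the peer closes
                chunks.append(data)
    except (ConnectionResetError, BrokenPipeError):
        pass  # reset after our request: still no response was produced
    if not chunks:
        return "empty"
    return int(b"".join(chunks).split()[1])  # b"HTTP/1.0 200 OK ..." -> 200

class _HostAwareBackend(BaseHTTPRequestHandler):
    # Constructed backend stand-in: 200 for the expected Host header, 404 otherwise.
    def do_GET(self):
        matched = self.headers.get("Host", "").split(":")[0] == EXPECTED_HOST
        body = b"ok" if matched else b"unknown host"
        self.send_response(200 if matched else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def _closing_listener():
    # Constructed stand-in for a listener that accepts and then closes without replying.
    srv = socket.create_server(("127.0.0.1", 0))
    def accept_and_drop():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    threading.Thread(target=accept_and_drop, daemon=True).start()
    return srv.getsockname()[1]

def run_local_demo():
    httpd = HTTPServer(("127.0.0.1", 0), _HostAwareBackend)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    results = {"matching_host": probe("127.0.0.1", httpd.server_port, EXPECTED_HOST),
               "wrong_host": probe("127.0.0.1", httpd.server_port, "other.example.local"),
               "silent_close": probe("127.0.0.1", _closing_listener(), EXPECTED_HOST)}
    httpd.shutdown()
    return results
```

Against a real virtual server, call `probe("<virtual server IP>", 44444, "api.example.local")` directly; `run_local_demo()` only exercises the constructed stand-ins.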