Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhdganji
Contributor II

Redirect HTTP to HTTPS and publish an HTTP site

Hi,

For now I just need to make sure the following scenario is completely feasible through a Fortigate with FortiOS version 7.0.X with no FortiWeb, other services like TMG, Nginx Reverse Proxy, etc. And if yes, a few general guides to accomplish it.

 

There is an internal HTTP published site. Internet (external users) are accessing it and the web server cannot service HTTPS requests because of some limitations. So, to make it a little more secure, We're going to:

 

1- Receive HTTP requests from the external clients and redirect it to HTTPS. (Return the request to the originating client and ask to use HTTPS instead)

 

2- Get an SSL certificate from a third party with the internal site name on it and install it on the Fortigate so the connection from external client is established to the device by HTTPS with no error or warning.

 

3- Send the HTTPS received request downside to the internal server using HTTP, getting the answer and return it to the outside client on HTTPS.

 

Is that all possible without a device such as FortiWeb? Any better idea or consideration maybe?

 

Regards,

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
7 REPLIES 7
gfleming
Staff
Staff

Yes this is possible. You want to use a Virtual Server object for this.

 

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/713497/virtual-server-load-b...

 

And when you are configuring SSL Offloading make sure you just select "Client<->Fortigate" and not "Full" since the downstream connection won't be SSL enabled:

 

Screenshot 2023-03-23 at 15.08.56.png

 

 

Cheers,
Graham
mhdganji

Thanks Graham,

 

But please make me sure that the first part (Redirect outside client HTTP request to HTTPS is also feasible cause I think the document you shared is about the SSL offloading (i.e. Process SSL (HTTPS connections) on the firewall itself and send them downstream to HTTP servers)

 

Regards,

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
gfleming

That would have to be taken care of by your web server. I'm fairly certain the FortiGate does not have the capability to do the HTTP->HTTPS redirect for downstream servers.

Cheers,
Graham
mhdganji

I need HTTP to HTTPS redirect for outside clients

and

HTTPS --> HTTP from firewall to downstream servers

 

Still sure that these cannot be achieved by  Fortigate?

 

Regards,

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
gfleming

yes you can do this all natively on the FGT i just found this doc:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Convert-HTTP-client-request-to-HTTPS/ta-p/...

Cheers,
Graham
mhdganji
Contributor II

Seems there are different opinions in this regard,

I will check it and post my experience and results here.

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
gfleming

What are the different opinions?

 

I have posted documentation outlining how this is done. It's not really an "opinion".

Cheers,
Graham
Labels
Top Kudoed Authors