Configuring content rewriting
You can create rules to rewrite the following HTTP header fields:
The Host, Referer, and Location header fields include domain names. For example, the Host field in an HTTP header has the following form:
Host: www.example.com
You might rewrite the HTTP headers for various reasons, including the following:
• Redirect HTTP to HTTPS—You can use the content rewriting feature to send redirects when the requested resource requires a secure connection. For example, create a rule that matches the string http://example.com/resource in the HTTP request URL with an action to send a redirect that has the secure URL in the Location header: https://example.com/resource.
• External-to-internal URL translation—It is standard for web servers to have external and internal domain names. You can use content-based routing to forward HTTP requests for example.com to a server pool that includes server1.example.com, server2.example.com, and server3.example.com. When you use content routing like this, you should also rewrite the Location header in the HTTP response so that the client receives a response with example.com in the header and not the internal domain server1.example.com. Create a rule that matches the regular expression server.*\.example\.com in the Location header of the HTTP response with an action to rewrite the Location header with the public URL http://example.com.
• Other security reasons—Another use case for external-to-internal URL translation involves masking pathnames that give attackers information about your web applications. For example, the unmasked URL for a blog might be http://www.example.com/wordpress/?feed=rss2, which exposes that the blog is a WordPress application. In this case, you want to publish an external URL that gives no clues about the underlying technology. For example, in your web pages, you link to http://www.example.com/resource2. On FortiADC, you create a rule that matches traffic that has http://www.example.com/resource2 in the HTTP request URL with an action to rewrite the URL in the host header to the internal URL http://www.example.com/wordpress/?feed=rss2. For the return traffic, you create another rule that matches the string http://www.example.com/wordpress/?feed=rss2 in the Location header of the HTTP response with an action to rewrite the Location header with the public URL http://www.example.com/resource2.
Before you begin:
• You must have Read-Write permission for Load Balance settings.
After you have configured a content rewriting rule, you can select it in the virtual server configuration.
Note: You can select multiple content rewriting rules in the virtual server configuration. Rules you add to that configuration are consulted from top to bottom. The first to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten.
To configure a content rewriting rule:
1. Go to Server Load Balance > Virtual Server.
2. Click the Content Rewriting tab.
3. Click Add to display the configuration editor.
4. Complete the configuration as described in Table 10.
5. Save the configuration.
Table 10: Content rewriting rule guidelines
Settings | Guidelines |
Name | Unique name. No spaces or special characters. After you initially save the configuration, you cannot edit the name. |
Action Type | Select whether to rewrite the HTTP request or HTTP response. |
HTTP Request Rewrite Actions |
Rewrite HTTP Header | • Host—Rewrites the Host header by replacing the hostname with the string you specify. • URL—Rewrites the Host header by replacing the whole URL with the string you specify. • Referer—Rewrites the Referer header with the URL you specify. Follow the form in the following examples to specify an HTTP Host header string: • Absolute URL — https://example.com/content/index.html • Relative URL — content/index.html Use the format for an absolute URL to specify an HTTP Referer header string. |
Redirect | Sends a redirect with the URL you specify in the HTTP Location header field. Use the format for an absolute URL to specify an HTTP Location header string. |
Send 403 forbidden | Sends a 403 Forbidden response instead of forwarding the request. |
HTTP Response Rewrite Actions |
Rewrite HTTP Location | Rewrites the Location header field with the absolute or relative URL you specify. Use the format for an absolute URL to specify an HTTP Location header string. |
Match Condition |
Object | Select content matching conditions based on the following parameters: • HTTP Host Header • HTTP Location Header • HTTP Referer Header • HTTP Request URL • Source IP Address Note: When you add multiple conditions, FortiADC joins them with an AND operator. For example, if you specify both an HTTP Host Header and an HTTP Request URL to match, the rule is a match only for traffic that meets both conditions. |
Type | • String • Regular Expression |
Content | Specify the string or regular expression syntax. |
Reverse | Rule matches if traffic does not match the expression. |
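
The rule evaluation described in the note above and in the Match Condition rows (rules consulted top to bottom, first match applied, conditions joined with AND, Reverse), modelled as an added example; it is not FortiADC code or configuration. Assumptions: String is treated as a substring match and Regular Expression as an unanchored search, and the class names, action labels, the /admin path and the 10. source prefix are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Condition:
    obj: str               # message field: host, location, referer, url, source_ip
    kind: str              # "string" or "regex" (the table's Type setting)
    content: str
    reverse: bool = False  # the table's Reverse setting

    def matches(self, msg):
        value = msg.get(self.obj, "")
        if self.kind == "regex":
            hit = re.search(self.content, value) is not None  # assumed: unanchored search
        else:
            hit = self.content in value                       # assumed: substring match
        return hit != self.reverse

@dataclass
class Rule:
    name: str
    conditions: list
    action: str            # rewrite_location or send_403 (labels used by this model)
    value: str = ""

def first_match(rules, msg):
    """Consult rules top to bottom; every condition in a rule must hold (AND)."""
    for rule in rules:
        if all(c.matches(msg) for c in rule.conditions):
            return rule
    return None            # no match: the header is not rewritten

def rewrite_location(rules, response):
    rule = first_match(rules, response)
    if rule is not None and rule.action == "rewrite_location":
        return {**response, "location": rule.value}
    return response

# Constructed rule sets using the page's example URLs and regular expression.
RESPONSE_RULES = [
    Rule("mask_blog", [Condition("location", "string",
         "http://www.example.com/wordpress/?feed=rss2")],
         "rewrite_location", "http://www.example.com/resource2"),
    Rule("hide_pool", [Condition("location", "regex", r"server.*\.example\.com")],
         "rewrite_location", "http://example.com"),
]
# Constructed: send 403 for /admin unless the source address starts with 10.
REQUEST_RULES = [
    Rule("admin_internal_only", [Condition("url", "string", "/admin"),
         Condition("source_ip", "regex", r"^10\.", reverse=True)], "send_403"),
]
```

Under the unanchored-search assumption, the page's pattern server.*\.example\.com also matches a Location such as http://fileserver.example.com/, so check a pattern against every hostname that shares the suffix before deploying it.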