config load-balance content-rewriting
Use this command to configure content rewriting rules.
You might rewrite the HTTP headers for various reasons, including the following:
Redirect HTTP to HTTPS—You can use the content rewriting feature to send redirects when the requested resource requires a secure connection. For example, create a rule that matches requests to http://example.com/resource with an action to send a redirect that has the secure URL in the Location header: https://example.com/resource.
External-to-internal URL translation—It is standard for web servers to have external and internal domain names. You can use content-based routing to forward HTTP requests to example.com to a server pool that includes server1.example.com, server2.example.com, and server3.example.com. When you use content routing like this, you should also rewrite the Location header in the HTTP response so that the client receives a response with example.com in the header and not the internal domain server1.example.com. Create a rule that matches the regular expression server.*\.example\.com in the Location header of the HTTP response with an action to rewrite the Location header with the public URL http://example.com.
Other security reasons—Another use case for external-to-internal URL translation involves masking pathnames that give attackers information about your web applications. For example, the unmasked URL for a blog might be http://www.example.com/wordpress/?feed=rss2, which exposes that the blog is a WordPress application. In this case, you want to publish an external URL that gives no clues about the underlying technology. For example, in your web pages, you create links to http://www.example.com/blog. On FortiADC, you create a rule that matches requests to http://www.example.com/resource2 with an action to rewrite the URL to the internal URL http://www.example.com/wordpress/?feed=rss2. For the return traffic, you create another rule that matches http://www.example.com/wordpress/?feed=rss2 in the Location header of the HTTP response with an action to rewrite it with the public URL http://www.example.com/blog.
Table 7 summarizes the HTTP header fields that can be rewritten.
Table 7: HTTP header rewriting
Direction
HTTP Header
HTTP Request
Host
HTTP Redirect
HTTP Response
The first line of an HTTP request includes the HTTP method, relative URL, and HTTP version. The next lines are headers that communicate additional information. The following example shows the HTTP request for the URL http://www.example.com/index.html:
GET /index.html HTTP/1.1
Host: www.example.com
Referer: http://www.google.com
The following is an example of an HTTP redirect including the HTTP Location header:
HTTP/1.1 302 Found
Location: http://www.iana.org/domains/example/
You can use literal strings or regular expressions to match traffic to rules. To match a request URL such as http://www.example.com/index, you create two match conditions: one for the Host header www.example.com and another for the relative URL that is in the GET line: /index.html.
For HTTP redirect rules, you can specify the rewritten location as a literal string or as a regular expression. For all other types of rules, you must specify the complete URL as a literal string.
Before you begin:
You must have a good understanding of HTTP header fields.
You must have a good understanding of Perl-compatible regular expressions (PCRE) if you want to use them in rule matching or rewriting.
You must have read-write permission for load balancing settings.
After you have configured a content rewriting rule, you can select it in the virtual server configuration.
Note: You can select multiple content rewriting rules in the virtual server configuration. Rules you add to that configuration are consulted from top to bottom. The first to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten.
Syntax
config load-balance content-rewriting
edit <name>
set action-type {request|response}
set action {redirect | rewrite_http_header | rewrite_http_location | send-403-forbidden}
set redirect <string>
set host-status {enable|disable}
set host <string>
set referer-status {enable|disable}
set referer <string>
set url-status {enable|disable}
set url <string>
set location <string>
set comments <string>
config match-condition
edit <No.>
set content <string>
set object {http-host-header | http-location-header | http-referer-header | http-request-url | ip-source-address}
set reverse {enable|disable}
set type {string | regular-expression}
next
end
next
end
action-type
Specify whether to rewrite the HTTP request or HTTP response.
action
If you configure a rule based on the HTTP request, you can specify the following actions:
rewrite_http_header
redirect
send-403-forbidden
If you configure a rule based on the HTTP response, you can specify the following action:
rewrite_http_location
redirect
Sends a redirect with the URL you specify in the HTTP Location header field.
For Redirect rules, specify an absolute URL. For example: https://example.com/content/index.html
Note: The rewrite string can be a literal string or a regular expression.
host-status
Enable/disable rewriting the Host header by replacing the hostname with the string you specify.
host
Rewrites the Host header by replacing the hostname with the string you specify. For Host rules, specify a replacement domain and/or port.
Note: The rewrite string is a literal string. Regular expression syntax is not supported.
referer-status
Enable/disable rewriting the Referer header with the URL you specify.
referer
Rewrites the Referer header with the URL you specify. For Referer rules, you must specify an absolute URL.
Note: The rewrite string is a literal string. Regular expression syntax is not supported.
url-status
Enable/disable rewriting the Host header by replacing the whole URL with the string you specify.
url
Rewrites the request URL and Host header using the string you specify. For URL rules, specify a URL in one of the following formats:
Absolute URL — https://example.com/content/index.html
Relative URL — content/index.html
If you specify a relative URL, the host header is not rewritten.
Note: The rewrite string is a literal string. Regular expression syntax is not supported.
location
For Location rules, specify an absolute URL. For example: https://example.com/content/index.html
Note: The rewrite string is a literal string. Regular expression syntax is not supported.
comments
Optional administrator note.
config match-condition
content
Specify the string or regular expression syntax.
object
Specify content matching conditions based on the following parameters:
http-host-header
http-location-header
http-referer-header
http-request-url
ip-source-address
Note: When you add multiple conditions, FortiADC joins them with an AND operator. For example, if you specify both an HTTP Host Header and an HTTP Request URL to match, the rule is a match only for traffic that meets both conditions.
reverse
Rule matches if traffic does not match the expression.
type
string
regular-expression
Example
The following example creates a configuration to rewrite a literal string:
FortiADC-VM # config load-balance content-rewriting
FortiADC-VM (content-rewrit~n) # edit c-rewrite-0
Add new entry 'c-rewrite-0' for node 1737
 
FortiADC-VM (c-rewrite-0) # set action redirect
FortiADC-VM (c-rewrite-0) # set redirect https://example.com/resource
FortiADC-VM (c-rewrite-0) # set comments http-to-https
 
FortiADC-VM (c-rewrite-0) # config match-condition
FortiADC-VM (match-condition) # edit 1
FortiADC-VM (1) # set type string
FortiADC-VM (1) # set object http-host-header
FortiADC-VM (1) # set content www.example.com
FortiADC-VM (1) # next
 
FortiADC-VM (match-condition) # edit 2
FortiADC-VM (2) # set type string
FortiADC-VM (2) # set object http-request-url
FortiADC-VM (2) # set content /resource
FortiADC-VM (2) # end
 
The following example creates a configuration to rewrite using a regular expression:
FortiADC-VM (content-rewrit~n) # edit c-rewrite-1
 
FortiADC-VM (c-rewrite-1) # set action redirect
FortiADC-VM (c-rewrite-1) # set redirect https://$0/$1
FortiADC-VM (c-rewrite-1) # set comments http-to-https
 
FortiADC-VM (c-rewrite-1) # config match-condition
 
FortiADC-VM (match-condition) # edit 1
FortiADC-VM (1) # set type regular-expression
FortiADC-VM (1) # set object http-host-header
FortiADC-VM (1) # set content (.*)
FortiADC-VM (1) # next
 
FortiADC-VM (match-condition) # edit 2
FortiADC-VM (2) # set type regular-expression
FortiADC-VM (2) # set object http-request-url
FortiADC-VM (2) # set content ^/(.*)$
FortiADC-VM (2) # end
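
The examples above cover only request-side redirects. The following added example (not from the vendor documentation) sketches the response-side rule from the external-to-internal URL translation use case, using only keywords listed under Syntax; the rule name loc-rewrite-example and the comments value are hypothetical.

```text
config load-balance content-rewriting
edit loc-rewrite-example
set action-type response
set action rewrite_http_location
set location http://example.com
set comments example-internal-to-external
config match-condition
edit 1
set object http-location-header
set type regular-expression
set content server.*\.example\.com
next
end
next
end
```

Because the location rewrite string is a literal, every response whose Location header matches the expression is rewritten to the same public URL. Rules selected in the virtual server are consulted from top to bottom and the first match is applied, so the position of this rule relative to other response rules matters.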