Configuration steps - web‑based manager
To configure the FortiGate unit as a reverse proxy web cache server
1. Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a static NAT virtual IP that translates destination IP addresses from 192.168.10.1 to 172.10.20.30 (and does not translate destination ports):
Name | Reverse_proxy_VIP
External Interface | port2
Type | Static NAT
Source Address Filter | Do not select.
External IP Address/Range | 192.168.10.1
Mapped IP Address/Range | 172.10.20.30
Port Forwarding | Do not select.
2. Select OK.
3. Go to Policy > Policy > Policy and select Create New to add a port2 to port1 security policy that accepts HTTP and HTTPS traffic from the Internet.
Do not select security profiles. Set the destination address to the virtual IP. You do not have to enable NAT.
Policy Type | Firewall
Policy Subtype | Address
Incoming Interface | port2
Source Address | all
Outgoing Interface | port1
Destination Address | Reverse_proxy_VIP
Schedule | always
Service | HTTP HTTPS
Action | ACCEPT
4. Select Enable Web cache.
5. Select OK.
To configure the FortiGate unit to offload SSL encryption and cache HTTPS content
1. Go to System > Certificates > Local Certificates and select Import to import the web server’s CA.
For Type, select Local Certificate. Select the Browse button to locate the file Rev_Proxy_Cert_1.crt.
The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
2. From the CLI enter the following command to add HTTPS web caching to the security policy.
Assume the index number of the policy is 5.
config firewall policy
    edit 5
        set webcache-https ssl-server
end
3. From the CLI, enter the following command to add the SSL server.
The SSL server IP must match the destination address of the SSL traffic after it has been translated by the virtual IP (172.10.20.30), and the SSL server port must match the destination port of the SSL traffic (443). The SSL server operates in half mode because it performs a single-step conversion (HTTPS to HTTP or HTTP to HTTPS).
config wanopt ssl-server
    edit rev_proxy_server
        set ip 172.10.20.30
        set port 443
        set ssl-mode half
        set ssl-cert Rev_Proxy_Cert_1
end
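The procedure above spreads one configuration across three objects (the virtual IP, the security policy and the SSL server), and the values in them have to agree: the SSL server's IP must equal the virtual IP's mapped address, its port must be the HTTPS destination port, and the policy must have both web caching and HTTPS web caching turned on. The following added example (not Fortinet's code and not part of the original page) parses FortiOS-style CLI text (config/edit/set/next/end) into nested dictionaries and checks those relationships before the configuration is applied. The `wanopt ssl-server` and `webcache-https` lines are the ones from the page; the `firewall vip` and `firewall policy` lines are an assumed CLI rendering of the web-based manager steps (attribute names such as `extip`, `mappedip`, `srcintf` and `webcache` are standard FortiOS CLI keywords, but this rendering is a constructed sample, not output from a device). The certificate key-size rule (1024 or 2048 bits) is not checked here because the certificate itself is not part of the CLI text.

```python
"""Consistency check for the reverse-proxy web-cache configuration (added example)."""
import shlex

# Constructed sample: the page's two CLI snippets plus an assumed CLI form of the
# virtual IP and the security policy that the page configures through the GUI.
SAMPLE_CONFIG = """
config firewall vip
    edit "Reverse_proxy_VIP"
        set extintf "port2"
        set extip 192.168.10.1
        set mappedip 172.10.20.30
    next
end
config firewall policy
    edit 5
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Reverse_proxy_VIP"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set action accept
        set webcache enable
        set webcache-https ssl-server
    next
end
config wanopt ssl-server
    edit rev_proxy_server
        set ip 172.10.20.30
        set port 443
        set ssl-mode half
        set ssl-cert Rev_Proxy_Cert_1
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end lines into {table: {entry: {key: [values]}}}.

    Only one level of config nesting is handled, which is all the sample needs.
    'end' directly after 'set' (as in the page's snippets, which omit 'next')
    is accepted as well.
    """
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # honours the "quoted" names
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table = " ".join(args)
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = entry = None
    return tables


def check_reverse_proxy(tables, policy_id="5", vip_name="Reverse_proxy_VIP",
                        ssl_server="rev_proxy_server", https_port="443"):
    """Return a list of problems; an empty list means the three objects agree."""
    vip = tables.get("firewall vip", {}).get(vip_name)
    pol = tables.get("firewall policy", {}).get(policy_id)
    srv = tables.get("wanopt ssl-server", {}).get(ssl_server)
    if vip is None or pol is None or srv is None:
        return ["virtual IP, policy or ssl-server entry is missing"]
    problems = []
    mapped = vip.get("mappedip", [None])[0]
    # The SSL server must see the traffic as the VIP delivers it to the web server.
    if srv.get("ip") != [mapped]:
        problems.append(f"ssl-server ip {srv.get('ip')} != VIP mapped IP {mapped}")
    if srv.get("port") != [https_port]:
        problems.append(f"ssl-server port {srv.get('port')} != {https_port}")
    if srv.get("ssl-mode") != ["half"]:
        problems.append("ssl-server must use ssl-mode half for single-step conversion")
    if "ssl-cert" not in srv:
        problems.append("ssl-server has no ssl-cert (imported local certificate)")
    # The policy must point at the VIP and have both caching features enabled.
    if pol.get("dstaddr") != [vip_name]:
        problems.append(f"policy {policy_id} dstaddr is not {vip_name}")
    if pol.get("webcache") != ["enable"]:
        problems.append(f"policy {policy_id} does not have web cache enabled")
    if pol.get("webcache-https") != ["ssl-server"]:
        problems.append(f"policy {policy_id} is missing 'set webcache-https ssl-server'")
    for svc in ("HTTP", "HTTPS"):
        if svc not in pol.get("service", []):
            problems.append(f"policy {policy_id} does not allow service {svc}")
    return problems


if __name__ == "__main__":
    for problem in check_reverse_proxy(parse_fortios(SAMPLE_CONFIG)) or ["OK"]:
        print(problem)
```

Run it against a `show full-configuration` dump (or a config file exported from the unit) instead of `SAMPLE_CONFIG` to confirm the pieces line up; any line in the output names the object that disagrees with the procedure.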