Configuration steps - web-based manager
To configure the FortiGate unit as a reverse proxy web cache server
1. Go to Policy & Objects > Objects > Virtual IPs and select Create New to add a static NAT virtual IP that translates destination IP addresses from 192.168.10.1 to 172.10.20.30 (and does not translate destination ports):
VIP Type | IPv4 VIP
Name | Reverse_proxy_VIP
Interface | port2
Type | Static NAT
Source Address Filter | Do not select.
External IP Address/Range | 192.168.10.1
Mapped IP Address/Range | 172.10.20.30
Port Forwarding | Do not select.
2. Select OK.
3. Go to Policy & Objects > Objects > IPv4 and select Create New to add a port2 to port1 security policy that accepts HTTP and HTTPS traffic from the Internet.
Do not select security profiles. Set the destination address to the virtual IP. You do not have to enable NAT.
Incoming Interface | port2
Source Address | all
Outgoing Interface | port1
Destination Address | Reverse_proxy_VIP
Schedule | always
Service | HTTP HTTPS
Action | ACCEPT
4. Turn on Web Cache.
5. Select OK.
6. From the CLI, enter the following command to add HTTPS web caching to the security policy.
Assume the index number of the policy is 5.
config firewall policy
    edit 5
        set webcache-https ssl-server
end
To configure the FortiGate unit to offload SSL encryption and cache HTTPS content
1. Go to System > Certificates > Local Certificates and select Import to import the web server’s CA.
For Type, select Local Certificate. Select the Browse button to locate the file (example file name: Rev_Proxy_Cert_1.crt).
The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
2. Select OK to import the certificate.
3. From the CLI, enter the following command to add the SSL server and assign the web server's certificate to it.
The SSL server IP address must match the destination address of the SSL traffic after it has been translated by the virtual IP (172.10.20.30), and the SSL server port must match the destination port of the SSL traffic (443). The SSL server operates in half mode because it performs a single-step conversion (HTTPS to HTTP or HTTP to HTTPS).
config wanopt ssl-server
    edit rev_proxy_server
        set ip 172.10.20.30
        set port 443
        set ssl-mode half
        set ssl-cert Rev_Proxy_Cert_1
end