Chapter 23 WAN Optimization, Web Cache, Explicit Proxy, and WCCP: Web caching and SSL offloading
Example: reverse proxy web caching and SSL offloading for an Internet web server using a static one-to-one virtual IP

Configuration steps - web-based manager
To configure the FortiGate unit as a reverse proxy web cache server
1. Go to Policy & Objects > Objects > Virtual IPs and select Create New to add a static NAT virtual IP that translates destination IP addresses from 192.168.10.1 to 172.10.20.30 (and does not translate destination ports):
VIP Type: IPv4 VIP
Name: Reverse_proxy_VIP
Interface: port2
Type: Static NAT
Source Address Filter: Do not select.
External IP Address/Range: 192.168.10.1
Mapped IP Address/Range: 172.10.20.30
Port Forwarding: Do not select.
2. Select OK.
3. Go to Policy & Objects > Objects > IPv4 and select Create New to add a port2 to port1 security policy that accepts HTTP and HTTPS traffic from the Internet.
Do not select any security profiles. Set the destination address to the virtual IP. You do not have to enable NAT.
Incoming Interface: port2
Source Address: all
Outgoing Interface: port1
Destination Address: Reverse_proxy_VIP
Schedule: always
Service: HTTP, HTTPS
Action: ACCEPT
4. Turn on Web Cache.
5. Select OK.
6. From the CLI, enter the following command to add HTTPS web caching to the security policy.
Assume the index number of the policy is 5.
config firewall policy
  edit 5
    set webcache-https ssl-server
  end
To configure the FortiGate unit to offload SSL encryption and cache HTTPS content
1. Go to System > Certificates > Local Certificates and select Import to import the web server’s CA.
For Type, select Local Certificate. Select the Browse button to locate the file (example file name: Rev_Proxy_Cert_1.crt).
The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
2. Select OK to import the certificate.
3. From the CLI, enter the following command to add the SSL server and to assign the server's certificate to it.
The SSL server IP must match the destination address of the SSL traffic after it has been translated by the virtual IP (172.10.20.30), and the SSL server port must match the destination port of the SSL traffic (443). The SSL server operates in half mode because it performs a single-step conversion (HTTPS to HTTP, or HTTP to HTTPS).
config wanopt ssl-server
  edit rev_proxy_server
    set ip 172.10.20.30
    set port 443
    set ssl-mode half
    set ssl-cert Rev_Proxy_Cert_1
  end
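The two procedures above, collected into a single CLI-only configuration so that the whole reverse-proxy setup can be applied from a console session or compared against a running unit during an audit. This is an added example, not taken from the original page: the virtual IP and policy commands are the CLI equivalents of the GUI settings listed above, and the exact option names (extintf, extip, mappedip, srcintf, dstintf, webcache, and so on) are assumed to match a FortiOS release of the same generation as this guide. The policy index 5, the object names, the interfaces and the addresses are the ones used on this page; the certificate itself is assumed to have already been imported through the GUI as described in step 1.

```fortios
# Added example (assumed FortiOS CLI syntax): CLI equivalent of the GUI and CLI steps above.

# Steps 1-2: static NAT VIP, 192.168.10.1 on port2 -> 172.10.20.30, no port translation
config firewall vip
  edit "Reverse_proxy_VIP"
    set extintf "port2"
    set extip 192.168.10.1
    set mappedip "172.10.20.30"
    set portforward disable
  next
end

# Steps 3-6: port2 -> port1 policy for HTTP and HTTPS to the VIP,
# web cache enabled, HTTPS caching via the SSL server, no security profiles, NAT not required
config firewall policy
  edit 5
    set srcintf "port2"
    set dstintf "port1"
    set srcaddr "all"
    set dstaddr "Reverse_proxy_VIP"
    set action accept
    set schedule "always"
    set service "HTTP" "HTTPS"
    set webcache enable
    set webcache-https ssl-server
  next
end

# SSL offload: half-mode SSL server bound to the translated address and port,
# presenting the certificate imported as Rev_Proxy_Cert_1
config wanopt ssl-server
  edit "rev_proxy_server"
    set ip 172.10.20.30
    set port 443
    set ssl-mode half
    set ssl-cert "Rev_Proxy_Cert_1"
  next
end

# Check what was actually applied before testing from the Internet side
show firewall vip Reverse_proxy_VIP
show firewall policy 5
show wanopt ssl-server
```

Because the SSL server runs in half mode, the FortiGate terminates TLS on port2 and forwards plain HTTP to the web server on port1, so the port1 segment carries the decrypted traffic and must be a trusted network. The three `show` commands at the end let you confirm the policy and SSL server refer to the same translated address (172.10.20.30) and port (443); a mismatch there is the usual reason HTTPS requests reach the server uncached.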