config : waf url-rewrite url-rewrite-rule
 
waf url-rewrite url-rewrite-rule
Use this command to configure URL rewrite rules or to redirect requests.
Rewriting or redirecting HTTP requests and responses is popular, and can be done for many reasons.
Similar to error message cloaking, URL rewriting can prevent the disclosure of underlying technology or web site structures to HTTP clients.
For example, when visiting a blog web page, its URL might be:
http://www.example.com/wordpress/?feed=rss2
Simply knowing the file name, that the blog uses PHP, its compatible database types, and the names of parameters via the URL could help an attacker to craft an appropriate attack for that platform. By rewriting the URL to something more human-readable and less platform-specific, the details can be hidden:
http://www.example.com/rss2
Aside from for security, rewriting and redirects can be for aesthetics or business reasons. Financial institutions can transparently redirect customers that accidentally request HTTP:
http://bank.example.com/login
to authenticate and do transactions on their secured HTTPS site:
https://bank.example.com/login
Additional uses could include:
During maintenance windows, requests can be redirected to a read-only server.
International customers can use global URLs, with no need to configure the back-end web servers to respond to additional HTTP virtual host names.
Shorter URLs with easy-to-remember phrases and formatting are easier for customers to understand, remember, and return to.
Much more than their name implies, “URL rewriting rules” can do all of those things, and more:
redirect HTTP requests to HTTPS
rewrite the URL line in the header of an HTTP request
rewrite the Host: field in the header of an HTTP request
rewrite the Referer: field in the header of an HTTP request
redirect requests to another web site
send a 403 Forbidden response to a matching HTTP requests
rewrite the HTTP location line in the header of a matching redirect response from the web server
rewrite the body of an HTTP response from the web server
 
Rewrites/redirects are not supported in all modes. See the FortiWeb Administration Guide.
To use a URL rewriting rule, add it to a policy. For details, see “config waf url-rewrite url-rewrite-policy”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf url-rewrite url-rewrite-rule
edit <url-rewrite-rule_name>
set action {403‑forbidden | redirect | redirect‑301 | http‑body‑rewrite | http-header‑rewrite | location-rewrite}
set host {<server_fqdn> | <server_ipv4> | <host_pattern>}
set host-status {enable | disable}
set host-use-pserver {enable | disable}
set url <replacement-url_str>
set url-status {enable | disable}
set location <location_str>
set location_replace <location_str>
set referer-status {enable | disable}
set referer <referer-url_str>
set referer-use-pserver {enable | disable}
set body_replace <replacement_str>
config match-condition
edit <entry_index>
set content-filter {enable | disable}
set content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}
set HTTP-protocol {http | https}
set is-essential {yes | no}
set object {http-host | http-reference | http-url}
set protocol-filter {enable | disable}
set reg-exp <object_pattern>
set reverse-match {yes | no}
next
end
next
end
Variable
Description
Default
<url-rewrite-rule_name>
Type the name of a new or existing rule. The maximum length is 35 characters.
To display the list of existing rules, type:
edit ?
No default.
action {403‑forbidden | redirect | redirect‑301 | http‑body‑rewrite | http-header‑rewrite | location-rewrite}
Select either:
403-forbidden — Send a 403 (Forbidden) response to the client.
redirect — Send a 302 (Moved Temporarily) response to the client, with a new Location: field in the HTTP header.
redirect-301 — Send a 301 (Moved Permanently) response to the client, with a new Location: field in the HTTP header.
http-body-rewrite — Replace the specific HTTP content in the body of responses.
http-header-rewrite — Rewrite the host, referer and request URL fields in HTTP header.
location-rewrite — Rewrite the location string in a 302 redirect.
http-header-rewrite
host {<server_fqdn> | <server_ipv4> | <host_pattern>}
Type the FQDN of the host, such as store.example.com, to which the request will be redirected. The maximum length is 255 characters.
This option is available only when host-status is enabled and action is http-header‑rewrite.
This field supports back references such as $0 to the parts of the original request that matched any capture groups that you entered in reg-exp <object_pattern> for each object in the condition table. (A capture group is a regular expression, or part of one, surrounded in parentheses.)
Use $n (0 <= n <= 9) to invoke a substring, where n is the order of appearance of the regular expression, from left to right, from outside to inside, then from top to bottom.
For example, regular expressions in the condition table in this order:
(a)(b)(c(d))(e)
(f)
would result in invokable variables with the following values:
$0 — a
$1 — b
$2 — cd
$3 — d
$4 — e
$5 — f
No default.
host-status {enable | disable}
Enable to rewrite the Host: field or host name part of the Referer: field.
When disabled, the FortiWeb appliance preserves the value from the client’s request when rewriting it.
This option is available only when action is http-header‑rewrite.
disable
host-use-pserver {enable | disable}
Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual host.
This option is available only when host-status is enabled and action is http-header‑rewrite. Any setting you make for host is ignored.
disable
url <replacement-url_str>
Type the string, such as /catalog/item1, that will replace the request URL. The maximum length is 255 characters.
This option is available only when url-status is enabled and action is http-header‑rewrite.
Do not include the name of the web host, such as www.example.com, nor the protocol, which are configured separately in host {<server_fqdn> | <server_ipv4> | <host_pattern>}.
Like host, this field supports back references such as $0 to the parts reg-exp <object_pattern> for each object in the condition table.
For an example, see the FortiWeb Administration Guide.
No default.
url-status {enable | disable}
Enable to rewrite the URL part of the request URL.
If you disable this option, the FortiWeb appliance preserves the value from the client’s request when it rewrites it.
This option is available only when action is http-header‑rewrite.
disable
location <location_str>
Enter the replacement value for the Location: field in the HTTP header for the 302 response. The maximum length is 255 characters.
This option is available only when action is redirect.
No default.
location_replace <location_str>
Type the URL string that provides a location for use in a 302 HTTP redirect response from a web server connected to FortiWeb. The maximum length is 255 characters.
This option is available only when action is location-rewrite.
No default.
referer-status {enable | disable}
Enable to rewrite the Referer: field in the HTML header. Also configure referer <referer-url_str> and referer-use-pserver {enable | disable}.
disable
referer <referer-url_str>
Type the replacement value for the Referer: field in the HTML header. The maximum length is 255 characters.
This option is available only when referer-status is enabled.
No default.
referer-use-pserver {enable | disable}
Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual referer.
This option is available only when referer-status is enabled and action is http-header‑rewrite. Any setting you make for referer is ignored.
disable
body_replace <replacement_str>
Type the value that will replace matching HTTP content in the body of responses. The maximum is 255 characters.
For an example, see the FortiWeb Administration Guide.
This option is available only when action is http-body-rewrite.
No default.
<entry_index>
Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999.
No default.
content-filter {enable | disable}
Enable if you want to match this condition only for specific HTTP content types (also called Internet or MIME file types) such as text/html, as indicated in the Content-Type: HTTP header. Also configure content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}.
disable
content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}
Type the HTTP content types that you want to match in a space-delimited list, such as:
set content-type-set text/html text/plain
No default.
HTTP-protocol {http | https}
Select which protocol will match this condition, either HTTP or HTTPS.
This option is applicable only if protocol-filter is set to enable.
http
is-essential {yes | no}
Select what to do if there is no Referer: field, either:
no — Meet this condition.
yes — Do not meet this condition.
Requests can lack a Referer: field for several reasons, such as if the user manually types the URL, and the request does not result from a hyperlink from another web site, or if the URL resulted from an HTTPS connection. (See the RFC 2616 section on the Referer: field.) In those cases, the field cannot be tested for a matching value.
This option appears only if object is http-reference.
yes
object {http-host | http-reference | http-url}
Select which part of the HTTP request to test for a match:
http-host
http-url
http-reference (the Referer: field)
If the request must match multiple conditions (for example, it must contain both a matching Host: field and a matching URL), add each object match condition to the condition table separately.
http-host
protocol-filter {enable | disable}
Enable if you want to match this condition only for either HTTP or HTTPS. Also configure HTTP-protocol {http | https}.
For example, you could redirect clients that accidentally request the login page by HTTP to a more secure HTTPS channel — but the redirect is not necessary for HTTPS requests.
As another example, if URLs in HTTPS requests should be exempt from rewriting, you could configure the rewriting rule to apply only to HTTP requests.
disable
reg-exp <object_pattern>
Depending on your selection in object {http-host | http-reference | http-url} and reverse-match {yes | no}, type a regular expression that defines either all matching or all non-matching Host: fields, URLs, or Referer: fields. Then, also configure reverse-match {yes | no}.
For example, for the URL rewriting rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {yes | no}, select no.
The pattern is not required to begin with a slash ( / ). The maximum length is 255 characters.
Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.
No default.
reverse-match {yes | no}
Indicate how to use reg-exp <object_pattern> when determining whether or not this URL rewriting condition has been met.
no — If the regular expression does match the request object, the condition is met.
yes — If the regular expression does not match the request object, the condition is met.
The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
If all conditions are met, the FortiWeb appliance will do your selected action.
no
Related topics
config waf url-rewrite url-rewrite-policy