Rewriting & redirecting
Rewriting or redirecting HTTP requests and responses is popular, and can be done for many reasons.
Similar to error message cloaking, URL rewriting can prevent the disclosure of underlying technology or web site structures to HTTP clients.
For example, when visiting a blog web page, its URL might be:
http://www.example.com/wordpress/?feed=rss2
Simply knowing the file name, that the blog uses PHP, its compatible database types, and the names of parameters via the URL could help an attacker to craft an appropriate attack for that platform. By rewriting the URL to something more human-readable and less platform-specific, the details can be hidden:
http://www.example.com/rss2
Aside from security, rewriting and redirects can be used for aesthetic or business reasons. Financial institutions can transparently redirect customers that accidentally request HTTP:
http://bank.example.com/login
to authenticate and do transactions on their secured HTTPS site:
https://bank.example.com/login
Additional uses could include:
During maintenance windows, requests can be redirected to a read-only server.
International customers can use global URLs, with no need to configure the back-end web servers to respond to additional HTTP virtual host names.
Shorter URLs with easy-to-remember phrases and formatting are easier for customers to understand, remember, and return to.
Much more than their name implies, “URL rewriting rules” can do all of those things, and more:
redirect HTTP requests to HTTPS
rewrite the URL line in the header of an HTTP request
rewrite the Host: field in the header of an HTTP request
rewrite the Referer: field in the header of an HTTP request
redirect requests to another web site
send a 403 Forbidden response to matching HTTP requests
rewrite the HTTP location line in the header of a matching redirect response from the web server
rewrite the body of an HTTP response from the web server
 
Rewrites/redirects are not supported in all modes. See “Supported features in each operation mode”.
FortiWeb cannot rewrite requests that exceed FortiWeb’s buffer size. To block requests that cannot be rewritten, configure Malformed Request.
Rewrites will work on single requests as well as those that have been fragmented using:
Transfer-Encoding: chunked
To configure a rewriting/redirection rule
1. Go to Application Delivery > URL Rewriting Policy > URL Rewriting Rule.
2. Click Create New.
A dialog appears. Its appearance varies by your settings in Action Type, and Request Action or Response Action.
3. In Name, type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
4. In Action Type, select whether this rule will rewrite HTTP requests from clients (Request Action) or HTTP responses from the web server (Response Action).
The next step varies by your selection in this step.
5. If you selected Request Action in Action Type, in the Request Action drop-down list, select one of the following:
Rewrite HTTP Header — Rewrites part(s) of the header in the HTTP request before passing it to the web server.
Setting name
Description
Host
Enable then type either a host name, such as store.example.com, or IP address if you want to replace the value of the Host: field in the header of HTTP requests. Requests will be redirected to this web host.
This field supports back references such as $0 to the parts of the original request that matched any capture groups that you entered in Regular Expression for each object in the condition table. (A capture group is a regular expression, or part of one, surrounded in parentheses. See “Regular expression syntax”.)
Using Physical Server
Enable to insert the variable FortiWeb_PSERVER in Host.
At the time of each specific HTTP request, FortiWeb will replace this variable with the IP address of the physical server to which it is forwarding the request.
Tip: Use this option when the Deployment Mode option in the server policies using this rule is either Server Balance or HTTP Content Routing. In such cases, by definition of load balancing, HTTP requests will be distributed among multiple web servers, and the specific IP addresses of the physical servers cannot be known in advance.
URL
Enable then type a string, such as /catalog/item1, if you want to replace the URL in the HTTP request.
Do not include the name of the web host, such as www.example.com, nor the protocol.
Like Host, this field supports back references such as $0 to the parts of the original request that matched any capture groups that you entered in Regular Expression for each object in the condition table (see “What are back-references?”).
Referer
Enable then type a URI, such as http://www.example.com/index, if you want to rewrite the Referer: field in the HTTP header.
This option is available only if Request Action is Rewrite HTTP Header.
Using Physical Server
Enable to insert the variable FortiWeb_PSERVER in Referer.
At the time of each specific HTTP request, FortiWeb will replace this variable with the IP address of the physical server to which it is forwarding the request.
Tip: Use this option when the Deployment Mode option in the server policies using this rule is either Server Balance or HTTP Content Routing. In such cases, by definition of load balancing, HTTP requests will be distributed among multiple web servers, and the specific IP addresses of the physical servers cannot be known in advance.
Redirect (301 Permanently) or Redirect (302 Temporary) — In Location, type a URI, such as http://www.example.com/new-url, to use in the 301 Moved Permanently or the 302 Moved Temporarily redirection HTTP response from the FortiWeb appliance. Like Host and URL, this field supports back-references such as $0 (see “What are back-references?”).
Send 403 Forbidden — Return a 403 Forbidden response to the client.
6. If you selected Response Action in Action Type, in the Response Action drop-down list, select one of the following:
Rewrite HTTP Body — In Replacement, type the string that will replace content in the body of HTTP responses (see “What are back-references?” and “Cookbook regular expressions”).
Rewrite HTTP Location — In Location, type a URI, such as http://www.example.com/new-url, to use in the 302 Moved Temporarily redirection when the HTTP response matches. Like Host and URL, this field supports back-references such as $0 (see “What are back-references?”).
7. Click Create New to add match conditions for the rule to URL Rewriting Condition Table.
A dialog appears.
8. Configure these settings:
Setting name
Description
Object
Select which part of the HTTP request will be tested for a match:
HTTP Host — The Host: field in the HTTP header.
This option does not appear if Response Action in step 6 was Rewrite HTTP Body.
HTTP Request URL — The URL in the HTTP header. The URL can be up to 1,024 characters long, unless superseded by HTTP constraints such as Header Line Length.
This option does not appear if Response Action in step 6 was Rewrite HTTP Body.
HTTP Referer — The Referer: field in the HTTP header. This option appears only if Action Type in step 4 was Request Action.
This option does not appear if Response Action in step 6 was Rewrite HTTP Body.
HTTP Body — The content of the request, such as an HTML document.
This option appears only if Response Action in step 6 was Rewrite HTTP Body.
HTTP Location — The Location: field in the header of the request.
This option appears only if Response Action in step 6 was Rewrite HTTP Location.
If the request must meet multiple conditions (for example, it must contain both a matching Host: field and a matching URL), add each condition to the condition table separately.
Regular Expression
Depending on your selection in Object and Meet this condition if, type a regular expression that defines either all matching or all non-matching objects. Also configure Meet this condition if.
 
For example, for the URL rewriting rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in Meet this condition if, select Object matches the regular expression.
The pattern is not required to begin with a slash ( / ).
When you have finished typing the regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression (see “Regular expression syntax”, “What are back-references?” and “Cookbook regular expressions”).
Protocol Filter
Enable if you want to match this condition only for either HTTP or HTTPS. Also configure Protocol.
For example, you could redirect clients that accidentally request the login page by HTTP to a more secure HTTPS channel — but the redirect is not necessary for HTTPS requests.
As another example, if URLs in HTTPS requests should be exempt from rewriting, you could configure the rewriting rule to apply only to HTTP requests.
Protocol
Select which protocol will match this condition, either HTTP or HTTPS.
This option appears only if Protocol Filter is enabled.
Content Type Filter
Enable if you want to match this condition only for specific HTTP content types (also called Internet or MIME file types) such as text/html, as indicated in the Content-Type: HTTP header. Also configure Content Type Set.
Content Type Set
In the left text area, select one or more HTTP content types that you want to match this condition, then click the right arrow button to move them into the text area on the right side.
This option is visible only if Content Type Filter is enabled.
Meet this condition if
Indicate how to use Regular Expression when determining whether or not this URL rewriting condition is met.
Object does not match the regular expression — If the regular expression does not match the request object, the condition is met.
Object matches the regular expression — If the regular expression does match the request object, the condition is met.
If all conditions are met, the FortiWeb appliance executes the Request Action or Response Action, whichever you selected.
9. If you selected HTTP Referer from Object, also configure the following:
Setting name
Description
If no Referer field in HTTP header
Select either:
Do not meet this condition
Meet this condition
Requests can lack a Referer: field for several reasons, such as if the user manually types the URL, and the request does not result from a hyperlink from another web site, or if the URL resulted from an HTTPS connection. (See the RFC 2616 section on the Referer: field.) In those cases, the field cannot be tested for a matching value.
This option appears only if Object is HTTP Referer.
10. Click OK.
11. Repeat the previous two steps until you have defined all matching HTTP requests or responses that should be rewritten as defined in this rule.
12. Go to Application Delivery > URL Rewriting Policy > URL Rewriting Policy.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions”.
13. Click Create New.
A dialog appears.
14. In Name, type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
15. Click OK.
16. Click Create New.
A dialog appears.
17. For Priority, enter the priority for this rule in relation to other defined rules.
Rule order affects rewriting rule matching and behavior. The search begins with the highest Priority number (0 = greatest priority) rule in the list and progresses in order towards the largest number (lowest priority) in the list. Matching rules are determined by comparing the rule and the request. If no rule matches, the request remains unchanged.
18. From the Rewriting Rule Name drop-down list, select the name of an existing rewriting rule to add to the policy.
To view or change the information associated with the rule, click the Detail link. The URL Rewriting Rule dialog appears, where you can view and edit the rules. Use your browser’s Back button to return.
19. Click OK.
20. Repeat the previous steps for each rule you want to add to the rewriting policy.
21. If you are rewriting a response from the web server, and it is compressed, configure a decompression rule so that FortiWeb will be able to rewrite. See “Configuring temporary decompression for scanning & rewriting”.
22. To apply the rewriting policy, select it in an inline protection profile. For details, see “Configuring a protection profile for inline topologies”.
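The matching model described in the procedure above (every condition in the table must be met, the Protocol Filter, "matches" versus "does not match", back-references such as $0 and $1 in the replacement, Priority order with 0 tried first, and the missing-Referer choice) as an added Python model; this is not FortiWeb code, the field names, rule names and the sample policy are constructed, and taking back-references from the last condition whose regular expression matched is an assumption.

```python
import re
from collections import namedtuple
# Constructed model of the rule matching this page describes (not FortiWeb code). A Condition is
# one condition-table row: Object ("host", "url", "referer"), Regular Expression, Meet this condition
# if (match=False = "does not match"), Protocol Filter ("http"/"https"/"" any), "If no Referer field".
Condition = namedtuple("Condition", "obj regex match protocol no_referer_meets",
                       defaults=(True, "", False))
# Rule: action "rewrite", "redirect301", "redirect302" or "forbid"; Priority 0 is greatest;
# url / location are replacement strings that may carry back-references $0, $1, ...
Rule = namedtuple("Rule", "name priority action conditions url location", defaults=("", ""))

def expand(template, groups):
    # fill FortiWeb-style back-references $0, $1, ... from the captured text
    return re.sub(r"\$(\d+)", lambda m: groups[int(m.group(1))] if int(m.group(1)) < len(groups) else "", template)

def evaluate(rule, req):
    # Every condition must be met; returns the capture groups of the last regex that matched
    # (assumption: that is where $0, $1, ... come from). None means the rule is not met.
    groups = [""]
    for c in rule.conditions:
        if c.protocol and req["scheme"] != c.protocol: return None
        value = req.get(c.obj)
        if value is None:  # only the Referer: field can be absent; the rule's choice decides
            if c.no_referer_meets: continue
            return None
        m = re.search(c.regex, value)
        if bool(m) != c.match:
            return None
        if m: groups = [m.group(0), *m.groups()]
    return groups

def apply_policy(rules, req):
    # Rules are tried by Priority; the first one whose conditions are all met decides
    for rule in sorted(rules, key=lambda r: r.priority):
        groups = evaluate(rule, req)
        if groups is None: continue
        if rule.action == "forbid":
            return {"status": 403}
        if rule.action.startswith("redirect"):
            return {"status": int(rule.action[8:]), "location": expand(rule.location, groups)}
        return dict(req, url=expand(rule.url, groups)) if rule.url else dict(req)
    return dict(req)  # no rule matched: the request passes through unchanged

# Constructed policy: HTTP-to-HTTPS login redirect, friendly feed URLs mapped back to the
# WordPress query string via $1, and a 403 for requests carrying an unexpected Host: value.
RULES = [
    Rule("login-to-https", 0, "redirect302", [Condition("url", r"^/login$", protocol="http")], location="https://bank.example.com$0"),
    Rule("friendly-feed-urls", 1, "rewrite", [Condition("url", r"^/(rss2|atom)$")], url="/wordpress/?feed=$1"),
    Rule("unknown-host", 2, "forbid", [Condition("host", r"^(www|bank)\.example\.com$", match=False)]),
]
```

A request is a plain dict with scheme, host, url and an optional referer key; a rewritten request comes back as a dict, a redirect or 403 as a status dict.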
See also
Rewriting & redirecting
Example: HTTP-to-HTTPS redirect
Example: Full host name/URL translation
Example: Sanitizing poisoned HTML
Example: Rewriting URLs using regular expressions
Example: Rewriting URLs using variables
Regular expression syntax
What are back-references?
Cookbook regular expressions