Fortinet black logo

Handbook

Configuring decompression rules

Configuring decompression rules

If the HTTP/HTTPS request body is compressed, FortiADC cannot pass it to the other functional modules which perform inspection or modification.

To allow FortiADC to pass compressed HTTP/HTTPS client requests to other modules for inspection or modification before forwarding it to the back-end server, you must create a FortiADC decompression policy.

You can configure FortiADC to temporarily decompress the body of a request based on its file type, which can be specified by the HTTP/HTTPS Content‑Type: header. The appliance can then inspect or modify the traffic. If no inspection or modification is needed, it will allow the compressed version of the request to pass to the back-end server.

FortiADC supports HTTP/HTTPS request decompression in either gzip or deflate format. Upon receiving a compressed HTTP/HTTPS request body, FortiADC first extracts the HTTP/HTTPS request body to a temporary buffer and then sends the buffer to the other modules.

Note that, for the current release, decompression only works for Web Application Firewall (WAF) and Scripting functions.

FortiADC supports decompression of the following content-type files:

  • application/javascript
  • application/soap+xml
  • application/x-javascript
  • application/xml
  • text/css
  • text/html
  • text/javascript
  • text/plain
  • text/xml
  • custom

Before you begin:

  • You must have a good understanding of HTTP decompression and knowledge of the content types served from the backend real servers.
  • You must have Read-Write permission for Load Balance settings.

Decompression is not enabled by default. After you have configured a decompression rule, you can select it in the profile configuration. To enable decompression, select the profile when you configure the virtual server.

To configure a decompression rule:
  1. Click Server Load Balance > Application Resources.
  2. Click the Decompression tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in Decompression configuration.
  5. Save the configuration.

Decompression configuration

Settings Guidelines

Name

Specify a unique name for the decompression rule. Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the profile configuration.

Note: After you initially save the configuration, you cannot edit the name.

URI List Type

  • Include— Select this option to create a decompression inclusion rule. HTPP/HTTPS responses that match the URIs and content types specified in this rule will be decompressed by FortiADC before being passed to the client.
  • Exclude—Select this option to create a decompression exclusion rule. HTPP/HTTPS responses that match the URIs and content types specified in this rule will not be decompressed by FortiADC before being passed to the client.

URI List

Click Add and specify URIs to build the list.

Content Types

Click Add and select from the following content types to build the list:

  • application/javascript
  • application/soap+xml
  • application/x-javascript
  • application/xml
  • text/css
  • text/html
  • text/javascript
  • text/plain
  • text/xml
  • custom

Note: The "custom" option allows you to specify almost any content/media type, including image files in .JPG, .PNG, and .BMP formats. The default is */*, which means any content/media type.

You can use the CLI to configure decompression rules:

config load-balance decompression

edit <name>

set cpu-limit {enable | disable}

set max-cpu-usage [1-100]

set uri-list-type {include | exclude}

config uri_list

edit <ID>

set uri <refex_pattern>

next

end

config content-types

edit <ID>

set content-type <types>

{

application/javascript

application/soap+xml

application/x-javascript

application/xml

custom <plain-string>

text/css

text/html

text/javascript

text/plain

text/xml

}

next

end

You can use the CLI to select a decompression rule in a server load balance profile (HTTP):

config load-balance profile

edit <name>

...

set decompression <decompression name>

...

next

end

Using decompression with script data body manipulation

Script data body manipulation can work in tandem with compression or decompression rules in a rather transparent way. When a decompression rule is configured and used with scripting, FortiADC will decompress HTTP data first, then apply script data body manipulation, and then re-compress the data before sending it to clients.

So, if HTTP data is compressed before being sent out from the real server, you must create a decompression rule if you want to access the original data and use it in a script. This can be done either via the GUI or the Console. The following paragraphs show you the basic steps for configuring decompression rules to work with script data body manipulation.

From the GUI

Step 1: Creating a decompression rule
  1. Click Server Load Balance > Application Resources > Decompression.
  2. Click Create New to open the Decompression configuration dialog.
  3. For Name, specify a unique name for the decompression rule.
  4. For URI Rule Type, select Include or Exclude.
  5. Click Save. The dialog closes and the decompression rule appears in the Decompression table.
  6. Double-click the decompression rule (or click the corresponding Edit button) to open it.
  7. In the URI Rule section, make the desired configuration. (Optional)
  8. In the Content Types sections, make the desired configuration. (Optional)
  9. Click Save.
  10. Repeat the above steps to create as many decompression rules as needed.
Step 2: Configuring a load balance profile
  1. Click Server Load Balance > Application Resources > Application Profile.
  2. Click Create New to open the Application Profile configuration dialog.
  3. For Type, click the down arrow and select HTTP or HTTPS from the list menu.
  4. For Decompression, click the down arrow and select a decompression rule from the list menu.
  5. Complete all the other fields required for load-balancing profile configuration.
  6. Click Save.
Step 3: Enabling scripting in virtual server configuration
  1. Click Server Load Balance > Virtual Server > Virtual Server.
  2. Click Add > Advanced Mode.
  3. For Type (under the Basic section), be sure to select Layer 7.
  4. For Profile (under the General section), be sure to select an HTTP or HTTPS profile associated with the decompression rules that you have configured.
  5. For Scripting, be sure to turn it on (enable it), and then select the desired script or scripts.
  6. Complete all the other fields required for virtual server configuration.
  7. Click Save.

From the Console

Use the following example commands as a reference when configuring decompression and script data body manipulation from the Console.

Step 1: Creating a decompression rule

config load-balance decompression

edit "decompress"

set uri-list-type include

config uri_list

edit 1

set uri /

next

end

config content_types

edit 1

set content-type text/html

next

end

next

end

Step 2: Configuring a load balance profile

config load-balance profile

edit "http"

set type http

set decompression decompress

next

end

Step 3: Enabling scripting in virtual server configuration

config load-balance virtual-server

edit "vs"

set load-balance-profile http

set scripting-flag enable

set scripting-list data

next

end

Configuring decompression rules

If the HTTP/HTTPS request body is compressed, FortiADC cannot pass it to the other functional modules which perform inspection or modification.

To allow FortiADC to pass compressed HTTP/HTTPS client requests to other modules for inspection or modification before forwarding it to the back-end server, you must create a FortiADC decompression policy.

You can configure FortiADC to temporarily decompress the body of a request based on its file type, which can be specified by the HTTP/HTTPS Content‑Type: header. The appliance can then inspect or modify the traffic. If no inspection or modification is needed, it will allow the compressed version of the request to pass to the back-end server.

FortiADC supports HTTP/HTTPS request decompression in either gzip or deflate format. Upon receiving a compressed HTTP/HTTPS request body, FortiADC first extracts the HTTP/HTTPS request body to a temporary buffer and then sends the buffer to the other modules.

Note that, for the current release, decompression only works for Web Application Firewall (WAF) and Scripting functions.

FortiADC supports decompression of the following content-type files:

  • application/javascript
  • application/soap+xml
  • application/x-javascript
  • application/xml
  • text/css
  • text/html
  • text/javascript
  • text/plain
  • text/xml
  • custom

Before you begin:

  • You must have a good understanding of HTTP decompression and knowledge of the content types served from the backend real servers.
  • You must have Read-Write permission for Load Balance settings.

Decompression is not enabled by default. After you have configured a decompression rule, you can select it in the profile configuration. To enable decompression, select the profile when you configure the virtual server.

To configure a decompression rule:
  1. Click Server Load Balance > Application Resources.
  2. Click the Decompression tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in Decompression configuration.
  5. Save the configuration.

Decompression configuration

Settings Guidelines

Name

Specify a unique name for the decompression rule. Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the profile configuration.

Note: After you initially save the configuration, you cannot edit the name.

URI List Type

  • Include— Select this option to create a decompression inclusion rule. HTPP/HTTPS responses that match the URIs and content types specified in this rule will be decompressed by FortiADC before being passed to the client.
  • Exclude—Select this option to create a decompression exclusion rule. HTPP/HTTPS responses that match the URIs and content types specified in this rule will not be decompressed by FortiADC before being passed to the client.

URI List

Click Add and specify URIs to build the list.

Content Types

Click Add and select from the following content types to build the list:

  • application/javascript
  • application/soap+xml
  • application/x-javascript
  • application/xml
  • text/css
  • text/html
  • text/javascript
  • text/plain
  • text/xml
  • custom

Note: The "custom" option allows you to specify almost any content/media type, including image files in .JPG, .PNG, and .BMP formats. The default is */*, which means any content/media type.

You can use the CLI to configure decompression rules:

config load-balance decompression

edit <name>

set cpu-limit {enable | disable}

set max-cpu-usage [1-100]

set uri-list-type {include | exclude}

config uri_list

edit <ID>

set uri <refex_pattern>

next

end

config content-types

edit <ID>

set content-type <types>

{

application/javascript

application/soap+xml

application/x-javascript

application/xml

custom <plain-string>

text/css

text/html

text/javascript

text/plain

text/xml

}

next

end

You can use the CLI to select a decompression rule in a server load balance profile (HTTP):

config load-balance profile

edit <name>

...

set decompression <decompression name>

...

next

end

Using decompression with script data body manipulation

Script data body manipulation can work in tandem with compression or decompression rules in a rather transparent way. When a decompression rule is configured and used with scripting, FortiADC will decompress HTTP data first, then apply script data body manipulation, and then re-compress the data before sending it to clients.

So, if HTTP data is compressed before being sent out from the real server, you must create a decompression rule if you want to access the original data and use it in a script. This can be done either via the GUI or the Console. The following paragraphs show you the basic steps for configuring decompression rules to work with script data body manipulation.

From the GUI

Step 1: Creating a decompression rule
  1. Click Server Load Balance > Application Resources > Decompression.
  2. Click Create New to open the Decompression configuration dialog.
  3. For Name, specify a unique name for the decompression rule.
  4. For URI Rule Type, select Include or Exclude.
  5. Click Save. The dialog closes and the decompression rule appears in the Decompression table.
  6. Double-click the decompression rule (or click the corresponding Edit button) to open it.
  7. In the URI Rule section, make the desired configuration. (Optional)
  8. In the Content Types sections, make the desired configuration. (Optional)
  9. Click Save.
  10. Repeat the above steps to create as many decompression rules as needed.
Step 2: Configuring a load balance profile
  1. Click Server Load Balance > Application Resources > Application Profile.
  2. Click Create New to open the Application Profile configuration dialog.
  3. For Type, click the down arrow and select HTTP or HTTPS from the list menu.
  4. For Decompression, click the down arrow and select a decompression rule from the list menu.
  5. Complete all the other fields required for load-balancing profile configuration.
  6. Click Save.
Step 3: Enabling scripting in virtual server configuration
  1. Click Server Load Balance > Virtual Server > Virtual Server.
  2. Click Add > Advanced Mode.
  3. For Type (under the Basic section), be sure to select Layer 7.
  4. For Profile (under the General section), be sure to select an HTTP or HTTPS profile associated with the decompression rules that you have configured.
  5. For Scripting, be sure to turn it on (enable it), and then select the desired script or scripts.
  6. Complete all the other fields required for virtual server configuration.
  7. Click Save.

From the Console

Use the following example commands as a reference when configuring decompression and script data body manipulation from the Console.

Step 1: Creating a decompression rule

config load-balance decompression

edit "decompress"

set uri-list-type include

config uri_list

edit 1

set uri /

next

end

config content_types

edit 1

set content-type text/html

next

end

next

end

Step 2: Configuring a load balance profile

config load-balance profile

edit "http"

set type http

set decompression decompress

next

end

Step 3: Enabling scripting in virtual server configuration

config load-balance virtual-server

edit "vs"

set load-balance-profile http

set scripting-flag enable

set scripting-list data

next

end