Fortinet Document Library

Cookbook

6.2.0
HTTP to HTTPS redirect for load balancing

Starting with FortiOS 6.2.1, you can configure a virtual server with HTTP to HTTPS redirect enabled. When enabled, the virtual server answers a client's HTTP request with a redirect to HTTPS instead of forwarding it, so that all client traffic handled by the virtual server is carried over HTTPS. This improves the security of the user network.

You can only enable this feature by using the CLI. After you enable this feature, traffic flows as follows:

  • When FortiGate receives an HTTP request for an external IP, such as 10.1.100.201 in the following example, FortiGate sends an HTTP 303 response back to the original client that redirects it from HTTP to HTTPS, instead of forwarding the HTTP request to the real backend servers.
  • The client browser restarts the TCP session to HTTPS.
  • The HTTPS session arrives at the FortiGate, where a matching IPv4 policy allows the HTTPS traffic, establishes a secure SSL connection, and then forwards the request to the real backend servers.

To configure a virtual server with HTTPS redirect enabled:
  1. Create a virtual server with server-type set to http:

    config firewall vip
        edit "virtual-server-http"
            set type server-load-balance
            set extip 10.1.100.201
            set extintf "wan2"
            set server-type http
            set ldb-method round-robin
            set extport 80
            config realservers
                edit 1
                    set ip 172.16.200.44
                    set port 80
                next
                edit 2
                    set ip 172.16.200.55
                    set port 80
                next
            end
        next
    end

  2. Create a virtual server with server-type set to https and with the same external IP address:

    config firewall vip
        edit "virtual-server-https"
            set type server-load-balance
            set extip 10.1.100.201
            set extintf "wan2"
            set server-type https
            set ldb-method round-robin
            set extport 443
            config realservers
                edit 1
                    set ip 172.16.200.44
                    set port 443
                next
                edit 2
                    set ip 172.16.200.55
                    set port 443
                next
            end
            set ssl-certificate "Fortinet_CA_SSL"
        next
    end

  3. Enable the http-redirect option for the virtual server with server-type set to http:

    config firewall vip
        edit "virtual-server-http"
            set http-redirect enable
        next
    end

  4. Add the two virtual servers to a policy:

    config firewall policy
        edit 9
            set srcintf "wan2"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "virtual-server-http" "virtual-server-https"
            set action accept
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set auto-asic-offload disable
            set nat enable
        next
    end
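After the four steps above, the behaviour can be verified from a client that can reach the external IP. The following check is an added example, not part of the Fortinet cookbook: it sends one plain-HTTP request to the VIP (10.1.100.201 from the page) without following redirects and confirms the answer is the HTTP 303 to an https:// target on the same host that the page describes. The helper names, the sample responses and the assumption that the redirect target keeps the VIP host are this example's own.

```python
"""Check that a FortiGate virtual server answers plain HTTP with a 303
redirect to HTTPS on the same external IP (added example, not Fortinet code)."""
import http.client
from urllib.parse import urlsplit


def check_redirect(status, location, request_host):
    """Return (ok, reason) for the response the client received.

    The page states the VIP answers HTTP with a 303, so anything else is
    flagged: a 200 means the request was forwarded to a backend over plain
    HTTP, another 3xx is a redirect that the configuration did not produce."""
    if status != 303:
        return False, f"expected 303, got {status}"
    if not location:
        return False, "303 without a Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return False, f"redirect target is not https: {location}"
    # Assumption: the https VIP shares the external IP, so the host must match.
    if target.hostname != request_host:
        return False, f"redirect leaves the VIP host: {target.hostname}"
    return True, "ok"


def probe_vip(host, path="/", timeout=5):
    """Send one GET to port 80 of the VIP without following redirects and
    evaluate the answer with check_redirect()."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return check_redirect(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


if __name__ == "__main__":
    # Probe the external IP used in the cookbook example.
    print(probe_vip("10.1.100.201", "/"))
```

A passing check only shows that the VIP no longer forwards plain HTTP to the backends; the initial request and the 303 itself still travel in clear text, so test from the client side rather than trusting the policy alone.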
