Explicit proxy authentication over HTTPS
When a HTTP request requires authentication in an explicit proxy, the authentication can be redirected to a secure HTTPS captive portal. Once authentication is complete, the client can be redirected back to the original destination over HTTP.
Example
A user visits a website via HTTP through the explicit web proxy on a FortiGate. The user is required to authenticate by either basic or form IP-based authentication for the explicit web proxy service. The user credentials need to be transmitted over the networks in a secured method over HTTPS rather than in plain text. The user credentials are protected by redirecting the client to a captive portal of the FortiGate over HTTPS for authentication where the user credentials are encrypted and transmitted over HTTPS.
In this example, explicit proxy authentication over HTTPS is configured with form IP-based authentication. Once configured, you can enable authorization for an explicit web proxy by configuring users or groups in the firewall proxy policy.
To configure explicit proxy authentication over HTTPS:
-
Configure the authentication settings:
config authentication setting set captive-portal-type fqdn set captive-portal "fgt-cp" set auth-https enable end
-
Configure the authentication scheme:
config authentication scheme edit "form" set method form set user-database "local-user-db" next end
-
Configure the authentication rule:
config authentication rule edit "form" set srcaddr "all" set active-auth-method "form" next end
If a session-based basic authentication method is used, enable
web-auth-cookie
. -
Configure the firewall address:
config firewall address edit "fgt-cp" set type fqdn set fqdn "fgt.fortinetqa.local" next end
-
Configure the interface:
config system interface edit "port10" set ip 10.1.100.1 255.255.255.0 set explicit-web-proxy enable set proxy-captive-portal enable next end
-
Configure a firewall proxy policy with users or groups (see Explicit web proxy).
Verification
When a client visits a HTTP website, the client will be redirected to the captive portal for authentication by HTTPS. For example, the client could be redirected to a URL by a HTTP 303 message similar to the following:
HTTP/1.1 303 See Other
Connection: close
Content-Type: text/html
Cache-Control: no-cache
Location: https://fgt.fortinetqa.local:7831/XX/YY/ZZ/cpauth?scheme=http&4Tmthd=0&host=172.16.200.46&port=80&rule=75&uri=Lw==&
Content-Length: 0
The captive portal URL used for authentication is https://fgt.fortinetqa.local:7831/.... Once the authentication is complete with all user credentials protected by HTTPS, the client is redirected to the original HTTP website they intended to visit.