Forward HTTPS requests to a web server without the need for an HTTP CONNECT message
An explicit web proxy can forward HTTPS requests to a web server without the need for an HTTP CONNECT message. The FortiProxy explicit web proxy can be configured to detect the HTTPS scheme in the request line of a plain text HTTP request and forward it as an HTTPS request to the web server. This allows applications that cannot use the CONNECT message for sending an HTTPS request to communicate with the web server through an explicit web proxy.
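The decision described above can be made entirely from the request line, so the following added example (written for this page, not FortiProxy code) shows the classification an explicit proxy performs: a plaintext request whose request-target is an absolute https:// URL is forwarded to the origin over TLS with no CONNECT, while CONNECT requests become tunnels and origin-form requests (a path plus a Host header) stay plain HTTP. The exact internal logic of FortiProxy is not documented on this page; the function reflects the HTTP/1.1 request-target forms and the behaviour the page states. The request bytes labelled PAGE_REQUEST are the ones typed into Telnet in the procedure; hosts such as example.test are constructed.

```python
"""Request-line classification for an explicit web proxy (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ForwardDecision:
    mode: str    # "tunnel" (CONNECT), "forward-https" or "forward-http"
    host: str    # origin server to contact
    port: int    # origin port: 443 for https, 80 for http, unless given
    path: str    # request-target sent to the origin ("" for a tunnel)


def classify_request(raw: bytes) -> ForwardDecision:
    """Parse the head of a plaintext HTTP request and decide how to forward it."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, _version = parts

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        # Classic tunnel: authority-form "host:port"; the proxy relays bytes
        # and never sees inside the TLS session.
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return ForwardDecision("tunnel", host, int(port), "")

    if target.startswith("/"):
        # origin-form: destination comes from the Host header, plain HTTP.
        host, _, port = headers.get("host", "").partition(":")
        if not host:
            raise ValueError("origin-form request without Host header")
        return ForwardDecision("forward-http", host, int(port or 80), target)

    # absolute-form: the scheme in the request line decides the transport.
    # This is the case detect-https-in-http-request handles.
    url = urlsplit(target)
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("unsupported request-target: %r" % target)
    port = url.port or (443 if url.scheme == "https" else 80)
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    mode = "forward-https" if url.scheme == "https" else "forward-http"
    return ForwardDecision(mode, url.hostname, port, path)


# The request typed into Telnet in the procedure on this page:
# absolute-form target, https scheme, no CONNECT.
PAGE_REQUEST = (
    b"POST https://172.18.20.220/ HTTP/1.1\r\n"
    b"Host: 172.18.20.220\r\n"
    b"User-Agent: curl/7.68.0\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    samples = (
        PAGE_REQUEST,
        # constructed requests for comparison
        b"CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    )
    for req in samples:
        print(req.split(b"\r\n", 1)[0].decode(), "->", classify_request(req))
```

Running the module prints the three decisions; the page's request resolves to forward-https on 172.18.20.220:443, which is exactly what the traffic log in the verification step later shows as dstport=443.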
    config firewall policy
        edit <id>
            set detect-https-in-http-request {enable | disable}
        next
    end
Example
Based on the following topology, an HTTPS request is sent to a web server through an explicit web proxy.
To enable detection of HTTPS in an HTTP request:
- Configure the explicit web proxy:

    config web-proxy explicit-proxy
        set status enable
        set interface "any"
        set http-incoming-port 8080
        set https-incoming-port 8080
        set unknown-http-version best-effort
    end
- Enable the explicit web proxy on port1:

    config system interface
        edit "port1"
            set ip 10.80.1.217 255.255.255.0
            set explicit-web-proxy enable
        next
    end
- Configure the firewall policy:

    config firewall policy
        edit 4
            set type explicit-web
            set name "expp"
            set uuid 6461ddca-d87f-51ec-d47a-ceb0934db42e
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "webproxy"
            set explicit-web-proxy "web-proxy"
            set utm-status enable
            set logtraffic all
            set log-http-transaction all
            set extended-log enable
            set ssl-ssh-profile "deep-inspection"
            set av-profile "default"
            set detect-https-in-http-request enable
        next
    end

  An SSL/SSH profile with deep inspection must be applied so that the proxy can decrypt the server's HTTPS response and forward it to the client over HTTP.
- Using Telnet, send an HTTP request with an HTTPS scheme as follows:

    telnet 10.80.1.217 8080
    Trying 10.80.1.217...
    Connected to 10.80.1.217.
    Escape character is '^]'.
    POST https://172.18.20.220/ HTTP/1.1
    Host: 172.18.20.220
    User-Agent: curl/7.68.0
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 0

    HTTP/1.1 200 OK
- Verify the traffic log. The HTTP request is forwarded to the server successfully by HTTPS:

    # execute log filter category 3
    ...
    2: date=2024-04-23 time=10:01:34 eventtime=1713891694636926727 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.80.1.57 srcport=46486 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.18.20.220 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=1035953713 service=" HTTPS" proxyapptype="web-proxy" proto=6 action="accept" policyid=4 policytype="proxy-policy" poluuid="6461ddca-d87f-51ec-d47a-ceb0934db42e" policyname="expp" trandisp="snat" transip=10.80.1.217 transport=20300 clientip=10.80.1.57 duration=123121 wanin=12791 rcvdbyte=12791 wanout=773 lanin=172 sentbyte=172 lanout=11229 appcat="unscanned" utmaction="allow"
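The fields that confirm the upgrade to HTTPS are dstport=443, service="HTTPS", proxyapptype="web-proxy" and the policy id of the explicit-web policy. The following added example (not FortiProxy code) parses the key=value log format shown above, tolerating the quoted values and the stray leading space in service=" HTTPS", and checks one record against those expectations. PAGE_RECORD is the record quoted in this step; PLAIN_HTTP_RECORD is constructed here to show how a request that was forwarded as plain HTTP would fail the check.

```python
"""Verifying an explicit-proxy traffic log record for an HTTPS forward (added example)."""
import re

# key=value pairs; a double-quoted value may contain spaces.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(record: str) -> dict:
    """Split one traffic log record into a dict of stripped string values."""
    fields = {}
    for key, value in _FIELD.findall(record):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value.strip()   # drops the leading space in service=" HTTPS"
    return fields


def verify_https_forward(fields: dict, policy_id: int) -> list:
    """Return a list of mismatches; an empty list means the record shows the
    explicit web proxy forwarding the request to the server as HTTPS under
    the expected policy."""
    expected = [
        ("type", "traffic"),
        ("proxyapptype", "web-proxy"),
        ("policytype", "proxy-policy"),
        ("action", "accept"),
        ("dstport", "443"),
    ]
    problems = []
    for key, want in expected:
        got = fields.get(key)
        if got != want:
            problems.append(f"{key}={got!r}, expected {want!r}")
    if fields.get("service", "").upper() != "HTTPS":
        problems.append(f"service={fields.get('service')!r}, expected 'HTTPS'")
    if fields.get("policyid") != str(policy_id):
        problems.append(f"policyid={fields.get('policyid')!r}, expected {policy_id}")
    return problems


# The record quoted on this page.
PAGE_RECORD = (
    'date=2024-04-23 time=10:01:34 eventtime=1713891694636926727 tz="-0700" '
    'logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.80.1.57 srcport=46486 srcintf="port1" srcintfrole="undefined" '
    'dstcountry="Reserved" srccountry="Reserved" dstip=172.18.20.220 dstport=443 '
    'dstintf="port1" dstintfrole="undefined" sessionid=1035953713 service=" HTTPS" '
    'proxyapptype="web-proxy" proto=6 action="accept" policyid=4 '
    'policytype="proxy-policy" poluuid="6461ddca-d87f-51ec-d47a-ceb0934db42e" '
    'policyname="expp" trandisp="snat" transip=10.80.1.217 transport=20300 '
    'clientip=10.80.1.57 duration=123121 wanin=12791 rcvdbyte=12791 wanout=773 '
    'lanin=172 sentbyte=172 lanout=11229 appcat="unscanned" utmaction="allow"'
)

# Constructed record (not from the page): same policy, but the request went
# to the server as plain HTTP on port 80.
PLAIN_HTTP_RECORD = (
    'date=2024-04-23 time=10:05:00 type="traffic" subtype="forward" '
    'srcip=10.80.1.57 dstip=172.18.20.220 dstport=80 service="HTTP" '
    'proxyapptype="web-proxy" action="accept" policyid=4 policytype="proxy-policy"'
)

if __name__ == "__main__":
    for name, rec in (("page", PAGE_RECORD), ("constructed", PLAIN_HTTP_RECORD)):
        problems = verify_https_forward(parse_fortilog(rec), policy_id=4)
        print(name, "->", "OK" if not problems else problems)
```

The check is deliberately strict about policyid so that a record matched by a different proxy policy (for example one without detect-https-in-http-request) is not mistaken for a successful test.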