User Guide

Rewriting Requests

Rewriting URLs and headers changes the structure of requests from clients before they are forwarded to the web application.

Some web applications need to know the IP address of the client where the request originated in order to log or analyze it. For these applications, enable FortiWeb Cloud to add or append to an X-Forwarded-For: or X-Real-IP: header. The web server can instead use this HTTP-layer header to find the public source IP and path of the IP-layer session from the original client.

To configure Rewriting Requests, you must have already enabled this module in Add Modules. See How to add or remove a module.

Add X-Forwarded-For

Enable to include the X-Forwarded-For: HTTP header in requests forwarded to your web servers.

If the HTTP client or web proxy does not provide the header, FortiWeb Cloud adds it, using the source IP address of the connection.

If the HTTP client or web proxy already provides the header, it appends the source IP address to the header's list of IP addresses.

This option can be useful if your web servers log or analyze clients’ public IP addresses and support the X-Forwarded-For: header. If they do not, disable this option to improve performance.

Add Source Port

If enabled, the X-Forwarded-For: header will record the connection's source port as well as the source IP.

Add X-Forwarded-Port

If enabled, an X-Forwarded-Port: header will be added to record the connection's original destination port.

Add X-Real-IP

Enable to include the X-Real-IP: HTTP header on requests forwarded to your web servers. Behavior varies by the header already provided by the HTTP client or web proxy, if any; see Add X-Forwarded-For.

Like X-Forwarded-For:, this header is also used by some proxies and web servers to trace the path, log, or analyze based upon the packet’s original source IP address.

Use X-Header to Identify Original Client's IP

If you have a front-end load balancer or proxy, enable this option to derive the original client's IP from the X-Header, rather than from the connection's source IP. FortiWeb Cloud will detect violations and report logs based on the IP derived from the X-Header.
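Because FortiWeb Cloud appends to an X-Forwarded-For: list that the client may already have populated, a back-end server should read the list from the right and stop at the first address that is not one of its own proxies. The following is an added example, not Fortinet code; the trusted range is a constructed placeholder, and the `ip:port` and `[ipv6]:port` entry formats for Add Source Port are assumptions, since this page does not state the format.

```python
import ipaddress

# Constructed placeholder: the address range your trusted proxies connect from
# (for example, the WAF's egress addresses). Replace with your real ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

def _strip_port(entry):
    """Return the IP part of 'ip', 'ip:port' or '[v6]:port' (assumed formats)."""
    entry = entry.strip()
    if entry.startswith("["):            # [2001:db8::1]:443
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:            # 198.51.100.7:51234
        return entry.split(":")[0]
    return entry                         # bare IPv4 or bare IPv6

def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, xff_header):
    """Pick the client address to log, given the TCP peer and the XFF value."""
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted(peer) or not xff_header:
        # The header was not added by one of our proxies: ignore it entirely.
        return str(peer)
    # Walk right to left. Entries on the right were appended by our own
    # proxies; anything left of the first untrusted hop is client-supplied.
    for entry in reversed(xff_header.split(",")):
        try:
            ip = ipaddress.ip_address(_strip_port(entry))
        except ValueError:
            break                        # malformed entry: stop trusting the list
        if not _is_trusted(ip):
            return str(ip)
    return str(peer)

if __name__ == "__main__":
    # Constructed request: the client sent "10.0.0.1" itself, the proxy
    # appended the real connection source.
    print(client_ip("203.0.113.10", "10.0.0.1, 198.51.100.7"))
```
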

To configure a rewriting rule

  1. Go to APPLICATION DELIVERY > Rewriting Requests.
  2. Click +Add Rule.
  3. Configure these settings.

    Name

    Type a name that can be referenced by other parts of the configuration.

    Action

    Select the item in HTTP requests from clients that this rule will rewrite.

    • Rewrite Host
      Rewrite the Host: field in the header of an HTTP request.
    • Rewrite URL
      Rewrite the URL line in the header of an HTTP request.
    • Rewrite Referer
      Rewrite the Referer: field in the header of an HTTP request.
    • Insert Header
      In Header Name and Header Value, enter the name of the header field that you want to insert into a request and the value of that header field.
    • Redirect URL (301 Permanently)
      Type a URL, such as /catalog/item1, to which a client will be redirected. It is used in the 301 Moved Permanently response.
    • Redirect Host (301 Permanently)
      Type either a host name or IP address (e.g. http://store.example.com or https://2.2.2.2), to which a client will be redirected. It is used in the 301 Moved Permanently response.

    Note: Only literal values are supported in the Rewrite/Redirect To field, but regular expressions are supported in the Rewrite/Redirect From field.
    For example, the following configuration can redirect "a.com" to "www.a.com":

    • Redirect From: ^a\.com$

    • Redirect To: https://www.a.com

    To achieve the opposite effect, you can use the following configuration to redirect from "www.a.com" to "a.com", excluding the "www":

    • Redirect From: ^www\.a\.com$
    • Redirect To: https://a.com

    For both examples above, the Action would be set to "Rewrite Host".

    Action: Rewrite HTTP Header Advanced

    This action enables FortiWeb Cloud to rewrite HTTP headers when multiple conditions are met.

    Rewriting Condition:

    Specify one or more conditions that the HTTP request must match. The conditions are in an "AND" relationship.

    • Match Host: Enter the value of the Host: field to match.

    • Match URL: Enter the URL to match.

    • Match Referer: Enter the value of Referer: field to match.

    • Protocol Filter: Select the protocol if you want to restrict the condition only for either HTTP or HTTPS.

    Rewriting Behavior:

    Replace the corresponding elements in the HTTP request with the values specified below. Multiple behaviors will be applied as specified.

    • Rewrite Host: Enter the Host: value to replace with.

    • Rewrite URL: Enter the URL to replace with.

    • Rewrite Referer: Enter the value of Referer: field to replace with.

    • Insert Header: Enter the header name and value to insert into the HTTP request.

    • Remove Header: Remove the header from the HTTP request.

    Action: Redirect Advanced (301 Permanently)

    This action enables FortiWeb Cloud to redirect an HTTP request when multiple conditions are met.

    Rewriting Condition:

    Specify one or more conditions that the HTTP request must match. The conditions are in an "AND" relationship.

    • Match Host: Enter the value of the Host: field to match.

    • Match URL: Enter the URL to match.

    • Match Referer: Enter the value of Referer: field to match.

    • Protocol Filter: Select the protocol if you want to restrict the condition only for either HTTP or HTTPS.

    Rewriting Behavior:

    Redirect the request to the specified location when the above conditions are met.

    • Rewrite Location: The location can be a URL, a host name, or an IP address.

    URL Translation

    Enable it to keep the URL path while redirecting clients to a new host or IP address in a “301 Permanently” response. For example, clients visiting "www.aaa.com/test.html" can be redirected to "www.bbb.com/test.html".

    Available only if the action is Redirect Host (301 Permanently).

    Protocol Filter

    Enable if you want to match this condition only for either HTTP or HTTPS.

    For example, you could redirect clients that accidentally request the login page by HTTP to a more secure HTTPS channel—but the redirect is not necessary for HTTPS requests.

    As another example, if URLs in HTTPS requests should be exempt from rewriting, you could configure the rewriting rule to apply only to HTTP requests.

    Protocol

    Select which protocol will match this condition, either HTTP or HTTPS.

    This option appears only if Protocol Filter is enabled.

  4. Click OK.
    You can create at most 12 rewriting rules for an application. Be aware that the rules operate under "OR" conditions. This means that FortiWeb Cloud processes the request based on the first matching rule, then forwards the request to the next scan.
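The Redirect From patterns shown in step 3 are anchored with `^` and `$` and escape each dot; dropping either makes the rule match hosts it was never meant for. The following added example (not Fortinet code) checks a From pattern against constructed near-miss host names before you enter it. It assumes the product's regex engine treats `^`, `$` and `\.` the way Python's `re` module does and searches for the pattern anywhere in the Host value.

```python
import re

def lookalikes(host):
    """Constructed near-miss hosts that an exact pattern must NOT match."""
    return [
        "www." + host,            # extra label in front
        host + ".example.net",    # intended host used as a prefix of another name
        host.replace(".", "x"),   # dot replaced by an ordinary character
        "x" + host,               # extra leading character
    ]

def audit(pattern, intended):
    """Return the problems found in a From host regex (empty list if exact)."""
    rx = re.compile(pattern)
    problems = []
    if not rx.search(intended):
        problems.append("misses " + intended)
    for host in lookalikes(intended):
        if rx.search(host):
            problems.append("also matches " + host)
    return problems

if __name__ == "__main__":
    # The page's pattern first, then variants with the anchors or escapes dropped.
    for pattern in (r"^a\.com$", r"^a.com$", r"a\.com$", r"a.com"):
        print(pattern, "->", audit(pattern, "a.com") or "exact")
```
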
