Fortinet white logo
Fortinet white logo

CLI Reference

waf url-rewrite url-rewrite-rule

waf url-rewrite url-rewrite-rule

Use this command to configure URL rewrite rules or to redirect requests.

Rewriting or redirecting HTTP requests and responses is popular, and can be done for many reasons.

Similar to error message cloaking, URL rewriting can prevent the disclosure of underlying technology or website structures to HTTP clients.

For example, when visiting a blog web page, its URL might be:

http://www.example.com/wordpress/?feed=rss2

Simply knowing the file name, that the blog uses PHP, its compatible database types, and the names of parameters via the URL could help an attacker to craft an appropriate attack for that platform. By rewriting the URL to something more human-readable and less platform-specific, the details can be hidden:

http://www.example.com/rss2

Aside from for security, rewriting and redirects can be for aesthetics or business reasons. Financial institutions can transparently redirect customers that accidentally request HTTP:

http://bank.example.com/login

to authenticate and do transactions on their secured HTTPS site:

https://bank.example.com/login

Additional uses could include:

  • During maintenance windows, requests can be redirected to a read-only server.
  • International customers can use global URLs, with no need to configure the back-end web servers to respond to additional HTTP virtual host names.
  • Shorter URLs with easy-to-remember phrases and formatting are easier for customers to understand, remember, and return to.

Much more than their name implies, “URL rewriting rules” can do all of those things, and more:

  • Redirect HTTP requests to HTTPS
  • Rewrite the URL line in the header of an HTTP request
  • Rewrite the Host: field in the header of an HTTP request
  • Rewrite the Referer: field in the header of an HTTP request
  • Redirect requests to another website
  • Send a 403 Forbidden response to a matching HTTP requests
  • Rewrite the HTTP location line in the header of a matching redirect response from the web server
  • Rewrite the body of an HTTP response from the web server

Rewrites/redirects are not supported in all modes. For details, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

To use a URL rewriting rule, add it to a policy. For details, see waf url-rewrite url-rewrite-policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf url-rewrite url-rewrite-rule

edit "<url-rewrite-rule_name>"

set action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite}

set header-name "<header-name_str>"

set header-status {enable | disable}

set header-value "<header-value_str>"

set host {<server_fqdn> | <server_ipv4> | <host_pattern>}

set host-status {enable | disable}

set host-use-pserver {enable | disable}

set url "<replacement-url_str>"

set url-status {enable | disable}

set location "<location_str>"

set location_replace "<location_str>"

set referer-status {enable | disable}

set referer "<referer-url_str>"

set referer-use-pserver {enable | disable}

set body_replace "<replacement_str>"

config match-condition

edit <entry_index>

set content-filter {enable | disable}

set content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}

set HTTP-protocol {http | https}

set is-essential {yes | no}

set object {http-host | http-reference | http-url}

set protocol-filter {enable | disable}

set reg-exp "<object_pattern>"

set reverse-match {yes | no}

next

end

next

end

Variable Description Default

"<url-rewrite-rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite}

Specify one of the following values:

  • 403-forbidden—Send a 403 (Forbidden) response to the client.
  • redirect—Send a 302 (Moved Temporarily) response to the client, with a new Location: field in the HTTP header.
  • redirect-301—Send a 301 (Moved Permanently) response to the client, with a new Location: field in the HTTP header.
  • http-body-rewrite—Replace the specific HTTP content in the body of responses.
  • http-header-rewrite—Rewrite the host, referer and request URL fields in HTTP header.
  • location-rewrite—Rewrite the location string in a 302 redirect.
http-header-rewrite

header-name "<header-name_str>"

Enter the name of the header field that you want to insert to a request, such as "Myheader." No default.

header-status {enable | disable}

Enable to insert the specified header and value to the matched HTTP requests. Specifies the header name and header value through header-name "<header-name_str>" and header-value "<header-value_str>", respectively. disable

header-value "<header-value_str>"

Enter the value of the header field that you specified in header-name "<header-name_str>", such as "123." Then, the customized header Myheader: 123 will be inserted to the matched HTTP requests. No default.

host {<server_fqdn> | <server_ipv4> | <host_pattern>}

Type the FQDN of the host, such as store.example.com, to which the request will be redirected. The maximum length is 256 characters.

This option is available only when host-status {enable | disable} is enabled and action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-header-rewrite.

This field supports back references such as $0 to the parts of the original request that matched any capture groups that you entered in reg-exp "<object_pattern>" for each object in the condition table. (A capture group is a regular expression, or part of one, surrounded in parentheses.)

Use $n (0 <= n <= 9) to invoke a substring, where n is the order of appearance of the regular expression, from left to right, from outside to inside, then from top to bottom.

For example, regular expressions in the condition table in this order:

(a)(b)(c(d))(e)

(f)

would result in invokable variables with the following values:

  • $0—a
  • $1—b
  • $2—cd
  • $3—d
  • $4—e
  • $5—f
No default.

host-status {enable | disable}

Enable to rewrite the Host: field or host name part of the Referer: field.

When disabled, the FortiWeb appliance preserves the value from the client’s request when rewriting it.

This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-header-rewrite.

disable

host-use-pserver {enable | disable}

Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual host.

This option is available only when host-status {enable | disable} is enabled and action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-header-rewrite. Any setting you make for host is ignored.

disable

url "<replacement-url_str>"

Enter the string, such as /catalog/item1, that will replace the request URL. The maximum length is 256 characters.

This option is available only when url-status {enable | disable} is enabled and action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-header-rewrite.

Do not include the name of the web host, such as www.example.com, nor the protocol, which are configured separately in host {<server_fqdn> | <server_ipv4> | <host_pattern>}.

Like host, this field supports back references such as $0 to the parts reg-exp "<object_pattern>" for each object in the condition table.

For an example, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

No default.

url-status {enable | disable}

Enable to rewrite the URL part of the request URL.

If you disable this option, the FortiWeb appliance preserves the value from the client’s request when it rewrites it.

This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-header-rewrite.

disable

location "<location_str>"

Enter the replacement value for the Location: field in the HTTP header for the 302 response. The maximum length is 256 characters.

This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is redirect.

No default.

location_replace "<location_str>"

Enter the URL string that provides a location for use in a 302 HTTP redirect response from a web server connected to FortiWeb. The maximum length is 256 characters.

This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is location-rewrite.

No default.

referer-status {enable | disable}

Enable to rewrite the Referer: field in the HTML header. Also configure referer "<referer-url_str>" and referer-use-pserver {enable | disable}. disable

referer "<referer-url_str>"

Enter the replacement value for the Referer: field in the HTML header. The maximum length is 256 characters.

This option is available only when referer-status {enable | disable} is enabled.

No default.

referer-use-pserver {enable | disable}

Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual referrer.

This option is available only when referer-status {enable | disable} is enabled and action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-header-rewrite. Any setting you make for referer "<referer-url_str>" is ignored.

disable

body_replace "<replacement_str>"

Enter the value that will replace matching HTTP content in the body of responses. The maximum is 256 characters.

For an example, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-body-rewrite.

No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

content-filter {enable | disable}

Enable if you want to match this condition only for specific HTTP content types (also called Internet or MIME file types) such as text/html, as indicated in the Content-Type: HTTP header. Also configure content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}. disable

content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}

Enter the HTTP content types that you want to match in a space-delimited list, such as:

set content-type-set text/html text/plain

No default.

HTTP-protocol {http | https}

Select which protocol will match this condition, either HTTP or HTTPS.

This option is applicable only if protocol-filter {enable | disable} is set to enable.

http

is-essential {yes | no}

Select what to do if there is no Referer: field, either:

  • no—Meet this condition.
  • yes—Do not meet this condition.

Requests can lack a Referer: field for several reasons, such as if the user manually types the URL, and the request does not result from a hyperlink from another website, or if the URL resulted from an HTTPS connection. In those cases, the field cannot be tested for a matching value. For details, see the RFC 2616 section on the Referer: field (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).

This option appears only if object {http-host | http-reference | http-url} is http-reference.

yes

object {http-host | http-reference | http-url}

Select which part of the HTTP request to test for a match:

  • http-host
  • http-url
  • http-reference (the Referer: field)

If the request must match multiple conditions (for example, it must contain both a matching Host: field and a matching URL), add each object match condition to the condition table separately.

http-host

protocol-filter {enable | disable}

Enable if you want to match this condition only for either HTTP or HTTPS. Also configure HTTP-protocol {http | https}.

For example, you could redirect clients that accidentally request the login page by HTTP to a more secure HTTPS channel—but the redirect is not necessary for HTTPS requests.

As another example, if URLs in HTTPS requests should be exempt from rewriting, you could configure the rewriting rule to apply only to HTTP requests.

disable

reg-exp "<object_pattern>"

Depending on your selection in object {http-host | http-reference | http-url} and reverse-match {yes | no}, type a regular expression that defines either all matching or all non-matching Host: fields, URLs, or Referer: fields. Then, also configure reverse-match {yes | no}.

For example, for the URL rewriting rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {yes | no}, select no.

The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.

No default.

reverse-match {yes | no}

Indicate how to use reg-exp "<object_pattern>"when determining whether or not this URL rewriting condition has been met.

  • no—If the regular expression does match the request object, the condition is met.
  • yes—If the regular expression does not match the request object, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

If all conditions are met, the FortiWeb appliance will do your selected action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite}.

no

Related topics

waf url-rewrite url-rewrite-rule

waf url-rewrite url-rewrite-rule

Use this command to configure URL rewrite rules or to redirect requests.

Rewriting or redirecting HTTP requests and responses is popular, and can be done for many reasons.

Similar to error message cloaking, URL rewriting can prevent the disclosure of underlying technology or website structures to HTTP clients.

For example, when visiting a blog web page, its URL might be:

http://www.example.com/wordpress/?feed=rss2

Simply knowing the file name, that the blog uses PHP, its compatible database types, and the names of parameters via the URL could help an attacker to craft an appropriate attack for that platform. By rewriting the URL to something more human-readable and less platform-specific, the details can be hidden:

http://www.example.com/rss2

Aside from for security, rewriting and redirects can be for aesthetics or business reasons. Financial institutions can transparently redirect customers that accidentally request HTTP:

http://bank.example.com/login

to authenticate and do transactions on their secured HTTPS site:

https://bank.example.com/login

Additional uses could include:

  • During maintenance windows, requests can be redirected to a read-only server.
  • International customers can use global URLs, with no need to configure the back-end web servers to respond to additional HTTP virtual host names.
  • Shorter URLs with easy-to-remember phrases and formatting are easier for customers to understand, remember, and return to.

Much more than their name implies, “URL rewriting rules” can do all of those things, and more:

  • Redirect HTTP requests to HTTPS
  • Rewrite the URL line in the header of an HTTP request
  • Rewrite the Host: field in the header of an HTTP request
  • Rewrite the Referer: field in the header of an HTTP request
  • Redirect requests to another website
  • Send a 403 Forbidden response to a matching HTTP requests
  • Rewrite the HTTP location line in the header of a matching redirect response from the web server
  • Rewrite the body of an HTTP response from the web server

Rewrites/redirects are not supported in all modes. For details, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

To use a URL rewriting rule, add it to a policy. For details, see waf url-rewrite url-rewrite-policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf url-rewrite url-rewrite-rule

edit "<url-rewrite-rule_name>"

set action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite}

set header-name "<header-name_str>"

set header-status {enable | disable}

set header-value "<header-value_str>"

set host {<server_fqdn> | <server_ipv4> | <host_pattern>}

set host-status {enable | disable}

set host-use-pserver {enable | disable}

set url "<replacement-url_str>"

set url-status {enable | disable}

set location "<location_str>"

set location_replace "<location_str>"

set referer-status {enable | disable}

set referer "<referer-url_str>"

set referer-use-pserver {enable | disable}

set body_replace "<replacement_str>"

config match-condition

edit <entry_index>

set content-filter {enable | disable}

set content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}

set HTTP-protocol {http | https}

set is-essential {yes | no}

set object {http-host | http-reference | http-url}

set protocol-filter {enable | disable}

set reg-exp "<object_pattern>"

set reverse-match {yes | no}

next

end

next

end

Variable Description Default

"<url-rewrite-rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite}

Specify one of the following values:

  • 403-forbidden—Send a 403 (Forbidden) response to the client.
  • redirect—Send a 302 (Moved Temporarily) response to the client, with a new Location: field in the HTTP header.
  • redirect-301—Send a 301 (Moved Permanently) response to the client, with a new Location: field in the HTTP header.
  • http-body-rewrite—Replace the specific HTTP content in the body of responses.
  • http-header-rewrite—Rewrite the host, referer and request URL fields in HTTP header.
  • location-rewrite—Rewrite the location string in a 302 redirect.
http-header-rewrite

header-name "<header-name_str>"

Enter the name of the header field that you want to insert to a request, such as "Myheader." No default.

header-status {enable | disable}

Enable to insert the specified header and value to the matched HTTP requests. Specifies the header name and header value through header-name "<header-name_str>" and header-value "<header-value_str>", respectively. disable

header-value "<header-value_str>"

Enter the value of the header field that you specified in header-name "<header-name_str>", such as "123." Then, the customized header Myheader: 123 will be inserted to the matched HTTP requests. No default.

host {<server_fqdn> | <server_ipv4> | <host_pattern>}

Type the FQDN of the host, such as store.example.com, to which the request will be redirected. The maximum length is 256 characters.

This option is available only when host-status {enable | disable} is enabled and action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-header-rewrite.

This field supports back references such as $0 to the parts of the original request that matched any capture groups that you entered in reg-exp "<object_pattern>" for each object in the condition table. (A capture group is a regular expression, or part of one, surrounded in parentheses.)

Use $n (0 <= n <= 9) to invoke a substring, where n is the order of appearance of the regular expression, from left to right, from outside to inside, then from top to bottom.

For example, regular expressions in the condition table in this order:

(a)(b)(c(d))(e)

(f)

would result in invokable variables with the following values:

  • $0—a
  • $1—b
  • $2—cd
  • $3—d
  • $4—e
  • $5—f
No default.

host-status {enable | disable}

Enable to rewrite the Host: field or host name part of the Referer: field.

When disabled, the FortiWeb appliance preserves the value from the client’s request when rewriting it.

This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-header-rewrite.

disable

host-use-pserver {enable | disable}

Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual host.

This option is available only when host-status {enable | disable} is enabled and action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-header-rewrite. Any setting you make for host is ignored.

disable

url "<replacement-url_str>"

Enter the string, such as /catalog/item1, that will replace the request URL. The maximum length is 256 characters.

This option is available only when url-status {enable | disable} is enabled and action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-header-rewrite.

Do not include the name of the web host, such as www.example.com, nor the protocol, which are configured separately in host {<server_fqdn> | <server_ipv4> | <host_pattern>}.

Like host, this field supports back references such as $0 to the parts reg-exp "<object_pattern>" for each object in the condition table.

For an example, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

No default.

url-status {enable | disable}

Enable to rewrite the URL part of the request URL.

If you disable this option, the FortiWeb appliance preserves the value from the client’s request when it rewrites it.

This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-header-rewrite.

disable

location "<location_str>"

Enter the replacement value for the Location: field in the HTTP header for the 302 response. The maximum length is 256 characters.

This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is redirect.

No default.

location_replace "<location_str>"

Enter the URL string that provides a location for use in a 302 HTTP redirect response from a web server connected to FortiWeb. The maximum length is 256 characters.

This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is location-rewrite.

No default.

referer-status {enable | disable}

Enable to rewrite the Referer: field in the HTML header. Also configure referer "<referer-url_str>" and referer-use-pserver {enable | disable}. disable

referer "<referer-url_str>"

Enter the replacement value for the Referer: field in the HTML header. The maximum length is 256 characters.

This option is available only when referer-status {enable | disable} is enabled.

No default.

referer-use-pserver {enable | disable}

Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual referrer.

This option is available only when referer-status {enable | disable} is enabled and action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-header-rewrite. Any setting you make for referer "<referer-url_str>" is ignored.

disable

body_replace "<replacement_str>"

Enter the value that will replace matching HTTP content in the body of responses. The maximum is 256 characters.

For an example, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is http-body-rewrite.

No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

content-filter {enable | disable}

Enable if you want to match this condition only for specific HTTP content types (also called Internet or MIME file types) such as text/html, as indicated in the Content-Type: HTTP header. Also configure content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}. disable

content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}

Enter the HTTP content types that you want to match in a space-delimited list, such as:

set content-type-set text/html text/plain

No default.

HTTP-protocol {http | https}

Select which protocol will match this condition, either HTTP or HTTPS.

This option is applicable only if protocol-filter {enable | disable} is set to enable.

http

is-essential {yes | no}

Select what to do if there is no Referer: field, either:

  • no—Meet this condition.
  • yes—Do not meet this condition.

Requests can lack a Referer: field for several reasons, such as if the user manually types the URL, and the request does not result from a hyperlink from another website, or if the URL resulted from an HTTPS connection. In those cases, the field cannot be tested for a matching value. For details, see the RFC 2616 section on the Referer: field (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).

This option appears only if object {http-host | http-reference | http-url} is http-reference.

yes

object {http-host | http-reference | http-url}

Select which part of the HTTP request to test for a match:

  • http-host
  • http-url
  • http-reference (the Referer: field)

If the request must match multiple conditions (for example, it must contain both a matching Host: field and a matching URL), add each object match condition to the condition table separately.

http-host

protocol-filter {enable | disable}

Enable if you want to match this condition only for either HTTP or HTTPS. Also configure HTTP-protocol {http | https}.

For example, you could redirect clients that accidentally request the login page by HTTP to a more secure HTTPS channel—but the redirect is not necessary for HTTPS requests.

As another example, if URLs in HTTPS requests should be exempt from rewriting, you could configure the rewriting rule to apply only to HTTP requests.

disable

reg-exp "<object_pattern>"

Depending on your selection in object {http-host | http-reference | http-url} and reverse-match {yes | no}, type a regular expression that defines either all matching or all non-matching Host: fields, URLs, or Referer: fields. Then, also configure reverse-match {yes | no}.

For example, for the URL rewriting rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {yes | no}, select no.

The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.

No default.

reverse-match {yes | no}

Indicate how to use reg-exp "<object_pattern>"when determining whether or not this URL rewriting condition has been met.

  • no—If the regular expression does match the request object, the condition is met.
  • yes—If the regular expression does not match the request object, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

If all conditions are met, the FortiWeb appliance will do your selected action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite}.

no

Related topics