server-policy http-content-routing-policy
Use this command to configure HTTP header-based routing.
Instead of dynamically routing requests to a server pool simply based upon load or connection distribution at the TCP/IP layers, as basic load balancing does, you can forward them based on headers in the HTTP layer.
HTTP header-based routes define how FortiWeb routes requests to server pools. They are based on one or more of the following HTTP header elements:
- Host
- URL
- Parameter
- Referer
- Cookie
- Header
- Source IP
- X.509 certificate
- Geo IP
This type of routing can be useful if, for example, a specific web server or group of servers on the back end support specific web applications, functions, or host names. That is, your web servers or server pools are not identical, but specialized. For example:
- 192.0.2.1—Hosts the website and blog
- 192.0.2.2 and 192.0.2.3—Host movie clips and multimedia
- 192.0.2.4 and 192.0.2.5—Host the shopping cart
If you have configured request rewriting, configure HTTP content-based routing using the original request URL and/or Host:
name, as it appears before FortiWeb has rewritten it. For details about rewriting, see waf url-rewrite url-rewrite-policy.
To apply your HTTP-based routes, select them when you configure the server policy. For details, see server-policy policy.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the traroutegrp
area. For details, see Permissions.
Syntax
config server-policy http-content-routing-policy
set server-pool "<server-pool_name>"
set http-content-routing-id <http-content-routing-id_str>
config content-routing-match-list
edit <entry_index>
set x509-subject-name {E | CN | OU | O | L | ST | C}
set match-expression "<match-expression_str>"
set name-match-condition {match-begin | match-end | match-sub | match-reg | equal}
set value-match-condition {match-begin | match-end | match-sub | match-reg | equal}
set reverse {enable | disable}
set country-list <country-list_str>
next
end
next
end
Variable | Description | Default |
Enter the name of the HTTP content routing policy. The maximum length is 63 characters. To display the list of existing policies, enter:
|
No default. | |
Enter the name of the server pool to which FortiWeb forwards traffic when the traffic matches rules in this policy. For details, see server-policy server-pool. |
No default. | |
Enter the index number of the individual rule in the table. The valid range is 1–9,999,999,999,999,999,999. | No default. | |
Enter a HTTP content routing policy sequence number. |
No default. |
|
match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} |
Enter the type of object that FortiWeb examines for matching values:
|
No default. |
match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal | ip-list} |
Enter the type of value to match. Values can be a literal value that appears in the object or a regular expression. The value of match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} determines which content types you can specify. If
|
No default. |
If
If
If
If
|
No default. | |
Enter the attribute type to match. Available when match-object {http-host | http-request | url-parameter | http-referer | http-cookie | http-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} is x509-certificate-Subject . |
No default. | |
Enter a value to match in the object element specified by match-object {http-host
| http-request
| url-parameter
| http-referer
| http-cookie
| http-header
| source-ip
| x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} and Examples:
Tip: When you enter a regular expression using the web UI, you can validate its syntax. |
No default. | |
Enter the name of the object to match. The value can be a literal value or a regular expression. For example, the name of a cookie embedded by traffic controller software on one of the servers. Available only if match-object {http-host
| http-request
| url-parameter
| http-referer
| http-cookie
| http-header
| source-ip
| x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} is |
No default. | |
name-match-condition {match-begin | match-end | match-sub | match-reg | equal} |
Enter the type of value to match. The value is specified by
|
No default. |
Enter the object value to match. The value can be a literal value or a regular expression. Available if match-object {http-host
| http-request
| url-parameter
| http-referer
| http-cookie
| http-header
| source-ip
| x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} is |
No default. | |
value-match-condition {match-begin | match-end | match-sub | match-reg | equal} |
Enter the type of value to match. The value is specified by
|
No default. |
Enter the first IP address in a range of IP addresses. Available if match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal | ip-list} is |
No default. | |
Enter the last IP address in a range of IP addresses. Available if match-object {http-host
| http-request
| url-parameter
| http-referer
| http-cookie
| http-header
| source-ip
| x509-certificate-Subject | x509-certificate-Extension | https-sni | geo-ip} is |
No default. | |
reverse {enable | disable} | When enabled, FortiWeb will route requests to the server pool that do not match the specified values for the Match Object. |
disable
|
country-list <country-list_str> |
Select countries where the IP addresses originate. |
No default. |
Select either:
|
and
|
|
Enter multiple IPs or IP range. |
No default. |
Example
This HTTP content routing policy routes requests for www.example.com/school
to the server pool school-site
.
The content routing has three rules: one matches the host (www.example.com
), a second matches the sessid
cookie, and a third matches the /school URL. In combination, the first and third rules match the request for www.example.com/school
.
config server-policy http-content-routing-policy
edit "content_routing_policy1"
set server-pool school-site
config content-routing-match-list
edit 1
set match-condition match-reg
set match-expression "www.example.com "
next
edit 2
set match-object http-cookie
set name sessid
set value "hash[a-fA-F0-7]*"
set name-match-condition match-reg
set value-match-condition match-reg
next
edit 3
set match-object http-request
set match-expression "/school"
next
end
next
end