waf url-rewrite url-rewrite-rule
Use this command to configure URL rewrite rules or to redirect requests.
Rewriting or redirecting HTTP requests and responses is popular, and can be done for many reasons.
Similar to error message cloaking, URL rewriting can prevent the disclosure of underlying technology or website structures to HTTP clients.
For example, when visiting a blog web page, its URL might be:
http://www.example.com/wordpress/?feed=rss2
Simply knowing the file name, that the blog uses PHP, its compatible database types, and the names of parameters via the URL could help an attacker to craft an appropriate attack for that platform. By rewriting the URL to something more human-readable and less platform-specific, the details can be hidden:
http://www.example.com/rss2
Aside from security, rewriting and redirects can be done for aesthetic or business reasons. Financial institutions can transparently redirect customers that accidentally request HTTP:
http://bank.example.com/login
to authenticate and do transactions on their secured HTTPS site:
https://bank.example.com/login
Additional uses could include:
- During maintenance windows, requests can be redirected to a read-only server.
- International customers can use global URLs, with no need to configure the back-end web servers to respond to additional HTTP virtual host names.
- Shorter URLs with easy-to-remember phrases and formatting are easier for customers to understand, remember, and return to.
Much more than their name implies, “URL rewriting rules” can do all of those things, and more:
- Redirect HTTP requests to HTTPS
- Rewrite the URL line in the header of an HTTP request
- Rewrite the Host: field in the header of an HTTP request
- Rewrite the Referer: field in the header of an HTTP request
- Redirect requests to another website
- Send a 403 Forbidden response to a matching HTTP request
- Rewrite the HTTP Location line in the header of a matching redirect response from the web server
- Rewrite the body of an HTTP response from the web server
Rewrites/redirects are not supported in all modes. For details, see the FortiWeb Administration Guide.
To use a URL rewriting rule, add it to a policy. For details, see waf url-rewrite url-rewrite-policy.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
Syntax
config waf url-rewrite url-rewrite-rule
    edit "<url-rewrite-rule_name>"
        set header-name "<header-name_str>"
        set header-status {enable | disable}
        set header-value "<header-value_str>"
        set host {<server_fqdn> | <server_ipv4> | <host_pattern>}
        set host-status {enable | disable}
        set host-use-pserver {enable | disable}
        set url "<replacement-url_str>"
        set url-status {enable | disable}
        set location_replace "<location_str>"
        set referer-status {enable | disable}
        set referer "<referer-url_str>"
        set referer-use-pserver {enable | disable}
        set body_replace "<replacement_str>"
        config match-condition
            edit <entry_index>
                set content-filter {enable | disable}
                set HTTP-protocol {http | https}
                set object {http-host | http-reference | http-url}
                set protocol-filter {enable | disable}
                set reg-exp "<object_pattern>"
            next
        end
    next
end
Variable | Description | Default |
"<url-rewrite-rule_name>" | Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing rules, enter: | No default. |
action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} | Specify one of the following values: | http-header-rewrite |
header-name "<header-name_str>" | Enter the name of the header field that you want to insert into a request, such as "Myheader". | No default. |
header-status {enable | disable} | Enable to insert the specified header and value into the matched HTTP requests. Specify the header name and header value through header-name "<header-name_str>" and header-value "<header-value_str>", respectively. | disable |
header-value "<header-value_str>" | Enter the value of the header field that you specified in header-name "<header-name_str>", such as "123". The customized header Myheader: 123 will then be inserted into the matched HTTP requests. | No default. |
host {<server_fqdn> | <server_ipv4> | <host_pattern>} | Type the FQDN of the host, such as This option is available only when host-status {enable | disable} is enabled and action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is This field supports back references such as Use For example, regular expressions in the condition table in this order: would result in invokable variables with the following values: | No default. |
host-status {enable | disable} | Enable to rewrite the When disabled, the FortiWeb appliance preserves the value from the client’s request when rewriting it. This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is | disable |
host-use-pserver {enable | disable} | Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual host. This option is available only when host-status {enable | disable} is enabled and action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is | disable |
url "<replacement-url_str>" | Enter the string, such as This option is available only when url-status {enable | disable} is enabled and action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is Do not include the name of the web host, such as Like For an example, see the FortiWeb Administration Guide: | No default. |
url-status {enable | disable} | Enable to rewrite the URL part of the request URL. If you disable this option, the FortiWeb appliance preserves the value from the client’s request when it rewrites it. This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is | disable |
 | Enter the replacement value for the This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is | No default. |
location_replace "<location_str>" | Enter the URL string that provides a location for use in a 302 HTTP redirect response from a web server connected to FortiWeb. The maximum length is 256 characters. This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is | No default. |
referer-status {enable | disable} | Enable to rewrite the Referer: field in the HTTP header. Also configure referer "<referer-url_str>" and referer-use-pserver {enable | disable}. | disable |
referer "<referer-url_str>" | Enter the replacement value for the This option is available only when referer-status {enable | disable} is enabled. | No default. |
referer-use-pserver {enable | disable} | Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual referrer. This option is available only when referer-status {enable | disable} is enabled and action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is | disable |
body_replace "<replacement_str>" | Enter the value that will replace matching HTTP content in the body of responses. The maximum is 256 characters. For an example, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides This option is available only when action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite} is | No default. |
<entry_index> | Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. | No default. |
content-filter {enable | disable} | Enable if you want to match this condition only for specific HTTP content types (also called Internet or MIME file types) such as text/html, as indicated in the Content-Type: HTTP header. Also configure content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}. | disable |
content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript} | Enter the HTTP content types that you want to match in a space-delimited list, such as: set content-type-set text/html text/plain | No default. |
HTTP-protocol {http | https} | Select which protocol will match this condition, either HTTP or HTTPS. This option is applicable only if protocol-filter {enable | disable} is set to | http |
 | Select what to do if there is no Requests can lack a This option appears only if object {http-host | http-reference | http-url} is | yes |
object {http-host | http-reference | http-url} | Select which part of the HTTP request to test for a match: If the request must match multiple conditions (for example, it must contain both a matching | http-host |
protocol-filter {enable | disable} | Enable if you want to match this condition only for either HTTP or HTTPS. Also configure HTTP-protocol {http | https}. For example, you could redirect clients that accidentally request the login page by HTTP to a more secure HTTPS channel, but the redirect is not necessary for HTTPS requests. As another example, if URLs in HTTPS requests should be exempt from rewriting, you could configure the rewriting rule to apply only to HTTP requests. | disable |
reg-exp "<object_pattern>" | Depending on your selection in object {http-host | http-reference | http-url} and reverse-match {yes | no}, type a regular expression that defines either all matching or all non-matching For example, for the URL rewriting rule to match all URLs that begin with The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters. Note: Regular expressions beginning with an exclamation point ( | No default. |
reverse-match {yes | no} | Indicate how to use reg-exp "<object_pattern>" when determining whether or not this URL rewriting condition has been met. If all conditions are met, the FortiWeb appliance will do your selected action {403-forbidden | redirect | redirect-301 | http-body-rewrite | http-header-rewrite | location-rewrite}. | no |
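The blog-feed case from the introduction written out with this command, as an added example rather than configuration taken from the FortiWeb documentation: the first rule rewrites a client request for the public /rss2 URL into the back-end's /wordpress/?feed=rss2 path, and the second returns 403 Forbidden to clients that request the platform-specific /wordpress/ path directly. Assumed: the rule names are constructed, both rules are added to a url-rewrite-policy in this order and evaluated in order (so the second rule only sees direct client requests; confirm this for your FortiWeb version), and lines beginning with # are annotations rather than CLI syntax.

```text
# Rule 1 (constructed name): the client asks for http://www.example.com/rss2;
# FortiWeb rewrites the URL line to the back-end's real path before forwarding.
config waf url-rewrite url-rewrite-rule
    edit "blog-feed-public-url"
        set action http-header-rewrite
        set url-status enable
        set url "/wordpress/?feed=rss2"
        # Keep Host: and Referer: as the client sent them; insert no extra header.
        set host-status disable
        set referer-status disable
        set header-status disable
        config match-condition
            edit 1
                # Match only when the request URL is exactly /rss2.
                set object http-url
                set reg-exp "^/rss2$"
                set reverse-match no
            next
        end
    next
# Rule 2 (constructed name): refuse direct requests for the platform-specific
# path, so the structure hidden by rule 1 is not reachable by guessing it.
    edit "blog-deny-direct-wordpress-path"
        set action 403-forbidden
        config match-condition
            edit 1
                set object http-url
                set reg-exp "^/wordpress/"
                set reverse-match no
            next
        end
    next
end
```

Rewriting the request URL line does not touch Location: headers or links in response bodies that still name the /wordpress/ path; those need separate rules with the location-rewrite and http-body-rewrite actions.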