CLI Reference

server-policy HTTP-content-routing-policy

Use this command to configure HTTP header-based routing.

Instead of dynamically routing requests to a server pool simply based upon load or connection distribution at the TCP/IP layers, as basic load balancing does, you can forward them based on headers in the HTTP layer.

HTTP header-based routes define how FortiWeb routes requests to server pools. They are based on one or more of the following HTTP header elements:

  • Host
  • URL
  • Parameter
  • Referer
  • Cookie
  • Header
  • Source IP
  • X.509 certificate
  • Geo IP

This type of routing can be useful if, for example, a specific web server or group of servers on the back end supports specific web applications, functions, or host names. That is, your web servers or server pools are not identical, but specialized. For example:

  • 192.0.2.1—Hosts the website and blog
  • 192.0.2.2 and 192.0.2.3—Host movie clips and multimedia
  • 192.0.2.4 and 192.0.2.5—Host the shopping cart

If you have configured request rewriting, configure HTTP content-based routing using the original request URL and/or Host: name, as it appears before FortiWeb has rewritten it. For details about rewriting, see waf url-rewrite url-rewrite-policy.

To apply your HTTP-based routes, select them when you configure the server policy. For details, see server-policy policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For details, see Permissions.

Syntax

    config server-policy HTTP-content-routing-policy
        edit "<routing-policy_name>"
            set server-pool "<server-pool_name>"
            set HTTP-content-routing-id <HTTP-content-routing-id_str>
            config content-routing-match-list
                edit <entry_index>
                    set match-object {HTTP-host | HTTP-request | url-parameter | HTTP-referer | HTTP-cookie | HTTP-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | HTTPS-sni | geo-ip | ztna-ems-tags}
                    set match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal | ip-list}
                    set x509-subject-name {E | CN | OU | O | L | ST | C}
                    set match-expression "<match-expression_str>"
                    set
                    set name "<name_str>"
                    set name-match-condition {match-begin | match-end | match-sub | match-reg | equal}
                    set value "<value_str>"
                    set value-match-condition {match-begin | match-end | match-sub | match-reg | equal}
                    set start-ip "<start_ip>"
                    set end-ip "<end_ip>"
                    set reverse {enable | disable}
                    set concatenate {and | or}
                    set country-list <country-list_str>
                    set ip-list <ip-list_str>
                next
            end
        next
    end

Variable Description Default

"<routing-policy_name>"

Enter the name of the HTTP content routing policy. The maximum length is 63 characters.

To display the list of existing policies, enter:

edit ?

No default.

server-pool "<server-pool_name>"

Enter the name of the server pool to which FortiWeb forwards traffic when the traffic matches rules in this policy.

For details, see server-policy server-pool.

No default.

<entry_index>

Enter the index number of the individual rule in the table. The valid range is 1–9,999,999,999,999,999,999.

No default.

HTTP-content-routing-id <HTTP-content-routing-id_str>

Enter an HTTP content routing policy sequence number.

No default.

match-object {HTTP-host | HTTP-request | url-parameter | HTTP-referer | HTTP-cookie | HTTP-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | HTTPS-sni | geo-ip | ztna-ems-tags}

Enter the type of object that FortiWeb examines for matching values:

  • HTTP-host—Host: field
  • HTTP-request—A URL
  • url-parameter—A URL parameter and value
  • HTTP-referer—Referer: field
  • HTTP-cookie—A cookie name and value
  • HTTP-header—A header name and value
  • source-ip—An IPv4 or IPv6 address, or an IPv4 or IPv6 address range
  • x509-certificate-Subject—A specified Relative Distinguished Name (RDN) in the X509 certificate Subject field. Also specify x509-subject-name.
  • x509-certificate-Extension—Additional fields that the extensions field adds to the X509 certificate
  • HTTPS-sni—Select this option so that FortiWeb forwards requests based on the SNI in the SSL handshake.
  • geo-ip—Select this option so that FortiWeb matches against the IP addresses from specified countries.
  • ztna-ems-tags—Select this option so that FortiWeb matches against the ZTNA tags.

No default.

match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal | ip-list}

Enter the type of value to match. Values can be a literal value that appears in the object or a regular expression.

The value of match-object {HTTP-host | HTTP-request | url-parameter | HTTP-referer | HTTP-cookie | HTTP-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | HTTPS-sni | geo-ip | ztna-ems-tags} determines which content types you can specify.

If match-object is HTTP-host, HTTP-request, HTTP-referer, or x509-certificate-Extension:

  • match-begin—The object to match begins with the specified string.
  • match-end—The object to match ends with the specified string.
  • match-sub—The object to match contains the specified string.
  • match-domain—The host to match contains the specified string between the periods in a domain name.
  • ip-list—The IP addresses to match.

If match-object is HTTP-host only:

  • match-domain—The object to match contains the specified string between the periods in a domain name.

    For example, if match-expression is abc, the condition matches the following hostnames:

    dname1.abc.com
    dname1.dname2.abc.com

    However, the same match-expression value does not match the following hostnames:

    abc.com
    dname.abc

If match-object is HTTP-request:

  • match-dir—The object to match contains the specified string between delimiting characters (slashes) in a URL.

    For example, if match-expression is abc, the condition matches the following URLs:

    test.com/abc/
    test.com/dir1/abc/

    However, the same match-expression value does not match the following URLs:

    test.com/abc
    test.abc.com

If match-object is source-ip:

  • ip-range—The source IP to match is an IPv4 address or falls within a range of IPv4 addresses.
  • ip-range6—The source IP to match is an IPv6 address or falls within a range of IPv6 addresses.

If match-object is HTTP-host, HTTP-request, HTTP-referer, source-ip, or x509-certificate-Extension:

  • match-reg—The object to match has a value that matches the specified regular expression.

No default.

ztna-ems-tag <tag_name>

If match-object is ztna-ems-tags, enter the tag names.

No default.

ztna-ems-tag-combine {and | or}

Available only if match-object is ztna-ems-tags.

and means the request only matches if it has all tags specified;

or means the request matches if it has any of the tags specified.

Note: For ZTNA tags, when reverse is enabled, all requests are matched except those that meet the or or and condition.

For example, if Tag_A and Tag_B are specified and reverse is enabled, the matching logic is:

  • When ztna-ems-tag-combine is or, all requests are matched except those that have either Tag_A or Tag_B.

  • When ztna-ems-tag-combine is and, all requests are matched except those that have both Tag_A and Tag_B.

Default: and

x509-subject-name {E | CN | OU | O | L | ST | C}

Enter the attribute type to match.

Available when match-object {HTTP-host | HTTP-request | url-parameter | HTTP-referer | HTTP-cookie | HTTP-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | HTTPS-sni | geo-ip | ztna-ems-tags} is x509-certificate-Subject.

No default.

match-expression "<match-expression_str>"

Enter a value to match in the object element specified by match-object {HTTP-host | HTTP-request | url-parameter | HTTP-referer | HTTP-cookie | HTTP-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | HTTPS-sni | geo-ip | ztna-ems-tags} and match-condition.

Examples:

  • A literal URL, such as /index.php, that a matching HTTP request contains.
  • An expression, such as ^/*.php, that matches a URL.

Tip: When you enter a regular expression using the web UI, you can validate its syntax.

No default.

value-match-condition {match-begin | match-end | match-sub | match-reg | equal}

Enter the type of value to match. The value refers to the x509-subject-name and can be a literal value that appears in the object or a regular expression.

  • match-begin—The name to match begins with the specified string.
  • match-end—The name to match ends with the specified string.
  • match-sub—The name to match contains the specified string.
  • equal—The name to match is the specified string.
  • match-reg—The name to match matches the specified regular expression.

No default.

name "<name_str>"

Enter the name of the object to match. The value can be a literal value or a regular expression.

For example, the name of a cookie embedded by traffic controller software on one of the servers.

Available only if match-object {HTTP-host | HTTP-request | url-parameter | HTTP-referer | HTTP-cookie | HTTP-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | HTTPS-sni | geo-ip | ztna-ems-tags} is url-parameter, HTTP-cookie, or HTTP-header.

No default.

name-match-condition {match-begin | match-end | match-sub | match-reg | equal}

Enter the type of value to match. The value is specified by name and can be a literal value that appears in the object or a regular expression.

  • match-begin—The name to match begins with the specified string.
  • match-end—The name to match ends with the specified string.
  • match-sub—The name to match contains the specified string.
  • equal—The name to match is the specified string.
  • match-reg—The name to match matches the specified regular expression.

No default.

value "<value_str>"

Enter the object value to match. The value can be a literal value or a regular expression.

Available if match-object {HTTP-host | HTTP-request | url-parameter | HTTP-referer | HTTP-cookie | HTTP-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | HTTPS-sni | geo-ip | ztna-ems-tags} is url-parameter, HTTP-cookie, or HTTP-header.

No default.

value-match-condition {match-begin | match-end | match-sub | match-reg | equal}

Enter the type of value to match. The value is specified by value and can be a literal value or a regular expression.

  • match-begin—The value to match begins with the specified string.
  • match-end—The value to match ends with the specified string.
  • match-sub—The value to match contains the specified string.
  • equal—The value to match is the specified string.
  • match-reg—The value to match matches the specified regular expression.

No default.

start-ip "<start_ip>"

Enter the first IP address in a range of IP addresses.

Available if match-condition {match-begin | match-end | match-sub | match-domain | match-dir | match-reg | ip-range | ip-range6 | equal | ip-list} is ip-range or ip-range6.

No default.

end-ip "<end_ip>"

Enter the last IP address in a range of IP addresses.

Available if match-object {HTTP-host | HTTP-request | url-parameter | HTTP-referer | HTTP-cookie | HTTP-header | source-ip | x509-certificate-Subject | x509-certificate-Extension | HTTPS-sni | geo-ip | ztna-ems-tags} is source-ip.

No default.

reverse {enable | disable}

When enabled, FortiWeb routes to the server pool the requests that do not match the specified values for the match object.

Default: disable

country-list <country-list_str>

Select countries where the IP addresses originate.

No default.

concatenate {and | or}

Select either:

  • and—The request must match this entry in addition to the other entries in the HTTP content routing list.
  • or—The request matches if it matches either this entry or another entry in the list.

Default: and

ip-list <ip-list_str>

Enter multiple IP addresses or an IP address range.

No default.

Example

This HTTP content routing policy routes requests for www.example.com/school to the server pool school-site.

The content routing policy has three rules: one matches the host (www.example.com), a second matches the sessid cookie, and a third matches the /school URL. In combination, the first and third rules match the request for www.example.com/school.

    config server-policy HTTP-content-routing-policy
        edit "content_routing_policy1"
            set server-pool school-site
            config content-routing-match-list
                edit 1
                    set match-object HTTP-host
                    set match-condition match-reg
                    set match-expression "www.example.com"
                next
                edit 2
                    set match-object HTTP-cookie
                    set name sessid
                    set value "hash[a-fA-F0-7]*"
                    set name-match-condition match-reg
                    set value-match-condition match-reg
                next
                edit 3
                    set match-object HTTP-request
                    set match-expression "/school"
                next
            end
        next
    end
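To make the match semantics described above concrete (match-domain and match-dir on the page's own hostnames and URLs, reverse with the ZTNA and/or combination, and concatenate across entries), here is an added Python model of how a content-routing-match-list is evaluated; it is example code, not FortiWeb's implementation. It assumes entries are folded left to right in index order by their concatenate setting, that the page's example entry 1 uses match-object HTTP-host and entry 3 uses match-condition match-begin, and it does not model the x509, SNI, geo-ip or ip-list objects.

```python
import ipaddress
import re

# Added example, not FortiWeb code: a model of one content-routing-match-list.
# Field names mirror this page's CLI variables; requests are plain dicts.
# Assumption: entries are combined left to right in index order by 'concatenate'.

def match_string(cond, subject, expr):
    # Apply one match-condition to a string object.
    if cond == "match-begin":
        return subject.startswith(expr)
    if cond == "match-end":
        return subject.endswith(expr)
    if cond == "match-sub":
        return expr in subject
    if cond == "equal":
        return subject == expr
    if cond == "match-reg":
        return re.search(expr, subject) is not None
    if cond == "match-domain":   # whole label between two periods
        return "." + expr + "." in subject
    if cond == "match-dir":      # whole path segment between two slashes
        return "/" + expr + "/" in subject
    raise ValueError("unsupported match-condition: " + cond)

def match_entry(entry, req):
    # Evaluate one entry against a request; 'reverse' inverts the result.
    obj = entry["match-object"]
    if obj in ("HTTP-host", "HTTP-request", "HTTP-referer"):
        key = {"HTTP-host": "host", "HTTP-request": "url", "HTTP-referer": "referer"}[obj]
        hit = match_string(entry["match-condition"], req[key], entry["match-expression"])
    elif obj in ("url-parameter", "HTTP-cookie", "HTTP-header"):
        # name and value are matched separately, each with its own condition
        hit = any(match_string(entry["name-match-condition"], n, entry["name"])
                  and match_string(entry["value-match-condition"], v, entry["value"])
                  for n, v in req.get(obj, {}).items())
    elif obj == "source-ip":     # ip-range / ip-range6: inclusive start-ip..end-ip
        ip = ipaddress.ip_address(req["source-ip"])
        hit = ipaddress.ip_address(entry["start-ip"]) <= ip <= ipaddress.ip_address(entry["end-ip"])
    elif obj == "ztna-ems-tags":
        want, have = set(entry["ztna-ems-tag"]), set(req.get("ztna-tags", []))
        hit = want <= have if entry["ztna-ems-tag-combine"] == "and" else bool(want & have)
    else:
        raise ValueError("unsupported match-object: " + obj)
    # reverse enabled: route the requests that do NOT match (for ZTNA tags this
    # is the page's "all requests except those meeting the and/or condition")
    return hit != (entry.get("reverse", "disable") == "enable")

def match_policy(entries, req):
    # Fold the entries with their 'concatenate' setting (default 'and').
    result = None
    for entry in entries:
        hit = match_entry(entry, req)
        if result is None:
            result = hit
        elif entry.get("concatenate", "and") == "and":
            result = result and hit
        else:
            result = result or hit
    return bool(result)

# The page's example policy (content_routing_policy1); the match-object of
# entry 1 and the match-condition of entry 3 are filled in as assumptions.
SCHOOL_SITE_RULES = [
    {"match-object": "HTTP-host", "match-condition": "match-reg",
     "match-expression": "www.example.com"},
    {"match-object": "HTTP-cookie", "name": "sessid", "name-match-condition": "match-reg",
     "value": "hash[a-fA-F0-7]*", "value-match-condition": "match-reg"},
    {"match-object": "HTTP-request", "match-condition": "match-begin",
     "match-expression": "/school"},
]

def routes_to_school_site(req):
    # True when the request would be forwarded to server pool school-site.
    return match_policy(SCHOOL_SITE_RULES, req)
```

Because every entry in the example keeps the default concatenate of and, a request without a sessid cookie is not routed even though host and URL match; switch entry 2 to concatenate or to see the fold change.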
