Fortinet black logo

CLI Reference

waf url-rewrite url-rewrite-rule

Use this command to configure URL rewrite rules or to redirect requests.

Rewriting or redirecting HTTP requests and responses is popular, and can be done for many reasons.

Similar to error message cloaking, URL rewriting can prevent the disclosure of underlying technology or website structures to HTTP clients.

For example, when visiting a blog web page, its URL might be:

http://www.example.com/wordpress/?feed=rss2

Simply knowing the file name, that the blog uses PHP, its compatible database types, and the names of parameters via the URL could help an attacker to craft an appropriate attack for that platform. By rewriting the URL to something more human-readable and less platform-specific, the details can be hidden:

http://www.example.com/rss2

Aside from for security, rewriting and redirects can be for aesthetics or business reasons. Financial institutions can transparently redirect customers that accidentally request HTTP:

http://bank.example.com/login

to authenticate and do transactions on their secured HTTPS site:

HTTPs://bank.example.com/login

Additional uses could include:

  • During maintenance windows, requests can be redirected to a read-only server.
  • International customers can use global URLs, with no need to configure the back-end web servers to respond to additional HTTP virtual host names.
  • Shorter URLs with easy-to-remember phrases and formatting are easier for customers to understand, remember, and return to.

Much more than their name implies, “URL rewriting rules” can do all of those things, and more:

  • Redirect HTTP requests to HTTPS
  • Rewrite the URL line in the header of an HTTP request
  • Rewrite the Host: field in the header of an HTTP request
  • Rewrite the Referer: field in the header of an HTTP request
  • Redirect requests to another website
  • Send a 403 Forbidden response to a matching HTTP requests
  • Rewrite the HTTP location line in the header of a matching redirect response from the web server
  • Rewrite the body of an HTTP response from the web server

Rewrites/redirects are not supported in all modes. For details, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

To use a URL rewriting rule, add it to a policy. For details, see waf url-rewrite url-rewrite-policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf url-rewrite url-rewrite-rule

edit "<url-rewrite-rule_name>"

set action {403-forbidden | redirect | redirect-301 | HTTP-request-body-rewrite | HTTP-response-body-rewrite | HTTP-header-rewrite | HTTP-response-header-rewrite}

set host {<server_fqdn> | <server_ipv4> | <host_pattern>}

set host-status {enable | disable}

set host-use-pserver {enable | disable}

set url "<replacement-url_str>"

set url-status {enable | disable}

set referer-status {enable | disable}

set referer "<referer-url_str>"

set referer-use-pserver {enable | disable}

set http-method-status {enable | disable}

set http-method <string>

set status-code-status {enable | disable}

set status-code <int>

set request-replace-existing-headers {enable | disable}

set response-replace-existing-headers {enable | disable}

set request-remove-duplicate-headers {enable | disable}

set response-remove-duplicate-headers {enable | disable}

config header-insert

edit <entry_index>

set header-name "<header-name_str>"

set header-value "<header-value_str>"

next

end

set http-request-body-rewrite <string>

set waf url-rewrite url-rewrite-rule

set location "<location_str>"

set location-status {enable | disable}

set location_replace "<location_str>"

set header-response-status {enable | disable}

config response-header-removal

edit <entry_index>

set response-removel-header-name <string>

next

end

config response-header-insert

edit <entry_index>

set response-header-name <string>

set response-header-value <string>

next

end

config match-condition

edit <entry_index>

set object {HTTP-host | HTTP-reference | HTTP-url}

set protocol-filter {enable | disable}

set protocol {HTTP | HTTPS}

set reg-exp "<object_pattern>"

set reverse-match {yes | no}

set content-filter {enable | disable}

set content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}

set is-essential {yes | no}

next

end

next

end

next

end

Variable Description Default

"<url-rewrite-rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

action {403-forbidden | redirect | redirect-301 | HTTP-request-body-rewrite | HTTP-response-body-rewrite | HTTP-header-rewrite | HTTP-response-header-rewrite}

Specify one of the following values:

  • 403-forbidden—Send a 403 (Forbidden) response to the client.
  • redirect—Send a 302 (Moved Temporarily) response to the client, with a new Location: field in the HTTP header.
  • redirect-301—Send a 301 (Moved Permanently) response to the client, with a new Location: field in the HTTP header.
  • HTTP-request-body-rewrite—Replace the specific HTTP content in the body of requests.
  • HTTP-response-body-rewrite—Replace the specific HTTP content in the body of responses.
  • HTTP-header-rewrite—Rewrite the host, referer and request URL fields in HTTP header.
  • HTTP-response-header-rewrite—Rewrite the HTTP header or body in the response packet.

The following rows list the configurations when different actions are selected.

HTTP-header-rewrite

HTTP-header-rewrite

header-name "<header-name_str>"

Enter the name of the header field that you want to insert to a request, such as "Myheader."
  • You can add up to 10 headers in the insertion list.
  • No default.

    header-value "<header-value_str>"

    Enter the value of the header field that you specified in header-name "<header-name_str>", such as "123." Then, the customized header Myheader: 123 will be inserted to the matched HTTP requests. No default.

    host {<server_fqdn> | <server_ipv4> | <host_pattern>}

    Type the FQDN of the host, such as store.example.com, to which the request will be redirected. The maximum length is 256 characters.

    This option is available only when host-status {enable | disable} is enabled.

    This field supports back references such as $0 to the parts of the original request that matched any capture groups that you entered in reg-exp "<object_pattern>" for each object in the condition table. (A capture group is a regular expression, or part of one, surrounded in parentheses.)

    Use $n (0 <= n <= 9) to invoke a substring, where n is the order of appearance of the regular expression, from left to right, from outside to inside, then from top to bottom.

    For example, regular expressions in the condition table in this order:

    (a)(b)(c(d))(e)

    (f)

    would result in invokable variables with the following values:

    • $0—a
    • $1—b
    • $2—cd
    • $3—d
    • $4—e
    • $5—f
    No default.

    host-status {enable | disable}

    Enable to rewrite the Host: field or host name part of the Referer: field.

    When disabled, the FortiWeb appliance preserves the value from the client’s request when rewriting it.

    disable

    host-use-pserver {enable | disable}

    Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual host.

    This option is available only when host-status {enable | disable} is enabled. Any setting you make for host is ignored.

    disable

    url "<replacement-url_str>"

    Enter the string, such as /catalog/item1, that will replace the request URL. The maximum length is 256 characters.

    This option is available only when url-status {enable | disable} is enabled.

    Do not include the name of the web host, such as www.example.com, nor the protocol, which are configured separately in host {<server_fqdn> | <server_ipv4> | <host_pattern>}.

    Like host, this field supports back references such as $0 to the parts reg-exp "<object_pattern>" for each object in the condition table.

    For an example, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    No default.

    url-status {enable | disable}

    Enable to rewrite the URL part of the request URL.

    If you disable this option, the FortiWeb appliance preserves the value from the client’s request when it rewrites it.

    disable

    referer-status {enable | disable}

    Enable to rewrite the Referer: field in the HTML header. Also configure referer "<referer-url_str>" and referer-use-pserver {enable | disable}. disable

    referer-use-pserver {enable | disable}

    Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual referrer.

    This option is available only when referer-status {enable | disable} is enabled. Any setting you make for referer "<referer-url_str>" is ignored.

    disable

    referer "<referer-url_str>"

    Enter the replacement value for the Referer: field in the HTML header. The maximum length is 256 characters.

    This option is available only when referer-status {enable | disable} is enabled.

    No default.

    http-method-status {enable | disable}

    Enable to replace the original HTTP methods in a request with the specified method.

    disable

    http-method <string>

    Specify the HTTP method to replace the original one.

    Please avoid changing the method on the fly unless absolutely necessary. It is important to consider the potential implications and ensure that the server can handle the new method correctly.

    get

    status-code-status {enable | disable}

    Enable to replace the original status code in a response with the specified code.

    disable

    status-code <int>

  • Enter a status code to replace the original one in HTTP response.
  • 404

    request-replace-existing-headers {enable | disable}

  • If there is already a header with the same name existing in the request, enabling this option will overwrite the value of the existing header with your specified header value. On the other hand, if this option is disabled, the system will insert the header directly without checking if there is an existing header with the same header name.
  • disable

    response-replace-existing-headers {enable | disable}

  • If there is already a header with the same name existing in the response, enabling this option will overwrite the value of the existing header with your specified header value. On the other hand, if this option is disabled, the system will insert the header directly without checking if there is an existing header with the same header name.
  • disable

    request-remove-duplicate-headers {enable | disable}

    If the system finds multiple items in the HTTP request that match your specified header name, enabling this option will remove all of them. However, if this option is disabled, only the first matching item will be removed.

    enable

    response-remove-duplicate-headers {enable | disable}

    If the system finds multiple items in the HTTP response that match your specified header name, enabling this option will remove all of them. However, if this option is disabled, only the first matching item will be removed.

    enable

    redirect | redirect-301

    location "<location_str>"

    Enter the URL string that provides a location for use in a 301 or 302 HTTP redirection when the HTTP request matches. The maximum length is 256 characters.

    No default.

    HTTP-response-header-rewrite

    location-status {enable | disable}

    Enable to configure the location_replace.

    disable

    location_replace "<location_str>"

    Enter the replacement value for the Location: field in the HTTP header for the response. The maximum length is 256 characters.

    No default.

    header-response-status {enable | disable}

    Enable to configure HTTP header insertion when the HTTP response matches.

    disable

    response-header-name <string>

    Type the Header name that you want to insert into the HTTP response. You can add up to 10 headers in the insertion list.

    No default.

    response-header-value <string>

    Type the value of the Header field.

    No default.

    <entry_index>

    The index number of the header removal item.

    No default.

    response-removel-header-name <string>

    The name of the header that you want to remove. Up to 10 header names can be added in the removal list.

    No default.

    HTTP-resquest-body-rewrite

    http-request-body-rewrite <string>

    Enter the value that will replace matching HTTP content in the body of requests. The maximum is 256 characters.

    No default.

    HTTP-request-body-rewrite

    http-response-body-rewrite <string>

    Enter the value that will replace matching HTTP content in the body of responses. The maximum is 256 characters.

    No default.

    Match Conditions

    <entry_index>

    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    object {HTTP-host | HTTP-reference | HTTP-url}

    Select which part of the HTTP request to test for a match:

    • HTTP-host
    • HTTP-url
    • HTTP-reference (the Referer: field)

    If the request must match multiple conditions (for example, it must contain both a matching Host: field and a matching URL), add each object match condition to the condition table separately.

    HTTP-host

    protocol-filter {enable | disable}

    Enable if you want to match this condition only for either HTTP or HTTPS. Also configure waf url-rewrite url-rewrite-rule.

    For example, you could redirect clients that accidentally request the login page by HTTP to a more secure HTTPS channel—but the redirect is not necessary for HTTPS requests.

    As another example, if URLs in HTTPS requests should be exempt from rewriting, you could configure the rewriting rule to apply only to HTTP requests.

    disable

    protocol {HTTP | HTTPS}

    Select the protocol to use.

    HTTP

    reg-exp "<object_pattern>"

    Depending on your selection in object {HTTP-host | HTTP-reference | HTTP-url} and reverse-match {yes | no}, type a regular expression that defines either all matching or all non-matching Host: fields, URLs, or Referer: fields. Then, also configure reverse-match {yes | no}.

    For example, for the URL rewriting rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {yes | no}, select no.

    The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.

    No default.

    reverse-match {yes | no}

    Indicate how to use reg-exp "<object_pattern>"when determining whether or not this URL rewriting condition has been met.

    • no—If the regular expression does match the request object, the condition is met.
    • yes—If the regular expression does not match the request object, the condition is met.
      The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

    If all conditions are met, the FortiWeb appliance will do your selected action {403-forbidden | redirect | redirect-301 | HTTP-request-body-rewrite | HTTP-response-body-rewrite | HTTP-header-rewrite | HTTP-response-header-rewrite}.

    no

    content-filter {enable | disable}

    Enable if you want to match this condition only for specific HTTP content types (also called Internet or MIME file types) such as text/html, as indicated in the Content-Type: HTTP header. Also configure content-type-set {text/html | text/plain | text/javascript | application/xml(or)text/xml | application/javascript | application/soap+xml | application/x-javascript | application/json | application/rss+xml | multipart/form-data | application/x-www-form-urlencoded}. disable

    content-type-set {text/html | text/plain | text/javascript | application/xml(or)text/xml | application/javascript | application/soap+xml | application/x-javascript | application/json | application/rss+xml | multipart/form-data | application/x-www-form-urlencoded}

    Enter the HTTP content types that you want to match in a space-delimited list, such as:

    set content-type-set text/html text/plain

    No default.

    is-essential {yes | no}

    Select what to do if there is no Referer: field, either:

    • no—Meet this condition.
    • yes—Do not meet this condition.

    Requests can lack a Referer: field for several reasons, such as if the user manually types the URL, and the request does not result from a hyperlink from another website, or if the URL resulted from an HTTPS connection. In those cases, the field cannot be tested for a matching value. For details, see the RFC 2616 section on the Referer: field (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).

    This option appears only if object {HTTP-host | HTTP-reference | HTTP-url} is HTTP-reference.

    yes

    Related topics

    Use this command to configure URL rewrite rules or to redirect requests.

    Rewriting or redirecting HTTP requests and responses is popular, and can be done for many reasons.

    Similar to error message cloaking, URL rewriting can prevent the disclosure of underlying technology or website structures to HTTP clients.

    For example, when visiting a blog web page, its URL might be:

    http://www.example.com/wordpress/?feed=rss2

    Simply knowing the file name, that the blog uses PHP, its compatible database types, and the names of parameters via the URL could help an attacker to craft an appropriate attack for that platform. By rewriting the URL to something more human-readable and less platform-specific, the details can be hidden:

    http://www.example.com/rss2

    Aside from for security, rewriting and redirects can be for aesthetics or business reasons. Financial institutions can transparently redirect customers that accidentally request HTTP:

    http://bank.example.com/login

    to authenticate and do transactions on their secured HTTPS site:

    HTTPs://bank.example.com/login

    Additional uses could include:

    • During maintenance windows, requests can be redirected to a read-only server.
    • International customers can use global URLs, with no need to configure the back-end web servers to respond to additional HTTP virtual host names.
    • Shorter URLs with easy-to-remember phrases and formatting are easier for customers to understand, remember, and return to.

    Much more than their name implies, “URL rewriting rules” can do all of those things, and more:

    • Redirect HTTP requests to HTTPS
    • Rewrite the URL line in the header of an HTTP request
    • Rewrite the Host: field in the header of an HTTP request
    • Rewrite the Referer: field in the header of an HTTP request
    • Redirect requests to another website
    • Send a 403 Forbidden response to a matching HTTP requests
    • Rewrite the HTTP location line in the header of a matching redirect response from the web server
    • Rewrite the body of an HTTP response from the web server

    Rewrites/redirects are not supported in all modes. For details, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    To use a URL rewriting rule, add it to a policy. For details, see waf url-rewrite url-rewrite-policy.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf url-rewrite url-rewrite-rule

    edit "<url-rewrite-rule_name>"

    set action {403-forbidden | redirect | redirect-301 | HTTP-request-body-rewrite | HTTP-response-body-rewrite | HTTP-header-rewrite | HTTP-response-header-rewrite}

    set host {<server_fqdn> | <server_ipv4> | <host_pattern>}

    set host-status {enable | disable}

    set host-use-pserver {enable | disable}

    set url "<replacement-url_str>"

    set url-status {enable | disable}

    set referer-status {enable | disable}

    set referer "<referer-url_str>"

    set referer-use-pserver {enable | disable}

    set http-method-status {enable | disable}

    set http-method <string>

    set status-code-status {enable | disable}

    set status-code <int>

    set request-replace-existing-headers {enable | disable}

    set response-replace-existing-headers {enable | disable}

    set request-remove-duplicate-headers {enable | disable}

    set response-remove-duplicate-headers {enable | disable}

    config header-insert

    edit <entry_index>

    set header-name "<header-name_str>"

    set header-value "<header-value_str>"

    next

    end

    set http-request-body-rewrite <string>

    set waf url-rewrite url-rewrite-rule

    set location "<location_str>"

    set location-status {enable | disable}

    set location_replace "<location_str>"

    set header-response-status {enable | disable}

    config response-header-removal

    edit <entry_index>

    set response-removel-header-name <string>

    next

    end

    config response-header-insert

    edit <entry_index>

    set response-header-name <string>

    set response-header-value <string>

    next

    end

    config match-condition

    edit <entry_index>

    set object {HTTP-host | HTTP-reference | HTTP-url}

    set protocol-filter {enable | disable}

    set protocol {HTTP | HTTPS}

    set reg-exp "<object_pattern>"

    set reverse-match {yes | no}

    set content-filter {enable | disable}

    set content-type-set {text/html text/plain text/javascript application/xml(or)text/xml application/javascript application/soap+xml application/x-javascript}

    set is-essential {yes | no}

    next

    end

    next

    end

    next

    end

    Variable Description Default

    "<url-rewrite-rule_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    No default.

    action {403-forbidden | redirect | redirect-301 | HTTP-request-body-rewrite | HTTP-response-body-rewrite | HTTP-header-rewrite | HTTP-response-header-rewrite}

    Specify one of the following values:

    • 403-forbidden—Send a 403 (Forbidden) response to the client.
    • redirect—Send a 302 (Moved Temporarily) response to the client, with a new Location: field in the HTTP header.
    • redirect-301—Send a 301 (Moved Permanently) response to the client, with a new Location: field in the HTTP header.
    • HTTP-request-body-rewrite—Replace the specific HTTP content in the body of requests.
    • HTTP-response-body-rewrite—Replace the specific HTTP content in the body of responses.
    • HTTP-header-rewrite—Rewrite the host, referer and request URL fields in HTTP header.
    • HTTP-response-header-rewrite—Rewrite the HTTP header or body in the response packet.

    The following rows list the configurations when different actions are selected.

    HTTP-header-rewrite

    HTTP-header-rewrite

    header-name "<header-name_str>"

    Enter the name of the header field that you want to insert to a request, such as "Myheader."
  • You can add up to 10 headers in the insertion list.
  • No default.

    header-value "<header-value_str>"

    Enter the value of the header field that you specified in header-name "<header-name_str>", such as "123." Then, the customized header Myheader: 123 will be inserted to the matched HTTP requests. No default.

    host {<server_fqdn> | <server_ipv4> | <host_pattern>}

    Type the FQDN of the host, such as store.example.com, to which the request will be redirected. The maximum length is 256 characters.

    This option is available only when host-status {enable | disable} is enabled.

    This field supports back references such as $0 to the parts of the original request that matched any capture groups that you entered in reg-exp "<object_pattern>" for each object in the condition table. (A capture group is a regular expression, or part of one, surrounded in parentheses.)

    Use $n (0 <= n <= 9) to invoke a substring, where n is the order of appearance of the regular expression, from left to right, from outside to inside, then from top to bottom.

    For example, regular expressions in the condition table in this order:

    (a)(b)(c(d))(e)

    (f)

    would result in invokable variables with the following values:

    • $0—a
    • $1—b
    • $2—cd
    • $3—d
    • $4—e
    • $5—f
    No default.

    host-status {enable | disable}

    Enable to rewrite the Host: field or host name part of the Referer: field.

    When disabled, the FortiWeb appliance preserves the value from the client’s request when rewriting it.

    disable

    host-use-pserver {enable | disable}

    Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual host.

    This option is available only when host-status {enable | disable} is enabled. Any setting you make for host is ignored.

    disable

    url "<replacement-url_str>"

    Enter the string, such as /catalog/item1, that will replace the request URL. The maximum length is 256 characters.

    This option is available only when url-status {enable | disable} is enabled.

    Do not include the name of the web host, such as www.example.com, nor the protocol, which are configured separately in host {<server_fqdn> | <server_ipv4> | <host_pattern>}.

    Like host, this field supports back references such as $0 to the parts reg-exp "<object_pattern>" for each object in the condition table.

    For an example, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    No default.

    url-status {enable | disable}

    Enable to rewrite the URL part of the request URL.

    If you disable this option, the FortiWeb appliance preserves the value from the client’s request when it rewrites it.

    disable

    referer-status {enable | disable}

    Enable to rewrite the Referer: field in the HTML header. Also configure referer "<referer-url_str>" and referer-use-pserver {enable | disable}. disable

    referer-use-pserver {enable | disable}

    Enable this when you have a server farm for server balance or content routing. In this case you do not know which server in the server farm the FortiWeb appliance will use. When FortiWeb processes the request, it sets the value for the actual referrer.

    This option is available only when referer-status {enable | disable} is enabled. Any setting you make for referer "<referer-url_str>" is ignored.

    disable

    referer "<referer-url_str>"

    Enter the replacement value for the Referer: field in the HTML header. The maximum length is 256 characters.

    This option is available only when referer-status {enable | disable} is enabled.

    No default.

    http-method-status {enable | disable}

    Enable to replace the original HTTP methods in a request with the specified method.

    disable

    http-method <string>

    Specify the HTTP method to replace the original one.

    Please avoid changing the method on the fly unless absolutely necessary. It is important to consider the potential implications and ensure that the server can handle the new method correctly.

    get

    status-code-status {enable | disable}

    Enable to replace the original status code in a response with the specified code.

    disable

    status-code <int>

  • Enter a status code to replace the original one in HTTP response.
  • 404

    request-replace-existing-headers {enable | disable}

  • If there is already a header with the same name existing in the request, enabling this option will overwrite the value of the existing header with your specified header value. On the other hand, if this option is disabled, the system will insert the header directly without checking if there is an existing header with the same header name.
  • disable

    response-replace-existing-headers {enable | disable}

  • If there is already a header with the same name existing in the response, enabling this option will overwrite the value of the existing header with your specified header value. On the other hand, if this option is disabled, the system will insert the header directly without checking if there is an existing header with the same header name.
  • disable

    request-remove-duplicate-headers {enable | disable}

    If the system finds multiple items in the HTTP request that match your specified header name, enabling this option will remove all of them. However, if this option is disabled, only the first matching item will be removed.

    enable

    response-remove-duplicate-headers {enable | disable}

    If the system finds multiple items in the HTTP response that match your specified header name, enabling this option will remove all of them. However, if this option is disabled, only the first matching item will be removed.

    enable

    redirect | redirect-301

    location "<location_str>"

    Enter the URL string that provides a location for use in a 301 or 302 HTTP redirection when the HTTP request matches. The maximum length is 256 characters.

    No default.

    HTTP-response-header-rewrite

    location-status {enable | disable}

    Enable to configure the location_replace.

    disable

    location_replace "<location_str>"

    Enter the replacement value for the Location: field in the HTTP header for the response. The maximum length is 256 characters.

    No default.

    header-response-status {enable | disable}

    Enable to configure HTTP header insertion when the HTTP response matches.

    disable

    response-header-name <string>

    Type the Header name that you want to insert into the HTTP response. You can add up to 10 headers in the insertion list.

    No default.

    response-header-value <string>

    Type the value of the Header field.

    No default.

    <entry_index>

    The index number of the header removal item.

    No default.

    response-removel-header-name <string>

    The name of the header that you want to remove. Up to 10 header names can be added in the removal list.

    No default.

    HTTP-resquest-body-rewrite

    http-request-body-rewrite <string>

    Enter the value that will replace matching HTTP content in the body of requests. The maximum is 256 characters.

    No default.

    HTTP-request-body-rewrite

    http-response-body-rewrite <string>

    Enter the value that will replace matching HTTP content in the body of responses. The maximum is 256 characters.

    No default.

    Match Conditions

    <entry_index>

    Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    object {HTTP-host | HTTP-reference | HTTP-url}

    Select which part of the HTTP request to test for a match:

    • HTTP-host
    • HTTP-url
    • HTTP-reference (the Referer: field)

    If the request must match multiple conditions (for example, it must contain both a matching Host: field and a matching URL), add each object match condition to the condition table separately.

    HTTP-host

    protocol-filter {enable | disable}

    Enable if you want to match this condition only for either HTTP or HTTPS. Also configure waf url-rewrite url-rewrite-rule.

    For example, you could redirect clients that accidentally request the login page by HTTP to a more secure HTTPS channel—but the redirect is not necessary for HTTPS requests.

    As another example, if URLs in HTTPS requests should be exempt from rewriting, you could configure the rewriting rule to apply only to HTTP requests.

    disable

    protocol {HTTP | HTTPS}

    Select the protocol to use.

    HTTP

    reg-exp "<object_pattern>"

    Depending on your selection in object {HTTP-host | HTTP-reference | HTTP-url} and reverse-match {yes | no}, type a regular expression that defines either all matching or all non-matching Host: fields, URLs, or Referer: fields. Then, also configure reverse-match {yes | no}.

    For example, for the URL rewriting rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {yes | no}, select no.

    The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.

    No default.

    reverse-match {yes | no}

    Indicate how to use reg-exp "<object_pattern>"when determining whether or not this URL rewriting condition has been met.

    • no—If the regular expression does match the request object, the condition is met.
    • yes—If the regular expression does not match the request object, the condition is met.
      The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

    If all conditions are met, the FortiWeb appliance will do your selected action {403-forbidden | redirect | redirect-301 | HTTP-request-body-rewrite | HTTP-response-body-rewrite | HTTP-header-rewrite | HTTP-response-header-rewrite}.

    no

    content-filter {enable | disable}

    Enable if you want to match this condition only for specific HTTP content types (also called Internet or MIME file types) such as text/html, as indicated in the Content-Type: HTTP header. Also configure content-type-set {text/html | text/plain | text/javascript | application/xml(or)text/xml | application/javascript | application/soap+xml | application/x-javascript | application/json | application/rss+xml | multipart/form-data | application/x-www-form-urlencoded}. disable

    content-type-set {text/html | text/plain | text/javascript | application/xml(or)text/xml | application/javascript | application/soap+xml | application/x-javascript | application/json | application/rss+xml | multipart/form-data | application/x-www-form-urlencoded}

    Enter the HTTP content types that you want to match in a space-delimited list, such as:

    set content-type-set text/html text/plain

    No default.

    is-essential {yes | no}

    Select what to do if there is no Referer: field, either:

    • no—Meet this condition.
    • yes—Do not meet this condition.

    Requests can lack a Referer: field for several reasons, such as if the user manually types the URL, and the request does not result from a hyperlink from another website, or if the URL resulted from an HTTPS connection. In those cases, the field cannot be tested for a matching value. For details, see the RFC 2616 section on the Referer: field (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).

    This option appears only if object {HTTP-host | HTTP-reference | HTTP-url} is HTTP-reference.

    yes

    Related topics