Fortinet Document Library


CLI Reference

config load-balance content-rewriting

Use this command to configure content rewriting rules.

You might rewrite the HTTP headers for various reasons, including the following:

  • Redirect HTTP to HTTPS—You can use the content rewriting feature to send redirects when the requested resource requires a secure connection. For example, create a rule that matches requests to http://example.com/resource with an action to send a redirect that has the secure URL in the Location header: https://example.com/resource.
  • External-to-internal URL translation—It is standard for web servers to have external and internal domain names. You can use content-based routing to forward HTTP requests to example.com to a server pool that includes server1.example.com, server2.example.com, and server3.example.com. When you use content routing like this, you should also rewrite the Location header in the HTTP response so that the client receives HTTP with example.com in the header and not the internal domain server1.example.com. Create a rule that matches the regular expression server.*\.example\.com in the Location header of the HTTP response with an action to rewrite the Location header with the public URL http://example.com.
  • Other security reasons—Another use case for external-to-internal URL translation involves masking pathnames that give attackers information about your web applications. For example, the unmasked URL for a blog might be http://www.example.com/wordpress/?feed=rss2, which exposes that the blog is a wordpress application. In this case, you want to publish an external URL that does not have clues of the underlying technology. For example, in your web pages, you create links to http://www.example.com/blog. On FortiADC, you create a rule that matches requests to http://www.example.com/resource2 with an action to rewrite the URL to the internal URL http://www.example.com/wordpress/?feed=rss2. For the return traffic, you create another rule that matches http://www.example.com/wordpress/?feed=rss2 in the Location header of the HTTP response with an action to rewrite it with the public URL http://www.example.com/blog.

Table 7 summarizes the HTTP header fields that can be rewritten.

HTTP header rewriting

Direction        HTTP header
---------------  -----------
HTTP Request     Host
                 Referer
HTTP Redirect    Location
HTTP Response    Location

The first line of an HTTP request includes the HTTP method, relative URL, and HTTP version. The next lines are headers that communicate additional information. The following example shows the HTTP request for the URL http://www.example.com/index.html:

GET /index.html HTTP/1.1

Host: www.example.com

Referer: http://www.google.com

The following is an example of an HTTP redirect including the HTTP Location header:

HTTP/1.1 302 Found

Location: http://www.iana.org/domains/example/

You can use literal strings or regular expressions to match traffic to rules. To match a request URL such as http://www.example.com/index.html, you create two match conditions: one for the Host header www.example.com and another for the relative URL that is in the GET line: /index.html.

For HTTP redirect rules, you can specify the rewritten location as a literal string or as a regular expression. For all other types of rules, you must specify the complete URL as a literal string.

Before you begin:

  • You must have a good understanding of HTTP header fields.
  • You must have a good understanding of Perl-compatible regular expressions (PCRE) if you want to use them in rule matching or rewriting.
  • You must have read-write permission for load balancing settings.

After you have configured a content rewriting rule, you can select it in the virtual server configuration.

Note: You can select multiple content rewriting rules in the virtual server configuration. Rules you add to that configuration are consulted from top to bottom. The first to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten.

Syntax

config load-balance content-rewriting
    edit <name>
        set action-type {request|response}
        set action {add_http_header | delete_http_header | redirect | rewrite_http_header | rewrite_http_location | send-403-forbidden}
        set header-name [string/regular expression]
        set header-value [string/regular expression]
        set redirect <string>
        set host-status {enable|disable}
        set host <string>
        set referer-status {enable|disable}
        set referer <string>
        set url-status {enable|disable}
        set url <string>
        set location <string>
        set comments <string>
        config match-condition
            edit <No.>
                set content <string>
                set object {http-host-header | http-location-header | http-referer-header | http-request-url | ip-source-address}
                set reverse {enable|disable}
                set type {string | regular-expression}
                set ignore-case {enable | disable}
            next
        end
    next
end

action-type

Specify whether to rewrite the HTTP request or HTTP response.

action

If you configure a rule based on the HTTP request, you can specify the following actions:

  • add_http_header
  • delete_http_header
  • rewrite_http_header
  • redirect
  • send-403-forbidden

If you configure a rule based on the HTTP response, you can specify the following action:

  • rewrite_http_location

header-name

Name of the header to create (add_http_header) or to delete (delete_http_header).

Use this command only if action is set to add_http_header or delete_http_header.

header-value

Value of the header to create (add_http_header) or of the existing header to delete (delete_http_header).

Use this command only if action is set to add_http_header or delete_http_header.

redirect

Sends a redirect with the URL you specify in the HTTP Location header field.

For Redirect rules, specify an absolute URL. For example: https://example.com/content/index.html

Use this command only if action is set to redirect.

Note: The rewrite string can be a literal string or a regular expression.

host-status

Enable/disable rewriting the Host header by replacing the hostname with the string you specify.

Use this command only if action is set to rewrite_http_header.

host

Rewrites the Host header by replacing the hostname with the string you specify. For Host rules, specify a replacement domain and/or port.

Use this command only if action is set to rewrite_http_header.

Note: The rewrite string is a literal string. Regular expression syntax is not supported.

referer-status

Enable/disable rewriting the Referer header with the URL you specify.

Use this command only if action is set to rewrite_http_header.

referer

Rewrites the Referer header with the URL you specify. For Referer rules, you must specify an absolute URL.

Note: The rewrite string is a literal string. Regular expression syntax is not supported.

url-status

Enable/disable rewriting the request URL by replacing the whole URL with the string you specify.

url

Rewrites the request URL and Host header using the string you specify. For URL rules, specify a URL in one of the following formats:

  • Absolute URL — https://example.com/content/index.html
  • Relative URL — content/index.html

If you specify a relative URL, the host header is not rewritten.

Note: The rewrite string is a literal string. Regular expression syntax is not supported.

location

For Location rules, specify an absolute URL. For example: https://example.com/content/index.html

Note: The rewrite string is a literal string. Regular expression syntax is not supported.

comments

Optional administrator note.

config match-condition

content

Specify the literal string or the regular expression to match, according to the type setting.

object

Specify content matching conditions based on the following parameters:

  • http-host-header
  • http-location-header
  • http-referer-header
  • http-request-url
  • ip-source-address

Note: When you add multiple conditions, FortiADC joins them with an AND operator. For example, if you specify both an HTTP Host header and an HTTP Request URL to match, the rule is a match only for traffic that meets both conditions.

reverse

Rule matches if traffic does not match the expression.

type

  • string
  • regular-expression

ignore-case

Enable to make the match condition case-insensitive; disable to keep it case-sensitive.

Example

The following example creates a configuration to rewrite a literal string:

FortiADC-VM # config load-balance content-rewriting
FortiADC-VM (content-rewrit~n) # edit c-rewrite-0
Add new entry 'c-rewrite-0' for node 1737

FortiADC-VM (c-rewrite-0) # set action redirect
FortiADC-VM (c-rewrite-0) # set redirect https://example.com/resource
FortiADC-VM (c-rewrite-0) # set comments http-to-https

FortiADC-VM (c-rewrite-0) # config match-condition
FortiADC-VM (match-condition) # edit 1
FortiADC-VM (1) # set type string
FortiADC-VM (1) # set object http-host-header
FortiADC-VM (1) # set content www.example.com
FortiADC-VM (1) # next

FortiADC-VM (match-condition) # edit 2
FortiADC-VM (2) # set type string
FortiADC-VM (2) # set object http-request-url
FortiADC-VM (2) # set content /resource
FortiADC-VM (2) # end

The following example creates a configuration to rewrite using a regular expression:

FortiADC-VM (content-rewrit~n) # edit c-rewrite-1

FortiADC-VM (c-rewrite-1) # set action redirect
FortiADC-VM (c-rewrite-1) # set redirect https://$0/$1
FortiADC-VM (c-rewrite-1) # set comments http-to-https

FortiADC-VM (c-rewrite-1) # config match-condition
FortiADC-VM (match-condition) # edit 1
FortiADC-VM (1) # set type regular-expression
FortiADC-VM (1) # set object http-host-header
FortiADC-VM (1) # set content (.*)
FortiADC-VM (1) # next

FortiADC-VM (match-condition) # edit 2
FortiADC-VM (2) # set type regular-expression
FortiADC-VM (2) # set object http-request-url
FortiADC-VM (2) # set content ^/(.*)$
FortiADC-VM (2) # end
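The following is an added example, not FortiADC code or output from this page. It models the rule semantics described above (rules consulted top to bottom with the first match applied, match conditions joined with AND, reverse, ignore-case, string versus regular-expression matching) and runs the two example rules, c-rewrite-0 and c-rewrite-1, plus a response rule for the external-to-internal Location translation use case. Two points are assumptions rather than documented behaviour: a string condition is treated as an exact match, and in a regular-expression redirect string $0 is the capture of match-condition 1, $1 the capture of match-condition 2, and so on, as the https://$0/$1 example implies. The location_host_allowed helper is an added defensive check, not a FortiADC feature: a Location built from a (.*) Host capture contains whatever Host value the client sent, so the check confirms the rewritten target still points at a host you serve.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Added example: a small model of the content-rewriting semantics this page describes.
# Not FortiADC code. Assumptions: a "string" condition is an exact match; in a regex
# redirect string $0 is the capture of match-condition 1, $1 of condition 2, ...


@dataclass
class Condition:
    object: str                 # http-host-header | http-request-url | http-referer-header | http-location-header | ip-source-address
    content: str                # literal string or regular expression
    type: str = "string"        # string | regular-expression
    reverse: bool = False       # rule matches when the expression does NOT match
    ignore_case: bool = False


@dataclass
class Rule:
    name: str
    action: str                       # redirect | send-403-forbidden | rewrite_http_location
    action_type: str = "request"      # request | response
    redirect: Optional[str] = None    # literal or regex string, for action=redirect
    location: Optional[str] = None    # literal only, for action=rewrite_http_location
    conditions: List[Condition] = field(default_factory=list)


def _field(msg: dict, obj: str) -> str:
    """Pick the message field that a match-condition object refers to."""
    keys = {"http-host-header": "host", "http-request-url": "url",
            "http-referer-header": "referer", "http-location-header": "location",
            "ip-source-address": "src_ip"}
    return msg.get(keys[obj], "")


def match_condition(cond: Condition, value: str) -> Tuple[bool, str]:
    """Return (matched, first capture). reverse inverts the result and yields no capture."""
    if cond.type == "regular-expression":
        m = re.search(cond.content, value, re.IGNORECASE if cond.ignore_case else 0)
        hit = m is not None
        cap = "" if m is None else (m.group(1) if m.lastindex else m.group(0))
    else:  # assumption: literal string conditions are exact matches
        a, b = (value.lower(), cond.content.lower()) if cond.ignore_case else (value, cond.content)
        hit = a == b
        cap = value if hit else ""
    return (not hit, "") if cond.reverse else (hit, cap)


def apply_rule(rule: Rule, msg: dict, captures: List[str]) -> dict:
    """Produce the rewritten result for the matched rule."""
    if rule.action == "redirect":
        target = re.sub(r"\$(\d+)", lambda m: captures[int(m.group(1))], rule.redirect)
        return {"status": 302, "location": target}
    if rule.action == "send-403-forbidden":
        return {"status": 403}
    if rule.action == "rewrite_http_location":
        return {"status": msg.get("status", 302), "location": rule.location}
    raise ValueError("action not modelled: " + rule.action)


def evaluate(rules: List[Rule], msg: dict) -> Optional[dict]:
    """Consult rules top to bottom; the first rule whose conditions ALL match is applied."""
    for rule in rules:
        if rule.action_type != msg["kind"]:  # request rules see requests, response rules see responses
            continue
        captures: List[str] = []
        for cond in rule.conditions:
            hit, cap = match_condition(cond, _field(msg, cond.object))
            if not hit:
                break
            captures.append(cap)
        else:  # no condition failed
            return apply_rule(rule, msg, captures)
    return None  # nothing matched: the header is not rewritten


def location_host_allowed(location: str, allowed_hosts) -> bool:
    """Added defensive check: confirm a rewritten Location still points at a host you serve."""
    host = (urlsplit(location).hostname or "").lower()
    return host in {h.lower() for h in allowed_hosts}


# Constructed rule set: the page's two example rules plus a response rule for the
# external-to-internal Location translation use case.
RULES = [
    Rule("c-rewrite-0", "redirect", redirect="https://example.com/resource", conditions=[
        Condition("http-host-header", "www.example.com"),
        Condition("http-request-url", "/resource")]),
    Rule("c-rewrite-1", "redirect", redirect="https://$0/$1", conditions=[
        Condition("http-host-header", "(.*)", type="regular-expression"),
        Condition("http-request-url", r"^/(.*)$", type="regular-expression")]),
    Rule("mask-internal", "rewrite_http_location", action_type="response", location="http://example.com",
         conditions=[Condition("http-location-header", r"server.*\.example\.com", type="regular-expression")]),
]

if __name__ == "__main__":
    print(evaluate(RULES, {"kind": "request", "host": "www.example.com", "url": "/resource"}))
    print(evaluate(RULES, {"kind": "request", "host": "www.example.com", "url": "/docs/index.html"}))
    print(evaluate(RULES, {"kind": "response", "status": 302, "location": "http://server1.example.com/page"}))
```

With both request rules in the list, a request for /resource on www.example.com is handled by c-rewrite-0 because it is consulted first; any other path falls through to c-rewrite-1, which rebuilds the Location from the Host and path captures. A response whose Location names an internal server matches only the response rule, and a response that does not match any condition is returned unchanged.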
