HTTP to HTTPS redirect for load balancing
Starting with FortiOS 6.2.1, you can configure a virtual server with HTTP to HTTPS redirect enabled. When enabled, the virtual server answers a client's HTTP request with a redirect to the HTTPS equivalent instead of serving it in plaintext, so every client session that reaches the real servers is carried over HTTPS. This mandatory redirect improves the security of the user network, because credentials and other request data are no longer sent over unencrypted HTTP.
You can only enable this feature by using the CLI. After you enable this feature, traffic flows as follows:
- When FortiGate receives an HTTP request for an external IP, such as 10.1.100.201 in the following example, FortiGate sends an HTTP 303 response back to the original client and redirects HTTP to HTTPS, instead of forwarding the HTTP request to the real backend servers.
- The client browser restarts the TCP session to HTTPS.
- The HTTPS session comes to the FortiGate where a matching IPv4 policy allows the HTTPS traffic and establishes a secure SSL connection, and then forwards the request to the real backend servers.
To configure a virtual server with HTTPS redirect enabled:
- Create a virtual server with server-type set to http:
    config firewall vip
        edit "virtual-server-http"
            set type server-load-balance
            set extip 10.1.100.201
            set extintf "wan2"
            set server-type http
            set ldb-method round-robin
            set extport 80
            config realservers
                edit 1
                    set ip 172.16.200.44
                    set port 80
                next
                edit 2
                    set ip 172.16.200.55
                    set port 80
                next
            end
        next
    end
- Create a virtual server with server-type set to https and with the same external IP address:
    config firewall vip
        edit "virtual-server-https"
            set type server-load-balance
            set extip 10.1.100.201
            set extintf "wan2"
            set server-type https
            set ldb-method round-robin
            set extport 443
            config realservers
                edit 1
                    set ip 172.16.200.44
                    set port 443
                next
                edit 2
                    set ip 172.16.200.55
                    set port 443
                next
            end
            set ssl-certificate "Fortinet_CA_SSL"
        next
    end
- Enable the http-redirect option for the virtual server with server-type set to http:
    config firewall vip
        edit "virtual-server-http"
            set http-redirect enable
        next
    end
- Add the two virtual servers to a policy:
    config firewall policy
        edit 9
            set srcintf "wan2"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "virtual-server-http" "virtual-server-https"
            set action accept
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set auto-asic-offload disable
            set nat enable
        next
    end
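After the policy is in place, the traffic flow described above (plain HTTP request in, 3xx redirect to HTTPS out, nothing forwarded to the real servers in clear text) can be verified from a client outside the FortiGate. The following script is an added example, not part of the FortiOS documentation or the FortiGate itself: it sends one plain HTTP request to a virtual server's external IP and reports whether the answer is a redirect whose Location uses https and preserves the requested host and path. The small mock server in the block stands in for the virtual server so the check runs offline; the requirement that the redirect keep the same host and path is an assumption made for the check, not a FortiOS statement.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def check_http_redirect(host, port, path="/", timeout=5):
    """Send a plaintext HTTP GET to host:port and classify the answer.

    Returns a dict with the status code, the Location header and 'ok',
    which is True only when the virtual server answered with a 3xx
    redirect to an https URL on the same host and path (assumed policy).
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    resp.read()  # drain the body so the connection closes cleanly
    conn.close()

    result = {"status": resp.status, "location": location, "ok": False, "reason": ""}
    if not 300 <= resp.status < 400:
        # A 200 here means the VIP served the request in clear text:
        # http-redirect is not enabled or the policy does not match.
        result["reason"] = "no redirect: the virtual server served plaintext HTTP"
        return result
    if not location:
        result["reason"] = "redirect without a Location header"
        return result
    target = urlsplit(location)
    if target.scheme != "https":
        result["reason"] = f"redirect target scheme is {target.scheme!r}, not https"
        return result
    if target.hostname != host or target.path != path:
        result["reason"] = "redirect changes host or path (assumed to be preserved)"
        return result
    result["ok"] = True
    return result


class RedirectHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a virtual server with http-redirect enabled."""

    def do_GET(self):
        self.send_response(303)
        self.send_header("Location", f"https://{self.headers.get('Host')}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the mock quiet
        pass


class NoRedirectHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a virtual server that still serves plain HTTP."""

    def do_GET(self):
        body = b"served over plaintext http\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_mock_server(handler):
    """Start a mock server on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Against a real deployment you would call, for example:
    #   check_http_redirect("10.1.100.201", 80, "/login")
    for name, handler in (("redirecting", RedirectHandler), ("plain", NoRedirectHandler)):
        server, port = start_mock_server(handler)
        print(name, check_http_redirect("127.0.0.1", port, "/login"))
        server.shutdown()
```

Run it against the external IP of the virtual server (10.1.100.201 in this page's example) after enabling http-redirect; a result with ok set to False and a 200 status is the sign that the plaintext path is still open, which is the state a reviewer should look for before and after the change.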