FTG-xff add

This document provides a technical guide on how to add X-forwarded headers to HTTP(S) traffic directed towards a webserver protected by a FortiGate unit. It outlines the necessary prerequisites, configuration steps, and verification methods for implementing SSL offloading and adding the X-forwarded-for and X-forwarded-proto headers. Additionally, it notes that units with 2GB of RAM or less will not support proxy features starting from FortiOS 7.4.4.


Technical Tip: How to add X-forwarded headers to the traffic towards a protected Webserver behind FortiGate

Description

This article explains how to add the X-Forwarded-For and X-Forwarded-Proto headers to HTTP(S)
traffic towards a webserver protected by the FortiGate unit (Virtual IP).

Diagram

Scope

Note: Since FortiOS 7.4.4, units with 2GB of RAM or less no longer support proxy
features. The option "config web-proxy profile" is no longer available to configure on
those units.

The solution below assumes that the following prerequisites are met:

1. The web server is protected by the FortiGate unit and listens for requests on HTTP port 80.

2. The administrator must import a valid SSL certificate (including the private key) for the
webserver onto the FortiGate unit for SSL offloading.

3. The solution uses a Virtual IP on the FortiGate, which performs SSL offloading in HALF
mode. See the attached diagram for an SSL half-mode example.

4. The traffic between the client PC and the FortiGate should be HTTPS.

5. The FortiGate unit performs SSL offloading using the certificate imported by the
administrator.

6. Once the traffic is offloaded (decrypted), the FortiGate adds the X-Forwarded HTTP
headers to the plain-text HTTP traffic; additional UTM inspection can also be performed
on this traffic.

7. Traffic is sent to the webserver in the protected network as plain-text HTTP.

Note: The load-balance Virtual Server (Layer 7 VIP) does not support the X-Forwarded-Proto
header.

Configuration:

1. Use FortiGate's GUI to import the Webserver's SSL certificate.

Login to the GUI -> System Certificates -> Import -> Local Certificate.

Select Type "PKCS #12 Certificate" if the certificate is available in PKCS#12 format.

If separate public and private key files for the certificate are available, select Type
"Certificate" and select the public key and private key files.

For more information, refer to Fortinet's Knowledge Base articles:

- Technical Note: How to split PKCS#12 Certificates into Public and Private Key files
- Technical Note: Import a Microsoft IIS Server Certificate into FortiOS

2. Configure Virtual IP as follows:


Note: If the Virtual IP is already configured on the FortiGate unit, skip this step and
proceed to step 3.

The FortiGate unit GUI can also be used to add a Virtual IP:
'Login to GUI -> Policy & Objects -> Virtual IPs'.

However, this article will use the CLI configuration example.

config firewall vip
    edit "example.com"
        set extip x.x.x.x
        set extintf "external_interface_connected_to_internet"
        set mappedip y.y.y.y
    next
end

3. Configure Web-Proxy Profile as follows:

config web-proxy profile
    edit "1"
        set header-x-forwarded-for add    <- Adds the X-Forwarded-For header.
    next
end

4. Create a URL filter table as follows:

config webfilter urlfilter
    edit 1
        set name "example.com"
        config entries
            edit 1
                set url www.example.com
                set action monitor
                set web-proxy-profile "1"    <- Web-proxy profile configured in step 3.
            next
        end
    next
end

Note: The URL entry must match the hostname used by clients on the Internet.

If the webserver is reached under multiple hostnames, add one entry per hostname. The
web-proxy profile must be set on each URL entry.

5. Create a webfilter profile and select the URL filter table in webfilter profile as follows:

config webfilter profile
    edit "example.com"
        config web
            set urlfilter-table 1    <- URL filter table created in step 4.
        end
    next
end

6. SSL-server configuration is as follows:

config firewall ssl-server
    edit "example.com"
        set ip y.y.y.y
        set ssl-mode half
        set url-rewrite enable
        set add-header-x-forwarded-proto enable    <- Enabled by default.
        set ssl-cert "example.com"
    next
end

7. Configure the SSL-SSH Profile as follows:

config firewall ssl-ssh-profile
    edit "example.com"
        set server-cert-mode re-sign
        set use-ssl-server enable
    next
end

8. Configure firewall policy as follows:

config firewall policy
    edit <id>
        set srcintf "external_interface_connected_to_internet"
        set dstintf "interface_connected_to_webserver"
        set srcaddr "all"
        set dstaddr "example.com"    <- VIP created in step 2.
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "example.com"    <- Webfilter profile created in step 5.
        set profile-protocol-options "default"
        set ssl-ssh-profile "example.com"    <- SSL/SSH profile created in step 7.
    next
end

Verification

HTTP request received on the webserver (plain-text HTTP, with the two headers added by the FortiGate at the end):

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate, br
Host: example.com
Connection: Keep-Alive
X-Forwarded-Proto: https
X-Forwarded-For: 200.200.12.54
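The headers above are only useful to the webserver if it reads them correctly: any client can send its own X-Forwarded-For or X-Forwarded-Proto, so the server should honour them only on connections that really come from the FortiGate. The following Python example is added here and is not part of the Fortinet article or of FortiOS; it parses a request like the one shown in the Verification section (a constructed sample based on it) and derives the real client address and original scheme. It assumes the webserver sees the FortiGate as the TCP peer at a known address (placeholder 10.0.0.1 standing in for the article's y.y.y.y side; whether the peer is the FortiGate or the original client depends on the policy's NAT setting, which the article does not show) and that the FortiGate appends the connecting client's address as the last X-Forwarded-For entry (standard proxy convention, not something the article states).

```python
"""Derive the real client IP and original scheme from X-Forwarded-* headers,
trusting them only when the request arrived from the FortiGate itself."""
from __future__ import annotations

import ipaddress
from typing import Dict, Tuple

# Constructed sample based on the request shown in the Verification section:
# what the webserver receives on port 80 after SSL offloading on the FortiGate.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Host: example.com\r\n"
    "Connection: Keep-Alive\r\n"
    "X-Forwarded-Proto: https\r\n"
    "X-Forwarded-For: 200.200.12.54\r\n"
    "\r\n"
)

# Assumed (placeholder) address from which the FortiGate reaches the webserver.
# Only connections from this set may carry trusted X-Forwarded-* headers.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a header map.

    Header names are lower-cased. A repeated header is folded into one
    comma-separated value, which is how X-Forwarded-For lists are defined.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return request_line, headers


def client_info(headers: Dict[str, str], peer_ip: str) -> Tuple[str, str]:
    """Return (client_ip, scheme) for a request received from peer_ip.

    From a trusted proxy, the last X-Forwarded-For entry is taken as the client
    address (assumption: the FortiGate appends the connecting client's IP) and
    X-Forwarded-Proto gives the scheme the client used towards the FortiGate.
    From any other peer both headers are ignored, so a client connecting
    directly cannot spoof its address or claim it used HTTPS.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return str(peer), "http"
    entries = [e.strip() for e in headers.get("x-forwarded-for", "").split(",") if e.strip()]
    client = str(peer)
    if entries:
        try:
            client = str(ipaddress.ip_address(entries[-1]))
        except ValueError:
            pass  # unparsable value: fall back to the proxy's own address
    scheme = "https" if headers.get("x-forwarded-proto", "").lower() == "https" else "http"
    return client, scheme


def handle(raw: str, peer_ip: str) -> dict:
    """Parse and classify one request in a single call."""
    request_line, headers = parse_request(raw)
    client, scheme = client_info(headers, peer_ip)
    return {"request_line": request_line, "client_ip": client, "scheme": scheme}


if __name__ == "__main__":
    print(handle(SAMPLE_REQUEST, "10.0.0.1"))   # headers trusted: client 200.200.12.54, https
    print(handle(SAMPLE_REQUEST, "192.0.2.77"))  # untrusted peer: headers ignored
```

The scheme value matters for more than logging: a server that redirects HTTP to HTTPS or sets Secure cookies based on the scheme will loop or misbehave behind an SSL-offloading VIP unless it reads X-Forwarded-Proto, which is why the ssl-server configuration in step 6 leaves add-header-x-forwarded-proto enabled.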
