HTTP Content Rewrite – FortiBalancer

8.2 Understanding HTTP Content Rewrite

8.2.1 How HTTP Content Rewrite Works

When a company places the FortiBalancer appliance in front of the application servers, users can access the applications through FortiBalancer. However, the Web pages that the applications generate contain links with private IP addresses or internal domain names. So if the user fetches the pages with those internal links through FortiBalancer, the browser will not be able to retrieve the images and other objects on the HTML page since the HTML links pointing to them do not point back to the FortiBalancer appliance.

 

Figure 8-1 Users Failed to Access Internal Web Pages

The solution to the above problem is to rewrite the contents of the HTML pages before they are sent to the client. More precisely, the contents of every HTML page are processed, and all the HTML links are found and rewritten so that the end user can access the pages via a browser. In addition, the rewritten pages can be cached by the FortiBalancer appliance so that FortiBalancer does not need to rewrite the same pages over and over again.

Upon receiving the responses from the real server, the FortiBalancer appliance communicates with the uproxy module to read the response data that needs to be rewritten, and sends this data to the rewrite module for rewriting. The IP addresses and domain names in the files that need rewriting are rewritten according to the configured rules. Finally, the FortiBalancer appliance returns the rewritten data to the end user and caches it.

 

Figure 8-2 HTTP Content Rewrite Working Mechanism

  1. The end user sends an HTTP request to the real server via the FortiBalancer appliance.
  2. The response data coming from the real server reaches the FortiBalancer appliance.
  3. The FortiBalancer sends the data to the rewrite module.
  4. The rewrite module reads the data that needs rewriting, and rewrites the data.
  5. The FortiBalancer appliance sends the rewritten data to the end user, and caches the data.

8.2.2 Advantages of HTTP Content Rewrite

Improve the user experience

HTTP Content Rewrite helps external end users visit the internal real servers hidden behind the FortiBalancer appliance. It rewrites the Web page file into a form that is valid for end users. The FortiBalancer appliance also supports rewriting multi-byte character files such as Chinese and Japanese.

Reduce the effect on performance

Compared with the URL rewrite method, the HTTP Content Rewrite feature requires less communication with the real server, which reduces the effect on performance.

Decrease the response time

In addition, the rewritten pages can be cached by the FortiBalancer appliance so that FortiBalancer does not need to rewrite the same pages over and over again. When the client requests the same Web page from the real server again, the FortiBalancer appliance responds to the client with the cached data to decrease the response time.

Easy to maintain

The HTTP Content Rewrite feature helps the enterprise decrease the cost of human resources. The administrator needs to do less monitoring because the rewrite driver and the rewrite module rewrite the Web page files automatically.

8.2.3 Working Principles of HTTP Content Rewrite

The following introduces the working principles of HTTP Content Rewrite:

  • Global or per virtual service content rewrite

The administrator can enable/disable the HTTP content rewrite globally or per virtual service.

Note:

  1. By default, the HTTP content rewrite function is disabled globally, while enabled per virtual service.
  2. The per virtual service HTTP content rewrite setting and configurations take effect only when the global HTTP content rewrite is enabled.

  • Define the global content rewrite rule

The HTTP content rewrite function allows administrators to define global rewrite rules to rewrite the IP addresses, domain names or other strings in the Web page files into new strings as pre-defined.

Two kinds of rewrite rules are supported:

  1. ProxyHTMLURLMap

Only rewrite the URLs inside the HTML tags. The other strings will not be rewritten. This kind of rewrite rules can only be applied to rewriting of HTML and XHTML files.

For example:

The source Web page file:

<p><a href="10.3.129.1">10.3.129.1</a></p>

<p><a href="http://10.3.129.1/">http://10.3.129.1</a></p>

<p><a href="https://10.3.129.1/">https://10.3.129.1</a></p>

The rewritten Web page file:

<p><a href="172.16.85.74">10.3.129.1</a></p>

<p><a href="http://172.16.85.74/">http://10.3.129.1</a></p>

<p><a href="https://172.16.85.74/">https://10.3.129.1</a></p>

The IP address “10.3.129.1” in the URLs inside the HTML tags has been rewritten into “172.16.85.74”, while others remain unchanged.

  2. Substitute

Rewrite URLs inside and outside the HTML tags.

For example:

The source Web page file:

<p><a href="10.3.129.1">10.3.129.1</a></p>

<p><a href="http://10.3.129.1/">http://10.3.129.1</a></p>

<p><a href="https://10.3.129.1/">https://10.3.129.1</a></p>

The rewritten Web page file:

<p><a href="172.16.85.74">172.16.85.74</a></p>

<p><a href="http://172.16.85.74/">http://172.16.85.74</a></p>

<p><a href="https://172.16.85.74/">https://172.16.85.74</a></p>

All the “10.3.129.1” strings have been rewritten into “172.16.85.74”.

Note:

  1. The configuration strings of the parameter “rule” must be framed in double quotes.
  2. The configuration strings of “ProxyHTMLURLMap” and “Substitute” are strictly case-sensitive.
  3. When both “ProxyHTMLURLMap” and “Substitute” rules are configured, the “ProxyHTMLURLMap” rules will be applied first, and then the “Substitute” rules. If the “ProxyHTMLURLMap” and “Substitute” rules have been configured to map to the same regex, the “Substitute” rules will overwrite the “ProxyHTMLURLMap” rules.
  4. Changing the rewrite rules causes the currently running rewrite operations to fail, and FortiBalancer will reset the related connections. Therefore, it is suggested not to change the rewrite rules while the FortiBalancer appliance is processing network traffic.
  5. If the HTTP content rewrite function is enabled and content rewrite rules are configured, the length of each line in responses cannot be greater than 1MB; otherwise, the FortiBalancer appliance will send a RST packet to the client to abort the TCP connection.
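
The difference between the two rule kinds, and how much of the internal address a client still sees under each, can be reproduced with the following added example (a Python sketch written for this page, not FortiBalancer code). The function names and the set of attributes treated as URLs are assumptions; the sample document and addresses are the ones used above.

```python
import re

TAG = re.compile(r"<[^<>]+>")  # one HTML tag, opening bracket to closing bracket
# Attributes treated as URLs: an assumption made for this sketch.
URL_ATTR = re.compile(r"""\b(href|src|action)(\s*=\s*)(["'])(.*?)\3""", re.I)

def proxy_html_url_map(html, old, new):
    """Rewrite `old` to `new` only inside URL attributes of HTML tags."""
    def fix_attr(m):
        name, eq, quote, value = m.groups()
        return name + eq + quote + value.replace(old, new) + quote
    return TAG.sub(lambda t: URL_ATTR.sub(fix_attr, t.group(0)), html)

def substitute(text, old, new):
    """Rewrite every occurrence of `old`, inside and outside tags."""
    return text.replace(old, new)

def apply_rules(html, old, new, url_map=True, subst=False):
    """Apply the enabled rule kinds in the documented order: URL map first."""
    if url_map:
        html = proxy_html_url_map(html, old, new)
    if subst:
        html = substitute(html, old, new)
    return html

def residual(html, internal):
    """Lines that still expose the internal address to the client."""
    return [ln for ln in html.splitlines() if internal in ln]

# The page's own sample document.
SOURCE = "\n".join([
    '<p><a href="10.3.129.1">10.3.129.1</a></p>',
    '<p><a href="http://10.3.129.1/">http://10.3.129.1</a></p>',
    '<p><a href="https://10.3.129.1/">https://10.3.129.1</a></p>',
])

if __name__ == "__main__":
    for label, kwargs in (("ProxyHTMLURLMap only", {}), ("plus Substitute", {"subst": True})):
        out = apply_rules(SOURCE, "10.3.129.1", "172.16.85.74", **kwargs)
        print(label, "->", len(residual(out, "10.3.129.1")), "line(s) still show 10.3.129.1")
        print(out)
```

With only the ProxyHTMLURLMap-style rule, the links work but the link text still discloses the internal address on every line; adding the Substitute-style rule removes it.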

  • Specify the type of the files to be rewritten

The HTTP Content Rewrite function allows administrators to specify the type of the files to be rewritten. The following are the supported file types:

  • text/html
  • text/plain
  • text/richtext
  • text/xml
  • application/xml
  • application/xhtml+xml
  • text/css
  • text/javascript
  • application/javascript

By default, only the files in “text/html” type are allowed to be rewritten.

  • Define the URL regex for per virtual service HTTP content rewrite

The administrator can define the URL regex to permit or deny rewriting of the files that match the URL regex per virtual service.

To specify the URL regex, the administrator should first define a URL list, and then add URL regexes into the URL list. The URL regex can be defined as the extension name, the file content or a part of the file name. Then the administrator needs to associate the URL list with a virtual service through a permit/deny rule. After all these are done, the files that match any URL regex in the URL list will be rewritten according to the associated permit/deny rules.

Multiple URL regexes can be added into a URL list, in “OR” relationship. That is to say, the permit/deny rule will work as long as any of the extension name, file name or file contents matches the URL regex.

  • Define the HTTP response status code

The HTTP Content Rewrite function also supports rewriting Web page files returned with specific HTTP response status codes. The “200” HTTP response status code is supported by default. That is to say, the FortiBalancer appliance will only rewrite the Web page files with the “200” HTTP response status code by default.
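
Taken together, the enable switches, file types, URL lists, status codes and line-length limit decide which responses are rewritten at all, and anything that passes through untouched keeps its internal addresses. The following added example (a Python sketch, not FortiBalancer code) models that decision and lists the constructed sample responses that would reach the client unrewritten. The order of the checks, first-match handling of URL lists, rewriting of URLs that match no list, matching regexes against the URL only, and reading 1MB as 2**20 bytes with rewrite rules already configured are all assumptions.

```python
import re

SUPPORTED = {"text/html", "text/plain", "text/richtext", "text/xml", "application/xml",
             "application/xhtml+xml", "text/css", "text/javascript",
             "application/javascript"}
MAX_LINE = 1024 * 1024  # "1MB" taken as 2**20 bytes (assumption)

def rewrite_decision(url, status, ctype, body, *, global_on=False, vs_on=True,
                     types=("text/html",), statuses=(200,), url_rules=()):
    """Return 'rewrite', 'reset' or 'pass: <reason>' for one response."""
    if not (global_on and vs_on):      # per-service setting needs the global one
        return "pass: content rewrite not enabled"
    if status not in statuses:
        return "pass: status %d not selected" % status
    mime = ctype.split(";", 1)[0].strip().lower()   # drop "; charset=..."
    if mime not in SUPPORTED or mime not in types:
        return "pass: type %s not selected" % mime
    for action, regexes in url_rules:  # first matching list decides (assumption)
        if any(re.search(rx, url) for rx in regexes):   # regexes are ORed
            if action == "deny":
                return "pass: URL denied"
            break
    if any(len(line) > MAX_LINE for line in body.split(b"\n")):
        return "reset"                 # appliance aborts the TCP connection
    return "rewrite"

def unrewritten_leaks(responses, internal, **cfg):
    """URLs whose body carries `internal` and would reach the client untouched."""
    return [r[0] for r in responses
            if internal in r[3] and rewrite_decision(*r, **cfg).startswith("pass")]

# Constructed sample responses: (URL, status, Content-Type, body).
SAMPLE = [
    ("/index.html", 200, "text/html; charset=utf-8", b'<a href="http://10.3.129.1/">home</a>'),
    ("/app.js", 200, "application/javascript", b'var api = "http://10.3.129.1/api";'),
    ("/missing", 404, "text/html", b"<p>Not found on 10.3.129.1</p>"),
    ("/static/raw.html", 200, "text/html", b'<img src="http://10.3.129.1/a.png">'),
]

if __name__ == "__main__":
    for cfg in ({"global_on": True},
                {"global_on": True, "url_rules": [("deny", [r"^/static/"])]},
                {"global_on": True, "statuses": (200, 404),
                 "types": ("text/html", "application/javascript")}):
        print(cfg, "->", unrewritten_leaks(SAMPLE, b"10.3.129.1", **cfg))
```

With the defaults plus the global switch, the JavaScript file and the 404 error page still carry the internal address, which is the gap to look for when reviewing a rewrite configuration.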

