Professional Documents
Culture Documents
Fortiweb Url Rewrite Howto: Technical Document
Fortiweb Url Rewrite Howto: Technical Document
Fortiweb Url Rewrite Howto: Technical Document
Technical Document
Document Information
Revision 0.1
Revised 4/15/2010
Filename: url_rewrite_howto.docx
Author Information
Kevin Zhang
zhangjw@fortinet.com
1. Introduction .......................................................................................................................................... 4
2. Use Action - URL Rewrite to jump inside one protected server/physical server.................................. 5
3. Use Action - Redirect to jump between two protected servers/physical servers ................................ 8
Similar to error message cloaking, URL rewriting can be useful to prevent the disclosure of
underlying technology or web site structures to HTTP clients.
For example, when visiting a blog web page, its URL might be:
http://www.example.com/wordpress/?feed=rss2
Simply knowing the file name, that the blog uses PHP, its compatible database types, and
the names of parameters via the URL could help an attacker to craft an appropriate attack
for that platform. By rewriting the URL to something more human-readable and less
platform-specific, we hide these details:
http://www.example.com/rss2
Note: URL rewrites are applicable only if the FortiWeb unit is operating in inline protection
mode, or transparent mode for connections without SSL.
FortiWeb unit will take one of following actions when it receives a matching request.
Rewrite URL: Rewrite both the Host and request URL fields in HTTP header.
Redirect: Send a 302 (Moved Temporarily) response to the client, with a new Location
field in the HTTP header.
server/physical server
Objective
Assume we have a FortiWEB setup as following.
One FortiWEB runs at Inline (Reverse Proxy) mode to protect one physical server.
/index.html and /test.html are the two html pages on physical server. Assume /index.html is
under maintenance and we want the users to use /test.html as a short term alternative.
Configuration
In order to do achieve requirement, we need to setup a URL rewriting rule as following.
Action
Select Action to be "Rewrite URL". "Rewrite URL" allow you to rewrite both the Host and
URL fields in HTTP header of incoming HTTP request.
Condition Table
You can create multiple conditions for a single URL rewrite action to check/match different
parts of an incoming HTTP request. For this sample, only one condition will serve the
purpose.
In the "Regular Expression", we input "/index.html" and select "Meet this condition if" as
"Object matches the regular expression". This will make sure the URL rewrite action will be
taken if we see a request to "index.html".
Host
Type the domain or IP of the host, such as store.example.com or 192.168.1.1. The given
string will replace the original value of the Host field in incoming HTTP request.
Most of the time, this configuration is NOT necessary, such as our sample here.
This configuration is ONLY useful if the physical server has the security check that the Host
field in HTTP request MUST match its own IP. If that's the case, you will need to input the
physical server IP as the "Host" value and that IP will replace the incoming request Host field
to satisfy the physical server security check. Here is a sample.
This field supports back references such as $0 to the parts of the original request that
matched any capture groups that you entered in Regular Expression for each object in the
condition table. (A capture group is a regular expression, or part of one, surrounded in
parentheses.)
? $0: a
? $1: b
? $2: cd
? $3: d
? $4: e
? $5: f
URL
Type the string, in our sample, /test.html, that will replace the request URL. Do not include
the name of the web host, such as www.example.com, nor the protocol, which are
configured separately in the Host field and Protocol, respectively.
Like Host, this field supports back references such as $0 to the parts of the original request
that matched any capture groups that you entered in Regular Expression for each object in
the condition table. For an example, see Appendix B for details.
servers/physical servers
Objective
Assume we have a FortiWEB setup as following.
One FortiWEB runs at Inline (Reverse Proxy) mode to protect two physical servers.
The virtual server IP is 10.0.0.2 and physical server IP is 192.168.1.2 for WEB server B with
SSL offloading.
/index.html is a html page on WEB server A and /test.html is a html page on WEB server B.
Assume /index.html of WEB server A is under maintenance and we want the users to use
/test.html of WEB server B as a short term alternative.
Configuration
In order to do achieve requirement, we need to setup a URL rewriting rule as following.
Action
Select Action to be "Redirect". "Rewrite URL" allow you to send a 302 (Moved Temporarily)
response to the client, with a new Location field in the HTTP header.
Condition Table
You can create multiple conditions for a single URL rewrite action to check/match different
parts of an incoming HTTP request. For this sample, only one condition will serve the
purpose.
In the "Regular Expression", we input "/index.html" and select "Meet this condition if" as
"Object matches the regular expression". This will make sure the URL rewrite action will be
taken if we see a request to "index.html".
Protocol
A typical Location field in redirect/302 HTTP header looks like:
Location: https://www.test.com/hello.html
The location field can be divided into three parts: protocol, host and URL.
Here, you choose the protocol to be HTTPS, because WEB server B policy has SSL offloading
turned on.
Host
Type the domain or IP of the host, such as store.example.com or 192.168.1.1. The given
string will be host part of the Location field.
URL
Type the string, in our sample, /test.html, that will replace the request URL. Do not include
the name of the web host, such as www.example.com, nor the protocol, which are
configured separately in the Host field and Protocol, respectively.
Like Host, this field supports back references such as $0 to the parts of the original request
that matched any capture groups that you entered in Regular Expression for each object in
the condition table. For an example, see Appendix B for details.
URL Rewrite HowTo
NOTE: We notice that dividing the Location field into 3 parts even confuses users instead of
making it simple. So in future version, we plan to use a single Location input box to allow
users to input the whole string.
Objective
Assume we have a FortiWEB setup as following.
One FortiWEB runs at Inline (Reverse Proxy) mode to protect one physical server.
/index.html is a html page on WEB server A. Assume /index.html is under maintenance and
we want the users to use /index.html on www.nba.com a short term alternative.
Configuration
In order to do achieve requirement, we need to setup a URL rewriting rule as following.
Action
Select Action to be "Redirect". "Rewrite URL" allow you to send a 302 (Moved Temporarily)
response to the client, with a new Location field in the HTTP header.
Condition Table
You can create multiple conditions for a single URL rewrite action to check/match different
parts of an incoming HTTP request. For this sample, only one condition will serve the
purpose.
In the "Regular Expression", we input "/index.html" and select "Meet this condition if" as
"Object matches the regular expression". This will make sure the URL rewrite action will be
taken if we see a request to "index.html".
Protocol
A typical Location field in redirect/302 HTTP header looks like:
Location: https://www.test.com/hello.html
The location field can be divided into three parts: protocol, host and URL.
Here, you can ignore this seting, because www.nba.com is also running at HTTP.
Host
Type the domain or IP of the host, such as store.example.com or 192.168.1.1. The given
string will be host part of the Location field.
URL
Type the string, in our sample, /index.html, that will replace the request URL. Do not include
the name of the web host, such as www.example.com, nor the protocol, which are
configured separately in the Host field and Protocol, respectively.
Like Host, this field supports back references such as $0 to the parts of the original request
that matched any capture groups that you entered in Regular Expression for each object in
the condition table. For an example, see Appendix B for details.
expressions
Example.edu is a large university. Professors of example.edu use a mixture of WordPress and
Movable Type software for their course web pages to keep students updated. In addition,
the campus bookstore and software store use custom shopping cart software.
The URLs of all of these web applications contain clues about the underlying vendors,
databases and scripting languages.
Because it is a large organization with many mobile users and guests, and an Internet
connection with large bandwidth, the university is therefore a frequent target of attacks. Its
network administrators want to hide the underlying technology to make it more difficult for
attackers to craft platform-specific attacks. Example.edu also wants to make clients’
bookmarked URLs more permanent, so that clients will not need to repair them if the
university switches software vendors.
Because it has so many URLs, the university uses regular expressions to rewrite sets of
similar URLs, rather than configuring rewrites for each URL individually. More specific URL
rewrite rules are selected first in the URL rewriting group, before general ones, due to the
affects of match order on which rewrite rule is applied
Example 1
Regular Expression in URL match condition:
^/cgi/python/ustore/payment.html$
Replace URL:
/store/checkout
/cgi/python/ustore/payment.html
Result:
/store/checkout
Example 2
Regular Expression in URL match condition:
Replace URL:
/store/view
/ustore/viewItem.asp?id=1&img=2
Result:
/store/view
Example 3
Regular Expression in URL match condition:
/Wordpress/(.*)
Replace URL:
/blog/$0
/wordpress/10/11/24
Result:
/blog/10/11/24
Example 4
Regular Expression in URL match condition:
/(.*)\.xml
Replace URL:
/$0
/index.xml
Result:
The administrator does not want to rewrite matching requests into a single URL. Instead, she
wants each rewritten URL to re-use parts of the original request.
To assemble the rewritten URL by re-using the original request’s file path and Host:, the
administrator uses two variables: $0 and $1. Each variable refers to a part of the original
request. The parts are determined by which capture group was matched in the Regular
Expression of each condition table object.
* $0: The text that matched the first capture group (.*). In this case, because the object is
the Host: field, the matching text is the host name, www.example.com.
* $1: The text that matched the second capture group, which is also (.*). In this case,
because the object is the request URL, the matching text is the file path, news/local.
Example 1
Example Request:
www.example.com
Replacement:
Host: $0
Result:
URL Rewrite HowTo
www.example.com
Example 2
Example Request:
/news/local.asp
Replacement:
URL: $1.php
Result:
/news/local.php
All the evasion protections are built in, so we can protect most of these attacks
automatically, and the real attacks will be blocked and logged.