Fortinet 5.0 Patch 6 Rewriting & redirecting

Fortinet 367 FortiWeb 5.0 Patch 6 Administration Guide

Rewriting & redirecting

Rewriting or redirecting HTTP requests and responses is popular, and can be done for many

reasons.

Similar to error message cloaking, URL rewriting can prevent the disclosure of underlying

technology or web site structures to HTTP clients.

For example, when visiting a blog web page, its URL might be:

http://www.example.com/wordpress/?feed=rss2

Simply knowing the file name, that the blog uses PHP

, its compatible database types, and the

names of parameters via the URL could help an attacker to craft an appropriate attack for that

platform. By rewriting the URL to something more human-readable and less platform-specific,

the details can be hidden:

http://www.example.com/rss2

Aside from for security, rewriting and redirects can be for aesthetics or business reasons.

Financial institutions can transparently redirect customers that accidentally request HTTP:

http://bank.example.com/login

to authenticate and do transactions on their secured HTTPS site:

https://bank.example.com/login

Additional uses could include:

• During maintenance windows, requests can be redirected to a read-only server.

• International customers can use global URLs, with no need to configure the back-end web

servers to respond to additional HTTP virtual host names.

• Shorter URLs with easy-to-remember phrases and formatting are easier for customers to

understand, remember, and return to.

Much more than their name implies, “URL rewriting rules” can do all of those things, and more:

• redirect HTTP requests to HTTPS

• rewrite the URL line in the header of an HTTP request

• rewrite the Host: field in the header of an HTTP request

• rewrite the Referer: field in the header of an HTTP request

• redirect requests to another web site

• send a 403 Forbidden response to a matching HTTP requests

• rewrite the HTTP location line in the header of a matching redirect response from the web

server

• rewrite the body of an HTTP response from the web server

Rewrites will work on single requests as well as those that have been fragmented using:

Tranfer-Encoding: chunked

Rewrites/redirects are not supported in all modes. See “Supported features in each operation

mode” on page 62.

FortiWeb cannot rewrite requests that exceed FortiWeb’s buffer size. To block requests that

cannot be rewritten, configure Malformed Request.