Support User Manuals

Fortinet 5.0 Patch 6 Microscope & Magnifier User Manual

Open as PDF

of 705

Fortinet 373 FortiWeb 5.0 Patch 6 Administration Guide

9. If you selected HTTP Referer from Object, also configure the following:

10.Click OK.

11.Repeat the previous two steps until you have defined all matching HTTP requests or

responses that should be rewritten as defined in this rule.

12.Group the URL rewrite rule in a URL rewriting policy (see “Grouping rewriting & redirection

rules” on page 385).

13.If you are rewriting a response from the web server, and it is compressed, configure a

decompression rule so that FortiWeb will be able to rewrite. See “Configuring

decompression to enable scanning & rewriting” on page 460.

See also

• Grouping rewriting & redirection rules

• Example: HTTP-to-HTTPS redirect

• Example: Full host name/URL translation

• Example: Sanitizing poisoned HTML

• Example: Rewriting URLs using regular expressions

• Example: Rewriting URLs using variables

• Regular expression syntax

• What are back-references?

• Cookbook regular expressions

Example: HTTP-to-HTTPS redirect

Example.com is a business-oriented social media provider. Its clients require that attackers

cannot fraudulently post comments. If an attacker can post while disguised as originating from

the client’s business, as this could enable an attacker to ruin a business’s reputation.

To provide clients with protection from HTTP session hijacking tools such as Firesheep,

Example.com w

ants to automatically redirect all HTTP requests to HTTPS. This way, before the

client attempts to log in and exposes both their credentials and HTTP session ID to an

eavesd

ropper, the response and subsequent requests are SSL/TLS encrypted, and thereby

protected.

To do this, example.com will apply a rewriting rule that matches

all HTTP requests, regardless of

host name variations or URL, such as:

http://www.example.com/login

http://www.example.co.jp/

Sett

ing

name

Description

If no

Referer

field in

HTTP

header

Select either:

• Do not meet this condition

• Meet this condition

Requests can lack a Referer: field for several reasons, such as if the user

manually types the URL, and the request does not result from a hyperlink

from another web site, or if the URL resulted from an HTTPS connection. (See

the RFC 2616 section on the Referer: field.) In those cases, the field cannot

be tested for a matching value.

This option appears only if Object is HTTP Referer.

previous next