Example: HTTPS Proxy Action with an HTTP Content Action

This example shows how to configure an HTTPS proxy with an HTTP content action to direct inbound requests to different internal web servers based on the content of the HTTP host header and the path in the decrypted HTTP request. This type of routing is sometimes referred to as host header redirect.

In this example, content inspection is enabled in the HTTPS-Server proxy action. To use content actions with the HTTPS proxy, you must enable content inspection. To route HTTPS requests based on the domain without content inspection, you can configure domain name rules in the proxy action. For an example, go to Example: HTTPS Proxy Action with Domain Name Rules.

The Firebox must have the correct certificates to decrypt and route incoming HTTPS requests to different internal web servers based on the content of the HTTP host header and path. Make sure you have imported the certificates and private keys from all the internal web servers into the Firebox as proxy server certificates.

This example does not include all steps required to configure a content action. For detailed configuration steps, go to Configure HTTP Content Actions.

In this example, an organization has two web servers on the private network and wants to use a single public IP address for inbound HTTPS connections to both servers.

Diagram of a Firebox with two web servers on the private network

In this example:

  • Videos are on the web server at 10.1.5.32
  • Main web portal is on the web server at 10.1.5.80

The example configuration uses an HTTP content action to redirect decrypted HTTP requests based on the domain in the HTTP host header and path in the HTTP request. All requests that do not match a content rule go to the IP address specified in an SNAT action in the HTTPS proxy policy.

For this example, the content action is configured with these content rules:

| Content Rule Name | Pattern Match Value | Routing Action |
| Videos | *.blog.example.com/videos/* | 10.1.5.32 |
| Action to take if no rule above is matched | N/A | Use Policy Default (10.1.5.80) |

The configuration includes an HTTP content action.

Screen shot of the HTTP Content Action Settings page for this example

The content action contains a content rule to route traffic to the video server based on a pattern match to the domain and path.

Screen shot of the Edit Rule dialog box for the content rule in Fireware Web UI

If the domain and path in an HTTP request do not match the content rule, the content action routes the request to the destination specified in the policy.

Screen shot of the Action to take if no rule above is matched setting

The HTTPS proxy uses an HTTPS-Server proxy action with content inspection enabled.

Screenshot of Fireware Web UI Proxy Action tab with content inspection enabled

No domain name rules are configured in the proxy action, because this example uses a content action to route based on the content of the decrypted HTTP host header. The proxy action specifies the Inspect action and the configured content action.

Screen shot of the Action to Take settings

In the HTTPS proxy policy, the default destination is a SNAT action that routes HTTPS requests to the main web server at 10.1.5.80.

Screen shot of an HTTPS Proxy policy, Settings tab with an SNAT action configured

The SNAT action is used only when the content action specifies Use Policy Default. In this example, the SNAT action is used when a request does not match the content rule configured in the content action.
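To check which requests reach each server before you rely on the rule, you can model the routing decision from this example offline. The Python code below is an added illustration, not WatchGuard code or Firebox configuration. It assumes shell-style wildcard matching (Python fnmatch) against the host header joined to the path, with any port and query string ignored, which may differ from the Firebox's own matcher; the function names and sample requests are constructed.

```python
from fnmatch import fnmatchcase

# Content rules from the table in this example: (name, pattern, destination).
CONTENT_RULES = [("Videos", "*.blog.example.com/videos/*", "10.1.5.32")]
# "Use Policy Default": the SNAT action in the HTTPS proxy policy.
POLICY_DEFAULT = "10.1.5.80"


def match_target(host_header: str, path: str) -> str:
    """Build the string the pattern is compared against (assumed: host + path)."""
    host = host_header.strip().lower()  # host names are case-insensitive
    # Assumption: a ":port" suffix in the Host header is ignored for matching.
    if ":" in host and not host.endswith("]"):
        host = host.rsplit(":", 1)[0]
    # Assumption: the query string is not part of the matched path.
    return host + path.split("?", 1)[0]


def route(host_header: str, path: str) -> tuple[str, str]:
    """Return (rule name, destination IP) for a decrypted request."""
    target = match_target(host_header, path)
    for name, pattern, destination in CONTENT_RULES:
        if fnmatchcase(target, pattern):
            return name, destination
    return "Use Policy Default", POLICY_DEFAULT


# Constructed sample requests (Host header, request path).
SAMPLES = [
    ("www.blog.example.com", "/videos/intro.mp4"),
    ("WWW.Blog.Example.com:443", "/videos/a/b.mp4?t=10"),
    ("www.blog.example.com", "/articles/1"),
    ("blog.example.com", "/videos/intro.mp4"),   # no subdomain label
    ("www.example.com", "/videos/intro.mp4"),    # different domain
]

if __name__ == "__main__":
    for host, path in SAMPLES:
        name, dest = route(host, path)
        print(f"{host}{path} -> {dest} ({name})")
```

In this model the leading `*.` requires a subdomain label, so a request for blog.example.com/videos/ goes to the policy default; confirm the same cases against the Firebox itself before you depend on them.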

If you did not want to encrypt the traffic between the Firebox and the video server, you could enable TLS/SSL Offloading in the content rule in the content action. This reduces CPU load on the Firebox and the web server. For more information about TLS/SSL Offloading, go to Use an HTTP Content Action for TLS/SSL Offloading.

Related Topics

About the HTTPS-Proxy

About Content Actions

HTTPS-Proxy: Content Inspection

Configure HTTP Content Actions