An HTTP content action enables the Firebox to route inbound HTTP requests or decrypted HTTPS requests to different internal web servers based on the content of the HTTP host header and HTTP request. Use a content action when you want to reduce the number of public IP addresses required for connections to public web servers behind the Firebox or if you want to offload TLS/SSL encryption from an internal web server to the Firebox.
HTTP content actions have two main functions:
Host Header Redirect
A content action can route inbound HTTP requests to different internal web servers based on the combination of the domain in the HTTP host header and the path in the HTTP request. In a content action you can create content rules to route inbound requests to each internal server. This enables you to use the same public IP address for more than one server protected by the Firebox.
If you enable TLS/SSL Offload in a content action, and then use that content action for content inspection in an HTTPS proxy action, the Firebox decrypts the inbound requests, and then sends unencrypted traffic to the internal web server. This eliminates the need for the internal web server to encrypt and decrypt TLS and SSL connections.
You can use content actions in inbound HTTP proxy and HTTPS proxy policies.
To redirect HTTPS requests based on the domain name without content inspection, you can specify a routing action in a domain name rule in the HTTPS server proxy action. For more information, see HTTPS-Proxy: Domain Name Rules.
For examples of how to use content actions and domain name rules in proxy policies, see HTTP Content Action and Domain Name Rule Examples.
About Content Rules
In a content action you specify content rules for HTTP requests to each internal server. In the content rule you specify a pattern to match in the HTTP host header and HTTP request. In each content rule you also specify a routing action to send the request to a specific internal server, or to use the NAT settings in the proxy policy.
If the domain and path of a request matches a pattern in a content rule, the content action takes the specified action. If the domain and path of a request does not match a content rule, the content action takes the default action configured in the content action.
Routes specified in the content action override the NAT settings configured in the policy. When you configure a proxy policy to use a content action, the NAT settings configured in the policy are not used unless you specify Use Policy Default in the content action.
For information about how to configure an HTTP content action, see Configure HTTP Content Actions
After you configure a content action, you can use it in an HTTP proxy policy or in an HTTPS proxy action for content inspection.
About HTTP Requests
When a user browses to a URL, the browser sends the URL as an HTTP request. The HTTP request includes a request method that specifies the path and a host header that contains the domain name. For example, if you browse to the Support section of watchguard.com, the HTTP request includes this information:
GET /wgrd-support/overview HTTP/1.1
In a content rule, you can specify a pattern to match the domain in the host header, the path in the request, or both.