Web cache configuration
Forwarding URLs to forwarding servers and exempting web sites from web caching
You can go to Network > Explicit Proxy and use the URL match list to forward URL patterns to forwarding servers and create a list of URLs that are exempt from web caching.
Forwarding URLs and URL patterns to forwarding servers
As part of configuring the explicit web proxy you can configure proxy chaining by adding web proxy forwarding servers. See Proxy chaining (web proxy forwarding servers) .
You can then use the URL match list to always forward explicit web proxy traffic destined for configured URLs or URL patterns to one of these forwarding servers. For example, you might want to forward all traffic for a specific country to a proxy server located in that country.
To forward traffic destined for a URL to a forwarding server that you have already added, go to Network > Explicit Proxy and select Create New. Add a name for the URL match entry and enter the URL or URL pattern. You can use wildcards such as * and ? and you can use a numeric IP address. Select Forward to Server and select a web proxy forwarding server from the list.
You can also exempt the URL or URL pattern from web caching.
Use the following command to forward all .ca traffic to a proxy server and all .com traffic to another proxy server.
config web-proxy url-match edit “com” set forward-server “server-commercial” set url-pattern “com”
next edit “ca” set forward-server “server-canada” set url-pattern “ca”
next
edit “www.google.ca” set cache-exemption enable set url-pattern “www.google.ca”
next
end
Exempting web sites from web caching
You may want to exempt some URLs from web caching for a number of reasons. For example, if your users access websites that are not compatible with FortiGate web caching you can add the URLs of these web sites to the web caching exempt list. You can add URLs and numeric IP addresses to the web cache exempt list.
You can also add URLs to the web cache exempt list by going to Network > Explicit Proxy, going to the URL Match List
Web cache configuration Forwarding URLs to forwarding servers and exempting web sites from web caching
and selecting Create New. Add a URL pattern to be exempt and select Exempt from Cache.
You can also add URLs and addresses to be exempt from caching using the CLI. Enter the following command to add www.example.com to the web cache exempt list:
config web-proxy url-match set cache-exemption enable set url-pattern www.example.com
end
Exempting specific files from caching
You can exempt files from being cached, so long as you specify its full URL. Enter the following command to add the URL, with the file extension (in this example, .exe), to the web cache exempt list:
config web-proxy url-match edit “exe” set url-pattern “iavs9x.u.avast.com/custom/iavs9x/20160613t1237z/avast_free_ antivirus_setup_online.exe”
set cache-exemption enable
next end
Monitoring web caching performance
The web cache monitor shows the percentage of web cache requests that retrieved content from the cache (hits) and the percentage that did not receive content from the cache (misses). A higher the number of hits usually indicates that the web cache is being more effective at reducing WAN traffic.
The web cache monitor also shows a graph of web traffic on the WAN and LAN. A lower WAN line on the graph indicates the web cache is reducing traffic on the WAN. The web cache monitor also displays the total number of web requests processed by the web cache.
To view the web cache monitor, go to Monitor > Cache Monitor.
Web cache monitor
Example web caching of HTTP and HTTPS Internet content for users on an internal network
This example describes how to configure web caching of HTTP and HTTPS for users on a private network connecting to the Internet.
Network topology and assumptions
This example includes a client network with subnet address 10.31.101.0 connecting to web servers on the
Internet. All of the users on the private network access the Internet though a single general security policy on the FortiGate unit that accepts all sessions connecting to the Internet. Web caching for HTTP and HTTPS traffic is added to this security policy.
Since users on the private network have unrestricted access to the Internet and can be accessing many web servers the webcache-https is set to any and users may see error messages on their web browsers when accessing HTTPS content.
The GUI is less versatile than the CLI so the example instructions for the GUI give settings for one port for each protocol, while the CLI example shows how to use multiple ports.
Web cache configuration Example web caching of HTTP and HTTPS Internet content for users on an internal network
The example also describes how to configure the security policy to cache HTTP traffic on port 80 and 8080 in the CLI, by adding a proxy options profile that looks for HTTP traffic on TCP ports 80 and 8080. The example also describes how to configure the security policy to cache HTTPS traffic on port 443 and 8443 using the same proxy options profile.
Example web caching topology
General configuration steps
This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:
- Add HTTP web caching to the security policy that all users on the private network use to connect to the Internet.
- Add HTTPS web caching.
- Add a protocol options profile to look for HTTP traffic on ports 80 and 8080 and HTTPS traffic on ports 443 and 8443 and add this protocol options profile to the security policy.
If you perform any additional actions between procedures, your configuration may have different results.
Configuration steps – web-based manager
Use the following steps to configure the example configuration from the FortiGate web-based manager.
To add HTTP web caching to a security policy
- Go to Policy & Objects > IPv4 Policyand add a security policy that allows all users on the internal network to access the Internet.
Incoming Interface | Internal |
Outgoing Interface | wan1 |
Source | all |
Destination | all |
Schedule | always |
Service | ALL |
Action | ACCEPT |
- Toggle NAT to enabled, and select Use Outgoing Interface Address.
- Turn on Web cache.
- Select OK.
Example web caching of HTTP and HTTPS Internet content for users on an internal network Web cache configuration
To add HTTPS web caching
- From the CLI enter the following command to add HTTPS web caching to the policy.
Assume the index number of the policy is 5.
config firewall policy edit 5 set webcache-https any
end
To cache HTTP traffic on port 80 and HTTPS on 8443
- Go to Network > Explicit Proxy and edit the Explicit Proxy options profile. 2. Under Explicit Web Proxy , l For the HTTP port, enter 80.
l For HTTPS port, select Specify and enter 8443 in the field.
- Click on Apply.
Configuration steps – CLI
Use the following steps to configure the example configuration from the FortiGate CLI.
To add HTTP and HTTPS web caching to a security policy
- Enter the following command to add a security policy that allows all users on the internal network to access the Internet and that includes web caching of HTTP and HTTPS traffic.
config firewall policy edit 0 set srcintf internal set srcaddr all set dstintf wan1 set distinf all set schedule always set service ANY set action accept set nat enable set webcache enable set webcache-https any
end
To cache HTTP traffic on port 80 and 8080 and HTTPS traffic on ports 443 and 8443
- Enter the following command to edit the default proxy options profile to configure it to look for HTTP traffic on ports 80 and 8080:
config firewall profile-protocol-options edit default config http set status enable set ports 80 8080
Web cache Example reverse proxy web caching and SSL offloading for an Internet web server using a static configuration one-to-one virtual IP
end
- Enter the following command to edit the certification-inspection SSL SSH options profile to configure it to look for HTTPS traffic on ports 443 and 8443:
config firewall ssl-ssh-profile edit certificate-inspection config https set status certificate-inspection
set ports 443 8443 end
- Enter the following command to add the default proxy options profile and the certificate-inspection SSL SSH profile to the firewall policy.
config firewall policy edit 5 set utm-status enable set profile-protocol-options default set ssl-ssh-profile certificate-inspection end
Example reverse proxy web caching and SSL offloading for an Internet web server using a static one-to-one virtual IP
This section describes configuring SSL offloading for a reverse proxy web caching configuration using a static one-to-one firewall virtual IP (VIP). While the static one-to-one configuration described in this example is valid, its also common to change the destination port of the unencrypted HTTPS traffic to a commonly used HTTP port such as 8080 using a port forwarding virtual IP.
Network topology and assumptions
In this configuration, clients on the Internet use HTTP and HTTPS to browse to a web server that is behind a FortiGate unit. A policy added to the FortiGate unit forwards the HTTP traffic to the web server. The policy also offloads HTTPS decryption and encryption from the web server so the web server only sees HTTP traffic.
The FortiGate unit also caches HTTP and HTTPS pages from the web server so when users access cached pages the web server does not see the traffic. Replies to HTTPS sessions are encrypted by the FortiGate unit before returning to the clients.
In this configuration, the FortiGate unit is operating as a web cache in reverse proxy mode. Reverse proxy caches can be placed directly in front of a web server. Web caching on the FortiGate unit reduces the number of requests that the web server must handle, therefore leaving it free to process new requests that it has not serviced before.
Using a reverse proxy configuration:
l avoids the capital expense of additional web servers by increasing the capacity of existing servers l serves more requests for static content from web servers l serves more requests for dynamic content from web servers l reduces operating expenses including the cost of bandwidth required to serve content l accelerates the response time of web servers and of page download times to end users.
Example reverse proxy web caching and SSL offloading for an Internet web server using a static one-to-one virtual IP | Web cache configuration |
When planning a reverse proxy implementation, the web server’s content should be written so that it is “cache aware” to take full advantage of the reverse proxy cache.
In reverse proxy mode, the FortiGate unit functions more like a web server for clients on the Internet. Replicated content is delivered from the proxy cache to the external client without exposing the web server or the private network residing safely behind the firewall.
In this example, the site URL translates to IP address 192.168.10.1, which is the port2 IP address of the FortiGate unit. The port2 interface is connected to the Internet.
This example assumes that all HTTP traffic uses port 80 and all HTTPS traffic uses port 443.
The FortiGate unit includes the web server CA and an SSL server configuration for IP address 172.10.20.30 and port to 443. The name of the file containing the CA is Rev_Proxy_Cert_1.crt.
The destination address of incoming HTTP and HTTPS sessions is translated to the IP address of the web server using a static one-to-one virtual IP that performs destination address translation (DNAT) for the HTTP packets. The DNAT translates the destination address of the packets from 192.168.10.1 to 172.10.20.30 but does not change the destination port number.
When the SSL server on the FortiGate unit decrypts the HTTPS packets their destination port is changed to port 80.
Reverse proxy web caching and SSL offloading for an Internet web server using static one-to-one virtual IPs
General configuration steps
This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:
- Configure the FortiGate unit as a reverse proxy web cache server.
- Configure the FortiGate unit for SSL offloading of HTTPS traffic.
- Add an SSL server to offload SSL encryption and decryption for the web server.
Also note that if you perform any additional actions between procedures, your configuration may have different results.
Web cache
configuration |
Example reverse proxy web caching and SSL offloading for an Internet web server using a static one-to-one virtual IP |
Configuration steps – web-based manager
To configure the FortiGate unit as a reverse proxy web cache server
- Go to Policy & Objects > Virtual IPsand select Create New to add a static NAT virtual IP that translates destination IP addresses from 192.168.10.1 to 172.10.20.30 (and does not translate destination ports):
VIP Type | IPv4 |
Name | Reverse_proxy_VIP |
Interface | port2 |
Type | Static NAT |
Optional Filters | Do not select. |
External IP Address/Range | 192.168.10.1 |
Mapped IP Address/Range | 172.10.20.30 |
Port Forwarding | Do not select. |
- Select OK.
- Go to Policy & Objects > IPv4 Policy and select Create New to add a port2 to port1 security policy that accepts HTTP and HTTPS traffic from the Internet.
Do not select security profiles. Set the destination address to the virtual IP. You do not have to enable NAT.
Incoming Interface | port2 |
Outgoing Interface | port1 |
Source | all |
Destination | Reverse_proxy_VIP |
Schedule | always |
Service | HTTP HTTPS |
Action | ACCEPT |
- Turn on Web Cache.
- Select OK.
- From the CLI enter the following command to add HTTPS web caching to the security policy
Assume the index number of the policy is 5.
config firewall policy edit 5 set webcache-https ssl-server
Example reverse proxy web caching and SSL offloading for an Internet web server using a static Web cache one-to-one virtual IP configuration
end
To configure the FortiGate unit to offload SSL encryption and cache HTTPS content
- Go to System > Certificates and select Import to import the web server’s CA.
For Type, select Local Certificate. Select the Browse button to locate the file (example file name: Rev_Proxy_
Cert_1.crt).
The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
- Select OK to import the certificate.
- From the CLI, enter the following command to add the SSL server and to add the server’s certificate to the SSL server.
The SSL server ip must match the destination address of the SSL traffic after being translated by the virtual IP (172.10.20.30) and the SSL server port must match the destination port of the SSL traffic (443). The SSL server operates in half mode since it performs a single-step conversion (HTTPS to HTTP or HTTP to HTTPS).
config firewall ssl-server edit rev_proxy_server set ip 172.10.20.30 set port 443 set ssl-mode half set ssl-cert Rev_Proxy_Cert_1 end
Configuration steps – CLI
To configure the FortiGate unit as a reverse proxy web cache server
- Enter the following command to add a static NAT virtual IP that translates destination IP addresses from 192.168.10.1 to 172.10.20.30 (and does not translate destination ports):
config firewall vip edit Reverse_proxy_VIP set extintf port2 set type static-nat set extip 192.168.10.1 set mappedip 172.10.20.30
end
- Enter the following command to add a port2 to port1 security policy that accepts HTTP and HTTPS traffic from the Internet. Enable web caching and HTTPS web caching.
Do not select security profiles. Set the destination address to the virtual IP. You do not have to enable NAT.
config firewall policy edit 0 set srcintf port2 set srcaddr all set dstintf port1 set dstaddr Reverse_proxy_VIP set schedule always set service HTTP HTTPS set action accept
set webcache enable set webcache-https ssl-server
end
To add an SSL server to offload SSL encryption and decryption for the web server
- Place a copy of the web server’s CA (file name Rev_Proxy_Cert_1.crt) in the root folder of a TFTP server.
- Enter the following command to import the web server’s CA from a TFTP server. The IP address of the TFTP server is 10.31.101.30:
execute vpn certificate local import tftp Rev_Proxy_Cert_1.crt 10.31.101.30 The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
- From the CLI, enter the following command to add the SSL server.
The SSL server ip must match the destination address of the SSL traffic after being translated by the virtual IP (172.10.20.30) and the SSL server port must match the destination port of the SSL traffic (443). The SSL server operates in half mode since it performs a single-step conversion (HTTPS to HTTP or HTTP to HTTPS).
config firewall ssl-server edit rev_proxy_server set ip 172.10.20.30 set port 443 set ssl-mode half set ssl-cert Rev_Proxy_Cert_1
end
- Configure other ssl-server settings that you may require for your configuration.
Using a FortiCache as a cache service
Some FortiGate devices don’t have sufficient memory or disk space to run a cache service. This feature allows a FortiGate to connect to a FortiCache that has a higher cache capability than most FortiGates.
Syntax:
config wanopt remote-storage set status {enable|disable} set local-cache-id <name ID for connection> set remote-cache-id <ID of the remote device> set remote-cache-ip <IP address of the remote device> end
Option | Description |
status | Enable or disable whether the FortiGate uses a remote caching device as web-cache storage. If disabled, uses local disk(s) as web storage. |
localcache-id | ID that this device uses to connect to the remote caching device |
Option | Description |
remotecache-id | ID of the remote caching device that this FortiGate connects to |
remotecache-ip | IP address of the remote caching device that this FortiGate connects to. |