Example: HTTPS Proxy Action with an HTTP Content Action
This example shows how to configure an HTTPS proxy with an HTTP content action to direct inbound requests to different internal web servers based on the content of the HTTP host header and the path in the decrypted HTTP request. This type of routing is sometimes referred to as host header redirect.
In this example, content inspection is enabled in the HTTPS-Server proxy action. To use content actions with the HTTPS proxy, you must enable content inspection. To route HTTPS requests based on the domain without content inspection, you can configure domain name rules in the proxy action. For an example, go to Example: HTTPS Proxy Action with Domain Name Rules.
The Firebox must have the correct certificates to decrypt and route incoming HTTPS requests to different internal web servers based on the content of the HTTP host header and path. Make sure you have imported the certificates and private keys from all the internal web servers into the Firebox as proxy server certificates.
This example does not include all steps required to configure a content action. For detailed configuration steps, go to Configure HTTP Content Actions.
In this example, an organization has two web servers on the private network and wants to use a single public IP address for inbound HTTPS connections to both servers.
In this example:
- Videos are on the web server at 10.1.5.32
- Main web portal is on the web server at 10.1.5.80
The example configuration uses an HTTP content action to redirect decrypted HTTP requests based on the domain in the HTTP host header and path in the HTTP request. All requests that do not match a content rule go to the IP address specified in an SNAT action in the HTTPS proxy policy.
For this example, the content action is configured with these content rules:
Content Rule Name | Pattern Match Value | Routing Action |
---|---|---|
Videos | *.blog.example.com/videos/* | 10.1.5.32 |
Action to take if no rule above is matched | N/A | Use Policy Default (10.1.5.80) |
The configuration includes an HTTP content action.
The content action contains a content rule to route traffic to the video server based on a pattern match to the domain and path.
If the domain and path in an HTTP request do not match the content rule, the content action routes the request to the destination specified in the policy.
The HTTPS proxy uses an HTTPS-Server proxy action with content inspection enabled.
No domain name rules are configured in the proxy action, because this example uses a content action to route based on the content of the decrypted HTTP host header. The proxy action specifies the Inspect action and the configured content action.
In the HTTPS proxy policy, the default destination is a SNAT action that routes HTTPS requests to the main web server at 10.1.5.80.
The SNAT action is used only when the content action specifies Use Policy Default. In this example, the SNAT action is used when a request does not match the content rule configured in the content action.
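To check which internal server a given request would reach before you deploy the rule, the routing decision described above can be modeled offline. This is an added example, not WatchGuard code. It assumes simple wildcard semantics (`*` matches any run of characters, as in Python's `fnmatchcase`) and the host and path normalization noted in the comments. The function names and sample requests are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Values taken from the content rule table and the SNAT action on this page.
CONTENT_RULES = [("Videos", "*.blog.example.com/videos/*", "10.1.5.32")]
POLICY_DEFAULT = "10.1.5.80"


def match_value(host_header, path):
    """Join host and path into the string compared against a rule pattern.

    Assumptions of this model: the port is dropped, the host is compared
    case-insensitively, and the query string is not part of the match.
    """
    host = host_header.strip().lower().split(":", 1)[0].rstrip(".")
    return host + path.split("?", 1)[0]


def route(host_header, path):
    """Return (rule name or None, destination IP); the first matching rule wins."""
    value = match_value(host_header, path)
    for name, pattern, destination in CONTENT_RULES:
        if fnmatchcase(value, pattern):
            return name, destination
    return None, POLICY_DEFAULT


# Constructed sample requests: (Host header, request path).
SAMPLES = [
    ("www.blog.example.com", "/videos/intro.mp4"),
    ("WWW.Blog.Example.com:443", "/videos/"),
    ("blog.example.com", "/videos/intro.mp4"),   # no label before ".blog"
    ("www.blog.example.com", "/videos"),         # no trailing slash
    ("www.example.com", "/videos/intro.mp4"),    # different domain
]

if __name__ == "__main__":
    for host, path in SAMPLES:
        name, dest = route(host, path)
        print(f"{host}{path} -> {dest} ({name or 'Use Policy Default'})")
```

In this model, requests for the bare `blog.example.com` domain and for `/videos` without a trailing slash do not match the Videos rule and go to the policy default, so confirm the pattern covers every URL you intend to send to the video server.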
If you did not want to encrypt the traffic between the Firebox and the video server, you could enable TLS/SSL Offloading in the content rule in the content action. This reduces CPU load on the Firebox and the web server. For more information about TLS/SSL Offloading, go to Use an HTTP Content Action for TLS/SSL Offloading.