Example: HTTPS Proxy Action with Domain Name Rules
This example shows how to configure an HTTPS proxy with domain name rules to redirect inbound HTTPS requests to different internal web servers based on the subdomain. Content inspection is not enabled for this example. Domain name rules in the proxy action specify the routing actions based on the server domain in the SNI (Server Name Indication) extension for TLS, or in the server certificate as the CN (Common Name).
In an HTTPS proxy action, you can add domain name rules that specify an action to take when the server domain in an HTTPS request matches a specified pattern. This example does not include all steps required to configure domain name rules. For detailed configuration steps, go to HTTPS-Proxy: Domain Name Rules.
For this example, an organization has three servers on the private network and they want to use a single public IP address for inbound HTTPS connections to all servers.
For this example:
- A blog is hosted on the web server at 10.1.5.8
- A registration site is on the web server at 10.1.5.13
- The organization's website is on the web server at 10.1.5.80
You can configure an HTTPS proxy action with domain name rules to allow inbound connections to all of these servers at the same public IP address. The domain name rules redirect HTTPS requests to specific internal servers, based on the domain name. All other HTTPS requests go to the main web server specified in the SNAT action in the policy destination.
Domain name rules must match a domain name and cannot contain a path.
For this example, the content action contains domain name rules with these settings:
Domain Name Rule | Pattern Match Value | Routing Action |
---|---|---|
Blog | blog.example.com | 10.1.5.8 |
Registration | registration.example.com | 10.1.5.13 |
Action to take if no rule above is matched | N/A | Use Policy Default (10.1.5.80) |
In the HTTPS proxy action, domain name rules are configured to route traffic to the blog and registration servers. The proxy action is configured to route traffic to the policy default destination if no rules are matched. This directs all other web traffic to the default server specified in the SNAT action in the policy. All rules use port 443, the default port for HTTPS.
In the HTTP proxy policy, the default destination is an SNAT action that routes HTTP requests to the main web server at 10.1.5.80.
The SNAT action is used only when the domain name rules specify Use Policy Default.