Configure HTTP Content Actions
An HTTP content action enables the Firebox to route inbound HTTP requests to different internal web servers based on the content of the HTTP host header and the path in the HTTP request. Because a content action can redirect requests to different servers based on the domain in the host header, this type of routing is sometimes known as host header redirect. You can use an HTTP content action in HTTP proxy policies and for content inspection in an HTTPS server proxy action. For more information, go to About Content Actions.
In a content action, you add content rules with these settings:
- A domain or path to match
- An HTTP proxy action to use
- A routing action, which can be the policy default, or an IP address
- HTTP and HTTPS ports
- TLS/SSL Offload setting
The HTTPS port and TLS/SSL Offload settings apply only when the content action is used in an HTTPS proxy action for content inspection.
You can specify multiple content rules to direct HTTP requests to different internal servers. To determine which content rule to use, the Firebox compares the pattern you specify in the content rule to the domain and path in the HTTP request. The pattern in a content rule can match a domain, a path or both. For example:
- example.com/*
- wiki.example.net/*
- */wiki/*
- blog.example.net/resource/*
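The following is an added example, not WatchGuard code: a simplified Python model for checking which content rule a request would select and which requests match more than one rule. It assumes patterns behave like shell-style globs over `domain/path` with only `*` and `?` as wildcards, that the host is compared case-insensitively, and that the first matching rule in list order wins; rule names and server IP addresses are placeholders.

```python
from fnmatch import fnmatchcase

# Constructed rule set built from the four patterns listed above.
# Rule names and server IP addresses are placeholders, not from the page.
RULES = [
    ("site",    "example.com/*",               "10.0.1.10"),
    ("wiki",    "wiki.example.net/*",          "10.0.1.20"),
    ("anywiki", "*/wiki/*",                    "10.0.1.30"),
    ("blog",    "blog.example.net/resource/*", "10.0.1.40"),
]
DEFAULT = "policy-default"  # stands in for the "no rule is matched" action

def request_key(host_header, path):
    """Join Host header and path into the 'domain/path' form the patterns use."""
    host = host_header.strip().lower()   # assumption: host compared case-insensitively
    if not host.startswith("["):         # leave bracketed IPv6 literals untouched
        host = host.split(":", 1)[0]     # drop an explicit port such as :8080
    return host.rstrip(".") + (path if path.startswith("/") else "/" + path)

def matching_rules(host_header, path, rules=RULES):
    """Names of every rule whose pattern matches, in list order."""
    key = request_key(host_header, path)
    return [name for name, pattern, _ in rules if fnmatchcase(key, pattern)]

def route(host_header, path, rules=RULES, default=DEFAULT):
    """Assumption: first matching rule wins; otherwise the default applies."""
    key = request_key(host_header, path)
    for name, pattern, target in rules:
        if fnmatchcase(key, pattern):
            return name, target
    return None, default

def overlaps(samples, rules=RULES):
    """Sample requests matched by more than one rule, where order decides routing."""
    found = {}
    for host, path in samples:
        names = matching_rules(host, path, rules)
        if len(names) > 1:
            found[(host, path)] = names
    return found

# Constructed sample requests (Host header, path).
SAMPLES = [("example.com", "/index.html"), ("wiki.example.net", "/wiki/Home"),
           ("example.com", "/wiki/page"), ("blog.example.net", "/wiki/x"),
           ("www.example.com", "/"), ("EXAMPLE.com:8080", "/")]

if __name__ == "__main__":
    for host, path in SAMPLES:
        print(host, path, "->", route(host, path), matching_rules(host, path))
    print("overlapping:", overlaps(SAMPLES))
```

In this model `www.example.com/` falls through to the no-match action, and two samples match both a host rule and `*/wiki/*`; those are the cases to review before you deploy a rule set.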
There is one predefined content action, HTTP-Content.Standard. This predefined action uses the predefined proxy action HTTP-Server.Standard and uses the policy defaults for routing. You can clone the predefined content action but you cannot delete it. If you edit the predefined content action, you must save it as a clone.
Configure an HTTP Content Action
- Select Firewall > Content Actions.
The list of content actions appears.
- Select a content action.
- To edit the content action, click Edit.
Or, to copy a content action to a new content action that you can edit, click Clone.
The HTTP Content Action Settings page appears.
- In the Name text box, specify a name for the content action, or use the default name.
- In the Description text box, update the description for this content action.
- To add a content rule, click Add.
The Add Rule dialog box appears.
- In the Rule Name text box, type a name to identify this rule.
- From the Match Type drop-down list, select one of these options to match with HTTP requests:
  - Exact Match — Specify an exact domain or a domain and path.
  - Pattern Match — Specify a pattern to match a domain, path, or both.
  - Regular Expression — Specify a pattern as a regular expression.
- In the Value text box, type the text to match for this rule. If you selected Pattern Match as the rule setting, use an asterisk (*), a period (.), or a question mark (?) as wildcard characters.
- From the Proxy Action drop-down list, select an HTTP server proxy action to use.
- To route HTTP requests to a specific server IP address, in the Routing Action settings, select Use. In the adjacent text box, type the IP address of the internal server.
To use the NAT settings configured in the policy, select Use Policy Default.
- To specify a port for HTTP requests, in the Port settings, select Use. In the adjacent text box, type the port number.
- To specify a port for HTTPS requests, in the Port settings, select Use. In the adjacent text box, type the port number.
- To enable TLS/SSL offloading for HTTPS requests, select the TLS/SSL Offload check box.
- To create a message for this event in the traffic log, select the Log check box.
- Click OK.
The rule is added to the content action.
- Below the list of content rules, configure the action to take if no rule is matched.
These settings are the same as described previously for a content rule.
  - Proxy Action
  - Routing Action
  - HTTP Port
  - HTTPS Port
  - TLS/SSL Offload setting
  - Log setting
- Click Save.
- If you edited the predefined content action (HTTP-Content.Standard), specify a name for the cloned content action.
- Select Setup > Actions > Content.
The list of content actions appears.
- Select a content action.
- To edit the content action, click Edit.
Or, to copy a content action to a new content action that you can edit, click Clone.
The HTTP Content Action Configuration page appears.
- In the Name text box, specify a name for the content action, or use the default name.
- To add a content rule, click Add.
The New Content Rule dialog box appears.
- In the Rule Name text box, type a name to identify this rule.
- In the Rule Settings section, select one of these options to match with HTTP requests:
  - Exact Match — Specify an exact domain or a domain and path.
  - Pattern Match — Specify a pattern to match a domain, path, or both.
  - Regular Expression — Specify a pattern as a regular expression.
- In the Value text box, type the text to match for this rule. If you selected Pattern Match as the rule setting, use an asterisk (*), a period (.), or a question mark (?) as wildcard characters.
- From the Proxy Action drop-down list, select an HTTP server proxy action to use.
- To route HTTP requests to a specific server IP address, in the Routing Action settings, select Use. In the adjacent text box, type the IP address of the internal server.
To use the NAT settings configured in the policy, select Use Policy Default.
- To specify a port for HTTP requests, in the Port settings, select Use. In the adjacent text box, type the port number.
- To specify a port for HTTPS requests, in the Port settings, select Use. In the adjacent text box, type the port number.
- To enable TLS/SSL offloading for HTTPS requests, select the TLS/SSL Offload check box.
- To create a message for this event in the traffic log, select the Log check box.
- Click OK.
The rule is added to the content action.
- Below the list of content rules, configure the action to take if no rule is matched.
These settings are the same as described previously for a content rule.
  - Proxy Action
  - Routing Action
  - HTTP Port
  - HTTPS Port
  - TLS/SSL Offload setting
  - Log setting
- Click OK.
- If you edited the predefined content action (HTTP-Content.Standard), specify a name for the cloned content action.
You can also clone or edit a content action when you select it in an HTTP proxy policy or as the action for content inspection in an HTTPS proxy action.
Use the HTTP Content Action in Proxy Policies
In an HTTP proxy policy, you can select the HTTP content action instead of an HTTP-Server proxy action.
For an example, go to Example — HTTP Proxy with an HTTP Content Action.
Use an HTTP Content Action in an HTTP Proxy Policy
To use an HTTP content action in an HTTP proxy policy:
- Add the HTTP proxy policy to allow connections from the external network.
- In the policy, specify a static NAT action as the policy destination.
The policy uses this static NAT action when a routing action in the content action is set to Use Policy Default.
- From the Proxy action or Content action drop-down list, select the HTTP-Content action to use.
The HTTP proxy policy routes HTTP requests based on the content rules in the content action.
- If the routing action in the content rule specifies an IP address, the policy routes the HTTP request to that IP address.
- If the routing action in the content rule specifies Use Policy Default, the policy uses the static NAT action in the policy.
Use an HTTP Content Action in an HTTPS Proxy Policy
In an HTTPS proxy policy, you can select the HTTP content action in the HTTPS-Server proxy action. To use an HTTP content action in an HTTPS proxy action, you must enable content inspection and configure a domain name rule with the Inspect action.
For an example, go to Example: HTTPS Proxy Action with an HTTP Content Action.
For more information, go to HTTPS-Proxy: Content Inspection.