
How to modify location header received from server’s response

This article describes how to modify the Location header obtained from the backend server's response before FortiWeb sends it to the client.

For example, the backend may answer with a redirect whose Location header points to the correct domain but uses HTTP, while only HTTPS is allowed.

Scope

FortiWeb

Solution

Step 1: Create a url-rewrite rule that matches the Location header when it uses HTTP and rewrites the scheme to HTTPS:

config waf url-rewrite url-rewrite-rule
edit "Modify_location"
set action http-response-header-rewrite
set location_replace https:$1
set location-status enable
config match-condition
edit 1
set object http-location
set reg-exp ^(http:)(.*)$
next
end
next
end
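To make the rule's behaviour concrete, the following Python emulation (added here as an illustration, not FortiWeb code) applies the same regular expression and replacement to Location header values and to a constructed copy of the 301 response shown below. It reads `$1` in `https:$1` as the second capture group, which is the only reading that yields the page's https result, and it shows the edge cases the rule leaves untouched.

```python
import re

# The page's rule: match-condition ^(http:)(.*)$ on the Location header,
# replaced with https:$1 (second capture group, i.e. Python's group 2).
LOCATION_MATCH = re.compile(r"^(http:)(.*)$")


def rewrite_location(value: str) -> str:
    """Apply the page's rewrite rule to a single Location header value."""
    m = LOCATION_MATCH.match(value)
    if m is None:
        # No match: the header passes through unchanged. This covers
        # relative redirects ("/login"), values that already use https,
        # and an upper-case "HTTP:" scheme, since the regex is case-sensitive.
        return value
    return "https:" + m.group(2)


def location_headers(raw_response: str) -> list[str]:
    """Return every Location header value from a raw HTTP response."""
    head = raw_response.partition("\r\n\r\n")[0]
    return [
        line.partition(":")[2].strip()
        for line in head.split("\r\n")[1:]
        if line.lower().startswith("location:")
    ]


def apply_rule_to_response(raw_response: str) -> str:
    """Rewrite every Location header in a raw response, as the WAF would."""
    head, sep, body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i, line in enumerate(lines[1:], start=1):
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "location":
            lines[i] = f"{name}: {rewrite_location(value.strip())}"
    return "\r\n".join(lines) + sep + body


def has_insecure_redirect(raw_response: str) -> bool:
    """Verification step from the page: is any Location header plain http?"""
    return any(v.lower().startswith("http://") for v in location_headers(raw_response))


# Constructed sample modelled on the page's curl output (headers only, CRLF).
RESPONSE_BEFORE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://mytestserver.local\r\n"
    "Content-Length: 98\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<head><title>Object moved permanently</title></head>"
)
```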

Step 2: Add the url-rewrite rule to a url-rewrite policy.

Step 3: Add the url-rewrite policy to the web protection profile used by the server-policy.

Step 4: Test the configuration. Without the url-rewrite rule, the Location header received by the client still uses HTTP:

curl -vk https://mymailserver.local
* Trying 10.10.10.10:443...
* Connected to mymailserver.local (10.10.10.10) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET / HTTP/1.1
> Host: mymailserver.local
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: http://mytestserver.local < ----------Location header is using http
< Content-Length: 98
< Content-Type: text/html
< Set-Cookie: cookiesession1=678A3E0EFD7FDA47CEF1FAE02513FD4D;Expires=Fri, 08 Aug 2025 14:14:58 GMT;Path=/;HttpOnly
<
<head><title>Object moved permanently</title></head><body><h1>Object Moved Permanently</h1></body>* Connection #0 to host mymailserver.local left intact

Step 5: With the url-rewrite rule in place, the Location header received by the client uses HTTPS:

curl -vk https://mymailserver.local
* Trying 10.10.10.10:443...
* Connected to mymailserver.local (10.10.10.10) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET / HTTP/1.1
> Host: mymailserver.local
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://mytestserver.local < ----------Location header is using https
< Content-Length: 98
< Content-Type: text/html
< Set-Cookie: cookiesession1=678A3E0EFD7FDA47CEF1FAE02513FD4D;Expires=Fri, 08 Aug 2025 14:14:58 GMT;Path=/;HttpOnly
<
<head><title>Object moved permanently</title></head><body><h1>Object Moved Permanently</h1></body>* Connection #0 to host mymailserver.local left intact