HTTPS-Proxy redirect vdir
Hi everyone, I would like to understand whether it is possible to do what I describe.
On the public FireboxV site https://cloud.workers.it/,
using SNAT (public IP -> 10.0.0.1),
I have a web server (IIS), IP 10.0.0.1, in the DMZ with various VDIRs:
-> demo.cweb
-> demo.product
-> Client
-> download
-> doc
When calling the URL https://cloud.workers.it or
https://cloud.workers.it/demo.cweb ... /client, 10.0.0.1 always replies.
Can I do this:
https://cloud.workers.it/demo.cweb (new ip 10.0.0.3)
https://cloud.workers.it/demo.product (old ip 10.0.0.1)
https://cloud.workers.it/doc (new ip 10.0.0.3)
If yes, how?
Comments
You should be able to do this using Content Actions.
Example: HTTPS Proxy Action with an HTTP Content Action
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/examples/content_action_https.html
Example — HTTP Proxy with an HTTP Content Action
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/examples/content_action_http.html
Hi Bruce,
I only have to do HTTPS. Following the first guide, when I also try to open the "root" site (https://cloud.workers.it/) I get an expired certificate error and I can't see anything. My public (wildcard) certificate installed on both VMs expires 07/2020. Why expired?
What is the cert which is showing as expired?
This:
Issued to: https.proxy.nul
Issued by: Fireware HTTPS Proxy (SN FVE1000000000 2019-11-07) CA
Valid from 08/10/2019 to 04/11/2029
Delete the expired certs & reboot your firewall to generate new ones.
Renew or Replace an Expired Certificate on a Firebox
https://watchguardsupport.secure.force.com/publicKB?type=Article&SFDCID=kA10H000000g3XMSAY&lang=en_US
It has not expired; it expires in 2029.
No idea why it is showing as expired when it is not.
Consider opening a support incident to find out why you are getting an expired cert message.
Have you set up the desired HTTP Content action rules?
You can import your web server cert into the firewall and use that instead.
See this section:
Protect a Private HTTPS Server
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/cert_https_proxy_resign_c.html
Hi Bruce, I solved the certificate problem: I imported the geo pfx. Can I use it, or must it be the pfx of my internal CA? But the new URL doesn't work.
The cert that you select will be used to encrypt the packets going from the firewall to your internal web server, so I don't think that it needs to be the cert from your web server.
You should have an HTTPS content inspection entry for an exact match on cloud.workers.it with an HTTP content action.
Verify that your HTTP Content actions are correct.
For example,
1) have an exact match for cloud.workers.it/demo.cweb with IP addr = 10.0.0.3
and
2) have a pattern match for cloud.workers.it/demo.cweb/* with IP addr = 10.0.0.3
Hi Bruce, my mistake was that I also put an asterisk, "* cloud.workers.it / demo.cweb / " instead of "cloud.workers.it/demo.cweb/". Now all is OK. Then I decided to do everything like this: "cloud.workers.it/demo.*" = 10.0.0.3, and this also works. Thanks Bruce.
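The exact-match and pattern-match rules discussed above can be checked against the routing asked for in the first post before they are saved on the firewall. This is an added sketch, not part of the thread and not Fireware's own matching code; it assumes ordered, first-match rules in which `*` matches any run of characters, and `login.aspx` is a constructed sample path.

```python
from fnmatch import fnmatchcase

DEFAULT = "10.0.0.1"   # server that answers when no rule matches (old IP)
NEW = "10.0.0.3"       # server the moved VDIRs should reach (new IP)

def subtree(prefix, backend):
    """Exact match plus a pattern match for everything below the prefix."""
    return [(prefix, backend), (prefix + "/*", backend)]

# Rule sets under test (ordered, first match wins: an assumption of this model).
NARROW = subtree("cloud.workers.it/demo.cweb", NEW) + subtree("cloud.workers.it/doc", NEW)
BROAD = [("cloud.workers.it/demo.*", NEW)] + subtree("cloud.workers.it/doc", NEW)

# Intended routing taken from the first post; login.aspx is a constructed path.
INTENDED = {
    "cloud.workers.it/": DEFAULT,
    "cloud.workers.it/demo.cweb": NEW,
    "cloud.workers.it/demo.cweb/login.aspx": NEW,
    "cloud.workers.it/demo.product": DEFAULT,
    "cloud.workers.it/client": DEFAULT,
    "cloud.workers.it/download": DEFAULT,
    "cloud.workers.it/doc": NEW,
}

def route(rules, url):
    """Return the backend IP a host/path string would be sent to."""
    target = url[len("https://"):] if url.startswith("https://") else url
    for pattern, backend in rules:
        if fnmatchcase(target, pattern):   # '*' matches any run of characters
            return backend
    return DEFAULT

def audit(rules, intended=INTENDED):
    """List (url, wanted, got) for every URL the rules send to the wrong server."""
    return [(u, want, route(rules, u)) for u, want in intended.items()
            if route(rules, u) != want]

if __name__ == "__main__":
    for name, rules in (("narrow", NARROW), ("broad", BROAD)):
        print(name, audit(rules) or "matches the intended routing")
```

Under those assumptions, `audit(BROAD)` reports `cloud.workers.it/demo.product` going to 10.0.0.3, while the first post lists it for 10.0.0.1.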
Hi Bruce,
I have another problem. I realized that from the 10.0.3 machine, or rather from the whole DMZ network, I can't see the URL "cloud.workers.it/demo.cweb"; from the other LAN networks and the Internet I have no problems. The error on the firewall is this:
"pxy 0x5985590-5005735 connect failed Connection timed out 48: 10.0.0.3:55326 -> 80.249.47.20:443 [A t] {X} | 121: 10.0.0.3:55326 -> 10.0.0.3:80 [!B c] {B}[eo] Debug
Deny 10.0.0.3 10.0.0.3 http/tcp 55335 80 Firebox 2-Reserved Denied 52 64 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 2692063806 win 4210" Traffic"
To do this from inside the LAN, set up NAT Loopback on the HTTPS policy.
NAT Loopback and Static NAT (SNAT)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_static_c.html