
FortiADC™ Deployment Guide

Load Balancing Apache Web Server


FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com 

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES
http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdocs@fortinet.com

November 19, 2015

FortiADC Deployment Guide: Load Balancing Apache Web Server

Revision 1
TABLE OF CONTENTS

Change Log
Introduction
  Solution benefits
The FortiADC difference
Deployment topologies
  Router Mode
  One-Arm Mode
Hardware and software used in this example
Apache Web Server Configuration
  Step 1: Download and install the Apache Web Servers
  Step 2: Configure Apache Web Server logging
FortiADC Configuration
  Basic Configuration
    Step 1: Configure network interfaces and a static route
    Step 2: Configure health checks
    Step 3: Configure the Real Server Pool
    Step 4: Configuring the virtual servers
  Advanced Features Configuration
    Persistence
    Scripts
    Advanced profile options
      SSL offloading
      Caching
      Compression
    Binding profiles to the virtual server
    Advanced virtual server configuration summary
Verification
Troubleshooting
Appendix A: FortiADC Configuration
  Basic server load balancing
  Advanced features

Change Log

Date        Change Description
2015-11-19  Initial release.

FortiADC Deployment Guide 4
Fortinet Technologies Inc.
Introduction

The Apache Web Server is the world's most used web server software. Apache played a key role in the initial
growth of the World Wide Web, and has remained most popular since April 1996. In 2009, it became the first web
server software to serve more than 100 million websites.

Apache is developed and maintained by an open community of developers under the auspices of the Apache
Software Foundation. Apache is free and open-source software.

The FortiADC deployment enables load balancing for server availability, quality of experience (QoE)
improvement for fast response-time, and best ROI with cost reduction (CAPEX and OPEX).

Solution benefits

- Delivers 99.999% application uptime with intelligent server load balancing and global server load balancing.
- Optimizes applications and improves user QoE (Quality of Experience).
- Reduces CAPEX and OPEX by doing server offload with SSL acceleration and TCP multiplexing.
- Secures Apache Web Server with web application firewall and distributed denial-of-service (DDoS) prevention.

The FortiADC difference

There are a number of hardware load balancing products available on the market with a wide range of features
and capabilities. FortiADC differentiates itself by providing superior value, high performance, reliability, advanced
acceleration features, and security from a market leader.

FortiADC not only load balances Internet service requests across multiple servers, but also accelerates
application performance and provides application-aware features that monitor server load and improve server
response times – by as much as 25%. In addition to basic load balancing, FortiADC provides:

- Automatic server and application health monitoring.
- Intelligent, application-aware load balancing policies (least connections, fastest response time, static weight, and
  round robin).
- Redundant high availability (HA) configurations.
- Intuitive Layer 7 policy-based routing that can dynamically rewrite content to support complex applications and
  server configurations.
- Hardware and software-based SSL offloading that reduces the performance impact on your server infrastructure.
- Content caching that dynamically stores popular application content, such as images, videos, HTML files, and other
  types to alleviate server resources and accelerate overall application performance.
- Web Application Firewall that protects against application layer attacks.
- IP Reputation service that protects your applications against automated web attacks by identifying access from
  botnets and other malicious sources.
- Global Server Load Balancing that distributes traffic across multiple geographical locations for disaster recovery.
- Link Load Balancing that distributes traffic over multiple ISPs to increase resilience and reduce the need for costly
  bandwidth upgrades.
- Authentication offloading that speeds user authentication for secure applications.
- Scripting for custom load balancing and content rewriting rules.
- Virtual domains (VDOMs) that enable administrators to divide a FortiADC into two or more virtual FortiADC devices,
  each operating as an independent application delivery controller.

For more information on how FortiADC can make your applications work better, faster, and more economically,
please visit http://www.fortinet.com/products/fortiadc/index.html.

Deployment topologies

This section shows the most common deployment topologies for load balancing Apache Web Servers. It includes
the following information:

- Router Mode
- One-Arm Mode

The example configurations in this deployment guide are for a Router Mode deployment.

Router Mode

Figure 1 shows the Router Mode deployment topology. In this mode:


- FortiADC is the default gateway of the servers, so all traffic will be sent through the FortiADC.
- Clients send HTTP requests to the FortiADC virtual server IP address (for example, 10.10.10.10), and FortiADC load
  balances the traffic between the Web Servers.

Figure 1: Router Mode topology

The following tables show the source/destination addresses received and sent from the FortiADC.

One-Arm Mode

Figure 2 shows the One-Arm Mode deployment topology. In this mode:


- FortiGate is the default gateway of the servers. Only load balancing traffic is sent to the FortiADC.
- Clients send HTTP requests to the FortiADC virtual server IP address (for example, 10.10.10.10). FortiADC acts as a
  reverse proxy: it NATs the source address, opens new HTTP connections, and load balances the traffic between the Web
  Servers.
- You can configure a FortiADC profile option to write the original source IP address to the X-Forwarded-For header.
  You can configure Apache Web Server logs to write the X-Forwarded-For field.

Figure 2: One-Arm Mode topology

The following source/destination tables show the NAT translation.

Hardware and software used in this example

The following hardware and software were used in testing this example:

- FortiADC VM
- FortiADC OS Version 4.3.1
- Apache Web Server Version 2.2
- Custom client/server hardware running VMware ESX 4 (Ubuntu 13.3)

Important: This guide is written only for the FortiADC D-series platform. The instructions included within are not
designed to be used with the FortiADC E-series platform application delivery controllers.

Apache Web Server Configuration

This section provides configuration guidelines for Apache Web Servers. It includes the following topics:

- Step 1: Download and install the Apache Web Servers
- Step 2: Configure Apache Web Server logging

Step 1: Download and install the Apache Web Servers

Basic steps

1. Download the latest server installer from http://httpd.apache.org/download.cgi.
2. Install the server according to the Apache documentation:
   - Unix/Linux: http://httpd.apache.org/docs/2.0/install.html
   - Microsoft Windows: http://httpd.apache.org/docs/2.0/platform/windows.html
   After you complete the installation, the httpd daemon starts automatically with the default port 80. (You can
   change port settings in the httpd.conf file.)
3. Verify that the installation was successful by opening http://localhost in the server's browser. Figure 3 shows the
   messages that are displayed when the installation is successful.

Figure 3: Apache server

Step 2: Configure Apache Web Server logging

If FortiADC performs source NAT (due to a one-arm deployment or other requirements), you can configure
FortiADC to write the original source IP address to the X-Forwarded-For header. Figure 4 shows the profile
configuration page where you set this behavior.

Figure  4: HTTP/HTTPS profile option X-Forwarded-For

On the Apache Web Server, you configure the web server to log the X-Forwarded-For header.

The following httpd.conf configuration file lines are the default log format, the starting point for logs that are to
contain the X-Forwarded-For header:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog logs/access_log combined

The following example shows changes you must make to the default format in order to log the X-Forwarded-For
client IP address or the real client IP address if the X-Forwarded-For header does not exist:

# Default format: first field is the address of the connecting peer (%h).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# Proxy format: first field is the value of the X-Forwarded-For request header.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
# Set the "forwarded" variable when the header looks like a dotted address.
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
# Write each request once, using the format that matches the variable.
CustomLog "logs/access_log" combined env=!forwarded
CustomLog "logs/access_log" proxy env=forwarded
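The following sketch is an added example, not part of the Fortinet guide: it replays the guide's SetEnvIf pattern against sample header values and then validates the client field of the resulting access_log lines. The sample headers, the log lines and the LB_ADDRESSES set are constructed, and treating the last X-Forwarded-For entry as the one written by the nearest proxy is an assumption the guide does not state.

```python
import ipaddress
import re

# SetEnvIf pattern copied verbatim from the guide's httpd.conf example.
SETENVIF_PATTERN = re.compile(r"^.*\..*\..*\..*")

# Leading fields shared by the "combined" and "proxy" formats: client, %l, %u, [%t].
# The client field can contain spaces when X-Forwarded-For holds a comma-separated list.
LINE_RE = re.compile(r'^(?P<client>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "')

# Assumption: addresses the load balancer itself uses toward the servers
# (192.168.1.1 is port2 in the guide's appendix; a SNAT pool would be listed here too).
LB_ADDRESSES = {ipaddress.ip_address("192.168.1.1")}

# Constructed sample header values (None means the header is absent).
SAMPLE_HEADERS = ["203.0.113.7", "2001:db8::1", "198.51.100.9, 203.0.113.7", "not.an.ip.addr", None]

# Constructed access_log lines in the two formats from the guide.
_TAIL = ' - - [19/Nov/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
SAMPLE_LINES = [
    "203.0.113.7" + _TAIL,
    "198.51.100.9, 203.0.113.7" + _TAIL,
    "not.an.ip.addr" + _TAIL,
    "192.168.1.1" + _TAIL,
]


def selected_format(xff_header):
    """Mirror env=forwarded / env=!forwarded: which LogFormat Apache would use."""
    if xff_header is not None and SETENVIF_PATTERN.search(xff_header):
        return "proxy"
    return "combined"


def parse_client_field(field):
    """Return (addresses, rejected) for the first field of an access_log line."""
    addresses, rejected = [], []
    for token in (t.strip() for t in field.split(",")):
        try:
            addresses.append(ipaddress.ip_address(token))
        except ValueError:
            rejected.append(token)
    return addresses, rejected


def audit_line(line, lb_addresses=LB_ADDRESSES):
    """Classify one access_log line by how far its client field can be relied on."""
    match = LINE_RE.match(line)
    if match is None:
        return {"status": "unparsed", "client": None}
    addresses, rejected = parse_client_field(match.group("client"))
    if rejected:
        # Header text that is not an IP literal was written to the log as-is.
        return {"status": "invalid", "client": None}
    # Assumption: each proxy appends to the header, so the last entry is the
    # one added by the hop closest to Apache.
    nearest = addresses[-1]
    if nearest in lb_addresses:
        # The %h fallback was used: the original client address was not logged.
        return {"status": "lb-address", "client": str(nearest)}
    status = "chain" if len(addresses) > 1 else "ok"
    return {"status": status, "client": str(nearest)}


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(repr(header), "->", selected_format(header))
    for line in SAMPLE_LINES:
        print(audit_line(line), "<-", line.split(" - - ")[0])
```

IPv6 header values contain no dots, so the guide's pattern routes them to the combined format and %h is logged instead of the forwarded address.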

If you use advanced FortiADC load balancing features like SSL offloading and
compression offloading, you would disable the corresponding Apache Web Server settings.

See http://www.apache.org/ for information on configuring Apache Web Server.

FortiADC Configuration

This section provides configuration guidelines for load balancing Apache Web Servers when FortiADC is deployed
in Router Mode. It includes the following topics:

- Basic Configuration
- Advanced Features Configuration

Basic Configuration

This section provides the basic procedures for getting started with Layer 4 load balancing. It includes the
following steps:

- Step 1: Configure network interfaces and a static route
- Step 2: Configure health checks
- Step 3: Configure the Real Server Pool
- Step 4: Configuring the virtual servers

Step 1: Configure network interfaces and a static route


You configure two network interfaces for deployment:

- port1: External network (WAN)
- port2: Internal network (LAN)

To configure network interfaces, go to Networking > Interface. Figure 5 shows the configuration for port1.

Figure  5: Network interface configuration page

To create a static route, go to Networking > Routing. Figure 6 shows the static route configuration page.

Figure  6: Static route

Step 2: Configure health checks


Health checks test gateway or server availability so the server load balancer can exclude unavailable servers from
the active server pool. In this deployment, we use HTTP health checks to verify Apache Web Server availability.

To configure a health check, go to System > Shared Resources > Health Check. Table 1 summarizes the health
check configuration for this example. Figure 7 shows the HTTP health check configuration page.

 Table 1: Health check configuration summary

Settings     Values            Notes
Name         HC-HTTP-Apache80
Type         HTTP
Port         80                Tests an HTTP GET request to the Apache Web Server port 80.
Method       GET
Send String  /                 URL to get.
Status Code  200               A successful test returns HTTP 200.

Figure  7: Health check configuration page

Step 3: Configure the Real Server Pool


The FortiADC server load balancing (SLB) feature is used to load balance traffic on port 80 to a pool of Apache
Web Servers. Select the health check configured in the previous step and configure a member pool.

To configure real server pools, go to Server Load Balance > Real Server. Table 2 summarizes the real server pool
configuration for this example. Figure 8 through Figure 10 show the configuration pages.

 Table 2: Real Server pool configuration summary

Settings                            Values            Notes
Name                                Web_Group
Health Check
Health Check Relationship           OR                Server is deemed available if any of the specified health
                                                      checks is successful. In this case, we have only one
                                                      health check, so there is no distinction between the two
                                                      possible settings.
Health Check Configuration Objects  HC-HTTP-Apache80  The health check configured in the previous step.
Member
IP Address                          192.168.1.100
                                    192.168.1.101
                                    192.168.1.102
Port                                80
Health Check Inherit                Enabled

Figure  8: SLB real server pool initial configuration page

Figure  9: Real Server Pool Member configuration page

Figure  10: Real Server Pool complete configuration

Step 4: Configuring the virtual servers


In the basic deployment, the FortiADC virtual servers are Layer 4 virtual servers. Layer 4 virtual servers are useful
when not using advanced features (such as content routing, SSL, compression, caching, WAF, and so on).

In the virtual server configuration, you select from predefined and user-defined configuration objects. You created
the required user-defined configuration objects in the previous steps.

To configure virtual servers, go to Server Load Balance > Virtual Server. Table 3 summarizes the virtual server
configuration for this example. Figure 11 shows the configuration summary page.

 Table 3: Virtual Server configuration summary

Settings                  Values                 Notes
Name                      Web_VIP
Type                      Layer 4
Packet Forwarding Method  DNAT                   When DNAT is selected, FortiADC rewrites the destination
                                                 IP address in the client request. The selected real server
                                                 IP address replaces the virtual server IP address.
                                                 In a One-Arm Mode deployment, you would select Full-NAT
                                                 so that both source and destination are translated. You
                                                 would also configure and select a source NAT address pool.
IP address                10.10.10.10
Port                      80
Network Interface         port2
Profile                   LB_PROF_TCP            Predefined profile.
Persistence               None selected          Traffic for some applications, like e-commerce transactions
                                                 or SIP voice calls, are transactions that depend on an
                                                 established client-server session. If your application
                                                 requires this, select a predefined or user-defined
                                                 persistence method.
Method                    LB_METHOD_ROUND_ROBIN  Predefined method.
Real Server Pool          Web_Group              The pool configured in the previous step.
Log                       Enable                 Enables traffic logs.

Figure  11: Virtual server configuration page

Advanced Features Configuration

Some advanced features are bound directly to the virtual server and some are bound to the profile selected for
the virtual server.

This section describes configuration for the following advanced features:

- Persistence
- Scripts
- Advanced profile options

Persistence
You bind persistence rules to the virtual server configuration. Persistence rules determine traffic that is not load
balanced but rather is dispatched to the same server as an existing connection. Typically, you configure
persistence rules to support server transactions that depend on an established client-server session.

This example uses persistence based on cookies. The backend server sends a cookie. If subsequent packets
received by FortiADC match the cookie, they are forwarded to the original backend server and load balancing
rules are not applicable.

To configure persistence rules, go to Server Load Balancing > Virtual Server > Persistence. Figure 12 shows the
configuration for this example. Figure 13 shows where to select the configuration object in the virtual server
configuration page.

Figure  12: Persistence configuration page

Figure  13: Virtual server configuration page - Persistence

Scripts
You bind scripts to the virtual server configuration. Scripts enable you to use predefined Lua script commands and
variables to manipulate the HTTP request/response or select a content route.

For example, you could use a script to redirect HTTP requests to the HTTPS location for the web site:

when HTTP_REQUEST {
    -- Read the requested host and path from the client request.
    Host = HTTP:header_get_value("host")
    Path = HTTP:path_get()
    -- Redirect the client to the same host and path over HTTPS.
    HTTP:redirect("https://%s%s", Host, Path)
}

To configure scripts, go to System > Shared Resources > Scripting. Figure 14 shows the configuration for this
example. Figure 15 shows where to select the script in the virtual server configuration page.

Figure  14: Scripting configuration page

Figure  15: Virtual Server configuration page - Scripting

Advanced profile options


You bind profiles to the virtual server configuration. Profiles contain settings that affect protocol traffic for the
client-side connection (between the client and the FortiADC). Advanced profile options support offloading server
functions, such as SSL negotiation, HTTP caching, and Gzip compression.

This section includes example configurations for the following advanced profile options:

- SSL offloading
- Caching
- Compression

SSL offloading
Clients can use SSL or TLS to connect to HTTPS virtual servers.

When you use FortiADC as a proxy for SSL operations normally performed on the backend real servers, you must
import the X.509 v3 server certificates and private keys the backend servers would ordinarily use, as well as any
certificate authority (CA) or intermediate CA certificates that are used to complete the chain of trust between your
clients and your servers.

The FortiADC system supports all of the TLS/SSL administration methods commonly used by HTTPS servers,
including:

- Server name indication (SNI) - You can require clients to use the TLS extension to include the server hostname in
  the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to
  present to the client.
- Local certificate store - A certificate store for the X.509 v3 server certificates and private keys the backend servers
  would ordinarily use.
- Certificate Authorities (CAs) store - A store for the CA certificates that the backend servers would ordinarily use to
  verify the CA signature in the client certificate.
- Intermediate CAs store - A store for Intermediate CAs that the backend servers would ordinarily use to complete the
  chain between the client certificate and the server certificate. HTTPS transactions use intermediate CAs when the
  server certificate is signed by an intermediate certificate authority (CA) rather than a root CA.
- OCSP - Use Online Certificate Status Protocol (OCSP) to obtain the revocation status of certificates.
- CRL - Use a certificate revocation list (CRL) to obtain the revocation status of certificates.
- Certificate validation policy - You can configure certificate validation policies that use OCSP or CRL. These policies
  can be associated with load balancing profiles.

Basic Steps

1. Import the certificates and keys. If necessary, generate a CSR and submit it to a CA. When you receive your
certificate from the CA, you can import it.
Go to System > Certificate > Manage Certificates > Local Certificate. Figure 16 shows the Import Local
Certificate page. Figure 17 shows the Generate CSR page.
2. Create a certificate group.
Go to System > Certificate > Manage Certificates > Local Certificate Group. Figure 18 shows the Certificate
Group configuration page.
3. Create an HTTPS profile and bind the certificate group to it.
Go to Server Load Balance > Profile. Figure 19 shows where to select the configuration object in the profile
configuration page.

Figure  16: Import Certificate page

Figure  17: Generate CSR page

Figure  18: Certificate Group configuration page

Figure  19: Profile configuration page - Certificate Group

Caching
FortiADC can store HTTP content. The system can serve subsequent HTTP requests for that content without
forwarding the requests to the backend servers, thereby reducing the load on the backend servers.

In general, the RAM cache conforms to the cache requirements described in RFC 2616.

If caching is enabled for the profile that is applied to traffic processing, the system evaluates HTTP responses to
determine whether or not to cache the content. HTTP responses with status codes 200, 203, 300, 301, 400 can
be cached.

To configure caching, go to Server Load Balance > Profile > Caching.

Figure 20 shows the configuration for this example. Figure 21 shows where to select the configuration object in
the profile configuration page.

Figure  20: Caching configuration page

Figure  21: Profile configuration page - Caching

Compression
Compression offers the greatest performance improvements for Apache Web Server when applied to URLs
whose media types include repetitive text such as tagged HTML and JavaScript. Files that already contain
efficient compression such as GIF images usually should not be compressed, as the CPU usage and time spent
compressing them will result in an increased delay rather than network throughput improvement.

To configure compression, go to Server Load Balance > Profile > Compression.

Figure 22 shows the configuration for this example. Figure 23 shows where to select the configuration object in
the profile configuration page.

Figure  22: Compression configuration page

Figure  23: Virtual server configuration page - Compression

Binding profiles to the virtual server


Figure 24 shows where the profile is selected in the virtual server configuration.

Figure  24: Virtual Server configuration page - Profiles

Advanced virtual server configuration summary


Table 4 summarizes the advanced configuration to support client traffic over HTTPS to Apache Web Servers. SSL
negotiation, caching, and compression processes are offloaded from the Apache Web Servers to the FortiADC
virtual server.

 Table 4: Advanced virtual Server configuration summary

Settings                  Values                 Notes
Name                      Web_VIP
Type                      Layer 7
Packet Forwarding Method                         Not applicable for Layer 7 virtual servers.
IP address                10.10.10.10
Port                      443                    HTTPS port.
Network Interface         port2
Profile                   HTTPS-Profile          The profile configured in the previous step. This profile
                                                 includes SSL offloading, caching, and compression settings.
Persistence               Cookie_Persistence     The persistence method configured in the previous step.
Method                    LB_METHOD_ROUND_ROBIN  Predefined method.
Real Server Pool          Web_Group              The pool configured in the previous step.
Log                       Enable                 Enables traffic logs.

Verification

You can use the FortiADC monitoring graphs and logs to verify that traffic is indeed cached and packet flow is
working as expected.

To display the dashboard for real server pool statistics, go to Dashboard > Virtual Server > Real Server.

Figure  25: Real Server dashboard

To display logs for Layer 4 virtual servers, go to Log & Report > Traffic Log > SLB Layer 4.

Figure  26: Layer 4 virtual server logs

Troubleshooting

The FortiADC web user interface includes a tcpdump packet capture utility that can be helpful when troubleshooting
expected behavior.

To configure packet capture settings and filters, go to Networking > Packet Capture. This page also has controls
to start, stop, and download the packet captures.

Figure  27: Packet capture settings for the internal interface

Figure  28: Packet capture settings for the external interface

Appendix A: FortiADC Configuration

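The following configuration file samples show the FortiADC configuration:

- Basic server load balancing
- Advanced features

Both samples enable https, ping, ssh and http administrative access (allowaccess) on port1, the external (WAN)
interface. In production, restrict allowaccess to the protocols and interfaces you actually manage the device from.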

Basic server load balancing

config system global
    set hostname FortiADC-VM
end
config system interface
    edit "port1"
        set vdom root
        set ip 10.10.10.1/24
        set allowaccess https ping ssh http
        config ha-node-ip-list
        end
    next
    edit "port2"
        set vdom root
        set ip 192.168.1.1/24
        config ha-node-ip-list
        end
    next
end
config system health-check
    edit "HC-HTTP-Apache80"
        set type http
        set port 80
        set method-type http_get
    next
end
config load-balance pool
    edit "Web_Group"
        set health-check-ctrl enable
        set health-check-list HC-HTTP-Apache80
        config pool_member
            edit 1
                set ip 192.168.1.100
            next
            edit 2
                set ip 192.168.1.101
            next
            edit 3
                set ip 192.168.1.102
            next
        end
    next
end
config load-balance method
end
config load-balance persistence
end
config load-balance content-rewriting
end
config load-balance content-routing
end
config user local
end
config user user-group
end
config load-balance auth-policy
end
config load-balance virtual-server
    edit "Web_VIP"
        set interface port2
        set ip 10.10.10.10
        set load-balance-profile LB_PROF_TCP
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool Web_Group
        set traffic-log enable
        set id 1
    next
end

Advanced features

config system global
    set hostname FortiADC
end
config system interface
    edit "port1"
        set vdom root
        set ip 10.10.10.1/24
        set allowaccess https ping ssh http
        config ha-node-ip-list
        end
    next
    edit "port2"
        set vdom root
        set ip 192.168.1.1/24
        config ha-node-ip-list
        end
    next
end
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
config system certificate local
    edit "Cert-CSR"
        set password ENC <encrypted password omitted>
        set private-key "<encrypted private key omitted>"
        set csr "<certificate signing request omitted>"
    next
end
config system certificate ca_group
end
config system certificate intermediate_ca
end
config system certificate intermediate_ca_group
end
config system certificate local_cert_group
    edit "Cert_Group"
        config group_member
            edit 1
                set local-cert Factory
            next
        end
    next
end
config system scripting
    edit "https_redirection"
    next
end
config system health-check
    edit "HC-HTTP-Apache80"
        set type http
        set port 80
        set method-type http_get
    next
end
config load-balance compression
    edit "Compression-Policy"
        config uri_list
        end
        config content_types
        end
    next
end
config load-balance caching
    edit "Caching-Policy"
        config uri_exclude_list
        end
    next
end
config load-balance profile
    edit "HTTPS-Profile"
        set type https
        set local-cert-group Cert_Group
        set compression Compression-Policy
        set caching Caching-Policy
    next
end
config load-balance pool
    edit "Web_Group"
        set health-check-ctrl enable
        set health-check-list HC-HTTP-Apache80
        config pool_member
            edit 1
                set ip 192.168.1.100
            next
            edit 2
                set ip 192.168.1.101
            next
            edit 3
                set ip 192.168.1.102
            next
        end
    next
end
config load-balance method
end
config load-balance persistence
    edit "Cookie_Presistency"
        set type persistent-cookie
    next
end
config load-balance virtual-server
    edit "Web_VIP"
        set type l7-load-balance
        set interface port1
        set ip 10.10.10.10
        set load-balance-profile LB_PROF_HTTP
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool Web_Group
        set traffic-log enable
        set id 1
        set scripting https_redirection
    next
    edit "HTTPS_VIP"
        set type l7-load-balance
        set interface port1
        set ip 10.10.10.10
        set port 443
        set load-balance-profile HTTPS-Profile
        set load-balance-persistence Cookie_Presistency
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool Web_Group
        set traffic-log enable
        set id 2
    next
end

Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
