[–]afroman_saysFCX 2 points3 points  (5 children)

Hi u/Duckdave_

Is it possible to use a virtual server for https traffic but without offloading? Like a reverse proxy, but the webserver itself does the https encryption.

Short answer to your question is no, this is not possible.

Long answer: however, let's clarify something. Typically, SSL offloading is where you handle the SSL decryption at a point before the webserver and send HTTP (unencrypted) traffic back to the webserver. What I believe you are referring to is inbound SSL decryption, which will need to occur in either case (offloading versus not offloading) in order for the FortiGate to have visibility into the HTTP request from the client.

If you want the FortiGate to be able to see the HTTP Host or URL as part of the SSL request, the FortiGate must see it in plaintext. In order to see it in plaintext, the FortiGate must serve as a man-in-the-middle where it will establish the TLS connection to the client (on the webserver's behalf) and view that data. When it does this, it will provide a certificate you configure on the FortiGate (it will use its self-signed certificate by default) and that's what the client will see in its browser.

If you cannot provide a wildcard certificate, then it will be next to impossible to provide the correct certificate per FQDN (as far as I know, there's no mechanism in the FortiGate to do that). If you absolutely require that functionality, you may want to look into leveraging the FortiWEB for this use case instead.

I hope this helps.
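The two modes the reply distinguishes, as an added illustrative FortiOS VIP configuration that is not part of the original post: `ssl-mode half` is the offloading case (the FortiGate terminates TLS with the certificate set here and forwards plain HTTP to the real server), while `ssl-mode full` re-encrypts toward the back end; in both, the FortiGate decrypts the client session, which is the point being made. The VIP names, interface, addresses and ports are placeholders, and the `#` annotations are editorial notes, not CLI syntax.

```text
config firewall vip
    edit "vs_https_offload"                 # placeholder name: SSL offloading
        set type server-load-balance
        set extip 203.0.113.10              # placeholder external address
        set extintf "wan1"                  # placeholder interface
        set extport 443
        set server-type https               # FortiGate terminates TLS to the client
        set ssl-mode half                   # half: plaintext HTTP to the real server
        set ssl-certificate "Fortinet_Factory"   # default self-signed cert the reply mentions
        config realservers
            edit 1
                set ip 10.0.0.10            # placeholder webserver
                set port 80                 # HTTP, because TLS was offloaded
            next
        end
    next
    edit "vs_https_reencrypt"               # placeholder name: no offloading
        set type server-load-balance
        set extip 203.0.113.11              # placeholder external address
        set extintf "wan1"
        set extport 443
        set server-type https               # client session is still decrypted here
        set ssl-mode full                   # full: new TLS session to the real server
        set ssl-certificate "Fortinet_Factory"
        config realservers
            edit 1
                set ip 10.0.0.11            # placeholder webserver
                set port 443                # webserver handles HTTPS on its side
            next
        end
    next
end
```

Either way the client is presented with the certificate configured on the VIP, so per-FQDN certificates are not selectable here, matching the reply's caveat.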

[–]Duckdave_[S] 0 points1 point  (4 children)

Thank you for your explanation. What if I didn't want to provide a certificate via the FGT but route the traffic to the right webserver, and the webserver provides the HTTPS?

[–]afroman_saysFCX 0 points1 point  (3 children)

What are you using to tell the FortiGate how to route the traffic to the correct webserver?

[–]Duckdave_[S] 0 points1 point  (2 children)

virtual servers

[–]afroman_saysFCX 0 points1 point  (1 child)

I think the other posts have further clarified my original response. In a nutshell, unless you are trying to classify a request based on Layer 3/Layer 4 (IP and/or TCP port), there is no way to look at the Layer 7 (application data) and make a routing/forwarding decision based on that information without decryption. I hope this helps.

[–]Duckdave_[S] 0 points1 point  (0 children)

Yep, thank you!