Forum Discussion
Andreia
Cirrus
CirrusHow to "Convert" NGINX to iRules?
Hi, We have an NGINX that works as a reverse proxy to do mTLS with clients and that is also validated (mTLS) by the API that receives requests from this reverse proxy. I need to create a Virtual Se...
AndreiaCirrus
CirrusHi! Thanks for answering!
In fact, the mTLS part with the client I managed to do by making an iRule that validates the client's certificate data and configuring the SSL Profile Client to require the client's certificate. My problem is in these " proxy_set_header X-SSL-I-DN $ssl_client_i_dn;", for example, "add_header x-debug-client-cert-i-dn $ssl_client_i_dn always;, I have no idea how to implement this via iRule. A part that competes certificates and SSL Profile client is OK I believe.
But that "proxy_pass https://api-dev.acme.com;" what would it be? A redirect? And how do I make it so that, when BIG-IP does this redirect, the API validates the BIG-IP certificate? I thought of configuring this in the SSL Profile Server, but that would only make sense if I put the API address in a pool, which is not the case if the "proxy_pass" is indeed a redirect....so how does the API Would you validate the data from auth-test-dev.acme.com.br?
I believe it is not a complex thing, but the pressure is great to implement it. 😞
- Nikoolayy1
MVP
I am in no way Nginx expert but proxy_pass is more like F5 Rewrite profile that changes the URI to the real one without redirection and the reply is changed in reverse " Local Traffic > Profiles > Services > Rewrite".
For the SSL you will need to extract the data and send it in HTTP header to the servers (maybe theX509::subject irule command gives the SSL distinguished name/DN you are looking for to send to the backend servers). See the links below:
https://clouddocs.f5.com/api/irules/HTTP__header.html
https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html
https://clouddocs.f5.com/api/irules/CLIENTSSL_CLIENTCERT.html
https://support.f5.com/csp/article/K41600007
Nice article with extra link articles about adding the SNI to a http header:
https://support.f5.com/csp/article/K41600007
https://support.f5.com/csp/article/K39408450
https://support.f5.com/csp/article/K14204621
Outside of that for F5 to be like Nginx an APM module with API protection profile is the best:
https://www.youtube.com/watch?v=-2ndGH9Dp1Q&t=308s
You will have to play arround and it will take time no matter what the IT boss that has no real tech knowedge is saying. Good luck!
- Andreia
Hi! Thank you for replying!
check this link https://www.nginx.com/blog/migrating-layer7-logic-f5-irules-citrix-policies-nginx-plus/It seams that proxy_pass act as pool's behavior.
- Nikoolayy1
Test it but I think Nginx by default also changes the URI before sending it to the backend servers (similar to F5 wit pool and rewrite profile or F5 APM API protection that I recommend for real API authentication and security) but I can't be 100%.
Also be carefull about F5 SNAT Automap and One connect as in Ngnix I can't renember if source ip translation is by default enabled or if multiplexing, connection pooling, connection reuse, or OneConnect is by default enabled.
Hooni_LHi!
I've tried ssl offloading using tls secret but not mtls.
You can refer the below link and search mtls.
https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/
I hope it helps.
