Forum Discussion

Cirrus

Jan 24, 2023

How to "Convert" NGINX to iRules?

Hi, We have an NGINX that works as a reverse proxy to do mTLS with clients and that is also validated (mTLS) by the API that receives requests from this reverse proxy. I need to create a Virtual Se...

sample_nginx.zip1 KB

devops

Nikoolayy1

MVP

I am in no way Nginx expert but proxy_pass is more like F5 Rewrite profile that changes the URI to the real one without redirection and the reply is changed in reverse " Local Traffic > Profiles > Services > Rewrite".

For the SSL you will need to extract the data and send it in HTTP header to the servers (maybe theX509::subject irule command gives the SSL distinguished name/DN you are looking for to send to the backend servers). See the links below:

https://clouddocs.f5.com/api/irules/HTTP__header.html

https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html

https://clouddocs.f5.com/api/irules/CLIENTSSL_CLIENTCERT.html

https://support.f5.com/csp/article/K41600007

Nice article with extra link articles about adding the SNI to a http header:

https://support.f5.com/csp/article/K41600007

https://support.f5.com/csp/article/K39408450

https://support.f5.com/csp/article/K14204621

Outside of that for F5 to be like Nginx an APM module with API protection profile is the best:

https://www.youtube.com/watch?v=-2ndGH9Dp1Q&t=308s

You will have to play arround and it will take time no matter what the IT boss that has no real tech knowedge is saying. Good luck!

Andreia

Cirrus

Jan 25, 2023

Hi! Thank you for replying!

check this link https://www.nginx.com/blog/migrating-layer7-logic-f5-irules-citrix-policies-nginx-plus/

It seams that proxy_pass act as pool's behavior.

Nikoolayy1
MVP
Jan 25, 2023
Test it but I think Nginx by default also changes the URI before sending it to the backend servers (similar to F5 wit pool and rewrite profile or F5 APM API protection that I recommend for real API authentication and security) but I can't be 100%.

Also be carefull about F5 SNAT Automap and One connect as in Ngnix I can't renember if source ip translation is by default enabled or if multiplexing, connection pooling, connection reuse, or OneConnect is by default enabled.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

How to "Convert" NGINX to iRules?

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Multiple Ways to Configure Usage Reporting in NGINX

Automating NGINX Certificate Rotation on AWS

Mastering API Architectures Ebook from NGINX

Whats new in NGINX Gateway Fabric 1.2?

Distributed caching of authentication requests with NGINX Ingress Controller

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS