Forum Discussion

Andreia's avatar
Andreia
Icon for Cirrus rankCirrus
Feb 13, 2023

NGINX vs. iRule - Client certificate validation based on URI and other things

Hi everyone!

I need help to "translate" an NGINX configuration to an iRule:

If the request is /auth, there is no client certificate validation, but the request is redirected to https://api-dev.acme.com/acme/xyz/abc/auth.
NGINX code snippet:
location /auth {
proxy_pass https://api-dev.acme.com/acme/xyz/abc/auth;

I also need to pass this $http_authorization:
NGINX code snippet:
proxy_set_header "X-acme-blueprint-AUTH" $http_authorization;

When the request is for "/" I need to validate the client's certificate:
NGINX code snippet:
location / {

if ($ssl_client_verify !="SUCCESS") { return 403; }

proxy_pass https://api-dev.acme.com;
ssl_client_certificate /etc/nginx/certs/cas.pem;
ssl_verify_client optional;

I made this iRule, but obviously it's not working:

when CLIENTSSL_HANDSHAKE {
set subject_dn [X509::subject [SSL::cert 0]]
set cert_issuer [X509::issuer [SSL::cert 0]]
set subject_dn_legacy [X509::subject [SSL::cert 0]]
set cert_issuer_legacy [X509::issuer [SSL::cert 0]]
set ssl_client_serial [X509::serial_number [SSL::cert 0]]
}

when HTTP_REQUEST {
switch -glob [HTTP::uri] {
"/auth*" {
HTTP::uri [string map -nocase {"/auth" "/xyz/abc/transmitter/auth"}[HTTP::uri]]
pool pool_api-dev_HTTPS
log local2. "request to /auth - Source IP: [IP::remote_addr] - uri: https://[HTTP::host][HTTP::uri]"
}
"/*" {
HTTP::collect
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 3
SSL::cert mode require
SSL::renegotiate
pool pool_api-dev_HTTPS
log local2. "Request - Source IP: [IP::remote_addr] - uri: https://[HTTP::host][HTTP::uri]"
}
}
HTTP::header insert Access-Control-Allow-Origin "*"
HTTP::header insert Access-Control-Allow-Credentials "true"
HTTP::header insert Access-Control-Allow-Methods "GET;POST;PUT;DELETE;OPTIONS"
HTTP::header insert Access-Control-Allow-Headers "Accept;Authorization;Cache-Control;Content-Type;DNT;If-Modified-Since;Keep-Alive;Origin;User-Agent;X-Requested-With"
HTTP::header insert x-debug-client-cert-i-dn $cert_issuer
HTTP::header insert x-debug-client-cert-i-dn-legacy $cert_issuer
HTTP::header insert x-debug-client-s-dn $subject_dn
HTTP::header insert x-debug-client-s-dn-legacy $subject_dn
}
when HTTP_RESPONSE {
HTTP::header insert X-SSL-I-DN $cert_issuer
HTTP::header insert X-SSL-S-DN $subject_dn
HTTP::header insert X-SSL-SERIAL $ssl_client_serial
}

Can you help me?
The complete NGINX code is in the attachment

Thanks!