Forum Discussion
CirrusNGINX vs. iRule - Client certificate validation based on URI and other things
Hi everyone!
I need help to "translate" an NGINX configuration to an iRule:
If the request is /auth, there is no client certificate validation, but the request is redirected to https://api-dev.acme.com/acme/xyz/abc/auth.
NGINX code snippet:
location /auth {
proxy_pass https://api-dev.acme.com/acme/xyz/abc/auth;
I also need to pass this $http_authorization:
NGINX code snippet:
proxy_set_header "X-acme-blueprint-AUTH" $http_authorization;
When the request is for "/" I need to validate the client's certificate:
NGINX code snippet:
location / {
if ($ssl_client_verify !="SUCCESS") { return 403; }
proxy_pass https://api-dev.acme.com;
ssl_client_certificate /etc/nginx/certs/cas.pem;
ssl_verify_client optional;
I made this iRule, but obviously it's not working:
when CLIENTSSL_HANDSHAKE {
set subject_dn [X509::subject [SSL::cert 0]]
set cert_issuer [X509::issuer [SSL::cert 0]]
set subject_dn_legacy [X509::subject [SSL::cert 0]]
set cert_issuer_legacy [X509::issuer [SSL::cert 0]]
set ssl_client_serial [X509::serial_number [SSL::cert 0]]
}
when HTTP_REQUEST {
switch -glob [HTTP::uri] {
"/auth*" {
HTTP::uri [string map -nocase {"/auth" "/xyz/abc/transmitter/auth"}[HTTP::uri]]
pool pool_api-dev_HTTPS
log local2. "request to /auth - Source IP: [IP::remote_addr] - uri: https://[HTTP::host][HTTP::uri]"
}
"/*" {
HTTP::collect
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 3
SSL::cert mode require
SSL::renegotiate
pool pool_api-dev_HTTPS
log local2. "Request - Source IP: [IP::remote_addr] - uri: https://[HTTP::host][HTTP::uri]"
}
}
HTTP::header insert Access-Control-Allow-Origin "*"
HTTP::header insert Access-Control-Allow-Credentials "true"
HTTP::header insert Access-Control-Allow-Methods "GET;POST;PUT;DELETE;OPTIONS"
HTTP::header insert Access-Control-Allow-Headers "Accept;Authorization;Cache-Control;Content-Type;DNT;If-Modified-Since;Keep-Alive;Origin;User-Agent;X-Requested-With"
HTTP::header insert x-debug-client-cert-i-dn $cert_issuer
HTTP::header insert x-debug-client-cert-i-dn-legacy $cert_issuer
HTTP::header insert x-debug-client-s-dn $subject_dn
HTTP::header insert x-debug-client-s-dn-legacy $subject_dn
}
when HTTP_RESPONSE {
HTTP::header insert X-SSL-I-DN $cert_issuer
HTTP::header insert X-SSL-S-DN $subject_dn
HTTP::header insert X-SSL-SERIAL $ssl_client_serial
}
Can you help me?
The complete NGINX code is in the attachment
Thanks!
6 Replies
- Andreia
Hello Mihaic!
Thank you for your help.
I'm not getting good support for these questions.
Unfortunately, I'm afraid these links don't solve my queries, as I need the iRule code more than NGINX.
But thanks anyway.
Hey Andreia - were you able to figure it out? I've sent this thread to a colleague to see if they can offer some help.
- Andreia
Ih, Leslie_Hubertus.
I have read every possible article on the subject, but I have not been able to solve it.
I quote the NGINX code because there it is very simple to do "If URI /auth, then validates the client's certificate, any other URI does not."
In BIG-IP it is being a bad experience. Enriching, but bad.
The iRule works, but I have a problem with the list of client certificates. Because I need to validate ANY client certificate data. And not just DNs, or Issuers, or serial, etc. that I can put in a list or datagroup.
I need to read the "Trusted Certificate Authorities" in the SSL Client Profile, but through an IRule. It is possible?Thank you!
Hi Andreia,
Just to simplify it down and make sure I have the right idea: you want to proxy / auth to an auth server, but for a request to /, you want to validate the client certificate?
