Technical Forum

How to "Convert" NGINX to iRules?

Andreia
Cirrus

Hi,

We have an NGINX that works as a reverse proxy to do mTLS with clients, and that is also validated (mTLS) by the API that receives requests from this reverse proxy.
I need to create a Virtual Server on BIG-IP that handles requests the same way as NGINX:
client <----(mTLS)----> BIG-IP <----(mTLS)----> api-dev.acme.com

Attached is the example of the config in NGINX.
Can you help?

Thank you very much in advance

8 REPLIES

JoseLabra
Altocumulus

Hi,
you need to create a VS, but via the CLI or by automating a script for that?

Regards!

Andreia
Cirrus

Hi! Thanks for answering!
In fact, the mTLS part with the client I managed to do by writing an iRule that validates the client's certificate data and configuring the SSL Profile Client to require the client's certificate. My problem is with lines like "proxy_set_header X-SSL-I-DN $ssl_client_i_dn;" or "add_header x-debug-client-cert-i-dn $ssl_client_i_dn always;": I have no idea how to implement these via iRule. The part that concerns certificates and the SSL Profile Client is OK, I believe.
But that "proxy_pass https://api-dev.acme.com;", what would it be? A redirect? And how do I make it so that, when BIG-IP does this redirect, the API validates the BIG-IP certificate? I thought of configuring this in the SSL Profile Server, but that would only make sense if I put the API address in a pool, which is not the case if "proxy_pass" is indeed a redirect... so how would the API validate the data from auth-test-dev.acme.com.br?
I believe it is not a complex thing, but the pressure to implement it is great. 😞

I am in no way an Nginx expert, but proxy_pass is more like the F5 Rewrite profile, which changes the URI to the real one without a redirect, and the reply is changed back in reverse ("Local Traffic > Profiles > Services > Rewrite").

For the SSL you will need to extract the data and send it in an HTTP header to the servers (maybe the X509::subject iRule command gives the SSL distinguished name/DN you are looking for to send to the backend servers). See the links below:

https://clouddocs.f5.com/api/irules/HTTP__header.html

https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html

https://clouddocs.f5.com/api/irules/CLIENTSSL_CLIENTCERT.html

https://support.f5.com/csp/article/K41600007

Nice article, with links to further articles, about adding the SNI to an HTTP header:

https://support.f5.com/csp/article/K41600007

https://support.f5.com/csp/article/K39408450

https://support.f5.com/csp/article/K14204621

Outside of that, for F5 to be like Nginx, an APM module with an API protection profile is the best:

https://www.youtube.com/watch?v=-2ndGH9Dp1Q&t=308s

You will have to play around and it will take time, no matter what the IT boss that has no real tech knowledge is saying. Good luck!

Hi! Thank you for replying!

Check this link: https://www.nginx.com/blog/migrating-layer7-logic-f5-irules-citrix-policies-nginx-plus/

It seems that proxy_pass acts like a pool.

Test it, but I think Nginx by default also changes the URI before sending it to the backend servers (similar to F5 with a pool and rewrite profile, or F5 APM API protection, which I recommend for real API authentication and security), but I can't be 100% sure.

Also be careful about F5 SNAT Automap and OneConnect, as in Nginx I can't remember whether source IP translation is enabled by default, or whether multiplexing, connection pooling, connection reuse, or OneConnect is enabled by default.

@Andreia 

Hi!

I've tried SSL offloading using a TLS secret, but not mTLS.

You can refer to the link below and search for mTLS.

https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/

I hope it helps.

Andreia
Cirrus

Hi, everyone!

I just can't find out how to write this NGINX code

add_header "Access-Control-Allow-Origin" "*" always;
add_header "Access-Control-Allow-Credentials" "true" always;
add_header "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE, OPTIONS" always;
add_header "Access-Control-Allow-Headers" "Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With" always;

add_header x-debug-client-cert-i-dn $ssl_client_i_dn always;
add_header x-debug-client-cert-i-dn-legacy $ssl_client_i_dn_legacy always;
add_header x-debug-client-s-dn $ssl_client_s_dn always;
add_header x-debug-client-s-dn-legacy $ssl_client_s_dn_legacy always;

in an iRule! 😞

Can someone help me? I've found the CORS documentation, but it is not helping me.

Thanks!
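Since the thread stops short of an actual iRule, here is one as an added example; it is not code from the posts, from F5 or from NGINX. It covers both things Andreia asked for: the request-side "proxy_set_header X-SSL-I-DN $ssl_client_i_dn" lines from her second post and the "add_header ... always" response lines from her last post. It assumes the virtual server carries an HTTP profile, a Client SSL profile with the client certificate set to "require", and a pool for api-dev.acme.com with a Server SSL profile (BIG-IP's own cert/key, peer-cert-mode "require" and a CA file) that does the server-side mTLS, so that proxy_pass becomes the pool rather than a redirect. The header names are the ones from the posts; the variable names are mine.

```tcl
# Added example, not code from the thread or from F5. Assumes: HTTP profile,
# Client SSL profile with "Client Certificate: require", and a pool with a
# Server SSL profile (peer-cert-mode require + CA file) for api-dev.acme.com.

when CLIENTSSL_CLIENTCERT {
    # Runs when the client presents its certificate in the TLS handshake.
    # Keep the DNs in connection-scoped variables for the HTTP events below.
    # Check how your BIG-IP version behaves on resumed TLS sessions, where
    # this event may not fire again; test that case before going live.
    if { [SSL::cert count] > 0 } {
        set client_s_dn [X509::subject [SSL::cert 0]]
        set client_i_dn [X509::issuer  [SSL::cert 0]]
    }
}

when HTTP_REQUEST {
    # proxy_set_header equivalent. "replace" overwrites any header the client
    # sent itself, so a caller cannot inject its own X-SSL-* values.
    if { [info exists client_s_dn] } {
        HTTP::header replace "X-SSL-S-DN" $client_s_dn
        HTTP::header replace "X-SSL-I-DN" $client_i_dn
    } else {
        # No certificate data on this connection: do not forward the request.
        HTTP::respond 403 content "client certificate required" "Content-Type" "text/plain"
    }
}

when HTTP_RESPONSE {
    # "add_header ... always" equivalent: applied to every response code,
    # with the same values as the posted NGINX config.
    HTTP::header replace "Access-Control-Allow-Origin" "*"
    HTTP::header replace "Access-Control-Allow-Credentials" "true"
    HTTP::header replace "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE, OPTIONS"
    HTTP::header replace "Access-Control-Allow-Headers" "Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With"

    # The x-debug-* headers echo the client's own subject/issuer DN back to
    # that client. Fine while debugging; remove them before production.
    if { [info exists client_s_dn] } {
        HTTP::header replace "x-debug-client-s-dn" $client_s_dn
        HTTP::header replace "x-debug-client-cert-i-dn" $client_i_dn
    }
}
```

Two things to check against the original NGINX behaviour. First, X509::subject returns the DN as a comma-separated RDN string (the format of NGINX's $ssl_client_s_dn); the *_legacy variables use the older slash-separated form, which this iRule does not produce, so confirm which format the API actually parses. Second, browsers reject "Access-Control-Allow-Origin: *" on credentialed requests when "Access-Control-Allow-Credentials: true" is also present; the iRule reproduces the posted values as they are, but if browser clients send credentials, the backend or iRule should echo a specific allowed Origin instead of the wildcard.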