We have an NGINX that works as a reverse proxy to do mTLS with clients and that is also validated (mTLS) by the API that receives requests from this reverse proxy.
I need to create a Virtual Server on BIG-IP that handles requests in the same way as NGINX:
client <----(mTLS)----> BIG-IP <----(mTLS)----> api-dev.acme.com
Attached is the example of the config in NGINX.
Can you help?
Thank you very much in advance
Hi! Thanks for answering!
In fact, the mTLS part with the client I managed to do by making an iRule that validates the client's certificate data and configuring the SSL Profile Client to require the client's certificate. My problem is with lines like "proxy_set_header X-SSL-I-DN $ssl_client_i_dn;" and, for example, "add_header x-debug-client-cert-i-dn $ssl_client_i_dn always;": I have no idea how to implement this via iRule. The part concerning certificates and the SSL Profile Client is OK, I believe.
But that "proxy_pass https://api-dev.acme.com;", what would it be? A redirect? And how do I make it so that, when BIG-IP does this redirect, the API validates the BIG-IP certificate? I thought of configuring this in the SSL Profile Server, but that would only make sense if I put the API address in a pool, which is not the case if the "proxy_pass" is indeed a redirect... so how would the API validate the data from auth-test-dev.acme.com.br?
I believe it is not a complex thing, but the pressure is great to implement it. 😞
25-Jan-2023 02:56 - edited 25-Jan-2023 03:14
I am in no way an Nginx expert, but proxy_pass is more like the F5 Rewrite profile that changes the URI to the real one without redirection, and the reply is changed in reverse ("Local Traffic > Profiles > Services > Rewrite").
For the SSL you will need to extract the data and send it in an HTTP header to the servers (maybe the X509::subject iRule command gives the SSL distinguished name/DN you are looking for to send to the backend servers). See the links below:
Nice article with extra linked articles about adding the SNI to an HTTP header:
Outside of that, for F5 to be like Nginx, an APM module with an API protection profile is the best:
You will have to play around and it will take time no matter what the IT boss that has no real tech knowledge is saying. Good luck!
Hi! Thank you for replying!
check this link https://www.nginx.com/blog/migrating-layer7-logic-f5-irules-citrix-policies-nginx-plus/
It seems that proxy_pass acts like a pool's behavior.
25-Jan-2023 06:37 - edited 25-Jan-2023 06:40
Test it, but I think Nginx by default also changes the URI before sending it to the backend servers (similar to F5 with pool and rewrite profile, or F5 APM API protection that I recommend for real API authentication and security), but I can't be 100% sure.
Also be careful about F5 SNAT Automap and OneConnect, as in Nginx I can't remember if source IP translation is enabled by default, or if multiplexing, connection pooling, connection reuse, or OneConnect is enabled by default.
I've tried ssl offloading using tls secret but not mtls.
You can refer to the link below and search for mtls.
I hope it helps.
I just can't find out how to write this NGINX code
add_header "Access-Control-Allow-Origin" "*" always;
add_header "Access-Control-Allow-Credentials" "true" always;
add_header "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE, OPTIONS" always;
add_header "Access-Control-Allow-Headers" "Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With" always;
add_header x-debug-client-cert-i-dn $ssl_client_i_dn always;
add_header x-debug-client-cert-i-dn-legacy $ssl_client_i_dn_legacy always;
add_header x-debug-client-s-dn $ssl_client_s_dn always;
add_header x-debug-client-s-dn-legacy $ssl_client_s_dn_legacy always;
in an iRule! 😞
Can someone help me? I've found the CORS documentation but this is not helping me out.
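Putting the suggestion above (X509::subject plus a header towards the pool) together with the nginx lines just posted, here is an added example iRule. It is not code from this thread or from F5; it assumes a pool whose member is api-dev.acme.com with a Server SSL profile attached (that profile's certificate is what the API validates), a Client SSL profile set to require a client certificate, and that the API reads the DNs from X-SSL-S-DN / X-SSL-I-DN (header names assumed from the nginx config).

```tcl
# Added example iRule, not from the thread or from F5. Assumes: pool member
# api-dev.acme.com with a Server SSL profile (BIG-IP's own cert is validated by
# the API), a Client SSL profile that requires a client cert, headers as in nginx.

when CLIENTSSL_CLIENTCERT {
    # Fires only on a full handshake; resumed TLS sessions skip it, so the DNs are
    # cached in the session table keyed by TLS session ID for later requests.
    if { [SSL::cert count] == 0 } {
        reject
        return
    }
    if { [SSL::verify_result] != 0 } {
        log local0.warn "client cert rejected: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }
    # Counterparts of nginx $ssl_client_s_dn / $ssl_client_i_dn (RFC 2253 form).
    # The nginx *_legacy slash-separated form has no direct iRule equivalent.
    set s_dn [X509::subject [SSL::cert 0]]
    set i_dn [X509::issuer [SSL::cert 0]]
    session add ssl [SSL::sessionid] [list $s_dn $i_dn] 3600
}

when HTTP_REQUEST {
    # Counterpart of nginx proxy_set_header. Drop any client-supplied copies first
    # so a caller cannot inject a DN the API would trust.
    HTTP::header remove "X-SSL-S-DN"
    HTTP::header remove "X-SSL-I-DN"
    set dns [session lookup ssl [SSL::sessionid]]
    if { $dns ne "" } {
        HTTP::header insert "X-SSL-S-DN" [lindex $dns 0]
        HTTP::header insert "X-SSL-I-DN" [lindex $dns 1]
    }
}

when HTTP_RESPONSE {
    # Counterpart of nginx "add_header ... always": HTTP_RESPONSE runs for every
    # server response, error statuses included. Browsers refuse a credentialed
    # request answered with a wildcard origin, so "*" plus "true" suits only non-browser clients.
    HTTP::header insert "Access-Control-Allow-Origin" "*"
    HTTP::header insert "Access-Control-Allow-Credentials" "true"
    HTTP::header insert "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE, OPTIONS"
    HTTP::header insert "Access-Control-Allow-Headers" "Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With"
    # $dns was set in HTTP_REQUEST on this connection; reuse it for the debug headers.
    if { [info exists dns] && $dns ne "" } {
        HTTP::header insert "x-debug-client-s-dn" [lindex $dns 0]
        HTTP::header insert "x-debug-client-cert-i-dn" [lindex $dns 1]
    }
}
```

The pool plus Server SSL profile replace proxy_pass (a forward to the pool member, not an HTTP redirect), so no iRule code is needed for that side of the mTLS.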
If you are going to support F5, better ask your management for training on iRules; that is my advice: