24-Jan-2023 10:48
Hi,
We have an NGINX that works as a reverse proxy to do mTLS with clients and that is also validated (mTLS) by the API that receives requests from this reverse proxy.
I need to create a Virtual Server on BIG-IP that handles requests in the same way as NGINX:
client -<-----(mtls)----> BIG-IP <----(mtls)----> api-dev.acme.com
Attached is the example of the config in NGINX.
Can you help?
Thank you very much in advance
24-Jan-2023 13:09
Hi! Thanks for answering!
In fact, the mTLS part with the client I managed to do by making an iRule that validates the client's certificate data and configuring the SSL Profile Client to require the client's certificate. My problem is with these lines, "proxy_set_header X-SSL-I-DN $ssl_client_i_dn;" and, for example, "add_header x-debug-client-cert-i-dn $ssl_client_i_dn always;". I have no idea how to implement this via iRule. The part concerning certificates and the SSL Profile Client is OK, I believe.
But that "proxy_pass https://api-dev.acme.com;", what would it be? A redirect? And how do I make it so that, when BIG-IP does this redirect, the API validates the BIG-IP certificate? I thought of configuring this in the SSL Profile Server, but that would only make sense if I put the API address in a pool, which is not the case if the "proxy_pass" is indeed a redirect... So how would the API validate the data from auth-test-dev.acme.com.br?
I believe it is not a complex thing, but the pressure is great to implement it. 😞
25-Jan-2023 02:56 - edited 25-Jan-2023 03:14
I am in no way an Nginx expert, but proxy_pass is more like the F5 Rewrite profile, which changes the URI to the real one without redirection and changes the reply in reverse ("Local Traffic > Profiles > Services > Rewrite").
For the SSL you will need to extract the data and send it in an HTTP header to the servers (maybe the X509::subject iRule command gives the SSL distinguished name/DN you are looking for to send to the backend servers). See the links below:
https://clouddocs.f5.com/api/irules/HTTP__header.html
https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html
https://clouddocs.f5.com/api/irules/CLIENTSSL_CLIENTCERT.html
https://support.f5.com/csp/article/K41600007
Nice article with extra link articles about adding the SNI to a http header:
https://support.f5.com/csp/article/K41600007
https://support.f5.com/csp/article/K39408450
https://support.f5.com/csp/article/K14204621
Outside of that for F5 to be like Nginx an APM module with API protection profile is the best:
https://www.youtube.com/watch?v=-2ndGH9Dp1Q&t=308s
You will have to play around, and it will take time no matter what the IT boss that has no real tech knowledge is saying. Good luck!
25-Jan-2023 05:49
Hi! Thank you for replying!
check this link https://www.nginx.com/blog/migrating-layer7-logic-f5-irules-citrix-policies-nginx-plus/
It seems that proxy_pass acts like a pool's behavior.
25-Jan-2023 06:37 - edited 25-Jan-2023 06:40
Test it, but I think Nginx by default also changes the URI before sending it to the backend servers (similar to F5 with pool and rewrite profile, or F5 APM API protection that I recommend for real API authentication and security), but I can't be 100% sure.
Also be careful about F5 SNAT Automap and OneConnect, as in Nginx I can't remember if source IP translation is enabled by default, or if multiplexing, connection pooling, connection reuse, or OneConnect is enabled by default.
25-Jan-2023 20:51
Hi!
I've tried SSL offloading using a TLS secret, but not mTLS.
You can refer to the link below and search for mTLS.
https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/
I hope it helps.
27-Jan-2023 08:19
Hi, everyone!
I just can't find out how to write this NGINX code
add_header "Access-Control-Allow-Origin" "*" always;
add_header "Access-Control-Allow-Credentials" "true" always;
add_header "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE, OPTIONS" always;
add_header "Access-Control-Allow-Headers" "Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With" always;
add_header x-debug-client-cert-i-dn $ssl_client_i_dn always;
add_header x-debug-client-cert-i-dn-legacy $ssl_client_i_dn_legacy always;
add_header x-debug-client-s-dn $ssl_client_s_dn always;
add_header x-debug-client-s-dn-legacy $ssl_client_s_dn_legacy always;
in an iRule! 😞
Can someone help me? I've found the CORS documentation, but this is not helping me out.
Thanks!
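For the two questions in this thread (forwarding the client certificate DNs to the API as request headers, as proxy_set_header does, and adding the CORS and x-debug headers to every response, as add_header ... always does), here is an added example iRule; it is not from the thread, from F5's documentation or from the NGINX config being ported. It assumes the virtual server has a client-ssl profile that requests or requires the client certificate; header names are copied from the NGINX config, and the "-legacy" DN variants are not reproduced because the iRule X509 commands return a single DN string format.

```tcl
# Added example iRule (not from the thread). Assumes a client-ssl profile
# on the virtual server that requests or requires the client certificate.
when CLIENTSSL_CLIENTCERT {
    # Runs once per TLS handshake; these connection-scoped variables are
    # visible later in HTTP_REQUEST and HTTP_RESPONSE on the same connection.
    set client_s_dn ""
    set client_i_dn ""
    if { [SSL::cert count] > 0 } {
        set client_s_dn [X509::subject [SSL::cert 0]]
        set client_i_dn [X509::issuer [SSL::cert 0]]
    }
}

when HTTP_REQUEST {
    # Counterpart of proxy_set_header: the backend must only ever see DNs
    # that BIG-IP extracted itself, so drop any client-supplied copies first.
    HTTP::header remove "X-SSL-S-DN"
    HTTP::header remove "X-SSL-I-DN"
    if { [info exists client_s_dn] && $client_s_dn ne "" } {
        HTTP::header insert "X-SSL-S-DN" $client_s_dn
        HTTP::header insert "X-SSL-I-DN" $client_i_dn
    }
}

when HTTP_RESPONSE {
    # Counterpart of add_header ... always: HTTP_RESPONSE fires for every
    # status code, so no per-status condition is needed. "replace" inserts
    # the header when it is absent and overwrites it when the API set one.
    # Note: browsers reject a wildcard Allow-Origin combined with
    # Allow-Credentials true; the values are kept as in the NGINX config.
    HTTP::header replace "Access-Control-Allow-Origin" "*"
    HTTP::header replace "Access-Control-Allow-Credentials" "true"
    HTTP::header replace "Access-Control-Allow-Methods" \
        "GET, POST, PUT, DELETE, OPTIONS"
    HTTP::header replace "Access-Control-Allow-Headers" \
        "Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With"
    if { [info exists client_s_dn] && $client_s_dn ne "" } {
        HTTP::header replace "x-debug-client-cert-i-dn" $client_i_dn
        HTTP::header replace "x-debug-client-s-dn" $client_s_dn
    }
}
```

The BIG-IP-to-API mTLS leg is not part of the iRule: it is configured on the server-ssl profile of the virtual server (the certificate and key BIG-IP presents to the API, and the CA used to verify the API's certificate), with api-dev.acme.com as the pool member that replaces proxy_pass.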
30-Jan-2023 00:19
If you are going to support F5, better ask your management for training on iRules; that is my advice:
https://support.f5.com/csp/article/K73819494
https://community.f5.com/t5/technical-articles/irules-101-01-introduction-to-irules/ta-p/283452