CirrusHi,
We have an NGINX that works as a reverse proxy to do mTLS with clients and that is also validated (mTLS) by the API that receives requests from this reverse proxy.
I need to create a Virtual Server on BIG-IP that handles requests in the same way as NGINX:
client -<-----(mtls)----> BIG-IP <----(mtls)----> api-dev.acme.com
Attached is the example of the config in NGINX.
Can you help?
Thank you very much in advance
MVPhii,
you need create a vs but for CLI or automate a script for that?
Regards!
CirrusHi! Thanks for answering!
In fact, the mTLS part with the client I managed to do by making an iRule that validates the client's certificate data and configuring the SSL Profile Client to require the client's certificate. My problem is in these " proxy_set_header X-SSL-I-DN $ssl_client_i_dn;", for example, "add_header x-debug-client-cert-i-dn $ssl_client_i_dn always;, I have no idea how to implement this via iRule. A part that competes certificates and SSL Profile client is OK I believe.
But that "proxy_pass https://api-dev.acme.com;" what would it be? A redirect? And how do I make it so that, when BIG-IP does this redirect, the API validates the BIG-IP certificate? I thought of configuring this in the SSL Profile Server, but that would only make sense if I put the API address in a pool, which is not the case if the "proxy_pass" is indeed a redirect....so how does the API Would you validate the data from auth-test-dev.acme.com.br?
I believe it is not a complex thing, but the pressure is great to implement it. 😞
MVPI am in no way Nginx expert but proxy_pass is more like F5 Rewrite profile that changes the URI to the real one without redirection and the reply is changed in reverse " Local Traffic > Profiles > Services > Rewrite".
For the SSL you will need to extract the data and send it in HTTP header to the servers (maybe theX509::subject irule command gives the SSL distinguished name/DN you are looking for to send to the backend servers). See the links below:
https://clouddocs.f5.com/api/irules/HTTP__header.html
https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html
https://clouddocs.f5.com/api/irules/CLIENTSSL_CLIENTCERT.html
https://support.f5.com/csp/article/K41600007
Nice article with extra link articles about adding the SNI to a http header:
https://support.f5.com/csp/article/K41600007
https://support.f5.com/csp/article/K39408450
https://support.f5.com/csp/article/K14204621
Outside of that for F5 to be like Nginx an APM module with API protection profile is the best:
https://www.youtube.com/watch?v=-2ndGH9Dp1Q&t=308s
You will have to play arround and it will take time no matter what the IT boss that has no real tech knowedge is saying. Good luck!
CirrusHi! Thank you for replying!
check this link https://www.nginx.com/blog/migrating-layer7-logic-f5-irules-citrix-policies-nginx-plus/
It seams that proxy_pass act as pool's behavior.
CirrusHi!
I've tried ssl offloading using tls secret but not mtls.
You can refer the below link and search mtls.
https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/
I hope it helps.
CirrusHi, everyone!
I just can't find out how to write this NGINX's code
add_header "Access-Control-Allow-Origin" "*" always;
add_header "Access-Control-Allow-Credentials" "true" always;
add_header "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE, OPTIONS" always;
add_header "Access-Control-Allow-Headers" "Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With" always;
add_header x-debug-client-cert-i-dn $ssl_client_i_dn always;
add_header x-debug-client-cert-i-dn-legacy $ssl_client_i_dn_legacy always;
add_header x-debug-client-s-dn $ssl_client_s_dn always;
add_header x-debug-client-s-dn-legacy $ssl_client_s_dn_legacy always;
On an iRule! 😞
Can someone help me? I've found CORS's documentation but this is not helping me out.
Thanks!
MVPIf you are going to support F5 better ask your managment for training on irules that is my advice:
https://support.f5.com/csp/article/K73819494
https://community.f5.com/t5/technical-articles/irules-101-01-introduction-to-irules/ta-p/283452