Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

NGINX vs. iRule - Client certificate validation based on URI and other things

Andreia
Cirrus
Cirrus

‎13-Feb-2023 08:18

Hi everyone!

I need help to "translate" an NGINX configuration to an iRule:

If the request is /auth, there is no client certificate validation, but the request is redirected to https://api-dev.acme.com/acme/xyz/abc/auth.
NGINX code snippet:
location /auth {
proxy_pass https://api-dev.acme.com/acme/xyz/abc/auth;

I also need to pass this $http_authorization:
NGINX code snippet:
proxy_set_header "X-acme-blueprint-AUTH" $http_authorization;

When the request is for "/" I need to validate the client's certificate:
NGINX code snippet:
location / {

if ($ssl_client_verify !="SUCCESS") { return 403; }

proxy_pass https://api-dev.acme.com;
ssl_client_certificate /etc/nginx/certs/cas.pem;
ssl_verify_client optional;

I made this iRule, but obviously it's not working:

when CLIENTSSL_HANDSHAKE {
set subject_dn [X509::subject [SSL::cert 0]]
set cert_issuer [X509::issuer [SSL::cert 0]]
set subject_dn_legacy [X509::subject [SSL::cert 0]]
set cert_issuer_legacy [X509::issuer [SSL::cert 0]]
set ssl_client_serial [X509::serial_number [SSL::cert 0]]
}

when HTTP_REQUEST {
switch -glob [HTTP::uri] {
"/auth*" {
HTTP::uri [string map -nocase {"/auth" "/xyz/abc/transmitter/auth"}[HTTP::uri]]
pool pool_api-dev_HTTPS
log local2. "request to /auth - Source IP: [IP::remote_addr] - uri: https://[HTTP::host][HTTP::uri]"
}
"/*" {
HTTP::collect
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 3
SSL::cert mode require
SSL::renegotiate
pool pool_api-dev_HTTPS
log local2. "Request - Source IP: [IP::remote_addr] - uri: https://[HTTP::host][HTTP::uri]"
}
}
HTTP::header insert Access-Control-Allow-Origin "*"
HTTP::header insert Access-Control-Allow-Credentials "true"
HTTP::header insert Access-Control-Allow-Methods "GET;POST;PUT;DELETE;OPTIONS"
HTTP::header insert Access-Control-Allow-Headers "Accept;Authorization;Cache-Control;Content-Type;DNT;If-Modified-Since;Keep-Alive;Origin;User-Agent;X-Requested-With"
HTTP::header insert x-debug-client-cert-i-dn $cert_issuer
HTTP::header insert x-debug-client-cert-i-dn-legacy $cert_issuer
HTTP::header insert x-debug-client-s-dn $subject_dn
HTTP::header insert x-debug-client-s-dn-legacy $subject_dn
}
when HTTP_RESPONSE {
HTTP::header insert X-SSL-I-DN $cert_issuer
HTTP::header insert X-SSL-S-DN $subject_dn
HTTP::header insert X-SSL-SERIAL $ssl_client_serial
}

Can you help me?
The complete NGINX code is in the attachment

Thanks!

Labels:
sample_nginx.zip
0 Kudos
6 REPLIES 6

Andreia
Cirrus
Cirrus
In response to mihaic

‎14-Feb-2023 04:56

Hello Mihaic!

Thank you for your help.

I'm not getting good support for these questions.

Unfortunately, I'm afraid these links don't solve my queries, as I need the iRule code more than NGINX.

But thanks anyway.

 
0 Kudos

Leslie_Hubertus
Community Manager
Community Manager

‎27-Feb-2023 16:27

Hey @Andreia  - were you able to figure it out? I've sent this thread to a colleague to see if they can offer some help.

0 Kudos

Andreia
Cirrus
Cirrus
In response to Leslie_Hubertus

‎28-Feb-2023 07:14 - edited ‎28-Feb-2023 07:15

Ih, @Leslie_Hubertus.

I have read every possible article on the subject, but I have not been able to solve it.

I quote the NGINX code because there it is very simple to do "If URI /auth, then validates the client's certificate, any other URI does not."

In BIG-IP it is being a bad experience. Enriching, but bad.

The iRule works, but I have a problem with the list of client certificates. Because I need to validate ANY client certificate data. And not just DNs, or Issuers, or serial, etc. that I can put in a list or datagroup.
I need to read the "Trusted Certificate Authorities" in the SSL Client Profile, but through an IRule. It is possible?

Thank you!

 

0 Kudos

Robert_Haynes
F5 Employee
F5 Employee

‎28-Feb-2023 10:53

Hi   Andreia,

Just to simplify it down and make sure I have the right idea:  you want to proxy / auth to an auth server, but for a request to  /, you want to validate the client certificate?

 

 

 

0 Kudos

Robert_Haynes
F5 Employee
F5 Employee

‎28-Feb-2023 11:50

Does this help? 

Doing mTLS Authentication per URL

 

0 Kudos
Copyright © 2023 Khoros, LLC