NGINX vs. iRule - Client certificate validation based on URI and other things


Hi everyone!

I need help to "translate" an NGINX configuration to an iRule:

If the request is /auth, there is no client certificate validation, but the request is redirected to
NGINX code snippet:
location /auth {

I also need to pass this $http_authorization:
NGINX code snippet:
proxy_set_header "X-acme-blueprint-AUTH" $http_authorization;

When the request is for "/" I need to validate the client's certificate:
NGINX code snippet:
location / {

if ($ssl_client_verify !="SUCCESS") { return 403; }

ssl_client_certificate /etc/nginx/certs/cas.pem;
ssl_verify_client optional;

I made this iRule, but obviously it's not working:

when HTTP_REQUEST {
    # Read certificate fields only if the client presented one; calling
    # X509:: on an empty certificate errors and aborts the iRule
    if { [SSL::cert count] > 0 } {
        set subject_dn [X509::subject [SSL::cert 0]]
        set cert_issuer [X509::issuer [SSL::cert 0]]
        set ssl_client_serial [X509::serial_number [SSL::cert 0]]
    } else {
        set subject_dn ""
        set cert_issuer ""
        set ssl_client_serial ""
    }
    # Reset per request: keep-alive connections are reused and variables
    # persist across the requests on them
    set add_cors 0

    switch -glob [HTTP::uri] {
        "/auth*" {
            # Tcl requires whitespace between the brace-quoted map and [HTTP::uri]
            HTTP::uri [string map -nocase {"/auth" "/xyz/abc/transmitter/auth"} [HTTP::uri]]
            pool pool_api-dev_HTTPS
            log local2. "request to /auth - Source IP: [IP::remote_addr] - uri: https://[HTTP::host][HTTP::uri]"
        }
        "/*" {
            # Changing the certificate mode here only affects a new or
            # renegotiated handshake; the current request was already
            # accepted without a certificate check
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 3
            SSL::cert mode require
            pool pool_api-dev_HTTPS
            log local2. "Request - Source IP: [IP::remote_addr] - uri: https://[HTTP::host][HTTP::uri]"
            set add_cors 1
            HTTP::header insert x-debug-client-cert-i-dn $cert_issuer
            HTTP::header insert x-debug-client-cert-i-dn-legacy $cert_issuer
            HTTP::header insert x-debug-client-s-dn $subject_dn
            HTTP::header insert x-debug-client-s-dn-legacy $subject_dn
            HTTP::header insert X-SSL-I-DN $cert_issuer
            HTTP::header insert X-SSL-S-DN $subject_dn
            HTTP::header insert X-SSL-SERIAL $ssl_client_serial
        }
    }
}

when HTTP_RESPONSE {
    # CORS headers belong on the response to the browser, not on the request
    # forwarded to the pool member; CORS lists are comma-separated
    if { $add_cors } {
        HTTP::header insert Access-Control-Allow-Origin "*"
        HTTP::header insert Access-Control-Allow-Credentials "true"
        HTTP::header insert Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
        HTTP::header insert Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With"
    }
}

Can you help me?
The complete NGINX code is in the attachment



Hello Mihaic!

Thank you for your help.

I'm not getting good support for these questions.

Unfortunately, I'm afraid these links don't solve my queries, as I need the iRule code more than NGINX.

But thanks anyway.


Community Manager

Hey @Andreia - were you able to figure it out? I've sent this thread to a colleague to see if they can offer some help.

Hi, @Leslie_Hubertus.

I have read every possible article on the subject, but I have not been able to solve it.

I quote the NGINX code because there it is very simple to do "If URI /auth, then validates the client's certificate, any other URI does not."

In BIG-IP it is turning out to be a bad experience. Enriching, but bad.

The iRule works, but I have a problem with the list of client certificates, because I need to validate ANY client certificate, and not just DNs, issuers, serials, etc. that I can put in a list or data group.
I need to read the "Trusted Certificate Authorities" of the SSL Client Profile, but through an iRule. Is that possible?

Thank you!

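An iRule that does what the original post's NGINX configuration does (no certificate check on /auth, forward the Authorization value, require a verified certificate everywhere else) and also answers the follow-up about the profile's "Trusted Certificate Authorities". This is an added editorial example, not code from the thread. It assumes the Client SSL profile has "Client Certificate" set to "request" (the counterpart of NGINX's `ssl_verify_client optional`) with the CA bundle loaded as "Trusted Certificate Authorities", so every handshake asks for a certificate and the iRule can check the outcome per URI without SSL::renegotiate, which also avoids the renegotiation that TLS 1.3 does not offer. The pool name, the /auth rewrite target and the X-acme-blueprint-AUTH and X-SSL-* header names are taken from the post; the variable names and log text are mine.

```tcl
# Added example (not from the thread): per-URI client-certificate enforcement.
# Assumes a Client SSL profile with "Client Certificate" = request and the CA
# bundle set as "Trusted Certificate Authorities"; pool, rewrite target and
# header names are from the original post, everything else is illustrative.

when HTTP_REQUEST {
    # --- /auth: no client-certificate check ----------------------------
    if { [string tolower [HTTP::path]] starts_with "/auth" } {
        HTTP::uri [string map -nocase {"/auth" "/xyz/abc/transmitter/auth"} [HTTP::uri]]
        # NGINX: proxy_set_header "X-acme-blueprint-AUTH" $http_authorization;
        # $http_authorization is empty when the header is absent, so only
        # insert the copy when the client actually sent one.
        if { [HTTP::header exists "Authorization"] } {
            HTTP::header insert "X-acme-blueprint-AUTH" [HTTP::header "Authorization"]
        }
        log local2. "request to /auth - Source IP: [IP::remote_addr] - uri: https://[HTTP::host][HTTP::uri]"
        pool pool_api-dev_HTTPS
        return
    }

    # --- every other URI: a certificate must be present and must verify --
    # SSL::verify_result is the OpenSSL verify code for the chain the client
    # presented, evaluated against the profile's Trusted Certificate
    # Authorities during the handshake. 0 means the chain validated, so no
    # data group of DNs, issuers or serials is needed: any certificate
    # chaining to a trusted CA passes, anything else is rejected.
    # If the profile already aborts the handshake on a certificate that
    # fails validation, such connections never reach this event; the check
    # below still covers "no certificate presented at all".
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        log local2. "client cert rejected - Source IP: [IP::remote_addr] - certs: [SSL::cert count] - verify_result: [SSL::verify_result] - uri: [HTTP::uri]"
        # NGINX: if ($ssl_client_verify != "SUCCESS") { return 403; }
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain" "Connection" "close"
        return
    }

    # Verified certificate: pass its identity to the backend, as the
    # original post did with X-SSL-S-DN / X-SSL-I-DN / X-SSL-SERIAL.
    set cert [SSL::cert 0]
    HTTP::header insert "X-SSL-S-DN" [X509::subject $cert]
    HTTP::header insert "X-SSL-I-DN" [X509::issuer $cert]
    HTTP::header insert "X-SSL-SERIAL" [X509::serial_number $cert]
    log local2. "Request - Source IP: [IP::remote_addr] - subject: [X509::subject $cert] - uri: https://[HTTP::host][HTTP::uri]"
    pool pool_api-dev_HTTPS
}
```

Two points to check on the target BIG-IP before relying on this: whether "request" mode on that TMOS version completes or aborts the handshake when a presented certificate fails validation (either way the 403 branch only ever admits a verified chain), and that the backend strips any client-supplied X-SSL-* headers, since the iRule inserts rather than replaces them.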

Legacy Employee

Hi Andreia,

Just to simplify it down and make sure I have the right idea: you want to proxy /auth to an auth server, but for a request to /, you want to validate the client certificate?



