...

  • The Client Certificate check is optional, so the connection will always be forwarded but the certificate is only added when a valid certificate has been sent. Additionally, the WebSocket Upgrade must be supported. 

    F5 BIG-IP configuration example:



  • Path-dependent forwarding configuration must be supported. The NGINX Reverse Proxy supports this type. The listing shows a configuration for the WebSocket endpoint that requires the Client Certificate, adds it to the HTTP header, and adds the WebSocket Upgrade header. See also NGINX: Example Configuration for Reverse Proxy in IGEL OS with SSL Offloading.

    The other configuration is required for the onboarding endpoint.

    NGINX configuration example:

    # Configuration for WebSocket endpoints
    location ~ /device-connector/device/(ws-connect|portforwarding) {
        proxy_pass https://umsserver;
        proxy_set_header X-SSL-CERT $ssl_client_escaped_cert; # client certificate of the current connection
        proxy_set_header Upgrade $http_upgrade; # set the Upgrade header
        proxy_set_header Connection $connection_upgrade; # $connection_upgrade must be defined by a map in the http context
    }
    # Configuration for all other endpoints
    location / {
        proxy_pass https://umsserver;
        proxy_ssl_trusted_certificate ssl/ssl-cert-chain.cer;
        proxy_ssl_protocols TLSv1.3;
    }



  • Configuration of two endpoints (that is, two Virtual Servers / Listeners) on the Reverse Proxy / Loadbalancer. One endpoint is configured for the device onboarding and another one for the WebSocket connection.
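
For the path-dependent NGINX variant above, the two `location` blocks only work inside a surrounding `http`/`server` context. The following is an added example, not part of the original documentation or IGEL's own configuration. The upstream address, listen port, server name, certificate paths and the use of `ssl_verify_client optional` for the optional client certificate check are assumptions.

```nginx
# Added example. Addresses, names and file paths are placeholders.
# Everything below belongs inside the http { } context.

# $connection_upgrade is not a built-in variable; it has to be defined by a map.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream umsserver {
    server 192.0.2.10:8443;                           # placeholder UMS address and port
}

server {
    listen 8443 ssl;                                  # placeholder port
    server_name proxy.example.com;                    # placeholder name

    ssl_certificate        ssl/proxy-cert.pem;        # placeholder
    ssl_certificate_key    ssl/proxy-key.pem;         # placeholder
    ssl_client_certificate ssl/device-ca-chain.pem;   # placeholder CA bundle for client certificates
    ssl_verify_client      optional;                  # request a client certificate, verify it if one is sent

    # WebSocket endpoints: forward the client certificate and the Upgrade headers
    location ~ /device-connector/device/(ws-connect|portforwarding) {
        proxy_pass https://umsserver;
        proxy_http_version 1.1;                       # the Upgrade mechanism needs HTTP/1.1 towards the backend
        # proxy_set_header replaces any X-SSL-CERT sent by the client.
        # If no certificate was sent, the value is empty and the header is not forwarded.
        proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # All other endpoints (onboarding)
    location / {
        proxy_pass https://umsserver;
        proxy_set_header X-SSL-CERT "";               # never pass a client-supplied X-SSL-CERT to the backend
        # The trusted certificate is only consulted when proxy_ssl_verify is on (default: off).
        proxy_ssl_trusted_certificate ssl/ssl-cert-chain.cer;
        proxy_ssl_protocols TLSv1.3;
    }
}
```

Run `nginx -t` after adapting the placeholders to confirm the configuration parses before reloading.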

...