I am in no way Nginx expert but proxy_pass is more like F5 Rewrite profile that changes the URI to the real one without redirection and the reply is changed in reverse " Local Traffic > Profiles > Services > Rewrite".
For the SSL you will need to extract the data and send it in HTTP header to the servers (maybe theX509::subject irule command gives the SSL distinguished name/DN you are looking for to send to the backend servers). See the links below:
https://clouddocs.f5.com/api/irules/HTTP__header.html
https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html
https://clouddocs.f5.com/api/irules/CLIENTSSL_CLIENTCERT.html
https://support.f5.com/csp/article/K41600007
Nice article with extra link articles about adding the SNI to a http header:
https://support.f5.com/csp/article/K41600007
https://support.f5.com/csp/article/K39408450
https://support.f5.com/csp/article/K14204621
Outside of that for F5 to be like Nginx an APM module with API protection profile is the best:
https://www.youtube.com/watch?v=-2ndGH9Dp1Q&t=308s
You will have to play arround and it will take time no matter what the IT boss that has no real tech knowedge is saying. Good luck!