STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

V-278406

CAT II (Medium)

NGINX must be configured to use Online Certificate Status Protocol (OCSP) for certificate path validation and revocation. (OCSP is the preferred configuration.)

Rule ID

SV-278406r1171970_rule

STIG

F5 NGINX Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000185, CCI-004068

Discussion

A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or OCSP responses.

Satisfies: SRG-APP-000605, SRG-APP-000875

Check Content

If using CRL for certificate revocation, this requirement is Not Applicable.

Determine the path to NGINX config file(s):

# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.

# cat <path to config>

Check the http { } blocks for configuration like the following example:

http {
    server {
        listen 443 ssl;
        server_name example.com;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        ssl_client_certificate /etc/nginx/ssl/ca.crt;

        ssl_verify_client on;

        ssl_crl /etc/nginx/ssl/crl.pem;

        ssl_ocsp on;
        ssl_ocsp_responder http://ocsp.disa.mil;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_stapling_file /etc/nginx/ssl/ocsp_cache.pem;
        ssl_stapling_responder_timeout 3s;  # Timeout for OCSP responder queries
        ssl_stapling_responder_error_cache_time 300s;  # Cache time for responder errors

        location / {
            proxy_pass http://backend;
        }
    }
}

Check for certificate path validation. If "ssl_verify_client on" is not in the configuration, this is a finding.

Check if OCSP is enabled. If "ssl_ocsp on" is not in the configuration, this is a finding.

Check if OCSP Stapling is configured. If "ssl_stapling on" or "ssl_stapling_verify on" is not in the configuration, this is a finding.

If "ssl_stapling_file <file>" is not present in the configuration, this is a finding.
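The four checks above can be run mechanically over an "nginx -T" dump. The following is an added example, not part of the STIG or of NGINX: it strips comments (including the "# configuration file ..." markers nginx -T emits), walks every server { } block, skips listeners without "ssl", and reports the same findings the check describes. It also honours ssl_* directives set once in the http context, which NGINX inherits into each server and a per-server grep would report as missing. The two sample dumps are constructed for illustration.

```python
import re
# Directive values V-278406 requires in every TLS-enabled server block.
REQUIRED = {"ssl_verify_client": "on", "ssl_ocsp": "on",
            "ssl_stapling": "on", "ssl_stapling_verify": "on"}

def _split_servers(text):
    """Return (outer, bodies): text outside server{} blocks, and each block body."""
    outer, bodies, i = [], [], 0
    while (m := re.search(r"\bserver\s*\{", text[i:])):
        outer.append(text[i:i + m.start()])
        depth, j = 1, i + m.end()
        while j < len(text) and depth:              # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        bodies.append(text[i + m.end():j - 1])
        i = j
    return "".join(outer) + text[i:], bodies

def _directives(chunk):
    """Map directive name -> argument list; a later repeat overrides an earlier one."""
    found = {}
    for stmt in re.split(r"[;{}]", chunk):
        if parts := stmt.split():
            found[parts[0]] = parts[1:]
    return found

def audit(config_text):
    """Return the rule's findings for an 'nginx -T' dump; an empty list is compliant."""
    outer, bodies = _split_servers(re.sub(r"#.*", "", config_text))  # drop comments
    inherited = _directives(outer)      # ssl_* set at http level apply to every server
    findings = []
    for n, body in enumerate(bodies, 1):
        d = {**inherited, **_directives(body)}
        if "ssl" not in d.get("listen", []):
            continue                    # plaintext listener: the rule does not apply
        for name, want in REQUIRED.items():
            if (d.get(name) or [None])[0] != want:
                findings.append(f"server #{n}: '{name} {want}' missing")
        if not d.get("ssl_stapling_file"):
            findings.append(f"server #{n}: 'ssl_stapling_file <file>' missing")
    return findings

# Constructed sample dumps (not real hosts): one compliant, one with three findings.
GOOD = """http { ssl_stapling on;  # set once here, inherited by the server below
    server { listen 443 ssl; ssl_verify_client on; ssl_ocsp on; ssl_stapling_verify on;
        ssl_stapling_file /etc/nginx/ssl/ocsp_cache.pem; location / { proxy_pass http://backend; } }
    server { listen 80; } }"""
BAD = """http { server { listen 443 ssl; ssl_verify_client optional; ssl_ocsp on;
    ssl_stapling on; # ssl_stapling_verify on;
} }"""
```

Feed it the real dump with audit(subprocess.run(["nginx", "-T"], capture_output=True, text=True).stdout); the parser is deliberately simple and does not resolve quoted strings or nested http contexts.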

Fix Text

Edit the NGINX configuration file.

Set "ssl_verify_client on", "ssl_ocsp on", "ssl_stapling_verify on", and "ssl_stapling on" as shown in the example below.

Create a local cache for OCSP responses:

touch /etc/nginx/ssl/ocsp_cache.pem
chmod 600 /etc/nginx/ssl/ocsp_cache.pem

Set the "ssl_stapling_file" directive with the file created as shown in the example below.

http {
    server {
        listen 443 ssl;
        server_name example.com;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        ssl_client_certificate /etc/nginx/ssl/ca.crt;

        ssl_verify_client on;

        ssl_crl /etc/nginx/ssl/crl.pem;

        ssl_ocsp on;
        ssl_ocsp_responder http://ocsp.disa.mil;  # NGINX accepts only http:// responder URLs

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_stapling_file /etc/nginx/ssl/ocsp_cache.pem;
        ssl_stapling_responder_timeout 3s;  # Timeout for OCSP responder queries
        ssl_stapling_responder_error_cache_time 300s;  # Cache time for responder errors

        location / {
            proxy_pass http://backend;
        }
    }
}