
V-256738

CAT II (Medium)

Envoy must set a limit on established connections.

Rule ID

SV-256738r889152_rule

STIG

VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000054

Discussion

Envoy client connections must be limited to preserve system resources and continue servicing connections without interruption. Without a limit, the system would be vulnerable to a trivial denial-of-service attack in which connections are created en masse and vCenter resources are entirely consumed. Envoy ships with a hard-coded, tested, and supported value for "maxHttpsConnections" that must be verified and maintained.

Check Content

At the command prompt, run the following command: 
 
# xmllint --xpath '/config/envoy/L4Filter/maxHttpsConnections/text()' /etc/vmware-rhttpproxy/config.xml 
 
Expected result: 
 
2048 
 
or 
 
XPath set is empty 
 
If the output does not match the expected result, this is a finding.
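
The same pass/fail logic as the xmllint check, written as an added example for scripted audits; it is not part of the STIG or of VMware's tooling. The function name `evaluate` and the sample configurations are constructed for illustration, and the example goes slightly beyond the manual check by also treating malformed XML and duplicated elements as findings.

```python
import sys
import xml.etree.ElementTree as ET

REQUIRED = "2048"                                 # expected value from the rule
ELEMENT = "./envoy/L4Filter/maxHttpsConnections"  # relative to the <config> root


def evaluate(config_xml):
    """Return (is_finding, reason) for the content of an rhttpproxy config.xml."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return True, f"config is not well-formed XML: {exc}"
    # The rule's XPath is absolute (/config/...), so any other root matches nothing.
    nodes = root.findall(ELEMENT) if root.tag == "config" else []
    texts = [n.text for n in nodes if n.text is not None]
    if not texts:
        # Equivalent of xmllint's "XPath set is empty": the built-in default applies.
        return False, "maxHttpsConnections not set; hard-coded default in effect"
    value = "".join(texts).strip()  # xmllint prints matched text nodes back to back
    if value == REQUIRED:
        return False, f"maxHttpsConnections explicitly set to {REQUIRED}"
    return True, f"maxHttpsConnections is {value!r}, expected {REQUIRED}"


# Constructed sample configurations (hypothetical, not taken from a real appliance).
SAMPLES = {
    "explicit": "<config><envoy><L4Filter><maxHttpsConnections>2048"
                "</maxHttpsConnections></L4Filter></envoy></config>",
    "absent": "<config><envoy><L4Filter/></envoy></config>",
    "raised": "<config><envoy><L4Filter><maxHttpsConnections>65535"
              "</maxHttpsConnections></L4Filter></envoy></config>",
    "duplicate": "<config><envoy><L4Filter><maxHttpsConnections>2048"
                 "</maxHttpsConnections><maxHttpsConnections>4096"
                 "</maxHttpsConnections></L4Filter></envoy></config>",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file, e.g. /etc/vmware-rhttpproxy/config.xml
        with open(sys.argv[1], "rb") as fh:
            SAMPLES = {sys.argv[1]: fh.read()}
    for name, xml_text in SAMPLES.items():
        finding, reason = evaluate(xml_text)
        print(f"{name}: {'FINDING' if finding else 'not a finding'} ({reason})")
```

Run without arguments it evaluates the constructed samples; pass the path to config.xml to audit an appliance.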

Fix Text

Navigate to and open: 
 
/etc/vmware-rhttpproxy/config.xml 
 
Locate the <config>/<envoy>/<L4Filter> block and configure <maxHttpsConnections> as follows: 
 
<maxHttpsConnections>2048</maxHttpsConnections> 
 
Restart the service for changes to take effect. 
 
# vmon-cli --restart rhttpproxy