
V-278409

CAT II (Medium)

NGINX must separate API maintenance sessions from other network sessions within the system by logically separated communications paths.

Rule ID

SV-278409r1171979_rule

STIG

F5 NGINX Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-004192, CCI-001414

Discussion

Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Communications paths can be logically separated using encryption. Satisfies: SRG-APP-000880, SRG-APP-000039

Check Content

If not using the NGINX API, this is Not Applicable.

Determine path to NGINX config file:

# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.

Check that the nginx.conf file contains the API directive and a separate listen address:

http {
    server {
        listen 192.168.0.1:80;
        location / {
            proxy_pass http://backend;
        }
        location /api {
            api write=on;
        }
    }
}             

If the API is running on the same network as production traffic, this is a finding.

Fix Text

Configure the API directive to use a separate listen address from production traffic:

http {
    server {
        listen 192.168.0.1:80;
        location / {
            proxy_pass http://backend;
        }
    }
    server {
        listen 10.0.0.1:80;
        location /api {
            api write=on;
        }
    }
}             

After saving the updated config, restart NGINX:

nginx -s reload
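The check above can be automated over the output of `nginx -T`. The following is an added example, not part of the STIG text: it reports every listen address that serves both a location containing the `api` directive and a location that does not. It assumes listen values are compared as literal strings (wildcard or port-only listens that overlap a specific address are not detected) and that the configuration has no quoted strings or regex locations containing braces; all function names are hypothetical.

```python
import re
import sys

# Constructed inputs: the two layouts shown in Check Content and Fix Text.
SHARED = """http { server { listen 192.168.0.1:80;
  location / { proxy_pass http://backend; }
  location /api { api write=on; } } }"""
SPLIT = """http {
  server { listen 192.168.0.1:80; location / { proxy_pass http://backend; } }
  server { listen 10.0.0.1:80; location /api { api write=on; } } }"""

def parse(tokens):
    """Build a tree of (words, children); children is None for 'name args;' directives."""
    tree, words = [], []
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tok in (";", "{"):
            tree.append((words, parse(tokens) if tok == "{" else None))
            words = []
        else:
            words.append(tok)
    return tree

def load(conf):
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments, incl. "# configuration file" markers
    return parse(re.findall(r"[{};]|[^\s{};]+", conf))

def server_blocks(tree):
    """Yield the children of every server { } block (upstream 'server x;' lines have no block)."""
    for words, kids in tree:
        if kids is not None:
            if words[:1] == ["server"]:
                yield kids
            else:
                yield from server_blocks(kids)

def has_api(kids):
    return any(w[:1] == ["api"] or (k is not None and has_api(k)) for w, k in kids)

def api_findings(conf):
    """Return listen addresses that serve both an api location and other locations."""
    api_listens, prod_listens = set(), set()
    for server in server_blocks(load(conf)):
        listens = {w[1] for w, k in server if w[:1] == ["listen"] and len(w) > 1}
        for words, kids in server:
            if words[:1] == ["location"] and kids is not None:
                (api_listens if has_api(kids) else prod_listens).update(listens)
    return sorted(api_listens & prod_listens)

if __name__ == "__main__":
    print(api_findings(sys.stdin.read()) or "no shared listen address")
```

Saved to a file (the name `check_api_listen.py` is an assumption), it can be fed the running configuration with `nginx -qT | python3 check_api_listen.py`; any address it prints is a candidate finding to review by hand.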