
V-278400

CAT II (Medium)

NGINX must accept Personal Identity Verification (PIV) credentials.

Rule ID

SV-278400r1172752_rule

STIG

F5 NGINX Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001953, CCI-001954, CCI-002009, CCI-002010

Discussion

Using PIV credentials facilitates standardization and reduces the risk of unauthorized access. DOD has mandated using the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.

Satisfies: SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403

Check Content

Determine path to NGINX config file:

# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.

Check that the server {} block in nginx.conf (or a file it includes) has the server certificate and key set (ssl_certificate, ssl_certificate_key), the trusted client CA bundle present (ssl_client_certificate), and client certificate verification enabled (ssl_verify_client):

server {
 listen 443 ssl;
 server_name example.com;
 ssl_certificate /etc/nginx/ssl/server_cert.pem;
 ssl_certificate_key /etc/nginx/ssl/server_key.pem;
 # Enable client certificate verification
 ssl_client_certificate /etc/nginx/ca_cert.pem;
 ssl_verify_client on;
 # Optional: Set verification depth for client certificates
 ssl_verify_depth 2;
 location / {
  proxy_pass http://backend_service;
  # Restrict access to valid PIV credentials
  if ($ssl_client_verify != SUCCESS) {
   return 403;
  }
 }
}

If the server certificate/key and client CA certificate are not configured, or ssl_verify_client is not enabled, this is a finding.

Fix Text

NGINX's TLS support (the ssl module) depends on OpenSSL, which the standard NGINX packages install by default. If it is not installed, follow the OS documentation.

Include the following lines in the server {} block of nginx.conf:

 ssl_certificate /etc/nginx/ssl/server_cert.pem;
 ssl_certificate_key /etc/nginx/ssl/server_key.pem;
 # Enable client certificate verification
 ssl_client_certificate /etc/nginx/ca_cert.pem;
 ssl_verify_client on;
 # Optional: Set verification depth for client certificates
 ssl_verify_depth 2;
 location / {
  proxy_pass http://backend_service;
  # Restrict access to valid PIV credentials
  if ($ssl_client_verify != SUCCESS) {
   return 403;
  }
 }

Save and exit, then reload NGINX so the new configuration takes effect (a reload starts new worker processes with the new configuration and retires the old ones gracefully):

# nginx -s reload
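The Check Content and Fix Text above list the directives an auditor looks for but leave the inspection to the reader. The following POSIX shell function is an added example, not DISA's check script and not part of the STIG: it audits an NGINX configuration dump for those directives, strips comments first so a commented-out line does not count as configured, and only accepts ssl_verify_client optional when a $ssl_client_verify check is also present. The function name piv_check, the PASS/FAIL wording and the two sample configurations written to temporary files are this example's own constructions.

```shell
#!/bin/sh
# Added example for V-278400 (not DISA's checker): audit an NGINX config dump for the
# mutual-TLS directives the Check Content requires. The function name, the output
# wording and the two sample configs written below are this example's own assumptions.

# piv_check FILE
#   FILE is nginx.conf or, better, the full dump saved from `nginx -T` so that
#   included files are covered. Prints one PASS/FAIL line per requirement and
#   returns 0 only if every requirement is met. Scope is the whole file, not one
#   server block, which matches the STIG check but is coarse for multi-vhost configs.
piv_check() {
    conf="$1"
    rc=0
    # Drop comments first: a commented-out directive must not count as configured.
    stripped=$(sed 's/#.*$//' "$conf")

    for directive in ssl_certificate ssl_certificate_key ssl_client_certificate; do
        # The [[:space:]]+ after the name keeps ssl_certificate from matching ssl_certificate_key.
        if printf '%s\n' "$stripped" | grep -Eq "^[[:space:]]*${directive}[[:space:]]+[^;]+;"; then
            echo "PASS: $directive is set"
        else
            echo "FAIL: $directive is not set"
            rc=1
        fi
    done

    # First ssl_verify_client value in the file (on | optional | optional_no_ca | off).
    verify=$(printf '%s\n' "$stripped" \
        | sed -n 's/^[[:space:]]*ssl_verify_client[[:space:]]\{1,\}\([a-z_]*\)[[:space:]]*;.*/\1/p' \
        | head -n 1)
    case "$verify" in
        on)
            # nginx rejects requests without a valid client certificate before any
            # location block runs, so no $ssl_client_verify test is needed here.
            echo "PASS: ssl_verify_client on" ;;
        optional)
            # optional lets certificate-less clients through the handshake; the
            # $ssl_client_verify test in the location is what enforces PIV then.
            if printf '%s\n' "$stripped" | grep -q '[$]ssl_client_verify[[:space:]]*!=[[:space:]]*SUCCESS'; then
                echo "PASS: ssl_verify_client optional, enforced by a \$ssl_client_verify check"
            else
                echo "FAIL: ssl_verify_client optional without a \$ssl_client_verify check"
                rc=1
            fi ;;
        *)
            echo "FAIL: ssl_verify_client is '${verify:-unset}' (must be on)"
            rc=1 ;;
    esac

    # Informational: nginx defaults ssl_verify_depth to 1; confirm the value covers
    # the issuer chain of the PIV certificates the CA bundle is meant to accept.
    depth=$(printf '%s\n' "$stripped" \
        | sed -n 's/^[[:space:]]*ssl_verify_depth[[:space:]]\{1,\}\([0-9]\{1,\}\)[[:space:]]*;.*/\1/p' \
        | head -n 1)
    echo "INFO: ssl_verify_depth ${depth:-unset, default 1}"
    return $rc
}

# Two constructed sample configurations (not real deployments), written to temp files.
PIV_SAMPLE_OK="${TMPDIR:-/tmp}/piv_ok_$$.conf"
PIV_SAMPLE_BAD="${TMPDIR:-/tmp}/piv_bad_$$.conf"
trap 'rm -f "$PIV_SAMPLE_OK" "$PIV_SAMPLE_BAD"' EXIT

cat > "$PIV_SAMPLE_OK" <<'EOF'
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/server_cert.pem;
    ssl_certificate_key /etc/nginx/ssl/server_key.pem;
    ssl_client_certificate /etc/nginx/ca_cert.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;
    location / { proxy_pass http://backend_service; }
}
EOF

# Non-compliant: the CA bundle line is commented out and verification is only optional.
cat > "$PIV_SAMPLE_BAD" <<'EOF'
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/server_cert.pem;
    ssl_certificate_key /etc/nginx/ssl/server_key.pem;
    # ssl_client_certificate /etc/nginx/ca_cert.pem;
    ssl_verify_client optional;
    location / { proxy_pass http://backend_service; }
}
EOF

echo "== $PIV_SAMPLE_OK =="
piv_check "$PIV_SAMPLE_OK" || echo "finding"
echo "== $PIV_SAMPLE_BAD =="
piv_check "$PIV_SAMPLE_BAD" || echo "finding"
```

On a real host, dump the effective configuration with `nginx -T 2>/dev/null > /tmp/nginx-dump.conf` and run `piv_check /tmp/nginx-dump.conf`, so included files are covered rather than nginx.conf alone. Two caveats the script cannot see: the file named by ssl_client_certificate must contain only the DoD PKI CA certificates that are meant to issue PIV/CAC credentials, otherwise any client certificate from another CA in that bundle will also pass; and the `if ($ssl_client_verify != SUCCESS)` block in the STIG example is only doing work when ssl_verify_client is optional, since with on nginx rejects the request before the location is evaluated. After editing, run `nginx -t` to validate the syntax before `nginx -s reload`.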