Check: NGNX-APP-003060
F5 NGINX STIG: NGNX-APP-003060 (version v1 r1)
Title
NGINX must separate API maintenance sessions from other network sessions within the system by logically separated communications paths. (Cat II impact)
Discussion
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Communications paths can be logically separated using encryption. Satisfies: SRG-APP-000880, SRG-APP-000039
Check Content
If not using the NGINX API, this is Not Applicable.

Determine the path to the NGINX config file:

# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:

Note: The default NGINX configuration file is "/etc/nginx/nginx.conf", though various other files may also be included from it.

Check whether the nginx.conf file places the API directive behind a separate listen address. In the following configuration the API location shares the production listen address:

```nginx
http {
    server {
        listen 192.168.0.1:80;
        location / {
            proxy_pass http://backend;
        }
        location /api {
            api write=on;
        }
    }
}
```

If the API is running on the same network as production traffic, this is a finding.
Fix Text
Configure the API directive in its own server block, using a separate listen address from production traffic:

```nginx
http {
    server {
        listen 192.168.0.1:80;
        location / {
            proxy_pass http://backend;
        }
    }
    server {
        listen 10.0.0.1:80;
        location /api {
            api write=on;
        }
    }
}
```

After saving the updated config, reload NGINX so it picks up the change: nginx -s reload.
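The following script automates the comparison the check describes: it parses server blocks and reports any listen address that serves both an `api` location and ordinary production locations. It is an added example, not part of the STIG or of NGINX; the two embedded configurations are constructed from the check and fix text above, and the minimal parser ignores quoting and `include` files (run it against the output of `nginx -T` to cover included files).

```python
import re

# Constructed samples mirroring the check (finding) and fix (compliant) text.
FINDING_CONF = """
http {
  server {
    listen 192.168.0.1:80;
    location / { proxy_pass http://backend; }
    location /api { api write=on; }
  }
}
"""
FIXED_CONF = """
http {
  server { listen 192.168.0.1:80; location / { proxy_pass http://backend; } }
  server { listen 10.0.0.1:80; location /api { api write=on; } }
}
"""

def parse(text):
    """Minimal nginx config parser: list of (name, args, children) nodes.
    Comments are stripped; quoted strings and include files are not handled."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text))
    stack, cur = [[]], []
    for tok in tokens:
        if tok == "{":                      # open a block directive
            node = (cur[0], cur[1:], [])
            stack[-1].append(node)
            stack.append(node[2])
            cur = []
        elif tok == "}":                    # close the current block
            stack.pop()
        elif tok == ";":                    # simple directive
            stack[-1].append((cur[0], cur[1:], None))
            cur = []
        else:
            cur.append(tok)
    return stack[0]

def server_blocks(nodes):
    """Yield the children of every server { } block, at any nesting depth."""
    for name, _, children in nodes:
        if name == "server":
            yield children
        elif children:
            yield from server_blocks(children)

def audit(text):
    """Return listen addresses shared by API and non-API traffic (empty = compliant)."""
    api_addrs, prod_addrs = set(), set()
    for srv in server_blocks(parse(text)):
        # A server without a listen directive uses nginx's default of *:80.
        listens = {a[0] for n, a, _ in srv if n == "listen"} or {"*:80"}
        locs = [c for n, _, c in srv if n == "location"]
        if any(any(cn == "api" for cn, _, _ in c) for c in locs):
            api_addrs |= listens
        if any(all(cn != "api" for cn, _, _ in c) for c in locs):
            prod_addrs |= listens
    return sorted(api_addrs & prod_addrs)
```

A non-empty result lists the addresses on which API and production sessions are not logically separated, which is the condition the check calls a finding.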
Additional Identifiers
Rule ID: SV-278409r1171979_rule
Vulnerability ID: V-278409
Group Title: SRG-APP-000880
CCIs
| Number | Definition |
|---|---|
| CCI-001414 | Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies. |
| CCI-004192 | Protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths. |