UCF STIG Viewer Logo

The Apache web server must not be a proxy server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-92643 AS24-U1-000260 SV-102731r1_rule Medium
Description
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack, making the attack anonymous.
STIG Date
Apache Server 2.4 UNIX Server Security Technical Implementation Guide 2019-09-30

Details

Check Text ( C-91947r1_chk )
If the server is a proxy server and not a web server, this check is Not Applicable.

In a command line, run "httpd -M | sort" to view a list of installed modules.

If any of the following modules are present, this is a finding:

proxy_module
proxy_ajp_module
proxy_balancer_module
proxy_ftp_module
proxy_http_module
proxy_connect_module
Fix Text (F-98885r1_fix)
Determine where the proxy modules are located by running the following command:

grep -rl "proxy_module" <'INSTALL PATH'>

Edit the file and comment out the following modules:

proxy_module
proxy_ajp_module
proxy_balancer_module
proxy_ftp_module
proxy_http_module
proxy_connect_module

Restart Apache: apachectl restart