UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Apache web server must not be a proxy server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-92643 AS24-U1-000260 SV-102731r2_rule Medium
Description
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack, making the attack anonymous.
STIG Date
Apache Server 2.4 UNIX Server Security Technical Implementation Guide 2020-06-17

Details

Check Text ( C-91947r2_chk )
If the server is a proxy server and not a web server, this check is Not Applicable.

In a command line, run "httpd -M | sort" to view a list of installed modules.

If any of the following modules are present, this is a finding:

proxy_module
proxy_ajp_module
proxy_balancer_module
proxy_ftp_module
proxy_http_module
proxy_connect_module
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:
# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Search for the directive "ProxyRequest" in the "httpd.conf" file.
If the ProxyRequest directive is set to “On”, this is a finding.
Fix Text (F-98885r2_fix)
Determine where the proxy modules are located by running the following command:

grep -rl "proxy_module" <'INSTALL PATH'>

Edit the file and comment out the following modules:

proxy_module
proxy_ajp_module
proxy_balancer_module
proxy_ftp_module
proxy_http_module
proxy_connect_module
Comment out the ProxyRequext directive in the httpd.conf file.

Restart Apache: apachectl restart