The Apache web server must not be a proxy server.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
V-214241 | AS24-U1-000260 | SV-214241r1051280_rule | | Medium |
Description |
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multiuse servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack, making the attack anonymous. |
STIG | Date |
Apache Server 2.4 UNIX Server Security Technical Implementation Guide | 2024-12-04 |
Details
Check Text (C-15455r1051278_chk) |
If the server has been approved to be a proxy server, this requirement is Not Applicable.

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# apachectl -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Note: The apachectl front end is the preferred method for locating the Apache httpd file. For some Linux distributions, "apache2ctl -V" or "httpd -V" can also be used.

Search for the directive "ProxyRequests" in the "httpd.conf" file.

If the ProxyRequests directive is set to "On", this is a finding. |
Fix Text (F-15453r1051279_fix) |
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# apachectl -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Edit the file and comment out the ProxyRequests directive in the httpd.conf file.

Restart Apache: apachectl restart |
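
The check described above can be scripted; the following is an added example, not part of the STIG text. It reports only uncommented ProxyRequests directives set to "On", matching case-insensitively as Apache does. The function names, the exit-status convention, and the acceptance of more than one configuration file are assumptions of this example (the STIG names only httpd.conf), and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not STIG text): report active "ProxyRequests On" directives.

# Print "file:line: text" for each uncommented ProxyRequests directive set to On.
# Apache matches directive names and the On/Off argument case-insensitively.
proxy_requests_on() {
    [ $# -gt 0 ] || return 2
    for conf in "$@"; do
        [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    done
    awk '
        $1 ~ /^#/ { next }                      # commented out, so inactive
        tolower($1) == "proxyrequests" {
            v = tolower($2); gsub(/"/, "", v)   # tolerate a quoted argument
            if (v == "on") printf "%s:%d: %s\n", FILENAME, FNR, $0
        }' "$@"
}

# Exit status: 0 = not a finding, 1 = finding, 2 = a file could not be read.
check_proxy_requests() {
    hits=$(proxy_requests_on "$@") || return 2
    if [ -n "$hits" ]; then
        printf 'FINDING: ProxyRequests is On\n%s\n' "$hits"
        return 1
    fi
    echo "Not a finding: no active ProxyRequests On"
}

# Constructed sample configuration, for demonstration only.
write_sample_conf() {
    cat > "$1" <<'EOF'
ServerRoot "/etc/httpd"
# ProxyRequests On
<VirtualHost *:80>
    proxyrequests on
</VirtualHost>
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
check_proxy_requests "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On a real system, pass the path formed from the HTTPD_ROOT and SERVER_CONFIG_FILE values reported by apachectl -V.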