OHS must have the LoadModule proxy_module directive disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221397	OH12-1X-000150	SV-221397r539631_rule		Medium

Description
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.

STIG	Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide	2021-12-29

Details

Check Text ( C-23112r539630_chk )
If the AO-approved system security plan for the web server configuration specifies using proxy_module directive in order to meet application architecture requirements, this requirement is NA. 1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor. 2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope. 3. If the directive exists and is not commented out, this is a finding.

Check Text ( C-23112r539630_chk )

If the AO-approved system security plan for the web server configuration specifies using proxy_module directive in order to meet application architecture requirements, this requirement is NA.

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor.

2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope.

3. If the directive exists and is not commented out, this is a finding.

Fix Text (F-23101r457160_fix)
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf with an editor. 2. Search for the "LoadModule proxy_module" directive at the OHS server configuration scope. 3. Comment out the "LoadModule proxy_module" directive if it exists.