HAProxy vcac frontend must be bound to ports 80 and 443.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-89201 | VRAU-HA-000400 | SV-99851r1_rule | Medium |
| Description |
|---|
| Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. The HAProxy load balancer in the vRA appliance listens to ports 80 and 443 on behalf of the vcac service. |
| STIG | Date |
|---|---|
| VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide | 2018-10-12 |
Details
| Check Text ( C-88893r1_chk ) |
|---|
| At the command prompt, execute the following command: grep 'bind' /etc/haproxy/conf.d/20-vcac.cfg If two lines are not returned, this is a finding. If the values for bind are not set to "80" and to "443", this is a finding. |
| Fix Text (F-95943r1_fix) |
|---|
| Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg Navigate to and configure the "frontend https-in" section with the following two values: bind 0.0.0.0:80 bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3 |