STIGQter: STIG Summary: Apache Server 2.4 UNIX Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

The Apache web server must not be a proxy server.

DISA Rule

SV-214241r612240_rule

Vulnerability Number

V-214241

Group Title

SRG-APP-000141-WSR-000076

Rule Version

AS24-U1-000260

Severity

CAT II

CCI(s)

CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

Fix Recommendation

Determine where the proxy modules are located by running the following command:

grep -rl "proxy_module" <'INSTALL PATH'>

Edit the file and comment out the following modules:

proxy_module
proxy_ajp_module
proxy_balancer_module
proxy_ftp_module
proxy_http_module
proxy_connect_module
Comment out the ProxyRequext directive in the httpd.conf file.

Restart Apache: apachectl restart

Check Contents

If the server is a proxy server and not a web server, this check is Not Applicable.

In a command line, run "httpd -M | sort" to view a list of installed modules.

If any of the following modules are present, this is a finding:

proxy_module
proxy_ajp_module
proxy_balancer_module
proxy_ftp_module
proxy_http_module
proxy_connect_module
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:
# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Search for the directive "ProxyRequest" in the "httpd.conf" file.
If the ProxyRequest directive is set to “On”, this is a finding.

The Apache web server must not be a proxy server.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments