STIGQter: STIG Summary: VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018

HAProxy must restrict inbound connections from nonsecure zones.

DISA Rule

SV-99837r1_rule

Vulnerability Number

V-89187

Group Title

SRG-APP-000315-WSR-000004

Rule Version

VRAU-HA-000340

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg

Navigate to and configure the "frontend https-in" section with the following three values:

bind 0.0.0.0:80
bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3
redirect scheme https if !{ ssl_fc }

Note: Ensure the redirection statement appears before all 'acl' statements.

Check Contents

Navigate to and open /etc/haproxy/conf.d/20-vcac.cfg

Navigate to the "frontend https-in" section.

Review the "frontend https-in" section.

Verify that the port 443 binding has the "ssl" keyword.

Verify that port 80 is bound.

Verify that non-ssl traffic is redirected to port 443.

Note: Ports are bound with this statement: 'bind 0.0.0.0:<port>', where <port> is the bound port.

Note: Non-ssl traffic is redirected with this statement: 'redirect scheme https if !{ ssl_fc }'

Note: Ensure the redirection statement appears before all 'acl' statements.

If the port 443 binding is missing the "ssl" keyword, OR port 80 is NOT bound, OR non-ssl traffic is NOT being redirected to port 443, this is a finding.
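The check above can be automated against the file it names. The following script is an added example written for this page; it is not part of the STIG, of STIGQter, or of the vRealize Automation appliance. It splits an HAProxy configuration into sections, locates "frontend https-in", and reports a finding for each condition in the Check Contents: a port 443 bind without the "ssl" keyword, no port 80 bind, no "redirect scheme https if !{ ssl_fc }" statement, and a redirect that appears after an "acl" statement (the ordering the Note requires). The two sample configurations embedded below are constructed for demonstration; the default path /etc/haproxy/conf.d/20-vcac.cfg is the one given in the check.

```python
"""Audit an HAProxy frontend for the VRAU-HA-000340 check conditions.

Added example, not code from the STIG or from VMware. Sample configs are
constructed; on a real appliance pass /etc/haproxy/conf.d/20-vcac.cfg.
"""
import re
import sys
from typing import Dict, List, Optional

# Keywords that open a new top-level HAProxy section.
SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend",
                    "listen", "peers", "resolvers")


def parse_sections(config_text: str) -> Dict[str, List[str]]:
    """Map each section header (e.g. 'frontend https-in') to its directives.

    Comments and blank lines are dropped; directive order is preserved so the
    'redirect before acl' rule can be checked.
    """
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and indentation
        if not line:
            continue
        if line.split()[0] in SECTION_KEYWORDS:
            current = " ".join(line.split())  # normalise header whitespace
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def bind_port(directive: str) -> Optional[str]:
    """Return the port of a 'bind <addr>:<port> ...' directive, else None."""
    words = directive.split()
    if len(words) < 2 or words[0] != "bind":
        return None
    match = re.search(r":(\d+)$", words[1])  # handles 0.0.0.0:443, *:80, [::]:443
    return match.group(1) if match else None


def audit_frontend(config_text: str,
                   frontend: str = "frontend https-in") -> List[str]:
    """Return the list of findings for the frontend; an empty list is compliant."""
    sections = parse_sections(config_text)
    if frontend not in sections:
        return [f'section "{frontend}" not found']
    lines = sections[frontend]
    findings: List[str] = []

    has_80 = False
    has_443_ssl = False
    for line in lines:
        port = bind_port(line)
        if port == "80":
            has_80 = True
        elif port == "443" and "ssl" in line.split()[2:]:
            has_443_ssl = True
    if not has_443_ssl:
        findings.append('port 443 binding is missing the "ssl" keyword')
    if not has_80:
        findings.append("port 80 is not bound")

    # The redirect must exist and must precede the first 'acl' statement.
    redirect_re = re.compile(r"^redirect\s+scheme\s+https\s+if\s+!\{\s*ssl_fc\s*\}")
    redirect_idx = next((i for i, l in enumerate(lines) if redirect_re.match(l)), None)
    first_acl_idx = next((i for i, l in enumerate(lines) if l.startswith("acl ")), None)
    if redirect_idx is None:
        findings.append("non-ssl traffic is not redirected to https")
    elif first_acl_idx is not None and first_acl_idx < redirect_idx:
        findings.append('redirect statement appears after an "acl" statement')
    return findings


# Constructed sample: matches the three values in the Fix Recommendation.
COMPLIANT_CFG = """
global
    log /dev/log local0

frontend https-in
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers FIPS:+3DES:!aNULL no-sslv3
    redirect scheme https if !{ ssl_fc }
    acl is_api path_beg /api
    default_backend vra-appliances

backend vra-appliances
    server node1 10.0.0.11:443 check
"""

# Constructed sample: no ssl keyword, no port 80, redirect placed after an acl.
NONCOMPLIANT_CFG = """
frontend https-in
    bind 0.0.0.0:443 crt /etc/apache2/server.pem
    acl is_api path_beg /api
    redirect scheme https if !{ ssl_fc }
    default_backend vra-appliances
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/haproxy/conf.d/20-vcac.cfg"
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        text = NONCOMPLIANT_CFG  # fall back to the constructed sample
    result = audit_frontend(text)
    print("Compliant" if not result else "Findings:\n  " + "\n  ".join(result))
```

Run it with the configuration path as the only argument; the exit text lists one finding per failed condition, which maps directly onto the "this is a finding" clause of the check.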

Vulnerability Number

V-89187

Documentable

False

Rule Version

VRAU-HA-000340

Severity Override Guidance


Check Content Reference

M

Target Key

3455

Comments