NGINX must separate API maintenance sessions from other network sessions within the system by logically separated communications paths.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-278409 | SRG-APP-000880 | NGNX-APP-003060 | SV-278409r1171979_rule | 2026-01-07 | 1 |
Description
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network.
Communications paths can be logically separated using encryption.
Satisfies: SRG-APP-000880, SRG-APP-000039
ℹ️ Check
If not using the NGINX API, this is Not Applicable.
Determine path to NGINX config file:
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
Check that the nginx.conf file contains the API directive and a separate listen address:
http {
server {
listen 192.168.0.1:80;
location / {
proxy_pass http://backend;
}
location /api {
api write=on;
}
}
}
If the API is running on the same network as production traffic, this is a finding.
✔️ Fix
Configure the API directive to use a separate listen address from production traffic:
http {
server {
listen 192.168.0.1:80;
location / {
proxy_pass http://backend;
}
}
server {
listen 10.0.0.1:80;
location /api {
api write=on;
}
}
}
After saving the updated config, restart NGINX:
nginx -s reload.