NGINX must separate API maintenance sessions from other network sessions within the system by logically separated communications paths.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-278409 | NGNX-APP-003060 | SV-278409r1171979_rule | CCI-004192 | medium |

Description

Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Communications paths can be logically separated using encryption.

Satisfies: SRG-APP-000880, SRG-APP-000039

| STIG | Date |
|---|---|
| F5 NGINX Security Technical Implementation Guide | 2026-01-07 |
Details
Check Text (C-278409r1171979_chk)
If not using the NGINX API, this is Not Applicable.
Determine path to NGINX config file:
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
Check that the nginx.conf file contains the API directive and a separate listen address:
http {
    server {
        listen 192.168.0.1:80;
        location / {
            proxy_pass http://backend;
        }
        location /api {
            api write=on;
        }
    }
}
If the API is running on the same network as production traffic, this is a finding.
Fix Text (F-82848r1171978_fix)
Configure the API directive to use a separate listen address from production traffic:
http {
    server {
        listen 192.168.0.1:80;
        location / {
            proxy_pass http://backend;
        }
    }
    server {
        listen 10.0.0.1:80;
        location /api {
            api write=on;
        }
    }
}
After saving the updated config, reload NGINX:
# nginx -s reload
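An added check, written for this page and not part of the STIG or of NGINX, that applies the Check Text above to the output of `nginx -qT` (or to nginx.conf itself): it walks the server blocks and reports a finding when an `api` location shares a server block with production locations, or when its listen address can receive the same traffic as a production server's listen (including wildcard listens such as `listen 80;`). The record fields and the status strings are my own choices.

```python
import re

def _shares_path(a, b):
    """Two listen arguments can receive the same traffic: same port, equal or wildcard host."""
    (ha, pa), (hb, pb) = (x.rpartition(":")[::2] if ":" in x else ("*", x) for x in (a, b))
    return pa == pb and (ha == hb or "*" in (ha, hb))

def parse_servers(conf_text):
    """Walk the brace structure of nginx.conf / nginx -T output; one record per server block:
    {'listen': [addr, ...], 'api': bool (has an api location), 'prod': bool (has other locations)}."""
    servers, stack, cur, stmt = [], [], None, ""
    # Comments are dropped first, which also removes the "# configuration file ..." markers of nginx -T.
    for tok in re.findall(r"[{};]|[^{};]+", re.sub(r"#.*", "", conf_text)):
        if tok == "{":
            name = (stmt.split() or [""])[0]
            stack.append(name)
            if name == "server":
                cur = {"listen": [], "api": False, "prod": False}
                servers.append(cur)
        elif tok == "}":
            name = stack.pop()
            if name == "location" and cur is not None:  # classify the location just closed
                cur["api" if cur.pop("_loc_api", False) else "prod"] = True
            elif name == "server":
                cur = None
        elif tok == ";":
            parts = stmt.split()
            if parts and cur is not None and parts[0] == "listen" and stack[-1] == "server":
                cur["listen"].append(parts[1])
            elif parts and cur is not None and parts[0] == "api" and stack[-1] == "location":
                cur["_loc_api"] = True  # scratch flag, consumed when the location closes
        else:
            stmt += tok
            continue
        stmt = ""
    return servers

def audit(conf_text):
    """Return (status, findings): 'Not Applicable' (no api directive), 'Compliant', or 'Finding'."""
    servers = parse_servers(conf_text)
    api_servers = [s for s in servers if s["api"]]
    if not api_servers:
        return "Not Applicable", []
    findings = []
    for s in api_servers:
        if s["prod"]:  # the STIG's failing example: /api beside production locations in one server
            findings.append(f"server {s['listen']} serves api beside production locations")
        findings += [f"api listen {a} shares a path with production listen {b}"
                     for a in s["listen"] for o in servers if not o["api"]
                     for b in o["listen"] if _shares_path(a, b)]
    return ("Finding" if findings else "Compliant"), findings
```

Run it as `audit(subprocess.run(["nginx", "-qT"], capture_output=True, text=True).stdout)` on the host being checked; the listen comparison is string-based and does not resolve hostnames or IPv6 address equivalences.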