The Apache web server must not be a proxy server.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-214320 | AS24-W1-000260 | SV-214320r1051286_rule | Medium |
| Description |
| A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multiuse servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack, making the attack anonymous. |
| STIG | Date |
| Apache Server 2.4 Windows Server Security Technical Implementation Guide | 2025-02-12 |
Details
| Check Text (C-15532r1051284_chk) |
| If the server has been approved to be a proxy server, this requirement is Not Applicable. Open the <'INSTALL PATH'>\conf\httpd.conf file with an editor and search for the following directive: ProxyRequests If the ProxyRequests directive is set to "On", this is a finding. |
| Fix Text (F-15530r1051285_fix) |
| Open the <'INSTALL PATH'>\conf\httpd.conf file with an editor and search for the following directive: ProxyRequests Set the directive to a value of "off". Restart the Apache service. |