4.1.10 Ensure the upstream traffic server certificate is trusted

Information

The NGINX server should be configured to validate the identity of the upstream server it is sending information to.

Rationale:

Configuring NGINX to validate the identity of the upstream server helps mitigate the risk of a man in the middle attack occurring against your server.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Obtain the full certificate chain of the upstream server in .pem format. Then reference that file in the location block as part of the proxy_ssl_trusted_certificate directive. Implement the proxy_ssl_trusted_certificate and proxy_ssl_verify directives as shown below as part of the location block you are using to send traffic to your upstream server.

proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;
proxy_ssl_verify on;

Default Value:

This is not set up by default.

See Also

https://workbench.cisecurity.org/files/4212