2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0

Information

Persistent connections are leveraged by all modern browsers to facilitate greater web performance. The keep-alive timeout limits the time a persistent connection may remain open. Setting the keep-alive timeout allows this timeout to be controlled on the server side.

Rationale:

Setting a keep-alive timeout on the server side helps mitigate denial of service attacks that establish too many persistent connections, exhausting server resources.

Solution

Find the http or server block of your nginx configuration and add the keepalive_timeout directive. Set it to 10 seconds or less, but not 0. This example directive sets it to 10 seconds:

keepalive_timeout 10;
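As an added audit helper (not part of the benchmark or of nginx), the check below scans nginx configuration text for every keepalive_timeout directive, converts the nginx time value to seconds, and reports whether each one satisfies this control (set, greater than 0, and at most 10 seconds). The two configuration snippets and the function names are constructed for this example.

```python
import re

# Constructed sample configurations (not from the benchmark page) for the check below.
COMPLIANT_CONF = """
http {
    keepalive_timeout 10;   # within the 10 second limit
    server { listen 80; }
}
"""
NONCOMPLIANT_CONF = """
http {
    keepalive_timeout 65s;
    server {
        listen 80;
        keepalive_timeout 0;  # 0 disables keep-alive entirely
    }
}
"""

# nginx time suffixes; a bare number means seconds.
_UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def nginx_time_to_seconds(value):
    """Convert an nginx time value such as '10', '10s', '1m' or '500ms' to seconds."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h|d|w)?", value)
    if not m:
        raise ValueError(f"unrecognised nginx time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def find_keepalive_timeouts(config_text):
    """Return the first argument of every keepalive_timeout directive, ignoring '#' comments."""
    found = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comment
        for m in re.finditer(r"\bkeepalive_timeout\s+([^;\s]+)[^;]*;", line):
            found.append(m.group(1))
    return found

def check_keepalive_timeout(config_text, max_seconds=10):
    """Audit every keepalive_timeout against the control: set, > 0 and <= max_seconds.
    Returns (compliant, findings); an unset directive fails because the default then applies."""
    values = find_keepalive_timeouts(config_text)
    if not values:
        return False, ["keepalive_timeout not set"]
    findings, compliant = [], True
    for v in values:
        secs = nginx_time_to_seconds(v)
        if secs == 0:
            compliant, msg = False, "0 disables keep-alive"
        elif secs > max_seconds:
            compliant, msg = False, f"exceeds {max_seconds}s"
        else:
            msg = "OK"
        findings.append(f"keepalive_timeout {v}: {msg}")
    return compliant, findings
```

Every occurrence is checked, so a server block that overrides a compliant http-level value with a larger one is still reported.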

Default Value:

By default, this timeout is dictated by the user agent and varies. It is not set on the server side by default.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-3, CSCv7|18.1

Plugin: Unix

Control ID: 6570b7b1bdd85585d5d62fee9975ec2cf73cdbc68eb0ba64ae6d2d828a69a263