V-278400
SV-278400r1172752_rule
CAT II
NGINX must accept Personal Identity Verification (PIV) credentials.
From: F5 NGINX Security Technical Implementation Guide (V1R1)
Description
Using PIV credentials facilitates standardization and reduces the risk of unauthorized access.
DOD has mandated using the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.
Satisfies: SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403
Documentable: false
Check Procedure
Determine path to NGINX config file:
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
Check that the nginx.conf file has the SSL certificate and key installed (ssl_certificate, ssl_certificate_key), the client CA certificate present (ssl_client_certificate), and client verification enabled (ssl_verify_client on).
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/server_cert.pem;
    ssl_certificate_key /etc/nginx/ssl/server_key.pem;
    # Enable client certificate verification
    ssl_client_certificate /etc/nginx/ca_cert.pem;
    ssl_verify_client on;
    # Optional: Set verification depth for client certificates
    ssl_verify_depth 2;
    location / {
        proxy_pass http://backend_service;
        # Restrict access to valid PIV credentials
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
    }
}
If the certificates are not configured and ssl_verify_client is not enabled, this is a finding.
Fix Text
NGINX installs OpenSSL by default. If not installed, follow the OS documentation.
Include the following lines in the server {} block of nginx.conf:
ssl_certificate /etc/nginx/ssl/server_cert.pem;
ssl_certificate_key /etc/nginx/ssl/server_key.pem;
# Enable client certificate verification
ssl_client_certificate /etc/nginx/ca_cert.pem;
ssl_verify_client on;
# Optional: Set verification depth for client certificates
ssl_verify_depth 2;
location / {
    proxy_pass http://backend_service;
    # Restrict access to valid PIV credentials
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
}
Save and exit. Restart NGINX after modifying the configuration:
# nginx -s reload
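The Check Procedure above is a manual inspection of nginx.conf. The following script is an added example (not part of the STIG and not NGINX's own tooling) that automates that check against the output of `nginx -T`, which expands every included file into one stream. It parses the configuration into blocks, honours inheritance of ssl_* directives from the http {} context, and reports a finding for every server {} block that listens with `ssl` but lacks the certificate/key, the client CA certificate, or `ssl_verify_client on` (the value `optional` is reported as a finding, since it does not enforce PIV presentation). The two embedded configurations are constructed samples; the hostnames and paths in them are placeholders, not values from the STIG.

```python
"""Audit an NGINX configuration dump for PIV/CAC client-certificate enforcement.

Added example for this STIG rule; not part of the STIG or of NGINX.
Input is the output of `nginx -T` (or any nginx.conf text).
"""
import re
import subprocess

# Directives the Check Procedure requires for every TLS-enabled server {} block.
REQUIRED = ("ssl_certificate", "ssl_certificate_key", "ssl_client_certificate")


def strip_comments(text):
    """Drop '#' comments (nginx -T emits '# configuration file ...' markers as comments)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse(text):
    """Parse nginx config text into a tree of (name, args, children) tuples.

    children is None for a simple directive and a list for a block directive.
    """
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+', strip_comments(text))
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";", "}"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
            if pos >= len(tokens):
                raise ValueError("unexpected end of configuration")
            if tokens[pos] == "{":
                pos += 1
                children = block()
                if pos >= len(tokens):
                    raise ValueError("unclosed block")
                pos += 1  # consume the closing "}"
            elif tokens[pos] == ";":
                pos += 1
                children = None
            else:
                raise ValueError("directive without terminating ';'")
            if words:
                items.append((words[0], words[1:], children))
        return items

    tree = block()
    if pos != len(tokens):
        raise ValueError("unmatched '}'")
    return tree


def audit(tree, inherited=None):
    """Return a list of finding strings; an empty list means compliant."""
    inherited = inherited or {}
    findings = []
    for name, args, children in tree:
        if children is None:
            continue
        local = {n: a for n, a, c in children if c is None}
        scope = {**inherited, **local}  # ssl_* directives inherit from http {}
        listens = [a for n, a, c in children if n == "listen" and c is None]
        if name == "server" and any("ssl" in a for a in listens):
            label = "server " + " ".join(local.get("server_name", ["(unnamed)"]))
            for directive in REQUIRED:
                if directive not in scope:
                    findings.append(f"{label}: missing {directive}")
            verify = scope.get("ssl_verify_client", ["off"])[0]
            if verify != "on":
                findings.append(f"{label}: ssl_verify_client is {verify!r}, must be on")
        findings.extend(audit(children, scope))
    return findings


def audit_running_config():
    """Audit the live configuration by dumping it with `nginx -T`."""
    dump = subprocess.run(["nginx", "-T"], capture_output=True, text=True, check=True)
    return audit(parse(dump.stdout))


# Constructed sample: mirrors the STIG's compliant server {} block.
COMPLIANT = """
http {
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate /etc/nginx/ssl/server_cert.pem;
        ssl_certificate_key /etc/nginx/ssl/server_key.pem;
        ssl_client_certificate /etc/nginx/ca_cert.pem;   # DoD CA bundle
        ssl_verify_client on;
        ssl_verify_depth 2;
        location / {
            proxy_pass http://backend_service;
            if ($ssl_client_verify != SUCCESS) { return 403; }
        }
    }
}
"""

# Constructed sample: certificate inherited from http {}, but no client CA and only optional verification.
NONCOMPLIANT = """
http {
    ssl_certificate /etc/nginx/ssl/server_cert.pem;
    ssl_certificate_key /etc/nginx/ssl/server_key.pem;
    server {
        listen 443 ssl;
        server_name legacy.example.com;
        ssl_verify_client optional;
        location / { proxy_pass http://backend_service; }
    }
    server { listen 80; server_name plain.example.com; }
}
"""

if __name__ == "__main__":
    for label, sample in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, audit(parse(sample)) or "no findings")
```

Run `audit_running_config()` on the host being checked; any non-empty result corresponds to "this is a finding" in the Check Procedure. The parser is deliberately minimal (no handling of `#` inside quoted strings or of `include` directives, which `nginx -T` has already expanded), so feed it the `-T` dump rather than a bare nginx.conf.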
CCI Reference
CCI-001953, CCI-001954, CCI-002009, CCI-002010
Created: 2026-04-07 20:08:15
Last Updated: 2026-04-07 20:08:15