nginx reverse proxy securitymetrics warning

James asked:

Hi, we get this warning from a SecurityMetrics PCI compliance scan. Is there any way to fix this issue?

TCP 80 http

Description: HTTP Reverse Proxy Detection

Synopsis: A transparent or reverse HTTP proxy is running on this port.

Impact: This web server is reachable through a reverse HTTP proxy.

Data Received: There might be a caching proxy on the way to this web server: HIT from Backend

Resolution: n/a

Risk Factor: Medium / CVSS2 Base Score: 5.8

(AV:N/AC:M/Au:N/C:P/I:P/A:N) CVE: CVE-2004-2320 Additional CVEs: CVE-2007-3008 CVE-2005-3498 CVE-2005-3398

My answer:

This warning is silly, and borders on absurd. You can quote me on that. The CVEs given have absolutely no relevance to the situation the warning describes, and what it indicates most to me is the strong possibility that the vendor is incompetent. You can quote me on that, too.

Anyway, the “problem” is that your nginx configuration explicitly adds an apparently unnecessary header which gives a tiny (and almost worthless, unless you’re debugging the server) amount of information about your reverse proxy, fastcgi, or caching configuration. If you search your nginx configs, you will eventually find it:

      add_header X-Cache "HIT from Backend";

Removing that should fix the “problem.”

It’s also a good idea to not copy your server configuration blindly off the Internet without knowing exactly what it does; this particular bit has been very widely copied with absolutely no explanation of its purpose that I could find.

You could also tell the vendor that they need to fix this test, since it’s generating false positives.

View the full question and answer on Server Fault.
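As an added check (example code written for this page, not part of the Server Fault answer), the script below locates `add_header` directives like the one quoted in the answer inside nginx configuration text, strips them, and confirms that a captured response no longer carries the header the scanner keyed on. The header names it flags beyond X-Cache, and the sample configuration and response, are assumptions chosen for illustration.

```python
"""Added example, not from the Server Fault post: find and remove nginx
add_header directives that advertise a caching/reverse-proxy layer
(e.g. `X-Cache: HIT from Backend`), and check a response for them."""
import re
from typing import Dict, List, Tuple

# Response header names that commonly reveal a cache/proxy in front of the
# origin. Assumption: an illustrative list, not a standard; X-Cache is the one
# the scanner in the question reported on.
LEAKY_HEADERS = {"x-cache", "x-cache-lookup", "x-cached", "via",
                 "x-served-by", "x-proxy-cache"}

# Matches `add_header NAME VALUE [always];` with a quoted or bare value.
ADD_HEADER_RE = re.compile(
    r'^\s*add_header\s+([A-Za-z0-9_-]+)\s+("[^"]*"|\'[^\']*\'|[^;\s]+)',
    re.IGNORECASE)


def find_leaky_add_headers(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, header_name, value) for every add_header directive
    whose header name is in LEAKY_HEADERS. Comment lines are skipped."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = ADD_HEADER_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip("'\"")
        if name.lower() in LEAKY_HEADERS:
            hits.append((lineno, name, value))
    return hits


def strip_leaky_add_headers(config_text: str) -> str:
    """Return the configuration with the offending add_header lines removed,
    leaving every other directive (including other add_header lines) intact."""
    bad = {ln for ln, _, _ in find_leaky_add_headers(config_text)}
    kept = [l for i, l in enumerate(config_text.splitlines(), start=1)
            if i not in bad]
    return "\n".join(kept) + "\n"


def response_reveals_proxy(headers: Dict[str, str]) -> List[str]:
    """Given the response headers from a test request (as a dict), return the
    names that still reveal a cache/proxy layer. An empty list means the
    scanner's 'HIT from Backend' style finding has nothing left to match."""
    return [k for k in headers if k.lower() in LEAKY_HEADERS]


# Constructed sample config: the widely copied X-Cache line plus a second
# revealing header, alongside a harmless add_header that must survive.
SAMPLE_CONF = """\
server {
    listen 80;
    # copied from somewhere on the Internet
    add_header X-Cache "HIT from Backend";
    add_header X-Frame-Options SAMEORIGIN;
    location / {
        proxy_pass http://127.0.0.1:8080;
        add_header Via "1.1 nginx";
    }
}
"""

# Constructed response headers as a scanner would see them before the fix.
SAMPLE_RESPONSE = {"Server": "nginx", "X-Cache": "HIT from Backend",
                   "Content-Type": "text/html"}

if __name__ == "__main__":
    for lineno, name, value in find_leaky_add_headers(SAMPLE_CONF):
        print(f"line {lineno}: add_header {name} {value!r}")
    print("revealing headers in response:", response_reveals_proxy(SAMPLE_RESPONSE))
```

Run it over every file nginx loads, not just nginx.conf: the answer says to search your configs, and `include` directives mean the line can sit in a site or snippet file. After removing the directive and reloading nginx, repeat the request the scanner made against port 80 and feed the headers to `response_reveals_proxy`; the finding is keyed on the header value, so it clears as soon as the header is gone.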

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.