Envoy must drop connections to disconnected clients.

An XCCDF Rule

Description

<VulnDiscussion>Envoy client connections that are established but no longer connected can consume resources that might otherwise be required by active connections. It is a best practice to terminate connections that are no longer connected to an active client. Envoy is hard coded to drop connections after three minutes of idle time. The absence of any "tcpKeepAliveTimeSec" settings means this default is in effect. This configuration must be verified and maintained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256737r889149_rule
Severity: Medium
References: CCI-000054
Updated: 8 months ago

Navigate to and open: 
 
/etc/vmware-rhttpproxy/config.xml 
 
Locate the <config>/<envoy>/<L4Filter> block and configure <tcpKeepAliveTimeSec> as follows: 
 <tcpKeepAliveTimeSec>180</tcpKeepAliveTimeSec> 
 
Restart the service for changes to take effect. 
 
# vmon-cli --restart rhttpproxy

Envoy must drop connections to disconnected clients.

Description

Remediation - Manual Procedure