I found this statement in the PCI requirements:
“2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.”
4D’s web server exists on the same machine as the database server.
Our configuration has nginx in front of 4D’s web server doing SSL termination, and preventing many invalid requests from coming into 4D Server.
I may be able to demonstrate that the combination of nginx and 4D’s web server functionality prevents access to resources outside the default web folder, which in this case contains only static content.
Please chime in if you are familiar with this requirement.
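To make the set-up described above concrete, here is an added nginx configuration (not from the original post, and not 4D’s own documentation) of the kind that would support that demonstration: nginx terminates TLS, accepts only GET/HEAD requests for a small allow-list of static paths, forwards only those to 4D’s built-in web server, and answers everything else itself so it never reaches 4D Server. The hostname, certificate paths, the 4D web server port (127.0.0.1:8080) and the directory names under the default web folder are assumptions.

```nginx
# Added example: nginx as a TLS-terminating, allow-listing reverse proxy in front
# of 4D's web server. Hostname, certificate paths, backend port and the static
# directory names are assumed for illustration.

server {
    listen 80;
    server_name app.example.com;            # assumed hostname
    return 301 https://$host$request_uri;   # no plaintext HTTP to the backend
}

server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Static content needs no request body; reject oversized or slow requests early.
    client_max_body_size  1k;
    client_header_timeout 10s;
    client_body_timeout   10s;

    # Only single-segment file names under the assumed static directories are
    # forwarded. nginx normalises the URI before matching, so "../" cannot be
    # used to escape these prefixes, and the regex allows no further "/".
    location ~ ^/(css|js|img|fonts)/[A-Za-z0-9_.-]+$ {
        limit_except GET HEAD { deny all; }     # read-only access to static files
        proxy_pass         http://127.0.0.1:8080;   # assumed 4D web server port
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_hide_header  Server;              # do not advertise the backend
    }

    # The site root (default document) is the only other path forwarded.
    location = / {
        limit_except GET HEAD { deny all; }
        proxy_pass         http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_hide_header  Server;
    }

    # Everything else, including any dynamic-request URL space the 4D web
    # server might expose, is answered by nginx and never reaches 4D Server.
    location / {
        return 404;
    }
}
```

After `nginx -t` passes, the claim in the post can be checked from the outside with a few requests: a file under `/css/` should return the static content, while a `POST` to the same path, a request for `/css/../anything`, or any path outside the allow-list should be refused by nginx (405 or 404) without an entry appearing in the 4D web server’s own request log. Anchoring the regex with `$` and excluding `/` from the file-name class is what keeps the forwarded set to files directly inside the default web folder’s subdirectories.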