Disabling port 80

Hi there,

We’re going through SOC 2 certification. We still use Rack v2.

Convox documentation says:

The Convox router listens on ports 80 and 443 and handles SSL termination for you. You will need to define the port on which your application is listening.

and I can confirm this by looking at the relevant ALB and in CloudFormation too:

However, this is incompatible with the following AWS Config rule used in evidence collection (for SOC 2):

The rule is NON_COMPLIANT if a listener is not configured with SSL or HTTPS.

It seems that having HTTP and HTTPS makes it NON_COMPLIANT, even if HTTP merely redirects to HTTPS (well, I guess it does make sense).

My question is - how can we disable port 80 altogether in the ALB?

@Nick-Convox is the app parameter RedirectHttps relevant? I tried setting it to No but it did not do anything that I could see.

Reading the code, it seems like it would actually enable HTTP instead of doing a permanent redirect. But even a permanent redirect is a risk, as cookies or other secrets might be exposed, not to mention enabling HTTP.

Is there an option to disable HTTP altogether?
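The rule quoted above judges each listener by its own protocol, not by where it sends traffic, so a port-80 listener that only issues a redirect to 443 still fails the check. As an added example (not from this thread, from Convox, or from AWS), the Python below applies that evaluation to constructed listener records in the shape that `elbv2 describe-listeners` returns; the sample data, the `evaluate_listeners` helper and the two listener sets are assumptions for illustration.

```python
"""Evaluate ALB listeners the way the quoted AWS Config rule does.

Assumption: only HTTPS (or TLS, for network load balancers) listeners are
compliant. An HTTP listener is NON_COMPLIANT even when its only default
action is a redirect to HTTPS, because the rule inspects the listener
protocol, not the action.
"""

COMPLIANT_PROTOCOLS = {"HTTPS", "TLS"}


def describe_listener(listener):
    """Return a short human-readable finding for one non-compliant listener."""
    actions = [a.get("Type") for a in listener.get("DefaultActions", [])]
    # A redirect-only listener is still plaintext on the wire for the first
    # request (cookies without the Secure flag, Authorization headers, etc.).
    note = "redirect-only" if actions == ["redirect"] else "serves plaintext"
    return f"{listener.get('Protocol')}:{listener.get('Port')} ({note})"


def evaluate_listeners(listeners):
    """Return (status, findings) for a list of describe-listeners records.

    status is 'COMPLIANT' when every listener uses HTTPS/TLS, otherwise
    'NON_COMPLIANT'; findings lists each offending listener.
    """
    findings = [
        describe_listener(lst)
        for lst in listeners
        if lst.get("Protocol", "").upper() not in COMPLIANT_PROTOCOLS
    ]
    status = "NON_COMPLIANT" if findings else "COMPLIANT"
    return status, findings


# Constructed sample: an ALB with a port-80 redirect listener plus port 443,
# mirroring the "80 redirects to 443" shape described in the thread.
REDIRECT_PLUS_HTTPS = [
    {
        "Protocol": "HTTP",
        "Port": 80,
        "DefaultActions": [
            {
                "Type": "redirect",
                "RedirectConfig": {
                    "Protocol": "HTTPS",
                    "Port": "443",
                    "StatusCode": "HTTP_301",
                },
            }
        ],
    },
    {
        "Protocol": "HTTPS",
        "Port": 443,
        "DefaultActions": [
            {"Type": "forward", "TargetGroupArn": "arn:aws:...:targetgroup/app/PLACEHOLDER"}
        ],
    },
]

# Constructed sample: the same ALB with the port-80 listener removed.
HTTPS_ONLY = [lst for lst in REDIRECT_PLUS_HTTPS if lst["Protocol"] == "HTTPS"]


if __name__ == "__main__":
    for name, listeners in (("redirect+https", REDIRECT_PLUS_HTTPS), ("https-only", HTTPS_ONLY)):
        status, findings = evaluate_listeners(listeners)
        print(f"{name}: {status} {findings}")
```

Running the block prints NON_COMPLIANT for the redirect-plus-HTTPS set and COMPLIANT for the HTTPS-only set, which is the distinction the Config rule draws: removing the port-80 listener, not changing what it redirects to, is what flips the result.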

Hello @alon

RedirectHttps does just that:
Set to No to allow the app to listen on HTTP rather than the default behavior of having all HTTP requests automatically redirected to HTTPS - docs

As for the ability to completely disable HTTP/80 from the LB we currently don’t offer this option; however, seeing as you are running into it for compliance purposes I can see the potential value in having this added as a feature.

I have gone ahead and created an internal feature request ticket to talk about at the next sprint planning meeting. I will be sure to update this post once I have any additional information.

Regards,
Nick


Thank you. I am hoping it is a simple feature to add, “DisableHttp”=yes/no, just updating the CloudFormation template.

And indeed, it is critical for certification.

Will wait for your update, thanks again!