13

I have a web application that should only be accessible through HTTPS.

  • Is it possible, and a wise idea to close port 80 entirely?
  • Are there any drawbacks to closing port 80, beyond the fact browsers can't hit it in a non-encrypted way?

Search engine visibility is not a priority.

Allyl Isocyanate

2 Answers

12

You can specify that Apache only listens on a particular port, for all sites, or just a VirtualHost. See the Listen directive.

If you have a name or IP virtual host for that site, just configure it to only use port 443. It is also a good idea to redirect all requests for your site on port 80 to 443. There are a few examples on Wikipedia on how to implement this using HTTP Strict Transport Security, with a vhost example for Apache.

Dana the Sane
  • 5
    One other good approach would be to leave 80 listening, but with just a redirect sending all requests to `https://`. – Shane Madden Aug 30 '11 at 21:12
  • 1
    You're right, I'd say that's basically mandatory. – Dana the Sane Aug 30 '11 at 21:14
  • 3
    Some might argue that an HTTP -> HTTPS redirection is a bad idea from a security perspective. What happens if the site in question has a web form which uses the GET method, and an action that points to the non-https version of the site? If the end user has lowered the security settings of their browser, and your site has an http -> https redirect, then you may be compromising their security and privacy. HSTS was partly created because of the issues with http -> https redirection. http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security – Zoredache Aug 30 '11 at 22:35
  • @Zoredache I like that solution, is the support mature? – Dana the Sane Aug 31 '11 at 00:48
  • 2
    It's worth noting that in most cases you'll still need the HTTP->HTTPS redirect since it's not allowed to send the HSTS header over an HTTP (non-secured) connection. However, a conforming browser will never make a second plain HTTP request. Also, IE (as of version 10) and Safari (as of version 6) don't support HSTS, so if you don't want to shut port 80 down altogether, you're still stuck with the redirect. – eaj Feb 14 '13 at 15:51
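
The setup discussed in this answer and its comments, as an added example that is not part of the original posts: port 80 answers only with a redirect, and the HSTS header is sent from the HTTPS virtual host. The hostname, file paths and max-age value are assumptions.

```apache
# Constructed example: www.example.com and the certificate paths are placeholders.
# Requires mod_ssl, mod_alias (Redirect) and mod_headers (Header).

Listen 80
Listen 443

# Port 80 serves no content; every request gets a permanent redirect to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # HSTS is sent only on the HTTPS vhost; browsers that support it
    # stop making plain-HTTP requests to this host for max-age seconds.
    # The one-year max-age is an assumed value.
    Header always set Strict-Transport-Security "max-age=31536000"

    DocumentRoot /var/www/example
</VirtualHost>

# To close port 80 entirely instead, drop "Listen 80" and the *:80 vhost.
```

Running `apachectl configtest` checks the syntax before the configuration is reloaded.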
1

Is it possible, and a wise idea to close port 80 entirely?

Yes it is. You should close those ports that are not used. Though the Linux way of doing things is that a port won't be open if there is no service that is listening on it.

Are there any drawbacks to closing port 80, beyond the fact browsers can't hit it in a non-encrypted way?

None.

karatedog
  • Now I can't remember the previous state, but what was the problem with the formatting? – karatedog Aug 31 '11 at 01:24
  • If you click on the link after the word 'edited', you can see the various versions. It looks to me like the quoted text was changed from a monospaced font to a variable width font. – Slartibartfast Aug 31 '11 at 04:59
  • The quote text was all on one line in a scrolled text field, and not all visible. Using the md quote formatting corrects this. – Dana the Sane Aug 31 '11 at 13:51
  • Good answer, to the point, I got what I came for, have a nice day! – Stephan Henningsen Jan 11 '22 at 22:11
  • The drawback is that a potential visitor that types your URL into the address bar of his browser without the protocol will not be able to reach your site. The majority of browsers don't do HTTPS by default, they will try HTTP and if that fails just show that the site is not reachable. It is better to leave port 80 open and answer with a redirect to HTTPS. – Gerald Schneider Jan 13 '22 at 06:37
  • @GeraldSchneider this drawback has already been thought over by OP although he focused on the non-encrypted nature of the communication and not on the availability issue. – karatedog Jan 28 '22 at 08:24