Closing port 80 while keeping port 443 active is not only possible but recommended for security-focused web applications. Here's a technical breakdown:
Nginx configuration (port 80 stays open only to redirect clients to HTTPS):
```nginx
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;
    # SSL configuration and other directives
}
```
Apache configuration (port 80 only redirects to HTTPS):
```apache
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    # SSL configuration and other directives
</VirtualHost>
```
When implementing HTTPS-only access:
- Ensure HSTS (HTTP Strict Transport Security) is properly configured
- Implement proper certificate management with Let's Encrypt or another CA
- Consider using TLS 1.2/1.3 exclusively
While closing port 80 enhances security, consider:
| Issue | Solution |
|---|---|
| HTTP->HTTPS redirects | Implement at application level if needed |
| Browser compatibility | Ensure all clients support HTTPS |
| Monitoring challenges | Configure alerts for SSL certificate expiration |
AWS Security Group configuration for HTTPS-only access:
```bash
aws ec2 authorize-security-group-ingress \
    --group-id sg-903004f8 \
    --protocol tcp \
    --port 443 \
    --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress \
    --group-id sg-903004f8 \
    --protocol tcp \
    --port 80 \
    --cidr 0.0.0.0/0
```
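Essential monitoring checks for HTTPS-only setups:
```bash
#!/bin/bash
# Check SSL certificate expiration
# (</dev/null closes stdin so s_client exits after the handshake)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | \
    openssl x509 -noout -dates
# Verify port 80 is closed (-w 5 avoids hanging when packets are dropped)
nc -zv -w 5 example.com 80
```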
When hardening web server security, closing port 80 (HTTP) while keeping port 443 (HTTPS) active is technically feasible and increasingly recommended for applications where:
- No HTTP-to-HTTPS redirection is required
- All clients can be guaranteed to support HTTPS
- SEO considerations are irrelevant
For Nginx:
```nginx
server {
    listen 80;
    server_name example.com;
    return 444; # Close connection immediately
}
server {
    listen 443 ssl;
    server_name example.com;
    # SSL configuration and other directives...
}
```
For Apache:
```apache
<VirtualHost *:80>
    ServerName example.com
    Redirect 403 /
    ErrorDocument 403 "HTTP access disabled"
</VirtualHost>
<VirtualHost *:443>
    # HTTPS configuration
</VirtualHost>
```
While the security benefits are clear, be aware of these technical consequences:
- Browser address bar entries defaulting to HTTP won't work
- Certain API clients may fail without explicit HTTPS URLs
- Monitoring tools may flag the closed port as a potential issue
For environments requiring more flexibility:
```nginx
# Minimal HTTP port 80 configuration for redirection only
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```
For maximum security, combine application configuration with OS-level controls:
```bash
# Linux iptables example
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
```
After implementation, verify with:
```bash
curl -I http://example.com    # Should fail
curl -I https://example.com   # Should succeed
nmap -p 80,443 example.com    # Port scanning verification
```
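The curl checks above only succeed or fail; this added example (not part of the original page) turns the result into a verdict that distinguishes the configurations shown here, and also reads the HSTS max-age. The function names are hypothetical and the sample headers are constructed.

```bash
#!/bin/bash
# Added example: interprets the curl checks above. Function names are
# hypothetical; SAMPLE_HEADERS is constructed, not captured from a server.

# Print the HSTS max-age (seconds) from a block of response headers.
# Returns non-zero if the header or its max-age directive is missing.
hsts_max_age() {
  printf '%s\n' "$1" | tr -d '\r' |
    grep -i '^strict-transport-security:' | head -n 1 |
    grep -io 'max-age=[0-9][0-9]*' | grep -o '[0-9][0-9]*$'
}

# Classify the port-80 probe.
#   $1 = curl exit code, $2 = HTTP status, $3 = redirect target (may be empty)
classify_port80() {
  case "$1" in
    0)  ;;                              # got an HTTP response; inspect below
    7)  echo closed; return ;;          # connection refused, nothing listening
    28) echo filtered; return ;;        # timed out, e.g. iptables DROP
    52) echo dropped; return ;;         # empty reply, e.g. nginx "return 444"
    *)  echo probe-error; return ;;     # DNS failure or other curl error
  esac
  case "$2:$3" in
    30[1278]:https://*) echo redirect-https ;;
    403:*)              echo rejected ;;     # e.g. Apache "Redirect 403 /"
    *)                  echo serves-http ;;  # plaintext content still reachable
  esac
}

# Live check of one host (needs network); not run unless a host is given.
probe() {
  out=$(curl -s -o /dev/null -m 5 -w '%{http_code} %{redirect_url}' "http://$1/")
  rc=$?
  echo "port 80: $(classify_port80 "$rc" "${out%% *}" "${out#* }")"
  age=$(hsts_max_age "$(curl -sI -m 5 "https://$1/")") || age=missing
  echo "HSTS max-age: $age"
}

SAMPLE_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains'

if [ -n "${1:-}" ]; then
  probe "$1"
else
  echo "sample HSTS max-age: $(hsts_max_age "$SAMPLE_HEADERS")"
  echo "sample port 80: $(classify_port80 0 301 https://example.com/)"
fi
```

Run it with a hostname as the first argument to probe a live server; with no argument it only evaluates the constructed samples.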