OCI-Networking-Load-Balancer-HTTPS-Only
Severity : Medium
Description: This control ensures that public load balancer ]configure HTTP listeners for end-to-end TLS connection and doesn’t allow HTTP. The HTTPS listener allows the clients to use TLS for all the communication and security purpose. This should only be done if the client application is configured to query HTTPS directly and not rely on a redirect from HTTP.
Remediation Steps:
Perform following to update listener for load balancer:
Login to the OCI console at Cloud Sign In.
In the navigation, click Networking.
Select the Compartment.
Click Load Balancers.
Select the Load balancer for which listener should needs to update.
Click Listeners under Resources.
Click  Create Listener.
Enter the new listener information
Name, Hostname, Port
Protocol : Enter HTTP
Use SSL Check this box for HTTPS, Certificate Resource, Verify Peer Certificate, Verify Depth
Backend Set, Idle Timeout in Seconds, Routing Policy
Show Advanced Options, Advanced SSLÂ for CA Bundle, Certificate Authority
TLSÂ Version 1.2 is recommended version, Select Cipher Suite
Click Create Listener.
Once new HTTPS listener is created, in the list list of listener, click on the action and select to remove the old listener from the load balancer.
Important:
Reference:
https://docs.oracle.com/en-us/iaas/Content/Security/Reference/networking_security.htm
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managinglisteners.htm#create
Â
Blue Hexagon Proprietary