OCI-Networking-Load-Balancer-HTTPS-Only

Severity : Medium

Description: This control ensures that public load balancers configure HTTPS listeners for end-to-end TLS connections and do not expose plain HTTP listeners. An HTTPS listener requires clients to use TLS for all communication, protecting it in transit. This should only be done if the client application is configured to query HTTPS directly and does not rely on a redirect from HTTP.

Remediation Steps:

Perform the following steps to update the listener for the load balancer:

  1. Login to the OCI console at Cloud Sign In.

  2. In the navigation, click Networking.

  3. Select the Compartment.

  4. Click Load Balancers.

  5. Select the load balancer whose listener needs to be updated.

  6. Click Listeners under Resources.

  7. Click Create Listener.

  8. Enter the new listener information:

    • Name, Hostname, Port

    • Protocol : Enter HTTP

    • Use SSL Check this box for HTTPS, Certificate Resource, Verify Peer Certificate, Verify Depth

    • Backend Set, Idle Timeout in Seconds, Routing Policy

    • Show Advanced Options, Advanced SSL for CA Bundle, Certificate Authority

    • TLS Version 1.2 is recommended version, Select Cipher Suite

  9. Click Create Listener.

  10. Once the new HTTPS listener is created, in the list of listeners, click the action menu of the old listener and select the option to remove it from the load balancer.
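To verify the control across a compartment rather than listener by listener in the console, the listeners of every public load balancer can be checked for a missing SSL configuration or for TLS versions below 1.2. The following is an added example, not part of this control page or Blue Hexagon's tooling; it assumes the JSON shape printed by `oci lb load-balancer list --compartment-id <ocid> --all --output json` (hyphenated keys such as `is-private` and `ssl-configuration`) and runs against a constructed sample of that shape.

```python
"""Flag listeners on public OCI load balancers that do not terminate TLS,
or that still accept TLS versions older than 1.2.

Input is the JSON printed by:
    oci lb load-balancer list --compartment-id <ocid> --all --output json
The hyphenated key names used below mirror that CLI output (an assumption of
this example; confirm against the output of your own CLI version).
"""
import json

# Constructed sample in the shape of the CLI output; the OCIDs and names are
# placeholders, not real tenancy data.
SAMPLE_LB_LIST = json.dumps({
    "data": [
        {
            "id": "ocid1.loadbalancer.oc1..EXAMPLE-web-public",
            "display-name": "web-public",
            "is-private": False,
            "listeners": {
                "http-80": {"protocol": "HTTP", "port": 80, "ssl-configuration": None},
                "https-443": {
                    "protocol": "HTTP", "port": 443,
                    "ssl-configuration": {
                        "certificate-name": "web-cert",
                        "protocols": ["TLSv1.2"],
                        "verify-peer-certificate": False,
                        "verify-depth": 1,
                    },
                },
            },
        },
        {
            "id": "ocid1.loadbalancer.oc1..EXAMPLE-legacy-public",
            "display-name": "legacy-public",
            "is-private": False,
            "listeners": {
                "https-old": {
                    "protocol": "HTTP", "port": 443,
                    "ssl-configuration": {
                        "certificate-name": "legacy-cert",
                        "protocols": ["TLSv1.1", "TLSv1.2"],
                        "verify-peer-certificate": False,
                        "verify-depth": 1,
                    },
                },
            },
        },
        {
            "id": "ocid1.loadbalancer.oc1..EXAMPLE-internal",
            "display-name": "internal-api",
            "is-private": True,  # private load balancer: out of scope for this control
            "listeners": {
                "http-8080": {"protocol": "HTTP", "port": 8080, "ssl-configuration": None},
            },
        },
    ]
})

# TLS versions the control considers unacceptable (TLS 1.2 is the recommended minimum).
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def find_noncompliant_listeners(lb_list_json: str) -> list:
    """Return one finding per listener on a public load balancer that either has
    no SSL configuration (plain HTTP) or still offers a weak TLS version."""
    findings = []
    for lb in json.loads(lb_list_json).get("data", []):
        if lb.get("is-private"):
            continue  # the control targets public load balancers only
        for name, listener in (lb.get("listeners") or {}).items():
            ssl = listener.get("ssl-configuration")
            base = {
                "load_balancer": lb.get("display-name"),
                "listener": name,
                "port": listener.get("port"),
            }
            if not ssl:
                findings.append({**base, "reason": "no SSL configuration (plain HTTP)"})
                continue
            weak = sorted(WEAK_TLS.intersection(ssl.get("protocols") or []))
            if weak:
                findings.append({**base, "reason": "accepts " + ", ".join(weak)})
    return findings


if __name__ == "__main__":
    for f in find_noncompliant_listeners(SAMPLE_LB_LIST):
        print(f"{f['load_balancer']}/{f['listener']} (port {f['port']}): {f['reason']}")
```

Run the script against saved CLI output by replacing `SAMPLE_LB_LIST` with the file contents; each finding names the listener that should be replaced by an HTTPS listener (or re-created with only TLS 1.2 or later) following the console steps above.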

Important:

Reference:


Blue Hexagon Proprietary