Aqua CSPM

CLB HTTPS Only

Quick Info

| Field | Value |
| --- | --- |
| Plugin Title | CLB HTTPS Only |
| Cloud | GOOGLE |
| Category | CLB |
| Description | Ensures CLBs are configured to only accept connections on HTTPS ports |
| More Info | For maximum security, CLBs can be configured to only accept HTTPS connections. Standard HTTP connections will be blocked. This should only be done if the client application is configured to query HTTPS directly and not rely on a redirect from HTTP. |
| GOOGLE Link | https://cloud.google.com/vpc/docs/vpc |
| Recommended Action | Remove non-HTTPS listeners from the load balancer. |

Detailed Remediation Steps

  1. Log into the Google Cloud Platform Console.
  2. Scroll down the left navigation panel, choose the “Network Services” option under “NETWORKING”, and select “Load balancing.”
  3. On the “Load balancing” page, click on the “Name” link of the load balancer to select it.
  4. On the “Load balancer details” page, scroll down and check the “Protocol” option under “Frontend.” If it is set to “HTTP”, the selected load balancer does not follow GCP best practices.
  5. Repeat steps 2 - 4 to verify the other load balancers in the account.
  6. Navigate to the “Load balancing” option under “Network Services” in “NETWORKING”, choose the load balancer, and click on the “Edit” button at the top.
  7. On the “Edit HTTP(S) load balancer” page, click on the “Frontend configuration” option, then click on the pencil icon next to the “Bucket/VM” entry on the “Frontend configuration” page.
  8. On the “Frontend configuration” tab, set the “Protocol” to “HTTPS”, select the corresponding certificate, and click on the “Done” button.
  9. On the “Edit HTTP(S) load balancer” page, click on the “Update” button to save the changes.
  10. Repeat steps 6 - 9 to remove non-HTTPS listeners from the load balancer.
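The check in steps 2 - 5 can also be run over exported forwarding-rule data instead of clicking through each load balancer. The following is an added example, not Aqua's plugin code: it assumes JSON in the shape produced by `gcloud compute forwarding-rules list --format=json`, and the project, rule names and addresses in the sample are constructed placeholders.

```python
import json

# Constructed sample shaped like `gcloud compute forwarding-rules list --format=json`;
# the project, rule names and addresses are placeholders.
SAMPLE = """
[
 {"name": "web-http-fr", "IPAddress": "203.0.113.10", "portRange": "80-80",
  "target": "https://www.googleapis.com/compute/v1/projects/example-project/global/targetHttpProxies/web-http-proxy"},
 {"name": "web-https-fr", "IPAddress": "203.0.113.10", "portRange": "443-443",
  "target": "https://www.googleapis.com/compute/v1/projects/example-project/global/targetHttpsProxies/web-https-proxy"},
 {"name": "internal-tcp-fr", "IPAddress": "10.0.0.5", "ports": ["5432"],
  "backendService": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1/backendServices/db"}
]
"""

# Target proxy collection in the rule's "target" URL -> frontend protocol.
PROXY_PROTOCOL = {"targetHttpProxies": "HTTP", "targetHttpsProxies": "HTTPS"}


def frontend_protocol(rule):
    """Return "HTTP"/"HTTPS" for HTTP(S) load balancer frontends, else None."""
    parts = rule.get("target", "").rstrip("/").split("/")
    # The second-to-last path segment names the proxy collection.
    return PROXY_PROTOCOL.get(parts[-2]) if len(parts) >= 2 else None


def audit(rules):
    """List frontends that accept plain HTTP (the condition in step 4)."""
    findings = []
    for rule in rules:
        if frontend_protocol(rule) == "HTTP":
            findings.append({
                "name": rule.get("name"),
                "ip": rule.get("IPAddress"),
                "ports": rule.get("portRange"),
                "proxy": rule["target"].rsplit("/", 1)[-1],
            })
    return findings


if __name__ == "__main__":
    for f in audit(json.loads(SAMPLE)):
        print(f"FAIL {f['name']} {f['ip']}:{f['ports']} -> {f['proxy']} (HTTP frontend)")
```

Rules that point at a backend service or another proxy type are skipped rather than reported, since they are not HTTP(S) load balancer frontends.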