This repository has been archived by the owner on Jun 16, 2023. It is now read-only.

port 443 is not available on operating system blueprints #11

Closed
missinglink opened this issue Feb 11, 2020 · 7 comments

missinglink commented Feb 11, 2020

Hi!

Firstly, apologies if this isn't the right repo to report this; there aren't many options to contact AWS to provide developer feedback to help improve their services.

There is an ongoing thread over at terraform-provider-aws about the partial support for lightsail in terraform, particularly the missing features of firewall and block storage.

I noticed on your lightsail docs that port 443 is enabled by default on application blueprints but not operating system blueprints.

Is there a reason for this? The internet has moved away from 80 and almost all sites are now required to use SSL on 443.
It seems an odd decision to include 80 but not 443, I could see a reason to have neither or both, but it seems unusual to only have 80.

I've also been searching for the source code for the lightsail blueprints (to see what's installed in the application blueprints), where are these published?

Thanks!

wjramos commented Feb 11, 2020

Note: I'm not a representative of Lightsail or AWS

From my understanding, OS blueprints are not assumed to be for the purpose of serving web traffic and 80 is open for the purposes of health checks. terraform-provider-aws is a community provider not maintained by AWS, so there are quite a few features not implemented in it.

missinglink commented Feb 11, 2020

Thanks @wjramos that's an interesting perspective.

What makes you think "OS blueprints are not assumed to be for the purpose of serving web traffic and 80 is open for the purposes of health checks"?

My understanding of the lightsail product is that it's specifically aimed at hosting web applications (basically a Digital Ocean clone).

I couldn't imagine why someone would use lightsail for any other task as the balance of the product is low CPU but high bandwidth allowances.

Why would you need a healthcheck API for something that isn't a web server? I'm not familiar with software that does that, particularly not within the domain that Lightsail seems to be targeting.

wjramos commented Feb 12, 2020

@missinglink it can also be used analogously to Elastic Beanstalk. For example, I could be running a private Node + Linux compute service that listens to an SQS queue and processes that information in some manner and posts to a database. In a case like this I wouldn't want this service to be publicly accessible.

Blueprints that aren't explicitly for web applications are more restrictive out of the box because they don't assume the use-case. After an instance is created from a blueprint (with its default ports), they can be updated using the CLI command open-instance-public-ports.

rlatino commented Mar 24, 2020

Hi @missinglink,

For the application blueprints (WordPress, Joomla, Drupal, etc.), ports 80 and 443 are open by default because we anticipate that the app will handle web traffic. Those ports are not open by default on OS-only blueprints because we can't anticipate what customers will be doing with those instances.

If you create an Amazon Linux instance, and then decide to use it as part of a LAMP stack, you can open the necessary ports using the Lightsail console (see this doc) or using the AWS CLI as Jordan stated.

@missinglink

Hi @rlatino, I think you're assuming 80 is closed on OS-blueprints, which it isn't?

My question is why have 80 open and not 443?

If they're not intended for web traffic then why is 80 open?

If they are intended for web traffic then why is 443 closed?

olliefr commented Sep 20, 2020

Hi @rlatino,

Your explanation is great, and totally makes sense, and that would have been it... but the OS-only blueprints do have port 80 open! I've just tested Ubuntu 20 for this purpose.

This is what the firewall setup looks like in the Ubuntu 20 blueprint, right after the instance had been created:

[Image: lightsail instance firewall]

I agree with @missinglink that if the web traffic is a major use case, then both 80 and 443 must be open. Please advise.

rlatino commented Nov 5, 2020

You're correct - port 80 is open for OS-only blueprints by default, but not port 443. @olliefr You can open port 443 (and/or close it) at any time by choosing Add rule in the firewall of your instance on the Lightsail console. Lightsail gives you control of your instance firewall ports. For the steps to edit your instance firewall ports, go to this guide. Regardless, I have passed your feedback to the Lightsail team and have had discussions about this with the product managers. If a change is made, we will update the Lightsail documentation accordingly. I'm closing this issue but if you have additional feedback, please go ahead and open another issue. Thank you!

rlatino closed this as completed Nov 5, 2020
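
As an added example (not part of the original thread and not Lightsail's own code): rather than relying on a blueprint's default ports, compare the instance firewall with an explicit allow-list and print the `open-instance-public-ports` / `close-instance-public-ports` calls that close the gap. The sample JSON follows the shape returned by `aws lightsail get-instance-port-states`; its values, the instance name `example-instance` and both policies are constructed for illustration.

```python
import json

# Constructed sample of `aws lightsail get-instance-port-states` output for an
# OS-only instance (illustrative values, not captured from a real instance).
SAMPLE_PORT_STATES = """
{"portStates": [
  {"fromPort": 22, "toPort": 22, "protocol": "tcp", "state": "open",
   "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": [], "cidrListAliases": []},
  {"fromPort": 80, "toPort": 80, "protocol": "tcp", "state": "open",
   "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": [], "cidrListAliases": []}
]}
"""

def open_rules(port_states_json):
    """Return the set of (protocol, fromPort, toPort) rules currently open."""
    states = json.loads(port_states_json)["portStates"]
    return {(s["protocol"].lower(), s["fromPort"], s["toPort"])
            for s in states if s.get("state") == "open"}

def reconcile(port_states_json, wanted):
    """Diff the live firewall against the wanted rules.
    Returns (to_open, to_close) as sorted lists of rules."""
    current = open_rules(port_states_json)
    return sorted(wanted - current), sorted(current - wanted)

def cli_commands(instance, to_open, to_close):
    """Render the AWS CLI calls that would apply the difference."""
    cmds = []
    for verb, rules in (("open", to_open), ("close", to_close)):
        for proto, lo, hi in rules:
            cmds.append(
                f"aws lightsail {verb}-instance-public-ports "
                f"--instance-name {instance} "
                f"--port-info fromPort={lo},toPort={hi},protocol={proto}")
    return cmds

if __name__ == "__main__":
    # Assumed policies: a web server (HTTP redirect plus HTTPS) and the
    # private queue worker from the thread, which should expose no web port.
    policies = {
        "web": {("tcp", 22, 22), ("tcp", 80, 80), ("tcp", 443, 443)},
        "worker": {("tcp", 22, 22)},
    }
    for name, wanted in policies.items():
        to_open, to_close = reconcile(SAMPLE_PORT_STATES, wanted)
        print(f"# policy: {name}")
        for cmd in cli_commands("example-instance", to_open, to_close):
            print(cmd)
```
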