Digital Ocean Load Balancers

Load balancers Not Using HTTPS

Risk Level: Medium

Description

This plugin checks that load balancer instances redirect non-HTTPS traffic to HTTPS. For optimum security, a load balancer should either accept only HTTPS connections or redirect incoming HTTP connections to HTTPS.

About the Service

Digital Ocean Load Balancers:

Load Balancers let you distribute traffic between multiple Droplets and are a good way to horizontally scale your app. They’re fully managed by DigitalOcean; no setup or configuration is required.

Impact

When a load balancer accepts plain HTTP, traffic between clients and the load balancer travels unencrypted and can be read or tampered with in transit. To ensure optimum security, it is essential that load balancers use HTTPS.

Steps to Reproduce

Using the Digital Ocean Console:

To determine whether your Digital Ocean Load Balancers are configured to encrypt web traffic, follow the steps below:

  1. Sign in to the Digital Ocean Console using the administrator account. A dashboard will appear on the screen.
  2. From the left navigation panel, select the name of the Project you want to investigate.
  3. After selecting the Project, under the Manage section in the left navigation panel, click on the Networking blade.
  4. A Networking page will appear on the screen; select the Load Balancers tab from the top navigation bar.
  5. A Load Balancer dashboard will appear on the screen with a list of all the Load Balancers available in the current project.
  6. Click on the name of the load balancer you want to investigate. A new Load Balancer page with all the details will appear on the screen. Click on the Settings tab in it.
  7. Among the columns listed, find the Forwarding Rules and SSL columns. Check whether the Forwarding Rules column shows the HTTP protocol instead of the HTTPS protocol, and whether the SSL column says No Redirect.
  8. If both conditions in Step 7 are true, the web traffic for that load balancer is not encrypted via HTTPS, so the communication between clients and the load balancer is unprotected.
  9. Repeat the above steps for the other load balancers in your Digital Ocean Projects.
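The same check can be automated against the load balancer objects returned by the DigitalOcean API (for example the parsed output of `doctl compute load-balancer list --output json`). The following is an added example, not part of the original page or of the plugin; it assumes the API v2 object layout (`forwarding_rules[].entry_protocol` and the top-level `redirect_http_to_https` flag) and uses a constructed sample list with placeholder certificate ids.

```python
"""Flag DigitalOcean load balancers that accept plain HTTP without redirecting to HTTPS."""
import json

# Constructed sample in the assumed shape of the DigitalOcean API v2 load balancer object.
# Certificate ids are placeholders, not real values.
SAMPLE_LBS = json.loads("""[
  {"name": "web-lb-old", "redirect_http_to_https": false,
   "forwarding_rules": [
     {"entry_protocol": "http", "entry_port": 80, "target_protocol": "http", "target_port": 80}]},
  {"name": "web-lb-mixed", "redirect_http_to_https": true,
   "forwarding_rules": [
     {"entry_protocol": "http", "entry_port": 80, "target_protocol": "http", "target_port": 80},
     {"entry_protocol": "https", "entry_port": 443, "target_protocol": "http", "target_port": 80,
      "certificate_id": "CERT-ID-PLACEHOLDER"}]},
  {"name": "web-lb-tls-only", "redirect_http_to_https": false,
   "forwarding_rules": [
     {"entry_protocol": "https", "entry_port": 443, "target_protocol": "http", "target_port": 80,
      "certificate_id": "CERT-ID-PLACEHOLDER"}]},
  {"name": "db-lb", "redirect_http_to_https": false,
   "forwarding_rules": [
     {"entry_protocol": "tcp", "entry_port": 5432, "target_protocol": "tcp", "target_port": 5432}]}
]""")

# Entry protocols that terminate TLS at the load balancer (the console's HTTPS/HTTP2 option).
TLS_ENTRY = {"https", "http2"}


def check_load_balancer(lb):
    """Return (status, message) for one load balancer, mirroring the console check:
    FAIL when a forwarding rule accepts plain HTTP and 'Redirect HTTP to HTTPS' is off."""
    rules = lb.get("forwarding_rules", [])
    web_rules = [r for r in rules if r.get("entry_protocol") in TLS_ENTRY | {"http"}]
    if not web_rules:
        return "PASS", "no HTTP/HTTPS forwarding rules (non-web load balancer)"
    plain_http = [r for r in web_rules if r.get("entry_protocol") == "http"]
    if plain_http and not lb.get("redirect_http_to_https", False):
        ports = ", ".join(str(r.get("entry_port")) for r in plain_http)
        return "FAIL", f"accepts unencrypted HTTP on port(s) {ports} with no redirect to HTTPS"
    return "PASS", "all web traffic is HTTPS or redirected to HTTPS"


def scan(lbs):
    """Run the check over a list of load balancer objects, keyed by load balancer name."""
    return {lb["name"]: check_load_balancer(lb) for lb in lbs}


if __name__ == "__main__":
    for name, (status, msg) in scan(SAMPLE_LBS).items():
        print(f"{status:4} {name}: {msg}")
```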

Steps for Remediation

To enable HTTPS on your Digital Ocean load balancers and encrypt the web traffic between the load balancer and its clients, follow the steps below:

  1. Sign in to the Digital Ocean Console using the administrator account. A dashboard will appear on the screen.
  2. From the left navigation panel, select the name of the Project you want to investigate.
  3. After selecting the Project, under the Manage section in the left navigation panel, click on the Networking blade.
  4. A Networking page will appear on the screen; select the Load Balancers tab from the top navigation bar.
  5. A Load Balancer dashboard will appear on the screen with a list of all the Load Balancers available in the current project.
  6. Click on the name of the load balancer you want to investigate. A new Load Balancer page with all the details will appear on the screen. Click on the Settings tab in it.
  7. Among the columns listed, find the Forwarding Rules and SSL columns. Check whether the Forwarding Rules column shows the HTTP protocol instead of the HTTPS protocol, and whether the SSL column says No Redirect.
  8. If both conditions in Step 7 are true, the web traffic for that load balancer is not encrypted via HTTPS, so the communication between clients and the load balancer is unprotected.
  9. Click on the Edit button to the right of the Forwarding Rules column.
  10. Click on the Protocols dropdown menu and select HTTPS/HTTP2 from the dropdown list.
  11. Click on the Certificate dropdown menu, select the name of the certificate, and link it. Do this for every forwarding rule listed.
  12. After updating the settings, click on the Save button in the Forwarding Rules column.
  13. Go to the SSL column and click on the Edit option to the right of the row.
  14. Check the box next to Redirect HTTP to HTTPS and click the Save button.
  15. Repeat steps 7-14 for the other load balancers in your Digital Ocean Project.
  16. Repeat the above steps for the other Digital Ocean projects/folders in your organization.