More Info:

Load Balancer global url maps should be configured to block HTTP connection and allow only HTTPS connections.

Risk Level

High

Address

Security

Compliance Standards

GDPR, PCIDSS, NIST

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of Load Balancer Global Urlmaps should accept HTTPS connections in GCP, you can follow the below steps:
  1. Login to your GCP console and select the project where the misconfiguration exists.
  2. Go to the Navigation menu and select Networking -> Network services -> Load balancing.
  3. Select the Load balancer where the misconfiguration exists.
  4. Click on the Edit button at the top of the page.
  5. In the Edit Load Balancer page, scroll down to the Backend configuration section.
  6. Click on the Backend services link.
  7. Select the backend service where the misconfiguration exists.
  8. In the Backend service page, scroll down to the Backend configuration section.
  9. Click on the Edit button next to the backend configuration.
  10. In the Edit backend configuration page, scroll down to the Protocol section.
  11. Select the HTTPS option from the dropdown list.
  12. Click on the Save button to save the changes.
Once the above steps are completed, the Load Balancer Global Urlmaps will accept HTTPS connections.

To remediate the misconfiguration “Load Balancer Global Urlmaps Should Accept Https Connections” in GCP using GCP CLI, follow the below steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to get the list of all the URL maps in the project: 
    gcloud compute url-maps list
  3. Identify the URL map that needs to be modified and note down its name.
  4. Run the following command to update the URL map to accept HTTPS connections: 
    gcloud compute url-maps update [URL_MAP_NAME] --default-service [SERVICE_NAME] --ssl-certificates [SSL_CERTIFICATE_NAME]
    Replace [URL_MAP_NAME] with the name of the URL map that needs to be modified, [SERVICE_NAME] with the name of the default service associated with the URL map, and [SSL_CERTIFICATE_NAME] with the name of the SSL certificate to be used for HTTPS connections.
  5. After running the above command, the URL map will be updated to accept HTTPS connections. You can verify the changes by running the following command: 
    gcloud compute url-maps describe [URL_MAP_NAME]
    This command will display the updated configuration of the URL map.
Note: Before running the above commands, make sure you have the necessary permissions to modify the URL maps in the project.
To remediate the misconfiguration of Load Balancer Global Urlmaps not accepting HTTPS connections in GCP using Python, follow the steps below:
  1. Import the necessary libraries:
from google.cloud import compute_v1
from google.protobuf.json_format import MessageToDict
  1. Authenticate to the GCP project:
compute_client = compute_v1.ComputeClient()
project = "your-project-id"
  1. Get the list of URL maps:
urlmaps = compute_client.url_maps().list(project=project).execute()
  1. Loop through the URL maps and check if HTTPS is enabled:
for urlmap in urlmaps.get("items", []):
    urlmap_name = urlmap["name"]
    urlmap = compute_client.url_maps().get(project=project, urlMap=urlmap_name).execute()
    urlmap_dict = MessageToDict(urlmap, preserving_proto_field_name=True)
    if urlmap_dict.get("hostRules"):
        for host_rule in urlmap_dict["hostRules"]:
            if host_rule.get("pathMatcher"):
                path_matcher = host_rule["pathMatcher"]
                if path_matcher.get("defaultService"):
                    default_service = path_matcher["defaultService"]
                    if default_service.startswith("https://"):
                        print(f"HTTPS is enabled for URL map {urlmap_name}")
                    else:
                        print(f"HTTPS is not enabled for URL map {urlmap_name}")
                else:
                    print(f"No default service found for path matcher in URL map {urlmap_name}")
            else:
                print(f"No path matcher found for host rule in URL map {urlmap_name}")
    else:
        print(f"No host rules found in URL map {urlmap_name}")
  1. If HTTPS is not enabled, update the URL map to accept HTTPS connections:
urlmap_name = "your-url-map-name"
urlmap = compute_client.url_maps().get(project=project, urlMap=urlmap_name).execute()
urlmap_dict = MessageToDict(urlmap, preserving_proto_field_name=True)
if urlmap_dict.get("hostRules"):
    for host_rule in urlmap_dict["hostRules"]:
        if host_rule.get("pathMatcher"):
            path_matcher = host_rule["pathMatcher"]
            if path_matcher.get("defaultService"):
                default_service = path_matcher["defaultService"]
                if default_service.startswith("http://"):
                    path_matcher["defaultService"] = default_service.replace("http://", "https://")
                    urlmap_body = {"hostRules": urlmap_dict["hostRules"]}
                    compute_client.url_maps().patch(project=project, urlMap=urlmap_name, body=urlmap_body).execute()
                    print(f"HTTPS enabled for URL map {urlmap_name}")
                else:
                    print(f"HTTPS already enabled for URL map {urlmap_name}")
            else:
                print(f"No default service found for path matcher in URL map {urlmap_name}")
        else:
            print(f"No path matcher found for host rule in URL map {urlmap_name}")
else:
    print(f"No host rules found in URL map {urlmap_name}")
Note: Replace “your-project-id” and “your-url-map-name” with the actual project ID and URL map name in the code. Also, make sure you have the necessary permissions to update the URL map.

Additional Reading: