I often establish Ubuntu-LAMP environments on which I host a few Drupal web applications that I myself own (I don't provide any hosting services and have never done so in the past).
Whenever I establish such an environment, the most fundamental security steps I take are these:
ufw --force enable
ufw allow 22,25,80,443 # All allowed via both TCP/UDP as no restrictions were given;
apt update -y
apt upgrade unattended-upgrades sshguard
After the 2017-2018 W3C/Google (?) reforms regarding browser support in HTTP, requiring or at least encouraging all of us to use TLS encryption confirmed with an SSL certificate for secured HTTP data transfer (HTTPS), I wonder if unsecured HTTP (typically via port 80) is still relevant at all to any of us.
Notes:
- Each of my web apps has its own OpenSSL certificate I create with Certbot.
- The only web utility I use besides websites is either PHPMyAdmin or PHPMiniAdmin.
My question
Is it okay for me to remove port 80 from ufw allow 22,25,80,443, thus making my system even a tiny bit less "vulnerable"?
Update per answers
Answers recommend redirecting from port 80 to port 443 instead of just blocking port 80. I think Certbot creates these redirects automatically so I'm covered if I keep port 80 open as recommended in the answers.
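
Added example, not part of the original question: a shell check that a site's port-80 response is nothing but a redirect to HTTPS on the same host, which is the behaviour the update above relies on. The function name, the host `example.test` and the sample responses are constructed for illustration.

```shell
# Added example; example.test and the sample_* responses are constructed.
# Real use:  curl -sI http://HOST/ | is_https_redirect HOST
# Exit status 0: port 80 answers only with a redirect to https://HOST.
# Exit status 1: it serves content, or redirects somewhere else.
is_https_redirect() {
    tr -d '\r' | awk -v host="$1" '
        NR == 1  { status = $2; next }      # e.g. "HTTP/1.1 301 Moved Permanently"
        $0 == "" { exit }                   # blank line ends the header block
        {
            i = index($0, ":")
            if (i == 0) next
            name  = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
            value = substr($0, i + 1)
            sub(/^[ \t]+/, "", value)
            if (name == "location") location = value
        }
        END {
            if (status !~ /^30[1278]$/) exit 1      # content served over plain HTTP
            base = "https://" host
            if (location == base || index(location, base "/") == 1) exit 0
            exit 1                                  # target is not HTTPS on this host
        }'
}

# Constructed header blocks standing in for `curl -sI` output.
sample_redirect() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\nLocation: https://example.test/\r\n\r\n'
}
sample_plain_content() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}
sample_http_target() {
    printf 'HTTP/1.1 302 Found\r\nlocation: http://example.test/login\r\n\r\n'
}

for s in sample_redirect sample_plain_content sample_http_target; do
    if "$s" | is_https_redirect example.test; then
        echo "$s: redirect-only"
    else
        echo "$s: NOT redirect-only"
    fi
done
```

Running the check once per virtual host catches a site whose port-80 vhost still serves pages or redirects back to plain HTTP.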