Port Restrictions for HttpService

Hi developers,

To enhance game server security, we plan to limit the ports that can be used for HttpService, and would like to give you enough time to prepare for the changes.

Today, HttpService allows you to use any port for http requests. Internet standards, however, reserve certain ports for specific services, most of which are below 1024. For example, http and https requests typically use port 80 and 443, respectively. More information can be found here.

The use of arbitrary ports is not ideal because it allows http and https access to ports reserved for other services. We will begin restricting HttpService connections from using the standard reserved ports.

Below are the ports that we plan to start blocking on November 15, 2021:

  • All ports below 1024, except 80 and 443
  • Port 1194

Note you will still be able to freely use any other port with HttpService, namely 80, 443, 1024 - 65535 except 1194. We understand this may be a breaking change to some of the experiences, so we plan to continue supporting all ports until November 15, as mentioned above.

Note: We will attempt to contact you if you are using any of the ports that will be blocked.

We encourage you to update your code as soon as possible to minimize any potential impact. Please let us know if you have additional questions.


Sincerely,
The Roblox Team

FAQ
Will this affect Studio plug-ins like Rojo?

  • No, this will only affect requests sent from game servers using HttpService. Studio plug-ins usually run on your local computer and won’t be impacted.
132 Likes
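
The rule announced above, written as a check you can run over the endpoint URLs your game servers call. This is an added example, not Roblox code and not part of the original post; the function names and sample URLs are constructed, and it assumes a URL without an explicit port uses the scheme default (80 for http, 443 for https).

```python
from urllib.parse import urlsplit

# Announced rule: below 1024 only 80 and 443 stay open; 1194 is blocked too.
ALLOWED_LOW_PORTS = {80, 443}
BLOCKED_HIGH_PORTS = {1194}
DEFAULT_PORTS = {"http": 80, "https": 443}  # assumption: scheme defaults apply


def effective_port(url):
    """Return the TCP port a request to `url` would use, or None if unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError if non-numeric or above 65535
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return DEFAULT_PORTS[scheme] if port is None else port


def is_port_allowed(port):
    """Apply the announced restriction to a single port number."""
    if port < 1024:
        return port in ALLOWED_LOW_PORTS
    return port <= 65535 and port not in BLOCKED_HIGH_PORTS


def audit(urls):
    """Map each URL to 'ok', 'blocked' or 'invalid' under the announced rule."""
    verdicts = {}
    for url in urls:
        port = effective_port(url)
        ok = port is not None and is_port_allowed(port)
        verdicts[url] = "invalid" if port is None else ("ok" if ok else "blocked")
    return verdicts


# Constructed sample endpoints, not taken from any real experience.
SAMPLE_URLS = [
    "https://api.example.com/v1/stats",  # no explicit port: 443
    "http://example.com:8080/hook",
    "http://example.com:8/hook",
    "https://[2001:db8::1]:1194/",
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_URLS).items():
        print(f"{verdict:8} {url}")
```

Any URL reported as `blocked` needs to move to 80, 443, or a port from 1024 to 65535 other than 1194 before the cutoff date.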

I’m honestly not an expert in this kind of stuff. Can someone tell me what this means?

15 Likes

I am also not an expert but I believe it is about sending data and collecting it or something like that.

4 Likes

I don’t really think this is a good idea, especially given that some free servers only let you run apps listening on non-standard ports. Will there be some sort of accommodation for people that have a genuine use for those ports?

26 Likes

Yeah. I’m familiar with Studio API Services, but I’m a novice at scripting, so I have no idea how HttpService works, and what this announcement means.

Does anyone know?

This allows you to use non-standard ports. Any ports above 1024 are fine to use still.

11 Likes

I’m not for this change as some developers may not have the resources to properly allocate “commonly used” ports for each service they expose. Please consider the following alternative:

  • by default, block ports which are not commonly used for “http(s)” requests
  • under Game Settings or HttpService, allow developers to either remove this restriction or whitelist certain ports to meet their development needs

This still enhances security by default while providing developers flexibility to work within the resource restrictions they may have imposed on them.

If a use case is necessary, I have a homelab and self host a lot of my services. Due to the nature of residential ISPs, we only get one IP. I already have to do tricks such as reverse proxies in order to expose multiple services running off different VMs, and other hacks such as setting up VPSes in public cloud and a VPN back into my network to give myself “more IPs”. This is costly when I could just use a less commonly used port instead of having to work around this restriction.

40 Likes

so you’re saying some people can’t use ports properly???

Depends on what solution they’re using to host their web application. Not everyone can afford to purchase a VPS and may use services such as glitch or heroku which may require the use of non-standard ports. Mine is more of a unique use case, but provided as an example as to why a whitelist or option to disable this entirely should be provided.

4 Likes

The standard ports for HTTP requests and HTTPS are 80 and 443, respectively, which will not be blocked. All ports below number 1024 require root level permissions in order to launch something. Generally speaking, these ports below 1024 should not run any servers as it may cause some risks. Many services will go as low as 6 dollars in order to launch a VPS and host a server on it, say t2.nano EC2 instance from AWS. I don’t think you will afford a cheap solution, especially if you have a high base of players, in order to do something. Even if you have a lower base of players, there still are some solutions in order to accommodate all your needs.

EDIT: Most programs allow you to change the port, say Rojo, and above all, it runs on a port higher than 1024, so it shouldn’t cause any problems.

3 Likes

Y’all getting this wrong.

And you can - TCP ports go until 65535. Only ports below 1024 (0-1023, except, obvs, 80 and 443) are blocked.

Ports 1024-65535 (except 1194) are free* for you to pick as you wish :slight_smile:
*Some are being used by client sockets, but those are generally in the range of port 50000 and above. This probably depends on the OS you’re running.

Rojo runs on port 34872 and it is not going to be blocked.

15 Likes

Correction: anything over 1024 that isn’t afaik 1194 (Rojo already uses something above that but I don’t remember from the top of my head)

3 Likes

This change is doing the reverse. All ports above 1024 will still be allowed. Rojo uses 34872 by default and should be unaffected.

5 Likes

I’m not saying that I run Rojo on these ports, all I’m saying is that it doesn’t affect Rojo at all. Many services allow you to change the port as you please, having configurations by default for them.

Ah, wait maybe I did misread it, as long as it means I don’t have to reconfigure projects I’m fine with it. I personally do think it’s better to block certain ports as it is a security risk.

1 Like

I think people are misreading this.

Ports 0-1023, and port 1194 will be blocked.
Ports 1024-65535 will not be blocked (with the exception of 1194).

This does not affect Rojo users using the default Rojo settings. Rojo uses port 34872 by default, and is therefore not affected.

Ports 80 and 443 will remain accessible. These are the default ports for “http://” and “https://” connections (including localhost).

26 Likes

Does this mean that these ports will be blocked throughout the platform or just through HttpService?

This won’t affect Rojo, as Rojo uses 34872 by default (which is above 1024)

1 Like

I’m sort of confused by the difference? The only way to do http requests is via HttpService - so effectively yes.

@Reinitialized I sort of suspect this is to prevent abuse via Roblox servers; doubt it has anything to do with making Roblox’s servers more secure. A whitelist system would defeat the point of that.