To enhance game server security, we plan to limit the ports that can be used for HttpService, and would like to give you enough time to prepare for the changes.
Today, HttpService allows you to use any port for http requests. Internet standards, however, reserve certain ports for specific services, most of which are below 1024. For example, http and https requests typically use ports 80 and 443, respectively. More information can be found here.
The use of arbitrary ports is not ideal because it allows http and https access to ports reserved for other services. We will begin restricting HttpService connections from using the standard reserved ports.
Below are the ports that we plan to start blocking on November 15, 2021:
All ports below 1024, except 80 and 443
Port 1194
Note you will still be able to freely use any other port with HttpService, namely 80, 443, 1024 - 65535 except 1194. We understand this may be a breaking change to some of the experiences, so we plan to continue supporting all ports until November 15, as mentioned above.
Note: We will attempt to contact you if you are using any of the ports that will be blocked.
We encourage you to update your code as soon as possible to minimize any potential impact. Please let us know if you have additional questions.
Sincerely,
The Roblox Team
FAQ
Will this affect Studio plug-ins like Rojo?
No, this will only affect requests sent from game servers using HttpService. Studio plug-ins usually run on your local computer and won’t be impacted.
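One way to find affected endpoints before the cutoff is to scan script source for URLs and apply the port rule stated in the announcement. This is an added example, not part of the announcement or Roblox's own tooling; the sample script text, hosts, and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Rule from the announcement: ports below 1024 are blocked except 80 and 443,
# and port 1194 is blocked. Everything else in 1024-65535 stays usable.
ALLOWED_LOW_PORTS = {80, 443}
BLOCKED_HIGH_PORTS = {1194}
DEFAULT_PORTS = {"http": 80, "https": 443}
URL_RE = re.compile(r"""https?://[^\s"'`]+""", re.IGNORECASE)

# Constructed sample of game-server script text (hypothetical hosts).
SAMPLE = '''\
local a = HttpService:GetAsync("https://api.example.com/v1/status")
local b = HttpService:GetAsync("http://203.0.113.7:8080/metrics")
local c = HttpService:PostAsync("http://203.0.113.7:22/", body)
local d = HttpService:GetAsync("https://vpn.example.net:1194/health")
local e = HttpService:GetAsync("http://[2001:db8::1]:443/ping")
local f = HttpService:GetAsync("http://example.org:8o8o/")
'''

def effective_port(url):
    """Port a request to `url` would use; None if the URL cannot be parsed."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on non-numeric or out-of-range ports
    except ValueError:
        return None
    # No explicit port: fall back to the scheme default (80 or 443).
    return port if port is not None else DEFAULT_PORTS.get(parts.scheme)

def is_blocked(port):
    """Apply the announced rule to a single port number."""
    return port in BLOCKED_HIGH_PORTS or (port < 1024 and port not in ALLOWED_LOW_PORTS)

def audit_source(text):
    """Return (line_no, url, port, verdict) for every URL found in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip(".,;)")
            port = effective_port(url)
            verdict = ("unparseable" if port is None
                       else "blocked" if is_blocked(port) else "allowed")
            findings.append((line_no, url, port, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_source(SAMPLE):
        print(*finding, sep="\t")
```

URLs assembled at runtime from variables will not appear as literals, so treat the scan as a first pass and review any code that builds request URLs dynamically.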
I don’t really think this is a good idea, especially given that some free servers only let you run apps listening on non-standard ports. Will there be some sort of accommodation for people that have a genuine use for those ports?
Yeah. I’m familiar with Studio API Services, but I’m a novice at scripting, so I have no idea how HttpsService works, and what this announcement means.
I’m not for this change as some developers may not have the resources to properly allocate “commonly used” ports for each service they expose. Please consider the following alternative:
by default, block ports which are not commonly used for “http(s)” requests
under Game Settings or HttpService, allow developers to either remove this restriction or whitelist certain ports to meet their development needs
This still enhances security by default while providing developers flexibility to work within the resource restrictions they may have imposed on them.
If a use case is necessary, I have a homelab and self-host a lot of my services. Due to the nature of residential ISPs, we only get one IP. I already have to do tricks such as reverse proxies in order to expose multiple services running off different VMs, and other hacks such as setting up VPSes in public cloud and a VPN back into my network to give myself “more IPs”. This is costly when I could just use a less commonly used port instead of having to work around this restriction.
Depends on what solution they’re using to host their web application. Not everyone can afford to purchase a VPS and may use services such as glitch or heroku which may require the use of non-standard ports. Mine is more of a unique use case, but provided as an example as to why a whitelist or option to disable this entirely should be provided.
The standard ports for HTTP requests and HTTPS are 80 and 443, respectively, which will not be blocked. All ports below number 1024 require root level permissions in order to launch something. Generally speaking, these ports below 1024 should not run any servers as it may cause some risks. Many services will go as low as 6 dollars in order to launch a VPS and host a server on it, say t2.nano EC2 instance from AWS. I don’t think you will afford a cheap solution, especially if you have a high base of players, in order to do something. Even if you have a lower base of players, there still are some solutions in order to accommodate all your needs.
EDIT: Most programs allow you to change the port, say Rojo, and above all, it runs on a port higher than 1024, so it shouldn’t cause any problems.
And you can - TCP ports go until 65535. Only ports below 1024 (0-1023, except, obvs, 80 and 443) are blocked.
Ports 1024-65535 (except 1194) are free* for you to pick as you wish
*Some are being used by client sockets, but those are generally in the range of port 50000 and above. This probably depends on the OS you’re running.
Rojo runs on port 34872 and it is not going to be blocked.
I’m not saying that I run Rojo on these ports, all I’m saying is that it doesn’t affect Rojo at all. Many services allow you to change the port as you please, having configurations by default for them.
Ah, wait maybe I did misread it, as long as it means I don’t have to reconfigure projects I’m fine with it. I personally do think it’s better to block certain ports as it is a security risk.
I’m sort of confused by the difference? The only way to do http requests is via HttpService - so effectively yes.
@Reinitialized I sort of suspect this is to prevent abuse via Roblox servers; doubt it has anything to do with making Roblox’s servers more secure. A whitelist system would defeat the point of that.