Explain the concept of port 80 blocking.

304 | Asked by AndreaBailey in Cyber Security, Asked on Apr 4, 2022

I often establish Ubuntu-LAMP environments on which I host a few Drupal web applications that I myself own (I don't provide any hosting services and never did so in the past).

Whenever I establish such an environment, the most fundamental security steps I take are these:

ufw --force enable
ufw allow 22,25,80,443/tcp   # multi-port rules must name a protocol; all allowed via both TCP/UDP as no restrictions were given
ufw allow 22,25,80,443/udp
apt update -y
apt install -y unattended-upgrades sshguard

After the 2017-2018 W3C/Google (?) reforms regarding browser support in HTTP, requiring or at least encouraging all of us to use TLS encryption confirmed with an SSL certificate for secured HTTP data transfer (HTTPS), I wonder if unsecured HTTP (typically via port 80) is still relevant at all to any of us.

Notes:

Each of my web apps has its own OpenSSL certificate I create with Certbot.

The only web utility I use besides websites is either PHPMyAdmin or PHPMiniAdmin.

My question

Is it okay for me to remove port 80 from the ufw rule allowing 22,25,80,443, thus making my system even a tiny bit less "vulnerable"?


Answered by Andrew Jenkins

Regarding the port 80 blocking - In short: USUALLY, keep it open and use it to redirect everything to HTTPS.


Now onto the complicated stuff: taking away port 80 can stop cookie-thieves that passively look for straggler http://corp.com/some/forgotten/thing requests. The TCP connection does not succeed, the browser does not send the GET and cookies, and the bad guy cannot read them. Sometimes this is a reasonable thing to protect against, especially thinking of corporate environments: legacy apps, HSTS only partially implemented, cookies that may lack the secure flag or path or host restrictions, third parties hosted or proxied, ...

Now, should you block it? Probably not.

Like others mentioned, that would complicate setting up Let's Encrypt and prevent redirects (including users that just type your.com in the address bar). If you have set domain-wide HSTS, removing redirects may even be considered counterproductive (you may want to risk one plain HTTP connection so it will protect all future ones). Also, note that active attackers will not be stopped (they can make the connection complete artificially, MITM proxy tools may even do this by default), there are corner cases (plain HTTP proxies, delegated domains outside your firewall), and you may just consider the passive attack too complicated for your model. Finally, should you add port 80 to a new server? Well, unless you already have a reason for opening it (see above), no.
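Added example, not part of the question or answer above: an Apache virtual-host pair for the Ubuntu-LAMP/Drupal/Certbot setup the asker describes, implementing the "keep port 80 open and use it only to redirect to HTTPS" advice. Port 80 answers only Let's Encrypt HTTP-01 challenges locally and sends every other request to HTTPS; the HTTPS host sets HSTS so that, after one successful visit, the browser refuses plain HTTP on its own, and adds the Secure flag to any cookie that lacks it. The hostname, document roots and certificate paths are placeholders (the certificate paths follow Certbot's default /etc/letsencrypt/live layout).

```apache
# Port 80: serve ACME challenges, redirect everything else to HTTPS.
# Requires: a2enmod rewrite ssl headers
<VirtualHost *:80>
    ServerName example.com            # placeholder
    ServerAlias www.example.com       # placeholder
    DocumentRoot /var/www/acme        # placeholder webroot for certbot --webroot -w /var/www/acme

    # Certbot's webroot plugin writes the challenge token here; allow it to be read.
    <Directory /var/www/acme/.well-known/acme-challenge>
        Require all granted
    </Directory>

    # Permanent redirect for every path except the ACME challenge path,
    # so a user typing example.com (or a stray http:// link) still lands on HTTPS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com            # placeholder
    ServerAlias www.example.com       # placeholder
    DocumentRoot /var/www/drupal      # placeholder Drupal docroot

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem   # placeholder domain
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem     # placeholder domain

    # HSTS: one successful HTTPS visit tells the browser to refuse plain HTTP
    # for this host (and subdomains) for a year, closing the passive-sniffing
    # window the answer describes without having to close port 80.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Fallback for the "cookie lacks the Secure flag" case: append "; Secure" to
    # any Set-Cookie header that does not already carry it (PCRE negative lookahead).
    Header edit Set-Cookie "^((?!.*;\s*[Ss]ecure).*)$" "$1; Secure"

    <Directory /var/www/drupal>
        AllowOverride All             # Drupal's .htaccess rewrite rules
        Require all granted
    </Directory>
</VirtualHost>
```

With this layout the ufw rule can stay at 80/tcp and 443/tcp: port 80 never serves application content, so the only thing a passive observer sees on it is a 301 with no cookies attached (browsers do not send cookies before the response, and the redirect itself carries none). Check the behaviour after enabling the site with `apache2ctl configtest` followed by `curl -I http://example.com/anything`, which should return `301` and a `Location: https://...` header, and `curl -I https://example.com/`, which should show the Strict-Transport-Security header. Do not enable `includeSubDomains` until every subdomain actually serves HTTPS, since the answer's point about partially implemented HSTS cuts both ways.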