It doesn’t have to be http, it could be https. I’d recommend not doing https though because, where I suspect you’re using the Digium Phones Add-On for FreePBX (this is not the same thing as “DPMA”) it doesn’t do any in-lining of any privately-signed server certificates, which means https is going to fail (unless the server has a valid, publicly-signed SSL certificate) with all phone firmwares newer than 2_3_4 (not D80) or 1_5_2 (D80) unless allow_insecure_ssl is set, which isn’t something that the Digium Phones Add-On sets…but can be set individually on each telephone from the phone’s boot config menu under the option “Allow Dangerous Insecure SSL?”
It doesn’t have to be port 80, but most people don’t run http on anything other than port 80. If a port isn’t defined, port 80 is assumed. The phone doesn’t care, it’ll connect to whatever port you tell it to use.
If you’re not using the Digium Phones Add-on for FreePBX, or if you’re handy enough to hack things yourself, DPMA versions 2.2 and greater (https://wiki.asterisk.org/wiki/display/DIGIUM/Changes#Changes-Changesfor2.2) allow file_url_prefix prefixed options, like the firmware file from the firmware type, to be replaced with a full URL instead of just the relative / local file name/path. That’d allow for individual control over the firmware location as opposed to any other DPMA file_url_prefix-controlled item.