Google Cloud Firewall: Port is blocked - google-cloud-platform

I am trying to set up a simple web server in Google Cloud Platform on a Debian machine.
When running a port scan (https://www.ipvoid.com/port-scan/) without any firewall rules, all ports are shown as filtered. When setting up a rule for port 80, the scan gives back that the port is blocked. Am I doing something wrong with the firewall settings?
Thanks in advance!

I re-built your issue on my Gcloud console, 80 port will be blocked if I don't select the firewall options as picture during creating an instance.
The firewall rule will auto set up if I select these firewall options.
You also can verify your firewall settings in Debian, View the full list of application profiles by running:
$ sudo ufw app list
The WWW profiles are used to manage ports used by web servers:
Output
Available applications:
. . .
WWW
WWW Cache
WWW Full
WWW Secure
. . .
If you inspect the WWW Full profile, it shows that it enables traffic to ports 80 and 443:
$ sudo ufw app info "WWW Full"
Output
Profile: WWW Full
Title: Web Server (HTTP,HTTPS)
Description: Web Server (HTTP,HTTPS)
Ports:
80,443/tcp
Allow incoming HTTP and HTTPS traffic for this profile:
$sudo ufw allow in "WWW Full"

Related

How to redirect traffic from port 80 to 8080 - Load balancer - Cloud DNS

I have a requirement similar to this post,
Google cloud load balancer port 80, to VM instances serving port 9000
I like one of the answers (not the accepted), but how to do it ? or is there an alternate way ?
" If your app is HTTP-based (looks like it), then please have a look
at the new HTTP load balancing announced in June. It can take incoming
traffic at port 80 and forward to a user-specified port (eg. port
9000) on the backend. The doc link for the command is here:
https://developers.google.com/compute/docs/load-balancing/http/backend-service#creating_a_backend_service"
I dont want to create statis IP after static IP and loose track
Scenario:
A Compute Engine with an application running on port 8080 or 8043 (firewall open for 8080 and 8443 , has static IP )
Now I want to hook it a domain.
Problem:
I have to specify port number - like http://mywebsite:8080
Goal: Allow use like http://mywebsite
Please can I ask how Cloud DNS and Load Balancer work. Are both needed for my scenario? help me connect the dots.
Thanks
Note: Application works on 8080 only (wont run on 80)
DNS knows nothing about port numbers (except for special record types). DNS is a hostname to IP address translation service.
You can either use a proxy/load-balancer to proxy port 80 to 8080 or configure your app to run on port 80.
Port 80 requires permission to use. For Linux this means configuring your application to run with system privileges or starting the application with sudo.
Most applications that run on non-standard ports have a web server in front of them such as Apache or Nginx. The web server proxies port 80 to 8080 and provides a more resilient Internet facing service.
I don't want to create static IP after static IP and lose track
Unfortunately, you will need to manage your services and their resources. If you deploy a load balancer, then you can usually use private IP addresses for the compute instances. Only the load balancer requires a public IP address. The load balancer will proxy port 80 to 8080.
However, assuming that your requirements are small, you can assign a public IP address to the instance, install Apache or Nginx, and run your application on port 8080.
Today, it is rare that Internet-facing web services do not support HTTPS (port 443). Using a load balancer simplifies configuring TLS and certificate management. You can also configure TLS in Apache/Nginx and Let's Encrypt. That removes the requirement that your app supports TLS directly on something like port 8443.
I found this article and it works - https://eladnava.com/binding-nodejs-port-80-using-nginx/
Steps: (sudo apt-get update)
sudo apt-get install nginx
remove default
sudo rm /etc/nginx/sites-enabled/default
create new - node folder
sudo nano /etc/nginx/sites-available/node
<<<<<< add this to the file update domain name , port of your app ...8080 or other>>>>>
server {
listen 80;
server_name somedomain.co.uk;
location / {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_pass "http://127.0.0.1:8080";
}
}
create a symbolic link:
sudo ln -s /etc/nginx/sites-available/node /etc/nginx/sites-enabled/node
Restart nginx
sudo service nginx restart
Credits to original author - Elad Nava

AWS Load Balancer with ECS. How do I troubleshoot health checks failing?

I am deploying a multi container Flask python app (with gunicorn) to ECS with Docker to my ECS cluster that uses a single t2.small EC2 instance. My app runs on port 8000 and runs fine, I can use my app perfectly when using my EC2 DNS: http://ec2-xx-xxx-xxx-xx.us-east-2.compute.amazonaws.com:8000
I now want to use my own custom domain instead from GoDaddy. I'm using Route 53 for the nameserver registration, and plan to use an alias that points to my instance via a load balancer (Application Load Balancer).
Before setting up the alias, I want to first check my ALB is is successfully allowing me to access my app on port 8000 via HTTP (port 80) using the target group. My ECS service creates fine and I can see my web app running in the logs, but when I put the ALB DNS into my browser I get: 502 Bad Gateway.
I've checked my Target Group and it seems that the registration of my EC2 instance is failing on port 8000 due to "Health checks fail". I can't find any further details on the cause of failure, 'Health status details' just says 'Health checks failed' and describe-target-health returns Target.FailedHealthChecks.
I've tried to troubleshoot myself following these steps: https://www.youtube.com/watch?v=cmRZleI18Yg
When I SSH into my EC2 instance on cmd and run telnet 80, I get a 'Connection refused' error rather than HTTP 200 response. When I try the same using my load balancer DNS, It connects successfully on PORT 80. My current thinking is that for some reason, my EC2 instance is not listening on port 80. I have no idea why and have tried the following already:
Ensured correct set-up of security groups and NACL
Yes, EC2 security group set-up to allow all traffic on port 80 and have added rule for my ALB security group on all ports. NACL accepting all inbound and outbound traffic.
**Ensure no firewall on EC2 blocking HTTP **
Have run sudo service iptables status and got the following:
Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
which seems to suggest no firewalls in place?
Confirm web server is actually running on EC2 instance
I'm very open to suggestions here, but I assume it's running from a) being able to see logs in ECS and b) I could use the app successfully when using http://ec2-xx-xxx-xxx-xx.us-east-2.compute.amazonaws.com:8000. Is there anything else I can do to validate this?
Logs from ECS:
Dockerfile
FROM python:3.7.5-slim-buster
RUN apt-get update && apt-get install -qq -y \
build-essential libpq-dev --no-install-recommends
RUN apt-get install libcurl4-openssl-dev libssl-dev -y
ENV INSTALL_PATH /canopact
RUN mkdir -p $INSTALL_PATH
WORKDIR $INSTALL_PATH
COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt
COPY . .
RUN pip install --editable .
CMD gunicorn -c "python:config.gunicorn" "canopact.app:create_app()"
Gunicorn.py
# -*- coding: utf-8 -*-
bind = '0.0.0.0:8000'
keepalive = 120
accesslog = '-'
access_log_format = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s" in %(D)sµs'
I'm still using the flask config SERVER_NAME as: "ec2-xx-xxx-xxx-xx.us-east-2.compute.amazonaws.com:8000", but I have tried changing it to "0.0.0.0:8000" and getting the same result of healthchecks failing
Questions
I'm really really unsure on what else I can do to troubleshoot this. Am I correct to assume that my healthchecks are failing because of the Connection refused when trying to connect to EC2 instance on PORT 80, or should I be investigating something else? Feels like every stackoverflow post suggests trying the above 3 steps to troubleshoot Connection refused, so I'm not sure what else to try.
I've seen some posts suggesting use of NGINX, but I thought ALB could be used independently on NGINX?
You will get this connection refused error when you try to connect to a port which is not open. As i have seen your Gunicorn.py here you have mentioned 0.0.0.0:8000 which means your server is running on port 8000 and you are trying to connect on port 80. To fix this you need to create a target group for port 8000 and point it to your application. This will resolve your issue.
Had a similar issue but mine was related to problem with the container start-up. This was because in my task definitions, I mistakenly set container memory limit as hard instead of soft.

I cannot connect to my AWS EC2 url and I have a feeling it has something to do with my security group settings

I am very new to coding so trying to figure this out was very hard for me. I'm trying to deploy my code with docker and running my code inside the EC2 cloud. But I can't seem to get the instance's url to work. I set my inbound (security group) HTTP (80) => 0.0.0.0/0, HTTPs (443) => 0.0.0.0/0, and SSH(22) => my ip. I read that setting my SSH to 0.0.0.0/0 was a bad idea, so I went with my ip (there was an option called 'my ip'). Also, I am using ubuntu for my AMI.
While successfully docker using (docker-compose up), I used curl http://localhost:3001 (3001 is my exposed port inside my code) and it works fine. But when I used curl ec2-XX-XXX-XXX-XXX.us-west-1.compute.amazonaws.com, it outputs:
curl: (6) Could not resolve host: ssh and
curl: (7) Failed to connect to ec2-XX-XXX-XXX-XXX.us-west-1.compute.amazonaws.com port 80: Connection refused
Curl ec2-xxx-xx-amazonaws.com send request on port 80 , while you are docker is running at port 3001.
First verify that you have exposed some host port to docker. Something like this should come in docker ps -a
0.0.0.0/3001--> 3001 . the first 3001 can be any host port
Next make sure that the first port whichever you used is there in security group and opened for your ip.
Hopefully if all good at vpc and route tables settings then :3001(use whatever host port you gave if used anything apart of 3001) all should work

Can't access port 8080 on AWS EC2

I just started a new AWS EC2 instance. In the instance's security group I added a new rule to open port 8080 as well as port 80.
I created a docker image and container that runs an apache server as per the aws tutorial.
When I run docker run -p 80:80 hello-world (where hello-world is the apache container image), everything works fine and I can access the server from the public network (using a web browser, or a curl command).
However, when I run docker run -p 8080:80 hello-world and I try to send a GET request (web browser, or curl) I get a connection timeout.
If I login to the host that is running the docker container, the curl command works fine. This tells me that port 8080 isn't really open to the public network, and something is blocking it, what could that be?
I tried to reproduce the thing, and I wasn't able to do it (it worked for me), so things that you should check:
1) Check that security group has indeed opened ports 80 and 8080 to your ip (or 0.0.0.0/0 if this is just a test just to confirm that this is not a firewall issue).
2) check the container is running:
docker ps -a
you should see: 0.0.0.0:8080->80/tcp under ports.
3) check that when you are sending the GET request, you are specifying the port 8080 in the request, so your browser should look something like:
http://your.ip:8080
or curl:
curl http://your.ip:8080
warning: just for testing
For testing: Setting Security Groups can solve the problem.
SecurityGroups > Inbound > Edit inbound rules > Add new rules > All TCP

Amazon EC2 instance of Bitnami MEAN - how to host app on port 80?

I'm running Bitnami MEAN on an EC2 instance. I can host my app just fine on port 3000 or 8080. Currently if I don't specify a port I'm taken to the Bitnami MEAN homepage. I'd like to be able to access my app by directly from my EC2 public dns without specifying a port in the url. How can I accomplish this?
The simple way to do that is Port Forwarding by using below command:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
After logging into the AWS using putty by having private key & with username "bitnami". Type the above command & enter.
Then, you will automatically redirected to your application.
Note : I am assuming, you have already configure port 8080 to security group on AWS
You'll have to open port 80 on the server's firewall, and either run your server on port 80 or forward port 80 to port 8080. You'll need to lookup the instructions for doing that based on what version of Linux you are running, but it is probably going to be an iptables command.
You'll also need to open port 80 on the EC2 server's security group.