EC2 instance custom TCP ports not opening after applying inbound rules - amazon-web-services

Right now I am trying to run a daemon on port 8080, but because of the software I am installing with the daemon, I cannot start it unless the port 8080 is open. It's because the daemon needs to have port 8080 open to communicate to the other part of the software (the panel).
I have obviously tried allowing inbound rules on the security group assigned to my instance, and going to my VPC panel, going to NACLs, and trying to add the ports, but nothing has worked.
However, the ports that are preset in the rules editor (such as default ports like HTTP) do work. I know this because I am running a webserver off of port 80 (HTTP).
I have looked across all the Stack Overflow posts I could find and most of them gave the solution of adding inbound rules to the security group, which I have done lol. However, I came across this post, which had the solution of adding a range of ports for when you have a custom VPC, and it worked! I did this, but long story short I got another error and I just made a new instance. I got to the point where I needed port 8080 to be open, but sadly I got the error that I needed port 8080 to be open, even when I had applied that solution from the linked post. Basically it stopped working. I read the docs in the linked post that the answer gave me and I couldn't really get any use out of them.
Here is a picture of my ACL inbound rules; if you read this doc about ephemeral ports you will understand more.
I have no idea why I can't open custom TCP ports but I can open default ports like 80, 22, 3306, etc. I can't get my daemon running for it to even listen on port 8080.
Is there a solution to all this?
EDIT:
Security Group: Inbound Rules Outbound Rules
ACL: Inbound Rules Outbound Rules

Related

"Port 80 is taken;" on google compute engine :(

When I try to run server on gce with a command like npm run start on port 80,
I see this message
Port 80 is taken; using 40363 instead ...
I tried to find any process that is using port 80, but I can't find anything.
Tried sudo lsof -i :80, netstat -lntp... nothing...
Can't I use port 80 on GCE?
Thanks for asking this up. There can be several reasons this might be happening.
A small note on Port 80: The Port 80 is used for HTTP communication and Port 443 is for HTTPS communication. For some reason, the VM is not allowing your program to start up in Port 80.
Listing down the areas to check and resolve this issue.
1. Check your basic VM firewall
While creating the VM, you might have forgotten to tick the HTTP/HTTPS traffic boxes. To edit it again, stop the VM, click edit and tick the boxes as shown below.
2. Check if there is any firewall override
If you have added custom tags to the VM and applied additional firewall rules in the Firewall section of GCP, it might also lead to this scenario.
3. Other apps on this port (Ruled out)
Since you have mentioned no other apps are running in that port, this might not be applicable.
4. If none works, try creating an External IP
There are cases where an external IP was required to help the VM expose port 80 for HTTP communication for external visitors.

Amazon VPC NACL not permitting access on ports 80 and 443

I got to see something that I was not able to understand, so I am asking about AWS NACLs. I created one public subnet and associated it with an NACL. I created rules in the NACL where 80 and 443 are allowed for both inbound and outbound. Then I created an EC2 instance in the subnet. When I tried yum update it did not work. I reattached the subnet to a default NACL where it allows all, and yum update worked. If I am not wrong, yum does download packages by HTTP or HTTPS. My NACL had these rules and still yum update did not work. I also tried to curl http://packages.ap-southeast-1.amazonaws.com and it did not work. Is there something I am missing in the NACL rules?
Your answers will clear my fundamentals. Please suggest.
Thanks,
You can use a NACL to restrict Inbound ports, but you'll probably have a problem restricting Outbound ports.
The way it works is:
The remote site connects to your Amazon EC2 instance on port 80. It also includes a 'return port' identifier saying which port to send the response to.
The EC2 instance receives the request on port 80, generates a response and sends it back to the originating IP address, to the port requested (which will not be port 80).
The originating system receives the response.
Ports are one-way. You only receive content on a port. You don't send from the same port. This way, if you have made multiple requests, each request is received on a different port and can be matched back to the original request.
So, the problem with your NACL is that it is only allowing outbound traffic to 80 and 443, which is not the port that the originating system is requesting to receive the traffic. You would need to open up the range of outbound ports.
It's worth mentioning that the use-case for NACLs is normally to block specific protocols. If you simply wish to limit access to ports 80 and 443 on your EC2 instance, you should use Security Groups. Security Groups are stateful, so you really only need to open the Inbound connection and outbound responses will be permitted.
Oh, and presumably you also opened Port 22, otherwise you wouldn't be able to log in to the instance.

AWS public DNS for ubuntu instance is not accessible from the browser

I am relatively new to AWS and I've been looking at quite a few tutorials for the past couple of days trying to figure out how to make my AWS ubuntu instance accessible from the browser.
What I've done:
1st: I configured security groups to accept all traffic for ssh, http, https just to see if the public DNS listed in the instance is accessible.
2nd: I changed the IP of my instance to an elastic IP
3rd: I wrote a simple node.js file that listens on port: 9000 and console.logs 'hello world'
For some reason ssh works, and I can run my node.js file, but again I cannot access the remote instance from the browser.
Any help would be greatly appreciated since I've been on this for a couple of days
Thanks!
Thank you everyone for the quick responses!
My issue was I did not include a TCP rule to my specific port. Now I am able to access that port via ec2-DNSNAME:9123.
And, just to clarify, if I want to host that DNS for all traffic I should specify 'anywhere' for the TCP rule, correct?
I configured security groups to accept all traffic for ssh, http, https
In security groups, "HTTP" does not mean "HTTP on any port"... it means "any traffic on TCP port 80" -- 80 being the standard IANA assigned port for HTTP.
Security groups are not aware of the type of traffic you are passing, only the IP protocol (e.g. TCP, UDP, ICMP, GRE, etc.) and port number (for protocols that use port numbers) and any protocol-specific information (ICMP message types).
You need a rule allowing traffic to port 9000.
Firstly go to your EC2 and see if curl http://localhost works.
Also, if you are exposing your nodejs on port 9000, did you open 9000 also in the security groups or not?
Few things to check:
Security groups
Subnet NACLs (these can function as a subnet-level firewall, but unless you've messed with these they should allow all traffic.)
On the server, if you run netstat -na | grep <PORT>, do you see your application listening on the correct ports?
You may also check your system for firewalls that could be short-circuiting the requests.
If the above doesn't point you towards where your issue is, you can grab tcpdump and filter it just for requests coming from your web browser (e.g. after installing it: tcpdump -vvn host 10.20.30.40 port 8000, substituting your IP and port). This will let you know if you're running into a network issue (packets aren't reaching the server) or if it's something with the app.
I'd also recommend using IP addresses while doing your initial troubleshooting. That way we can establish it is not network/server configuration before going into DNS.

AWS Ubuntu instance as proxy

I'm not sure why my browser is timing out when I try to connect to my AWS Ubuntu Instance squid proxy
I want to have my AWS Ubuntu instance act as a proxy for my python requests. The requests I make in my program will hit my AWS proxy and my proxy will return to me the webpage. The proxy is acting as a middleman. I am running squid in this Ubuntu instance. This instance is also within a VPC.
The VPC security group inbound traffic is currently set to
HTTP, TCP, 80, 0.0.0.0/0
SSH, TCP, 22, 0.0.0.0/0
RDP, TCP, 3389, 0.0.0.0/0
HTTPS, TCP, 443, 0.0.0.0/0
and outbound traffic is open to all traffic
My current squid configuration is the default squid.conf, except that I changed one line to
http_access allow all meaning traffic is open to all.
However, when I changed my Mozilla browser to use the Ubuntu instance's Public IP and the squid.conf default port of 3128, I cannot see any traffic going through my proxy using this command on the Ubuntu instance
tail -f /var/log/squid/access.log
My browser actually times out when I try to connect to a website such as google.com. I am following this tutorial but I cannot get the traffic logs that this person is getting.
HTTP/S as shown in security group settings actually has nothing whatsoever to do with HTTP/S.
Many port numbers have assigned names. When you see "HTTP" here, it's only an alias that means "whatever stuff happens on TCP port 80." The list of values only includes common services, and the names aren't always precise compared to the official port names, but the whole point is to give neophytes a word that makes sense.
What should I change? I always thought I should be leaving HTTP/S ports to their default values.
That is not at all what this does. As already inferable from above, changing an "HTTP" rule from port 80 to something else does not change the value for the HTTP port on instances behind it. Changing the port value makes the rule no longer be an "HTTP" rule, since HTTP is just a friendly label which means "this rule is for TCP port 80."
You need a custom TCP rule allowing port 3128 from your IP, and that's it.
You need to add 3128 as custom TCP in your SG. This will allow Squid to send/receive traffic.
Also as a best practice, make SSH accessible from your own IP rather than public.

Port 8080 is still closed after adding a TCP custom rule to AWS Security Group

I have been dealing with a very messy problem which is that I need a new open port in my EC2 instance.
I have a node.js application running in this instance. To make that happen I had to open the port 3000 through adding a new inbound rule in the security groups, which worked perfectly.
Now, I need another port opened so I can send data from an external IP to that port.
I tried opening the port by adding a new inbound rule as well, but without success. The port gets opened but just on localhost, not on the public or private IP, so I cannot telnet to the port.
I have tried adding it to the firewall iptables as well using the Ubuntu shell but I have no success on it.
I would really appreciate any help, any response. Thank you!!
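The symptom in this question (the port answers on localhost but not on the public or private IP) and the netstat check in an earlier answer on this page (does the application listen on the correct ports?) are the same question: what address is the daemon bound to. A security group rule cannot help a service bound to 127.0.0.1. The following is an added example, not code from any of the posters: it parses ss -ltn output (the modern equivalent of netstat -na) and classifies a port as not listening, loopback-only, bound to all interfaces, or bound to one specific address. The sample ss output, the ports in it and the private address 10.0.0.5 are constructed; diagnose_live runs the same check against the host it is started on.

```python
"""Is the service reachable from the network, or only on localhost?

Added example, not from the original posts. Parses 'ss -ltn' output and
classifies what each listening port is bound to. SAMPLE_SS_OUTPUT is
constructed; 10.0.0.5 stands in for the instance's private IP.
"""
import subprocess
from typing import List, Tuple

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::", "*"}

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     *:3000               *:*
LISTEN  0       128     [::]:80              [::]:*
LISTEN  0       80      10.0.0.5:3306        0.0.0.0:*
"""


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every LISTEN line; handles [v6]:port forms."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # split on the last colon only
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def classify(port: int, listeners: List[Tuple[str, int]]) -> str:
    """One of: not-listening, loopback-only, all-interfaces, specific-address."""
    addrs = {a for a, p in listeners if p == port}
    if not addrs:
        return "not-listening"
    if addrs & WILDCARD:
        return "all-interfaces"
    if all(a in LOOPBACK or a.startswith("127.") for a in addrs):
        return "loopback-only"
    return "specific-address"


ADVICE = {
    "not-listening": "the daemon is not up; no security group or firewall change will help",
    "loopback-only": "bound to 127.0.0.1, reachable only from the instance itself; "
                     "rebind to 0.0.0.0 or the private IP before touching the security group",
    "all-interfaces": "listening on every interface; if still unreachable, check the "
                      "security group, NACL and host firewall (iptables/ufw), in that order",
    "specific-address": "bound to one address; confirm it is the instance's private IP "
                        "(an EC2 instance never sees its public IP on an interface)",
}


def diagnose(port: int, ss_output: str = SAMPLE_SS_OUTPUT) -> Tuple[str, str]:
    """Classify a port from ss output and return (status, what to do next)."""
    status = classify(port, parse_listeners(ss_output))
    return status, ADVICE[status]


def diagnose_live(port: int) -> Tuple[str, str]:
    """Same check against the running host (Linux with iproute2 installed)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return diagnose(port, out)


if __name__ == "__main__":
    for p in (8080, 22, 3000, 80, 3306, 9000):
        status, advice = diagnose(p)
        print(f"{p:5d}  {status:17s}  {advice}")
```

In the constructed sample, 8080 is the case from this question: bound to 127.0.0.1 only, so no inbound rule will make it reachable until the daemon binds 0.0.0.0 or the private address. The "specific-address" case matters on EC2because the public IP is NATed and never appears on the instance's interface; a daemon configured to bind the public IP fails to start or binds nothing useful.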
I should comment to get something clear from you, but due to low reputation I can't.
So, just ignore reputation or scoring; let's consider learning.
Here is a complete tutorial to add new ports in an AWS instance:
1. Open the Amazon EC2 console at EC2 Console.
2. In the navigation pane, choose Security Groups. Select the security group for your instance.
3. Choose Inbound, Edit, Add Rule.
4. For Type, choose accordingly.
5. Now comes the "Secure Field"; it decides which systems can access this port. So, if you want only your own or some other specific systems to be able to access this machine, give their IPs, e.g. in IPv6 format. Or, if you want this port open publicly, just enter 0.0.0.0 as the IP here.
6. Choose Save.
Please follow this tutorial, I am sure it would work; in your case I think you are missing the "Secure Field" thing.