I have an ec2 instance on which i login as:
ssh -L 5001:localhost:5000 sumit#<public DNS>
I have an application (superset) which I run as:
2020-04-01 08:18:24,531:INFO:root:logging was configured successfully
2020-04-01 08:18:24,620:INFO:root:Configured event logger of type <class 'superset.utils.log.DBEventLogger'>
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: off
2020-04-01 08:18:25,600:INFO:werkzeug: * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
Now when I open my browser and type, then it works:
http://127.0.0.1:5001/
I already have setup all http and https traffic:
Now when I change 127.0.0.1 to the aws public dns address it doesn't work. Please let me know what am I missing?
You method is using something call Port Forwarding.
This command:
ssh -L 5001:localhost:5000 sumit#<public DNS>
is saying: "Please SSH into the instance, and also forward port 5001 on this computer to the other computer, and ask it to send the traffic to localhost:5000."
Therefore, any traffic sent to port 5001 on your computer will be forwarded to port 5001 on the target computer. This is a good way of preventing other people from being able to access port 5000 on that computer, unless they are able to SSH into the instance (presumably using a private key).
Accessing http://127.0.0.1:5001/ means it will go to port 5001 on your computer. It would be the same as going to http://localhost:5001 on your own computer.
The flow is: 127.0.0.1:5001 -> via SSH connection -> localhost:5000 on other computer
Changing it to http://DNS-NAME:5001 will try to connect to port 5001 on the destination computer, which is not a port that is in use. You could try changing it to connect to http://DNS-NAME:5000 (which is the port where the application seems to be running) and opening the Security Group to allow port 5000, but that would probably violate the security that somebody probably wanted to put in place.
Related
I created an Ubuntu EC2 instance. I then am running a node.js express server on port 3000. Doing a curl to http://localhost:3000 gives me the HTML string I expect.
However when I try to access from the browser with the Public DNS (IPv4) which is ec2-18-221-209-77.us-east-2.compute.amazonaws.com. It is not loading. The browser spins forever at http://ec2-18-221-209-77.us-east-2.compute.amazonaws.com:3000.
I did put in my security group inbound rules, 3000 for Custom TCP and I set the source to anywhere. screenshot - https://i.imgur.com/2U24qUn.png
I also did netstat -tulnp and it seems :::3000 is open but only on tcp6, do I need it in TCP too? How can I do this? Screenshot - https://i.imgur.com/9jZVZH0.png
What I'm trying to do is access my webserver on my EC2 from the outside.
Here's what I've done so far:
I've opened all Incoming Traffic to anywhere both for IPv4 and IPv6 in the EC2's Security group
Disabled the firewall from the Control Panel in the EC2 for both public and private
Started my webserver on port 80
From outside the ec2:
I can ping the EC2 succesfully
If I run telnet <my ec2 ip> 80 I get telnet: Unable to connect to remote host: Connection refused
If I run nmap <my ec2 ip> port 80 is not listed
From inside the ec2:
I was able to connect from localhost:80 in EC2's browser
If I ran netstat -aon it shows it is listening on port 80
Make sure that your web server is bound to the external network interface.
Using 0.0.0.0 will ensure that connections can be made from any interface. On the other hand, using 127.0.0.1 (localhost) would have behavior like what you describe, where you can connect to the web server locally, you can reach the host externally (e.g. via ping) but cannot connect to the web server externally.
Is your EC2 instance in a custom VPC? If so, look at attaching an Internet Gateway to the VPC and update the route tables associated with the subnet in which your instance is running.
For this answer I am assuming that you are using IIS as your web server.
1) Start Internet Information Services (IIS) Manager.
2) Expand the left hand panel "Connections" and locate your web server under "Sites".
3) Select your web site. In the right hand panel click on "Bindings".
4) A "Site Bindings" dialog box will open.
5) Under the tab "IP Address" make sure that an asterisk displays so that the server binds to all network interfaces on startup.
5) In the right hand panel under "Manage Website" click "Restart".
I have a webapp that I run on port 8000. So i start it with the command:
> smtweb
Performing system checks...
System check identified no issues (0 silenced).
October 12, 2017 - 11:25:27
Django version 1.8.18, using settings None
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
Then I try to access the webapp as follows through the public elastic IP that I've associated with the running instance:
http://34.XXX.XXX.XXX:8000/
(I've omitted parts of the IP for my own safety, through XXX)
However, Chrome throws the following error:
34.XXX.XXX.XXX refused the connection.
ERR_CONNECTION_REFUSED
So the connection is refused, even tough I've associated the machine with a security group that has the following rule:
Type: Custom TCP Rule
Protocol: TCP
Port Range: 8000
Source: 0.0.0.0/0
Now, I'm not sure if I have to configure something more in the AWS Tools. It seems that I've done everything there. What I'm asking myself is:
Does the app have some restrictions by itself?
I have an Ubuntu image: Do I have to adjust some more firewall settings there?
Do you have an idea what I could try next?
ERR_CONNECTION_REFUSED means that there is no port open and NOT that the port is blocked by a security group rule. The TCP/IP stack has rejected the connection request.
Double check that you really have port 8000 configured for the interface that you are assigning the EIP.
Try to access your app from the same machine using the destination IP of both the local IP address and EIP.
If the local IP works and the EIP does not, check your network configuration. Your web app might not be binding to the interface assigned to the EIP and might still be configured for the old public IP address or not configured at all.
If both IP addresses work, then the problem is most likely not with your web application. Look at iprules, firewalls, etc. running on your local machine.
Created an AWS AMI instance.
I can telnet from the instance itself
telnet [Pv4 Public IP] 9200
But not from my pc.
This is my security group
What am I doing wrong?
You can check your Network ACL configurations.
It looks like there is some other firewall in between your PC and server which is blocking you on 9200.
If you can access port 80 via telnet or you're able to SSH in it's likely you have a network ACL in place. If you can not access port 80 via telnet but you can via a browser it's like a local config - maybe AV or a firewall.
EC2 instances use security groups for their firewall
Another test to narrow down the the issue would to see if you could telnet from another instances in the same subenet in the same AZ. Being in the same subnet you should not be affected by a network ACL.
You can have a look at this telnet-to a cloud instance from outside
The solution to problem was "Open the services and make the telnet manual and right click on it and chose start"
As well make sure that the instance is residing in a public VPC
Based on what you've described, there isn't really much else to work with. Your ability to telnet the public IP from the instance implies the server is listening on the external interface and your security group is already set to have the port open to all incoming connections.
Aside from the trivial overlooking of not actually having the instance under the listed security group, the only possibility I can think of now is an active firewall on the instance. In the case of iptables or ufw (which is an interface to iptables), it's trivial to verify whether they are indeed getting in the way:
// List iptables access rules
sudo iptables -L -v
// List access rules via ufw
sudo ufw status
You said: "This is my SG", but...which way? Inbound or outbound?
It can simply be that your host can't reply to your PC.
Try to add a rule which adds outbound TCP ranging from ports 32768 to 65535 (ephemeral ports), so that the telnet server response packets can travel back to your PC.
Otherwise, like the others said, look at one level up, VPC-level (network ACL).
You might have your acceptor process running on 127.0.0.1:9000 which means only local clients can connect. This is not related to your Security Group which could be wide open.
Run lsof -i:9000 if on unix.
If you see something like this under NAME then host IP used to start your acceptor will needs to change from 127.0.0.1 to 0.0.0.0 (and secure via SG/FW).
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 2777 ubuntu 148u IPv6 26856 0t0 TCP localhost:afs3-callback (LISTEN)
A Telnet service is not installed by default on an Amazon Linux AMI.
If you wish to use it, you will need to install it yourself, eg: Install and Setup Telnet on EC2 Amazon Linux or CentOS.
However, these days it is recommended to use ssh instead of telnet because it is more secure. See: Telnet on wikipedia
Just a thought, check firewall of your PC.
Need to ensure your SSH key you generated via IAM and attached to the EC2 at launch is added to the login:
ssh-add -K <yourkeyname>.pem
ssh ubuntu#<yourdns or ip>.com == or == ssh ec2-user#<yourdns or ip>
I'm a total newbie when it comes to servers and EC2 but I have an EC2 instance running which was stopped and restarted. Since that I haven't been able to connect via a web-browser to the site but can connect via SSH. Are there any ideas why this could be the case?
Here is the debug checklist:
Check your server, make sure it is up and running in AWS management console.
Check port security setting, from your local machine. If it is close open it in security group.
telnet your_ip 80 # Check http port
telnet your_ip 22 # Check SSH port
Check your web server, Apache, Nginx, etc. If you cannot find your process, start it.
ps -ef | grep -e nginx -e httpd -e apache
Check your virtual host config, make sure you web server is listening to port 80 (http) or 443 (https).
Run chkconfig and make sure your web server will start as a service.
Check the security group in your instance property, it is probably allowing only SSH (default), you may want to add a inbound rule allowing HTTP traffic.