The XML below shows the firewalld direct rules I created. The two rules with target "REJECT" are meant to block SSH connections to the server, but they are not working: the connection is still allowed.
I ran firewall-cmd --reload. The other ICMP rule works fine, but I am not sure what went wrong with SSH.
Please help.
<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p all --state RELATED,ESTABLISHED -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT</rule>
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT</rule>
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT</rule>
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 22 -j REJECT</rule>
<rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-p all --state RELATED,ESTABLISHED -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT</rule>
<rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT</rule>
<rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT</rule>
<rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 22 -j REJECT</rule>
</direct>
The reason was that the port was not open for the sshd service.
In the sshd_config file I added the line below,
Port 5670
Then I ran the commands below
firewall-cmd --add-port=5670/tcp --permanent
systemctl restart sshd
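A first-match walk over the rules posted in the question, added here as an example (it is not code from the question or the answer). firewalld direct rules that share a priority are appended to the chain in the order they are listed (`firewall-cmd --direct --get-all-rules` shows that order), and iptables stops at the first rule that matches. The parser only understands the options that appear in the posted rules; the `-s 0.0.0.0/0 -d 0.0.0.0/0` matches are treated as match-everything.

```python
# Added example, not code from the original post: a first-match walk over the
# firewalld direct rules in the question. Direct rules that share a priority are
# appended to the chain in the order listed, and iptables stops at the first rule
# that matches, so the unconditional "-p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT"
# on the third line matches every new TCP connection before the
# "--dport 22 -j REJECT" rule below it is ever consulted.
import shlex
import xml.etree.ElementTree as ET

# The IPv4 rules from the question, verbatim.
DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p all --state RELATED,ESTABLISHED -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT</rule>
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT</rule>
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p all -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT</rule>
<rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 22 -j REJECT</rule>
</direct>
"""


def parse_rules(xml_text, ipv="ipv4", chain="INPUT"):
    """Return the rules of one chain as dicts, in the order the kernel walks them
    (lower priority first, then the order in the file)."""
    rules = []
    for index, node in enumerate(ET.fromstring(xml_text.encode("utf-8")).findall("rule")):
        if node.get("ipv") != ipv or node.get("chain") != chain:
            continue
        args = shlex.split(node.text)
        rule = {"proto": "all", "dport": None, "state": None, "target": None}
        i = 0
        while i < len(args):
            opt, val = args[i], args[i + 1]
            if opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "--state":
                rule["state"] = set(val.split(","))
            elif opt == "-j":
                rule["target"] = val
            # -s/-d are 0.0.0.0/0 in the question and match everything; skip them
            i += 2
        rules.append((int(node.get("priority")), index, rule))
    rules.sort(key=lambda item: (item[0], item[1]))
    return [item[2] for item in rules]


def evaluate(rules, proto, dport=None, state="NEW"):
    """Walk the chain top to bottom; return (target, index of the rule that matched),
    or ("POLICY", None) when the packet falls through to the chain policy."""
    for index, rule in enumerate(rules):
        if rule["proto"] not in ("all", proto):
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        if rule["state"] is not None and state not in rule["state"]:
            continue
        return rule["target"], index
    return "POLICY", None


def without_catch_all(rules):
    """The same chain with the unconditional accept-everything rule removed."""
    return [r for r in rules
            if not (r["proto"] == "all" and r["dport"] is None and r["state"] is None)]


if __name__ == "__main__":
    chain = parse_rules(DIRECT_XML)
    print("new tcp/22 against posted chain:", evaluate(chain, "tcp", 22))
    print("new tcp/22 without catch-all:   ", evaluate(without_catch_all(chain), "tcp", 22))
```

Against the posted chain a new connection to tcp/22 is accepted by the third rule; with that catch-all removed the same packet reaches the REJECT, while ICMP and already-established traffic are still accepted by the rules above it. Moving sshd to another port sidesteps the question of why the REJECT never fired; the walk above shows the ordering that made it dead.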
I am trying to set up a one-master, one-node k8s cluster; however, when joining my node to my cluster via:
kubeadm join 10.1.3.238:6443 --token 2xm3il.sqjbsq7ebn5yaz4x \
--discovery-token-ca-cert-hash sha256:7fb7e9ca3ee452928fd413bc3ecb4cb8bc50a99d52b73a39a5c758d240054c4e
it gives this output:
[WARNING Hostname]: hostname "k8s-node1" could not be reached
[WARNING Hostname]: hostname "k8s-node1": lookup k8s-node1 on 10.1.0.2:53: no such host
I have tried setting the hostnames of the instances to k8s-master and k8s-node1 and I also added them to the /etc/hosts file. When I cat /etc/hosts on my master I get:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
ip-10-1-3-16 k8s-node1
ip-10-1-3-16 k8s-master
and when I cat /etc/hosts on my worker I get:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
ip-10-1-3-16 k8s-node1
ip-10-1-3-16 k8s-master
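An added check, not part of the question above: a validator for /etc/hosts content. With the usual `hosts: files dns` order the resolver reads /etc/hosts before asking DNS, but it only uses lines that begin with an IP address. The "fixed" sample below uses two addresses that are assumptions for illustration (10.1.3.238 is the API server address from the join command; 10.1.3.16 is what an AWS hostname of the form ip-10-1-3-16 normally denotes).

```python
# Added example, not code from the original question: a validator for /etc/hosts
# lines. The resolver expects each non-comment line to start with an IP address
# followed by one or more hostnames. A line whose first field is itself a
# hostname, such as "ip-10-1-3-16 k8s-node1", is not a usable mapping, so the
# lookup of k8s-node1 is not answered by the files backend and falls through to
# DNS, which is where the warning in the question comes from.
import ipaddress

# The /etc/hosts content shown in the question, embedded as sample input.
HOSTS_FROM_QUESTION = """\
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
ip-10-1-3-16 k8s-node1
ip-10-1-3-16 k8s-master
"""

# A well-formed version. The two addresses are assumptions for illustration:
# 10.1.3.238 is the API server address from the kubeadm join command, and
# 10.1.3.16 is what an AWS hostname of the form ip-10-1-3-16 usually denotes.
HOSTS_FIXED = """\
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.1.3.238 k8s-master
10.1.3.16 k8s-node1
"""


def check_hosts(text):
    """Return (mapping, problems): hostname -> address for usable lines, and a list of
    (line number, reason) for lines the resolver cannot use."""
    mapping, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append((lineno, f"first field {fields[0]!r} is not an IP address"))
            continue
        if len(fields) < 2:
            problems.append((lineno, "no hostname after the address"))
            continue
        for name in fields[1:]:
            mapping.setdefault(name, str(address))   # first matching line wins
    return mapping, problems


def resolvable(text, name):
    """True when the files backend would answer a lookup of name from this content."""
    return name in check_hosts(text)[0]


if __name__ == "__main__":
    for label, content in (("question", HOSTS_FROM_QUESTION), ("fixed", HOSTS_FIXED)):
        mapping, problems = check_hosts(content)
        print(label, "k8s-node1 ->", mapping.get("k8s-node1"), "problems:", problems)
```

Run against the content from the question, lines 3 and 4 are flagged and neither k8s-node1 nor k8s-master resolves; against the well-formed version both names resolve and no line is flagged.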
I am running a single-instance application (i.e. NOT using a load balancer) on Elastic Beanstalk and I want to enable HTTPS on it. It is a simple Flask application. In order to do this, I need to install an SSL certificate.
I tried following this article but unfortunately, I am running into this error:
PluginError: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
Please see the logfiles in /var/log/letsencrypt for more details.
Here is my 00_apache_ssl.config file:
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
files:
  /etc/httpd/conf.d/ssl.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:80>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
      </VirtualHost>
      <VirtualHost *:443>
        <Directory /opt/python/current/app/build/static>
          Order deny,allow
          Allow from all
        </Directory>
        SSLEngine on
        SSLCertificateFile "/etc/letsencrypt/live/EB_INSTANCE_DOMAIN_NAME/fullchain.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/EB_INSTANCE_DOMAIN_NAME/privkey.pem"
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLSessionTickets Off
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff
        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early
        # If you have pages that may take awhile to
        # respond, add a ProxyTimeout:
        # ProxyTimeout seconds
      </VirtualHost>
  /tmp/renew_cert_cron:
    mode: "000777"
    owner: root
    group: root
    content: |
      # renew Lets encrypt cert with certbot command
      0 1,13 * * * /tmp/certbot-auto renew
packages:
  yum:
    epel-release: []
    mod24_ssl : []
# Steps here
# 1. Install certbot
# 2. Get cert (stop apache before grabbing)
# 3. Link certs where Apache can grab
# 4. Get the Apache config in place
# 5. Move certbot-auto into tmp folder
container_commands:
  10_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
  20_getcert:
    command: "sudo ./certbot-auto certonly --debug --non-interactive --email MY_EMAIL --agree-tos --debug --apache --domains EB_INSTANCE_DOMAIN_NAME --keep-until-expiring"
  30_link:
    command: "sudo ln -sf /etc/letsencrypt/live/EB_INSTANCE_DOMAIN_NAME"
  40_config:
    command: "sudo mv /etc/httpd/conf.d/ssl.pre /etc/httpd/conf.d/ssl.conf"
  50_mv_certbot_to_temp_for_cron_renew:
    command: "sudo mv ./certbot-auto /tmp"
  60_create_cert_crontab:
    command: "sudo crontab /tmp/renew_cert_cron"
  70_delete_cronjob_file:
    command: "sudo rm /tmp/renew_cert_cron"
As you can see, I tried adding a virtual host on port 80, but it did not work. I also tried changing the Listen value to port 80.
For reference, my .ebextensions folder contains:
00_apache_ssl.config
wsgi_custom.config
And the contents of wsgi_custom.config are:
files:
  "/etc/httpd/conf.d/wsgi_custom.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      WSGIPassAuthorization On
Any ideas?
I had the same problem as you and just figured it out recently.
Certbot can't verify the domain if port 80 redirects to HTTPS. Try adding
RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge
in your virtual host for port 80, right before the rewrite rule. This tells Apache to exclude .well-known/acme-challenge from the redirection. This URL is what Certbot tries to retrieve while doing an HTTP-01 challenge.
Your new rewrite rules would look like this:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
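A model of how Apache evaluates the port-80 rules from this answer, added here as an example (not code from the answer or from Certbot). RewriteCond patterns are unanchored regular expressions and `!` negates them; all conditions must hold for the RewriteRule to fire. The request path and token name below are constructed, and the anchored variant of the pattern is an assumption of mine, not something the answer proposes.

```python
# Added example, not code from the original answer: a model of how Apache
# evaluates the port-80 RewriteCond/RewriteRule pair from the answer. RewriteCond
# patterns are unanchored regular expressions (search, not full match) and "!"
# negates the match. The function returns the redirect target, or None when the
# request is passed through untouched, so the behaviour for the ACME HTTP-01
# path can be checked without a running server.
import re

ACME_EXCLUDE = r"\.well-known/acme-challenge"              # pattern exactly as in the answer
ACME_EXCLUDE_ANCHORED = r"^/\.well-known/acme-challenge/"  # tighter variant (my assumption)


def redirect_target(path, https, host, exclude_pattern=ACME_EXCLUDE):
    """Apply:
         RewriteCond %{HTTPS} off
         RewriteCond %{REQUEST_URI} !<exclude_pattern>
         RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    Returns the redirect URL, or None when one of the conditions fails."""
    if https:
        return None                                  # %{HTTPS} is on: first condition fails
    if exclude_pattern and re.search(exclude_pattern, path):
        return None                                  # negated condition fails: no redirect
    return f"https://{host}{path}"


def redirect_target_before_fix(path, https, host):
    """The original vhost had no exclusion, so every plain-HTTP request was redirected,
    including the challenge URL Certbot needs to fetch over port 80."""
    return redirect_target(path, https, host, exclude_pattern=None)


# Constructed sample request: the domain and the token name are made up.
HOST = "example.com"
CHALLENGE = "/.well-known/acme-challenge/exampletoken"

if __name__ == "__main__":
    print("before fix:", redirect_target_before_fix(CHALLENGE, False, HOST))
    print("after fix: ", redirect_target(CHALLENGE, False, HOST))
    print("nested path, unanchored pattern:",
          redirect_target("/static/.well-known/acme-challenge/x", False, HOST))
    print("nested path, anchored pattern:  ",
          redirect_target("/static/.well-known/acme-challenge/x", False, HOST, ACME_EXCLUDE_ANCHORED))
```

Because the pattern in the answer is unanchored, any path containing `.well-known/acme-challenge` anywhere is exempt from the HTTPS redirect; anchoring it to the start of the path (`^/\.well-known/acme-challenge/`) limits the exemption to the challenge directory itself.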
I receive this error every time I need to add a new environment variable from the AWS EBS panel:
AWS Beanstalk events:
2018-02-16 14:49:21 UTC-0200 INFO The environment was reverted to the previous configuration setting.
2018-02-16 14:48:49 UTC-0200 ERROR During an aborted deployment, some instances may have deployed the new application version. To ensure all instances are running the same version, re-deploy the appropriate application version.
2018-02-16 14:48:49 UTC-0200 ERROR Failed to deploy configuration.
2018-02-16 14:48:49 UTC-0200 ERROR Unsuccessful command execution on instance id(s) 'i-xxxxxxxxxxxxxx'. Aborting the operation.
2018-02-16 14:48:49 UTC-0200 INFO Command execution completed on all instances. Summary: [Successful: 0, Failed: 1].
eb-activity.log:
Successfully execute hooks in directory /opt/elasticbeanstalk/hooks/configdeploy/enact.
[2018-02-16T16:21:18.921Z] INFO [8550] - [Configuration update app-0_0_10-180216_141535#104/ConfigDeployStage1/ConfigDeployPostHook] : Starting activity...
[2018-02-16T16:21:18.921Z] INFO [8550] - [Configuration update app-0_0_10-180216_141535#104/ConfigDeployStage1/ConfigDeployPostHook/99_kill_default_nginx.sh] : Starting activity...
[2018-02-16T16:21:19.164Z] INFO [8550] - [Configuration update app-0_0_10-180216_141535#104/ConfigDeployStage1/ConfigDeployPostHook/99_kill_default_nginx.sh] : Activity execution failed, because: + rm -f /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf
+ service nginx stop
Stopping nginx: /sbin/service: line 66: 8986 Killed env -i PATH="$PATH" TERM="$TERM" "${SERVICEDIR}/${SERVICE}" ${OPTIONS} (ElasticBeanstalk::ExternalInvocationError)
caused by: + rm -f /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf
+ service nginx stop
Stopping nginx: /sbin/service: line 66: 8986 Killed env -i PATH="$PATH" TERM="$TERM" "${SERVICEDIR}/${SERVICE}" ${OPTIONS} (Executor::NonZeroExitStatus)
[2018-02-16T16:21:19.164Z] INFO [8550] - [Configuration update app-0_0_10-180216_141535#104/ConfigDeployStage1/ConfigDeployPostHook/99_kill_default_nginx.sh] : Activity failed.
[2018-02-16T16:21:19.165Z] INFO [8550] - [Configuration update app-0_0_10-180216_141535#104/ConfigDeployStage1/ConfigDeployPostHook] : Activity failed.
[2018-02-16T16:21:19.165Z] INFO [8550] - [Configuration update app-0_0_10-180216_141535#104/ConfigDeployStage1] : Activity failed.
[2018-02-16T16:21:19.165Z] INFO [8550] - [Configuration update app-0_0_10-180216_141535#104] : Completed activity. Result:
Configuration update - Command CMD-ConfigDeploy failed
Edit: Added stack-https.config file
eb-activity.log:
Command 01_copy_conf_file] : Activity execution failed, because: (ElasticBeanstalk::ExternalInvocationError
Starting activity...
[2018-02-16T20:38:30.476Z] INFO [2536] - [Application deployment app-0_0_10-1-gb633-180216_175029#124/StartupStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_paneladm_api_stack_SampleApplication_W4FJ8W83X64B] : Starting activity...
[2018-02-16T20:38:32.456Z] INFO [2536] - [Application deployment app-0_0_10-1-gb633-180216_175029#124/StartupStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_paneladm_api_stack_SampleApplication_W4FJ8W83X64B/Command 00_removeconfig] : Starting activity...
[2018-02-16T20:38:32.463Z] INFO [2536] - [Application deployment app-0_0_10-1-gb633-180216_175029#124/StartupStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_paneladm_api_stack_SampleApplication_W4FJ8W83X64B/Command 00_removeconfig] : Completed activity.
[2018-02-16T20:38:34.493Z] INFO [2536] - [Application deployment app-0_0_10-1-gb633-180216_175029#124/StartupStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_paneladm_api_stack_SampleApplication_W4FJ8W83X64B/Command 01_copy_conf_file] : Starting activity...
[2018-02-16T20:38:34.538Z] INFO [2536] - [Application deployment app-0_0_10-1-gb633-180216_175029#124/StartupStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_paneladm_api_stack_SampleApplication_W4FJ8W83X64B/Command 01_copy_conf_file] : Activity execution failed, because: (ElasticBeanstalk::ExternalInvocationError)
I don't know if the problem is because I previously removed the default elastic_beanstalk_proxy.conf file with my commands, as below:
Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0
files:
  /etc/letsencrypt/configs/http_proxy.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # Elastic Beanstalk Managed
      upstream nodejs {
        server 127.0.0.1:8081;
        keepalive 256;
      }
      server {
        listen 8080;
        access_log /var/log/nginx/access.log main;
        location /.well-known {
          allow all;
          root /usr/share/nginx/html;
        }
        # Redirect non-https traffic to https.
        location / {
          if ($scheme != "https") {
            return 301 https://$host$request_uri;
          } # managed by Certbot
        }
      }
  # The Nginx config forces https, and is meant as an example only.
  /etc/letsencrypt/configs/https_custom.pos:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server
      server {
        listen 443 default ssl;
        server_name localhost;
        error_page 497 https://$host$request_uri;
        ssl_certificate /etc/letsencrypt/live/ebcert/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ebcert/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers on;
        if ($ssl_protocol = "") {
          rewrite ^ https://$host$request_uri? permanent;
        }
        location / {
          proxy_pass http://nodejs;
          proxy_set_header Connection "";
          proxy_http_version 1.1;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        }
        gzip on;
        gzip_comp_level 4;
        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
      }
  /etc/letsencrypt/configs/generate-cert.sh:
    mode: "000664"
    owner: root
    group: root
    content: |
      #!/bin/sh
      _EMAIL=
      _DOMAIN=
      while getopts ":e:d:" OPTION;
      do
        case "${OPTION}" in
          "e") _EMAIL="${OPTARG}";;
          "d") _DOMAIN="${OPTARG}";;
        esac
      done
      if [ -z "${_EMAIL}" ]; then
        echo "Param email isn't specified!"
      fi
      if [ -z "${_DOMAIN}" ]; then
        echo "Param domain isn't specified!"
      fi
      if [ -n "$_EMAIL" ] && [ -n "$_DOMAIN" ]; then
        cd /opt/certbot/
        ./certbot-auto certonly \
          --debug --non-interactive --email ${_EMAIL} \
          --webroot -w /usr/share/nginx/html --agree-tos -d ${_DOMAIN} --keep-until-expiring
      fi
      if [ $? -ne 0 ]
      then
        ERRORLOG="/var/log/letsencrypt/letsencrypt.log"
        echo "The Let's Encrypt cert has not been renewed!\n" >> $ERRORLOG
      else
        /etc/init.d/nginx reload
      fi
      exit 0
  /opt/elasticbeanstalk/hooks/configdeploy/post/99_kill_default_nginx.sh:
    mode: "000755"
    owner: root
    group: root
    content: |
      #!/bin/bash -xe
      rm -f /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf
      service nginx stop
      service nginx start
packages:
  yum:
    epel-release: []
container_commands:
  00_removeconfig:
    command: "rm -f /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf"
  01_copy_conf_file:
    command: "cp /etc/letsencrypt/configs/http_proxy.pre /etc/nginx/conf.d/http_proxy.conf; /etc/init.d/nginx reload"
  02_createdir:
    command: "mkdir /opt/certbot || true"
  03_installcertbot:
    command: "wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto"
  04_permission:
    command: "chmod a+x /opt/certbot/certbot-auto"
  05_getcert:
    command: "sudo sh /etc/letsencrypt/configs/generate-cert.sh -e ${CERT_EMAIL} -d ${CERT_DOMAIN}"
  06_link:
    command: "ln -sf /etc/letsencrypt/live/${CERT_DOMAIN} /etc/letsencrypt/live/ebcert"
  07_copy_ssl_conf_file:
    command: "cp /etc/letsencrypt/configs/https_custom.pos /etc/nginx/conf.d/https_custom.conf; /etc/init.d/nginx reload"
  08_cronjob_renew:
    command: "sudo sh /etc/letsencrypt/configs/generate-cert.sh -e ${CERT_EMAIL} -d ${CERT_DOMAIN}"
I'm doing this because I replace this file with my own proxy.conf file.
Please, I need your help.
References:
awslabs/elastic-beanstalk-sampes/https-redirect-nodejs.config
AWS EBS - Environment Properties and Other Software Settings
I had this problem as well and Amazon acknowledged the error in the documentation. This is a working restart script that you can use in your .ebextensions config file.
/opt/elasticbeanstalk/hooks/configdeploy/post/99_kill_default_nginx.sh:
  mode: "000755"
  owner: root
  group: root
  content: |
    #!/bin/bash -xe
    rm -f /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf
    status=`/sbin/status nginx`
    if [[ $status = *"start/running"* ]]; then
      echo "stopping nginx..."
      stop nginx
      echo "starting nginx..."
      start nginx
    else
      echo "nginx is not running... starting it..."
      start nginx
    fi
I am using neo4j-enterprise-3.0.4 in a cluster on AWS with the Bolt protocol. I'm using HAProxy to know who is the master and who are the slaves in the HA cluster.
These are the settings of my HAProxy haproxy.cfg:
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 256
defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    timeout connect 30s
    timeout client 2h
    timeout server 2h
frontend http-in
    bind *:81
    acl write_method method POST DELETE PUT
    acl write_hdr hdr_val(X-Write) eq 1
    acl write_payload payload(0,0) -m reg -i CREATE|MERGE|SET|DELETE|REMOVE
    acl tx_cypher_endpoint path_beg /db/data/transaction
    http-request set-var(txn.tx_cypher_endpoint) bool(true) if tx_cypher_endpoint
    use_backend neo4j-master if write_hdr
    use_backend neo4j-master if tx_cypher_endpoint write_payload
    use_backend neo4j-all if tx_cypher_endpoint
    use_backend neo4j-master if write_method
    default_backend neo4j-all
backend neo4j-all
    option httpchk GET /db/manage/server/ha/available HTTP/1.0\r\nAuthorization:\ Basic\ [code]
    acl tx_cypher_endpoint var(txn.tx_cypher_endpoint),bool
    stick-table type integer size 1k expire 70s # slightly higher with org.neo4j.server.transaction.timeout
    stick match path,word(4,/) if tx_cypher_endpoint
    stick store-response hdr(Location),word(6,/) if tx_cypher_endpoint
    server neo4j-1 192.0.0.250:7687 check port 7474
    server neo4j-2 192.0.0.251:7687 check port 7474
    server neo4j-3 192.0.0.252:7687 check port 7474
backend neo4j-master
    option httpchk GET /db/manage/server/ha/master HTTP/1.0\r\nAuthorization:\ Basic\ [code]
    server neo4j-1 192.0.0.250:7687 check port 7474
    server neo4j-2 192.0.0.251:7687 check port 7474
    server neo4j-3 192.0.0.252:7687 check port 7474
listen admin
    bind *:82
    mode http
    stats enable
    stats uri /haproxy?stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin
Sometimes I get this when I want to use Cypher in the browser:
"errors": [
  {
    "code": "Neo.ClientError.Transaction.TransactionNotFound",
    "message": "Unrecognized transaction id. Transaction may have timed out and been rolled back."
  }
]
I also tried this HAProxy configuration but I still have the same problem. These are the settings of my second HAProxy haproxy.cfg:
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 256
defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    timeout connect 30s
    timeout client 2h
    timeout server 2h
frontend http-in
    bind *:81
    acl write_method method POST DELETE PUT
    acl write_hdr hdr_val(X-Write) eq 1
    acl write_payload payload(0,0) -m reg -i CREATE|MERGE|SET|DELETE|REMOVE
    acl tx_cypher_endpoint path_beg /db/data/transaction
    http-request set-var(txn.tx_cypher_endpoint) bool(true) if tx_cypher_endpoint
    use_backend neo4j-master if write_hdr
    use_backend neo4j-master if tx_cypher_endpoint write_payload
    use_backend neo4j-all if tx_cypher_endpoint
    use_backend neo4j-master if write_method
    default_backend neo4j-all
backend neo4j-all
    option httpchk GET /db/manage/server/ha/master HTTP/1.0\r\nAuthorization:\ Basic\ [code]
    acl tx_cypher_endpoint var(txn.tx_cypher_endpoint),bool
    stick-table type integer size 1k expire 70s # slightly higher with org.neo4j.server.transaction.timeout
    stick match path,word(4,/) if tx_cypher_endpoint
    stick store-response hdr(Location),word(6,/) if tx_cypher_endpoint
    server neo4j-1 192.0.0.250:7687 check port 7474
    server neo4j-2 192.0.0.251:7687 check port 7474
    server neo4j-3 192.0.0.252:7687 check port 7474
backend neo4j-master
    option httpchk GET /db/manage/server/ha/slave HTTP/1.0\r\nAuthorization:\ Basic\ [code]
    server neo4j-1 192.0.0.250:7687 check port 7474
    server neo4j-2 192.0.0.251:7687 check port 7474
    server neo4j-3 192.0.0.252:7687 check port 7474
listen admin
    bind *:82
    mode http
    stats enable
    stats uri /haproxy?stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin
So I am not sure why this is happening. Is it because of HAProxy, AWS or Bolt? When I switch the protocol to HTTP everything works well and I do not get the error.
I fixed this problem by adding these parameters to the HAProxy .cfg:
a backend neo4j-browser with mode http and option prefer-last-server. Now HAProxy is working like a charm and I am not getting the error any more.
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 256
defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    timeout connect 30s
    timeout client 2h
    timeout server 2h
frontend http-in
    bind *:81
    acl write_method method POST DELETE PUT
    acl write_hdr hdr_val(X-Write) eq 1
    acl write_payload payload(0,0) -m reg -i CREATE|MERGE|SET|DELETE|REMOVE
    acl tx_cypher_endpoint path_beg /db/data/transaction
    http-request set-var(txn.tx_cypher_endpoint) bool(true) if tx_cypher_endpoint
    use_backend neo4j-master if write_hdr
    use_backend neo4j-master if tx_cypher_endpoint write_payload
    use_backend neo4j-all if tx_cypher_endpoint
    use_backend neo4j-master if write_method
    default_backend neo4j-all
frontend http-browse
    bind *:83
    mode http
    default_backend neo4j-browser
backend neo4j-all
    option httpchk GET /db/manage/server/ha/available HTTP/1.0\r\nAuthorization:\ Basic\ [code]
    acl tx_cypher_endpoint var(txn.tx_cypher_endpoint),bool
    stick-table type integer size 1k expire 70s # slightly higher with org.neo4j.server.transaction.timeout
    stick match path,word(4,/) if tx_cypher_endpoint
    stick store-response hdr(Location),word(6,/) if tx_cypher_endpoint
    server neo4j-1 192.0.0.250:7687 check port 7474
    server neo4j-2 192.0.0.251:7687 check port 7474
    server neo4j-3 192.0.0.252:7687 check port 7474
backend neo4j-master
    option httpchk GET /db/manage/server/ha/master HTTP/1.0\r\nAuthorization:\ Basic\ [code]
    server neo4j-1 192.0.0.250:7687 check port 7474
    server neo4j-2 192.0.0.251:7687 check port 7474
    server neo4j-3 192.0.0.252:7687 check port 7474
backend neo4j-browser
    mode http
    option prefer-last-server
    option httpchk GET /db/manage/server/ha/master HTTP/1.0\r\nAuthorization:\ Basic\ [code]
    server neo4j-1 192.0.0.250:7474 check
    server neo4j-2 192.0.0.251:7474 check
    server neo4j-3 192.0.0.252:7474 check
listen admin
    bind *:82
    mode http
    stats enable
    stats uri /haproxy?stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin
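A model of the transaction affinity that the `stick` lines in the neo4j-all backend express, added here as an example (not code from the question, the answer or HAProxy). Neo4j's transactional HTTP endpoint answers the opening POST to /db/data/transaction with a Location header naming the new transaction, and every later request for it carries the same id in its path. Bolt on port 7687 is a binary protocol with no path or Location header, so this affinity can only be applied where HAProxy is parsing HTTP, which is what the `mode http` backend on port 7474 in the answer gives it. Server names, transaction ids and the round-robin default are constructed or assumed for the example.

```python
# Added example, not code from the original post: a model of the transaction
# affinity described by the "stick" lines in the neo4j-all backend. Neo4j's
# transactional HTTP endpoint answers the opening POST /db/data/transaction with a
# Location header like http://host:7474/db/data/transaction/17, and later requests
# for that transaction use paths like /db/data/transaction/17/commit. HAProxy's
# word(6,/) on the header and word(4,/) on the path both yield the id "17"; the
# id is stored against the server that created the transaction, and while the
# entry is fresh (expire 70s in the posted config) later requests go to the same
# server. Once it expires the request is balanced again and can land on a server
# that never saw the transaction, which is what TransactionNotFound reports.
# Server names and ids are constructed; round-robin balancing is an assumption.


def haproxy_word(value, n, sep="/"):
    """HAProxy word(n,sep): the n-th non-empty field after splitting on sep (1-based);
    empty fields are skipped, so the leading '/' and the '//' of a URL do not count."""
    fields = [f for f in value.split(sep) if f]
    return fields[n - 1] if 0 < n <= len(fields) else ""


class StickTable:
    """A minimal 'stick-table type integer ... expire Ns'."""

    def __init__(self, expire_seconds=70):
        self.expire = expire_seconds
        self.entries = {}                     # key -> (server, last seen at)

    def store(self, key, server, now):
        self.entries[key] = (server, now)

    def lookup(self, key, now):
        entry = self.entries.get(key)
        if entry is None:
            return None
        server, seen = entry
        if now - seen > self.expire:          # stale entry is gone
            del self.entries[key]
            return None
        self.entries[key] = (server, now)     # a match refreshes the entry
        return server


class TxRouter:
    """Routes /db/data/transaction requests so one transaction stays on one server."""

    def __init__(self, servers, table):
        self.servers, self.table, self.next_rr = servers, table, 0

    def route(self, path, now):
        key = haproxy_word(path, 4) if path.startswith("/db/data/transaction") else ""
        if key:
            pinned = self.table.lookup(key, now)        # stick match path,word(4,/)
            if pinned:
                return pinned
        server = self.servers[self.next_rr % len(self.servers)]   # default balancing
        self.next_rr += 1
        return server

    def on_response(self, server, location, now):
        """stick store-response hdr(Location),word(6,/): remember who owns the transaction."""
        key = haproxy_word(location, 6)
        if key:
            self.table.store(key, server, now)


if __name__ == "__main__":
    router = TxRouter(["neo4j-1", "neo4j-2", "neo4j-3"], StickTable(70))
    owner = router.route("/db/data/transaction", now=0)
    router.on_response(owner, f"http://{owner}:7474/db/data/transaction/17", now=0)
    print("opened on", owner)
    print("commit at t=30 ->", router.route("/db/data/transaction/17/commit", now=30))
    print("commit at t=200 ->", router.route("/db/data/transaction/17/commit", now=200))
```

While the entry is fresh the commit goes to the server that opened the transaction; after the 70-second expiry it is balanced again and can land on another node, which knows nothing about transaction 17.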
I have a Security Group that allows 80, 443, 22, and 8089.
Ports   Protocol   Source      security-group
22      tcp        0.0.0.0/0   [check]
8089    tcp        0.0.0.0/0   [check]
80      tcp        0.0.0.0/0   [check]
443     tcp        0.0.0.0/0   [check]
However, when I test the connection using a Python program I wrote:
import socket
import sys

# Usage: python test.py <port>; 'public-dns' stands for the instance's public DNS name
p = int(sys.argv[1])
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect(('public-dns', p))
    print('Port ' + str(p) + ' is reachable')
except socket.error as e:
    print('Error on connect: %s' % e)
finally:
    s.close()
However, I'm good with all ports but 8089:
python test.py 80
Port 80 is reachable
python test.py 22
Port 22 is reachable
python test.py 443
Port 443 is reachable
python test.py 8089
Error on connect: [Errno 61] Connection refused
The reason why you are able to connect successfully via localhost (127.0.0.1) and not externally is because your server application is listening on the localhost adapter only. This means that only connections originating from the instance itself will be able to connect to that process.
To correct this, you will want to configure your application to listen on either the local IP address of the interface or on all interfaces (0.0.0.0).
This shows that it is wrong (listening on 127...):
~ $ sudo netstat -tulpn | grep 9966
tcp 0 0 127.0.0.1:9966 0.0.0.0:* LISTEN 4961/python
Here is it working right (using all interfaces):
~ $ sudo netstat -tulpn | grep 9966
tcp 0 0 0.0.0.0:9966 0.0.0.0:* LISTEN 5205/python
Besides the AWS security groups (which look like you have set correctly), you also need to make sure that if there is an internal firewall on the host, that it is also open for all the ports specified.
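A check over `netstat -tulpn` style output that reports which listeners are reachable from outside the host, added here as an example (not code from the answer). A socket bound to a loopback address accepts only connections from the instance itself, whatever the security group allows; one bound to 0.0.0.0, :: or the interface's own address can accept external connections. The sample rows are constructed in the format of the two netstat lines in the answer; the PIDs and process names are illustrative.

```python
# Added example, not code from the original answer: a check over netstat -tulpn /
# ss -tulpn style output that reports which listening sockets are reachable from
# outside the host. A socket bound to a loopback address is only reachable from
# the instance itself, whatever the security group allows; one bound to 0.0.0.0,
# :: or the interface's own address can accept external connections.
# The sample rows below are constructed; PIDs and process names are illustrative.
import ipaddress

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2210/nginx
tcp6       0      0 :::443                  :::*                    LISTEN      2210/nginx
tcp        0      0 127.0.0.1:8089          0.0.0.0:*               LISTEN      4961/python
udp        0      0 0.0.0.0:68              0.0.0.0:*                           880/dhclient
"""


def split_host_port(local):
    """Split netstat's 'addr:port' field; IPv6 addresses contain ':' so split on the last one."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def classify_listeners(text):
    """Return (port, bind address, externally reachable?, process) for every LISTEN row."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue                                  # headers and UDP rows have no LISTEN state
        host, port = split_host_port(fields[3])
        addr = ipaddress.ip_address(host)
        external = addr.is_unspecified or not addr.is_loopback
        process = fields[6] if len(fields) > 6 else ""
        results.append((port, host, external, process))
    return results


def unreachable_ports(text):
    """Ports that have a listener but none reachable from outside the host; a security
    group rule for these ports cannot help until the service binds to 0.0.0.0 or the
    interface address."""
    external_by_port = {}
    for port, _, external, _ in classify_listeners(text):
        external_by_port[port] = external_by_port.get(port, False) or external
    return sorted(port for port, ok in external_by_port.items() if not ok)


if __name__ == "__main__":
    for port, host, external, process in classify_listeners(SAMPLE_NETSTAT):
        print(f"{port:>5} bound to {host:<10} external={external!s:<5} {process}")
    print("loopback-only ports:", unreachable_ports(SAMPLE_NETSTAT))
```

On the sample rows the only loopback-only listener is 8089, which matches the symptom in the question: the security group permits the port, but the process is bound to 127.0.0.1, so the connection is refused from outside.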