Connection to a webapp running on AWS being refused - amazon-web-services

I have a webapp that I run on port 8000. So i start it with the command:
> smtweb
Performing system checks...
System check identified no issues (0 silenced).
October 12, 2017 - 11:25:27
Django version 1.8.18, using settings None
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
Then I try to access the webapp as follows through the public elastic IP that I've associated with the running instance:
http://34.XXX.XXX.XXX:8000/
(I've omitted parts of the IP for my own safety, through XXX)
However, Chrome throws the following error:
34.XXX.XXX.XXX refused the connection.
ERR_CONNECTION_REFUSED
So the connection is refused, even tough I've associated the machine with a security group that has the following rule:
Type: Custom TCP Rule
Protocol: TCP
Port Range: 8000
Source: 0.0.0.0/0
Now, I'm not sure if I have to configure something more in the AWS Tools. It seems that I've done everything there. What I'm asking myself is:
Does the app have some restrictions by itself?
I have an Ubuntu image: Do I have to adjust some more firewall settings there?
Do you have an idea what I could try next?

ERR_CONNECTION_REFUSED means that there is no port open and NOT that the port is blocked by a security group rule. The TCP/IP stack has rejected the connection request.
Double check that you really have port 8000 configured for the interface that you are assigning the EIP.
Try to access your app from the same machine using the destination IP of both the local IP address and EIP.
If the local IP works and the EIP does not, check your network configuration. Your web app might not be binding to the interface assigned to the EIP and might still be configured for the old public IP address or not configured at all.
If both IP addresses work, then the problem is most likely not with your web application. Look at iprules, firewalls, etc. running on your local machine.

Related

Can't run GCP VM on public IP with SSH

I am setting up a Virtual Machine node.js server at Google Cloud Platform. I have set up SSH keys so that I can log into my VM. I can successfully log into my VM using SSH-in-browser and start my server.
I can't access my public IP address through Chrome. I get this message:
This site can’t provide a secure connection.
When I try to connect to the IP within SSH-in-browser, I get the following:
$ curl -vso /dev/null --connect-timeout 5 34.68.254.120:8080
* Trying 34.68.254.120:8080...
* connect to 34.68.254.120 port 8080 failed: Connection refused
* Failed to connect to 34.68.254.120 port 8080: Connection refused
* Closing connection 0
I'm new at this. Any ideas would be appreciated. Thanks!
Edit1: Some more details --
Linux VM
port 8080 ingress is open on the firewall
I'm using OSLogin (`enable-oslogin = TRUE' 'enable-oslogin-sk = FALSE')
I can successfully log into console with both SSH-in-Browser and PuTTY, and I can start my server on port 8080
In both, I get the error above when I try to connect to the IP address
EDIT:
Follow below steps to fix “This Site Can’t Provide a Secure Connection” Error :
This error typically indicates a problem with either your browser’s configuration or the SSL certificate on your site.
1) Your local environment doesn’t have an SSL certificate.
2) Outdated SSL caches in the browser : (This is one of the more popular causes. Web browsers store SSL certificates in a cache, much
like other data. This means they don’t have to verify the certificate
every time you visit a site, which speeds up browsing. However, if
your SSL certificate changes and the browser is still loading an
older, cached version, it can cause this error to pop up).
3) Incorrect time and date settings on your computer.
4) Rogue browser extensions.
5) Overzealous antivirus software.
6) An invalid or expired SSL certificate.
If your firewall rules prevent external access:
Check your firewall rules with the following command: gcloud compute firewall-rules list with this, you can review the VPC where
the VM instance was migrated; and if it has allowed the Ingress TCP:
22 Port.
If this firewall rule is missing, you can add the firewall rule in the GCP console -> VPC Networks ->select your VPC network _Click on
the firewall rules to double check that the tcp: 22 port is allowed.
If the issue still is ongoing after checking the firewall rules, you
can follow this guide to start troubleshooting SSH connection.

Simply getting a new EC2 windows instance up and running hosting a simple Hello World web app, and unable to connect to it from any other machine

Problem: Simply getting a new EC2 windows instance up and running hosting a simple Hello World web app, and unable to connect to it from any other machine
Ok, I feel foolish asking this, as I've gotten this to work many times for years. But today, for no discernable reason, I am stumped.
New Windows Server 2022 base instance.
Run simple .net web app listening on port 80
Locally browse to http://localhost and it works fine
Turn on Firewall rule to allow port 80
In AWS Security Groups, allow port 80
Test with the public IP: Site cannot be reached
Disable Windows Firewall completely: same result
Use an alternative port, 5001, 8080, allowing them in the firewall, and with AWS security rules: same result
Try from another EC2 instance in the same subnet: same result
Make sure that locally the simple web app is working: yes
As I mentioned I feel like I am missing some critical and obvious thing.
Please be kind, as I have tried many solutions for this and am hitting a wall, and am humbly asking for help, not ridicule.
Here is the firewall of and connecting locally:
Here is the security groups:
Here is the subnet network ACL:
Here is the not connecting:
Found the answer. I was running my aspnet.core app using:
app.Run("http://localhost:5001")
But should have been using:
app.Run("http://0.0.0.0:5002")
The first tells the app to listen ONLY on IP 127.0.0.1, while the second says listen on ALL IP addresses.
After much searching I found the clue here:
https://weblog.west-wind.com/posts/2016/sep/28/external-network-access-to-kestrel-and-iis-express-in-aspnet-core
Specifically this:
In order to expose Kestrel externally you either have to bind to a specific machine name, IP Address or 0.0.0.0 which stands for all IP Addresses (thanks to #DamianEdwards and #BradyMHolt for their help).
So it really is just these threes main things needed:
Windows Firewall allow port
App running on port
AWS Security Rules for port
However, the way the the application binding is made is critical!
This is also helpful:
What is the difference between 0.0.0.0, 127.0.0.1 and localhost?

Deploying a Go app in AWS ec2 got connection refused

I have a compiled Go project that I want to deploy to an AWS EC2 instance. I just simply upload the application and run ./application on the remote server.
In the terminal, the application is running and says he's listening to localhost:3000.
I've already added the 3000 port to the security group.
However, when I tried to access it in my browser using <public-ip>:3000, it always shows connection refused, whether I've run the application or not.
I tried to run the app locally, it does work.
So is it because I deploy it incorrectly?
It is a bit difficult to help you because of no code being shared.
Some reasons why you got connection refused:
Your application is listening only localhost:3000
EC2 security group does not expose port 3000
How to fix:
Most applications are defining the host address on a config file or env variables. If you have access to change it, change it from localhost:3000 to 0.0.0.0:3000 to accepts connection from all IP or to your_ec2_public_ip:3000
If host address is hardcoded and you have access to code, change the code per above
If you don't have access to config or code to change the host address, then add a reverse proxy to route the incoming call to localhost:3000. This is a good link about using Nginx as reverse proxy https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
Ensure EC2 Security Group allowing inbound connection for the designated port, in this case, is 3000 if you manage to route the incoming to your_ip:3000

How to change localhost to ec2 public dns

I have an ec2 instance on which i login as:
ssh -L 5001:localhost:5000 sumit#<public DNS>
I have an application (superset) which I run as:
2020-04-01 08:18:24,531:INFO:root:logging was configured successfully
2020-04-01 08:18:24,620:INFO:root:Configured event logger of type <class 'superset.utils.log.DBEventLogger'>
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: off
2020-04-01 08:18:25,600:INFO:werkzeug: * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
Now when I open my browser and type, then it works:
http://127.0.0.1:5001/
I already have setup all http and https traffic:
Now when I change 127.0.0.1 to the aws public dns address it doesn't work. Please let me know what am I missing?
You method is using something call Port Forwarding.
This command:
ssh -L 5001:localhost:5000 sumit#<public DNS>
is saying: "Please SSH into the instance, and also forward port 5001 on this computer to the other computer, and ask it to send the traffic to localhost:5000."
Therefore, any traffic sent to port 5001 on your computer will be forwarded to port 5001 on the target computer. This is a good way of preventing other people from being able to access port 5000 on that computer, unless they are able to SSH into the instance (presumably using a private key).
Accessing http://127.0.0.1:5001/ means it will go to port 5001 on your computer. It would be the same as going to http://localhost:5001 on your own computer.
The flow is: 127.0.0.1:5001 -> via SSH connection -> localhost:5000 on other computer
Changing it to http://DNS-NAME:5001 will try to connect to port 5001 on the destination computer, which is not a port that is in use. You could try changing it to connect to http://DNS-NAME:5000 (which is the port where the application seems to be running) and opening the Security Group to allow port 5000, but that would probably violate the security that somebody probably wanted to put in place.

Restarted Database Server can no longer be accessed by webserver

I had to stop then start my ec2 database server running postgresql. Now after it is started, i get the following error message from my django web server
could not connect to server: Connection refused Is the server
running on host "54.235.119.193" and accepting TCP/IP connections on
port 5432?
However because I use elastic IPs and reassigned the same IP (54.235.119.193) I don't think that is the issue. I also am using the same security groups as before, which allow 5432.
I think the only thing that changes when you start/stop is the internal IP but I don't remember using that anywhere in configuration
Any Ideas?
Are you using iptables or selinux? These usually get in the way on restart if not configured properly.