
Why can't I connect to a website that is hosted on my EC2 instance?


I can't connect to a public website that is hosted on my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

To resolve an unreachable website error, check that the configuration settings on your EC2 instance are correct. For example, if your instance doesn't have the right DNS configurations, then you can't connect to any website hosted on that instance.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Use SSH or SSM Session Manager to connect to the instance. If neither method is available, then use the EC2 Serial Console to connect to instances built on the Nitro System.

Check that the instance is running and passing both status checks

In the Amazon EC2 console, make sure that the instance is running. If you have a status check issue, then follow the steps in Why is my EC2 Linux instance unreachable and failing its status checks? Check that the instance boots correctly. For more information, see Instance console output or Capture a screenshot of an unreachable instance.

Check the instance's system logs for boot errors.

Use the following methods to check for boot errors:

Check the instance's security group and network ACL configuration

Use the following methods to check your instance's configuration:

Check that the instance has the correct DNS configuration

Use the following methods to check your instance's configuration:

Check that the web server is running and that there are no OS-level firewalls blocking access to ports

Network ports are the communication endpoints that various services send requests to. These requests include users' website connection requests. Web servers listen on port 80 for HTTP traffic and use port 443 for traffic encrypted with TLS/SSL. If the web server isn't running or firewalls block these ports, then users can't connect to your website. Complete the following steps:

  1. To check if the website is running locally, run the following command from within the EC2 instance that hosts the website:

    curl https://localhost

    -or-

    curl http://localhost:443

    Connect to your instance using SSH, SSM Session Manager or EC2 Serial Console.

  2. Check the web server service status.
    For RHEL, CentOS, Fedora, and Amazon Linux systems, run the command systemctl status httpd to check the web server's status. In the following example, the output shows that the web server is inactive:

    $ sudo systemctl status httpd.service
    The Apache HTTP Server
    Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
    Active: inactive (dead)

    For Debian or Ubuntu systems, run the command systemctl status apache2 to check the web server's status. The web server must be listening on port 80 or 443. In the following example, the output shows that the web server is inactive:

    $ sudo systemctl status apache2.service
    The Apache HTTP Server
    Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
    Active: inactive (dead)
  3. To start the web server and activate the service to start at boot, run the following commands:
    For RHEL, CentOS, Fedora, and Amazon Linux systems:

    $ sudo systemctl start httpd; sudo systemctl enable httpd

    For Debian or Ubuntu systems:

    $ sudo systemctl start apache2; sudo systemctl enable apache2
  4. Verify that the web server service is running and activated:
    For RHEL, CentOS, Fedora and Amazon Linux systems, run the following command:

    $ sudo systemctl status httpd.service
    The Apache HTTP Server
    Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
    Active: active (running)

    For Debian or Ubuntu systems, run the following command:

    $ sudo systemctl status apache2.service
    The Apache HTTP Server
    Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
    Active: active (running)

    Note: For Linux systems running SystemV, run the following command to check the web server status.
    For Debian or Ubuntu systems, you must replace httpd with apache2:

    $ sudo service httpd status
    httpd is stopped

    To start a stopped web server service on SystemV, run the following command:

    $ sudo service httpd start
    Starting httpd:                                            [  OK  ]
  5. To confirm that the web server is listening on port 80 or 443 for incoming connection requests from users, run the following command:

    $ sudo netstat -tulpn | grep -iP 'httpd|apache2'
    tcp        0      0 :::80               :::*                     LISTEN      2961/httpd

    Note: If there are multiple interfaces running, then confirm that the web server is listening on all IP addresses. To check, run the following command:

    cat /etc/httpd/conf/httpd.conf  | grep Listen

    The following are example outputs:

    Listen *:80

    -or-

    Listen *:443
  6. Verify the status of OS-level firewalls. If you find an active firewall, then make sure that it allows requests on ports 80 and 443.
    To check whether the iptables rules block incoming requests on ports 80 and 443, run the following command:

    $ sudo iptables -vnL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       35 10863 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    The output of the preceding iptables command shows that only ICMP, localhost, and port 22/TCP (SSH) are allowed. This means that inbound connections to ports 80/TCP and 443/TCP are blocked or rejected.
    To allow port 80 and 443 to accept incoming HTTP and HTTPS connection requests, run the following command:

    $ sudo iptables -I INPUT -p tcp --match multiport --dports 80,443 -j ACCEPT

    The following output shows that the multiport rule is added to the web server service ports, 80/TCP and 443/TCP.

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
      486  104K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
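
The first-match reasoning in step 6, as an added example that is not part of the original AWS article: the function reads `iptables -vnL` output and reports which INPUT rule decides a new inbound TCP connection to a given port. The names `input_verdict`, `sample_before` and `sample_after` are hypothetical; the sample chain is the listing from this page, and the evaluator assumes traffic from an arbitrary source on a non-loopback interface.

```shell
#!/bin/sh
# Added example: first-match evaluation of the INPUT chain from `iptables -vnL`.
# Assumptions: new inbound TCP connection, arbitrary source, non-loopback interface;
# source/destination-restricted rules and non-terminal targets are skipped.
input_verdict() {   # usage: sudo iptables -vnL | input_verdict PORT
  awk -v port="$1" '
    function in_list(spec, p,    n, i, parts, r) {   # "80,443" or "8000:8080"
      n = split(spec, parts, ",")
      for (i = 1; i <= n; i++) {
        if (split(parts[i], r, ":") == 2) { if (p >= r[1] + 0 && p <= r[2] + 0) return 1 }
        else if (parts[i] + 0 == p) return 1
      }
      return 0
    }
    /^Chain / { inchain = ($2 == "INPUT"); if (inchain) policy = $4; next }
    !inchain || $1 == "pkts" || NF < 9 { next }
    {
      n++                                            # rule number within INPUT
      if ($4 != "tcp" && $4 != "6" && $4 != "all" && $4 != "0") next
      if ($6 == "lo" || $8 != "0.0.0.0/0" || $9 != "0.0.0.0/0") next
      ok = 1
      for (i = 10; i <= NF; i++) {
        if (($i == "state" || $i == "ctstate") && $(i + 1) !~ /NEW/) ok = 0
        if ($i ~ /^dpts?:/ && !in_list(substr($i, index($i, ":") + 1), port + 0)) ok = 0
        if ($i == "dports" && !in_list($(i + 1), port + 0)) ok = 0
      }
      if (ok && $3 ~ /^(ACCEPT|REJECT|DROP)$/) { print $3, "rule", n; found = 1; exit }
    }
    END { if (!found) print policy, "policy" }       # nothing matched: chain policy
  '
}
sample_before() {   # INPUT chain copied from the first iptables listing on this page
  cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   35 10863 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
EOF
}
sample_after() {    # same chain with the multiport rule inserted at the top (-I)
  sample_before | awk 'NR == 3 { print "0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443" } { print }'
}
for p in 22 80 443; do
  echo "before $p: $(sample_before | input_verdict "$p")  after $p: $(sample_after | input_verdict "$p")"
done
```

Rules added with `iptables -I` are not saved across reboots unless you persist them separately.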

For Amazon Linux 2023, Amazon Linux 2 and RHEL 7 and later

To confirm whether the firewalld service is running, run the following command:

$ sudo firewall-cmd --state
running

If the firewalld service is running, then run the following commands to allow connections on ports 80/TCP and 443/TCP. The last command in the example reloads the service to bring the newly added rules into effect:

$ sudo firewall-cmd --add-service=http --permanent
success
$ sudo firewall-cmd --add-service=https --permanent
success
$ sudo firewall-cmd --reload
success

For Debian and Ubuntu servers

Complete the following steps:

  1. To check for an Uncomplicated Firewall (UFW), run the following command:

    $ sudo ufw status verbose
    Status:  active
  2. If a UFW is running, then use the following commands to allow incoming connection requests on ports 80/TCP and 443/TCP:

    $ sudo ufw allow in 80/tcp
    Rule added
    Rule added (v6)
    $ sudo ufw allow 443/tcp
    Rule added
    Rule added (v6)

Check your web server access error logs for issues. Web server logs are located at /var/log. The following are the default web server log locations:

  • Amazon Linux and RHEL: /var/log/httpd
  • Debian and Ubuntu: /var/log/apache2

Note: The web server log location depends on your server configuration.

Related information

How do I troubleshoot slow connections to a website hosted on my EC2 instance?

AWS OFFICIAL
Updated 3 months ago
2 Comments

I have tried everything mentioned in this article. My server stopped responding to web server requests on port 80 by itself.

My Web Server responds to CURL from within the server but not from external servers. I am able to connect to SSH port and also ping the server. There is no firewall on my Ubuntu. It is inactive. My Security Groups are configured correctly and unchanged from the time when it was working. There is no Network ACL or firewall configured on AWS side.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied a year ago