I can't connect to a public website that is hosted on my Amazon Elastic Compute Cloud (Amazon EC2) instance.
Short description
To resolve an unreachable website error, check that the configuration settings on your EC2 instance are correct. For example, if your instance doesn't have the right DNS configurations, then you can't connect to any website hosted on that instance.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Use SSH or SSM Session Manager to connect to the instance. If neither method is available, then use the EC2 Serial Console to connect to instances built on the Nitro System.
Check that the instance is running and passing both status checks
Make sure that the instance is running in the Amazon EC2 console. If you have a status check issue, follow the steps in Why is my EC2 Linux instance unreachable and failing its status checks? Check that the instance boots correctly. For more information, see Instance console output or Capture a screenshot of an unreachable instance.
Check the instance's system logs for boot errors.
Use the following methods to check for boot errors:
Check the instance's security group and network ACL configuration
Use the following methods to check your instance's configuration:
Check that the instance has the correct DNS configuration
Use the following methods to check your instance's configuration:
Check that the web server is running and that there are no OS-level firewalls blocking access to ports
Network ports are the communication endpoints that various services send requests to. These requests include users' website connection requests. Web servers listen on port 80 for HTTP traffic and use port 443 for traffic encrypted with TLS/SSL. If the web server isn't running or firewalls block these ports, then users can't connect to your website. Complete the following steps:
-
To check if the website is running locally, run the following command from within the EC2 instance that hosts the website:
curl http://localhost
-or-
curl https://localhost:443
Connect to your instance using SSH, SSM Session Manager or EC2 Serial Console.
-
Check the web server service status.
For RHEL, CentOS, Fedora, and Amazon Linux systems, run the command systemctl status httpd to check the web server's status. In the following example output, the web server is inactive:
$ sudo systemctl status httpd.service
The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: inactive (dead)
For Debian or Ubuntu systems, run the command systemctl status apache2 to check the web server's status. The web server must be listening on port 80 or 443. In the following example output, the web server is inactive:
$ sudo systemctl status apache2.service
The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
Active: inactive (dead)
-
To start the web server and activate the service to start at boot, run the following commands:
For RHEL, CentOS, Fedora, and Amazon Linux systems:
$ sudo systemctl start httpd; sudo systemctl enable httpd
For Debian or Ubuntu systems:
$ sudo systemctl start apache2; sudo systemctl enable apache2
-
Verify that the web server service is running and activated:
For RHEL, CentOS, Fedora, and Amazon Linux systems, run the following command:
$ sudo systemctl status httpd.service
The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running)
For Debian or Ubuntu systems, run the following command:
$ sudo systemctl status apache2.service
The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running)
Note: For Linux systems that run SystemV init, run the following command to check the web server status. For Debian or Ubuntu systems, replace httpd with apache2:
$ sudo service httpd status
httpd is stopped
To start a stopped web server service on SystemV, run the following command:
$ sudo service httpd start
Starting httpd: [ OK ]
-
To confirm that the web server is listening on port 80 or 443 for incoming connection requests from users, run the following command:
$ sudo netstat -tulpn | grep -iP 'httpd|apache2'
tcp 0 0 :::80 :::* LISTEN 2961/httpd
Note: If multiple interfaces are running, then confirm that the web server is listening on all IP addresses. Run the following command:
grep Listen /etc/httpd/conf/httpd.conf
The following are example outputs:
Listen *:80
-or-
Listen *:443
-
Verify the status of OS-level firewalls. If you find an active firewall, then make sure that it allows requests on ports 80 and 443.
To check whether the iptables rules block incoming requests on ports 80 and 443, run the following command:
$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
35 10863 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
The output of the preceding iptables command shows that only ICMP, the loopback interface (localhost), and port 22/TCP (SSH) are allowed for new connections. This means that inbound connections to port 80/TCP and 443/TCP are rejected by the final REJECT rule.
To allow ports 80 and 443 to accept incoming HTTP and HTTPS connection requests, run the following command. The -I flag inserts the rule at the top of the INPUT chain, so it is evaluated before the REJECT rule. Note that rules added this way are not kept across a reboot unless you save them with your distribution's iptables persistence mechanism:
$ sudo iptables -I INPUT -p tcp --match multiport --dports 80,443 -j ACCEPT
The following output shows that the multiport rule for the web server ports, 80/TCP and 443/TCP, is now at the top of the chain:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
486 104K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
For Amazon Linux 2023, Amazon Linux 2 and RHEL 7 and later
To confirm whether the firewalld service is running, run the following command:
$ sudo firewall-cmd --state
running
If the firewalld service is running, then run the following commands to allow connections on ports 80/TCP and 443/TCP. The last command in the example reloads the service to bring the newly added rules into effect:
$ sudo firewall-cmd --add-service=http --permanent
success
$ sudo firewall-cmd --add-service=https --permanent
success
$ sudo firewall-cmd --reload
success
For Debian and Ubuntu servers
Complete the following steps:
-
To check for an Uncomplicated Firewall (UFW), run the following command:
$ sudo ufw status verbose
Status: active
-
If UFW is active, then run the following commands to allow incoming connection requests on ports 80/TCP and 443/TCP:
$ sudo ufw allow in 80/tcp
Rule added
Rule added (v6)
$ sudo ufw allow 443/tcp
Rule added
Rule added (v6)
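The iptables check above is done by reading the INPUT chain by eye. The following added example (not from the AWS article) does the same check over saved iptables -vnL output: it walks the INPUT chain in order and reports whether a new connection to a given TCP port reaches an ACCEPT before the catch-all REJECT, so the before and after states shown above can be compared without a live host. The BEFORE and AFTER chains are constructed samples copied from the outputs above.

```shell
#!/bin/sh
# Added example, not from the AWS article: parse saved `iptables -vnL` output and
# report whether new TCP connections to a port get past the INPUT chain, i.e.
# whether an ACCEPT naming that port precedes the catch-all REJECT.
# Usage: port_allowed <port> < iptables-output   (prints allowed/blocked, exit 0/1)
port_allowed() {
  awk -v p="$1" '
    /^Chain / { inchain = ($2 == "INPUT"); if (inchain) policy = $4; next }
    !inchain || $3 == "target" || NF < 9 { next }
    {
      # Does this rule name our port, as "dpt:80" or "multiport dports 80,443"?
      named = ($0 ~ ("dpt:" p "( |$)"))
      for (i = 10; i <= NF; i++) if ($i == "dports") {
        n = split($(i + 1), ports, ",")
        for (j = 1; j <= n; j++) if (ports[j] == p) named = 1
      }
      # Rules limited to other ports, to connection state, or to one interface
      # (e.g. lo) say nothing about a fresh connection to p from outside.
      restricted = ($0 ~ /dpt:|dports|dpts:|state |ctstate /) || $6 != "*"
      tcpish = ($4 == "tcp" || $4 == "all")
    }
    $3 == "ACCEPT" && tcpish && (named || !restricted) { verdict = "allowed"; exit }
    ($3 == "REJECT" || $3 == "DROP") && tcpish && (named || !restricted) { verdict = "blocked"; exit }
    END {
      if (verdict == "") verdict = (policy == "ACCEPT") ? "allowed" : "blocked"  # no rule matched
      print verdict
      exit (verdict == "allowed" ? 0 : 1)
    }'
}

# Constructed sample: the INPUT chain shown in the article before the fix
BEFORE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   35 10863 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
    0     0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)'
# Same chain after: iptables -I INPUT -p tcp --match multiport --dports 80,443 -j ACCEPT
AFTER="Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
$(printf '%s\n' "$BEFORE" | tail -n +3)"

for port in 22 80 443; do
  printf 'before: port %s %s\n' "$port" "$(printf '%s\n' "$BEFORE" | port_allowed "$port")"
  printf 'after:  port %s %s\n' "$port" "$(printf '%s\n' "$AFTER"  | port_allowed "$port")"
done
```

On a live instance, run `sudo iptables -vnL | port_allowed 443` to get the same verdict for the current ruleset.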
Check your web server's access and error logs for issues. Web server logs are located under /var/log. The following are the default web server log directories:
- Amazon Linux and RHEL: /var/log/httpd
- Debian and Ubuntu: /var/log/apache2
Note: The web server log location depends on your server configuration.
Related information
How do I troubleshoot slow connections to a website hosted on my EC2 instance?