EC2 HTTPS connection requests from the instance itself are refused!!!

0

Hello

I get the following error when a https post request is sent from the application to itself: cURL error 7: Failed to connect to lms.3dyazdir.xyz port 443 after 0 ms: Connection refused

It seems EC2 HTTPS connection requests are refused from the instance itself!!! It seems EC2 only accepts requests from other IPs and does not accept requests from itself!

How can I configure the inbound rules of the security groups so the instance can respond to requests coming from the instance itself through its public address?

The current rules of my security group is as follows:

Okhtay
asked 6 months ago489 views
6 Answers
1
Accepted Answer

our application uses the HTTP client (working with CURL) to send a post HTTPS request to itself (server to server request but the requester and the receiver servers are the same), so it actually uses the instance public IP like requests coming from the browser.

Is the EC2 actually trying to connect to itself though? The DNS name being used in the connection is lms.3dyazdir.xyz and doesn't this resolve to the load balancer's public IP address (actually 3 of them), not the EC2's IP.

So if the traffic doesn't stay on the EC2 instance, it has to leave the EC2 instance via (presumably) a route to an Internet Gateway or a NAT Gateway, out onto the public internet, and then back in through the load balancer.

Check the outbound internet access from the EC2, a simple test is check if you can curl https://www.google.com

Then check the security group associated with the load balancer (not the EC2) allows inbound port 80 & 443 from the EC2 instance's public IP (or the NAT Gateway, if that's what's being used). For troubleshooting it might be easier to set it to allow from 0.0.0.0/0 and you can always tighten it up later.

Third, does the EC2 have a certificate bundle installed against which it can validate the certificate that the load balancer is presenting? rpm -qa | grep ^ca-certificates

Also, in previous comments you've shared:

curl --verbose https://lms.3dyazdir.xyz
:   Trying 3.125.46.128:443...
nslookup lms.3dyazdir.xyz
Server: 127.0.0.53
Address: 127.0.0.53#53

Name: lms.3dyazdir.xyz
Address: 3.125.46.128

What is 3.125.46.128 ? It's not the public IP of your EC2 (another screenshot shows that's 3.73.186.172 ) and its not lms.3dyazdir.xyz (this has 3 IPs (presumably it's the load balancer) 3.126.49.188 & 35.157.180.209 & 35.157.194.157 ). Where has 3.125.46.128 come from? Check there isn't anything hard-coded into /etc/hosts

profile picture
EXPERT
Steve_M
answered 6 months ago
  • As Steve said:

    What is 3.125.46.128 ? It's not the public IP of your EC2 (another screenshot shows that's 3.73.186.172 ) and its not lms.3dyazdir.xyz (this has 3 IPs (presumably it's the load balancer) 3.126.49.188 & 35.157.180.209 & 35.157.194.157 ). Where has 3.125.46.128 come from? Check there isn't anything hard-coded into /etc/hosts.

    The problem was caused by the IP/domain mapping in /etc/hosts. I had used the old public IP address (3.125.46.128) there. The problem was resolved by deleting all of them.

    Thank You all including Manoj for answers.

0

Thank you for your reply.

We do not use any private SSL certificate and we use ACM certificate added to the load balancer.

Our Load Balancer has been set up as follows:

Actually, our application uses the HTTP client (working with CURL) to send a post HTTPS request to itself (server to server request but the requester and the receiver servers are the same), so it actually uses the instance public IP like requests coming from the browser.

The application level error is as follows:

The results of

curl --verbose https://lms.3dyazdir.xyz

:

  • Trying 3.125.46.128:443...
  • connect to 3.125.46.128 port 443 failed: Connection refused
  • Failed to connect to lms.3dyazdir.xyz port 443 after 0 ms: Connection refused
  • Closing connection 0 curl: (7) Failed to connect to lms.3dyazdir.xyz port 443 after 0 ms: Connection refused

The instance info are as follows:

Okhtay
answered 6 months ago
  • In the load balancer listener, what is an HTTP and HTTPS listener configured ?

0

Ensure that the DNS resolution for "lms.3dyazdir.xyz" is working correctly. You can use the nslookup or dig command to check the DNS resolution.

nslookup lms.3dyazdir.xyz

or

dig lms.3dyazdir.xyz

also, If you are using HTTPS (port 443), make sure that the SSL/TLS certificate is valid and properly configured on the server. An SSL handshake failure could result in a connection refused error.

try to get more information via curl --verbose https://lms.3dyazdir.xyz

if nothing found here, Identify the SG of instance and then, Add a rule that allows traffic on the desired port(s) for the services you want to access. For example, if you want to allow HTTP (port 80) and HTTPS (port 443), you can add rules like these:

Type: HTTP, Source: 0.0.0.0/0 (Allow traffic from any IP) Type: HTTPS, Source: 0.0.0.0/0 (Allow traffic from any IP) and If you want to allow traffic only from the instance itself, you can use the private IP of the instance or the security group ID as the source.

profile picture
answered 6 months ago
0

Hi again,

The result of

nslookup lms.3dyazdir.xyz

Server: 127.0.0.53 Address: 127.0.0.53#53

Name: lms.3dyazdir.xyz Address: 3.125.46.128

Also I use the following certificate at lms.3dyazdir.xyz :

Okhtay
answered 6 months ago
0

When I run the following CURL request from the server SSH terminal (Self-request), I get the following error:

ubuntu@ip-172-31-18-0:/var/www/nohut/lms$ curl https://lms.3dyazdir.xyz/api/user -H "Accept: application/json"

curl: (7) Failed to connect to lms.3dyazdir.xyz port 443 after 0 ms: Connection refused

But when I run the same CURL request from the terminal of my PC, I get a response!

okhtay@okhtay-Inspiron-24-5410-All-in-One:~$ curl https://lms.3dyazdir.xyz/api/user -H "Accept: application/json"

{"message":"Unauthenticated."}

So, clearly self-requests are blocked by the server. When the server sends requests to itself, the firewall stops the server to respond!

Okhtay
answered 6 months ago
0

Can you use loopback address 127.0.0.1 or localhost as the target in your cURL command ?

ubuntu@ip-172-31-18-0:/var/www/nohut/lms$ curl 127.0.0.1:80/api/user -H "Accept: application/json"

profile picture
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions