EC2 HTTPS connection requests from the instance itself are refused!!!

Question

Hello

I get the following error when a https post request is sent from the application to itself:
cURL error 7: Failed to connect to lms.3dyazdir.xyz port 443 after 0 ms: Connection refused

It seems EC2 HTTPS connection requests are refused from the instance itself!!!
It seems EC2 only accepts requests from other IPs and does not accept requests from itself!

How can I configure the inbound rules of the security groups so the instance can respond to requests coming from the instance itself through its public address?

The current rules of my security group is as follows:

![](/media/postImages/original/IMc1B7BrzpQt2BcnPWXP7tow)

Accepted Answer

> our application uses the HTTP client (working with CURL) to send a post HTTPS request to itself (server to server request but the requester and the receiver servers are the same), so it actually uses the instance public IP like requests coming from the browser.

Is the EC2  actually trying to connect to itself though? The DNS name being used in the connection is **lms.3dyazdir.xyz** and doesn't this resolve to the load balancer's public IP address (actually 3 of them), not the EC2's IP.

So if the traffic doesn't stay on the EC2 instance, it has to leave the EC2 instance via (presumably) a route to an Internet Gateway or a NAT Gateway, out onto the public internet, and then back in through the load balancer.

Check the outbound internet access from the EC2, a simple test is check if you can `curl https://www.google.com`

Then check the security group associated with the load balancer (not the EC2) allows inbound port 80 & 443 from the EC2 instance's public IP (or the NAT Gateway, if that's what's being used). For troubleshooting it might be easier to set it to allow from 0.0.0.0/0 and you can always tighten it up later.

Third, does the EC2 have a certificate bundle installed against which it can validate the certificate that the load balancer is presenting? `rpm -qa | grep ^ca-certificates`

Also, in previous comments you've shared:
```
curl --verbose https://lms.3dyazdir.xyz
:   Trying 3.125.46.128:443...
```
```
nslookup lms.3dyazdir.xyz
Server: 127.0.0.53
Address: 127.0.0.53#53

Name: lms.3dyazdir.xyz
Address: 3.125.46.128
```
What is **3.125.46.128** ? It's not the public IP of your EC2 (another screenshot shows that's **3.73.186.172** ) and its not **lms.3dyazdir.xyz** (this has 3 IPs (presumably it's the load balancer) **3.126.49.188** & **35.157.180.209** & **35.157.194.157** ). Where has **3.125.46.128** come from? Check there isn't anything hard-coded into **/etc/hosts**

Answer

Hi again,

The result of 
```
nslookup lms.3dyazdir.xyz
```

Server:		127.0.0.53
Address:	127.0.0.53#53

Name:	lms.3dyazdir.xyz
Address: 3.125.46.128

Also I use the following certificate at lms.3dyazdir.xyz :

![](/media/postImages/original/IMDWZdYmOrTaGJmXQzNJvdgg)

Answer

Ensure that the DNS resolution for "lms.3dyazdir.xyz" is working correctly. You can use the nslookup or dig command to check the DNS resolution.

`nslookup lms.3dyazdir.xyz
`

or

`dig lms.3dyazdir.xyz
`

also, If you are using HTTPS (port 443), make sure that the SSL/TLS certificate is valid and properly configured on the server. An SSL handshake failure could result in a connection refused error.

try to get more information via 
`curl --verbose https://lms.3dyazdir.xyz`

if nothing found here, Identify the SG of instance and then, Add a rule that allows traffic on the desired port(s) for the services you want to access. For example, if you want to allow HTTP (port 80) and HTTPS (port 443), you can add rules like these:

Type: HTTP, Source: 0.0.0.0/0 (Allow traffic from any IP)
Type: HTTPS, Source: 0.0.0.0/0 (Allow traffic from any IP)
and If you want to allow traffic only from the instance itself, you can use the private IP of the instance or the security group ID as the source.

Answer

When I run the following CURL request from the server SSH terminal (Self-request), I get the following error:

```
ubuntu@ip-172-31-18-0:/var/www/nohut/lms$ curl https://lms.3dyazdir.xyz/api/user -H "Accept: application/json"
```

`curl: (7) Failed to connect to lms.3dyazdir.xyz port 443 after 0 ms: Connection refused`

But when I run the same CURL request from the terminal of my PC, I get a response!

```
okhtay@okhtay-Inspiron-24-5410-All-in-One:~$ curl https://lms.3dyazdir.xyz/api/user -H "Accept: application/json"
```

`{"message":"Unauthenticated."}`

So, clearly self-requests are blocked by the server. When the server sends requests to itself, the firewall stops the server to respond!

Answer

Can you use  loopback address 127.0.0.1 or localhost as the target in your cURL command ?

`ubuntu@ip-172-31-18-0:/var/www/nohut/lms$ curl 127.0.0.1:80/api/user -H "Accept: application/json"`

Answer

Thank you for your reply.

We do not use any private SSL certificate and we use ACM certificate added to the load balancer.

Our Load Balancer has been set up as follows:

![](/media/postImages/original/IMffr6tLV8QkyQqdD8yOGgfg)

Actually, our application uses the HTTP client (working with CURL) to send a post HTTPS request to itself (server to server request but the requester and the receiver servers are the same), so it actually uses the instance public IP like requests coming from the browser.

The application level error is as follows:
![](/media/postImages/original/IMN96tzhqlSwOhpbVnzd3Ing)

The results of 
```
curl --verbose https://lms.3dyazdir.xyz
```
 :

*   Trying 3.125.46.128:443...
* connect to 3.125.46.128 port 443 failed: Connection refused
* Failed to connect to lms.3dyazdir.xyz port 443 after 0 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to lms.3dyazdir.xyz port 443 after 0 ms: Connection refused

The instance info are as follows:

![](/media/postImages/original/IMN0w-vr33RTu3b8nd8ujDWA)

EC2 HTTPS connection requests from the instance itself are refused!!!

Relevant content