Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Why can't I connect to a website that's hosted on my EC2 instance?

7 minute read
1

I can't connect to a public website that's hosted on my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

To resolve unreachable website issues, verify that you correctly configured your EC2 instance's website configuration. Incorrect web server settings on your instance block access to all websites hosted on it.

Resolution

Verify that the instance is running and passes both status checks

Check the Amazon EC2 console to verify that the instance is running. To troubleshoot status check issues, see Why is my EC2 Linux instance unreachable and failing its status checks?

Also, use the instance console output and a screenshot of the instance to check whether the instance boots correctly.

Check the instance's security group and network ACL configuration

Verify the following instance configurations:

Verify that the website has the correct DNS configuration

Verify the following DNS configurations for your website:

Verify that the web server is running and that no OS firewalls block access to ports

To check your network port configuration and web server, complete the following steps:

  1. Use SSH or Session Manager, a capability of AWS Systems Manager, to connect to the instance. If you can't use SSH or Session Manager to connect to instances built on the AWS Nitro System, then use the EC2 Serial Console.

  2. To check whether the website is running locally, run the following command from within the EC2 instance host website:

    curl https://localhost

    -or-

    curl http://localhost:443

    Note: If you encounter issues when you use curl, then check for issues with the instance's web server and application configuration.

  3. To check the web server service status, run the following command based on the operating system (OS) that you run.
    Red Hat Enterprise Linux (RHEL), CentOS, Fedora, and Amazon Linux:

    sudo systemctl status httpd.service

    Example output:

    The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset:
disabled)
Active: inactive (dead)

    Debian and Ubuntu:

    sudo systemctl status apache2.service

    Example output:

    The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor 
preset: disabled)
Active: inactive (dead)

    In the command output, check for the inactive (dead) status.
    If your Linux systems runs System V, then run the following command to check the web server status:

    sudo service httpd status

    Note: If you run Debian or Ubuntu, then replace httpd with apache2.
    Example output:

    httpd is stopped

  4. To start the web server and set the service to start at boot, run the following commands based on your OS:
    RHEL, CentOS, Fedora, and Amazon Linux:

    sudo systemctl start httpd; sudo systemctl enable httpd

    Debian or Ubuntu:

    sudo systemctl start apache2; sudo systemctl enable apache2

  5. To verify that the web server service is running and activated, run the following commands based on your OS:
    RHEL, CentOS, Fedora, and Amazon Linux:

    sudo systemctl status httpd.service

    Example output:

    The Apache HTTP ServerLoaded: loaded (/usr/lib/systemd/system/httpd.service;
enabled; vendor preset: disabled)
Active: active (running)

    Debian or Ubuntu:

    sudo systemctl status apache2.service

    Example output:

    The Apache HTTP ServerLoaded: loaded (/lib/systemd/system/apache2.service;
enabled; vendor preset: enabled)
Active: active (running)

    To start a stopped web server service for systems that run on System V, run the following command:

    sudo service httpd start

    Example output:

    Starting httpd:                                            [  OK  ]

  6. To confirm that the web server is listening for inbound user connection requests, run the following command:

    sudo netstat -tulpn|grep -i :80
tcp6       0      0 :::80                   :::*                    LISTEN      11993/httpd

    Note: Run the preceding command twice. The second time, replace 80 with 443. Web servers listen on port 80 for HTTP traffic and port 443 for traffic encrypted with TLS/SSL.
    If you run multiple interfaces, then run the following command to confirm that the web server is listening on all IP addresses:

    cat /etc/httpd/conf/httpd.conf  | grep Listen

    Example outputs:

    Listen *:80
    Listen *:443

  7. If you use an OS firewall, then make sure that it allows requests on ports 80 and 443.

  8. (Optional) To verify that the iptables rules allow inbound requests on ports 80 and 443, run the following command:

    sudo iptables -vnL

    Example output:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   35 10863 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    In the preceding example output, the rules allow only Internet Control Message Protocol (ICMP), localhost, and port 22/TCP (SSH). The rules block inbound connections to TCP port 80 or 443.

  9. To configure iptables rules to allow port 80 and 443 to accept inbound HTTP and HTTPS connection requests, run the following command:

    iptables -I INPUT -p tcp --match multiport --dports 80,443 -j ACCEPT

    Example output:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
  486  104K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Check configurations for AL2023, AL2, and RHEL 7 and later

For Amazon Linux 2023 (AL2023), Amazon Linux 2 (AL2), and RHEL instances, run the following command to check whether the firewalld service is running:

sudo firewall-cmd --state

Example output:

running

If the firewalld service is running, then run the following commands to allow connections on TCP ports 80 and 443:

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

Note: If you previously added rules, then the reload command reloads the service and brings the rules into effect.

For each command, verify that the output is similar to the following example:

success

Check configurations for Debian and Ubuntu servers

Complete the following steps:

  1. To check for an Uncomplicated Firewall (UFW), run the following command:

    sudo ufw status verbose

    Example output:

    Status:  active

  2. If you're running a UFW, then use the following command to allow inbound connection requests on the required TCP ports:
    TCP port 80:

    sudo ufw allow in 80/tcp

    TCP port 443:

    sudo ufw allow 443/tcp

  3. For each command, verify that the output is similar to the following example:

    Rule added
Rule added (v6)

To troubleshoot further, check your web server access error logs at /var/log for issues. Use the following default web server log locations:

  • For Amazon Linux and RHEL, use /var/log/httpd.
  • For Debian and Ubuntu, use /var/log/apache2.

Note: The web server log location depends on your server configuration.

Related information

How do I troubleshoot slow connections to a website hosted on my EC2 instance?

Topics
Compute
Tags
Amazon EC2Linux
Language
English

Related videos

Watch Siddhesh’s video to learn more (6:23)
Watch Siddhesh’s video to learn more (6:23)
AWS OFFICIALUpdated 2 months ago
4 Comments

I have tried everything mentioned in this article. My server stopped responding to web server request on port 80 by itself.

My Web Server responds to CURL from within the server but not from external servers. I am able to connect to SSH port and also ping the server. Their is no firewall on my ubuntu. It is inactive. My Security Groups are configured correctly and unchanged from the time when it was working. There is no Network ACL or firewall configured on AWS side.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 2 years ago

Step 1 does not say what to do if curl fails.

Also, what if iptables is not installed on my EC2 instance?

replied 5 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 5 months ago

Relevant content