I can't connect to a public website that's hosted on my Amazon Elastic Compute Cloud (Amazon EC2) instance.
Short description
To resolve unreachable website issues, verify that you correctly configured your EC2 instance's website configuration. Incorrect web server settings on your instance block access to all websites hosted on it.
Resolution
Verify that the instance is running and passes both status checks
Check the Amazon EC2 console to verify that the instance is running. To troubleshoot status check issues, see Why is my EC2 Linux instance unreachable and failing its status checks?
Also, use the instance console output and a screenshot of the instance to check whether the instance boots correctly.
Check the instance's security group and network ACL configuration
Verify the following instance configurations:
Verify that the website has the correct DNS configuration
Verify the following DNS configurations for your website:
Verify that the web server is running and that no OS firewalls block access to ports
To check your network port configuration and web server, complete the following steps:
- Use SSH or Session Manager, a capability of AWS Systems Manager, to connect to the instance. If you can't use SSH or Session Manager to connect to instances built on the AWS Nitro System, then use the EC2 Serial Console.
- To check whether the website is running locally, run the following command from within the EC2 instance that hosts the website:
curl https://localhost
-or-
curl http://localhost:443
Note: If you encounter issues when you use curl, then check for issues with the instance's web server and application configuration.
- To check the web server service status, run the following command based on the operating system (OS) that you run.
Red Hat Enterprise Linux (RHEL), CentOS, Fedora, and Amazon Linux:
sudo systemctl status httpd.service
Example output:
The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Debian and Ubuntu:
sudo systemctl status apache2.service
Example output:
The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
Active: inactive (dead)
In the command output, check for the inactive (dead) status.
If your Linux system runs System V, then run the following command to check the web server status:
sudo service httpd status
Note: If you run Debian or Ubuntu, then replace httpd with apache2.
Example output:
httpd is stopped
- To start the web server and set the service to start at boot, run the following commands based on your OS:
RHEL, CentOS, Fedora, and Amazon Linux:
sudo systemctl start httpd; sudo systemctl enable httpd
Debian or Ubuntu:
sudo systemctl start apache2; sudo systemctl enable apache2
- To verify that the web server service is running and activated, run the following commands based on your OS:
RHEL, CentOS, Fedora, and Amazon Linux:
sudo systemctl status httpd.service
Example output:
The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running)
Debian or Ubuntu:
sudo systemctl status apache2.service
Example output:
The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running)
To start a stopped web server service for systems that run on System V, run the following command:
sudo service httpd start
Example output:
Starting httpd: [ OK ]
- To confirm that the web server is listening for inbound user connection requests, run the following command:
sudo netstat -tulpn|grep -i :80
Example output:
tcp6 0 0 :::80 :::* LISTEN 11993/httpd
Note: Run the preceding command twice. The second time, replace 80 with 443. Web servers listen on port 80 for HTTP traffic and port 443 for traffic encrypted with TLS/SSL.
If you run multiple interfaces, then run the following command to confirm that the web server is listening on all IP addresses:
cat /etc/httpd/conf/httpd.conf | grep Listen
Example outputs:
Listen *:80
Listen *:443
- If you use an OS firewall, then make sure that it allows requests on ports 80 and 443.
- (Optional) To verify that the iptables rules allow inbound requests on ports 80 and 443, run the following command:
sudo iptables -vnL
Example output:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
35 10863 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
In the preceding example output, the rules allow only Internet Control Message Protocol (ICMP), localhost, and port 22/TCP (SSH). The rules block inbound connections to TCP port 80 or 443.
- To configure iptables rules to allow ports 80 and 443 to accept inbound HTTP and HTTPS connection requests, run the following command:
sudo iptables -I INPUT -p tcp --match multiport --dports 80,443 -j ACCEPT
Example output:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
486 104K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
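The way the two example outputs above are read can be reproduced with a first-match walk of the INPUT chain. The following script is an added example, not part of the original article: `input_verdict` and the `chain_*` helpers are hypothetical names, the model ignores destination addresses and jumps to user-defined chains, and `chain_appended` is a constructed case that shows why the rule is inserted with `-I` ahead of the catch-all REJECT.

```shell
#!/bin/sh
# Added example (not from the article). input_verdict PORT reads `iptables -vnL INPUT`
# text on stdin and prints the target of the first rule that a NEW inbound TCP
# connection from any address to PORT would hit, or the chain policy if none match.
input_verdict() {
  awk -v port="$1" '
    function covers(spec, p,   n, i, m, list, r) {   # spec: "22", "80,443", "8000:8080"
      n = split(spec, list, ",")
      for (i = 1; i <= n; i++) {
        m = split(list[i], r, ":")
        if (p + 0 >= r[1] + 0 && p + 0 <= r[m] + 0) return 1
      }
      return 0
    }
    /^Chain INPUT/ { policy = $4; sub(/\)/, "", policy); in_chain = 1; next }
    /^Chain /      { in_chain = 0 }
    !in_chain || $1 == "pkts" || NF < 9 { next }
    {
      extra = ""; spec = ""
      for (i = 10; i <= NF; i++) extra = extra " " $i
      if ($4 != "tcp" && $4 != "all") next          # icmp, udp: not a TCP match
      if ($6 != "*" || $8 != "0.0.0.0/0") next      # loopback-only or source-restricted
      if (extra ~ /state / && extra !~ /NEW/) next  # RELATED,ESTABLISHED skips the first SYN
      if (match(extra, /dpts?:[0-9:]+/)) {
        spec = substr(extra, RSTART, RLENGTH); sub(/^dpts?:/, "", spec)
      } else if (match(extra, /dports [0-9,:]+/))
        spec = substr(extra, RSTART + 7, RLENGTH - 7)
      if (spec != "" && !covers(spec, port)) next
      print $3; found = 1; exit
    }
    END { if (!found) print policy }
  '
}
HDR='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)'
WEB='0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443'
base_rules() { cat <<'EOF'
35 10863 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
EOF
}
chain_before()   { echo "$HDR"; base_rules; }               # first example output
chain_inserted() { echo "$HDR"; echo "$WEB"; base_rules; }  # after iptables -I (rule on top)
chain_appended() { echo "$HDR"; base_rules; echo "$WEB"; }  # constructed: same rule placed last
for c in chain_before chain_inserted chain_appended; do
  echo "$c: port 443 -> $($c | input_verdict 443)"
done
```

On a live instance, pipe the real chain into the function, for example `sudo iptables -vnL INPUT | input_verdict 443`.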
Check configurations for AL2023, AL2, and RHEL 7 and later
For Amazon Linux 2023 (AL2023), Amazon Linux 2 (AL2), and RHEL instances, run the following command to check whether the firewalld service is running:
sudo firewall-cmd --state
Example output:
running
If the firewalld service is running, then run the following commands to allow connections on TCP ports 80 and 443:
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
Note: If you previously added rules, then the reload command reloads the service and brings the rules into effect.
For each command, verify that the output is similar to the following example:
success
Check configurations for Debian and Ubuntu servers
Complete the following steps:
- To check for an Uncomplicated Firewall (UFW), run the following command:
sudo ufw status verbose
Example output:
Status: active
- If you're running UFW, then use the following commands to allow inbound connection requests on the required TCP ports:
TCP port 80:
sudo ufw allow in 80/tcp
TCP port 443:
sudo ufw allow 443/tcp
- For each command, verify that the output is similar to the following example:
Rule added
Rule added (v6)
To troubleshoot further, check your web server access and error logs under /var/log for issues. Use the following default web server log locations:
- For Amazon Linux and RHEL, use /var/log/httpd.
- For Debian and Ubuntu, use /var/log/apache2.
Note: The web server log location depends on your server configuration.
Related information
How do I troubleshoot slow connections to a website hosted on my EC2 instance?