External users can't access my App running on an EC2 instance. The EC2 instance can access the internet.

1

As described by the title, I can't access the App running on the EC2 instance using a browser, even from inside the EC2, while that same EC2 instance-based browser can access the internet.

DETAILS: My instance id is: i-0989810f3193abc99. Elastic IP address: 18.190.43.222. Security group id: sg-029a9328d665c40fa. 1 outbound rule: All traffic to 0.0.0.0. 8 inbound IPv4 rules:

  • ICMP, source: my dev station
  • HTTPS, source: 0.0.0.0
  • HTTP, source: 0.0.0.0
  • PostgreSQL, source: 0.0.0.0
  • RDP, source: 0.0.0.0
  • 5901, source: 0.0.0.0
  • SSH, source: my dev station
  • 8080, source: 0.0.0.0

VPC ID: vpc-0dd57250d729c6caf. Routes show destination 0.0.0.0 target the igw and destination 17.31.0.0/16 target local; connected to an internet gateway: igw-0c3d2c47b998e13ff.

command route -n shows:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         172.31.16.1     0.0.0.0         UG    100    0        0 eth0
    172.31.0.2      172.31.16.1     255.255.255.255 UGH   100    0        0 eth0
    172.31.16.0     0.0.0.0         255.255.240.0   U     100    0        0 eth0
    172.31.16.1     0.0.0.0         255.255.255.255 UH    100    0        0 eth0

sudo ufw show listening command shows:

    tcp:
      22 * (sshd)
       [ 4] allow 22/tcp

      80 * (nginx)
       [ 3] allow 'Nginx Full'
       [ 5] allow 80/tcp

    tcp6:
      22 * (sshd)
       [11] allow 22/tcp

      3389 * (xrdp)
       [14] allow 3000:4000/tcp

      80 * (nginx)
       [10] allow 'Nginx Full'
       [12] allow 80/tcp

    udp:
      41155 * (avahi-daemon)
      5353 224.0.0.251 (chrome)
      5353 * (avahi-daemon)
      631 * (cups-browsed)
      68 172.31.28.68 (systemd-networkd)

    udp6:
      49119 * (avahi-daemon)
      5353 * (avahi-daemon)

I can't find anything wrong with this. Clearly something is not right, but I can't see it. Your help would be most appreciated.

-Umberto

uvizc
asked 10 months ago, 403 views
3 Answers
0
Accepted Answer

Open port 443 in ufw.

I can hit your public IP on port 80 (HTTP) which shows your routing table is alright, but not 443 (HTTPS).


EXPERT
Steve_M
answered 10 months ago
reviewed 10 months ago
  • Hi, I hadn't opened 443 as I am testing the App. But I just did, just to see if it would make any difference. Unfortunately it did not in terms of letting data into the App. I can tell traffic is getting to nginx and from there to Gunicorn but somehow can't make it to the App. Some stupid mistake along the way, I'm sure.

0

Is there anything wrong with the path setting for the Gunicorn application?
In "settings.py", there is a setting called "chdir", but I was wondering what kind of setting it is.
Also, I think you need to set up a reverse proxy to access Gunicorn from Nginx, have you done so?
https://docs.gunicorn.org/en/latest/deploy.html

EXPERT
answered 10 months ago
  • Hi Riku. Thank you for your thoughts. To answer your question about Gunicorn, yes, I have set up the configuration in Nginx and Gunicorn to work in tandem. However, let me look at the conf file you sent to see if it is equivalent to what I have done. About the "chdir" setting in "settings.py", do you mean setup.py to create the wheel file? I am not aware of a "settings.py" script. Please elaborate.

  • The official documentation is below. The default file name is "gunicorn.conf.py". https://docs.gunicorn.org/en/stable/settings.html

  • Hi Riku. Thanks for the link. I see what you are talking about. My Gunicorn setup is as follows:

        [Unit]
        Description=Gunicorn instance to serve merysol_advisor
        After=network.target

        [Service]
        User=ubuntu
        Group=www-data
        WorkingDirectory=/home/ubuntu/merysol_advisor
        Environment="PATH=/home/ubuntu/m/erysol_advisor/venv/bin"
        ExecStart=/home/ubuntu/merysol_advisor/venv/bin/gunicorn --workers 3 --bind unix:merysol_advisor.sock -m 007 wsgi:app

        [Install]
        WantedBy=multi-user.target

    And, my nginx configuration is:

        server {
            listen 80;
            listen 443;
            server_name merysol.com www.merysol.com;

            location / {
                include proxy_params;
                proxy_pass http://unix:/home/ubuntu/merysol_advisor/merysol_advisor.sock;
            }
        }

    When I run the command nginx -t, I get good feedback, so I think the configuration is correct.
    I will go through some of the testing options in the gunicorn.conf link you sent me to see if I can find the problem. -Umberto

  • While sending you my last comment, Riku, I realized I had a typo in the Gunicorn configuration. I had: Environment="PATH=/home/ubuntu/m/erysol_advisor/venv/bin"

    I fixed it and restarted the Gunicorn service and nginx, but there was no change in the behavior. I also notice that trying to access nginx using https fails with ERR_SSL_PROTOCOL_ERROR in Chrome. This usually means that it is being blocked by the firewall. But I certainly have rules to allow 443 both in the security group and in the ufw.

  • Thank you for sharing the detailed configuration. "ERR_SSL_PROTOCOL_ERROR" can occur if the SSL certificate is incorrectly configured. Looking at the Nginx configuration, it appears that the SSL certificate is not configured. Where is the SSL certificate configured?
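The accepted answer's outside check (port 80 reachable, 443 not) and the comment above that ERR_SSL_PROTOCOL_ERROR points at a listener that is not actually speaking TLS can both be reproduced with one probe. The script below is an added example, not code from the original thread or from AWS. It distinguishes a connection that times out (a security-group or ufw rule dropping the SYN), one that is refused (packets arrive but nothing listens), and one where TCP connects but the TLS handshake fails, which is exactly what nginx produces with `listen 443;` and no `ssl` directive or certificate. The loopback host, the ephemeral ports and the plain-text stand-in listener are constructed for the demo; in practice you would point `probe()` at your own Elastic IP and port 443.

```python
"""Layered reachability probe (added example, not from the original thread).

Status values returned by probe():
  filtered   - no TCP handshake before the timeout: a security-group or ufw
               rule is dropping the SYN, or nothing routes to the host
  refused    - RST received: packets arrive, but no process listens there
  open       - TCP handshake completed (tls=False)
  tls_ok     - TCP and TLS handshake both completed
  tls_failed - TCP connects but the listener does not speak TLS; this is
               what Chrome reports as ERR_SSL_PROTOCOL_ERROR
"""
import socket
import ssl
import threading
from dataclasses import dataclass


@dataclass
class ProbeResult:
    status: str
    detail: str


def probe(host: str, port: int, tls: bool = False, timeout: float = 3.0) -> ProbeResult:
    """TCP-connect to host:port; with tls=True also attempt a TLS handshake."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ProbeResult("filtered", "no SYN/ACK before timeout: check the security group and ufw first")
    except ConnectionRefusedError:
        return ProbeResult("refused", "RST received: packets arrive, but no process listens on this port")
    except OSError as exc:
        return ProbeResult("error", str(exc))

    if not tls:
        sock.close()
        return ProbeResult("open", "TCP handshake completed")

    # Verification is disabled on purpose: the question is only whether the
    # listener speaks TLS at all, not whether its certificate is trusted.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
            der = tls_sock.getpeercert(binary_form=True) or b""
            return ProbeResult("tls_ok", f"{tls_sock.version()} negotiated, certificate is {len(der)} bytes")
    except ssl.SSLError as exc:
        # e.g. WRONG_VERSION_NUMBER: the peer answered a ClientHello with plain HTTP
        return ProbeResult("tls_failed", f"TCP open but TLS handshake failed: {exc.reason}")
    except OSError as exc:
        return ProbeResult("tls_failed", f"TCP open but no usable TLS reply: {exc}")
    finally:
        sock.close()


def start_plaintext_listener(host: str = "127.0.0.1") -> int:
    """Constructed stand-in for an nginx `listen 443;` block without `ssl`:
    accepts TCP and answers any bytes with a plain-text HTTP 400, which is
    how nginx reacts to a TLS ClientHello on a non-TLS listener. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    conn.settimeout(2.0)
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
            except OSError:
                if srv.fileno() == -1:  # listener closed: stop serving
                    return

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def reserve_closed_port(host: str = "127.0.0.1") -> int:
    """Bind an ephemeral port and release it, so a probe against it gets RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    port = start_plaintext_listener()
    for label, result in (
        ("plain TCP", probe("127.0.0.1", port)),
        ("TLS", probe("127.0.0.1", port, tls=True)),
        ("closed port", probe("127.0.0.1", reserve_closed_port())),
    ):
        print(f"{label:12s} {result.status:11s} {result.detail}")
```

A `tls_failed` result against port 443 of the instance means the security group, ufw and routing are all fine and the problem is inside nginx: it only negotiates TLS when the directive is `listen 443 ssl;` with `ssl_certificate` and `ssl_certificate_key` pointing at a real certificate and key. If an ALB terminates TLS instead, the instance can keep a plain `listen 80;`, and its security group then only needs to accept port 80 from the ALB's security group rather than from 0.0.0.0.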

0

Hi Riku, Yes the SSL Certificate is missing. Somehow I managed to delete it when I terminated my EC2 Instance and created a new one. I am in the process of getting a new one and creating a Load Balancer with proper security groups' listeners and routing. I think this is the root cause of the issues but we shall soon see.

Domo Arigato Riku

uvizc
answered 10 months ago
  • Hi again Riku. Well, I have added a new SSL Certificate to the app and configured the AWS Load Balancer to send HTTP and HTTPS traffic to the App. However, the openssl command still doesn't show the certificate. Is there some additional magic to associate the certificate to the App in AWS? This thing is certainly frustrating. Isn't it? -Umberto

  • If you have ALB, you may not need to set up certificates in EC2. I think we can set up an SSL certificate in ACM for the ALB and set up an HTTPS listener. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
    Also, am I correct in understanding that EC2 is listening on HTTPS? In that case, I think you need to set the listener protocol to HTTPS in the target group settings, is it set?
