My Express server seems okay on the host. But when I try to access an endpoint using IP:PORT/something, I don't get anything. I don't even get a 500 error.
Postman says
How do I fix this error?
From the image you have uploaded, it looks like your server is hosted on AWS EC2. Since you are not even able to reach your node server, it looks like you haven't added that port (the one on which it is hosted) to the inbound rules of your EC2 security group.
You need to open that port for all IPs (if you want to access it from anywhere) or for a specific IP, if you want to access it only from your specific IP.
Please read it in detail here
Update
If you are using Digital Ocean, you can open the access to that port in the firewall rules.
To open a custom Port for inbound access, you need to add custom Rules in firewall.
From official Docs
Protocol. You can choose either TCP or UDP. Because ICMP has no port abstraction, to allow ICMP traffic, you select it directly from the New rule dropdown.
Port Range. For the TCP and UDP protocols, you can specify:
  A single port.
  A range of ports by entering the starting and ending ports separated by a dash - with no spaces, e.g. 3000-4000. To open multiple non-sequential ports, create a separate rule for each.
  All ports by leaving the field blank.
Sources for inbound rules, which lets you restrict the source of incoming connections.
Destinations for outbound rules, which lets you restrict the destination of outgoing connections.
You can limit the sources/destinations to:
  Droplets, chosen by name, IP address, or tag
  DigitalOcean Load Balancers, chosen by name, IP address, or tag
  Non-DigitalOcean servers by IP addresses, subnets, or CIDR ranges.
Please read about how to configure firewall rules in Digital Ocean, in their official Documentation
If you directly want to jump to Adding Custom Rules, read here
Related
My domain "https://example.com" forwards to my webserver IP, e.g. "0.0.0.1".
Is it possible that when I call the domain like "tcp://example.com:1234" to forward the request to a different IP like "0.0.0.2:1234"? Or is the only way to use a subdomain?
Thank You!
Is it about a self-hosted setup or a shared host on a service provider?
If it's a self-host:
Someone receives your internet connection, in the business environment we usually use a firewall, so you just need to create/configure (on the firewall) your "nat rules" to work as you need with specific ports and IP.
If it's a service provider:
You must check whether they allow NAT configuration (it can be called port forwarding or publish rules).
I'm trying to set a single IP address (dynamic) as the source of the inbound SSH rules for an Azure VM. When it's set to "any" it works perfectly, but with my local dynamic IP it doesn't work (connection timed out).
Also tried giving CIDR block for source, but still confused as to why a single IP doesn't work.
Most "What's my IP" sites will give you your public IP address that you can use for your NSG.
http://www.hazelnest.com/IPproject/MyIP/ip.php
But I believe the issue you are having is one I have seen in very large company networks: the IP you get from the site is not really the IP for RDP/SSH.
The easiest and guaranteed way is to contact your networking guys to provide you with the information.
Another way is to check the IP you get in the RDP/SSH logs when you connect without restricting the NSG. Then use that IP on the NSG; note that depending on the network this might change.
Linux:
Check the auth.log under /var/log
Windows:
In the VM's Event Viewer, navigate to path below and check the event 22, that should have information.
Applications and Services Logs\Microsoft\Windows\TerminalServices-LocalSessionManager
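One way to carry out the auth.log check described in the answer above, as an added example that is not part of the original answer. The log lines are constructed samples in the usual OpenSSH syslog format, and the user name `azureuser` and all addresses are assumptions. Only successful logins are counted, so addresses from failed attempts never end up in an allow rule.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH syslog format (not from the page).
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:02 vm1 sshd[2211]: Accepted publickey for azureuser from 198.51.100.23 port 50122 ssh2: RSA SHA256:CONSTRUCTED
Mar  3 09:20:41 vm1 sshd[2290]: Failed password for invalid user admin from 203.0.113.77 port 41022 ssh2
Mar  3 11:02:19 vm1 sshd[2404]: Accepted password for azureuser from 198.51.100.23 port 50388 ssh2
Mar  4 08:57:45 vm1 sshd[3120]: Accepted publickey for azureuser from 198.51.100.41 port 61010 ssh2: RSA SHA256:CONSTRUCTED
"""

# Matches only successful authentications; failed attempts are ignored on purpose.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def accepted_sources(log_text, user):
    """Count the source addresses of successful SSH logins for `user`."""
    counts = Counter()
    for line in log_text.splitlines():
        match = ACCEPTED.search(line)
        if not match or match.group("user") != user:
            continue
        try:
            counts[ipaddress.ip_address(match.group("ip"))] += 1
        except ValueError:
            continue  # not a literal IP address, skip the line
    return counts


def nsg_sources(counts):
    """Render each observed address as a single-host CIDR for an NSG source field."""
    return sorted(f"{ip}/{ip.max_prefixlen}" for ip in counts)


if __name__ == "__main__":
    seen = accepted_sources(SAMPLE_AUTH_LOG, "azureuser")
    for cidr in nsg_sources(seen):
        print(cidr)
```

Two different addresses for the same user on consecutive days, as in the sample, is the situation the answer mentions where the address changes with the network.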
I have 2 VMs (CentOS), running in the same VNET (and subnet).
They both have a static public IP.
I have a Network Security Group which defines inbound and outbound rules, attached to both NICs as well as to the VNET.
One of the inbound rules is the default-allow-ssh rule.
All good so far, using SSH, I can access both VMs from outside Azure, from my own computer from anywhere on the web.
On 1 of the VMs I'm running a webserver.
Exposing the webserver on port 80 and adding a new NSG inbound security rule on port 80 (src: any, src port range: *, dest: any, port: 80, protocol: any) allows me to access the webserver from anywhere: from my pc from anywhere on the web, from my other VM within Azure, so just as I was expecting.
Now when I change the port of the webserver from 80 to for example 7181:
I can still do "curl http://[PUBLIC_IP]:7181" from the server I'm hosting the webserver on AS WELL AS from the other CentOS server sitting in the same VNET (subnet) BUT no longer from my pc or any pc outside the Azure realm (the web).
Firewalld is not running on the webserver, nor do I have iptables set, only NSG rules define inbound and outbound traffic.
The host of the webserver is always accessible from anywhere outside Azure, using ssh. The webservice itself, on port 80, including a proper inbound NSG rule, also works just fine from anywhere out- and inside Azure. The custom port, configured identically as port 80 or 22 in the NSG (except for the port number of course), is accessible only from inside the same VNET.
Anyone?
(the error I get is the well-known: ERR_CONNECTION_REFUSED)
A reboot of the VM instance solved the problem. So it looks like adding/updating NSG rules on-the-fly does not affect running instances immediately, or something else takes a lot of time to sync and take effect. I must have forgotten about my early Windows days, where reboots were pretty standard when changing configuration or installing new things. Anyway, thank you all for your time and effort on this question.
Asking the obvious: Have you added a rule for port 7181 in the NSG?
My tests say: This kind of error comes from the NSG.
A curl from within the network might lead to wrong conclusions. You should trace the route when connecting to the IP on port 7181.
Create separate rules for each port you want to open. As far as I know you cannot specify a list of ports in "port" field. Only single port, port range or *.
FYI: the connection from other machine in VNET is working because there is "AllowVnetInBound" rule.
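The questions above report two different failures, "connection timed out" and ERR_CONNECTION_REFUSED. The following added example (not from any of the posts) classifies a single TCP connection attempt, so the check can be run from outside the cloud network rather than from a machine in the same VNET. The hint texts are general TCP behaviour, and the loopback demo is only there so the block runs offline.

```python
import socket

# What each outcome usually points at when an opened port still does not answer.
HINTS = {
    "open": "TCP handshake completed; look at the application, not the firewall",
    "refused": "a reset came back: no listener on that address/port, or a rejecting filter",
    "timeout": "no reply at all: packets dropped, check inbound rules and source ranges",
    "unreachable": "no route or name resolution failure; check the address itself",
}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        # Covers EHOSTUNREACH, ENETUNREACH and DNS errors (socket.gaierror).
        return "unreachable"


def local_demo():
    """Probe a listener and then a closed port on loopback; returns both results."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = probe("127.0.0.1", port)
    srv.close()
    closed = probe("127.0.0.1", port)
    return listening, closed


if __name__ == "__main__":
    for state in local_demo():
        print(f"{state}: {HINTS[state]}")
```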
I am new to AWS security for deploying to Amazon Web Services.
When I restrict the security groups to some IP addresses, my application runs dead slow or may not run at all; that's the reason I am getting a connection timeout when I try to call the web service which is deployed in AWS. When I open the IP address restriction in the security groups it works fine.
How do I configure my AWS security groups so that my application is accessible only to some restricted networks?
Please help me out on this.
Below are the my security group details
INBOUND
Type    Protocol  Port range  Source
MYSQL   TCP       3306        X.X.X.X/X
SSH     TCP       22          X.X.X.X/X
HTTP    TCP       80          X.X.X.X/X
OUTBOUND
Type    Protocol  Port range  Source
MYSQL   TCP       3306        0.0.0.0/0
SSH     TCP       22          0.0.0.0/0
HTTP    TCP       80          0.0.0.0/0
I am using Hibernate for the DB connection from my web application. But every time I am getting a connection timeout with the above security group. If I remove the IP address restrictions it works fine.
Note: DB connection works fine from mysql workbench
<property name="hibernate.connection.url">jdbc:mysql://schemaname.amazonDBInsatnce:3306/test</property>
Security Groups will not "slow down" access to an Amazon EC2 instance. They are used to determine which ports are open to a given range of IP addresses. Either the traffic is allowed through, or it is not.
Security Groups can be defined for Inbound and Outbound traffic. By default, all Inbound traffic is denied and all Outbound traffic is permitted.
It is possible that your application is trying to access some external service and is timing out, hence causing delays. Permitting all Outbound traffic is usually acceptable, so try that first and see if your application performs better.
Also, check the log files that your application is producing to see if any errors are being generated, which will give you a hint as to what might be happening.
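The allow-or-deny evaluation described in the answer above, as an added example that is not part of the original answer. It uses the inbound table from the question with a constructed CIDR in place of the redacted X.X.X.X/X; the flows and their source addresses are assumptions chosen to show which connections such a rule set admits and which it drops.

```python
import ipaddress

# Inbound rules shaped like the question's table. The CIDR is a constructed
# stand-in for the redacted X.X.X.X/X source.
OFFICE = "198.51.100.0/24"
INBOUND = [
    ("MYSQL", "tcp", (3306, 3306), OFFICE),
    ("SSH", "tcp", (22, 22), OFFICE),
    ("HTTP", "tcp", (80, 80), OFFICE),
]


def matching_rule(rules, protocol, port, source_ip):
    """Return the name of the first rule that admits the packet, else None.

    Security group rules are allow-only, so no match means the packet is dropped.
    """
    src = ipaddress.ip_address(source_ip)
    for name, proto, (low, high), cidr in rules:
        if proto == protocol and low <= port <= high and src in ipaddress.ip_network(cidr):
            return name
    return None


# Constructed flows a deployment like this might need:
# (description, protocol, destination port, source address).
FLOWS = [
    ("MySQL Workbench from the office", "tcp", 3306, "198.51.100.10"),
    ("web application host to the database", "tcp", 3306, "203.0.113.50"),
    ("browser in the office to the site", "tcp", 80, "198.51.100.10"),
    ("browser on a mobile network to the site", "tcp", 80, "192.0.2.44"),
]


def audit(rules, flows):
    """Map each flow description to the admitting rule name, or 'DROPPED'."""
    return {
        desc: matching_rule(rules, proto, port, src) or "DROPPED"
        for desc, proto, port, src in flows
    }


if __name__ == "__main__":
    for desc, verdict in audit(INBOUND, FLOWS).items():
        print(f"{verdict:8} {desc}")
```

Listing every flow the application needs, including connections between its own hosts, and checking each against the rules shows which source ranges a restricted group still has to include.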
One of our clients wants to do port forwarding to the CRM server, so that users can access the CRM from the Internet. They are using a ZyXEL firewall (for port forwarding).
They have mapped 203.xx.xx.xx (public IP) to 192.Xx.xx.xx (local IP) with incoming and outgoing port 5555 (default port of our CRM server), but it doesn't work. Any suggestions?
I tried to map RDP and the SQL report server (web server), and these are accessible.
I have been stuck with this more than a day. Can anyone please help
It's more common to see full IFD implementation with crm 2011, since SSL allows for more security. I do think it's possible to configure CRM to work with just regular port forwarding though, although I have never done it myself.
Take a look here: http://www.mscrmguru.com/2013/05/exposing-microsoft-dynamics-crm-2011.html
Examples of software that can be used for port forwarding include Microsoft Forefront Threat Management Gateway (TMG) and Microsoft Forefront Unified Access Gateway. Basically what it comes down to is the following:
  The user enters an internet address e.g. http://crm.mycompany.com.au
  The internet address is recognised and points to the external registered IP address e.g. 162.123.123.11
  The external IP address is redirected to your internal IP address through your reverse proxy / tunnelling / port forwarding e.g. 10.0.0.10
  The user enters username and password and gets authenticated.
  The Microsoft Dynamics CRM 2011 page is displayed to the user.
Finally I solved the issue by binding port 80 to the CRM website in IIS. Not sure why port 5555 didn't work, even though the port is opened in the firewall.
You have to add a corresponding Policy Control to pair with the corresponding NAT rule otherwise when the NAT / port forwarding rule is applied, it will be directed to the stateful packet inspection part of the device controlled by the Policy Control rules and be dropped from that point forward.
Policy Control is found by selecting the Configuration menu option (looks like two yellow gear or cogs whatever you call them), then selecting Security Policy, then Policy Control.
The rule structure is similar to NAT, except on this screen you permit or deny traffic based on ZONES that maps to any physical or logical interface configured. In most cases, you want to permit port 5555 traffic coming from the WAN zone from ANY IP address, to the LAN, DMZ or VLAN zones to the IP of the host or object configured in the ZyXEL firewall.
You'll want to ensure that port 5555/TCP or 5555/UDP, whichever is applicable to permit, is configured as a Service Object under the Configuration->Object->Service menu.
Configuring the service before will allow easy setup afterwards when setting your NAT and policy rules, because you'll be able to select the new service object instead of entering ports only. It's also required to set a service object anyways for all Policy Routes.
It feels like the work has been done twice, but NAT and Policy Routes are two different things that have to be configured to allow most kinds of non-standard traffic. Your admin might have had an easier time configuring other rules such as HTTP, FTP, SMTP and various common services, because the firewall has built-in objects for those services, which makes configuring rules for services running on non-standard high-range ports a little bit more tricky.