When I am running an open source application "atwork" (https://github.com/ritenv/atwork) on an ec2 machine instance on port 80, I get server responses with forbidden codes (403):
AtWork running at 0.0.0.0:80
GET / 304 3.802 ms - -
GET /users/notifications 403 3.972 ms - 9
GET /posts?limitComments=true 403 0.956 ms - 9
GET /chats 403 1.289 ms - 9
GET /streams?subscribed=true 403 0.708 ms - 9
GET /streams?unsubscribed=true 403 0.859 ms - 9
GET /users/me 403 0.847 ms - 9
GET /system-settings 304 4.803 ms - -
GET /favicon.ico 304 0.453 ms - -
GET /system-settings 304 2.766 ms - -
GET /favicon.ico 304 0.322 ms - -
However, when I run it on another port (8080), I get the following 200 messages from
the server:
AtWork running at 0.0.0.0:8080
GET / 200 4.219 ms - 6412
GET /users/notifications 304 12.189 ms - -
GET /posts?limitComments=true 304 5.162 ms - -
GET /chats 304 4.344 ms - -
GET /streams?unsubscribed=true 304 5.429 ms - -
GET /streams?subscribed=true 304 5.495 ms - -
GET /users/me 200 3.478 ms - 882
GET /system-settings 304 4.809 ms - -
Kirill A Novik is online.
GET /favicon.ico 304 0.795 ms - -
I have tried the following (However, none of it worked):
Modify firewall options in the security groups on the AWS console allowing all tcp traffic on all ports.
Run iptable like this:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Please help me to understand what I am doing wrong, and how I could make port 80 behave like other ports.
Thank you.
There is 2 possibilities to fix this issue.
First, is to give the root permissions for ec2 machine's user, who runs the application. But it can be a security risk - running application as root.
The seconds is, the one i i prefer:
running nodejs application as limited user, but behind reverse proxy.
Application can listen on ports > 1000 - like 8080 one.
And you can run NGINX as revers proxy. It will listen on 80 or 443 port, and transfer requests to your nodejs application.
You can use nginx configs like this - https://github.com/vodolaz095/hunt/blob/master/examples/serverConfigsExamples/nginx.conf
Related
I know there are lots of resources on this topic, but I think I've done everything correctly and I still can't connect to my server.
I've started a simple node.js server on port 80.
sudo netstat -tnlp | grep 80
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 3657/node
curl localhost:80
Welcome Node.js
I've configured the Security group for this instance as well as the VPC to allow traffic.
I've made sure there is no local firewall and that the VPC ACL is not blocking traffic (not that I expected it, since this is a completely new instance.)
service iptables status
Redirecting to /bin/systemctl status iptables.service
Unit iptables.service could not be found.
The output when I try to connect from my local machine:
curl 3.xxx.xxx.xxx
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0
curl: (7) Failed to connect to 3.xxx.xxx.xxx port 80: Connection refused
Are there any other ideas on what to check next?
The answer to my problem was https://stackoverflow.com/a/14045163/2369000. The boilerplate code that I copied used a method to only listen to requests that originated from localhost. This could have been detected from the netstat output, which said 127.0.0.1:80 for the listening address. The answer was to use .listen(80, "0.0.0.0") or just .listen(80) since the default behavior is to listen for requests from any IP address.
I've been struggling with a strange problem on Ubuntu 18.04. I cannot reach services exposed by containers. I will show you on an example with nginx.
Starting the container:
sudo docker run -it --rm -d -p 8080:80 --name web nginx
docker ps shows:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f09c71db299a nginx "/docker-entrypoint.…" 10 minutes ago Up 10 minutes 0.0.0.0:8080->80/tcp web
listening is on 0.0.0.0:8080 as expected
But curl throws "Connection reset by peer":
$ curl -4 -i -v localhost:8080
* Rebuilt URL to: localhost:8080/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.58.0
> Accept: */*
>
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
I used tshark to inspect a network traffic:
$ sudo tshark -i any
66 7.442606878 127.0.0.1 → 127.0.0.1 TCP 68 8080 → 47430 [ACK] Seq=1 Ack=79 Win=65408 Len=0 TSval=4125875840 TSecr=4125875840
67 7.442679088 172.16.100.2 → 172.16.100.1 TCP 56 80 → 37906 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
68 7.442784223 127.0.0.1 → 127.0.0.1 TCP 68 8080 → 47430 [RST, ACK] Seq=1 Ack=79 Win=65536 Len=0 TSval=4125875840 TSecr=4125875840
I see RST within the container(?). I have never had such an issue and I'm a bit lost how to solve it. Can someone help me out?
UPDATE: I used docker inspect f09c71db299a and it shows that:
"Gateway": "172.16.100.1"
"IPAddress": "172.16.100.2"
172.16.100.1 it's my docker0 IP address. It looks it rejects traffic from the container, right?
UPDATE 2: According to NightsWatch's suggestion I checked if the host accepts connection on the 8080. Telnet says:
~$ telnet localhost 8080
Trying ::1...
Connected to localhost.
Escape character is '^]'.
So it looks port is open but the request is blocked :/
I've installed Tomcat 9 on Ubuntu 18.04(VM). I cannot access tomcat using IP address from a browser (or curl)
On the VM, tomcat is running and curl http://1.2.3.4:8080 works.
But the same externally does not..
l-OSX: hal$ curl https://10.51.253.163:8080 -v
* Rebuilt URL to: https://10.51.253.163:8080/
* Trying 10.51.253.163...
* connect to 10.51.253.163 port 8080 failed: Operation timed out
* Failed to connect to 10.51.253.163 port 8080: Operation timed out
Tomcat's server.xml
<Engine name="Catalina" defaultHost="10.51.253.163">
...
<Host name="10.51.253.163" appBase="webapps"
unpackWARs="true" autoDeploy="true">
UFW is Inactive
sudo ufw status verbose`
Status: inactive`
Ping to the VM works
l-OSX: hal$ ping 10.51.253.163
PING 10.51.253.163 (10.51.253.163): 56 data bytes
64 bytes from 10.51.253.163: icmp_seq=0 ttl=58 time=111.914 ms
64 bytes from 10.51.253.163: icmp_seq=1 ttl=58 time=93.793 ms
Appreciate any help on this!
After some research and help from IT Support team, i was able to resolve this as below:
VM > Manage Security
Add Security Rule
Allow Port: 8080 on Protocol: TCP
Able to access Tomcat from browser.
I have 4 fresh Ubuntu 12.04 instances that I am trying to install Cassandra (DataStax Enterprise) on. I have installed and configured everything (from a known good installation procedure) and I am at the point of connecting to OpsCenter and creating a cluster. The OpsCenter agent seems to install fine on 3 out of the 4 nodes, but the one that is actually running OpsCenter (dual-purposed as an OpsCenter and Cassandra node) fails with:
Install Errored: The installed agent doesn't seem to be responding
In the /var/log/opscenter/opscenterd.log I see this:
WARN: HTTP request http://10.1.1.26:61621/alive? failed: 503 Service Unavailable
This is the node with OpsCenter on it. The opscenterd service is running, 61621 is listening and accessible from other nodes and from itself, I tested wget to that URL and it indeed throws a 503. All other nodes respond with a 200. Not sure what to look for... Any suggestions? Let me know if you need more details - I didn't want to clutter the post with too much useless/irrelevant details...
i found same error like you.
I did change rules Iptables , and the issue resolve.
[root#ip-172-xxxxx ~]# iptables -I INPUT -p tcp --dport 61620 -j ACCEPT
[root#ip-172-xxxxx ~]# iptables -I INPUT -p tcp --dport 50031 -j ACCEPT
[root#ip-172-xxxxx ~]# iptables -I OUTPUT -p tcp --dport 50031 -j ACCEPT
[root#ip-172-xxxxx ~]# iptables -I OUTPUT -p tcp --dport 61620 -j ACCEPT
iptables -L
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:61620
ACCEPT tcp -- anywhere anywhere tcp dpt:50031
ACCEPT tcp -- anywhere anywhere tcp dpt:ddi-tcp-1
Lucky!
I created a virtual machine CentOS.
Created end-point in the control panel on port 80 and 443. In CentOS added rules to iptables:
# Generated by iptables-save v1.4.7 on Thu Aug 9 18:07:49 2012
*filter
:INPUT ACCEPT [142:12032]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [146:18544]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Thu Aug 9 18:07:49 2012
Run the application:
CompilerOracle: exclude jregex/Pretokenizer.next
Listening for transport dt_socket at address: 8000
18:07:05,799 INFO ~ Starting /srv/play-1.2.5/localevent
18:07:05,808 INFO ~ Module .svn is ignored, name starts with a dot
18:07:06,820 WARN ~ You're running Play! in DEV mode
18:07:06,975 INFO ~ Listening for HTTP at /127.0.0.1:80 (Waiting a first request to start) ...
I went to the address: *.сloudapp.net
But the application does not start. In what may be the reason?
#update1
SELinux is disabled. Version of CentOS - 6.2
#update2
For the test was installed Apache. Home Apache displayed.
Added proxy from 80 to 9000 port in httpd.conf. Play was launched at the 9000 port.
Apache returns a 503 error. Wget 127.0.0.1:9000 gets everything right.
AFAIK, you have to add an endpoint to your Azure virtual machine in order to allow to connect to the 80 TCP port.
For instance, see this doc, under the "Expose Redis to the outside" section, by setting your private and public ports to 80.
Looked logs Apache:
[error] (13) Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:9000 (127.0.0.1) failed
[error] ap_proxy_connect_backend disabling worker for (127.0.0.1)
Solution:
setsebool httpd_can_network_connect 1