I have created an Amazon EC2 instance. Via SSH, I've pulled my git repository and started my node server. I can see it has started correctly. My node server is listening on port 8080.
I then went to Security Groups and added an HTTP rule. This would only allow me to use port 80. When I go to the .compute.amazonaws.com:8080, the request times out. Do I need to change the HTTP rule to port 8080? If so, how do I do this? It's not allowing me...
Add a custom TCP / 8080 rule to your SG.
When you are editing the Security Group inbound rules, instead of choosing HTTP under the 'Type', choose 'Custom TCP Rule'. You will notice that when you select HTTP, the Protocol is TCP. Choosing 'Custom TCP Rule' also uses 'TCP' protocol, but then it will allow you to change the port.
I'm creating a website and need to set up some boxes on AWS and create security groups for them. When creating a security group rule, I'm faced with the following options (abridged):
Type
Custom TCP Rule
...
HTTPS
...
So I'm wondering, what is the difference between setting a custom TCP rule on port 443 and setting a HTTPS rule (which is on port 443 by default)?
No difference. HTTPS is a shortcut which translates to TCP/443. Suppose your HTTPS server uses a non-standard port; then you can use the custom TCP rule to specify the non-standard port.
It is not the same thing. TCP is layer 4 and HTTPS is layer 7.
You can see this by trying to connect to an SSL site without https, as shown below.
http://www.google.com:443
You can't connect because you are trying a TCP connection on port 443, although you are using port 443 (the SSL port).
If you change the http to https on the site above, you can connect to it.
But if you select "SSL (secure TCP)" on port 443, you can connect to it.
regards,
I run Tomcat 7 on Ubuntu in AWS. I don't use Apache.
My site uses the default Tomcat port 8080.
I don't want to open any port except 8080, so I'm setting this in the AWS security group:
inbound
8080 TCP anywhere
and outbound: all traffic.
But when I try a REST call to
http://my_aws_ip:8080/test.do
it doesn't work.
What port should I open?
Does Tomcat 7 use some other port?
Tomcat uses whatever port or ports and protocols you configure it to use. By default it listens for HTTP requests on tcp/8080, AJP requests on tcp/8009, and service management requests on tcp/8005.
This is configured in Connector elements in $CATALINA_HOME/conf/server.xml:
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
You should reconfigure Tomcat to listen on standard ports like tcp/80 for HTTP and tcp/443 for HTTPS. Non-standard ports are a ready indication of a novice deployment.
The AWS Security Group should be configured to allow HTTP, HTTPS, or both depending on your need. I highly recommend using HTTPS unless the information being transferred is public domain or has no value.
You can check what ports Tomcat is using on your EC2 instance with netstat -anpt. It will show all active and listen ports and the programs that have bound them (including java or tomcat for your Tomcat ports).
Unless you really need root access to the OS, you might want to consider using Amazon Elastic Beanstalk as it manages all that cruft for you.
I have a Node.js server listening on port 9000
Internally I can run "curl localhost:9000"
And it can retrieve the GET request.
But when I try and connect to the IP from the outside on port 9000, it doesn't work.
Do I need to open the port publicly?
It's an Amazon EC2 instance.
What do I need to do?
SOLVED:
Had to add a TCP inbound rule into security groups. Thank you very much.
VALUES:
Custom TCP Rule
TCP
0 - 9000
0.0.0.0/0
Sounds like a firewall issue. There are two things to look for, first is IPTABLES, which will show you the firewall rules on the local server. https://help.ubuntu.com/community/IptablesHowTo
With AWS instances, they also belong to Security Groups, and you will have to edit this security group to allow traffic on port 9000 as well. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
I am trying to use Node.js and socket.io to deliver a web app, which uses a WebSocket on port 3000.
I have opened port 3000 on my EC2 instance in my management console by adding the inbound TCP rule to the relevant security group, however I still can't access it via public dns on my browser.
sudo netstat -tulpn doesn't show it as an open port.
What am I missing? Is there some service I need to restart or a command line I need to push to get it running?
Thanks
sudo netstat -tulpn doesn't show it as an open port.
The netstat command will show which ports are being listened on by "some" process. So in this case, as you have mentioned, it seems like your application is not listening on port 3000.
First, fix your application and ensure that it is listening on port 3000.
Also, netstat has nothing to do with whether a port is opened/closed from a firewall perspective. It will tell you whether a given port is in LISTENING mode by some process.
Follow these steps:
Make sure your application is listening on port 3000:
netstat -anp | grep 3000
also telnet 127.0.0.1 3000
Then make sure that local firewall is configured to allow incoming access to port 3000
OR disable the local firewall for a quick test (service iptables stop). For Linux, it's usually iptables.
Allow incoming access to port 3000 in your AWS security group.
Please follow the above 3 points and let us know if you still face the same issue.
In addition to all the steps above, check if you have ufw (Uncomplicated Firewall) set up.
To check if you have ufw running do:
sudo ufw status
If it is running,
to allow port 3000 simply run the command
sudo ufw allow 3000
This solved the problem for me. I forgot that I had set up ufw a while back, and recently started using my AWS instance again.
I guess you made your changes using the AWS Management console.
But this just means that Amazon's system will allow message on port 3000 through their own security systems to your server.
Your EC2 server (you don't say whether it's Windows or Linux) may have its own firewall system that you have to open port 3000 on. You will have to look at the documentation for your server to see what settings you need to change.
I assume you've tried opening a browser on your EC2 instance and you can access the webapp from there.
Also, thinking laterally, if there are no other web servers running on your EC2 server why not change your node.js webapp to use port 80?
Had a similar problem, but I was using socket.io with SSL:
var fs = require('fs');
var path = require('path');
// app is the Express/connect application that also serves the pages
var https = require('https').createServer({
  key: fs.readFileSync(path.join(__dirname, '..', 'ssl.key'), 'utf8'),
  cert: fs.readFileSync(path.join(__dirname, '..', 'ssl.crt'), 'utf8')
}, app);
But the keys were wrong, so even though my AWS security was done, iptables was clear and nginx was serving the client js file, the request kept closing. So in Firefox I got net::ERR_CONNECTION_CLOSED and finally figured out that it might be the SSL failure.
I hope this helps somebody. I had followed an online tutorial that said I should add a security rule for 3000 TCP and link back to the security group identifier in the source.
That's wrong. Remove that line and just set up two custom TCP for port 3000 for IPv4 and IPv6. That fixed it for me.
Let me put my two cents here.
Resolved the issue by adding port 3000 to security groups for IPv4 and IPv6 and setting host in nuxt.config.js to '0.0.0.0'. This value makes Nuxt automatically find the "real" IP to listen on.
Here is how I was able to fix the problem:
Go to the EC2 instance page
In the "Security" tab, click on the link of the security group associated with the instance
In the Actions menu click "Edit inbound rules"
Add a rule with Custom TCP
And click "Save rules"
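The console steps above, the earlier advice to pick 'Custom TCP Rule' instead of HTTP, and the note that the rule is needed for both IPv4 and IPv6 all produce the same API object. This added Python example (not from any answer here) builds that object for boto3's authorize_security_group_ingress and refuses the kind of over-broad "0 - 9000" range one of the answers ended up with; the security group id is a placeholder.

```python
import ipaddress

def ingress_rule(port, cidrs=("0.0.0.0/0", "::/0"), to_port=None, allow_range=False):
    """Build one IpPermissions entry for EC2 authorize_security_group_ingress.
    This is the API form of the console's "Custom TCP Rule": protocol tcp, an
    explicit port, and one source entry per address family (IPv4 and IPv6)."""
    to_port = port if to_port is None else to_port
    if not 0 <= port <= to_port <= 65535:
        raise ValueError("invalid port range %s-%s" % (port, to_port))
    if to_port != port and not allow_range:
        # A range such as 0-9000 also exposes SSH (22) and Tomcat's 8005/8009,
        # not just the app port; open the one port the service actually uses.
        raise ValueError("refusing port range %s-%s; open a single port" % (port, to_port))
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": to_port,
            "IpRanges": [], "Ipv6Ranges": []}
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)   # raises ValueError on a malformed source
        if net.version == 4:
            perm["IpRanges"].append({"CidrIp": str(net)})
        else:
            perm["Ipv6Ranges"].append({"CidrIpv6": str(net)})
    return perm

def is_wide_open(perm):
    """True when the rule admits the whole internet on either address family.
    Fine for a public web port, worth a second look for anything else."""
    v4 = any(r["CidrIp"] == "0.0.0.0/0" for r in perm["IpRanges"])
    v6 = any(r["CidrIpv6"] == "::/0" for r in perm["Ipv6Ranges"])
    return v4 or v6

if __name__ == "__main__":
    # Apply the rule with boto3 (needs AWS credentials; the group id is a placeholder).
    import boto3
    ec2 = boto3.client("ec2")
    ec2.authorize_security_group_ingress(
        GroupId="sg-PLACEHOLDER",
        IpPermissions=[ingress_rule(3000)],
    )
```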
According to the following post, some networks only allow a connection to port 80 and 443:
Socket IO fails to connect within corporate networks
Edit: For clarification, the issue is when the end user is using a browser at work behind a corporate firewall. My server firewall setup is under my control.
I've read about Nginx using proxy_pass to Socket.io listening on another port (which I've read about disadvantages) and also reverse proxy using nodejitsu/node-http-proxy to pass non-node traffic to Nginx (which has other disadvantages). I am interested in considering all possible options.
After much searching, I did not find any discussion about the possibility of socket.io listening to port 443, like this:
var io = require('socket.io').listen(443);
Where the client would connect like this:
var socket = io.connect('http://url:443/', {secure: false, port: '443'});
Aside from forfeiting the use of https on that server, are there any other drawbacks to this? (For example, do corporate networks block non-SSL communications over port 443?)
Non-encrypted traffic on port 443 can work, but if you want compatibility with networks with paranoid and not-quite-competent security policies you should assume that somebody has "secured" themselves against it.
Regardless of silly firewalls you should use SSL-encrypted WebSockets, because WebSocket protocol is not compatible with HTTP (it's masquerading as such, but that's not enough) and will not work reliably with HTTP proxies.
For example O2 UK (and probably many other mobile ISPs) pipes all non-encrypted connections through their proxy to recompress images and censor websites. Their proxy breaks WebSocket connections and the only workaround for it is to use SSL (unless you're happy with Socket.IO falling back to jsonp polling...)
It really depends on what type of firewall is set up. If the ports are just blocked, then pretty much anything can run on ports 80 and 443. I have used this myself to get an ssh session to my home computer over port 80 when stuck behind a firewall at work.
There are a few firewalls that have more advanced filtering options, however. These can filter out traffic based on protocols in addition to the regular port filtering. I have even run up against one firewall in front of a server that would stop https traffic through an ssh tunnel somehow. These advanced filtering techniques are the rare exception by far, so you should be fine with just listening on 443 for most instances.
I think you should read the whole wiki article about Socket.IO and blocked ports (by antiviruses, firewalls etc):
https://github.com/LearnBoost/socket.io/wiki/Socket.IO-and-firewall-software