Port 80 Websockets on EC2 falls to long polling - linux

I'm using a fresh ubuntu instance and got a sockjs server running on port 80. I can load it on the web browser but then it switches to long polling.
If I switch the port to 81 it all works fine. I even tried running my sockjs server on port 8000 and redirecting traffic from 80 to 8000 using iptables with no luck.
What could be causing this odd behaviour? I'm using EC2 with an Ubuntu 13.04 Linux VM
I have set all the firewall rules to allow traffic through, which it is going through since I can access it in the web browser its just its falling from websockets to using long polling which is really slow.

I did have some problem and add this to iptables to allow Websockets
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Related

How do I access my node.js server via public IP address?

I want to get a response from a remote node.js server by typing my public IP address into my browser. When I type my public IP into my browser on my personal computer, I get "Unable to Connect". My node.js server isn't connected to the World =(
I am running CentOS on a Linode (but I don't think either choice should matter to my question).
Via Terminal on my person computer (a Mac), I can successfully SSH as root into my Linode.
I have installed node.js successfully on my Linode.
I can compile and run a simple server on my Linode.
var http = require('http');//create a server object:
http.createServer(function (req, res) {
res.write('Hello World!'); //write a response
res.end(); //end the response
}).listen(3000, function(){
console.log("server start at port 3000");
});
I've tried:
Setting a hostname.
Changing the "hosts" file on my server.
Changing the port number in my node.js server (3000, 80, 8080, 3001, 0.0.0.0, etc).
Read literally 100 articles today about how to deploy a node.js server.
Searched Google, Stackoverflow, Linode forums, etc for threads that might help me.
I have zero idea what I'm doing wrong and would be so grateful for your help.
I eventually found the answer, thanks to Saddy's suggestion that the problem might be port forwarding.
1. I decided to use ports 3080 and 3443 for my node server.
2. I SSHed into my CentOs instance.
3. I disabled the default firewall, firewalld.
4. I set up port forwarding using iptables with the following commands:
firewalld stop
firewalld disable
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 25 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3080
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3443
iptables-save > /etc/sysconfig/iptables
After this, I was able to access my node server via a browser.

How to access the sails app with AWS EC2 Public IP

I have a sails webapp deployed in Aws EC2 Ubuntu instance. When I lift the sails in production mode(sails lift --prod --verbose) I can access my app by typing ip with port number (xx.xx.xxx.xx:1337). When i am trying to access it with Ec2 Public IP(xx.xx.xxx.xx). It is showing "This Webpage is not available".
Is it possible to access the app from Public IP??
Solved the Issue by editing my iptables to:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
Open 443 port i.e. HTTPS
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEP

Check if port forwarding worked for node server on AWS machine

I have deployed a node application that listens to port 5000 on a free usage tier ubuntu machine from AWS.
I've followed suggestions from:
How to start node.js on port 80 on a linux server?
and from: Best practices when running Node.js with port 80 (Ubuntu / Linode)
Answers to both these questions suggest port forwarding and I have done the same. But my server still doesn't respond to requests on port 80.
Is there a way I can check if the port forwarding was successful?
The permission settings to listen to HTTP requests have been setup through the AWS console.
Also there is nothing listening to port 80 on the machine as of now. netstat -l | grep :80 comes up empty.
The server runs fine if I access it as: http://<elastic-ip>:5000
You will not see port 80 listening since there is no daemon using that socket; the kernel is performing a packet redirect.
To check how many packets traversed the port forwarding rule you set up, inspect the PREROUTING chain on the nat tables with sudo iptables -t nat -L PREROUTING -n -v. It will show output like:
Chain PREROUTING (policy ACCEPT 15 packets, 1226 bytes)
pkts bytes target prot opt in out source destination
3 180 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3000
If you are testing from localhost, you must also redirect on OUTPUT since PREROUTING isn't used by the loopback interface. Do that with
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3000
And of course, check that port 80 is open to allow external traffic.

node.js on VirtualBox CentOS machine, no connection?

I've setup a CentOS 6.3 Box in a VirtualBox Machine, installed node.js and npm and wrote an example 'Hello World' Application which listens on port 8080 and IP '192.168.10.132' (this is the IP of the CentOS machine). The server starts correctly, but under 192.168.10.132:8080 on my host machine (Mac OS X 10.0.7) I always get an error.
Did I something wrong?
Generally I run into issues like this because I have not opened the port in iptables.
The following command will add the port to iptables
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT -m comment --comment "node.js port"
Then make sure to save your current config.
service iptables save
then you'll need to restart iptables
service iptables restart
For more info, check out the iptables docs here: http://wiki.centos.org/HowTos/Network/IPTables

apache not accepting incoming connections from outside of localhost

I've booted up a CentOS server on rackspace and executed yum install httpd'd. Then services httpd start. So, just the barebones.
I can access its IP address remotely over ssh (22) no problem, so there's no problem with the DNS or anything (I think...), but when I try to connect on port 80 (via a browser or something) I get connection refused.
From localhost, however, I can use telnet (80), or even lynx on itself and get served with no problem. From outside (my house, my school, a local coffee shop, etc...), telnet connects on 22, but not 80.
I use netstat -tulpn (<- I'm not going to lie, I don't understand the -tulpn part, but that's what the internet told me to do...) and see
tcp 0 0 :::80 :::* LISTEN -
as I believe I should. The httpd.conf says Listen 80.
I have services httpd restart'd many a time.
Honestly I have no idea what to do. There is NO way that rackspace has a firewall on incoming port 80 requests. I feel like I'm missing something stupid, but I've booted up a barebones server twice now and have done the absolute minimum to get this functioning thinking I had mucked things up with my tinkering, but neither worked.
Any help is greatly appreciated! (And sorry for the long winded post...)
Edit
I was asked to post the output of iptables -L. So here it is:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
In case not solved yet. Your iptables say:
state RELATED,ESTABLISHED
Which means that it lets pass only connections already established... that's established by you, not by remote machines. Then you can see exceptions to this in the next rules:
state NEW tcp dpt:ssh
Which counts only for ssh, so you should add a similar rule/line for http, which you can do like this:
state NEW tcp dpt:80
Which you can do like this:
sudo iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
(In this case I am choosing to add the new rule in the fourth line)
Remember that after editing the file you should save it like this:
sudo /etc/init.d/iptables save
CentOS 7 uses firewalld by default now. But all the answers focus on iptables. So I wanted to add an answer related to firewalld.
Since firewalld is a "wrapper" for iptables, using antonio-fornie's answer still seems to work but I was unable to "save" that new rule. So I wasn't able to connect to my apache server as soon as a restart of the firewall happened. Luckily it is actually much more straightforward to make an equivalent change with firewalld commands. First check if firewalld is running:
firewall-cmd --state
If it is running the response will simply be one line that says "running".
To allow http (port 80) connections temporarily on the public zone:
sudo firewall-cmd --zone=public --add-service=http
The above will not be "saved", next time the firewalld service is restarted it'll go back to default rules. You should use this temporary rule to test and make sure it solves your connection issue before moving on.
To permanently allow http connections on the public zone:
sudo firewall-cmd --zone=public --permanent --add-service=http
If you do the "permanent" command without doing the "temporary" command as well, you'll need to restart firewalld to get your new default rules (this might be different for non CentOS systems):
sudo systemctl restart firewalld.service
If this hasn't solved your connection issues it may be because your interface isn't in the "public zone". The following link is a great resource for learning about firewalld. It goes over in detail how to check, assign, and configure zones: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7
SELinux prevents Apache (and therefore all Apache modules) from making remote connections by default.
# setsebool -P httpd_can_network_connect=1
Try with below setting in iptables.config table
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Run the below command to restart the iptable service
service iptables restart
change the httpd.config file to
Listen 192.170.2.1:80
re-start the apache.
Try now.
If you are using RHEL/CentOS 7 (the OP was not, but I thought I'd share the solution for my case), then you will need to use firewalld instead of the iptables service mentioned in other answers.
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
And then check that it is running with:
firewall-cmd --permanent --zone=public --list-all
It should list 80/tcp under ports
Search for LISTEN directive in the apache config files (httpd.conf, apache2.conf, listen.conf,...) and if you see localhost, or 127.0.0.1, then you need to overwrite with your public ip.
Try disabling iptables: service iptables stop
If this works, enable TCP port 80 to your firewall rules:
run system-config-selinux from root, and enable TCP port 80 (HTTP) on your firewall.
this would work:
-- for REDHAT
use : cat "/etc/sysconfig/iptables"
iptables -I RH-Firewall-1-INPUT -s 192.168.1.3 -p tcp -m tcp --dport 80 -j ACCEPT
followed by
sudo /etc/init.d/iptables save
this is what worked for us to get the apache accessible from outside:
sudo iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
sudo service iptables restart
Set apache to list to a specific interface and port something like below:
Listen 192.170.2.1:80
Also check for Iptables and TCP Wrappers entries that might be interfering on the host with outside hosts accessing that port
Binding Docs For Apache
Disable SELinux
$ sudo setenforce 0

Resources