Score:2

Can't open port 443 on AWS EC2 fresh instance

I created a fresh EC2 instance, this is the setup:

Security Group

Inbound rules

IP version  Type   Protocol  Port range  Source
IPv4        HTTP   TCP       80          0.0.0.0/0
IPv6        HTTPS  TCP       443         ::/0
IPv6        HTTP   TCP       80          ::/0
IPv4        SSH    TCP       22          0.0.0.0/0
IPv4        HTTPS  TCP       443         0.0.0.0/0

Outbound rules

IP version  Type         Protocol  Port range  Source
IPv4        All traffic  All       All         0.0.0.0/0

Network ACL

Inbound rules

Rule number  Type         Protocol  Port range  Source     Allow/Deny
100          All traffic  All       All         0.0.0.0/0  Allow

Outbound rules

Rule number  Type         Protocol  Port range  Source     Allow/Deny
100          All traffic  All       All         0.0.0.0/0  Allow

I can SSH to the instance

I have a Docker container listening to 80 and 443 ports

I can reach my services with http, but not with https

Here are the commands I run inside the EC2 instance to diagnose

$ netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
$ sudo lsof -i            
COMMAND      PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd-n    458 systemd-network   19u  IPv4 787779      0t0  UDP ip-172-31-61-243.us-west-2.compute.internal:bootpc 
systemd-r    461 systemd-resolve   12u  IPv4  18575      0t0  UDP localhost:domain 
systemd-r    461 systemd-resolve   13u  IPv4  18576      0t0  TCP localhost:domain (LISTEN)
sshd         729            root    3u  IPv4  22237      0t0  TCP *:ssh (LISTEN)
sshd         729            root    4u  IPv6  22248      0t0  TCP *:ssh (LISTEN)
docker-pr    935            root    4u  IPv4  24209      0t0  TCP *:https (LISTEN)
docker-pr    946            root    4u  IPv6  23196      0t0  TCP *:https (LISTEN)
docker-pr    958            root    4u  IPv4  24260      0t0  TCP *:http (LISTEN)
docker-pr    965            root    4u  IPv6  24266      0t0  TCP *:http (LISTEN)
docker-pr  48173            root    4u  IPv4 118713      0t0  TCP *:mysql (LISTEN)
docker-pr  48178            root    4u  IPv6 118719      0t0  TCP *:mysql (LISTEN)

NO FIREWALLS in my instance

$ sudo service ufw status
● ufw.service - Uncomplicated firewall
     Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Mon 2021-08-02 16:53:17 UTC; 53min ago

$ sudo service iptables status
Unit iptables.service could not be found.

$ sudo service firewalld status
Unit firewalld.service could not be found.

And from my local computer

$ nmap -p 443,22,80 44.234.254.49
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-02 14:31 CDT
Nmap scan report for ec2-44-234-254-49.us-west-2.compute.amazonaws.com (44.234.254.49)
Host is up (0.099s latency).

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https

$ nc -zv <dns>.us-west-2.compute.amazonaws.com 443
nc: connect to <dns>.us-west-2.compute.amazonaws.com port 443 (tcp) failed: Connection refused 

Any suggestion? I can run the commands you suggest to diagnose
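The nmap and nc output above already separate the two cases that matter here: 443 comes back "closed" (connection refused, i.e. a RST from the host), not "filtered" (no reply), so the security group and NACL are passing the port and the listener is what needs checking. The following is an added example, not code from the question or the commenters, that makes that three-way distinction explicit and then checks whether an open 443 actually speaks TLS; hostnames, ports and function names are assumptions.

```python
import socket
import ssl


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for a TCP connect to host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"           # three-way handshake completed
    except ConnectionRefusedError:
        return "closed"         # RST came back: the host answered, nothing is accepting
    except OSError:
        return "filtered"       # timeout / unreachable: dropped before reaching a listener
    finally:
        s.close()


def explain(state):
    """Map the probe result to the layer worth inspecting next."""
    return {
        "open": "handshake OK; if HTTPS still fails, test the TLS layer (speaks_tls)",
        "closed": "host network stack reachable, SG and NACL pass the port; "
                  "check that the container / reverse proxy really serves on it",
        "filtered": "no reply: security group, NACL or a host firewall is dropping it",
    }[state]


def speaks_tls(host, port, timeout=3.0):
    """On an open port, check whether a TLS server answers; returns (ok, detail)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # diagnosing reachability here, not certificate trust
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as e:
        return False, "port open but not speaking TLS: %s" % e.reason
    except OSError as e:
        return False, str(e)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed target
    for port in (22, 80, 443):
        state = probe(host, port)
        print(port, state, "->", explain(state))
        if port == 443 and state == "open":
            print("   TLS:", speaks_tls(host, port))
```

Run it once from the instance itself (python3 probe.py 127.0.0.1) and once from outside against the public name; if the inside run says "closed" on 443, the fix is in the container or proxy configuration, not in AWS.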

Ralexrdz (asker): Here are some FlowLogs @Tim s3://nxtagrovpclogs/AWSLogs/182358426106/vpcflowlogs/us-west-2/2021/08/02/182358426106_vpcflowlogs_us-west-2_fl-0adec760df5bec8a8_20210802T1950Z_375a1b70.log.gz And other s3://nxtagrovpclogs/AWSLogs/182358426106/vpcflowlogs/us-west-2/2021/08/02/182358426106_vpcflowlogs_us-west-2_fl-0adec760df5bec8a8_20210802T1955Z_dd172778.log.gz

Tim: You said you had problems reaching your docker container, which is what I mean by Container. You will need to analyse your own flow logs or pay someone to do it, it's quite time consuming. By reaching those ports I mean use EC2 to ping your container, connect on port 80 / 443 with curl or similar

Ralexrdz (asker): @Tim Thanks for the insights

Tim: Security groups look good. I'd look at your home PC firewall, and see if you can curl to the https site from EC2

Amon: Did you ever find the issue? I can't seem to open this port either even though I have my inbound rules allowing it

Ralexrdz (asker): @Amon I think it was a problem with my reverse-proxy, not my inbound rules or security groups. Sorry

Amon: @Ralexrdz I actually figured out the issue. The port was open but there was no service running on it. Thank you for the reply though