Cannot connect to an EC2 instance through web sockets - amazon-ec2

I am running an Akka HTTP service on port 8080 in my EC2 instance. It expects web socket connections, but normal HTTP should return 400 bad request.
I use this code to start Akka service:
Http().bindAndHandle(route, "localhost", 8080)
From the remote terminal I have this expected behavior, but not from outside.
$ wget ec2-XX-XXX-XX-XXX.compute-1.amazonaws.com:8080
--2017-10-01 15:27:31-- http://ec2-XX-XXX-XX-XXX.compute-1.amazonaws.com:8080/
Resolving ec2-XX-XXX-XX-XXX.compute-1.amazonaws.com... XX.XXX.XX.XXX
Connecting to ec2-XX-XXX-XX-XXX.compute-1.amazonaws.com|XX.XXX.XX.XXX|:8080... failed: Connection refused.
Here is my inbound rules configuration:
If I do netstat --listen -p the port 8080 does not appear.
Thanks!

I found out the problem. I should be binding the service to the private IP address of the EC2 instance.

Related

How to set proxy for connecting of MQTT bridge?

I have a mosquitto broker run on a linux behind my company proxy.
I have been configured a bridge to AWS same following: (mosquitto.conf)
connection bridge
address ec2-xxx-xxx-xxx-xxx.ap-northeast-1.compute.amazonaws.com:8089
remote_username admin
remote_password password
topic abc/raspi01 both 0
bridge_cafile /etc/pki/tls/certs/nginx-selfsigned.crt
bridge_insecure false
But when I start mosquitto service with command:
service mosquitto restart
In log file, There are some errors:
1554356888: mosquitto version 1.5.5 starting
1554356888: Config loaded from /etc/mosquitto/mosquitto.conf.
1554356888: Opening ipv4 listen socket on port 1883.
1554356888: Opening ipv6 listen socket on port 1883.
1554356888: Warning: Address family not supported by protocol
1554356888: Connecting bridge bridge (ec2-xxx-xxx-xxx-xxx.ap-northeast-1.compute.amazonaws.com:8089)
1554356888: Error creating bridge: Name or service not known.
1554356888: Warning: Unable to connect to bridge bridge.
1554356901: New connection from 127.0.0.1 on port 1883.
1554356901: New connection from 127.0.0.1 on port 1883.
1554356901: New client connected from 127.0.0.1 as mqtt_fd05fada.b70918 (c1, k60).
1554356901: New client connected from 127.0.0.1 as mqtt_2a3a025d.6c941e (c1, k60).
1554356919: Connecting bridge bridge (ec2-xxx-xxx-xxx-xxx.ap-northeast-1.compute.amazonaws.com:8089)
1554356919: Error creating bridge: Name or service not known.
1554356950: Connecting bridge bridge (ec2-xxx-xxx-xxx-xxx.ap-northeast-1.compute.amazonaws.com:8089)
1554356950: Error creating bridge: Name or service not known.
I things the cause is my company proxy.
I have tried with settings in mosquitto.service, but it not resolve.
[Unit]
Description=Mosquitto MQTT v3.1/v3.1.1 Broker
Documentation=man:mosquitto.conf(5) man:mosquitto(8)
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
NotifyAccess=main
ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
Environment="HTTPS_PROXY=http://user:pass#proxyhost:8800"
Environment="HTTP_PROXY=http://user:pass#proxyhost:8800"
Environment="NO_PROXY=127.0.0.1,localhost"
Restart=on-failure
[Install]
WantedBy=multi-user.target
Can any body help me? Thank so much.
You can not use a HTTP proxy for MQTT bridge connection (or any native MQTT connection). MQTT is a totally different protocol.
Only MQTT over Websockets would work via a HTTP proxy, but you can not configure mosquitto to run a bridge with MQTT over Websockets.
If one uses HTTP CONNECT before sending connect
in net_mosq.c
rc = connect(*sock, rp->ai_addr, rp->ai_addrlen);
One can accomplish this.
HTTP CONNECT is protocol agnostic, it works on underlying TCP protocol.

Access Docker Containers Host by DNS name

From my Spring Boot application deployed as a Docker container I need to be able to access the parent node (within a Swarm) by some kind of docker-exposed DNS name so that I can add it to a configuration file and was wondering if there was a DNS name exposed automatically by Docker for this purpose?
Another container that is scheduled on the same host running in "network_mode: host" is running Consul and advertising on port 8500 (real IP is 192.168.1.233).
If I run netstat on the Swarm node (ip 192.168.1.233) I can see it's listening on port 8500:
# netstat -anp | grep 8500
tcp6 0 0 :::8500 :::* LISTEN 25010/docker-proxy
I want to be able to define a connection string as configuration in the Spring Boot app on the swarm node to the local instance of Consul sheduled on the same physical host as the Spring Boot app.
If I refer to "localhost" within the Spring Boot container then there's nothing listening on the 8500 port, proven by running this after shelling into the Spring Boot container (using a sample Consul API call)
# wget http://localhost:8500/v1/status/leader
Connecting to localhost:8500 (127.0.0.1:8500)
wget: can't connect to remote host (127.0.0.1): Connection refused
I've also tried using "host.docker.internal" but that doesn't work:
# ping host.docker.internal
ping: bad address 'host.docker.internal'
The hosts are all Centos 7 hosts, and Docker version 18.09.1, build 4c52b90.
The firewalld service is disabled on all hosts.

Can't connect to remote PHP WebSocket server (Wrench) : ERR_CONNECTION_REFUSED

I'm trying to connect to a WebSocket server (PHP / Wrench) running on my webserver.
The configuration of the server looks like this:
$server = new \Wrench\Server("wss://localhost:8443");
$server->registerApplication('app',
new \Wrench\Application\EchoApplication());
$server->run();
I'm using port 8443 because I can't use 80 or 443 (Permission denied). The domain uses HTTPS so I have to use the wss: protocol.
I have no problem connecting to the PHP server when I run the script on my local machine (I just have to replace wss: by ws:).
When I run the server via SSH on my remote webserver, it seems to run correctly, but trying to connect to it via JS with the following call doesn't work:
var ws = new WebSocket("wss://dev.mydomain.net:8443/app");
I get an "Error in connection establishment: net::ERR_CONNECTION_REFUSED."
On my webserver panel control, the 8443 port (TCP) is open (in and out). When the PHP server is running, the command netstat -a | grep 8443 gives the following output, which I think should confirm it's open:
tcp 0 0 localhost:8443 *:* LISTEN
Is there an obvious detail I'm missing here?
I finally found a solution: instead of setting the URI of the server to localhost, I had to use 0.0.0.0. Now it works perfectly when I'm using HTTP (there's another problem when using HTTPS, but at least I have more information at this point).

Can't connect to public IP for EC2 instance

I have an EC2 instance which is running with the following security groups:
HTTP - TCP - 80 - 0.0.0.0/0
Custom UDP Rule - UDP - 1194 - 0.0.0.0/0
SSH - TCP - 22 - 0.0.0.0/0
Custom TCP Rule - TCP - 943 - 0.0.0.0/0
HTTPS - TCP - 443 - 0.0.0.0/0
However, when I try to access http://{PUBLIC_IP} or https://{PUBLIC_IP} in the browser, I get a "{IP} refused to connect" error. I'm new to AWS. Am I missing something here? What should I do to debug?
One way to debug this particular class of problem is to use netcat in order to determine where the problem lies.
If you run netcat against port 80 on the public IP address of your instance and just get a hang (no output at all), then most likely your security group isn't allowing traffic through. Here is an example from an EC2 instance that is in a security group that doesn't allow port 80 traffic inbound:
% nc -v 55.35.300.45 80
<just hangs>
Whereas if the security group is changed to allow port 80, but the EC2 instance doesn't have any process listening on port 80, you'll get the following:
% nc -v 55.35.300.45 80
nc: connectx to 52.38.300.43 port 80 (tcp) failed: Connection refused
Given that your browser gave you a similar "connection refused", most likely the problem is that there is no web server running on your instance. You can verify this by ssh'ing into the instance and seeing if you can connect to port 80 there:
ssh ec2-user#55.35.300.45
% nc -v localhost 80
nc: connect to localhost port 80 (tcp) failed: Connection refused
If you get something like the above, you're definitely not running a webserver.
I'm not sure if it's too late to help but I was stuck with a similar issue with my test server
SG Inbound: ssh -> 22
HTTP -> 80
NACL: default allow/deny settings
but still couldn't ping to the server from my browser, then I realize there's nothing running on the server that can serve the request, and I started httpd server (webserver) and it worked.
sudo yum -y install httpd
sudo service httpd start
this way you can test the connectivity if you are playing with SGs and NACLs and of course it's not the only way, just an example if you're figuring your System N/W out.
Have you installed webserver(ngingx/apache) to serve your requests. If so please share your the config files. (So that it will help to troubleshoot)
I think the reason is probably that you did not set up a web server for your EC2 instance, because if you try to access http://{PUBLIC_IP} or https://{PUBLIC_IP}, you need to have a background server to serve the http request as #Niranj Rajasekaran said.
By the way, by simply pinging the {PUBLIC_IP}, you could see if your connection to your EC2 instance is normal or not.
In command prompt or terminal, type
ping {PUBLIC_IP}
In my case, the server was running but available on just 127.0.0.1 so it refused connections from external hosts. To see if this is your situation, you can run
netstat -an | grep <port number>
If it says 127.0.0.1:<port number> instead of 0.0.0.0:<port number>, you have this problem.
Usually there's a flag or an argument in your server code somewhere to set the host to 0.0.0.0:
app.run(host='0.0.0.0') # flask example
However, in my case, I had already set this so I thought that couldn't possibly be the issue, which is how I ended up on this thread, which asks more generally about the problem. Unfortunately, I was using docker, and had set 0.0.0.0 on the container but was mapping that explicitly to 127.0.0.1 on the host in the docker-compose port-mapping:
ports:
- "127.0.0.1:<port number>:<port number>"
Changing that line to remove the host IP specification fixed the problem upon re-deploy:
ports:
- "<port number>:<port number>"

How to configure direct http access to EC2 instance?

This is a very basic Amazon EC2 question, but I'm stumped so here goes.
I want to launch an Amazon EC2 instance and allow access to HTTP on ports 80 and 8888
from anywhere. So far I can't even allow the instance to connect to on those ports using
its own IP address (but it will connect to localhost).
I configured the "default" security group for HTTP using the standard HTTP option on the management console (and also SSH).
I launched my instance in the default security group.
I connected to the instance on SSH port 22 twice and in one window launch an HTTP server
on port 80. In the other window I verify that I can connect to HTTP using the "localhost".
However when I try to access HTTP from the instance (or anywhere else) using either the public DNS or the Private IP address I het "connection refused".
What am I doing wrong, please?
Below is a console fragment showing the wget that succeeds and the two that fail run from the instance itself.
--2012-03-07 15:43:31-- http://localhost/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: /__whiff_directory_listing__ [following]
--2012-03-07 15:43:31-- http://localhost/__whiff_directory_listing__
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “__whiff_directory_listing__”
[ <=>
] 7,512 --.-K/s in 0.03s
2012-03-07 15:43:31 (263 KB/s) - “__whiff_directory_listing__” saved [7512]
[ec2-user#ip-10-195-205-30 tmp]$ wget http://ec2-50-17-2-174.compute-1.amazonaws.com/
--2012-03-07 15:44:17-- http://ec2-50-17-2-174.compute-1.amazonaws.com/
Resolving ec2-50-17-2-174.compute-1.amazonaws.com... 10.195.205.30
Connecting to ec2-50-17-2-174.compute-1.amazonaws.com|10.195.205.30|:80... failed:
Connection refused.
[ec2-user#ip-10-195-205-30 tmp]$ wget http://10.195.205.30/
--2012-03-07 15:46:08-- http://10.195.205.30/
Connecting to 10.195.205.30:80... failed: Connection refused.
[ec2-user#ip-10-195-205-30 tmp]$
The standard tcp sockets interface requires that you bind to a particular IP address when you send or listen. There are a couple of somewhat special addresses: localhost (which you're probably familiar with) which is 127.0.0.1. There's also a special address, 0.0.0.0 or INADDR_ANY (internet protocol, special shorthand for ANY ADDRESS). It's a way to listen on ANY or more commonly, ALL addresses on the host. This is a way to tell the kernel/stack that you're not interested in a particular IP address.
So, when you're setting up a server that listens to "localhost" you're telling the service that you want to use the special reserved address that can only be reached by users of this host, and while it exists on every host, making a connection to localhost will only ever reach the host you're making the request from.
When you want a service to be reachable everywhere (on a local host, on all interfaces, etc.) you can specify 0.0.0.0.
(0) It's silly but the first thing you need to do is to make sure that your web server is running.
(1) You need to edit your Security Group to let incoming HTTP packets access your website. If your website is listening on port 80, you need to edit the Security Group to open access to port 80 as mentioned above. If your website is listening on some other port, then you need to edit the Security Group to access that other port.
(2) If you are running a Linux instance, the iptables firewall may be running by default. You can check that this firewall is active by running
sudo service iptables status
on the command line. If you get output, then the iptables firewall is running. If you get a message "Firewall not running", that's pretty self-explanatory. In general, the iptables firewall is running by default.
You have two options: knock out the firewall or edit the firewall's configuration to let HTTP traffic through. I opted to knock out the firewall as the simpler option (for me).
sudo service iptables stop
There is no real security risk in shutting down iptables because iptables, if active, merely duplicates the functionality of Amazon's firewall, which is using the Security Group to generate its configuration file. We are assuming here that Amazon AWS doesn't misconfigure its firewalls - a very safe assumption.
(3) Now, you can access the URL from your browser.
(4) The Microsoft Windows Servers also run their personal firewalls by default and you'll need to fix the Windows Server's personal firewall, too.
Correction: by AWS default, AWS does not fire up server firewalls such iptables (Centos) or UAF (Ubuntu) when you are ordering the creation of new EC2 instances - That's why EC2 instances that are in the same VPC can ssh into each other and you can "see" the web server that you fired up from another EC2 instance in the same VPC.
Just make sure that your RESTful API is listening on all interfaces i.e. 0.0.0.0:portID
As you are getting connection refused (packets are being rejected) I bet it is iptables causing the problem. Try to run
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
and test the connection.
You will also need to add those rules permanently which you can do by adding the above lines into ie. /etc/sysconfig/iptables if you are running Red Hat.
Apparently I was "binding to localhost" whereas I needed to bind to 0.0.0.0 to respond to port 80 for the all incoming TCP interfaces (?). This is a subtlety of TCP/IP that I don't fully understand yet, but it fixed the problem.
Had to do the following:
1) Enable HTTP access on the instance config, it wasn't on by default only SSH
2) Tried to do nodejs server, so port was bound to 80 -> 3000 did the following commands to fix that
iptables -F
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo service iptables-persistent flush
Amazon support answered it and it worked instantly:
I replicated the issue on my end on a test Ubuntu instance and was able to solve it. The issue was that in order to run Tomcat on a port below 1024 in Ubuntu/Unix, the service needs root privileges which is generally not recommended as running a process on port 80 with root privileges is an unnecessary security risk.
What we recommend is to use a port redirection via iptables :-
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
I hope the above information helps.

Resources