How do I troubleshoot an unresponsive website hosted on my EC2 instance?
Last updated: 2021-05-06
I can't connect to my public website hosted on my Amazon Elastic Compute Cloud (Amazon EC2) instance. How do I resolve this?
Websites running on an EC2 instance might become unreachable for multiple reasons. Check the following to make sure that the configuration settings on the instance are correct:
- Verify that the instance is running and passing both status checks.
- Verify that the instance boots correctly.
- Verify the instance's security group and network access control list (ACL) configuration.
- Verify that the instance has the correct DNS configuration.
- Verify that the web server is running and that there are no OS-level firewalls blocking access to ports.
Note: If you enabled EC2 Serial Console for Linux, you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without the need for a working network connection. You can access the serial console using the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).
Before using the serial console, grant access to it at the account level. Then, create AWS Identity and Access Management (IAM) policies granting access to your IAM users. Also, every instance using the serial console must include at least one password-based user. If your instance is unreachable and you haven’t configured access to the serial console, follow the instructions in Method 2, 3, or 4. For information on configuring the EC2 Serial Console for Linux, see Configure access to the EC2 Serial Console.
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Verify that the instance is running and passing both status checks
Make sure that the instance is listed as running in the Amazon EC2 console.
For information on resolving status check issues, see Why is my EC2 Linux instance unreachable and failing one or both of its status checks?
Verify that the instance boots correctly
Check the instance's system logs for boot errors.
- For kernel panic errors, see I'm receiving a "Kernel panic" error after I've upgraded the kernel or tried to reboot my EC2 Linux instance. How can I fix this?
- For other operating system errors, see My EC2 Linux instance failed the instance status check due to operating system issues. How do I troubleshoot this?
Verify the instance's security group and network ACL configuration
- Make sure that the instance's associated security group and network ACL allow traffic on port 80 and 443.
- Make sure that the route table in the instance's subnet has a default route to an internet gateway.
Verify that the instance has the correct DNS configuration
- If your website uses Route 53 DNS service, verify that you've configured the DNS records correctly.
- Make sure that the instance has an Elastic IP address assigned to it. If you stop and start your instance, the Elastic IP address remains associated with the instance.
- Make sure to map the public IP address or Elastic IP address to an A-record.
Verify that the web server is running and that there are no OS-level firewalls blocking access to ports
Network ports are the communication endpoints that various services send requests to. These requests include users' website connection requests. Web servers generally listen on port 80 for HTTP traffic and use port 443 for traffic encrypted with TLS/SSL. If the web server isn't running, or firewalls block these ports, then users can't connect to your website.
2. Run the systemctl status httpd command to verify the web server's status. The web server must be listening on port 80 or port 443. In the following example, the command returns information that the web server is inactive.
$ sudo systemctl status httpd httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: inactive (dead)
3. To restart the web server, run the following command:
$ sudo systemctl restart httpd
4. Run the following command to verify that the web server is now running:
$ sudo systemctl status httpd httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: active (running) since Thu 2020-11-19 14:40:15 UTC; 42s ago
Note: For older Linux systems running SystemV, use the following command to verify web server status:
$ sudo service httpd status httpd is stopped
To restart a stopped web server on SystemV, use the following command:
$ sudo service httpd restart Stopping httpd: [FAILED] Starting httpd: [ OK ]
5. Run the following command to confirm that the web server is listening on port 80 or 443 for incoming connection requests from users:
$ sudo netstat -tulpn | grep httpd tcp 0 0 :::80 :::* LISTEN 2961/httpd
6. Verify the status of OS-level firewalls. If you find an active firewall, make sure that it allows requests on ports 80 and 443:
Amazon Linux, CentOS, and RHEL:
1. Run the following command to verify that the iptables rules block incoming requests on ports 80 and 443:
$ sudo iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
2. Run the following command to allow port 80 to accept incoming HTTP connection requests:
$ sudo iptables -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
3. Run the following command to allow port 443 to accept incoming HTTPS connection requests:
$ sudo iptables -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
Amazon Linux 2 and RHEL 7 and above:
1. Run the following command to verify that firewalld is running:
$ sudo firewall-cmd --state running
2. If firewalld is running, then run the following commands to configure it to allow connections on ports 80 and 443. The last command in the following example reloads the service so that the new rules take effect:
$ sudo firewall-cmd --add-service=http --permanent success $ sudo firewall-cmd --add-service=https --permanent success $ sudo firewall-cmd --reload success
Debian and Ubuntu servers:
1. Run the following command to check for a UFW firewall:
$ sudo ufw status verbose Status: active
2. If UFW is running, use the following command to allowing incoming connection requests on ports 80 and port 443:
$ sudo ufw allow in 80/tcp Rule added Rule added (v6) $ sudo ufw allow 443/tcp Rule added Rule added (v6)
Check your web server access error logs for issues. Web server logs are generally located at /var/log. This location might change, depending on your server configuration. The following are default web server log locations:
- Amazon Linux and RHEL: /var/log/httpd
- Debian and Ubuntu: /var/log/apache2