How do I troubleshoot an unresponsive website hosted on my EC2 instance?

Last updated: 2021-05-06

I can't connect to my public website hosted on my Amazon Elastic Compute Cloud (Amazon EC2) instance. How do I resolve this?

Short description

Websites running on an EC2 instance might become unreachable for multiple reasons. Check the following to make sure that the configuration settings on the instance are correct:

  • Verify that the instance is running and passing both status checks.
  • Verify that the instance boots correctly.
  • Verify the instance's security group and network access control list (ACL) configuration.
  • Verify that the instance has the correct DNS configuration.
  • Verify that the web server is running and that there are no OS-level firewalls blocking access to ports.

Note: If you enabled EC2 Serial Console for Linux, you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without the need for a working network connection. You can access the serial console using the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).

Before using the serial console, grant access to it at the account level. Then, create AWS Identity and Access Management (IAM) policies granting access to your IAM users. Also, every instance using the serial console must include at least one password-based user. If your instance is unreachable and you haven’t configured access to the serial console, follow the instructions in Method 2, 3, or 4. For information on configuring the EC2 Serial Console for Linux, see Configure access to the EC2 Serial Console.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Resolution

Verify that the instance is running and passing both status checks

Make sure that the instance is listed as running in the Amazon EC2 console.

For information on resolving status check issues, see Why is my EC2 Linux instance unreachable and failing one or both of its status checks?

Verify that the instance boots correctly

Verify the instance's security group and network ACL configuration

Verify that the instance has the correct DNS configuration

Verify that the web server is running and that there are no OS-level firewalls blocking access to ports

Network ports are the communication endpoints that various services send requests to. These requests include users' website connection requests. Web servers generally listen on port 80 for HTTP traffic and use port 443 for traffic encrypted with TLS/SSL. If the web server isn't running, or firewalls block these ports, then users can't connect to your website.

1.    Remotely connect to the instance through SSH.

2.    Run the systemctl status httpd command to verify the web server's status. The web server must be listening on port 80 or port 443. In the following example, the command returns information that the web server is inactive.

$ sudo systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: inactive (dead)

3.    To restart the web server, run the following command:

$ sudo systemctl restart  httpd

4.    Run the following command to verify that the web server is now running:

$ sudo systemctl status httpd
 httpd.service - The Apache HTTP Server
 Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
 Active: active (running) since Thu 2020-11-19 14:40:15 UTC; 42s ago

Note: For older Linux systems running SystemV, use the following command to verify web server status:

$ sudo service httpd status
httpd is stopped

To restart a stopped web server on SystemV, use the following command:

$ sudo service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]

5.    Run the following command to confirm that the web server is listening on port 80 or 443 for incoming connection requests from users:

$ sudo netstat -tulpn | grep httpd
tcp        0      0 :::80                       :::*                        LISTEN      2961/httpd

6.    Verify the status of OS-level firewalls. If you find an active firewall, make sure that it allows requests on ports 80 and 443:

Amazon Linux, CentOS, and RHEL:

1.    Run the following command to verify that the iptables rules block incoming requests on ports 80 and 443:

$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

2.    Run the following command to allow port 80 to accept incoming HTTP connection requests:

$ sudo iptables -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT

3.    Run the following command to allow port 443 to accept incoming HTTPS connection requests:

$ sudo iptables -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT

Amazon Linux 2 and RHEL 7 and above:

1.    Run the following command to verify that firewalld is running:

$ sudo firewall-cmd --state
running

2.    If firewalld is running, then run the following commands to configure it to allow connections on ports 80 and 443. The last command in the following example reloads the service so that the new rules take effect:

$ sudo firewall-cmd --add-service=http --permanent
success
$ sudo firewall-cmd --add-service=https --permanent
success
$ sudo firewall-cmd --reload
success

Debian and Ubuntu servers:

1.    Run the following command to check for a UFW firewall:

$ sudo ufw status verbose
Status: active

2.    If UFW is running, use the following command to allowing incoming connection requests on ports 80 and port 443:

$ sudo ufw allow in 80/tcp
Rule added
Rule added (v6)
$ sudo ufw allow 443/tcp
Rule added
Rule added (v6)

Check your web server access error logs for issues. Web server logs are generally located at /var/log. This location might change, depending on your server configuration. The following are default web server log locations:

  • Amazon Linux and RHEL: /var/log/httpd
  • Debian and Ubuntu: /var/log/apache2

Did this article help?


Do you need billing or technical support?