How do I troubleshoot an unresponsive website hosted on my EC2 instance?
Last updated: 2020-12-07
I can't connect to my public website hosted on my Amazon Elastic Compute Cloud (Amazon EC2) instance. How do I resolve this?
Short description
Websites running on an EC2 instance might become unreachable for multiple reasons. Check the following to make sure that the configuration settings on the instance are correct:
- Verify that the instance is running and passing both status checks.
- Verify that the instance boots correctly.
- Verify the instance's security group and network access control list (ACL) configuration.
- Verify that the instance has the correct DNS configuration.
- Verify that the web server is running and that there are no OS-level firewalls blocking access to ports.
Resolution
Verify that the instance is running and passing both status checks
Make sure that the instance is listed as running in the Amazon EC2 console.
For information on resolving status check issues, see Why is my EC2 Linux instance unreachable and failing one or both of its status checks?
Verify that the instance boots correctly
Check the instance's system logs for boot errors.
- For kernel panic errors, see I'm receiving a "Kernel panic" error after I've upgraded the kernel or tried to reboot my EC2 Linux instance. How can I fix this?
- For other operating system errors, see My EC2 Linux instance failed the instance status check due to operating system issues. How do I troubleshoot this?
Verify the instance's security group and network ACL configuration
- Make sure that the instance's associated security group and network ACL allow traffic on ports 80 and 443.
- Make sure that the route table in the instance's subnet has a default route to an internet gateway.
Verify that the instance has the correct DNS configuration
- If your website uses Route 53 DNS service, verify that you've configured the DNS records correctly.
- Make sure that the instance has an Elastic IP address assigned to it. If you stop and start your instance, the Elastic IP address remains associated with the instance.
- Make sure to map the public IP address or Elastic IP address to an A record.
Verify that the web server is running and that there are no OS-level firewalls blocking access to ports
Network ports are the communication endpoints that various services send requests to. These requests include users' website connection requests. Web servers generally listen on port 80 for HTTP traffic and use port 443 for traffic encrypted with TLS/SSL. If the web server isn't running, or firewalls block these ports, users can't connect to your website.
1. Remotely connect to the instance through SSH.
2. Run the systemctl status httpd command to verify the web server's status. The web server should be listening on port 80 or port 443. In the following example, the command returns information that the web server is inactive.
$ sudo systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: inactive (dead)
3. To restart the web server, run the following command:
$ sudo systemctl restart httpd
4. Run the following command to verify that the web server is now running:
$ sudo systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2020-11-19 14:40:15 UTC; 42s ago
Note: For older Linux systems running SystemV, use the following command to verify web server status:
$ sudo service httpd status
httpd is stopped
To restart a stopped web server on SystemV, use the following command:
$ sudo service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]
5. Run the following command to confirm that the web server is listening on port 80 or 443 for incoming connection requests from users:
$ sudo netstat -tulpn | grep httpd
tcp 0 0 :::80 :::* LISTEN 2961/httpd
6. Verify the status of OS-level firewalls. If you find an active firewall, make sure it allows requests on ports 80 and 443:
Amazon Linux, CentOS, and RHEL:
1. Run the following command to check whether iptables rules block incoming requests on ports 80 and 443. In the following example, every chain has an ACCEPT policy and no rules, so no requests are blocked:
$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2. Run the following command to allow port 80 to accept incoming HTTP connection requests:
$ sudo iptables -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
3. Run the following command to allow port 443 to accept incoming HTTPS connection requests:
$ sudo iptables -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
Amazon Linux 2 and RHEL 7 and above:
1. Run the following command to verify that firewalld is running:
$ sudo firewall-cmd --state
running
2. If firewalld is running, run the following commands to configure it to allow connections on ports 80 and 443. The last command in the following example reloads the service so that the new rules take effect:
$ sudo firewall-cmd --add-service=http --permanent
success
$ sudo firewall-cmd --add-service=https --permanent
success
$ sudo firewall-cmd --reload
success
Debian and Ubuntu servers:
1. Run the following command to check for a UFW firewall:
$ sudo ufw status verbose
Status: active
2. If UFW is running, use the following commands to allow incoming connection requests on ports 80 and 443:
$ sudo ufw allow in 80/tcp
Rule added
Rule added (v6)
$ sudo ufw allow 443/tcp
Rule added
Rule added (v6)
Check your web server access and error logs for issues. Web server logs are generally located in /var/log. This location might change, depending on your server configuration. The following are default web server log locations:
- Amazon Linux and RHEL: /var/log/httpd
- Debian and Ubuntu: /var/log/apache2
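The listener check and the iptables check from the steps above, as an added example that is not part of the original article: `listen_scope` reports whether a port's listener is reachable from outside or bound to loopback only, and `fw_verdict` applies iptables first-match ordering to show whether a rule appended with `-A` is ever reached. The function names and the sample ruleset and socket lines are constructed for illustration, and `fw_verdict` is a simplified model that ignores source addresses, port ranges, multiport and user-defined chains.

```shell
# listen_scope PORT  (stdin: `netstat -tulpn` output)
# Prints public, loopback (bound to 127.0.0.0/8 or ::1 only) or none.
listen_scope() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      n = split($4, part, ":")
      if (part[n] != port) next
      host = substr($4, 1, length($4) - length(part[n]) - 1)
      if (host ~ /^127\./ || host == "::1") lo = 1
      else pub = 1
    }
    END { print (pub ? "public" : (lo ? "loopback" : "none")) }'
}

# fw_verdict PORT  (stdin: `iptables -S INPUT` output)
# Prints the target of the first rule that matches a new external TCP
# connection to PORT, or the chain policy when no rule matches.
# Simplified: only -p, --dport, -i lo and --state/--ctstate are interpreted.
fw_verdict() {
  awk -v port="$1" '
    $1 == "-P" { policy = $3; next }
    $1 != "-A" || hit != "" { next }
    {
      ok = 1; target = ""
      for (i = 3; i < NF; i++) {
        v = $(i + 1)
        if ($i == "-p" && v != "tcp" && v != "all") ok = 0
        if ($i == "--dport" && v != port) ok = 0
        if ($i == "-i" && v == "lo") ok = 0
        if (($i == "--state" || $i == "--ctstate") && v !~ /NEW/) ok = 0
        if ($i == "-j") target = v
      }
      if (ok && target ~ /^(ACCEPT|DROP|REJECT)$/) hit = target
    }
    END { print (hit != "" ? hit : policy) }'
}

# Constructed samples: the appended port 80 rule sits below a REJECT-all rule,
# and the port 80 listener is bound to loopback only.
RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT'
SOCKETS='tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 2961/httpd
tcp 0 0 :::443 :::* LISTEN 2961/httpd'
echo "firewall 80: $(printf '%s\n' "$RULES" | fw_verdict 80)"
echo "listener 80: $(printf '%s\n' "$SOCKETS" | listen_scope 80)"
```

On a live instance, pipe `sudo iptables -S INPUT` into `fw_verdict 80` and `sudo netstat -tulpn` into `listen_scope 80`. A REJECT or DROP verdict after adding the ACCEPT rule means a blocking rule sits above it, so the ACCEPT rule has to be inserted ahead of that rule with `iptables -I` rather than appended.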