英文:
Unable to connect to AWS EC2 instance via http and https
问题
I've been fighting this one for a bit. This was meant to be a test so I know how to configure my ec2 for hosting my personal website. I created a test ec2 instance to set up a react web app. I am able to ssh into the instance via the AWS Console and via PuTTY (I am on a Windows machine).
Configuration
我已经为所有的IPv4出站流量和IPv4任何地方的入站流量(ssh、http、https)配置了我的VPC、子网、acl等。Ec2有一个弹性公共IP。因此,我不需要NAT网关(正确吗?)。
Main Issue
但是,当我尝试运行 sudo apt update 时,我收到了以下消息:
更新失败,出现了101错误代码。正如您下面所看到的,我觉得我的出站连接应该是开放的。
入站规则 - 子网
| 类型 | 协议 | 端口范围 | 源 |
|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 |
| SSH | TCP | 22 | 0.0.0.0/0 |
| HTTPS | TCP | 443 | 0.0.0.0/0 |
出站规则 - 子网
| 类型 | 协议 | 端口范围 | 源 |
|---|---|---|---|
| 所有流量 | TCP | 所有 | 0.0.0.0/0 |
路由表
我的路由表也有两个路由:
| 目标 | 目标 |
|---|---|
| 0.0.0.0/0 | IGW ID |
| CIDR | 本地 |
ACL - 入站
| 规则编号 | 类型 | 协议 | 端口范围 | 源 | 允许/拒绝 |
|---|---|---|---|---|---|
| 1 | HTTP | TCP | 80 | 0.0.0.0/0 | 允许 |
| 2 | SSH | TCP | 22 | 0.0.0.0/0 | 允许 |
| 100 | HTTPS | TCP | 443 | 0.0.0.0/0 | 允许 |
| * | 所有流量 | 所有 | 所有 | 0.0.0.0/0 | 拒绝 |
ACL - 出站
| 规则编号 | 类型 | 协议 | 端口范围 | 源 | 允许/拒绝 |
|---|---|---|---|---|---|
| 100 | 所有流量 | 所有 | 所有 | 0.0.0.0/0 | 允许 |
| * | 所有流量 | 所有 | 所有 | 0.0.0.0/0 | 拒绝 |
我还将弹性IP附加到实例上,因为我认为这将有助于入站流量的可达性。
我已经检查并通过 sudo ufw disable 禁用了Ubuntu防火墙。
此外
我无法ping通任何http或https地址。它们返回不可达。
我对一个 sudo apt update 中的失败端点的IP运行了可达性测试,结果是可达的。
我现在对任何建议都持开放态度(当然是关于安全的哈哈)。但我对VPC是新手,所以可能是我漏掉了一些基本的东西。然而,我要说的是,我已经在互联网上搜索了好几天,似乎没有什么能解决我的问题。或者至少已经推动我到了现在的位置。
总体目标是拥有一个公共IP,您可以通过https访问它,并查看一个托管的React应用程序示例。我不需要关于React的帮助 - 在这方面我没问题。主要关心的是连接性方面。
英文:
I've been fighting this one for a bit. This was meant to be a test so I know how to configure my ec2 for hosting my personal website. I created a test ec2 instance to set up a react web app. I am able to ssh into the instance via the AWS Console and via PuTTY (I am on a Windows machine).
Configuration
I have configured my VPC, subnet, acl, etc. for all outbound traffic on any IPv4 and inbound (ssh, http, https) traffic anywhere IPv4. Ec2 has an Elastic public IP. Therefore I do not need a NAT Gateway (Correct?).
Main Issue
Yet still when I try to run sudo apt update I am welcomed with:
The update fails with a 101 error code. As you can see below I feel like my outbound connection should be open.
Inbound Rules - Subnet
| Type | Protocol | Port Range | Source |
|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 |
| SSH | TCP | 22 | 0.0.0.0/0 |
| HTTPS | TCP | 443 | 0.0.0.0/0 |
Outbound Rules - Subnet
| Type | Protocol | Port Range | Source |
|---|---|---|---|
| All Traffic | TCP | All | 0.0.0.0/0 |
Routing Table
My routing table also has two routes:
| Destination | Target |
|---|---|
| 0.0.0.0/0 | IGW ID |
| CIDR | Local |
ACL - Inbound
| Rule Number | Type | Protocol | Port Range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 1 | HTTP | TCP | 80 | 0.0.0.0/0 | Allow |
| 2 | SSH | TCP | 22 | 0.0.0.0/0 | Allow |
| 100 | HTTPS | TCP | 443 | 0.0.0.0/0 | Allow |
| * | All Traffic | All | All | 0.0.0.0/0 | Deny |
ACL - Outbound
| Rule Number | Type | Protocol | Port Range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | All Traffic | All | All | 0.0.0.0/0 | Allow |
| * | All Traffic | All | All | 0.0.0.0/0 | Deny |
I have also attached an elastic IP to the instance as I figured that would help the reachability of inbound traffic.
I have checked and disabled the Ubuntu firewall via sudo ufw disable
Additionally
I am unable to ping any http or https addresses. They come back as unreachable.
I ran a reachability test to the IP of one of the failed endpoints in sudo apt update and what do you know.. it is reachable.
I am open to anything at this point (with regard to safety obviously haha). But I am new to VPC's so it is possible that I am missing something fundamental. However, I will say I have been scrounging the internet for days and nothing seems to fit my issue. Or it has at least pushed me to where I am now.
The overall outcome is to have a public IP that you can access via https and view a host react app example. I am not looking for assistance with the react stuff - I am fine in that regard. Mostly concerned with the connectivity aspect.
答案1
得分: 1
当发送HTTP请求时,请求是从您自己计算机上的随机端口发出的(在本例中为Amazon EC2实例)。虽然请求发送到端口80或端口443,但请求实际来自与特定请求相关联的端口号。
远程计算机将向该端口号发送响应。
例如,如果您向google.com发出请求,它可能来自端口12345。然后,Google将响应发送回您的IP地址和端口12345。
然而,您的NACL规则配置明确禁止此入站流量。因此,响应被阻止了。
解决方法: 您应该将NACL设置保持为"允许所有",无论是入站还是出站流量。很少需要在NACL中限制流量,相反,使用安全组来限制对资源的访问更为合适。
此外,我不建议使用PING来测试网络。它只会告诉您PING是否正常工作,不利于诊断其他问题。而且,安全组和NACL都需要允许ICMP协议才能正常工作(而您的不允许)。相反,集中精力使HTTP正常工作,因为那才是您实际需要的。
英文:
When an HTTP request is sent, the request comes from a random port on your own computer (in this case, the Amazon EC2 instance). While the request is sent TO port 80 or port 443, the request comes from a port number that is tied to the specific request being made.
The remote computer will send a response to that port number.
For example, if you make a request to google.com, it might come from port 12345. Google will then send the respond back to your IP address and port 12345.
However, your configuration of the NACL rules specifically disallows this incoming traffic. Thus, the responses are being blocked.
Resolution: You should leave NACL settings as "Allow All" for both inbound and outbound traffic. There is rarely a need to limit traffic in NACLS -- instead, use Security Groups to restrict access to resources.
Also, I do not recommend PING as a test of the network. All it does is tell you if PING is working and doesn't help for diagnosing other problems. Also, the security group and the NACL would both need to allow ICMP protocol for it to work (and yours don't). Instead, concentrate on getting HTTP to work, since that is what you actually want.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论