
I created a fresh EC2 instance, this is the setup:

Security Group

Inbound rules

IP version  Type   Protocol  Port range  Source
IPv4        HTTP   TCP       80          0.0.0.0/0
IPv6        HTTPS  TCP       443         ::/0
IPv6        HTTP   TCP       80          ::/0
IPv4        SSH    TCP       22          0.0.0.0/0
IPv4        HTTPS  TCP       443         0.0.0.0/0

Outbound rules

IP version  Type         Protocol  Port range  Source
IPv4        All traffic  All       All         0.0.0.0/0

Network ACL

Inbound rules

Rule number  Type         Protocol  Port range  Source     Allow/Deny
100          All traffic  All       All         0.0.0.0/0  Allow

Outbound rules

Rule number  Type         Protocol  Port range  Source     Allow/Deny
100          All traffic  All       All         0.0.0.0/0  Allow

I can SSH to the instance

I have a Docker container listening on ports 80 and 443

I can reach my services with HTTP, but not with HTTPS

Here are the commands I ran inside the EC2 instance to diagnose:

$ netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
$ sudo lsof -i            
COMMAND      PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd-n    458 systemd-network   19u  IPv4 787779      0t0  UDP ip-172-31-61-243.us-west-2.compute.internal:bootpc 
systemd-r    461 systemd-resolve   12u  IPv4  18575      0t0  UDP localhost:domain 
systemd-r    461 systemd-resolve   13u  IPv4  18576      0t0  TCP localhost:domain (LISTEN)
sshd         729            root    3u  IPv4  22237      0t0  TCP *:ssh (LISTEN)
sshd         729            root    4u  IPv6  22248      0t0  TCP *:ssh (LISTEN)
docker-pr    935            root    4u  IPv4  24209      0t0  TCP *:https (LISTEN)
docker-pr    946            root    4u  IPv6  23196      0t0  TCP *:https (LISTEN)
docker-pr    958            root    4u  IPv4  24260      0t0  TCP *:http (LISTEN)
docker-pr    965            root    4u  IPv6  24266      0t0  TCP *:http (LISTEN)
docker-pr  48173            root    4u  IPv4 118713      0t0  TCP *:mysql (LISTEN)
docker-pr  48178            root    4u  IPv6 118719      0t0  TCP *:mysql (LISTEN)

NO FIREWALLS in my instance

$ sudo service ufw status
● ufw.service - Uncomplicated firewall
     Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Mon 2021-08-02 16:53:17 UTC; 53min ago

$ sudo service iptables status
Unit iptables.service could not be found.

$ sudo service firewalld status
Unit firewalld.service could not be found.

And from my local computer:

$ nmap -p 443,22,80 44.234.254.49
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-02 14:31 CDT
Nmap scan report for ec2-44-234-254-49.us-west-2.compute.amazonaws.com (44.234.254.49)
Host is up (0.099s latency).

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https

$ nc -zv <dns>.us-west-2.compute.amazonaws.com 443
nc: connect to <dns>.us-west-2.compute.amazonaws.com port 443 (tcp) failed: Connection refused 

Any suggestions? I can run the commands you suggest to diagnose.

Ralexrdz
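Added example (not the poster's code and not from any answer on this page): a small Python triage helper that combines the two signals this thread collects by hand, the nmap port state seen from outside and the VPC flow log records for the instance's ENI, and reports which layer to inspect next. The nmap table is the one from the question; the account id, ENI, addresses and flow records are constructed samples, and the decision table is the usual reading of those signals (a `closed` port means the instance itself answered with a RST, so the security group and NACL already let the packet through), not an AWS-documented rule.

```python
import re
from dataclasses import dataclass

# Matches the PORT/STATE/SERVICE rows of nmap's table, e.g. "443/tcp closed https".
NMAP_ROW = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered|closed\|filtered)\s+\S+"
)


def parse_nmap(text):
    """Return {port: state} from nmap's port table."""
    states = {}
    for line in text.splitlines():
        m = NMAP_ROW.match(line.strip())
        if m:
            states[int(m.group(1))] = m.group(3)
    return states


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int  # 6 = TCP
    action: str    # ACCEPT or REJECT


def parse_flow_log(text):
    """Parse VPC flow log version 2 records in the default field order:
    version account-id interface-id srcaddr dstaddr srcport dstport protocol
    packets bytes start end action log-status."""
    records = []
    for line in text.splitlines():
        f = line.split()
        # Skip headers, other versions and NODATA/SKIPDATA records, whose
        # address and port fields are "-".
        if len(f) < 14 or f[0] != "2" or f[13] != "OK":
            continue
        records.append(FlowRecord(f[3], f[4], int(f[5]), int(f[6]), int(f[7]), f[12]))
    return records


def flow_actions(records, dstport, protocol=6):
    """Set of actions seen for a destination port: {"ACCEPT"}, {"REJECT"}, both or empty."""
    return {r.action for r in records if r.dstport == dstport and r.protocol == protocol}


VERDICTS = {
    "app_layer": "Port is open and reachable; look at TLS / reverse-proxy configuration.",
    "sg_or_nacl": "Packets were REJECTed before reaching the instance; review SG inbound and NACL rules.",
    "host_firewall": "Packets were ACCEPTed but nothing answered; check iptables/nftables/ufw on the host.",
    "no_flow_data": "No reply and no flow records; confirm the public IP maps to this ENI and that flow logs are on.",
    "no_listener": "Packets were ACCEPTed and the instance replied with RST: nothing accepts on that port. "
                   "With Docker a published port is DNATed to the container, so check the process inside it.",
    "inconsistent": "A closed (RST) state normally implies ACCEPT; re-check port, IP and time window.",
    "unknown": "Port not present in the nmap output.",
}


def diagnose(nmap_state, actions):
    """Map an nmap port state plus the flow-log actions for that port to a VERDICTS key."""
    if nmap_state == "open":
        return "app_layer"
    if nmap_state in ("filtered", "open|filtered"):
        if "REJECT" in actions:
            return "sg_or_nacl"
        return "host_firewall" if "ACCEPT" in actions else "no_flow_data"
    if nmap_state == "closed":
        return "no_listener" if "ACCEPT" in actions else "inconsistent"
    return "unknown"


def triage(nmap_text, flow_log_text, port):
    state = parse_nmap(nmap_text).get(port, "missing")
    actions = flow_actions(parse_flow_log(flow_log_text), port)
    return diagnose(state, actions)


# Port table from the question's nmap run.
NMAP_OUTPUT = """\
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https
"""

# Constructed sample flow log (fake account id, ENI and addresses), not the poster's logs.
FLOW_LOG = """\
2 123456789012 eni-0example1234 203.0.113.10 10.0.0.5 51234 443 6 3 180 1627912800 1627912860 ACCEPT OK
2 123456789012 eni-0example1234 203.0.113.10 10.0.0.5 51235 80 6 12 2400 1627912800 1627912860 ACCEPT OK
2 123456789012 eni-0example1234 203.0.113.10 10.0.0.5 51236 8443 6 1 60 1627912800 1627912860 REJECT OK
2 123456789012 eni-0example1234 - - - - - - - 1627912800 1627912860 - NODATA
"""

if __name__ == "__main__":
    for port in (22, 80, 443):
        key = triage(NMAP_OUTPUT, FLOW_LOG, port)
        print(f"{port}: {key} - {VERDICTS[key]}")
```

Run against the question's data this yields `no_listener` for 443: the `closed` state plus an ACCEPT record means the packet passed the security group and NACL and the instance's own TCP stack refused it, which is why the usual next step is `ss -lntp` on the host and inside the container rather than more security-group edits.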
  • Here are some FlowLogs @Tim s3://nxtagrovpclogs/AWSLogs/182358426106/vpcflowlogs/us-west-2/2021/08/02/182358426106_vpcflowlogs_us-west-2_fl-0adec760df5bec8a8_20210802T1950Z_375a1b70.log.gz and another s3://nxtagrovpclogs/AWSLogs/182358426106/vpcflowlogs/us-west-2/2021/08/02/182358426106_vpcflowlogs_us-west-2_fl-0adec760df5bec8a8_20210802T1955Z_dd172778.log.gz – Ralexrdz Aug 02 '21 at 20:00
  • You said you had problems reaching your docker container, which is what I mean by Container. You will need to analyse your own flow logs or pay someone to do it, it's quite time consuming. By reaching those ports I mean use EC2 to ping your container, connect on port 80 / 443 with curl or similar – Tim Aug 02 '21 at 20:09
  • @Tim Thanks for the insights – Ralexrdz Aug 02 '21 at 22:36
  • Security groups look good. I'd look at your home PC firewall, and see if you can curl to the https site from EC2 – Tim Aug 02 '21 at 23:13
  • Did you ever find the issue? I can't seem to open this port either, even though I have my inbound rules allowing it – Amon Feb 24 '22 at 04:44
  • @Amon I think it was a problem with my reverse-proxy, not my inbound rules or security groups. Sorry – Ralexrdz Mar 22 '22 at 20:55
  • @Ralexrdz I actually figured out the issue. The port was open but there was no service running on it. Thank you for the reply though – Amon Mar 22 '22 at 21:03

0 Answers