
Relative newbie to AWS having recently migrated servers. Everything was working fine yesterday, but today when I try to go to the site (enablie.co.uk) I receive a 504 error. Domain is registered with 123-reg, but everything else is configured in AWS (EC2, Classic LB, Route 53, AWS SSL certificate).

I also cannot SSH into the instance (again - this was fine yesterday), but I do not get an error message - it just seems to hang (so I can write more text, but am not actually connected as ec2-user). Have tried with both public DNS and IP as IP seemed to work for some users, but no luck.

The only difference I have noticed with the site is that yesterday it said it was partially secure (grey exclamation mark on Chrome) and today it looks fully secure (green padlock on chrome).

I have followed the 504 steps I can, but most of them seem to require access to the instance to update various settings (e.g. disabling TCP_DEFER_ACCEPT).

I have run server diagnostics which suggests the server is slower than average, but doesn't seem to point to any obvious issues.

I assume it's an error in my configuration, but don't know where to start looking given it's a new error.

UPDATE

EC2 security groups (Launch-Wizard-3): Inbound: HTTP TCP 80 0.0.0.0/0
HTTP TCP 80 ::/0
SSH TCP 22 <>
HTTPS TCP 443 0.0.0.0/0
HTTPS TCP 443 ::/0

Outbound: All traffic All All 0.0.0.0/0

Loadbalancer security groups:
sg-1a518b72, launch-wizard-3 (as above) launch-wizard-3 created 2017-11-17T10:51:21.644+00:00
sg-36df045e, default default VPC security group
sg-bedf04d6, launch-wizard-1 launch-wizard-1 created 2017-11-16T10:45:07.276+00:00

default inbound: All traffic All All sg-36df045e (default)

Outbound: All traffic All All 0.0.0.0/0

Launch-wizard-1

Inbound: HTTP TCP 80 0.0.0.0/0
HTTP TCP 80 ::/0
SSH TCP 22 0.0.0.0/0
Custom TCP Rule TCP 20 - 21 0.0.0.0/0
Custom TCP Rule TCP 20 - 21 ::/0
Custom TCP Rule TCP 1024 - 1048 0.0.0.0/0
Custom TCP Rule TCP 1024 - 1048 ::/0
HTTPS TCP 443 0.0.0.0/0
HTTPS TCP 443 ::/0

Outbound: All traffic All All 0.0.0.0/0

Loadbalancer listeners: HTTP : 80 arn...7b8328a1e9739fe6 N/A N/A Default: forwarding to enabliecouk

HTTPS : 443 arn...22d722bdd042040a ELBSecurityPolicy-2016-08 Default: daff3a00-ff9e-40c2-a4b7-95499cd8b250 (ACM) Default: forwarding to enabliecouk

Healthcheck: Protocol HTTP Path / Port traffic port Healthy threshold 5 Unhealthy threshold 2 Timeout 5 Interval 30 Success codes 200

When I use ssh -v I get the following:

OpenSSH_7.5p1, LibreSSL 2.5.4
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 52: Applying options for *
ssh: Could not resolve hostname enabliecouk.pem: nodename nor servname provided, or not known

UPDATE 2

Without changing any settings (though admittedly I had set up the bastion host and removed unnecessary security groups from the load balancer - not sure these would have made a difference as they hadn't done originally), both site and SSH were working again. However, 30 mins later I am getting the 504 error again. Is this a common problem with AWS/just bad luck, or would the above changes have made it temporarily work?

Lisa J
  • Have you checked that your IP is whitelisted in the AWS security group? – TidyDev Nov 20 '17 at 14:40
  • 1
    Can I check what security group you mean? I haven't specifically whitelisted it in the security groups option, but did try adding it to the Network ACLs and it didn't make a difference. Should I be adding it to the security group? – Lisa J Nov 20 '17 at 14:46
  • To check that you are allowed through the AWS firewall to SSH into the EC2 instance, go to EC2 > Security Groups. From here port 22 should be whitelisted for your IP address for inbound traffic. – TidyDev Nov 20 '17 at 14:52
  • Thanks - have just updated that, but still hanging. – Lisa J Nov 20 '17 at 14:57
  • It sounds like your security groups are probably not setup correctly. Please edit your question to list the rules in the security group assigned to the EC2 instance(s) and the rules in the security group assigned to the load balancer. Also information about your load balancer's listener configuration and the load balancer's health check status for each target instance would be helpful. – Mark B Nov 20 '17 at 14:59
  • Updated above - thanks. – Lisa J Nov 20 '17 at 15:14
  • Although you've given a lot more info there are many many possibilities of different configuration options that could lead to different problems. I'd probably start by ssh'ing to the public IP address of the server. If that didn't work I'd set up a separate ssh bastion host (google it) and use that to connect to the private IP of the host. – Vorsprung Nov 20 '17 at 16:24
  • Had already tried with public IP and no luck. Have just set up ssh bastion host and getting the same problem - it's saying ssh: connect to host 172.31.0.0 port 22: Operation timed out – Lisa J Nov 20 '17 at 16:53
  • This is the message I get when I use ssh -v: OpenSSH_7.5p1, LibreSSL 2.5.4 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 52: Applying options for * ssh: Could not resolve hostname enabliecouk.pem: nodename nor servname provided, or not known – Lisa J Nov 20 '17 at 17:04
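An added example, not part of the question or any comment above, that evaluates the security-group rules listed in the question the way the EC2 firewall does: it reports whether a given client address would be admitted on a port (no matching rule means the SYN is silently dropped, which shows up as SSH "hanging" rather than "connection refused") and flags rules that expose an admin port to every address. The rule data is constructed from the post; 203.0.113.10/32 is a placeholder for the redacted "<>" SSH source in launch-wizard-3.

```python
import ipaddress

# Rules copied from the question as (proto, from_port, to_port, cidr).
# Constructed data; the /32 on port 22 stands in for the redacted "<>".
LAUNCH_WIZARD_3 = [
    ("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 80, 80, "::/0"),
    ("tcp", 22, 22, "203.0.113.10/32"),      # placeholder admin address
    ("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 443, 443, "::/0"),
]
LAUNCH_WIZARD_1 = [
    ("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 80, 80, "::/0"),
    ("tcp", 22, 22, "0.0.0.0/0"),            # SSH open to the world
    ("tcp", 20, 21, "0.0.0.0/0"), ("tcp", 20, 21, "::/0"),
    ("tcp", 1024, 1048, "0.0.0.0/0"), ("tcp", 1024, 1048, "::/0"),
    ("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 443, 443, "::/0"),
]

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def allows(rules, proto, port, source_ip):
    """Return the first rule admitting source_ip to proto/port, else None.

    Security groups are allow-only and stateful, so a packet that matches
    no rule is dropped without any reply: the client just times out.
    """
    src = ipaddress.ip_address(source_ip)
    for rproto, lo, hi, cidr in rules:
        if rproto not in (proto, "all") or not lo <= port <= hi:
            continue
        net = ipaddress.ip_network(cidr)
        # An IPv4 client can never match a ::/0 rule and vice versa.
        if src.version == net.version and src in net:
            return (rproto, lo, hi, cidr)
    return None


def world_open_admin(rules):
    """List (service, cidr) pairs where an admin port is open to a /0.

    Run this over every group attached to the instance: the instance
    is reachable if ANY attached group allows the traffic.
    """
    hits = []
    for _proto, lo, hi, cidr in rules:
        if ipaddress.ip_network(cidr).prefixlen != 0:
            continue
        hits.extend((name, cidr) for p, name in ADMIN_PORTS.items()
                    if lo <= p <= hi)
    return hits
```

Running the checks against both groups shows the difference the comments are pointing at: launch-wizard-3 admits SSH only from the listed address, while launch-wizard-1 admits it from anywhere.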
