What do I do if I cannot access a website hosted on an instance? - Elastic Compute Service

This topic explains how to diagnose and resolve issues preventing access to a website hosted on an Elastic Compute Service (ECS) instance.

Problem description

When attempting to access a website hosted on an ECS instance using a browser, you may encounter symptoms such as:

Messages indicating the website lacks an ICP filing, is not connected, or the content does not match the filing information.
Numeric error codes from the browser, such as 403, 404, 502, or 503.
The website is newly built and cannot be accessed.
The website has been running for a while and suddenly becomes inaccessible.
The website cannot be accessed through the associated Server Load Balancer (SLB) instance.
The website, accelerated by Content Delivery Network (CDN), cannot be accessed.
The website, protected by Web Application Firewall (WAF), cannot be accessed.

Causes

Inaccessibility of a website on an ECS instance can be due to various factors. To identify the cause, follow these troubleshooting steps:

TCP port 80 is not available.
The web service is not available.
The website does not have an ICP filing.
There is an exception in the website's resources or backend services.
The website is not properly built.
There is an issue with the website.

Note

There are many potential factors and symptoms that can cause website access issues. For detailed information about the causes of website access issues on ECS instances, see Troubleshooting and guidance for ECS instance access issues.

Troubleshooting methods

To troubleshoot the issue of an inaccessible website hosted on an ECS instance, consider the following methods:

Troubleshoot by using a flowchart

Follow the step-by-step process outlined in the flowchart below.

Select a solution based on the symptom

Choose a solution corresponding to the specific symptom you're experiencing.

Message about lacking an ICP filing or content not matching the filing information.

Do not launch your website before obtaining an ICP filing, whether it's accessible via an IP address or a domain name. For more information, see General website ICP filing.
Numeric error code from the browser.

Numeric error codes typically indicate that the network between the client and the server is functioning, but there's an issue with the website's resources or backend services.
First-time website build inaccessible.

Make sure that you follow the standard website building procedure to build the website. For more information about the website building procedure, see Website building from scratch.
Website suddenly becomes inaccessible after running for a period.

Check if the web service and backend database are operational. If not, review the logs for error messages and address the issues accordingly.
Note
- Web service logs are typically named access.log or error.log. Visit the web service's official website for more information.
- Exceptions in backend services like PHP, Java, Tomcat, or the database can cause website access failures. In such cases, contact your website administrator.
Website inaccessible through the associated SLB instance.

If an SLB instance is in use, the problem may be due to an abnormal listener policy. For more information, see Cannot access the website hosted on an ECS instance through Server Load Balancer (SLB).
Website accelerated by CDN is inaccessible.

First, determine if the issue is with the website itself. For troubleshooting steps, see Troubleshooting steps for websites that cannot be accessed after being accelerated by CDN.
Website protected by WAF is inaccessible.

First, determine if the issue is with the website itself, then check for a false positive from WAF. For more information, see Cannot access the website protected by Web Application Firewall (WAF).

Solutions

This section provides solutions for website access failure caused by unavailable TCP port 80 or an unavailable web service:

TCP port 80 and web service are unavailable, causing the website hosted on a Linux instance to be inaccessible

Note

This section uses a CentOS 7 ECS instance as an example. Steps may vary depending on your instance's operating system.

TCP port 80 is unavailable

Connect to the Linux ECS instance.

For more information, see Overview of ECS connection methods.
Run the following command to check if the web service is listening on TCP port 80.
```
netstat -an | grep 80
```
The sample command output below indicates that the web service is enabled and listening on TCP port 80. If an exception occurs, refer to Web service is unavailable for troubleshooting.
```
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN # Listen to all IP addresses
```
```
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN # Listen to local IP address
```
Note
If the web service listens only to 127.0.0.1 on TCP port 80, external devices cannot access it. Configure the web service to listen on all IP addresses on TCP port 80.
Check if TCP port 80 is open and reachable.
1. Verify that the instance's security group allows traffic on TCP port 80. If not, add a security group rule. For more information, see Add a security group rule.
2. Verify if the operating system's firewall on the instance is active. If active, it is advisable to disable the firewall and utilize security groups for protection. For more information, see how to enable or disable the Linux system firewall.
3. Use the telnet and traceroute commands to verify connectivity to TCP port 80. For more information, see the troubleshooting method for a server that can be pinged but has an unreachable port.
Check if the instance has sufficient bandwidth.

For more information, see Query and analyze the system load of a Linux instance.

If the bandwidth is insufficient, consider upgrading the instance's bandwidth. For more information, see or Modify bandwidth configurations.

Web service is unavailable

Connect to the Linux ECS instance.

For more information, see an overview of ECS connection methods.
View the logs of the web service.
- Run the following command to view the error logs of Apache.
  
  Analyze and troubleshoot the issue based on the error logs.
  - CentOS or Alinux:
```
less /var/log/httpd/error_log
```
  - Ubuntu:
```
less /var/log/apache2/error.log
```
- Run the following command to view the error logs of NGINX.
  
  Analyze and troubleshoot the issue based on the error logs.
```
less /var/log/nginx/error_log
```
Run the top command to view the operational status of the instance.

Check whether processes are running as expected. The following figure shows a sample command output.

The load average values 0.01, 0.02, and 0.03 represent the average system load over the past 1 minute, 5 minutes, and 15 minutes, respectively. Normally, if the load average divided by the number of logical CPUs is greater than 5, the CPU is considered overloaded. This benchmark may vary depending on the CPU capabilities and system usage. In such cases, check the %CPU value of the process with a high PID in the process list to locate the abnormal process, identified by the COMMAND value. Then, address the issue according to your system conditions.
View the monitoring data of the instance in the ECS console.

For more information, see View Instance Monitoring Information.
- Check if the CPU and memory of the instance are sufficient. If not, refer to Troubleshooting ideas for high CPU usage on ECS Linux instances for solutions.
- Check if the instance's bandwidth is sufficient. If it is insufficient, consider upgrading the bandwidth. For more information, see or Modify bandwidth configurations.
Run the following command to check if the number of TCP connections to port 80 on the instance exceeds the upper limit.
```
netstat -anp |grep 80 |grep tcp
```
The following figure shows a sample command output.
Run the following command to check the number of TCP connections:
```
netstat -anp |grep tcp |wc -l
```
Compare the number of TCP connections with the maximum value of the net.ipv4.tcp_max_tw_buckets parameter in the /etc/sysctl.conf file. If the number of connections exceeds the maximum, perform the following steps:
1. Edit the /etc/sysctl.conf file by running the vi /etc/sysctl.conf command and locate the net.ipv4.tcp_max_tw_buckets parameter.
  
  If the number of TCP connections is high and frequently hits the limit, increase the net.ipv4.tcp_max_tw_buckets value as needed.
2. Apply the changes by running the sysctl -p command.

TCP port 80 and web service are unavailable, causing the website hosted on a Windows instance to be inaccessible

Note

This section uses an ECS instance running Windows Server 2012 R2. Operations may vary depending on your instance's operating system.

TCP port 80 is unavailable

Connect to the Windows ECS instance.
For more information, see an overview of ECS connection methods.
Start Command Prompt.
1. Click the icon in the lower-left corner of the desktop, and then click the icon.
2. Enter cmd in the search box.
3. Click Command Prompt.
  Enter Command Prompt.
Run the following command to check if the web service listens on TCP port 80.
```
netstat -ano | findstr :80
```
The sample command output below shows that the web service is enabled and listening on TCP port 80. In case of an exception, refer to Web service is unavailable for troubleshooting steps.
```
TCP    0.0.0.0:80           0.0.0.0:0              LISTENING       1172 # Listen to all IP addresses
TCP    127.0.0.1:80         0.0.0.0:0              LISTENING       1172 # Listen to local IP address
```
Note
If the web service only listens to 127.0.0.1 on TCP port 80, external devices cannot access it. Run the netsh http delete iplisten ipaddress=127.0.0.1:80 command to configure the web service to listen on all IP addresses on TCP port 80.
Check if TCP port 80 is open and reachable.
1. Verify that the instance's security group permits traffic on port 80. If it doesn't, you can add a security group rule. For more information, see how to add a security group rule.
2. Verify if the operating system's firewall on the instance is active. If active, it is advisable to disable the firewall and utilize security groups for protection. For more information, see the Windows system firewall policy configuration guide.
3. You can use the telnet and tracert commands to verify connectivity to port 80. For more information, see the troubleshooting method for a server that can be pinged but has an unreachable port.
Check if the instance's bandwidth is sufficient.
For more information, see Troubleshooting High Bandwidth and CPU Usage on Windows Instances.
If the bandwidth is insufficient, you can upgrade the instance's bandwidth. For more information, see or Modify bandwidth configurations.

Web service is unavailable

Connect to the Windows ECS instance.
For more information, see an overview of ECS connection methods.
Examine the web service logs.
- Method 1: Access the logs within the log folder.
  For Windows Server 2008 R2 and later versions, the log path is: C:\inetpub\logs\LogFiles.
- Method 2: Use Internet Information Services (IIS) Manager.
  1. Select > Windows Administrative Tools > Internet Information Services (IIS) Manager.
  2. In the IIS section of the homepage for the web service you want to view, click Logging, then click Browse in the Actions column.
  3. On the Logging page, adjust the log storage path to suit your needs, copy the relevant address, paste it into File Explorer, and press the Enter key.
    You can view the corresponding log folder in File Explorer.
Check the operational status of the instance in Task Manager to identify abnormal processes.
1. Right-click on the desktop and select Task Manager.
2. Click the Processes tab.
  In Task Manager, you can monitor CPU and memory usage to identify abnormal processes.
Review the monitoring data of the instance in the ECS console.
For more information, see View Instance Monitoring Information.
- Ensure that the instance has adequate CPU and memory resources. If resources are insufficient, refer to Troubleshooting high bandwidth and CPU usage on Windows instances for guidance.
- Verify that the instance's bandwidth is sufficient. If not, consider upgrading the instance's bandwidth. For more information, see or Modify bandwidth configurations.
Verify if the number of TCP connections to port 80 on the instance exceeds the upper limit.
1. Start Command Prompt.
  1. Click the icon in the lower-left corner of the desktop, and then click the icon.
  2. Enter cmd in the search box.
  3. Click Command Prompt.
    Enter Command Prompt.
Execute the following commands in sequence to check the numbers of TCP connections in different states:
```
netstat -n |find /i "time_wait" /c
netstat -n |find /i "close_wait" /c
netstat -n |find /i "established" /c
```
The default number of dynamic ports is 16384, ranging from 49152 to 65535. If the number of close_wait connections approaches the number of dynamic ports, it suggests that many close_wait connections are not being released. Proceed to the next step to modify the registry to reduce the Time Wait duration.
Start Registry Editor.
1. Click the icon in the lower-left corner of the desktop, and then click the icon.
2. Enter regedit in the search box.
3. Click regedit.
  Enter Registry Editor.
In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and set the TcpTimedWaitDelay registry entry to the decimal value 30.
If the TcpTimedWaitDelay registry entry is missing, you need to create it and then adjust the value data accordingly. The instructions below illustrate the process using the scenario where TcpTimedWaitDelay is absent:
1. Right-click the blank area in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters path, select New > DWORD (32-bit) Value.
2. Type TcpTimedWaitDelay and press the Enter key.
3. Right-click the TcpTimedWaitDelay entry and click Modify.
4. In the dialog box, select Decimal and set the Value Data to 30.
5. Click OK.