What do I do if I cannot access a website hosted on an instance? - Elastic Compute Service

This topic describes how to troubleshoot the issue that a website hosted on an Elastic Compute Service (ECS) instance cannot be accessed.

Problem description

When you use a browser to access a website that is hosted on an ECS instance, you may encounter the following symptoms:

You are prompted that the website does not have an ICP filing or is not connected or that website content does not conform to the filing information.
The browser returns a numeric error code, such as a 403, 404, 502, or 503.
This is the first time that you build a website and the website cannot be accessed.
The website runs for an extended period of time and suddenly becomes inaccessible.
The Server Load Balancer (SLB) instance that is associated with the ECS instance cannot be used to access the website.
The website is accelerated by Content Delivery Network (CDN) and cannot be accessed.
The website is protected by Web Application Firewall (WAF) and cannot be accessed.

Causes

A website on an ECS instance may be inaccessible due to various reasons, including the following common reasons. Perform troubleshooting operations to identify the causes of the issue.

TCP port 80 is unavailable.
The web service is unavailable.
The website does not have an ICP filing.
An exception occurs in the resources or backend services of the website.
The website is not properly built.
An issue occurs on the website.

Note

Other factors may also lead to website access failures and exhibit different symptoms. For information about other causes of website access failures on ECS instances, see Troubleshoot the exceptions that occur when you access an ECS instance.

Troubleshooting methods

You can use one of the following methods to troubleshoot the issue.

Troubleshoot the issue based on the flowchart

You can troubleshoot the issue step by step, as shown in the following figure.

Troubleshoot the issue based on the symptom

You can select a solution based on the symptom.

You are prompted that the website does not have an ICP filing or is not connected or that website content does not conform to the filing information.
Do not launch your website online before you obtain an ICP filing for it, regardless of whether your website can be accessed by using an IP address or a domain name. Apply for an ICP filing for the IP address or domain name of your website. For more information, see ICP filing requirements for a regular website.
The browser returns a numeric error code, such as a 403, 404, 502, or 503.
In most cases, if the browser returns a numeric error code, the network between the client and the server runs as expected but an exception occurred in the resources or backend services of the website. For information about how to to troubleshoot the issue, see Analysis of common status code to websites running on an ECS instance.
This is the first time that you build a website and the website cannot be accessed.
Make sure that you follow the standard website building procedure to build the website. For more information about the procedure, see Quick start.
The website runs for an extended period of time and suddenly becomes inaccessible.
Check whether the web service and the backend database of the website are running. If the web service or the backend database is not running, check the relevant logs for error messages and resolve the issue based on the error messages.
Note
- In most cases, the log file of the web service is named access.log or error.log. For more information, go to the official website of the web service.
- Exceptions in the backend services of the website, such as PHP, Java, Tomcat, and database, can also result in website access failures. In this case, contact your website administrator.
The SLB instance that is associated with the ECS instance cannot be used to access the website.
If the ECS instance that hosts the website is associated with an SLB instance, the website access failure may be caused by exceptions in listener policies of the SLB instance. For information about how to troubleshoot the issue, see Why am I unable to access an SLB instance?
The website is accelerated by CDN and cannot be accessed.
Check whether the access failure is caused by the settings of the website and whether the website is accelerated by CDN. For information about how to troubleshoot the issue, see Troubleshoot unreachable websites after using Alibaba Cloud Content Delivery Network Acceleration.
The website is protected by WAF and cannot be accessed.
Check whether the access failure is caused by the settings of the website and whether traffic to the website is blocked by WAF. For information about how to troubleshoot the issue, see How do I troubleshoot website access exceptions?

Solutions

This section describes how to resolve the website access failure that is caused by unavailable TCP port 80 or by an unavailable web service.

Unavailable TCP port 80 or unavailable web service causes a website hosted on a Linux instance to be inaccessible

Note

In this section, an ECS instance that runs CentOS 7 is used. The operations that you must perform may vary based on the operating system of your instance.

Unavailable TCP port 80

Connect to the Linux instance.
For more information, see Connection methods.
Run the following command to check whether the web service listens on TCP port 80:
```
netstat -an | grep 80
```
The following sample command outputs indicate that the web service is already enabled and listens on TCP port 80. If an exception occurs, perform the operations described in You cannot access websites that run on ECS instances to resolve the exception.
```
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN # Listen to all IP addresses
```
```
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN # Listen only to the IP address 127.0.0.1 of the instance.
```
Note
If the web service listens only to 127.0.0.1 on TCP port 80, no external devices can access the web service. Configure the web service to listen to all IP addresses on TCP port 80.
Check whether TCP port 80 is open and can be reached.
1. Check whether security groups of the instance allow traffic on TCP port 80. If the security groups do not allow traffic on TCP port 80, add a rule to the security groups to allow traffic on the port. For information about how to add a rule, see Add a security group rule.
2. Check whether the firewall in the operating system of the instance is enabled. If the firewall is enabled, we recommend that you disable the firewall and use security groups instead to control traffic to or from the instance. For information about how to enable or disable the firewall, see Enable or disable the system firewall function for Linux instances.
3. Use the TELNET and traceroute commands to check whether TCP port 80 can be reached. For more information, see What do I do if I can ping an instance but I cannot ping a port of the instance?
Check whether the bandwidth of the instance is sufficient.
For more information, see Troubleshoot and resolve high load issues on Linux instances.
If the bandwidth of the instance is insufficient, upgrade the bandwidth. For more information, see Modify bandwidth configurations.

Unavailable web service

Connect to the Linux instance.
For more information, see Connection methods.
View the logs of the web service.
- Run one of the following commands based on the operating system of the instance to view the error logs of Apache.
  You can analyze and troubleshoot the issue based on the error logs.
  - If the instance runs a CentOS or Alinux operating system, run the following command to view the error logs of Apache:
```
less /var/log/httpd/error_log
```
  - If the instance runs a Ubuntu operating system, run the following command to view the error logs of Apache:
```
less /var/log/apache2/error.log
```
- Run the following command to view the error logs of NGINX.
  You can analyze and troubleshoot the issue based on the error logs.
```
less /var/log/nginx/error_log
```
Run the top command to view the operational status of the instance.
The following figure shows a sample command output. Check whether processes are running as expected.
In the preceding command output, load average has three values: 0.01, 0.02, and 0.03. These values indicate that the load average in the previous minute is 0.01, the load average in the previous 5 minutes is 0.02, and the load average in the previous 15 minutes is 0.03. In normal cases, if the load average value divided by the number of logical CPUs is greater than 5, the CPU is overloaded. This benchmark value may vary based on the actual CPU capabilities and system usage of instances. If the CPU is overloaded, you can find the process IDs (PIDs) that correspond to large %CPU values in the process list, identify the abnormal processes based on the COMMAND values, and then resolve the process exceptions.
View the monitoring data of the instance in the ECS console.
For more information, see View the monitoring information of an ECS instance.
- Check whether the instance has sufficient CPU and memory resources. If the CPU or memory resources of the instance are insufficient, perform the operations described in Resolve the high CPU utilization of a Linux instance.
- Check whether the bandwidth of the instance is sufficient. If the bandwidth of the instance is insufficient, upgrade the bandwidth. For more information, see Modify bandwidth configurations.
Run the following command to check whether the number of TCP connections that are established to port 80 on the instance exceeds the upper limit:
```
netstat -anp |grep 80 |grep tcp
```
The following figure shows a sample command output.
Run the following command to check the number of TCP connections:
```
netstat -anp |grep tcp |wc -l
```
Compare the number of TCP connections with the net.ipv4.tcp_max_tw_buckets value that is configured in the /etc/sysctl.conf file. The net.ipv4.tcp_max_tw_buckets parameter specifies the maximum number of TCP connections that are allowed for the instance. If the number of TCP connections exceeds the net.ipv4.tcp_max_tw_buckets value, perform the following steps:
1. Run the vi /etc/sysctl.conf command to edit the /etc/sysctl.conf file and view the value of net.ipv4.tcp_max_tw_buckets parameter.
  If the number of TCP connections is large and about to exceed the maximum number, increase the value of net.ipv4.tcp_max_tw_buckets based on your business requirements.
2. Run the sysctl -p command to make the configurations take effect.

Unavailable TCP port 80 or unavailable web service causes a website hosted on a Windows instance to be inaccessible

Note

In this section, an ECS instance that runs Windows Server 2012 R2 is used. The operations that you must perform may vary based on the operating system of your instance.

Unavailable TCP port 80

Connect to the Windows instance.
For more information, see Connection methods.
Start Command Prompt.
1. In the lower-left corner of the desktop, click the icon and then click the icon.
2. In the search box, enter cmd.
3. Click Command Prompt.
  Open the Command Prompt window.
Run the following command to check whether the web service listens on TCP port 80:
```
netstat -ano | findstr :80
```
The following sample command outputs indicate that the web service is already enabled and listens on TCP port 80. If an exception occurs, perform the operations described in You cannot access websites that run on ECS instances to resolve the exception.
```
TCP    0.0.0.0:80           0.0.0.0:0              LISTENING       1172 # Listen to all IP addresses.
TCP    127.0.0.1:80         0.0.0.0:0              LISTENING       1172 # Listen only to the IP address 127.0.0.1 of the instance.
```
Note
If the web service listens only to 127.0.0.1 on TCP port 80, only the instance can access the web service. Run the netsh http delete iplisten ipaddress= 127.0.0.1:80 command to configure the web service to listen to all IP addresses on TCP port 80.
Check whether TCP port 80 is open and can be reached.
1. Check whether security groups of the instance allow traffic on TCP port 80. If the security groups do not allow traffic on TCP port 80, add a rule to the security groups to allow traffic on the port. For information about how to add a rule, see Add a security group rule.
2. Check whether the firewall in the operating system of the instance is enabled. If the firewall is enabled, we recommend that you disable the firewall and use security groups instead to control traffic to or from the instance. For information about how to enable or disable the firewall, see Configure firewall policies on a Windows Server instance.
3. Use the TELNET and tracert commands to check whether TCP port 80 can be reached . For more information, see What do I do if I can ping an instance but I cannot ping a port of the instance?
Check whether the bandwidth of the instance is sufficient.
For more information, see What do I do if the bandwidth utilization or CPU utilization of a Windows instance is high or reaches 100%?
If the bandwidth of the instance is insufficient, upgrade the bandwidth. For more information, see Modify bandwidth configurations.

Unavailable web service

Connect to the Windows instance.
For more information, see Connection methods.
Use one of the following methods to view the logs of the web service:
- Method 1: View the logs in the log folder.
  In Windows Server 2008 R2 or later, web service logs are stored in the C:\inetpub\logs\LogFiles path.
- Method 2: Use Internet Information Services (IIS) Manager.
  1. Choose > Windows Administrative Tools > Internet Information Services (IIS) Manager.
  2. In the IIS section on the Default Web Site page, click Logging. Then, click Explore in the Actions column.
  3. On the Logging page, set Directory to the actual path where web service logs are stored on your instance, copy the path to File Explorer, and then press the Enter key.
    You can view the log folder in File Explorer.
View the operational status of the instance in Task Manager to identify abnormal processes.
1. Right-click the desktop and select Task Manager.
2. Click the Processes tab.
  You can check the CPU utilization and memory usage of processes in Task Manager and identify abnormal processes.
View the monitoring data of the instance in the ECS console.
For more information, see View the monitoring information of an ECS instance.
- Check whether the instance has sufficient CPU and memory resources. If the CPU or memory resources of the instance are insufficient, perform the operations described in What do I do if the bandwidth utilization or CPU utilization of a Windows instance is high or reaches 100%?.
- Check whether the bandwidth of the instance is sufficient. If the bandwidth of the instance is insufficient, upgrade the bandwidth. For more information, see Modify bandwidth configurations.
Check whether the number of TCP connections that are established to port 80 on the instance exceeds the upper limit.
1. Start Command Prompt.
  1. In the lower-left corner of the desktop, click the icon and then click the icon.
  2. In the search box, enter cmd.
  3. Click Command Prompt.
    Access the Command Prompt window.
Run the following commands in sequence to check the numbers of TCP connections in different states:
```
netstat -n |find /i "time_wait" /c
netstat -n |find /i "close_wait" /c
netstat -n |find /i "established" /c
```
By default, 16,384 dynamic ports in the range of port 49152 to port 65535 are available. If the number of TCP connections in the CLOSE_WAIT state is close to the number of dynamic ports, a large number of TCP connections in the CLOSE_WAIT state are not closed. Proceed to the next step and reduce the value of the TcpTimedWaitDelay registry key. The TcpTimedWaitDelay registry key determines the length of time that a TCP connection stays in the TIME_WAIT state before the connection is closed.
Start Registry Editor.
1. In the lower-left corner of the desktop, click the icon and then click the icon.
2. In the search box, enter regedit.
3. Click regedit.
  Open the Registry Editor window.
Browse to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters path and set the TcpTimedWaitDelay key to the decimal value 30.
If the TcpTimedWaitDelay key does not exist, perform the following operations to create the key and change its value:
1. In the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters path in the Registry Editor window, right-click a blank area in the right-side pane and choose New > DWORD (32-bit) Value.
2. Enter TcpTimedWaitDelay and press the Enter key.
3. Right-click TcpTimedWaitDelay and select Modify.
4. In the dialog box that appears, select Decimal and change the value in the Value data field to 30.
5. Click OK.