
Plesk websites are inaccessible with 504 Gateway Timeout with enabled firewall: Connection timed out


Applicable to:

  • Plesk for Linux

Symptoms

  • If Nginx is enabled, all sites return the following error:

      504 Gateway Timeout error

      502 Bad gateway

  • Fail2ban is not installed or disabled;
  • Apache and nginx services are running;
  • There are the following records in /var/log/httpd/error_log:

    upstream timed out (110: Connection timed out) while reading response header from upstream

    AH00072: make_sock: could not bind to address 127.0.0.1:7080

  • There are the following records in /var/www/vhosts/example.com/logs/proxy_error_log:

    [error] 18625#0: *8 connect() failed (111: Connection refused) while connecting to upstream

    curl: (28) Failed to connect to 203.0.113.2 port 7081 after 129871 ms: Connection timed out

Cause

Firewall rules block local connections on ports 7080 and 7081, or some rules block the server's IP address, so Nginx is unable to connect to Apache.

Resolution

Check the Plesk firewall or the "iptables" utility and remove rules that block access to ports 7080 or 7081 or block access from the server's IP addresses.


Manage rules via Plesk Firewall
  1. Install Plesk Firewall if it is not installed: How to install Plesk Firewall
  2. Go to Plesk > Tools & Settings > Firewall > Modify Plesk Firewall Rules > Add Custom Rule and allow ports 7080/7081 for all internal IP addresses for Incoming/Outgoing.


Adding rules directly from the server
  1. To do this manually, connect to the server via SSH

    Note: if direct SSH access to the server is not possible, contact the server administrator for further assistance.

  2. Add rules using the commands below:

    # iptables -A INPUT -s 10.10.10.10 -p tcp -m tcp --dport 7081 -j ACCEPT
    # iptables -A INPUT -s 10.10.10.10 -p tcp -m tcp --dport 7080 -j ACCEPT
    # iptables -A OUTPUT -s 10.10.10.10 -p tcp -m tcp --sport 7081 -j ACCEPT
    # iptables -A OUTPUT -s 10.10.10.10 -p tcp -m tcp --sport 7080 -j ACCEPT

 

NOTE: In addition, check any other similar tools and extensions installed on the server, for example Imunify360, DDoS Deflate Interface, or Bitninja, for similar rules that forbid the needed ports or block the server's IP addresses.
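
A read-only check for the Resolution step, as an added example that is not part of the original article: it reads `iptables -S` output and lists the DROP/REJECT rules that match port 7080/7081, the server's address, or all traffic. The rule listing is a constructed sample, `find_blocking_rules` is a hypothetical helper name, and 10.10.10.10 is assumed to stand for the server's own IP as in the commands above; only exact addresses are matched and negated (`!`) matches are not interpreted.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output (not taken from a real server).
SAMPLE_RULES='-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7080 -j DROP
-A INPUT -p tcp -m multiport --dports 8443,7000:7100 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 10.10.10.10/32 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -j DROP
-A OUTPUT -p tcp -m tcp --sport 7081 -j ACCEPT'

# find_blocking_rules SERVER_IP (hypothetical helper, assumption of this example)
# Reads `iptables -S` output on stdin and prints, in chain order, every
# DROP/REJECT rule that can stop nginx reaching Apache on 7080/7081.
find_blocking_rules() {
    awk -v ip="$1" '
    # True if a port spec ("7080", "7000:7100", "80,7081") covers port p.
    function covers(spec, p,    n, parts, i, r) {
        n = split(spec, parts, ",")
        for (i = 1; i <= n; i++) {
            if (split(parts[i], r, ":") == 2) {
                if (p >= r[1] + 0 && p <= r[2] + 0) return 1
            } else if (parts[i] + 0 == p) return 1
        }
        return 0
    }
    $1 != "-A" { next }                  # skip -P policies and -N chains
    {
        target = ""; ports = ""; addr = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-j") target = $(i + 1)
            else if ($i ~ /^--[sd]ports?$/) ports = $(i + 1)
            else if (($i == "-s" || $i == "-d") && ($(i + 1) == ip || $(i + 1) == ip "/32")) addr = 1
        }
        if (target != "DROP" && target != "REJECT") next
        if (ports != "" && (covers(ports, 7080) || covers(ports, 7081))) why = "port"
        else if (addr) why = "server-ip"
        else if ($3 == "-j") why = "catch-all"   # no match criteria at all
        else next
        print why ": " $0
    }'
}

# Live use (as root): iptables -S | find_blocking_rules 10.10.10.10
printf '%s\n' "$SAMPLE_RULES" | find_blocking_rules 10.10.10.10
```

iptables evaluates a chain from top to bottom and `-A` appends at the end, so any rule listed here is still matched before ACCEPT rules added with `-A` and has to be removed as the Resolution describes.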
