Applicable to:
- Plesk for Linux
Symptoms
- If Nginx is enabled, all sites return the following error:
504 Gateway Timeout error
502 Bad gateway
- Fail2ban is not installed or is disabled;
- Apache and nginx services are running;
- There are the following records in /var/log/httpd/error_log:
upstream timed out (110: Connection timed out) while reading response header from upstream
AH00072: make_sock: could not bind to address 127.0.0.1:7080
- There are the following records in /var/www/vhosts/example.com/logs/proxy_error_log:
[error] 18625#0: *8 connect() failed (111: Connection refused) while connecting to upstream
curl: (28) Failed to connect to 203.0.113.2 port 7081 after 129871 ms: Connection timed out
Cause
Firewall rules block local connections on ports 7080 and 7081, or some rules block the server's IP address, so Nginx is unable to connect to Apache.
Resolution
Check the Plesk firewall or the "iptables" utility and remove rules that block access to ports 7080 or 7081 or block access from the server's IP addresses.
- Install Plesk Firewall if it is not installed (see "How to install Plesk Firewall").
- Go to Plesk > Tools & Settings > Firewall > Modify Plesk Firewall Rules > Add Custom Rule and allow ports 7080/7081 for all internal IP addresses for Incoming/Outgoing.
- To do this manually, connect to the server via SSH.
Note: if direct SSH access to the server is not possible, contact the server administrator for further assistance.
- Add rules using the commands below:
# iptables -A INPUT -s 10.10.10.10 -p tcp -m tcp --dport 7081 -j ACCEPT
# iptables -A INPUT -s 10.10.10.10 -p tcp -m tcp --dport 7080 -j ACCEPT
# iptables -A OUTPUT -s 10.10.10.10 -p tcp -m tcp --sport 7081 -j ACCEPT
# iptables -A OUTPUT -s 10.10.10.10 -p tcp -m tcp --sport 7080 -j ACCEPT
NOTE: In addition, check any other similar tools and extensions installed on the server, for example Imunify360, DDoS Deflate Interface, or Bitninja, for similar rules that forbid the needed ports or block the server's IP addresses.
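The commands above use -A, which appends to the end of the chain, and iptables stops at the first rule with a terminating target, so an earlier DROP or REJECT still decides the connection. The sketch below is an added example, not Plesk's own tooling: it reads `iptables -S INPUT` output and reports which rule decides a connection. The function name, the constructed sample rule sets and the restriction to the -s, -p, --dport and -j options are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Plesk tooling). Reads `iptables -S INPUT` output on stdin
# and prints the first rule that decides a TCP connection from SRC to DPORT.
# Assumption: only -s, -p, --dport and -j are interpreted; rules with other
# matchers are reported on stderr and skipped; user chains are not followed.
first_verdict() {   # usage: iptables -S INPUT | first_verdict SRC DPORT
    awk -v src="$1" -v port="$2" '
    BEGIN      { policy = "UNKNOWN" }
    $1 == "-P" { policy = $3; next }
    $1 != "-A" { next }
    {
        n++; s = p = d = j = ""; other = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") s = $(++i)
            else if ($i == "-p") p = $(++i)
            else if ($i == "--dport") d = $(++i)
            else if ($i == "-m" && $(i + 1) == "tcp") i++
            else if ($i == "-j") { j = $(++i); break }
            else other = 1
        }
        sub(/\/32$/, "", s)
        if (j != "ACCEPT" && j != "DROP" && j != "REJECT") next
        if (other) { print "skipped rule " n ": " $0 > "/dev/stderr"; next }
        if (s != "" && s != src) next
        if (p != "" && p != "tcp" && p != "all") next
        if (d != "" && d != port) next
        print j " rule " n ": " $0; found = 1; exit
    }
    END { if (!found) print policy " policy" }'
}
# Constructed sample: chain after the ACCEPT rule was appended with -A.
sample_appended() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -s 10.10.10.10/32 -p tcp -m tcp --dport 7081 -j ACCEPT
EOF
}
# Constructed sample: same rule placed first, as `iptables -I INPUT 1 ...` does.
sample_inserted() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 10.10.10.10/32 -p tcp -m tcp --dport 7081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
EOF
}
sample_appended | first_verdict 10.10.10.10 7081   # DROP rule 2 decides
sample_inserted | first_verdict 10.10.10.10 7081   # ACCEPT rule 1 decides
```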
Comments
The issue should be highlighted in a stronger way. Is this configuration coming as a default "built in" Fire Wall rule, or is it still not coming?
Could it be better explained what the circumstances were that brought the Fire Wall to block those two ports to begin with?