How to Fix Apache Connection Refused on AWS EC2
1. The Root Cause
On AWS EC2, “Connection Refused” typically indicates that the network request is being blocked at a layer before the Apache process can respond, or Apache itself is not running or listening correctly. The most frequent culprits are restrictive AWS Security Group rules preventing inbound traffic on the expected ports (e.g., 80/443) or the Apache HTTP server daemon being stopped or misconfigured to listen only on the loopback interface (127.0.0.1).
2. Quick Fix (CLI)
These commands address common on-instance issues like a stopped Apache service or an internal firewall block.
# 1. Check Apache service status (for RHEL/CentOS/Amazon Linux)
sudo systemctl status httpd
# (Alternatively for Debian/Ubuntu)
# sudo systemctl status apache2
# 2. If Apache is stopped, start it
sudo systemctl start httpd
# (Alternatively for Debian/Ubuntu)
# sudo systemctl start apache2
# 3. Enable Apache to start on boot automatically
sudo systemctl enable httpd
# (Alternatively for Debian/Ubuntu)
# sudo systemctl enable apache2
# 4. If Apache is running but still exhibiting issues, restart it
sudo systemctl restart httpd
# (Alternatively for Debian/Ubuntu)
# sudo systemctl restart apache2
# 5. Check instance's internal firewall (e.g., firewalld on RHEL/CentOS/Amazon Linux)
sudo firewall-cmd --list-all
# If port 80 or 443 is not listed, add it:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
# (Alternatively for UFW on Debian/Ubuntu)
# sudo ufw status
# If 'Status: active' and 80/443 are blocked:
# sudo ufw allow 'Apache Full'
# Or specifically:
# sudo ufw allow 80/tcp
# sudo ufw allow 443/tcp
3. Configuration Check
Review Apache’s main configuration file to ensure it’s listening on the correct network interfaces and ports.
File to edit:
- For RHEL/CentOS/Amazon Linux: /etc/httpd/conf/httpd.conf
- For Debian/Ubuntu: /etc/apache2/ports.conf or /etc/apache2/apache2.conf
Lines to change: Locate the Listen directives. Ensure Apache is configured to listen on all available network interfaces for the relevant ports (80 for HTTP, 443 for HTTPS). If it is configured to listen only on 127.0.0.1, external connections will be refused.
# Example snippet from httpd.conf or ports.conf:
# Make sure these lines are present and uncommented:
Listen 80
Listen 443
# If you find 'Listen 127.0.0.1:80', change it to 'Listen 80' or 'Listen 0.0.0.0:80'
# 'Listen 80' with no address binds every interface (IPv4 and IPv6);
# '0.0.0.0' explicitly binds to all IPv4 interfaces only.
# After any changes, always validate configuration syntax:
sudo apachectl configtest
# Then restart Apache:
sudo systemctl restart httpd
# (Alternatively for Debian/Ubuntu)
# sudo systemctl restart apache2
4. Verification
After applying fixes, verify Apache is running and accessible.
# 1. Confirm Apache service is active
sudo systemctl status httpd
# Expected output includes 'Active: active (running)'
# 2. Verify Apache is listening on the expected ports
sudo ss -tulnp | grep -E ':(80|443)\s'
# -p shows the owning process; the anchored pattern avoids false matches on e.g. 8080 or a PID.
# Expected output should show apache2 or httpd listening on 0.0.0.0:80, 0.0.0.0:443 (or *:80, *:443), not 127.0.0.1.
# Example: LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1234,fd=4))
# 3. Test connectivity from the EC2 instance itself
curl http://localhost/
# Expected: HTML content of your default Apache page or application.
# 4. Test connectivity from an external machine (e.g., your local workstation)
# Replace <EC2_Public_IP> with your instance's public IPv4 address or Public DNS.
curl http://<EC2_Public_IP>/
# Expected: HTML content. If still connection refused, re-check AWS Security Group rules
# to ensure inbound traffic on port 80 (and 443 for HTTPS) is allowed from your IP or 0.0.0.0/0.
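The two checks above can be scripted so the loopback-only Listen misconfiguration (section 3) and the ss listening state (section 4) are caught before anyone looks at Security Groups. This is an added example, not from the original page; it assumes POSIX sh plus awk, and the config file and ss lines it feeds itself are constructed samples.

```shell
# Added example, not from the original page: detect the loopback-only Listen
# misconfiguration (section 3) and read `ss -tuln` output (section 4).
# Assumes POSIX sh plus awk; the config file and ss lines below are constructed.

# classify_listen FILE -> prints "none", "loopback-only" or "public".
# loopback-only: every active Listen binds 127.0.0.1, [::1] or localhost, so
# remote clients are refused even when the Security Group allows the port.
classify_listen() {
    awk '
        /^[ \t]*#/ { next }                          # commented-out directive
        $1 == "Listen" {
            total++; addr = $2
            sub(/:[0-9]+$/, "", addr)                # strip trailing :port
            # "Listen 80" leaves the bare port in addr, i.e. all interfaces
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "localhost") loop++
        }
        END {
            if (total == 0)         print "none"
            else if (loop == total) print "loopback-only"
            else                    print "public"
        }
    ' "$1"
}
# port_bound_externally PORT  (ss -tuln output on stdin)
# exit 0 if PORT is listening on a non-loopback local address, else exit 1.
# Only the local-address field can end in ":PORT"; the peer field ends in ":*".
port_bound_externally() {
    awk -v p="$1" '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ (":" p "$")) {
                    addr = $i; sub(/:[0-9]+$/, "", addr)
                    if (addr != "127.0.0.1" && addr != "[::1]") found = 1
                }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample reproducing the misconfiguration from section 3.
conf="${TMPDIR:-/tmp}/httpd-listen-demo.conf"
printf '# Listen 80\nListen 127.0.0.1:80\nListen 127.0.0.1:443\n' > "$conf"
echo "Listen directives: $(classify_listen "$conf")"        # loopback-only
rm -f "$conf"
# Constructed `ss -tuln` lines: 80 is reachable, 443 is bound to loopback only.
ss_sample='tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:443 0.0.0.0:*'
printf '%s\n' "$ss_sample" | port_bound_externally 80 && echo "80: bound externally"
printf '%s\n' "$ss_sample" | port_bound_externally 443 || echo "443: loopback only"
```

On a real instance, point classify_listen at the httpd.conf or ports.conf path from section 3 and pipe live `sudo ss -tuln` output into port_bound_externally; a "public" result with the port still refused from outside points at the Security Group.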