Patrick M. Ryan's picture

I provisioned the Turnkey image for Ruby on Rails into AWS (EC2 m1.medium). I got the system initialized successfully. I am able to ssh into the image as well as bring up the webmin interface. In AWS, I assigned a security group that includes TCP port 3000 in addition to the other ports needed by Turnkey (22, 12320, 12321, 80, 443). As of now, connections are allowed to those ports from anywhere. The built-in firewall, iptables, is set to accept everything:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

  I upgraded rails, installed my application, and started the Rails server:

admin@rails ~/sample_app$ rails server
=> Booting Puma
=> Rails 5.0.1 application starting in development on http://localhost:3000
=> Run `rails server -h` for more startup options
Puma starting in single mode...
* Version 3.6.2 (ruby 2.3.3-p222), codename: Sleepy Sunday Serenity
* Min threads: 5, max threads: 5
* Environment: development
* Listening on tcp://localhost:3000
Use Ctrl-C to stop

   Despite all of that, connections to port 3000 are being refused:

connecting to ec2-54-89-100-93.compute-1.amazonaws.com on port 3000...
ec2-54-89-100-93.compute-1.amazonaws.com: Connection refused

I also added the MySQL port, 3306.  Same effect.

  Some other entity is restricting access to these ports.  I need help figuring out what's going on.

thanks,

pat

 

 

Jeremy Davis's picture

It looks like it's only listening on localhost! By default that will only allow locally running programs to connect to it and a "connection refused" from a remote connection is expected behaviour. You'll need to tweak the config to make it listen for remote connections. Sorry I can't point you in the right direction there as I'm not sure.

Same is true of MySQL. By default it is bound to localhost as a security measure. Only the stand-alone MySQL appliance allows remote connections by default. Please see the docs on how to adjust that to allow remote connections.
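Added example, not part of the thread or of TurnKey's documentation: a small check that reads `netstat -ltn` output and reports whether a port is bound to loopback only or to all interfaces, which is the distinction behind the "connection refused" diagnosed above. The function names and the sample rows are constructed for illustration.

```shell
# Classify the TCP listeners on one port from `netstat -ltn` output on stdin.
listener_scope() {
    awk -v port="$1" '
        $0 !~ /LISTEN/ { next }                  # skip header and non-listening rows
        {
            laddr = $4                           # "Local Address" column
            n = split(laddr, parts, ":")
            if (n < 2 || parts[n] != port) next  # unix sockets, other ports
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "localhost" || addr == "::1" || addr == "[::1]")
                lo++
            else if (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")
                any++
            else
                other++
        }
        END {
            if (any)        print "all-interfaces"
            else if (other) print "specific-address"
            else if (lo)    print "loopback-only"
            else            print "not-listening"
        }'
}

# Map the listener scope to what a remote client will observe.
explain() {
    case "$(listener_scope "$1")" in
        loopback-only)    echo "port $1: loopback only, remote connects are refused whatever the firewall allows" ;;
        all-interfaces)   echo "port $1: all interfaces, reachable from every source the security group allows" ;;
        specific-address) echo "port $1: one address, reachable only through that interface" ;;
        *)                echo "port $1: nothing listening" ;;
    esac
}

# Constructed sample rows: default state, Rails and MySQL bound to loopback.
sample_default() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
EOF
}
# Constructed sample: the same host after the Rails server is rebound to 0.0.0.0.
sample_rebound() { sample_default | sed 's/127\.0\.0\.1:3000/0.0.0.0:3000/'; }

sample_default | explain 3000
sample_rebound | explain 3000
```

On a live host the input would be `netstat -ltn | explain 3000`. A listener on all interfaces is only as restricted as the security group in front of it, so the source ranges there matter once the bind address is widened.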

Patrick M. Ryan's picture

Thanks. That was the problem.  I restarted the Rails server like this:

rails server --binding=0.0.0.0

and the server would then accept outside connections.

 

Jeremy Davis's picture

Glad to hear that you got it sorted. Thanks for posting back. Good luck with it and if you have further feedback etc for us (good or bad), please do share. :)

Patrick M. Ryan's picture

  Thanks. I'm still working on getting MySQL to accept outside connections.  The instructions I've followed so far have not resolved the issue.

 

Jeremy Davis's picture

I haven't tested it for a while, but last time I did, I simply copy/pasted from the docs and it "just worked". I'm pretty sure it's mentioned on the doc page, but you'll need to restart MySQL for the new settings to be applied.

You've possibly already done it, but obviously you'll also need to add a security exception for port 3306.

FWIW I am currently working on the v14.2 release so have a new LAMP server that I have been testing. I just checked and the docs appear to still be relevant.

Default state:

root@lamp ~# netstat -l | grep mysql
tcp        0      0 localhost:mysql         *:*                     LISTEN     
unix  2      [ ACC ]     STREAM     LISTENING     12270    /var/run/mysqld/mysqld.sock

Copy/paste from docs (setting MYSQL_PASS first):

root@lamp ~# MYSQL_PASS='Pa$$w0rd'
root@lamp ~# MYSQL_BATCH="mysql --user=root --password=$MYSQL_PASS --batch"
root@lamp ~# $MYSQL_BATCH --execute "INSERT INTO mysql.user ( Host , User , Password , Select_priv ,
>     Insert_priv , Update_priv , Delete_priv , Create_priv , Drop_priv , Reload_priv , 
>     Shutdown_priv , Process_priv , File_priv , Grant_priv , References_priv , 
>     Index_priv , Alter_priv , Show_db_priv , Super_priv , Create_tmp_table_priv , 
>     Lock_tables_priv , Execute_priv , Repl_slave_priv , Repl_client_priv , 
>     Create_view_priv , Show_view_priv , Create_routine_priv , Alter_routine_priv , 
>     Create_user_priv , ssl_type , max_questions , max_updates , max_connections , 
>     max_user_connections) VALUES ( '%', 'root', '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y',
>     'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y','Y', 'Y', 'Y', 'Y', 'Y',
>     'Y', 'Y', 'Y', 'Y', '', '0', '0', '0', '0');"
root@lamp ~# service mysql restart

Post tweak state:

root@lamp ~# netstat -l | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN     
unix  2      [ ACC ]     STREAM     LISTENING     35586    /var/run/mysqld/mysqld.sock
root@lamp ~# netstat -l --numeric-ports | grep 3306
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN

Please note, though, that this will allow the MySQL root user to have remote connections. That's fine for testing and development, but not recommended for production. It is much more secure to only allow remote connections via a limited user with tighter permissions.

Patrick M. Ryan's picture

I eventually got remote access working. The AWS security group setting was already correct. When I tried to connect using Sequel Pro, I kept getting "permission denied" when trying to log in as root. That error told me that I was getting denied by MySQL itself rather than a firewall rule. I created a new user ('rails') in MySQL, granted the relevant permissions, and was then able to connect remotely.

  I'm thinking there are some extra special rules around remote connections as 'root'.

mysql> select host, user from user;
+-----------+------------------+
| host      | user             |
+-----------+------------------+
| %         | rails            |
| %         | root             |
| 127.0.0.1 | root             |
| ::1       | root             |
| localhost | debian-sys-maint |
| localhost | railsapp         |
| localhost | root             |
+-----------+------------------+
7 rows in set (0.00 sec)
 
