After upgrading our DigitalOcean droplet from Ubuntu 16.04 to 18.04.6 LTS (Bionic Beaver), all HTTPS traffic suddenly failed, with a ‘website took too long to respond’ error.
Background: we had an old WordPress site running Bedrock that was proving impossible to move from its 16.04 server, so we decided to upgrade it in situ instead. On DigitalOcean we took a snapshot, then performed the upgrade via SSH. This is the DigitalOcean guide we followed.
Note, we kept our nginx.conf file during the upgrade as it was quite specifically modified.
After it was all upgraded we switched the DNS to point to the new site (this was a staging site so this was fine to do) and the new site showed the ‘website took too long to respond’ error.
There’s a lot of help for this online! There’s a summary of some of the things to check at the end of this article.
Solution for us:
After contacting DigitalOcean they said:
I see that HTTP/S ports 80 and 443 are showing as ‘filtered’ when performing a nmap scan on these ports on Droplet {droplet name/IP} as shown below:
~ % nmap -Pn -p 80,443 {ip-address}
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-04 17:12 IST
Nmap scan report for {ip-address}
Host is up.
PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https
Nmap done: 1 IP address (1 host up) scanned in 3.23 seconds
It seems like the firewall is blocking the incoming traffic to your droplet, which is causing the website to be inaccessible and preventing you from logging in via SSH and Droplet Console.
First, I would recommend you to temporarily disable the Cloud firewall applied to your Droplet and check the website functionality.
Next, log in to the Droplet using SSH and run the below command to check your current firewall setting:
iptables -nvL
To allow all incoming HTTP (port 80) connections run these commands:
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
To allow all incoming HTTPS (port 443) connections run these commands:
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Note that I tried this without disabling the DO firewall first and it did not work. However, after we followed the steps exactly as above and in order then it did work. We then re-enabled the DO firewall and all was well.
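One check worth making after the -A commands above (an added example, not part of the original post or of DigitalOcean's reply): -A appends to the end of the chain and iptables stops at the first rule with an ACCEPT, DROP or REJECT target that matches, so this sketch reads `iptables -S INPUT` output and reports which rule decides a new connection to a port. The function names and both rulesets are constructed for illustration.

```shell
#!/bin/sh
# first_verdict PORT: reads `iptables -S INPUT` output on stdin and prints the
# first rule (or the chain policy) that decides a NEW inbound TCP connection
# to PORT. Simplified model: single --dport or comma list, no "!" negation,
# no user-defined chains; interface/source-specific rules are skipped.
first_verdict() {
    awk -v port="$1" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        n++; proto = dport = states = target = ""; scoped = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            else if ($i == "--ctstate" || $i == "--state") states = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-i" || $i == "-s") scoped = 1
        }
        if (scoped || (proto != "" && proto != "tcp")) next
        if (dport != "" && index("," dport ",", "," port ",") == 0) next
        if (states != "" && index("," states ",", ",NEW,") == 0) next
        if (target !~ /^(ACCEPT|DROP|REJECT)$/) next
        printf "%s rule %d\n", target, n; decided = 1; exit
    }
    END { if (!decided) printf "%s policy\n", policy }'
}

# Constructed sample: 80/443 ACCEPT rules appended (-A) after a catch-all DROP.
appended() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
EOF
}

# Same rules with the catch-all DROP last, as if 80/443 had been inserted before it.
inserted() {
    appended | awk '/-j DROP$/ { held = $0; next } { print } END { print held }'
}

echo "appended: $(appended | first_verdict 443)"
echo "inserted: $(inserted | first_verdict 443)"
```

On the droplet, feed it the live ruleset with `sudo iptables -S INPUT | first_verdict 443`. If an earlier DROP or REJECT wins, place the ACCEPT rule ahead of it with `iptables -I INPUT <n>` rather than `-A`.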
Here are a few other ideas as a checklist. The idea here is to look up each one; I don’t list the details, but hopefully it’s helpful for ideas. Good luck!
Other ideas to check
Check DNS configuration: Verify that the DNS settings for your domain are correctly configured to point to the IP address of your new droplet
Check firewall settings: Ensure that the firewall on your new droplet allows incoming connections on the necessary ports (e.g., port 80 for HTTP or port 443 for HTTPS) – are you using ufw?
Verify web server configuration: Ensure that Nginx is properly configured to listen on the correct IP address and port.
Check web server status: Verify that your web server is running and there are no errors: sudo systemctl status nginx
Test connectivity locally: Try accessing your website using the droplet’s IP address directly from the droplet itself: curl http://localhost
Check network connectivity: Ensure that your droplet has an active network connection. From the droplet, try: ping 8.8.8.8
Check Nginx configuration: Review your Nginx configuration file (staging.mysite.com.conf) and ensure that it is properly configured.
Check Nginx error logs: Examine the Nginx error logs to see if there are any relevant error messages that could help identify the issue. The error logs are usually located at /var/log/nginx/error.log.
Check DO firewall settings: Ensure that your DigitalOcean droplet’s firewall allows incoming traffic on ports 80 and 443.
Check if Nginx is listening on the correct ports: Confirm that Nginx is listening on the appropriate ports (80 and 443): sudo netstat -tuln | grep LISTEN
Check SSL certificate validity
Restart Nginx – sudo systemctl restart nginx
Check the Nginx access logs: Review the Nginx access logs to see if any requests are being logged when you try to access the website. The access logs are typically located at /var/log/nginx/access.log
Check the website’s document root: Ensure that the root directive in your Nginx configuration file (staging.mysite.com.conf) points to the correct directory where your website files are located.
Check file permissions: Make sure that the files and directories in your website’s document root have the appropriate permissions to be accessed by the Nginx process
Check if Nginx is listening on the correct network interface: Ensure that Nginx is listening on the correct network interface by checking the listen directive in your Nginx configuration file (staging.mysite.com.conf). It should be set to listen 80; and listen 443 ssl; to listen on all available network interfaces.
Check the droplet’s network configuration: Connect to your DigitalOcean droplet via SSH and retrieve its network configuration: ip addr show. This command will display the network interfaces and their associated IP addresses. Verify that the IP address assigned to your droplet is correct and matches the one you expect.
Verify default gateway: Run the following command to check the default gateway: ip route show default