Ports blocked (Hetzner cloud server)

Hi,

I’m trying to install Discourse on a cloud server from Hetzner but when running ./discourse-setup I get the message that ports are blocked (domain.de is obviously not the real domain):

WARNING: Port 443 of computer does not appear to be accessible using hostname:  discourse.domain.de.
WARNING: Connection to http://discourse.domain.de (port 80) also fails.

As suggested by the setup tool I now want to check if discourse.domain.de resolves to the IP address of the cloud server. When I do dig discourse.domain.de I get the following output:

; <<>> DiG 9.16.1-Ubuntu <<>> discourse.domain.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28839
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;discourse.domain.de.	IN	A

;; ANSWER SECTION:
discourse.domain.de. 4134	IN	A	XXX.XXX.XXX.XXX (correct ip address)

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Apr 24 10:14:44 UTC 2022
;; MSG SIZE  rcvd: 70

Which seems good to me.
The next thing that is suggested is that it could be a firewall issue. I have a firewall with the following ports open:


So I think the firewall is not the reason for the message above. Is it possible that there is something else that is blocking the ports? I’ve read that Apache could cause such a problem but it is not installed on the cloud server.
I tried telnet discourse.domain.de 443 to see if the ports are open and I got

telnet: Unable to connect to remote host: Network is unreachable

Does anyone have an idea how to fix this problem?
Thank you!

EDIT: It’s the same with deactivated firewall.
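
A way to tell the failure modes of the port check apart, as an added example that is not part of the original thread: it connects to every address the name resolves to and maps the error to where the failure sits. The names `classify`, `probe` and `VERDICTS` and the verdict wording are this example's own.

```python
import errno
import socket
import sys

# What each connect() outcome says about where the failure sits.
VERDICTS = {
    0: "open: a service accepted the connection",
    errno.ECONNREFUSED: "refused: host reached, but nothing listens on this port",
    errno.ETIMEDOUT: "timeout: no reply at all, typical of a firewall dropping packets",
    errno.ENETUNREACH: "network unreachable: no route to this address, a routing problem rather than a closed port",
    errno.EHOSTUNREACH: "host unreachable: a router or filter on the path rejected the traffic",
}


def classify(err):
    """Map a connect() errno to a verdict string."""
    return VERDICTS.get(err, "other: " + errno.errorcode.get(err, str(err)))


def probe(host, port, timeout=3.0):
    """TCP-connect to every address `host` resolves to; return (address, verdict) pairs."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(None, "dns: name did not resolve (%s)" % exc)]
    results = []
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            err = 0
        except socket.timeout:
            err = errno.ETIMEDOUT
        except OSError as exc:
            err = exc.errno
        results.append((sockaddr[0], classify(err)))
    return results


if __name__ == "__main__":
    # Hostname comes from the command line; 80 and 443 are the ports named in the setup warnings.
    for port in (80, 443):
        for address, verdict in probe(sys.argv[1], port):
            print(port, address, verdict)
```

Run it from a machine outside the hosting network as well as from the server itself; differing verdicts show on which side the traffic stops.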

Have you looked up the DNS using an external service?

I.e., one that is not routing through your cloud host provider?

2 Likes

I have not done that before, thanks for the tip. It shows the correct IPv4 address.

You are getting that message because those ports are being blocked by Hetzner.

5 Likes

Somehow off topic but do you know why Hetzner would block such important and yet trivial ports?

Okay, thank you. I will contact the support of Hetzner.

1 Like

To avoid abuse. https://docs.hetzner.com/cloud/servers/faq/

Unfortunately, email spammers and scammers like to use cloud hosting providers. And we at Hetzner naturally want to prevent this. That’s why we block ports 25 and 465 by default on all cloud servers. This is a very common practice in the cloud hosting industry because it prevents abuse. We want to build trust with our new customers before we unblock these mail ports. Once you have been with us for a month and paid your first invoice, you can create a limit request to unblock these ports for a valid use case. In your request, you can tell us details about your use case. We make decisions on a case-by-case basis.

As an alternative, you can also use port 587 to send emails via external mail delivery services. Port 587 is not blocked and can be used without sending a limit request.

3 Likes

That is a common solution and one reason why a self-hosted email server is close to impossible.

But OP had issues with ports 80 and 443. Or did I miss something?

3 Likes

You are right. I mixed up two different issues. Apologies for the confusion.

2 Likes

I’ve had a forum search to see if anyone else had encountered a similar issue and found this, though unfortunately not a ‘true solution’ as such:

Could configuring the app.yml manually be an option for you?

1 Like

I’m still confused, but at Digital Ocean a firewall must be set up. A clean install doesn’t have any ports open (except for SSH, but that is a different thing). I don’t know how Hetzner works. And if the VPS is behind closed ports, it doesn’t matter what we have in app.yml.

Or am I again missing something?

Manual configuration of app.yml is the solution to the problem for me as well. Thanks!
I also found this thread, but I guess I didn’t read it carefully enough… :see_no_evil:

1 Like

I host three forums on Hetzner and I didn’t encounter this issue ever :thinking:

So Hetzner will open ports for a web server when a VPS has just been started? Or do they install nginx or apache by default?

That’s… strange.

1 Like

I think so. When I start a VPS (Ubuntu 20), nginx isn’t installed by default: discourse-setup installs it.
I’ve installed Discourse numerous times on Hetzner VPS without any problem for years (the last time was in February).
That’s why I’m puzzled about this topic.

edit: for some reason my brain mixed up docker and nginx :sweat_smile:

1 Like

That’s not quite true. It doesn’t install nginx on the OS, but the Discourse docker container includes it.

That’s not my experience. The default Ubuntu LTS does not include a firewall and all ports are open.

1 Like

There are two options: using the firewall by Digital Ocean or installing UFW (or similar) after creation of the VPS. None of my installations use theirs, so all ports are closed until I open them from UFW.

Anyway — now I/we know when, where and how Nginx is installed. Every day something new (when you/I/someone don’t understand how docker works :smile: )

1 Like