
Setting up a new Nginx server (Oracle Free Tier)

Daisho Komiyama edited this page Dec 31, 2021 · 2 revisions

Setting up a VPS server (Oracle Free Tier)

Lack of RAM

The Oracle Free Tier instance comes with very little RAM; as shipped, it can't even complete npm install. You can extend memory virtually by creating a swap file. I followed this article and added a 2G swap file.

Before that, I couldn't run npm install, and GitHub Actions didn't stand a chance either. This is the reason I had gone back to the DigitalOcean VPS.

But after creating the swap file, npm install runs easily and GitHub Actions works too! My DigitalOcean VPS can't do this at this point due to lack of memory. The idea of ditching DigitalOcean and moving everything to Oracle is becoming realistic. I pay about $7 CAD ($5 USD) monthly for DigitalOcean with only 2.5GB of disk space left, whereas with Oracle I have 43GB of disk space available and it's FREE forever (no time limit). This is a real luxury.
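The swap-file procedure described above, written out as an added example (this is not the wiki author's script or the linked article's). It assumes a Linux VPS with fallocate, mkswap and swapon available, and defaults to the path /swapfile and the 2G size used on this page; both are assumptions you can override through the environment. The one security-relevant detail is the chmod 600: swap pages can contain secrets copied out of process memory, so the backing file must never be group- or world-readable.

```shell
#!/bin/sh
# Added example (not from the original wiki page): create a 2G swap file on an
# Ubuntu VPS, lock down its permissions, enable it and make it persistent.
# Assumes a Linux box with fallocate, mkswap and swapon; the create step needs root.
set -eu

SWAPFILE="${SWAPFILE:-/swapfile}"   # assumed path; override via environment
SWAPSIZE="${SWAPSIZE:-2G}"          # the size the wiki author used

# Return 0 if the file exists with mode exactly 0600. Swap pages can hold
# secrets copied out of process memory (keys, session tokens), so the
# backing file must never be group- or world-readable.
swapfile_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Return 0 if the file is owned by root.
swapfile_owner_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "0" ]
}

# Return 0 if the kernel currently has the file enabled as swap.
swapfile_active() {
    grep -q "^$1 " /proc/swaps 2>/dev/null
}

# Create, secure, enable and persist the swap file. Safe to re-run: each step
# is skipped if it has already been done.
create_swapfile() {
    [ "$(id -u)" -eq 0 ] || { echo "create_swapfile: run as root" >&2; return 1; }
    if [ ! -f "$SWAPFILE" ]; then
        fallocate -l "$SWAPSIZE" "$SWAPFILE"
        chmod 600 "$SWAPFILE"      # before mkswap, so the file is never readable by others
        mkswap "$SWAPFILE"
    fi
    swapfile_mode_ok "$SWAPFILE" || chmod 600 "$SWAPFILE"
    swapfile_active "$SWAPFILE" || swapon "$SWAPFILE"
    # fstab entry so the swap survives a reboot; add it only once
    grep -q "^$SWAPFILE " /etc/fstab || printf '%s none swap sw 0 0\n' "$SWAPFILE" >> /etc/fstab
}

# Only act when asked explicitly, so the file can be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    create_swapfile
    swapon --show
    free -h
fi
```

Run it as `sudo sh swap.sh --apply`; afterwards `free -h` should show the 2G of swap, and `swapfile_mode_ok /swapfile` is a cheap check to keep in a hardening script.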

Enabling the firewall

By using ufw, you don't need to use iptables directly, whose syntax is terribly unfriendly:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# don't use this raw form; ufw writes the equivalent rule for you

Run these commands to enable ufw:

sudo ufw status              # prints "Status: inactive" until ufw is enabled
sudo ufw enable              # turns ufw on now and at boot (there is no "ufw start" subcommand); if you are connected over SSH, make sure 22/tcp is allowed first or you can lock yourself out
sudo ufw allow 'Nginx Full'  # application profile covering 80/tcp and 443/tcp

You should see something like this:

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Nginx Full                 ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] Nginx Full (v6)            ALLOW IN    Anywhere (v6)

Miscellaneous

List rules with their numbers:

sudo ufw status numbered

Delete a rule by its number:

sudo ufw delete <number>

Reject port 80 (http):

sudo ufw reject http

Troubleshooting: stuck with the SSL (443) setup

After everything was set up, only port 443 was not reachable. I got a 522 error, which escalated to 523 after I had attempted so many times. I could reach port 80, which is not secure. Without SSL, reCAPTCHA doesn't work: sending a message kept failing even though the reCAPTCHA status icon seemed active. I managed to get it working after a few hours of trial and error. With port 443 working, sending the message was accepted. It's true that reCAPTCHA requires SSL.

For setting up certbot, I followed the guide on the official website, but I discarded everything later on, as I suspected it was the root cause of all the SSL issues. Then I switched to following this guide from DigitalOcean. Hindsight: the initial setup might have been correct after all.

But be careful: enabling the cert modifies your nginx conf file (e.g. /etc/nginx/sites-available/daishodesign.com) wrongly. Certbot inserts listen 80; in the second server block, but this is just wrong. Read the working file shown below and do as it does. This was the trickiest of all the issues I had.

Possible solutions

I tried many things, but these actions possibly fixed the issue. I'm not sure which one was actually needed, or whether all of them were.

Add ingress rules to Oracle Cloud.

  • I'm pretty sure this was required. There's a YouTube video.
  • I added an ingress rule for port 80 in Subnet: subnet-20211214-2050 using the GUI provided by Oracle Cloud.
  • But I hadn't added an ingress rule for 443, so I added that too.

Redo the UFW setup

I had already set this up, but I might have messed it up at some point, so I redid it.

  • I once added 443 to UFW manually, but removed it later since "Nginx Full" already covers it. Maybe this was the wrong move.
  • Once I had removed it (or maybe I applied "deny"), I couldn't set allow again, according to the website quoted below.

    Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info. (https://itectec.com/ubuntu/ubuntu-ufw-is-blocking-all-even-when-i-set-rules-to-allow/)

  • So I dumped my ufw setup and set it up again as follows:

sudo ufw reset

Initially I had set it up using "Nginx Full", but this time I did it more explicitly, as below:

sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Add listen 80;

  • I had to add listen 80; to /etc/nginx/sites-available/quebec3.com, at the top of the file.
  • This is the working file:
server {
    listen 80; # <------- this line is the key!!!
    listen [::]:80;

    root /home/ubuntu/actions-runner/deploy/quebec3-v2/quebec3-v2;
    index index.html index.htm;

    server_name quebec3.com www.quebec3.com;

    location / {
        proxy_pass http://localhost:9000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;

        # try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot

    ssl_certificate /etc/letsencrypt/live/quebec3.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/quebec3.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.quebec3.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = quebec3.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot
}

What's strange is that I didn't need to add the line (listen 80;) to the same file on the DigitalOcean server (Ubuntu 18.04).
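The troubleshooting above touched three independent layers (the Oracle Cloud ingress rules, ufw, and the nginx config) without a way to tell which one was actually blocking 443; 522 and 523 are the codes Cloudflare returns when it cannot reach the origin at all, which is consistent with any of the three. The script below is an added example, not the wiki author's, that checks the layers in order from the server itself; it also serves the ufw section earlier on the page, since its first helper parses the `ufw status` listing shown there. The parsing helpers read from stdin so they can be run against saved output (the two samples are constructed for this example); the live checks run only with --live and assume ufw, ss and curl are installed on the server.

```shell
#!/bin/sh
# Added example (not from the original wiki page): layered check for "port 443
# unreachable" (the 522/523 the author saw). The parsing helpers read text from
# stdin so they also work on saved output; the live checks run only with --live
# and assume ufw, ss and curl are installed on the server.
set -eu

# Constructed sample: `ufw status numbered` output in the shape the page shows.
SAMPLE_UFW='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] Nginx Full                 ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] Nginx Full (v6)            ALLOW IN    Anywhere (v6)'

# Constructed sample: explicit rules where 443 was never added back.
SAMPLE_UFW_NO443='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere'

# Return 0 if a `ufw status` / `ufw status numbered` listing on stdin allows
# the given port (e.g. 443/tcp), either explicitly or through the Nginx
# application profiles (Nginx Full = 80+443, Nginx HTTP = 80, Nginx HTTPS = 443).
ufw_allows() {
    sed 's/^\[ *[0-9]*\] *//' | awk -v port="$1" '
        $1 == port && $2 == "ALLOW" { found = 1 }
        $1 == "Nginx" && $3 == "ALLOW" {
            if ($2 == "Full"  && (port == "80/tcp" || port == "443/tcp")) found = 1
            if ($2 == "HTTP"  && port == "80/tcp")  found = 1
            if ($2 == "HTTPS" && port == "443/tcp") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Return 0 if an nginx configuration on stdin declares a TLS listener on 443
# (matches "listen 443 ssl" and "listen [::]:443 ssl").
nginx_listens_443() {
    grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl'
}

# Live diagnosis, run on the server itself. Each layer is checked in order:
# nginx config -> nginx bound to :443 -> host firewall -> local TLS handshake.
# If all four pass but the site is still unreachable from outside, the only
# layer left is the cloud provider's ingress rule (Oracle security list).
diagnose_443() {
    domain="$1"
    sudo nginx -t
    if sudo nginx -T 2>/dev/null | nginx_listens_443; then
        echo "nginx config: 443 ssl listener present"
    else
        echo "nginx config: no 443 ssl listener (check the server block)"
    fi
    if ss -ltn | grep -q ':443 '; then
        echo "socket: something is bound to :443"
    else
        echo "socket: nothing listening on :443 (is nginx running?)"
    fi
    if sudo ufw status | ufw_allows 443/tcp; then
        echo "ufw: 443/tcp allowed"
    else
        echo "ufw: 443/tcp NOT allowed (sudo ufw allow 443/tcp)"
    fi
    # --resolve pins the name to loopback, so DNS, CDN and the cloud firewall are bypassed
    curl -sSo /dev/null -w 'local https: HTTP %{http_code}\n' \
        --resolve "$domain:443:127.0.0.1" "https://$domain/" \
        || echo "local https: TLS handshake or request failed"
}

if [ "${1:-}" = "--live" ]; then
    diagnose_443 "${2:?usage: $0 --live <domain>}"
fi
```

Run `sh check443.sh --live quebec3.com` on the instance. The local curl is the decisive step: if it returns an HTTP status while the site is still unreachable from the internet, nginx and ufw are fine and the missing piece is the cloud-level ingress rule, which was ultimately one of the fixes on this page.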
