Setting up a new Nginx server (Oracle Free Tier)
Oracle Free Tier comes with very little RAM. As it is, you can't even complete npm install. There's a way to increase RAM (virtually): creating a swap file. I followed this article and increased it by 2G.
Before, I couldn't run npm install. Not a chance for GitHub Actions either. This is the reason I went back to the DigitalOcean VPS.
But after creating the swap file, npm install runs easily and GitHub Actions works too! My DigitalOcean VPS can't do this at this point due to lack of memory. The idea of ditching DigitalOcean and moving everything to Oracle is becoming realistic. I pay about $7 CAD ($5 USD) monthly for DigitalOcean with only 2.5GB of disk space left, whereas with Oracle I have 43GB of disk space available and it's FREE forever (no time limit). This is a real luxury.
By using ufw you don't need to write iptables rules directly. The iptables syntax is terribly unfriendly, and a rule added this way is gone after a reboot unless you add extra tooling to save it, whereas ufw persists its rules. The raw equivalent of opening port 80 looks like this:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# don't use this; let ufw manage the rules instead
Run these commands to set up ufw. Allow SSH before enabling it: the default policy for incoming traffic is deny, so enabling the firewall first can cut off the very session you are typing in.
sudo ufw status # prints "Status: inactive" until ufw is enabled
sudo ufw allow 22/tcp # or: sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full' # app profile that opens 80 and 443
sudo ufw enable # there is no "ufw start"; enable activates it now and at boot
sudo ufw status numbered
You should see something like this
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] Nginx Full ALLOW IN Anywhere
[ 3] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 4] Nginx Full (v6) ALLOW IN Anywhere (v6)
To remove a rule, use its number from that listing:
sudo ufw status numbered
sudo ufw delete <number>
To close port 80 explicitly (reject answers the client instead of silently dropping, as deny does):
sudo ufw reject http
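The whole ufw sequence as one repeatable script, as an added example that is not from the original post. It applies the same explicit 22/80/443 rules the post ends up with (rather than the 'Nginx Full' profile), in the order that does not lock you out of SSH, and then checks the text of `sudo ufw status` for the three ALLOW rules. The `UFW` variable, the `check_status` helper and the sample status text are my additions; the cloud side (the OCI subnet ingress rules mentioned further down) still has to permit the same ports.

```shell
#!/bin/sh
# Added example: a repeatable version of the ufw setup from this post.
# UFW is the command used to apply rules; set UFW=echo for a dry run that
# only prints what would be executed (hypothetical helper, not part of ufw).
UFW="${UFW:-sudo ufw}"

# Rules in the order they should be applied. The SSH allow comes before
# `enable`: with "default deny incoming", enabling the firewall first
# would cut off the session you are typing in.
firewall_rules() {
    cat <<'EOF'
default deny incoming
default allow outgoing
allow 22/tcp
allow 80/tcp
allow 443/tcp
--force enable
status verbose
EOF
}

# Apply every rule; stop at the first one ufw rejects.
apply_firewall() {
    while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule is intended
        $UFW $rule || return 1
    done <<EOF
$(firewall_rules)
EOF
}

# Verify the result: given the text of `sudo ufw status`, report which of
# the three ports has no explicit "ALLOW IN" rule (returns 1 if any is
# missing). It checks port rules, not app profiles such as 'Nginx Full'.
check_status() {
    status="$1"
    missing=""
    for port in 22/tcp 80/tcp 443/tcp; do
        if ! printf '%s\n' "$status" | grep -Eq "^$port[[:space:]]+ALLOW IN"; then
            missing="$missing $port"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing ALLOW IN rules for:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample of `sudo ufw status` output after apply_firewall ran,
# in the same shape as the listing in this post (v6 lines omitted).
SAMPLE_STATUS="Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere"
```

Run `UFW=echo apply_firewall` first to see the exact commands, then `apply_firewall` for real, and feed the output of `sudo ufw status` to `check_status` to confirm nothing was dropped along the way.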
After everything is set up, only port 443 is not available. I get 522, then it escalated to 523 as I attempted so many times. I can reach port 80, which is not secure. Without SSL, reCAPTCHA doesn't work: sending a message keeps failing even though the reCAPTCHA status icon seems active. I managed to get it working after a few hours of trial and error. With port 443 working, sending the message is accepted successfully. It's true that reCAPTCHA requires SSL.
For setting up certbot, I followed the guide on the official website, but I discarded everything later on, as I suspected this was the root cause of all the issues with SSL. Then I switched to following this guide from DigitalOcean. Hindsight: the initial setup might have been correct, though.
But be careful. Enabling the certificate modifies your nginx conf file (e.g. /etc/nginx/sites-available/daishodesign.com). Certbot moves listen 80; out of the main server block and into the second (redirect) server block; in my case the site only worked once I put listen 80; back into the first block, as in the working file shown below. This was the trickiest part of all the issues I had. One caveat with that layout: because the first block then answers on port 80 as well as 443 and matches the server_name, plain-HTTP requests for quebec3.com are served straight from the proxied app and never reach the redirect block, so the site stays reachable over unencrypted HTTP. Certbot's own split (port 80 only in the redirect block) is what keeps the HTTP-to-HTTPS redirect.
I tried many things, but these actions possibly fixed the issue. I am not sure which one was actually needed, or whether all of them were needed.
- I'm pretty sure this was required. There's a YouTube video
- I added an ingress rule for 80 in Subnet: subnet-20211214-2050 using the GUI provided by Oracle Cloud
- But I hadn't added an ingress rule for 443, so I added it too.
I had set this up, but I might have screwed up at some point, so I redid it.
- I once added 443 to UFW manually, but removed it later since there's already "Nginx Full". Maybe this was the wrong move.
- Once I removed it (or maybe I applied "deny"), I couldn't set allow again, according to the website below.
Finally, one of the less friendly aspects of ufw is how the deny rules usually trump allow rules. For example, you cannot set everything to deny and then set ports to allow. All ports will still be blocked. See here for more info. (https://itectec.com/ubuntu/ubuntu-ufw-is-blocking-all-even-when-i-set-rules-to-allow/)
- So I dumped my ufw setup and set it up again as follows:
sudo ufw reset
Initially I had set it up using "Nginx Full", but this time I did it more explicitly, as below:
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
- I had to add
listen 80;
to /etc/nginx/sites-available/quebec3.com, at the top of the file. So this is the working file:
server {
    listen 80; # <------- this line is the key!!! (it also makes this block answer plain HTTP, see the comment on the redirect block below)
    listen [::]:80;
    root /home/ubuntu/actions-runner/deploy/quebec3-v2/quebec3-v2; # not used while / is proxied
    index index.html index.htm;
    server_name quebec3.com www.quebec3.com;

    location / {
        proxy_pass http://localhost:9000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        # try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/quebec3.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/quebec3.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# Certbot's redirect block. It has no listen directive, so nginx falls back to
# *:80 (IPv4 only, when running as root). Because the block above also listens
# on 80 and matches the server_name, requests for quebec3.com over plain HTTP go
# to the proxied app and are not redirected here.
server {
    if ($host = www.quebec3.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = quebec3.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot
}
What's strange is that I didn't need to add the line (listen 80;) to the same file on the DigitalOcean server (Ubuntu 18.04).
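For comparison with the working file above, here is the split certbot normally produces, together with a small check that reads an nginx config and flags a server block listening on both port 80 and 443 ssl (the layout in which the HTTP-to-HTTPS redirect is bypassed). This is an added example, not the post's file: the hostnames, backend port and certificate paths are the post's, while the `redirect_is_bypassed` helper, the abridged `post_layout` copy used to exercise it, and the server_name-based redirect (in place of certbot's `if ($host = ...)` blocks) are mine.

```shell
#!/bin/sh
# Added example: certbot's usual split for this site, next to a check that
# flags the layout where one server block serves both ports.

# HTTPS in the first block, port 80 only in a redirect block. The redirect
# uses server_name rather than certbot's "if ($host = ...)" blocks.
certbot_layout() {
    cat <<'EOF'
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name quebec3.com www.quebec3.com;

    ssl_certificate /etc/letsencrypt/live/quebec3.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/quebec3.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:9000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name quebec3.com www.quebec3.com;
    return 301 https://$host$request_uri;
}
EOF
}

# Abridged, constructed copy of the post's working file: the first block
# answers on 80 and 443, so it wins the server_name match for plain-HTTP
# requests and the redirect block below never sees them.
post_layout() {
    cat <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name quebec3.com www.quebec3.com;
    location / { proxy_pass http://localhost:9000; }
    listen [::]:443 ssl;
    listen 443 ssl;
}
server {
    if ($host = quebec3.com) { return 301 https://$host$request_uri; }
    return 404;
}
EOF
}

# Read an nginx config on stdin; exit 0 when some server block listens on
# both port 80 and 443 ssl (redirect bypassed), 1 otherwise. Brace depth is
# tracked so nested location/if blocks do not end the server block early.
redirect_is_bypassed() {
    awk '
        { opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}") }
        depth == 0 && /^[[:space:]]*server[[:space:]]*[{]/ { in_server = 1; has80 = 0; has443 = 0 }
        in_server && /^[[:space:]]*listen[[:space:]]/ {
            if ($0 ~ /[^0-9]80;/)                has80 = 1
            if ($0 ~ /[^0-9]443[[:space:]]+ssl/) has443 = 1
        }
        { depth += opens - closes }
        in_server && depth == 0 { if (has80 && has443) found = 1; in_server = 0 }
        END { exit(found ? 0 : 1) }
    '
}
```

Run it against a live file with `redirect_is_bypassed < /etc/nginx/sites-available/quebec3.com`; an exit status of 0 means port 80 is being served by the app block and `curl -I http://quebec3.com/` will return the page instead of a 301.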