The MetalVPS website is served by a tiny, but heroic Oracle Cloud Free Tier VPS The specs are:

VM.Standard.E2.1.Micro.
OCPU count: 1
Memory (GB): 1
Boot Volume Size: 47 GB
Network bandwidth (Gbps): 0.48
Launched: Sun, Jul 17, 2022, 23:25:22 UTC

The instance has been up the best part of a year:

[opc@instance-20220717-1620 ~]$ uptime
 15:27:35 up 301 days, 16:01,  1 user,  load average: 0.06, 0.08, 0.02
[opc@instance-20220717-1620 ~]$ 

Recent Downtime Alerts From Hetrix Tools

Recently I started receiving alerts from Hetrix Tools about the MetalVPS website being down briefly, just a few minutes at a time, but repeatedly. I confirmed that I couldn't access the website from my Chromebook during the periods when Hetrix said the site was down. Additionally, my ssh connection to the instance stopped working when Hetrix said the site was down. Luckily, I had redundant backups, so all the files were safe.

Checking the logs suggested that periodic DNF updates were causing the tiny, but valiant VPS to run out of memory. When there was no memory, the web server and the ssh server couldn't work. After the OOM killer decided it was time to kill the DNF update, then the web server and the ssh server could serve again.

Just for fun, I repeatedly ran free -h during a manually initiated dnf upgrade to see what happened. Watch the swap go all the way down to zero:

Swap Drops To Zero During DNF Upgrade

chronos@penguin:~/servers/oracle/metalvps$ ssh m
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Fri May  5 01:56:22 2023 from 187.189.238.1
[opc@instance-20220717-1620 ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:          680Mi       189Mi       364Mi       1.0Mi       126Mi       384Mi
Swap:         1.3Gi       463Mi       896Mi
[opc@instance-20220717-1620 ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:          680Mi       244Mi       236Mi       1.0Mi       199Mi       329Mi
Swap:         1.3Gi       460Mi       899Mi
[opc@instance-20220717-1620 ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:          680Mi       258Mi        50Mi       1.0Mi       371Mi       316Mi
Swap:         1.3Gi       460Mi       899Mi
[opc@instance-20220717-1620 ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:          680Mi       397Mi        50Mi       1.0Mi       231Mi       176Mi
Swap:         1.3Gi       460Mi       899Mi
[opc@instance-20220717-1620 ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:          680Mi       583Mi        47Mi       0.0Ki        49Mi        21Mi
Swap:         1.3Gi       546Mi       813Mi
[opc@instance-20220717-1620 ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:          680Mi       576Mi        46Mi       0.0Ki        56Mi        24Mi
Swap:         1.3Gi       719Mi       640Mi
[opc@instance-20220717-1620 ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:          680Mi       552Mi        57Mi       0.0Ki        70Mi        42Mi
Swap:         1.3Gi       870Mi       489Mi
[opc@instance-20220717-1620 ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:          680Mi       563Mi        42Mi       0.0Ki        74Mi        29Mi
Swap:         1.3Gi       1.0Gi       289Mi
[opc@instance-20220717-1620 ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:          680Mi       559Mi        58Mi       0.0Ki        62Mi        39Mi
Swap:         1.3Gi       1.2Gi       123Mi
[opc@instance-20220717-1620 ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:          680Mi       604Mi        31Mi       0.0Ki        43Mi       3.0Mi
Swap:         1.3Gi       1.3Gi       0.0Ki

After OOM

[opc@instance-20220717-1620 ~]$ free -h
              total        used        free      shared  buff/cache   available
Mem:          680Mi       166Mi       433Mi       0.0Ki        80Mi       422Mi
Swap:         1.3Gi       484Mi       875Mi
[opc@instance-20220717-1620 ~]$ 

Memory Issues Fixed By Adding Swap

The memory issues seem to have been fixed by adding additional swap. Here's a link to a tutorial which I found helpful: https://www.cyberciti.biz/faq/linux-add-a-swap-file-howto/

The Oracle install already had a swap file, but I added a second, larger swap file. Note that these swap files are within the partition on which the OS is located, not on separate partitions as usually is the case for swap.

Back in the old days, I always could set up machines with plenty of swap. Nowadays, on the clouds, often the VMs come without swap. On HN, I read that swap might be less popular these days since swap could present a security issue. Swap could contain private data which needs protection.

But, by adding a swap file, some tiny VPSes can do big jobs! I seem to remember compiling a ton of software out of pkgsrc on a different, but also tiny Oracle VPS running CentOS. Was it all just a matter of adding some swap and then eating dinner and sleeping while pkgsrc reliably finished its enormous workload on the tiny Oracle VPS?

Here's what the terminal output looked like during the addition of extra swap space followed by a successful dnf upgrade.

[opc@instance-20220717-1620 ~]$ swapon -s
Filename                                Type            Size    Used    Priority
/.swapfile                              file            1392636 461880  -2
[opc@instance-20220717-1620 ~]$ ls -lh /.swapfile 
-rw-------. 1 root root 1.4G Jul 17  2022 /.swapfile
[opc@instance-20220717-1620 ~]$ sudo su -
Last login: Sat May 13 04:36:56 GMT 2023 on pts/0
[root@instance-20220717-1620 ~]# cd /
[root@instance-20220717-1620 /]# df -h .
Filesystem                  Size  Used Avail Use% Mounted on
/dev/mapper/ocivolume-root   36G   11G   25G  31% /
[root@instance-20220717-1620 /]# dd if=/dev/zero of=/.swapfile1 bs=1024 count=2093152
2093152+0 records in
2093152+0 records out
2143387648 bytes (2.1 GB, 2.0 GiB) copied, 39.7653 s, 53.9 MB/s
[root@instance-20220717-1620 /]# ls -l .swapfile*
-rw-------. 1 root root 1426063360 Jul 17  2022 .swapfile
-rw-r--r--. 1 root root 2143387648 May 13 21:22 .swapfile1
[root@instance-20220717-1620 /]# chmod 0600 .swapfile1
[root@instance-20220717-1620 /]# ls -l .swapfile*
-rw-------. 1 root root 1426063360 Jul 17  2022 .swapfile
-rw-------. 1 root root 2143387648 May 13 21:22 .swapfile1
[root@instance-20220717-1620 /]# mkswap /.swapfile1
Setting up swapspace version 1, size = 2 GiB (2143383552 bytes)
[ . . . ]
[root@instance-20220717-1620 /]# swapon /.swapfile1
[root@instance-20220717-1620 /]# swapon -s
Filename                                Type            Size    Used    Priority
/.swapfile                              file            1392636 461528  -2
/.swapfile1                             file            2093148 0       -3
[root@instance-20220717-1620 /]# date -u
Sat May 13 21:30:53 UTC 2023
[root@instance-20220717-1620 /]# dnf upgrade
Oracle Linux 8 BaseOS Latest (x86_64)                          4.9 kB/s | 3.6 kB     00:00    
Oracle Linux 8 Application Stream (x86_64)                     149 kB/s | 3.9 kB     00:00    
Oracle Linux 8 Addons (x86_64)                                  57 kB/s | 3.0 kB     00:00    
Latest Unbreakable Enterprise Kernel Release 6 for Oracle Linu  83 kB/s | 3.0 kB     00:00    
Last metadata expiration check: 0:00:01 ago on Sat 13 May 2023 08:17:46 PM GMT.
Dependencies resolved.
===============================================================================================
 Package                Architecture Version                            Repository        Size
===============================================================================================
Installing:
 kernel-uek             x86_64       5.4.17-2136.318.7.2.el8uek         ol8_UEKR6        112 M
 kernel-uek-devel       x86_64       5.4.17-2136.318.7.2.el8uek         ol8_UEKR6         19 M
Removing:
 kernel-uek             x86_64       5.4.17-2136.317.5.5.el8uek         @ol8_UEKR6       136 M
 kernel-uek-devel       x86_64       5.4.17-2136.317.5.5.el8uek         @ol8_UEKR6        75 M

Transaction Summary
===============================================================================================
Install  2 Packages
Remove   2 Packages

Total download size: 131 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): kernel-uek-devel-5.4.17-2136.318.7.2.el8uek.x86_64.rpm   19 MB/s |  19 MB     00:01    
(2/2): kernel-uek-5.4.17-2136.318.7.2.el8uek.x86_64.rpm         30 MB/s | 112 MB     00:03    
-----------------------------------------------------------------------------------------------
Total                                                           35 MB/s | 131 MB     00:03     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                       1/1 
  Installing       : kernel-uek-devel-5.4.17-2136.318.7.2.el8uek.x86_64                    1/4 
  Running scriptlet: kernel-uek-devel-5.4.17-2136.318.7.2.el8uek.x86_64                    1/4 
  Running scriptlet: kernel-uek-5.4.17-2136.318.7.2.el8uek.x86_64                          2/4 
  Installing       : kernel-uek-5.4.17-2136.318.7.2.el8uek.x86_64                          2/4 
  Running scriptlet: kernel-uek-5.4.17-2136.318.7.2.el8uek.x86_64                          2/4 
  Erasing          : kernel-uek-devel-5.4.17-2136.317.5.5.el8uek.x86_64                    3/4 
  Running scriptlet: kernel-uek-5.4.17-2136.317.5.5.el8uek.x86_64                          4/4 
  Erasing          : kernel-uek-5.4.17-2136.317.5.5.el8uek.x86_64                          4/4 
  Running scriptlet: kernel-uek-5.4.17-2136.317.5.5.el8uek.x86_64                          4/4 
  Running scriptlet: kernel-uek-5.4.17-2136.318.7.2.el8uek.x86_64                          4/4 
  Running scriptlet: kernel-uek-5.4.17-2136.317.5.5.el8uek.x86_64                          4/4 
  Verifying        : kernel-uek-5.4.17-2136.318.7.2.el8uek.x86_64                          1/4 
  Verifying        : kernel-uek-devel-5.4.17-2136.318.7.2.el8uek.x86_64                    2/4 
  Verifying        : kernel-uek-5.4.17-2136.317.5.5.el8uek.x86_64                          3/4 
  Verifying        : kernel-uek-devel-5.4.17-2136.317.5.5.el8uek.x86_64                    4/4 

Installed:
  kernel-uek-5.4.17-2136.318.7.2.el8uek.x86_64                                                 
  kernel-uek-devel-5.4.17-2136.318.7.2.el8uek.x86_64                                           
Removed:
  kernel-uek-5.4.17-2136.317.5.5.el8uek.x86_64                                                 
  kernel-uek-devel-5.4.17-2136.317.5.5.el8uek.x86_64                                           

Complete!
[root@instance-20220717-1620 /]# date
Sat May 13 21:44:31 GMT 2023
[root@instance-20220717-1620 /]# uname -r
5.4.17-2136.308.9.el8uek.x86_64
[root@instance-20220717-1620 /]# cat /etc/os-release 
NAME="Oracle Linux Server"
VERSION="8.7"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="8.7"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Oracle Linux Server 8.7"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:8:7:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://bugzilla.oracle.com/"

ORACLE_BUGZILLA_PRODUCT="Oracle Linux 8"
ORACLE_BUGZILLA_PRODUCT_VERSION=8.7
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=8.7
[root@instance-20220717-1620 /]# 

There have been no more downtime alerts from Hetrix since the extra swap was added.

Additional Steps

At least a couple more things might need to be done.

• First, to persist past reboots, the extra swap needs to be added to /etc/fstab and/or synced with whatever systemd might contribute.

• Second, the running kernel (5.4.17-2136.308.9.el8uek.x86_64) doesn't seem to be quite the same as the most recently installed kernel (5.4.17-2136.318.7.2.el8uek.x86_64). So maybe a reboot is needed?

The Bigger Picture

I don't understand why this problem happened. Also, I don't understand why this problem happened at the time it happened, rather than sooner or later.

• Could it be that the tiny but heroic VM specs are too small to expect dnf to work?

• Did I misconfigure something or make some other mistake which caused dnf to run out of space?

• Was the current dnf upgrade unusually big, such that it required more space than expected.

• Was the problem caused by something else other than dnf?

• Was it correct to add a second swap file? Should there be only one? I could have replaced the existing swap file with another, larger swap file, thus keeping only one swap file.

• Maybe /etc/fstab still is meaningful in systemd distros?

• Maybe the VPS will survive a reboot?

• How applicable is all this to other guys running tiny, but heroic Oracle Free Tier VPSes? Are they all fated to run out of memory after a while?

• What about other tiny VPSes on providers other than Oracle and running OSes other than Oracle Linux?

Over the next days, maybe I will get to understand more. Thanks again to Oracle for the nifty, heroic free VPS!

Best wishes! I hope everyone gets the server he wants! 🤩

An error occurred while updating Akismet Anti-Spam: Could not create directory.

I have applied following permission on files and folders.

sudo chown -R nginx:nginx /var/www/mysite/html
sudo find /var/www/mysite/html -type d -exec chmod 755 {} \;
sudo find /var/www/mysite/html -type f -exec chmod 644 {} \;

I have another WordPress site on VirMach VPS with same permission and there it updates fine. Here's result of ls -l

[opc@arm html]$ ls -l
total 212
-rw-r--r--  1 nginx nginx   405 Feb  6  2020 index.php
-rw-r--r--  1 nginx nginx 19915 Jan  1  2022 license.txt
-rw-r--r--  1 nginx nginx  7401 Mar 22 21:11 readme.html
-rw-r--r--  1 nginx nginx  7165 Jan 21  2021 wp-activate.php
drwxr-xr-x  9 nginx nginx  4096 Jul 12 16:16 wp-admin
-rw-r--r--  1 nginx nginx   351 Feb  6  2020 wp-blog-header.php
-rw-r--r--  1 nginx nginx  2338 Nov  9  2021 wp-comments-post.php
-rw-r--r--  1 nginx nginx  3230 Aug 18 17:53 wp-config.php
drwxr-xr-x  4 nginx nginx    52 Jul 12 16:16 wp-content
-rw-r--r--  1 nginx nginx  3943 Apr 28 09:49 wp-cron.php
drwxr-xr-x 26 nginx nginx 12288 Jul 12 16:16 wp-includes
-rw-r--r--  1 nginx nginx  2494 Mar 19 20:31 wp-links-opml.php
-rw-r--r--  1 nginx nginx  3973 Apr 12 01:47 wp-load.php
-rw-r--r--  1 nginx nginx 48498 Apr 29 14:36 wp-login.php
-rw-r--r--  1 nginx nginx  8577 Mar 22 16:25 wp-mail.php
-rw-r--r--  1 nginx nginx 23706 Apr 12 09:26 wp-settings.php
-rw-r--r--  1 nginx nginx 32051 Apr 11 11:42 wp-signup.php
-rw-r--r--  1 nginx nginx  4748 Apr 11 11:42 wp-trackback.php
-rw-r--r--  1 nginx nginx  3236 Jun  8  2020 xmlrpc.php

Site Health in WordPress says:

Shows whether WordPress is able to write to the directories it needs access to.

The main WordPress directory    Not writable
The wp-content directory    Not writable
The uploads directory   Not writable
The plugins directory   Not writable
The themes directory    Not writable

But the other site on VirMach VPS says these folders are writeable.

SELinux is disabled.

Oracle Cloud is a cloud computing service offered by Oracle Corporation.
Oracle Cloud has a generous free tier that offers two "always free" Micro instances with the following specification:

• KVM virtualization
• 1/8 CPU cores (AMD EPYC 7551)
• 1GB memory
• 47GB disk storage
• 1 IPv4 address
• up to 32 IPv6 addresses
• 50Mbps Internet bandwidth

I signed up for Oracle Cloud, so that I can have some more free computing resources to play with.
The sign-up procedure requires a credit card for identity confirmation purpose, but the credit card will not be charged.
During sign-up, there's a choice of home region, which determines the location of VM instances; once selected, it cannot be changed in the future.

A common use case for a virtual machine is to host a website.
Due to the firewalls, hosting a website on Oracle Cloud needs a few more steps.
Here's exactly how to deploy a website in a Oracle Cloud Free Tier VM instance.

UPDATED 2022-01-27:
Oracle Cloud now supports IPv6.
Instructions are updated to enable IPv6 on the web server.

Create a VM Instance

Each Oracle Cloud account is eligible for two Always Free Micro instances.
To create a VM, sign in to the Oracle Cloud console, in "Launch Resources" section click Create a VM instance.
This takes us to the "Create Compute Instance" page.

In "Image and shape" section, select VM.Standard.E2.1.Micro shape and Canonical Ubuntu 20.04 image.
Do not use the "Canonical Ubuntu 20.04 Minimal" image.

In "Configure network" section, select Create new virtual cloud network, and keep other options at their default values.

In "Add SSH keys" section, select Paste public keys, and paste your SSH public key in the text box below.
If you do not have a SSH public key, follow this guide to generate one.

Finally, click the Create button to create the compute VM instance.
Within a few seconds, you should see the "Instance Details" page.

You can SSH into the VM instance using the public IP address and username displayed in the "Instance Access" section.

Enable IPv6

In this year, it is important for websites to support IPv6.
Today, most cellular networks are IPv6 only.
By enabling IPv6, it enables mobile users to access your website more efficiently, because their sessions do not need to go through IPv4 address translation proxies.

Oracle Cloud compute VM instances are initially assigned with only an IPv4 address.
There are 5 steps for enabling IPv6 on the VM:

1. Assign IPv6 CIDR block to the Virtual Cloud Network.
2. Assign IPv6 CIDR block to the Subnet.
3. Configure IPv6 Route Rule.
4. Assign IPv6 Address to the compute VM's VNIC.
5. Configure firewall rules.

We will perform steps 1~4 now, and do step 5 a little later (in "Configure Ingress and Egress Rules" section).

Looking at the "Instance Details" page, click the link next to "Virtual cloud network".
This takes us to the "Virtual Cloud Network Details" page.

Select "CIDR Blocks" tab on the left side "Resources" menu, and then click Add IPv6 CIDR Block button.
You will be asked to confirm that you want to enable IPv6.
When you click Confirm, a /56 block of 4,722,366,482,869,645,213,696 IPv6 addresses are automatically allocated to your Virtual Cloud Network (IPv6 step 1).

Select "Subnets" tab on the left side "Resources" menu.
You should see an existing Subnet.
It would have an IPv4 CIDR Block, but the "IPv6 CIDR Block" column is blank.
Click the ⋮ button in the rightmost column, and select "Edit" in the dropdown menu.
Then, check Enable IPv6 CIDR Block box, enter two hexadecimal digits (such as 00) in the box just before "::/64", and click Save Changes (IPv6 step 2).

Select "Route Tables" tab on the left side "Resources" menu, and then click Default Route Table link.
This takes us to the "Route Table Details" pages.
In the "Route Rules" tables, we can see that there's a route rule for destination 0.0.0.0/0 that targets the Internet gateway, which allows IPv4 packets to reach the Internet.
We need a similar route rule for IPv6.
Click Add Route Rules button.
In the popup dialog, enter the following:

• Protocol Version: IPv6
• Target Type: Internet Gateway
• Destination CIDR Block: ::/0
• Target Internet Gateway: Internet gateway vcn-…

Then click Add Route Rules button (IPv6 step 3).

Finally, go back to the "Instance Details" page of the compute VM instance.
To find that page, you can type "Instances" into the search bar and select "Services - Instances (Compute)" in the results.

Select "Attached VNICs" tab on the left side "Resources" menu, and then click the link next to (Primary VNIC).
This opens the "VNIC Details".
Select "IPv6 Addresses" tab on the left side "Resources" menu, and click Assign IPv6 Address button.
In the popup dialog, click Assign button to get a random IPv6 address (IPv6 step 4).

DNS

Now that we have the IP addresses assigned, it is a good time to add DNS records to our compute VM instance, so that we can activate HTTPS later.
Two DNS records are required: an A record for the public IPv4 address and an AAAA record for the public IPv6 address.
You can find both addresses in the "VNIC Details" page, as described above.

Configure Ingress and Egress Rules

Oracle Cloud has a strict firewall that, by default, only allows SSH access.
In order to host a website, it is necessary to configure the firewall so that it allows HTTP traffic.

To access the firewall configuration page, click the "subnet" name in "Primary VNIC" section of "Instance Details" page.
Then, on "Subnet Details" page, click "Default Security List for …" in "Security Lists" section.
Click Add Ingress Rules button, and enter these four rules in the popup dialog:

• Allow HTTP/1.1 and HTTP/2 (IPv4)

  • stateless: no
  • source CIDR: 0.0.0.0/0
  • IP protocol: TCP
  • destination port range: 80,443

• Allow HTTP/1.1 and HTTP/2 (IPv6)

  • stateless: no
  • source CIDR: ::/0
  • IP protocol: TCP
  • destination port range: 80,443

• Allow HTTP/3 (IPv4)

  • stateless: no
  • source CIDR: 0.0.0.0/0
  • IP protocol: UDP
  • destination port range: 443

• Allow HTTP/3 (IPv6)

  • stateless: no
  • source CIDR: ::/0
  • IP protocol: UDP
  • destination port range: 443

After that, you should see the following ingress rules in the table:

You should also add an IPv6 egress rule, so that the VM instance can reach Internet resources over IPv6.
To do that, select "Egress Rules" tab on the left side "Resources" menu.
Click Add Egress Rules button, and enter the following rule in the popup dialog (IPv6 step 5):

• Allow IPv6 Internet access
  • stateless: no
  • destination CIDR: ::/0
  • IP protocol: All Protocols

Install HTTP Server

With the firewall rules in place, we are ready to install an HTTP server.
In this guide, I'm installing Caddy HTTP server along with PHP-FPM.
They can be installed from Caddy package repository and ondrej/php PPA respectively.

# see "Caddy package repository" link above for how to add Caddy APT repository
sudo add-apt-repository ppa:ondrej/php
sudo apt install caddy php8.1-fpm

Before we can start the HTTP server, there's one more firewall to configure: the local iptables.
Oracle Cloud not only has an external firewall at subnet level, but also blocks traffic in iptables INPUT chain.
We can setup a systemd service to insert iptables rules before Caddy starts:

sudoedit /etc/systemd/system/caddy-iptables.service
  (paste the caddy-iptables.service content)

sudo systemctl daemon-reload
sudo systemctl enable --now caddy-iptables

The systemd unit file caddy-iptables.service should have the following content:

[Unit]
Description=Firewall rules for Caddy
Before=caddy.service

[Service]
ExecStartPre=+/usr/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
ExecStartPre=+/usr/sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT
ExecStartPre=+/usr/sbin/iptables -I INPUT -p udp --dport 443 -j ACCEPT
ExecStartPre=+/usr/sbin/ip6tables -I INPUT -p tcp --dport 80 -j ACCEPT
ExecStartPre=+/usr/sbin/ip6tables -I INPUT -p tcp --dport 443 -j ACCEPT
ExecStartPre=+/usr/sbin/ip6tables -I INPUT -p udp --dport 443 -j ACCEPT
ExecStart=true
RemainAfterExit=yes
ExecStopPost=+/usr/sbin/iptables -D INPUT -p tcp --dport 80 -j ACCEPT
ExecStopPost=+/usr/sbin/iptables -D INPUT -p tcp --dport 443 -j ACCEPT
ExecStopPost=+/usr/sbin/iptables -D INPUT -p udp --dport 443 -j ACCEPT
ExecStopPost=+/usr/sbin/ip6tables -D INPUT -p tcp --dport 80 -j ACCEPT
ExecStopPost=+/usr/sbin/ip6tables -D INPUT -p tcp --dport 443 -j ACCEPT
ExecStopPost=+/usr/sbin/ip6tables -D INPUT -p udp --dport 443 -j ACCEPT

[Install]
RequiredBy=caddy.service

Upload your website content, and make sure the www-data group can access them.
In this example, I'll create two simple files:

sudo mkdir -p /var/www/html
echo '<h1>hello</h1>' | sudo tee /var/www/html/index.html
echo '<?php phpinfo(); ?>' | sudo tee /var/www/html/phpinfo.php
sudo chgrp -R www-data /var/www/html

Edit the Caddyfile (/etc/caddy/Caddyfile), paste the following:
(change the domain name and root directory as appropriate)

{
  servers {
    protocol {
      experimental_http3
    }
  }
}

https://demo.example.com {
  root * /var/www/html
  file_server
  php_fastcgi unix//run/php/php8.1-fpm.sock

  header {
    Strict-Transport-Security max-age=2592000
    X-Frame-Options SAMEORIGIN
    X-Content-Type-Options nosniff
    Referrer-Policy no-referrer-when-downgrade
  }
}

Finally, restart the webserver for the settings to take effect:

sudo systemctl restart caddy
sudo systemctl restart php8.1-fpm

Test the Website

To confirm everything is working, we can visit the index page https://demo.example.com/ and the PHP script https://demo.example.com/phpinfo.php in the browser.

Then, we use the curl command line tool (on a different machine) to check that:

• HTTP-to-HTTPS redirect is working properly.
• The website is served over HTTP/1.0, HTTP/1.1, HTTP/2, and HTTP/3.
• The server is accessible over both IPv4 and IPv6.

$ curl -4 --http1.0 -I http://demo.example.com/
HTTP/1.0 308 Permanent Redirect
Connection: close
Location: https://demo.example.com/
Server: Caddy
Date: Fri, 28 Jan 2022 02:16:43 GMT

$ curl -6 --http1.0 -I http://demo.example.com/
HTTP/1.0 308 Permanent Redirect
Connection: close
Location: https://demo.example.com/
Server: Caddy
Date: Fri, 28 Jan 2022 02:16:43 GMT

$ curl -4 --http1.1 -I http://demo.example.com/
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://demo.example.com/
Server: Caddy
Date: Fri, 28 Jan 2022 02:16:44 GMT

$ curl -6 --http1.1 -I http://demo.example.com/
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://demo.example.com/
Server: Caddy
Date: Fri, 28 Jan 2022 02:16:44 GMT

$ curl -4 --http1.1 -I https://demo.example.com/
HTTP/1.1 200 OK
Accept-Ranges: bytes
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Length: 15
Content-Type: text/html; charset=utf-8
Etag: "r6edtff"
Last-Modified: Fri, 28 Jan 2022 02:05:39 GMT
Referrer-Policy: no-referrer-when-downgrade
Server: Caddy
Strict-Transport-Security: max-age=2592000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: Fri, 28 Jan 2022 02:16:45 GMT

$ curl -6 --http1.1 -I https://demo.example.com/
HTTP/1.1 200 OK
Accept-Ranges: bytes
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Length: 15
Content-Type: text/html; charset=utf-8
Etag: "r6edtff"
Last-Modified: Fri, 28 Jan 2022 02:05:39 GMT
Referrer-Policy: no-referrer-when-downgrade
Server: Caddy
Strict-Transport-Security: max-age=2592000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: Fri, 28 Jan 2022 02:16:45 GMT

$ curl -4 --http2 -I https://demo.example.com/
HTTP/2 200
accept-ranges: bytes
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
content-type: text/html; charset=utf-8
etag: "r6edtff"
last-modified: Fri, 28 Jan 2022 02:05:39 GMT
referrer-policy: no-referrer-when-downgrade
server: Caddy
strict-transport-security: max-age=2592000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-length: 15
date: Fri, 28 Jan 2022 02:16:46 GMT

$ curl -6 --http2 -I https://demo.example.com/
HTTP/2 200
accept-ranges: bytes
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
content-type: text/html; charset=utf-8
etag: "r6edtff"
last-modified: Fri, 28 Jan 2022 02:05:39 GMT
referrer-policy: no-referrer-when-downgrade
server: Caddy
strict-transport-security: max-age=2592000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-length: 15
date: Fri, 28 Jan 2022 02:16:46 GMT

$ docker run -t --rm --network host ymuski/curl-http3 curl -4 --http3 -I https://demo.example.com/
HTTP/3 200
server: Caddy
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
x-content-type-options: nosniff
last-modified: Fri, 28 Jan 2022 02:05:39 GMT
content-type: text/html; charset=utf-8
accept-ranges: bytes
content-length: 15
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=2592000
x-frame-options: SAMEORIGIN
etag: "r6edtff"

$ docker run -t --rm --network host ymuski/curl-http3 curl -6 --http3 -I https://demo.example.com/
HTTP/3 200
x-frame-options: SAMEORIGIN
etag: "r6edtff"
accept-ranges: bytes
content-length: 15
server: Caddy
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=2592000
x-content-type-options: nosniff
content-type: text/html; charset=utf-8
last-modified: Fri, 28 Jan 2022 02:05:39 GMT

Finally, we use SSL Server Test to verify that TLS certificates and crypto are configured securely, and use Security Headers to check that HTTP Strict Transport Security is setup correctly.

Conclusion

This article explains how to deploy a website in a VM instance on Oracle Cloud Free Tier.
It involves the following steps:

1. Create an always free compute VM instance.
2. Enable IPv6 in the Virtual Cloud Network, subnet, and VM instance.
3. Add ingress and egress rules in the network Security List.
4. Install Caddy HTTP server and PHP.
5. Configure local iptables firewall.
6. Test the website installation.