secure-linux-web-hosting

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Secure Linux Web Hosting

Linux Web 托管安全配置

Overview

概述

Use this skill to turn a Linux cloud host into a safely reachable web host without leaning on stale distro-specific memory or outdated Debian-10-era tutorials.

This skill keeps the familiar teaching arc of a beginner-friendly server guide, but turns it into a reusable operator workflow:

Intake and routing
Prerequisites
Secure access
Firewall and exposure
Web server setup
Static site or app proxy
HTTPS
Validation
Optional advanced tuning

Before giving actionable commands, identify the distro family and verify the current package names, service units, config paths, and ACME-client guidance against official documentation for the user's distro and chosen tools.

Open

references/workflow-map.md

first for the phase sequence, then open the narrower reference file you need.

本技能可帮助你将Linux云主机转变为可安全访问的Web主机，无需依赖过时的发行版特定经验或Debian 10时代的旧教程。

本技能保留了面向初学者的服务器指南的友好教学逻辑，但将其转化为可复用的运维工作流：

需求收集与路径规划
前置准备
安全访问配置
防火墙与端口暴露
Web服务器搭建
静态站点或应用代理配置
HTTPS配置
验证环节
可选高级调优

在提供可执行命令前，需先识别发行版家族，并对照用户所使用发行版及所选工具的官方文档，确认当前的包名、服务单元、配置路径以及ACME客户端的使用指南。

请先查看

references/workflow-map.md

了解阶段顺序，再根据需求查看更细分的参考文件。

When to Use

适用场景

Use this skill when the user mentions any of the following:

a Linux VPS, VM, droplet, or cloud server they want to use for hosting
connecting a domain or DNS A/AAAA record to a server
SSH login, SSH hardening, root login, keys, ports, or firewall setup
installing or configuring Nginx for a website
serving a simple static site from Linux
putting a small app behind Nginx as a reverse proxy
HTTPS, Let's Encrypt, Certbot,
```
acme.sh
```
, certificate renewal, or redirecting HTTP to HTTPS
optional post-setup performance or network tuning such as BBR

Do not use this skill for:

Kubernetes, PaaS, or full container-orchestrator deployment design
application-specific build or CI/CD questions where Linux hosting is not the actual problem
Windows or macOS host administration
public multi-tenant production architecture reviews that need a broader SRE or platform-design treatment

当用户提及以下任一需求时，可使用本技能：

希望将Linux VPS、虚拟机、Droplet或云服务器用于托管服务
需将域名或DNS A/AAAA记录指向服务器
SSH登录、SSH加固、root登录、密钥、端口或防火墙设置相关需求
安装或配置Nginx以搭建网站
从Linux服务器提供简单静态站点服务
将小型应用部署在Nginx反向代理之后
HTTPS、Let's Encrypt、Certbot、
```
acme.sh
```
、证书续期或HTTP转HTTPS重定向相关配置
可选的上线后性能或网络调优（如BBR）

本技能不适用于以下场景：

Kubernetes、PaaS或完整容器编排平台的部署设计
以Linux托管为次要问题的应用特定构建或CI/CD相关问题
Windows或macOS主机的管理
需要更全面SRE或平台设计方案的公共多租户生产架构审查

Workflow

工作流

1. Intake and classify the current state

1. 需求收集与当前状态分类

Start by identifying:

distro family or image name
whether the user has root access, an admin user, or only one live SSH session
whether DNS already points at the host
whether the goal is a static site or an app reverse proxy
whether ports are already exposed
whether HTTPS is already partially configured

If the distro is unknown, ask for it or have the user inspect

/etc/os-release

before giving concrete package or service commands.

首先需明确：

发行版家族或镜像名称
用户是否拥有root权限、管理员用户，或仅存在一个活跃的SSH会话
DNS是否已指向该主机
目标是搭建静态站点还是应用反向代理
端口是否已暴露
HTTPS是否已完成部分配置

若发行版未知，需先询问用户，或让用户查看

/etc/os-release

文件，再提供具体的包或服务命令。

2. Verify current docs before actionable commands

2. 提供可执行命令前先验证官方文档

Use bundled references for routing, then verify details against live official docs before giving commands that depend on current distro behavior.

Always verify:

package manager commands and package names
firewall tooling and service names
SSH service unit names and config include paths
Nginx package and config layout
the chosen ACME client's current instructions

If you cannot verify a detail, say so and give high-level guidance instead of pretending the old Debian tutorial path is universal.

先使用内置参考文件规划路径，再对照最新官方文档验证细节，然后提供依赖当前发行版行为的命令。

需始终验证以下内容：

包管理器命令及包名
防火墙工具及服务名称
SSH服务单元名称及配置包含路径
Nginx包及配置结构
所选ACME客户端的最新使用说明

若无法验证某一细节，需明确告知用户，并提供高层级指导，而非沿用旧Debian教程的通用步骤。

3. Keep the phases in order

3. 按顺序执行各阶段

Walk through the phases in this order unless the user is explicitly asking for review or remediation of an existing setup:

prerequisites
secure access
firewall and exposure
web server
choose one hosting branch: static site or app proxy
HTTPS
validation
optional advanced tuning

Do not collapse the static-site branch and reverse-proxy branch into one default answer. Pick the branch that matches the user's goal.

除非用户明确要求审查或修复现有配置，否则请按以下顺序执行各阶段：

前置准备
安全访问配置
防火墙与端口暴露
Web服务器搭建
选择托管分支：静态站点或应用代理
HTTPS配置
验证环节
可选高级调优

请勿将静态站点分支与反向代理分支合并为一个默认方案，需根据用户目标选择对应分支。

4. Enforce the safety gates

4. 严格执行安全校验

Treat these as hard stop checks:

Do not recommend changing SSH port, disabling password auth, or disabling root SSH login until key-based login works in a second SSH session.
Do not recommend certificate issuance until DNS resolves to the intended host and the HTTP site or proxy path works as expected.
Do not force an HTTP-to-HTTPS redirect until HTTPS loads cleanly.
Do not suggest BBR or similar tuning until secure hosting is already working.

Always distinguish:

local-machine actions: SSH, DNS checks, browser tests
server actions: package install, config edits, service reloads, firewall rules

以下为必须执行的安全检查：

仅当基于密钥的登录在第二个SSH会话中正常工作后，才可建议修改SSH端口、禁用密码认证或禁用root SSH登录。
仅当DNS解析指向目标主机且HTTP站点或代理路径正常工作后，才可建议签发证书。
仅当HTTPS可正常加载后，才可强制执行HTTP转HTTPS重定向。
仅当安全托管已正常运行后，才可建议使用BBR或类似调优方案。

需始终区分：

本地机器操作：SSH、DNS检查、浏览器测试
服务器端操作：包安装、配置编辑、服务重载、防火墙规则配置

Output Expectations

输出规范

For a fresh setup, provide:

a brief diagnosis of the current state
the current phase and why it comes next
local-machine steps separate from server steps
concrete commands or config snippets only after doc verification
a verification step after each risky change
a short "if this fails, check X" branch for the likely mistake at that phase

For a hardening or troubleshooting review, provide:

the most likely risk or breakage first
a prioritized remediation sequence
the first safe verification step before the next config change

对于全新搭建场景，需提供：

当前状态的简要诊断
当前阶段及执行顺序的原因
本地机器操作与服务器端操作的区分说明
经文档验证后的具体命令或配置片段
每一项高风险修改后的验证步骤
针对该阶段常见错误的“若失败，请检查X”的引导

对于加固或故障排查场景，需提供：

最可能存在的风险或问题
按优先级排序的修复步骤
执行下一配置修改前的首个安全验证步骤

Common Mistakes

常见错误

treating Debian-specific commands from an old article as Linux-universal
hardening SSH in the only active session and locking the user out
opening application ports directly instead of keeping the app on loopback
mixing static-file hosting guidance and reverse-proxy guidance in one config
attempting ACME issuance before DNS or HTTP is actually correct
forcing redirects before HTTPS is proven
treating BBR as part of the core setup instead of an optional later step
ignoring SELinux or AppArmor differences when Nginx can read files on one distro but not another

将旧文章中的Debian特定命令视为Linux通用命令
在唯一活跃的SSH会话中加固SSH配置导致用户被锁定
直接暴露应用端口而非让应用仅监听回环地址
在同一配置中混合静态文件托管与反向代理的指导内容
DNS或HTTP配置未正确完成前尝试ACME证书签发
HTTPS未验证通过前强制执行重定向
将BBR视为核心搭建步骤而非可选的后续调优
忽略SELinux或AppArmor差异，导致Nginx在某一发行版中可读取文件但在另一发行版中无法读取

Reference Usage

参考文件使用说明

Use

references/workflow-map.md

for the phase map, branching logic, and validation order.

Use

references/distro-routing.md

when distro family, package manager, firewall tooling, or config layout matters.

Use

references/nginx-patterns.md

when the user needs the static-site branch or the reverse-proxy branch.

Use

references/security-and-tls.md

for SSH hardening sequence, firewall posture, certificate issuance, renewal, and redirect timing.

使用

references/workflow-map.md

查看阶段映射、分支逻辑及验证顺序。

当发行版家族、包管理器、防火墙工具或配置结构存在差异时，使用

references/distro-routing.md

。

当用户需要静态站点或反向代理分支的配置指导时，使用

references/nginx-patterns.md

。

SSH加固顺序、防火墙策略、证书签发、续期及重定向时机相关内容，请查看

references/security-and-tls.md

。