{"id":"f692c157-7b5e-4643-83d3-856f2d3fa10a","shortId":"TcypTT","kind":"skill","title":"Secure Linux Web Hosting","tagline":"Skills skill by Xixu Me","description":"## Overview\n\nUse this skill to turn a cloud server into a safely reachable web host\nwithout leaning on stale distro-specific memory or outdated Debian-10-era\ntutorials.\n\nThis skill keeps the familiar teaching arc of a beginner-friendly server guide,\nbut turns it into a reusable operator workflow:\n\n1. Intake and routing\n2. Prerequisites\n3. Secure access\n4. Firewall and exposure\n5. Web server setup\n6. Static site or app proxy\n7. HTTPS\n8. Validation\n9. Optional advanced tuning\n\nBefore giving actionable commands, identify the distro family and verify the\ncurrent package names, service units, config paths, and ACME-client guidance\nagainst official documentation for the user's distro and chosen tools.\n\nOpen [`references/workflow-map.md`](./references/workflow-map.md) first for the\nphase sequence, then open the narrower reference file you need.\n\n## When to Use\n\nUse this skill when the user mentions any of the following:\n\n- a cloud server, VM, droplet, or other Linux host they want to use for hosting\n- connecting a domain or DNS A/AAAA record to a server\n- SSH login, SSH hardening, root login, keys, ports, or firewall setup\n- installing or configuring Nginx for a website\n- serving a simple static site from Linux\n- putting a small app behind Nginx as a reverse proxy\n- HTTPS, Let's Encrypt, Certbot, `acme.sh`, certificate renewal, or redirecting\n  HTTP to HTTPS\n- optional post-setup performance or network tuning such as BBR\n\nDo not use this skill for:\n\n- Kubernetes, PaaS, or full container-orchestrator deployment design\n- application-specific build or CI/CD questions where Linux hosting is not the\n  actual problem\n- Windows or macOS host administration\n- public multi-tenant production architecture reviews that need a broader SRE\n  or platform-design treatment\n\n## 
Workflow\n\n### 1. Intake and classify the current state\n\nStart by identifying:\n\n- distro family or image name\n- whether the user has root access, an admin user, or only one live SSH session\n- whether DNS already points at the host\n- whether the goal is a static site or an app reverse proxy\n- whether ports are already exposed\n- whether HTTPS is already partially configured\n\nIf the distro is unknown, ask for it or have the user inspect `/etc/os-release`\nbefore giving concrete package or service commands.\n\n### 2. Verify current docs before actionable commands\n\nUse bundled references for routing, then verify details against live official\ndocs before giving commands that depend on current distro behavior.\n\nAlways verify:\n\n- package manager commands and package names\n- firewall tooling and service names\n- SSH service unit names and config include paths\n- Nginx package and config layout\n- the chosen ACME client's current instructions\n\nIf you cannot verify a detail, say so and give high-level guidance instead of\npretending the old Debian tutorial path is universal.\n\n### 3. Keep the phases in order\n\nWalk through the phases in this order unless the user is explicitly asking for\nreview or remediation of an existing setup:\n\n1. prerequisites\n2. secure access\n3. firewall and exposure\n4. web server\n5. choose one hosting branch: static site or app proxy\n6. HTTPS\n7. validation\n8. optional advanced tuning\n\nDo not collapse the static-site branch and reverse-proxy branch into one\ndefault answer. Pick the branch that matches the user's goal.\n\n### 4. 
Enforce the safety gates\n\nTreat these as hard stop checks:\n\n- Do not recommend changing SSH port, disabling password auth, or disabling\n  root SSH login until key-based login works in a second SSH session.\n- Do not recommend certificate issuance until DNS resolves to the intended host\n  and the HTTP site or proxy path works as expected.\n- Do not force an HTTP-to-HTTPS redirect until HTTPS loads cleanly.\n- Do not suggest BBR or similar tuning until secure hosting is already working.\n\nAlways distinguish:\n\n- local-machine actions: SSH, DNS checks, browser tests\n- server actions: package install, config edits, service reloads, firewall rules\n\n## Output Expectations\n\nFor a fresh setup, provide:\n\n- a brief diagnosis of the current state\n- the current phase and why it comes next\n- local-machine steps separate from server steps\n- concrete commands or config snippets only after doc verification\n- a verification step after each risky change\n- a short \"if this fails, check X\" branch for the likely mistake at that phase\n\nFor a hardening or troubleshooting review, provide:\n\n- the most likely risk or breakage first\n- a prioritized remediation sequence\n- the first safe verification step before the next config change\n\n## Common Mistakes\n\n- treating Debian-specific commands from an old article as Linux-universal\n- hardening SSH in the only active session and locking the user out\n- opening application ports directly instead of keeping the app on loopback\n- mixing static-file hosting guidance and reverse-proxy guidance in one config\n- attempting ACME issuance before DNS or HTTP is actually correct\n- forcing redirects before HTTPS is proven\n- treating BBR as part of the core setup instead of an optional later step\n- ignoring SELinux or AppArmor differences when Nginx can read files on one\n  distro but not another\n\n## Reference Usage\n\nUse [`references/workflow-map.md`](./references/workflow-map.md) for the phase map,\nbranching logic, 
and validation order.\n\nUse [`references/distro-routing.md`](./references/distro-routing.md) when distro\nfamily, package manager, firewall tooling, or config layout matters.\n\nUse [`references/nginx-patterns.md`](./references/nginx-patterns.md) when the user\nneeds the static-site branch or the reverse-proxy branch.\n\nUse [`references/security-and-tls.md`](./references/security-and-tls.md) for SSH\nhardening sequence, firewall posture, certificate issuance, renewal, and\nredirect timing.","tags":["secure","linux","web","hosting","skills","xixu-me"],"capabilities":["skill","source-xixu-me","category-skills"],"categories":["skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/xixu-me/skills/secure-linux-web-hosting","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"install_from":"skills.sh"}},"qualityScore":"0.300","qualityRationale":"deterministic score 0.30 from registry signals: · indexed on skills.sh · published under xixu-me/skills","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill:v1","enrichmentVersion":1,"enrichedAt":"2026-04-24T02:40:12.248Z","embedding":null,"createdAt":"2026-04-18T20:23:41.973Z","updatedAt":"2026-04-24T02:40:12.248Z","lastSeenAt":"2026-04-24T02:40:12.248Z","tsv":"","prices":[{"id":"40a9b254-44a9-4bf2-a881-6588cbd8f4f2","listingId":"f692c157-7b5e-4643-83d3-856f2d3fa10a","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"xixu-me","category":"skills","install_from":"skills.sh"},"createdAt":"2026-04-18T20:23:41.973Z"}],"sources":[{"listingId":"f692c157-7b5e-4643-83d3-856f2d3fa10a","source":"github","sourceId":"xixu-me/skills/secure-linux-web-hosting","sourceUrl":"https://github.com/xixu-me/skills/tree/main/skills/secure-linux-web-hosting","isPrimary":false,"firstSeenAt":"2026-04-18T22:19:19.177Z","lastSeenAt":"2026-04-24T00:56:33.992Z"},{"listingId":"f692c157-7b5e-4643-83d3-856f2d3fa10a","source":"skills_sh","sourceId":"xixu-me/skills/secure-linux-web-hosting","sourceUrl":"https://skills.sh/xixu-me/skills/secure-linux-web-hosting","isPrimary":true,"firstSeenAt":"2026-04-18T20:23:41.973Z","lastSeenAt":"2026-04-24T02:40:12.248Z"}],"details":{"listingId":"f692c157-7b5e-4643-83d3-856f2d3fa10a","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agen
tsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"xixu-me","slug":"secure-linux-web-hosting","source":"skills_sh","category":"skills","skills_sh_url":"https://skills.sh/xixu-me/skills/secure-linux-web-hosting"},"updatedAt":"2026-04-24T02:40:12.248Z"}}