跳至内容
一个人的小基础设施:主域放站点,子域挂服务

一个人的小基础设施:主域放站点,子域挂服务

July 12, 2026

个人服务器发展到一定阶段,常见乱象是:主页临时、API/面板/代理各占公网端口、证书规则散落。最值得先做的不是再装软件,而是统一入口

主域与子域经 Nginx 统一出口

1. 推荐拓扑(与我们现网一致)

主机名职责后端
example.com内容站 / 文章静态目录 /var/www/html
api.example.comAPI / 模型网关127.0.0.1:3000
relay.example.com中继业务127.0.0.1:3090
proxy.example.com面板127.0.0.1:9091

原则:公网只开 80/443;业务容器只绑 127.0.0.1 或 Docker 内网。

2. 主站:静态站 + HTTPS

# /etc/nginx/sites-available/main.conf
server {
    listen 80;
    listen [::]:80;
    server_name outsider-studio.cloud www.outsider-studio.cloud;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name outsider-studio.cloud www.outsider-studio.cloud;

    ssl_certificate     /etc/letsencrypt/live/outsider-studio.cloud/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/outsider-studio.cloud/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Hugo 发布仍走「构建到临时目录 → rsync」即可,和反代层解耦。

3. 子域:反代到本机端口

# /etc/nginx/conf.d/api.conf
server {
    listen 443 ssl http2;
    server_name api.outsider-studio.cloud;

    ssl_certificate     /etc/letsencrypt/live/outsider-studio.cloud/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/outsider-studio.cloud/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # 若有 WebSocket / SSE:
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 3600s;
        proxy_buffering off;
    }
}

http 块里补 map(只加一次):

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

4. Docker 端口务必绑本机

# 错误:0.0.0.0:3000 直接暴露公网
# 正确:
services:
  new-api:
    ports:
      - "127.0.0.1:3000:3000"

检查:

ss -tulnp | grep -E ':3000|:3090|:9091'
# 期望看到 127.0.0.1,而不是 0.0.0.0(除非你有意公开)

5. 证书:一次申请多 SAN

certbot --nginx \
  -d outsider-studio.cloud -d www.outsider-studio.cloud \
  -d api.outsider-studio.cloud \
  -d relay.outsider-studio.cloud \
  -d proxy.outsider-studio.cloud

续期:

certbot renew --dry-run
systemctl status certbot.timer

6. 案例:从「端口说明书」到「域名说明书」

改造前分享给同事:

API: http://IP:3000
面板: http://IP:9091
站点: http://IP/

改造后:

https://outsider-studio.cloud/
https://api.outsider-studio.cloud/
https://proxy.outsider-studio.cloud/

容器换端口、迁移机器,对外 URL 不变;HTTPS 与 HSTS 一次收口。这就是小基础设施的复利。

7. 安全基线清单

# UFW 示例(按需开启)
ufw default deny incoming
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
# ufw enable   # 确认 SSH 规则无误再开
  • 管理面板与内容站分域,避免 Cookie 混用
  • fail2ban 护 SSH
  • 备份:Nginx 配置、/etc/letsencrypt、Docker 卷、Hugo 源码

一个人的基础设施不追求大而全,但一定要边界清楚:主域讲故事,子域跑服务,443 当唯一大门。