Showing posts with label ssl. Show all posts

Sunday, December 16, 2018

Setup Let's Encrypt With Nginx on Ubuntu 16.04

Install Certbot

To obtain a Let's Encrypt SSL certificate, you have to install the Certbot client on your server.
Add the repository. Press the ENTER key when prompted to accept.
add-apt-repository ppa:certbot/certbot
Update the package list.
apt-get update
Proceed by installing Certbot and Certbot's Nginx package.
apt-get -y install python-certbot-nginx

Configuring Nginx

Certbot automatically configures SSL for Nginx, but to do so it needs to find the server block in your Nginx configuration file. It does this by matching the server_name directive in the configuration file with the domain name for which you're requesting a certificate.
If you're using the default configuration file /etc/nginx/sites-available/default open it with a text editor such as nano and find the server_name directive. Replace the underscore, _, with your own domain name(s):
nano /etc/nginx/sites-available/default
After editing the configuration file, the server_name directive should look as follows. In this example, I assume that your domain is example.com and that you're requesting a certificate for example.com and www.example.com.
server_name example.com www.example.com;
Proceed by verifying the syntax of your edits.
nginx -t
If the syntax is correct, restart Nginx to use the new configuration. If you get any error messages, reopen the configuration file and check for any typos, then try again.
systemctl restart nginx

Obtaining a Let's Encrypt SSL certificate

The following command obtains a certificate for you, edits your Nginx configuration to use it, and reloads Nginx.
certbot --nginx -d example.com -d www.example.com
You can also request an SSL certificate for additional domains. Just add the "-d" option as many times as you like.
certbot --nginx -d example.com -d www.example.com -d example.net
In case you only want to obtain the certificate from Let's Encrypt without installing it automatically, use the certonly subcommand. It makes temporary changes to your Nginx configuration to complete the challenge and reverts them once the certificate has been downloaded.
certbot certonly --nginx -d example.com -d www.example.com
 
@reference_1_vultr.com 
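The steps above, turned into a small Python helper. This is an added example, not code from the post or from Certbot: it normalises and de-duplicates the requested names, builds the certbot command line, rewrites the `server_name _;` placeholder in the default site, and, after issuance, checks that the certificate Nginx actually serves covers every requested name and reports how many days remain (Let's Encrypt certificates live 90 days, so a low number means renewal is not happening). `fetch_peer_cert` needs network access; everything else runs offline against a constructed certificate dictionary shaped like `ssl.SSLSocket.getpeercert()` output. The paths, names and sample certificate are placeholders, not taken from the post.

```python
import re
import shlex
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns: a 90-day
# certificate for example.com / www.example.com. Not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notBefore": "Dec 16 00:00:00 2018 GMT",
    "notAfter": "Mar 16 00:00:00 2019 GMT",
}
ISSUED_AT = ssl.cert_time_to_seconds(SAMPLE_CERT["notBefore"])

# Constructed stand-in for /etc/nginx/sites-available/default before editing.
DEFAULT_SITE = """server {
    listen 80 default_server;
    root /var/www/html;
    server_name _;
}
"""


def normalize_domains(domains):
    """Lower-case, drop a trailing dot, reject non-hostnames, and remove repeats."""
    out = []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", d):
            raise ValueError(f"not a hostname: {d!r}")
        if d not in out:
            out.append(d)
    return out


def certbot_command(domains, certonly=False):
    """Argument list for the certbot call above; certonly fetches without touching Nginx."""
    cmd = ["certbot"] + (["certonly"] if certonly else []) + ["--nginx"]
    for d in normalize_domains(domains):
        cmd += ["-d", d]
    return cmd


def set_server_name(config_text, domains):
    """Replace the single `server_name _;` placeholder so certbot --nginx finds the block."""
    names = " ".join(normalize_domains(domains))
    new, n = re.subn(r"^([ \t]*)server_name[ \t]+_[ \t]*;", rf"\g<1>server_name {names};",
                     config_text, flags=re.M)
    if n != 1:
        raise ValueError(f"expected one 'server_name _;' placeholder, found {n}")
    return new


def san_covers(name, sans):
    """Exact SAN match, or a wildcard SAN covering exactly one leading label."""
    if name in sans:
        return True
    parent = name.partition(".")[2]
    return bool(parent) and ("*." + parent) in sans


def check_peer_cert(cert, expected_domains, now=None):
    """Return (requested names the certificate does not cover, whole days until notAfter)."""
    sans = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    missing = [d for d in normalize_domains(expected_domains) if not san_covers(d, sans)]
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return missing, int((not_after - now) // 86400)


def fetch_peer_cert(host, port=443):
    """Live check; the default context verifies chain and hostname, so an untrusted cert fails loudly."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    wanted = ["example.com", "www.example.com", "example.net", "example.net"]  # repeat is dropped
    print(" ".join(shlex.quote(a) for a in certbot_command(wanted)))
    print(set_server_name(DEFAULT_SITE, wanted[:2]))
    print(check_peer_cert(SAMPLE_CERT, wanted, now=ISSUED_AT))  # (['example.net'], 90)
```

Run `check_peer_cert(fetch_peer_cert("example.com"), [...])` after certbot has finished; a name in the missing list means it was left out of the `-d` list, and a days value that keeps shrinking past 30 means the automatic renewal is not working.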

Saturday, September 22, 2018

HTTPS/SSL/NGINX/V2RAY

1. Generating a Private Key:
`openssl genrsa -out domainname.com.key 2048`

2. Generating a Certificate Signing Request:
`openssl req -new -key domainname.com.key -out domainname.com.csr`

3. Create a self-signed certificate (the certificate may be shared; the .key file must not). Note that a certificate made this way carries only a Common Name and no subjectAltName, which modern browsers require; it is fine for the V2Ray client below but not for general browser use:
`openssl x509 -req -days 365 -in domainname.com.csr -signkey domainname.com.key -out domainname.com.crt`

@reference_1_tutorials.jenkov.com
OpenSSL for Web Servers

@reference_2_stackexchange.com
How do I produce a CA signed public key?

4. Nginx Configuration:
```nginx
server {
    listen 443 ssl;
    # use the real host name; the V2Ray client's serverName and Host header must match it
    server_name domainname.com;

    root /var/www/domainname.com;

    # "ssl on;" is redundant with "listen 443 ssl" (and deprecated in newer nginx), so it is omitted
    ssl_certificate     /root/certs/domainname.com.crt;
    ssl_certificate_key /root/certs/domainname.com.key;
    # TLS 1.0 and 1.1 are deprecated; TLSv1.2 is the floor (add TLSv1.3 if your nginx and OpenSSL support it)
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        index Login.html index.html index.htm;
    }

    # WebSocket upgrade to the local V2Ray inbound
    location /dir1/dir2 {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:12345;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        # $proxy_protocol_addr is only set with "listen ... proxy_protocol"; the client address is $remote_addr
        proxy_set_header X-Forwarded-For $remote_addr;
    }

}
```

@reference_3_nginx.org
Configuring HTTPS servers
@reference_4_theviper24.today
v2ray tips
@reference_5_chrad.ml
Using V2Ray to get past the firewall (使用V2Ray实现科学爱国)
-----------------------------
V2Ray server:

    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/dir1/dir2"   // the path can be anything, but it must be identical in Nginx and in the client
      }
    }

Nginx server:

    # the location must match the wsSettings.path above (nginx comments use #, not //)
    location /dir1/dir2
     {
          proxy_redirect off;
          proxy_pass http://127.0.0.1:12345;   # port must match the port the V2Ray inbound listens on
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_set_header Host $http_host;
      }

V2Ray client:

    "streamSettings": {
      "network": "ws",
      "security": "tls",
      "tlsSettings": {
        "serverName": "domainname.com",  // your site's domain name; must match the certificate
        "allowInsecure": true            // turns certificate verification off; only for the self-signed cert from step 3 (see the note below)
      },
      "wsSettings": {
        "connectionReuse": true,
        "path": "/dir1/dir2",   // same path as above
        "headers": {
               "Host": "domainname.com",
               "User-Agent": "Mozilla/5.0 **********************************",
               "Accept-Language": "en-US,en;q=0.8",
               "Accept": "image/webp,image/apng,image/*,*/*;q=0.8"
        }

      }

    }

Note that:
With the self-signed certificate from step 3 the client cannot verify the chain and fails with
x509: certificate signed by unknown authority
The quick fix is to add, in the client's streamSettings,
"tlsSettings":{
"allowInsecure": true
}
but this switches certificate verification off completely, so anyone who can intercept the connection can impersonate the server. A Let's Encrypt certificate (see the post above) chains to a publicly trusted root and verifies without this setting, provided Nginx serves the full chain (the fullchain.pem certbot produces) and the client host's CA store is current. If you still see this error with a CA-issued certificate, fix the chain rather than setting allowInsecure.

-------------------------------------------------
V2Ray shadowsocks server:

{
  "method": "aes-256-cfb",   // unauthenticated stream cipher; V2Ray also supports AEAD methods such as aes-256-gcm, which you should prefer
  "password": "***************",
  "network": "tcp"
}


V2Ray shadowsocks client:

{
        "servers": [{
              "address": "domainname.com",
              "port": 443,   // the port of the server's shadowsocks inbound
              "method": "aes-256-cfb",   // must match the server
              "password": "***************"
        }]
 }

@reference_6_v2ray.com
Shadowsocks

VMESS Client:

{
  "outbound": {
    "protocol": "vmess",
    "settings": {
        "vnext": [
        {
          "address": "domainname.com",
          "port": 443,   // Nginx's TLS port; the WebSocket/TLS streamSettings shown above belong in this outbound too
          "users": [
          {
             "id": "23********************************",
             "alterId": 64,   // must equal the alterId configured for this id on the server
             "security": "auto",
             "level": 0
          }
          ]
       }
      ]
   }
  }
}

VMESS Server:

{
  "log" : {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "warning"
  },
  "inbound": {
    "listen": "127.0.0.1",   // only Nginx should reach the plaintext VMess port; do not expose it directly
    "port": 12345,           // must match the proxy_pass target in the Nginx location
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "23***********************************",
          "level": 1,
          "alterId": 64   // the client must use the same value
        }
      ]
    },

    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/dir1/dir2"
       }
    }

  },
  "outbound": {
    "protocol": "freedom",
    "settings": {}
  },
  "outboundDetour": [
    {
      "protocol": "blackhole",
      "settings": {},
      "tag": "blocked"
    }
  ],
  "routing": {
    "strategy": "rules",
    "settings": {
      "rules": [
        {
          "type": "field",
          "ip": ["geoip:private"],
          "outboundTag": "blocked"
        }
      ]
    }
  }
}
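A lint for the three configs on this page (the Nginx location, the V2Ray server inbound and the V2Ray client outbound), covering both the WebSocket-over-TLS section and the VMess client/server configs. This is an added example, not code from the post or from the V2Ray project. It checks the points the page says must agree (WebSocket path, proxy_pass port versus inbound port, client id and alterId, serverName and Host header versus server_name) and flags the weak settings shown on the page (allowInsecure, TLS 1.0/1.1, an inbound not bound to loopback, a non-AEAD shadowsocks method). The embedded configs are constructed from the page's fragments with a placeholder UUID; the 8080/12345 port and 10/64 alterId mismatches are reproduced as the page originally showed them so the checks have something to find.

```python
import json
import re

# Shadowsocks methods in V2Ray that authenticate the ciphertext (aes-256-cfb does not).
AEAD_METHODS = {"aes-128-gcm", "aes-256-gcm", "chacha20-poly1305", "chacha20-ietf-poly1305"}

# Constructed from the fragments on this page; the UUID is a placeholder, not a real client id.
UUID = "11111111-2222-3333-4444-555555555555"
NGINX_CONF = """server {
    listen 443 ssl;
    server_name domainname.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location /dir1/dir2 {
        proxy_pass http://127.0.0.1:12345;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
    }
}"""
SERVER_JSON = """{
  "inbound": {"port": 8080, "protocol": "vmess",  // page shows 8080 while Nginx proxies to 12345
    "settings": {"clients": [{"id": "%s", "level": 1, "alterId": 64}]},
    "streamSettings": {"network": "ws", "wsSettings": {"path": "/dir1/dir2"}}},
  "outbound": {"protocol": "freedom", "settings": {}}
}""" % UUID
CLIENT_JSON = """{
  "outbound": {"protocol": "vmess",
    "settings": {"vnext": [{"address": "domainname.com", "port": 443,
      "users": [{"id": "%s", "alterId": 10, "security": "auto", "level": 0}]}]},
    "streamSettings": {"network": "ws", "security": "tls",
      "tlsSettings": {"serverName": "domainname.com", "allowInsecure": true},  // as on the page
      "wsSettings": {"path": "/dir1/dir2", "headers": {"Host": "domainname.com"}}}}
}""" % UUID


def load_v2ray_json(text):
    """V2Ray tolerates // comments; drop them (outside string literals) before json.loads."""
    return json.loads(re.sub(r'("(?:[^"\\]|\\.)*")|//[^\n]*', lambda m: m.group(1) or "", text))


def parse_nginx(conf):
    """Pull the few directives this check needs out of one Nginx server block."""
    listen = re.search(r"listen\s+(\d+)\s+ssl", conf)
    names = re.search(r"server_name\s+([^;]+);", conf)
    protos = re.search(r"ssl_protocols\s+([^;]+);", conf)
    locations = {m.group(1): int(m.group(2)) for m in re.finditer(
        r"location\s+(\S+)\s*\{[^}]*?proxy_pass\s+http://127\.0\.0\.1:(\d+)", conf)}
    return {"port": int(listen.group(1)) if listen else None,
            "names": set(names.group(1).split()) if names else set(),
            "protocols": protos.group(1).split() if protos else [],
            "locations": locations}


def check_chain(nginx_conf, server_cfg, client_cfg):
    """Return findings for the Nginx -> V2Ray inbound -> client chain; [] means they agree."""
    f, ng = [], parse_nginx(nginx_conf)
    inbound, outbound = server_cfg["inbound"], client_cfg["outbound"]
    srv_path = inbound["streamSettings"]["wsSettings"]["path"]
    cli_path = outbound["streamSettings"]["wsSettings"]["path"]
    if cli_path != srv_path:
        f.append(f"ws path differs: client {cli_path} vs server {srv_path}")
    if srv_path not in ng["locations"]:
        f.append(f"no Nginx location proxies ws path {srv_path}")
    elif ng["locations"][srv_path] != inbound["port"]:
        f.append(f"Nginx proxies {srv_path} to port {ng['locations'][srv_path]} "
                 f"but the V2Ray inbound listens on {inbound['port']}")
    if inbound.get("listen") != "127.0.0.1":
        f.append("V2Ray inbound is not bound to 127.0.0.1: the plaintext VMess port is reachable without TLS")
    srv_users = {c["id"]: c["alterId"] for c in inbound["settings"]["clients"]}
    for vn in outbound["settings"]["vnext"]:
        if vn["port"] != ng["port"]:
            f.append(f"client connects to port {vn['port']} but Nginx listens on {ng['port']}")
        for u in vn["users"]:
            if u["id"] not in srv_users:
                f.append(f"client id {u['id']} is not in the server's clients list")
            elif u["alterId"] != srv_users[u["id"]]:
                f.append(f"alterId mismatch: client {u['alterId']} vs server {srv_users[u['id']]}")
    ss = outbound["streamSettings"]
    tls = ss.get("tlsSettings", {})
    if ss.get("security") != "tls":
        f.append("client streamSettings.security is not tls: the WebSocket would run in the clear")
    if tls.get("allowInsecure"):
        f.append("tlsSettings.allowInsecure is true: certificate verification is off, so a MITM can impersonate the server")
    host_hdr = ss["wsSettings"].get("headers", {}).get("Host")
    for label, name in (("serverName", tls.get("serverName")), ("Host header", host_hdr)):
        if name not in ng["names"]:
            f.append(f"client {label} {name!r} does not match Nginx server_name")
    weak = [p for p in ng["protocols"] if p in ("SSLv3", "TLSv1", "TLSv1.1")]
    if weak:
        f.append("Nginx ssl_protocols still enables " + " ".join(weak))
    return f


def shadowsocks_findings(ss_cfg):
    """Flag a non-AEAD shadowsocks method (the page's aes-256-cfb is an unauthenticated stream cipher)."""
    m = ss_cfg.get("method")
    return [] if m in AEAD_METHODS else [f"shadowsocks method {m} is not AEAD; use aes-256-gcm or chacha20-poly1305"]


if __name__ == "__main__":
    for line in check_chain(NGINX_CONF, load_v2ray_json(SERVER_JSON), load_v2ray_json(CLIENT_JSON)):
        print("FINDING:", line)
    print(shadowsocks_findings({"method": "aes-256-cfb", "password": "secret", "network": "tcp"}))
```

Against the configs as the page first showed them this prints five findings (port mismatch, inbound not on loopback, alterId mismatch, allowInsecure, TLS 1.0/1.1); with the inbound on 127.0.0.1:12345, alterId 64 on both sides, allowInsecure off and `ssl_protocols TLSv1.2;` the list is empty. Point `load_v2ray_json` at your real config files and `parse_nginx` at the site file to run the same check before restarting the services.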