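I want to create an automation script that deploys my v2ray network proxy service on a new server. The rough steps are below; please propose a plan.

Review note on hostnames: the source mixed `sydney.zyj.best` and `bwh.zyj.best` in steps 4 and 5 (site file written under one name, symlinked under the other; `server_name` for one, certificate requested for the other). As written the symlink dangles and certbot is asked for a name that no server block declares. `bwh.zyj.best` is used throughout below because the nginx site in step 7, the certificate paths and the Clash profile all use it. The greeting text in step 3 is left as written.

## 1. Install v2ray

```bash
# The installers are fetched from a mutable branch (master) and executed.
# Download them to files first so the exact script that will run can be read,
# and ideally pinned to a reviewed commit, before it is executed.
curl -fsSL -o install-release.sh \
  https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh
curl -fsSL -o install-dat-release.sh \
  https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-dat-release.sh
bash install-release.sh
bash install-dat-release.sh
```

## 2. Install nginx and certbot

```bash
sudo apt install -y nginx certbot python3-certbot-nginx
sudo systemctl enable --now nginx
```

## 3. Put a decoy home page in place

```bash
sudo mkdir -p /var/www/bwh-site
echo '

Hello from sydney.zyj.best

' | sudo tee /var/www/bwh-site/index.html
sudo chown -R www-data:www-data /var/www/bwh-site
```

## 4. Write the HTTP site (port 80), used only to obtain the certificate

```bash
# The file name, the symlink source and server_name must name the same host.
sudo tee /etc/nginx/sites-available/bwh.zyj.best <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name bwh.zyj.best;

    root /var/www/bwh-site;
    index index.html;

    # Allow the ACME challenge
    location ~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Redirect everything else to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}
EOF
sudo ln -s /etc/nginx/sites-available/bwh.zyj.best /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
```

## 5. Issue the Let's Encrypt certificate in one step (port 443)

```bash
# -d must match the server_name written in step 4; step 7 reads the
# certificate from /etc/letsencrypt/live/bwh.zyj.best/.
sudo certbot --nginx -d bwh.zyj.best --agree-tos -m you@example.com --redirect
```

## 6. Update the v2ray configuration

Review note: what the source gives under this step is the Clash Meta client profile (repeated in step 8), not a server-side v2ray configuration. Whatever server configuration is deployed has to agree with the values used elsewhere on this page: a WebSocket inbound listening on `127.0.0.1:10086` (the nginx `proxy_pass` target in step 7), the path `/mysecretpath-221667`, and the same UUID as the client profile.

```yaml
# ================= Clash Meta configuration =================
port: 7890        # HTTP proxy
socks-port: 7891  # SOCKS5 proxy
redir-port: 7892  # transparent proxy (Linux; may be commented out)
mode: rule        # rule / global / direct
allow-lan: false  # LAN access
bind-address: 127.0.0.1
log-level: info
# Controller API is bound to loopback only.
external-controller: 127.0.0.1:9090
external-ui: dashboard

######### DNS #########
dns:
  enable: true
  # Intended to avoid clashing with the system resolver on port 53.
  # NOTE(review): this still binds port 53 on loopback; confirm nothing else
  # listens on 127.0.0.1:53 on the client.
  listen: 127.0.0.1:53
  ipv6: false
  enhanced-mode: redir-host
  nameserver:
    - https://dns.cloudflare.com/dns-query
    - https://dns.google/dns-query
    - 223.5.5.5
  fallback:
    - https://1.0.0.1/dns-query
    - tls://8.8.4.4:853
    - 8.8.4.4
  fallback-filter:
    geoip: true
    geoip-code: CN

######### Proxies #########
proxies:
  - name: "Bwh"
    type: vmess
    server: bwh.zyj.best
    port: 443
    # The UUID and the WebSocket path below are the credentials for this
    # proxy. They are reproduced as written; values that have appeared in a
    # shared document should be regenerated before deployment and kept out of
    # version control.
    uuid: 81c5bd30-21c0-ba05-f711-47e11c659598
    alterId: 0
    cipher: auto
    network: ws
    tls: true
    servername: bwh.zyj.best
    # Keep certificate verification on so the client validates the server.
    skip-cert-verify: false
    udp: true
    ws-opts:
      # Must match the nginx location in step 7.
      path: "/mysecretpath-221667"
      headers:
        Host: bwh.zyj.best

######### Proxy groups #########
proxy-groups:
  # Main outbound
  - name: "🚀 PROXY"
    type: select
    proxies:
      - "Bwh"
      - DIRECT

  # Streaming traffic
  - name: "🎥 Streaming"
    type: select
    proxies:
      - "Bwh"
      - DIRECT

  # Where blocked-ad traffic goes
  - name: "🆎 AdBlock"
    type: select
    proxies:
      - REJECT
      - DIRECT

######### Rule providers #########
# Each list is fetched over HTTPS from a third-party repository every
# 86400 seconds and decides which traffic is rejected, direct or proxied.
rule-providers:
  ads:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/reject.txt"
    path: ./ruleset/ads.list
    interval: 86400

  mainland:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/direct.txt"
    path: ./ruleset/mainland.list
    interval: 86400

  gfwlist:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/proxy.txt"
    path: ./ruleset/gfwlist.list
    interval: 86400

  cn_ip:
    type: http
    behavior: ipcidr
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/cncidr.txt"
    path: ./ruleset/cn_ip.list
    interval: 86400

######### Routing rules #########
rules:
  # 1) Ad blocking
  - RULE-SET,ads,🆎 AdBlock

  # 2) The source labels this "intranet and LAN", but cn_ip is loaded from
  #    cncidr.txt, which by its name is the mainland-China IP list.
  #    NOTE(review): an IP-based rule placed before the domain rules makes the
  #    client resolve the destination name locally to evaluate it unless
  #    no-resolve is appended; confirm this ordering is intended.
  - RULE-SET,cn_ip,DIRECT

  # 3) Chinese domains go direct
  - RULE-SET,mainland,DIRECT

  # 4) Streaming examples (append geosite:netflix etc. as needed)
  # - GEOSITE,netflix,🎥 Streaming
  # - GEOSITE,youtube,🎥 Streaming

  # 5) GFW-listed / other foreign domains go through the proxy
  - RULE-SET,gfwlist,🚀 PROXY

  # 6) Default
  - MATCH,🚀 PROXY
```

## 7. Update the nginx configuration

```nginx
##
# Site: bwh.zyj.best
# Mode: decoy static site + V2Ray WebSocket-over-TLS (same port 443)
# File: /etc/nginx/sites-available/bwh.zyj.best
##

############################
# HTTPS 443: decoy site + proxy
############################
server {
    server_name bwh.zyj.best;

    # ----------------- Static website -----------------
    root /var/www/bwh-site;
    index index.html;

    # ----------------- WebSocket reverse proxy -----------------
    # Must be exactly the same as V2Ray streamSettings.wsSettings.path
    location /mysecretpath-221667 {
        # Non-WebSocket requests get a plain 404, which deters scanners
        if ($http_upgrade != "websocket") {
            return 404;
        }
        proxy_pass http://127.0.0.1:10086;  # V2Ray local listener
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Origin "";
    }

    # ----------------- Other static resources -----------------
    # Look files up directly under root
    location / {
        try_files $uri $uri/ =404;
    }

    # ----------------- ACME HTTP-01 callback -----------------
    location ~ /.well-known/acme-challenge/ {
        allow all;
    }

    # ----------------- SSL settings (managed by Certbot) -----------------
    listen 443 ssl http2;
    listen [::]:443 ssl http2 ipv6only=on;
    ssl_certificate /etc/letsencrypt/live/bwh.zyj.best/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bwh.zyj.best/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

############################
# HTTP 80 -> HTTPS redirect
############################
server {
    listen 80;
    listen [::]:80;
    server_name bwh.zyj.best;

    # ACME HTTP-01 challenge
    location ~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/bwh-site;
    }

    # Everything else is redirected (301) to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}
```

## 8. Generate the Clash subscription file

This is the same profile as listed under step 6; the file carries the proxy's UUID and WebSocket path, so it should be distributed only to the intended clients.

```yaml
# ================= Clash Meta configuration =================
port: 7890        # HTTP proxy
socks-port: 7891  # SOCKS5 proxy
redir-port: 7892  # transparent proxy (Linux; may be commented out)
mode: rule        # rule / global / direct
allow-lan: false  # LAN access
bind-address: 127.0.0.1
log-level: info
# Controller API is bound to loopback only.
external-controller: 127.0.0.1:9090
external-ui: dashboard

######### DNS #########
dns:
  enable: true
  # Intended to avoid clashing with the system resolver on port 53.
  # NOTE(review): this still binds port 53 on loopback; confirm nothing else
  # listens on 127.0.0.1:53 on the client.
  listen: 127.0.0.1:53
  ipv6: false
  enhanced-mode: redir-host
  nameserver:
    - https://dns.cloudflare.com/dns-query
    - https://dns.google/dns-query
    - 223.5.5.5
  fallback:
    - https://1.0.0.1/dns-query
    - tls://8.8.4.4:853
    - 8.8.4.4
  fallback-filter:
    geoip: true
    geoip-code: CN

######### Proxies #########
proxies:
  - name: "Bwh"
    type: vmess
    server: bwh.zyj.best
    port: 443
    # Credential for the proxy; reproduced as written. Regenerate before
    # deployment if this value has been shared.
    uuid: 81c5bd30-21c0-ba05-f711-47e11c659598
    alterId: 0
    cipher: auto
    network: ws
    tls: true
    servername: bwh.zyj.best
    # Keep certificate verification on so the client validates the server.
    skip-cert-verify: false
    udp: true
    ws-opts:
      # Must match the nginx location in step 7.
      path: "/mysecretpath-221667"
      headers:
        Host: bwh.zyj.best

######### Proxy groups #########
proxy-groups:
  # Main outbound
  - name: "🚀 PROXY"
    type: select
    proxies:
      - "Bwh"
      - DIRECT

  # Streaming traffic
  - name: "🎥 Streaming"
    type: select
    proxies:
      - "Bwh"
      - DIRECT

  # Where blocked-ad traffic goes
  - name: "🆎 AdBlock"
    type: select
    proxies:
      - REJECT
      - DIRECT

######### Rule providers #########
# Each list is fetched over HTTPS from a third-party repository every
# 86400 seconds and decides which traffic is rejected, direct or proxied.
rule-providers:
  ads:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/reject.txt"
    path: ./ruleset/ads.list
    interval: 86400

  mainland:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/direct.txt"
    path: ./ruleset/mainland.list
    interval: 86400

  gfwlist:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/proxy.txt"
    path: ./ruleset/gfwlist.list
    interval: 86400

  cn_ip:
    type: http
    behavior: ipcidr
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/cncidr.txt"
    path: ./ruleset/cn_ip.list
    interval: 86400

######### Routing rules #########
rules:
  # 1) Ad blocking
  - RULE-SET,ads,🆎 AdBlock

  # 2) The source labels this "intranet and LAN", but cn_ip is loaded from
  #    cncidr.txt, which by its name is the mainland-China IP list.
  #    NOTE(review): an IP-based rule placed before the domain rules makes the
  #    client resolve the destination name locally to evaluate it unless
  #    no-resolve is appended; confirm this ordering is intended.
  - RULE-SET,cn_ip,DIRECT

  # 3) Chinese domains go direct
  - RULE-SET,mainland,DIRECT

  # 4) Streaming examples (append geosite:netflix etc. as needed)
  # - GEOSITE,netflix,🎥 Streaming
  # - GEOSITE,youtube,🎥 Streaming

  # 5) GFW-listed / other foreign domains go through the proxy
  - RULE-SET,gfwlist,🚀 PROXY

  # 6) Default
  - MATCH,🚀 PROXY
```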