# Serves the ACME HTTP-01 challenge files that the webroot plugin writes.
# "root" plus the request URI resolves to the same files the alias form did:
#   /.well-known/acme-challenge/<token> -> /srv/www/.well-known/acme-challenge/<token>
# Keep this location reachable over plain HTTP (port 80): the validation
# request from the CA arrives there first.
location /.well-known/acme-challenge {
    root /srv/www;
}
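# Shell command, not part of the nginx configuration.
# Requests a certificate for domain.ltd with the webroot authenticator: the
# client drops the challenge file under /srv/www/.well-known/acme-challenge/,
# so the nginx location for that path must already be live.
#
# The ACME v1 directory (acme-v01) that this command originally named has been
# shut down by Let's Encrypt, so the request is pointed at the v2 directory.
# NOTE(review): letsencrypt-auto itself is no longer maintained upstream;
# confirm the installed client is recent enough to speak ACME v2.
letsencrypt-auto certonly \
    -a webroot \
    --webroot-path /srv/www/ \
    -d domain.ltd \
    --server https://acme-v02.api.letsencrypt.org/directory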
# Reverse-proxies /supervisor/... to the service listening on localhost:9001.
# NOTE(review): no allow/deny or auth_basic is visible in this block. If the
# upstream is a process-control UI (the path suggests supervisord; confirm),
# restrict access here or in the enclosing server block, and make sure the
# upstream enforces its own credentials.
location /supervisor/ {
    # Strip the /supervisor prefix before proxying; "break" ends rewrite
    # processing and keeps the request in this location.
    rewrite ^/supervisor(.+)$ $1 break;

    # Pass the original Host and client address to the upstream.
    # X-Forwarded-For is appended to whatever the client sent, so the upstream
    # should trust only the last entry (the one nginx adds).
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    proxy_pass http://localhost:9001;

    # Re-adds the /supervisor prefix to redirects issued by the upstream.
    # NOTE(review): the pattern has no scheme; proxy_redirect matches the start
    # of the Location value, so an absolute "http://domain.ru/..." redirect
    # would not match. Confirm against what the upstream actually sends.
    proxy_redirect domain.ru domain.ru/supervisor;
}
# Response hardening headers.
# - Without the "always" parameter nginx attaches these only to successful and
#   redirect responses, not to error pages such as 404 or 500.
# - add_header is inherited from this level only by blocks that declare no
#   add_header of their own; a location that adds any header must repeat these.
# - The HSTS policy below has no includeSubDomains, so it covers this host only.
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "DENY";
add_header Strict-Transport-Security "max-age=31536000";
# --- TLS enablement -------------------------------------------------------
# NOTE(review): "ssl on;" is deprecated in newer nginx releases in favour of
# the "ssl" parameter on the listen directive; the listen line is not visible
# here, so it is left as is.
ssl on;
ssl_verify_client off;              # no client-certificate authentication

# --- Certificate material -------------------------------------------------
# The private key, DH parameters and ticket key should be readable only by
# the account that starts nginx.
ssl_certificate_key /path/to/ssl.key;
ssl_certificate /path/to/ssl.crt;
ssl_trusted_certificate /path/to/ssl.bundle;   # CA chain used to verify stapled OCSP responses
ssl_dhparam /path/to/dh.key;                   # parameters for the EDH suites below

# --- Protocol and cipher selection ---------------------------------------
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
# A single curve is offered; a client that does not support secp521r1 cannot
# use the EECDH suites and has to fall back to EDH or fail the handshake.
ssl_ecdh_curve secp521r1;

# --- Session resumption ---------------------------------------------------
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
# Tickets are encrypted with the key read from this file for as long as the
# file stays unchanged. Anyone holding it can decrypt recorded sessions that
# used tickets, so rotate it regularly and reload nginx afterwards.
ssl_session_ticket_key /path/to/ticket.key;
ssl_session_tickets on;

# --- OCSP stapling --------------------------------------------------------
ssl_stapling_verify on;
ssl_stapling on;
# Overrides the responder URL embedded in the certificate; it must belong to
# the CA that issued ssl.crt or stapling silently stops working.
# NOTE(review): this responder belongs to WoSign, which major browsers have
# since distrusted; confirm which CA issued the certificate in use.
ssl_stapling_responder http://ocsp2.wosign.cn/ca2g2/server1/free;
# Used to resolve the responder host name. Queries go unauthenticated to a
# public resolver; a resolver on a trusted local network reduces spoofing risk.
resolver 8.8.8.8;
# Default location: static files are served straight from the site root.
# Everything under this directory is downloadable, so keep configuration
# files, backups and VCS metadata out of it.
location / {
    root /var/www/site/www/;
}
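# Hands requests whose URI ends in .php to the FastCGI backend on 127.0.0.1:9001.
# NOTE(review): port 9001 is also the upstream of the /supervisor/ proxy
# snippet on this page; confirm which service really listens there.
location ~ \.php$ {
    root /var/www/site/www/scripts/user/;

    # Forward the request only when the script exists under this root;
    # otherwise nginx answers 404 itself. Without this check every URI ending
    # in .php reaches the backend, and PHP's path-info fallback
    # (cgi.fix_pathinfo) can end up running a different, non-PHP file.
    # This relies on nginx and the PHP backend seeing the same filesystem,
    # which holds for a backend on 127.0.0.1.
    try_files $uri =404;

    fastcgi_pass 127.0.0.1:9001;
    fastcgi_index index.php;

    # Absolute path of the script, built from the root above plus the URI.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}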