Deploying OpenClaw with Docker and Using Nginx as a Reverse Proxy
This document walks through deploying and configuring the OpenClaw service in a Docker environment. It covers: 1) environment preparation, listing the required services (Docker, Nginx, OpenClaw) with their versions and network settings; 2) the containerised deployment of OpenClaw, with a docker-compose.yml example and the initialisation commands; 3) three access-mode configurations: LAN access, port mapping and an Nginx reverse proxy, with emphasis on generating the Nginx SSL certificate,
Environment Preparation
Services
| Service | Version | Notes |
|---|---|---|
| Docker | Docker version 27.3.1 | Must support Docker Compose v2 |
| Nginx | nginx:1.28-alpine | Deployed with docker-compose, network mode: port mapping |
| OpenClaw | ghcr.io/openclaw/openclaw:2026.3.28 | Deployed with docker-compose, network mode: host |
Network
| IP / domain | Notes |
|---|---|
| 172.16.0.2 | Docker host, runs both Nginx and OpenClaw |
| 172.16.0.2 | OpenClaw container IP (same as the host because of network_mode: host) |
| 172.16.0.8 | Nginx container IP |
| openclaw.wangshui898.top | Public domain name |
OpenClaw Deployment
Deployment reference: https://docs.openclaw.ai/install/hetzner
Configuration reference: https://docs.openclaw.ai/gateway/configuration#interactive-wizard
- Note: the container uses `network_mode: host`; without it, configuring access becomes considerably more involved.
```shell
mkdir -p /data/openclaw/openclaw_data/workspace
cd /data/openclaw
# Directory permissions: grant the UID/GID first; only if startup fails, fall back to full permissions
chown 1000:1000 /data/openclaw/openclaw_data -R
chmod 777 /data/openclaw/openclaw_data -R
cat > docker-compose.yml << 'EOF'
services:
  openclaw-gateway:
    image: ghcr.io/openclaw/openclaw:2026.3.28
    restart: unless-stopped
    network_mode: host
    privileged: true   # equivalent to --privileged
    ipc: host          # equivalent to --ipc=host
    init: true
    environment:
      - HOME=/home/node
      - NODE_ENV=production
      - TERM=xterm-256color
    volumes:
      - /data/openclaw/openclaw_data:/home/node/.openclaw
      - /data/openclaw/openclaw_data/workspace:/home/node/.openclaw/workspace
    command: openclaw gateway --allow-unconfigured
    healthcheck:
      test:
        [
          "CMD",
          "node",
          "-e",
          "fetch('http://127.0.0.1:18789/healthz').then((r)=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))",
        ]
EOF
# Start OpenClaw
docker compose up -d
```
Initial Setup
```shell
# Enter the container
cd /data/openclaw
docker compose exec openclaw-gateway /bin/bash
# Run the configuration wizard (follow the prompts; there are plenty of tutorials online)
openclaw onboard
# Check the openclaw status
openclaw status
# Obtain the login token
openclaw dashboard
```
Access Modes
1. LAN access
- Use case: OpenClaw runs in a Docker container, but the container is not on the machine you browse from
```shell
# Switch the gateway to LAN mode
openclaw config   # config menu --> gateway --> LAN (All interfaces)
# Disable the device identity check
openclaw config set gateway.controlUi.dangerouslyDisableDeviceAuth true
# Set the allowed origins (cross-origin IPs); restart required
openclaw config set gateway.controlUi.allowedOrigins '["http://172.0.0.1:18789","http://localhost:18789","http://172.16.0.2:18789"]'
```
2. Port mapping
- Use case: OpenClaw is deployed with Docker on the LAN, the router forwards a port, and the deployment is reached from the internet through a domain name
```shell
# On top of the LAN-mode settings, add the following
# Skip device pairing
openclaw config set gateway.controlUi.allowInsecureAuth true
# Set the allowed origins (IPs or domain names); restart required
openclaw config set gateway.controlUi.allowedOrigins '["http://172.0.0.1:18789","http://localhost:18789","http://172.16.0.2:18789","http://openclaw.wangshui898.top:18789"]'
# If you are still prompted, try approving the device
openclaw devices list
openclaw devices approve <requestId>   # replace <requestId> with the requestId shown by the previous command
```
3. Nginx reverse proxy
- Fits most scenarios; Nginx's Basic authentication provides a username/password login. This is the advanced mode: the configuration file is edited directly.
Nginx Deployment
```shell
mkdir -p /data/nginx/nginx_data/html
mkdir -p /data/nginx/nginx_data/conf
mkdir -p /data/nginx/nginx_data/logs
mkdir -p /data/nginx/nginx_data/ssl   # holds the certificate, key and .htpasswd mounted at /etc/nginx/ssl
cd /data/nginx
# The delimiter is quoted so that $remote_addr and the other log_format variables
# are written literally instead of being expanded (to empty strings) by the shell
cat > /data/nginx/nginx_data/nginx.conf << 'EOF'
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    charset utf-8;
    include /etc/nginx/conf.d/*.conf;
}
EOF
```
Generate the SSL certificate (written into the ssl directory that the compose file mounts at /etc/nginx/ssl, where the server block expects it):
```shell
openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
  -keyout /data/nginx/nginx_data/ssl/openclaw.key \
  -out /data/nginx/nginx_data/ssl/openclaw.crt \
  -days 36500 -subj "/C=CN/ST=LN/L=SY/O=OpenClaw/CN=openclaw.wangshui898.top"
```
Generate the login credentials:
```shell
sh -c 'echo "admin:$(openssl passwd -apr1 Aa123456)" > /data/nginx/nginx_data/ssl/.htpasswd'
```
Nginx Reverse Proxy Configuration
```shell
cat > /data/nginx/nginx_data/conf/openclaw.conf << 'EOF'
# OpenClaw Nginx configuration
# HTTPS server
server {
    listen 18443 ssl;
    server_name openclaw.wangshui898.top;
    # SSL certificate paths
    ssl_certificate /etc/nginx/ssl/openclaw.crt;
    ssl_certificate_key /etc/nginx/ssl/openclaw.key;
    # Security and performance settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # Login protection
    auth_basic "OpenClaw Login";
    auth_basic_user_file /etc/nginx/ssl/.htpasswd;
    # Security response headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    # Logging
    access_log /var/log/nginx/openclaw-access.log;
    error_log /var/log/nginx/openclaw-error.log;
    location / {
        proxy_pass http://172.16.0.2:18789;   # OpenClaw LAN address
        # Important: clear the Authorization header so the Basic credentials do not reach the gateway
        proxy_set_header Authorization "";
        # WebSocket support (required)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Forward the user identity (required for trusted-proxy mode)
        proxy_set_header X-Forwarded-User $remote_user;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Timeouts (long-lived WebSocket connections)
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 300s;
        proxy_buffering off;
    }
}
EOF
```
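With the gateway in trusted-proxy mode, the server block above is the only thing standing between an anonymous client and an `X-Forwarded-User: admin` header, so it is worth checking mechanically that every proxied location overwrites the identity headers, that Basic auth is on, and that the listener uses TLS. The following audit script is an added example, not part of this page, OpenClaw or Nginx; the parser, the function names and the `EXPECTED_HEADERS` table are mine, and the sample config is the vhost above trimmed to the directives the audit looks at. It also models the Nginx rule that a single local `proxy_set_header` in a location stops every server-level `proxy_set_header` from being inherited, which is the easiest way to lose these headers during a later edit.

```python
"""Audit an Nginx vhost that fronts a gateway running in trusted-proxy mode.

Added example; not code from this page, OpenClaw or Nginx. Function names
are mine. It parses the server block with a minimal tokenizer and checks the
invariants the trusted-proxy setup depends on: TLS on the listener, Basic
auth enabled, and every proxied location overwriting the identity headers
the gateway trusts, so a client can never supply its own X-Forwarded-User.
"""

# Constructed sample: the proxy vhost from this page, trimmed to the
# directives the audit looks at.
PROXY_CONF = r"""
server {
    listen 18443 ssl;
    server_name openclaw.wangshui898.top;
    ssl_certificate /etc/nginx/ssl/openclaw.crt;
    ssl_certificate_key /etc/nginx/ssl/openclaw.key;
    auth_basic "OpenClaw Login";
    auth_basic_user_file /etc/nginx/ssl/.htpasswd;
    location / {
        proxy_pass http://172.16.0.2:18789;   # OpenClaw gateway
        proxy_set_header Authorization "";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-User $remote_user;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header Host $host;
    }
}
"""

# Header -> the value it must be derived from. The names are the userHeader
# and requiredHeaders of the gateway config on this page; Authorization is
# cleared so the Basic credentials never reach the upstream.
EXPECTED_HEADERS = {
    "x-forwarded-user": "$remote_user",
    "x-forwarded-proto": "$scheme",
    "x-forwarded-host": "$host",
    "authorization": "",
}


def tokenize(text):
    """Split nginx config text into words, quoted strings, '{', '}' and ';'."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                       # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c in "\"'":                     # quoted argument, may be empty
            j = text.index(c, i + 1)
            tokens.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};#":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse(text):
    """Return [(block_path, directive, args)], e.g. (('server', 'location /'), 'proxy_pass', ('http://...',))."""
    directives, stack, cur = [], [], []
    for tok in tokenize(text):
        if tok == ";":
            if cur:
                directives.append((tuple(stack), cur[0], tuple(cur[1:])))
            cur = []
        elif tok == "{":
            stack.append(" ".join(cur))
            cur = []
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok)
    return directives


def effective_proxy_headers(directives, location_path):
    """proxy_set_header values in force inside a location.

    Nginx inherits proxy_set_header from the server block only when the
    location declares none of its own, so one local proxy_set_header
    silently drops every server-level one; this models that rule.
    """
    def collect(path):
        return {a[0].lower(): a[1] for p, name, a in directives
                if name == "proxy_set_header" and p == path and len(a) == 2}
    return collect(location_path) or collect(location_path[:-1])


def audit_proxy_conf(text):
    """Return a list of findings; an empty list means the vhost is consistent."""
    ds = parse(text)
    findings = []
    if not any(name == "listen" and "ssl" in args for _, name, args in ds):
        findings.append("listen: no TLS listener, Basic credentials would cross the network in clear")
    auth = [args for _, name, args in ds if name == "auth_basic"]
    if not auth or auth[-1][0].lower() == "off":
        findings.append("auth_basic: missing or off, $remote_user would be empty")
    if not any(name == "auth_basic_user_file" for _, name, _ in ds):
        findings.append("auth_basic_user_file: no credential file configured")
    for path, name, _ in ds:
        if name != "proxy_pass":
            continue
        headers = effective_proxy_headers(ds, path)
        where = " > ".join(path)
        for header, expected in EXPECTED_HEADERS.items():
            if headers.get(header) != expected:
                findings.append(f"{where}: proxy_set_header {header} must be {expected!r}, got {headers.get(header)!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_conf(PROXY_CONF) or ["ok: no findings"]:
        print(finding)
```

Run it against the real file with `audit_proxy_conf(open("/data/nginx/nginx_data/conf/openclaw.conf").read())` after every edit to the vhost; an empty list means the proxy still sets the headers the gateway's `requiredHeaders` and `userHeader` settings rely on.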
docker-compose file
```shell
cat > /data/nginx/docker-compose.yml << EOF
services:
  nginx:
    image: nginx:1.28-alpine
    container_name: nginx-proxy
    restart: always
    ports:
      - "14311:14311"
      - "18443:18443"
    volumes:
      - ./nginx_data/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx_data/html:/usr/share/nginx/html
      - ./nginx_data/conf:/etc/nginx/conf.d
      - ./nginx_data/ssl:/etc/nginx/ssl
      - ./nginx_data/logs:/var/log/nginx
    deploy:
      resources:
        limits:
          memory: 2G
EOF
# Start Nginx
docker compose up -d
```
Gateway configuration:
- Reference for the gateway field
```json
"gateway": {
  "port": 18789,
  "mode": "local",
  "bind": "custom",
  "customBindHost": "172.16.0.2",
  "controlUi": {
    "allowedOrigins": [
      "http://172.0.0.1:18789",
      "http://localhost:18789",
      "http://172.16.0.2:18789",
      "https://openclaw.wangshui898.top:18443"
    ],
    "allowInsecureAuth": false,
    "dangerouslyDisableDeviceAuth": false
  },
  "auth": {
    "mode": "trusted-proxy",
    "trustedProxy": {
      "userHeader": "x-forwarded-user",
      "requiredHeaders": [
        "x-forwarded-proto",
        "x-forwarded-host"
      ],
      "allowUsers": [
        "admin"
      ]
    }
  },
  "trustedProxies": [
    "localhost",
    "127.0.0.1",
    "172.16.0.2",
    "172.18.0.2"
  ],
  "tailscale": {
    "mode": "off",
    "resetOnExit": false
  }
},
Common Plugins
WeChat
```shell
# Install the WeChat plugin (may take several attempts)
## Official WeChat command
npx -y @tencent-weixin/openclaw-weixin-cli@latest install
## Manual install through the openclaw CLI
openclaw plugins install "@tencent-weixin/openclaw-weixin@latest"
# List the message channels
openclaw channels list
# Log in by scanning the QR code
openclaw channels login --channel openclaw-weixin
```
WeCom (Enterprise WeChat)
```shell
# Create a bot in the WeCom admin console (long-connection mode)
# and obtain the BootID and Secret
# Install the plugin
npx -y @wecom/wecom-openclaw-cli install
# List the message channels
openclaw channels list
# Choose pairing mode, then send any message to the bot to receive the command; run it inside the openclaw container
```