OpenClaw 与 Nginx 集成教程


OpenClaw 是一个开源的数据采集系统,Nginx 是高性能的 Web 服务器和反向代理,将它们集成可以提供:


  • 负载均衡
  • SSL/TLS 加密
  • 静态文件服务
  • 访问控制
  • 性能优化

环境准备

安装 OpenClaw

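# Clone the OpenClaw repository
git clone https://github.com/openclaw-project/openclaw.git
cd openclaw
# Install dependencies
pip install -r requirements.txt
# Start OpenClaw (default port 8000 assumed). Bind to loopback only: Nginx on the
# same host is the public entry point, and listening on 0.0.0.0 would let clients
# reach the application directly, bypassing the proxy's TLS, allow/deny rules
# and rate limits.
# NOTE(review): `manage.py runserver` looks like a development server; confirm,
# and put a production application server behind Nginx before going live.
python manage.py runserver 127.0.0.1:8000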

安装 Nginx

# Debian / Ubuntu
sudo apt update
sudo apt install nginx
# CentOS / RHEL (the EPEL repository is enabled first, then nginx is installed)
sudo yum install epel-release
sudo yum install nginx
# Start Nginx now and have it start at boot
sudo systemctl enable --now nginx

基础配置

创建 Nginx 配置文件

# Debian/Ubuntu layout. The CentOS/RHEL nginx packages typically have no
# sites-available/ directory and load /etc/nginx/conf.d/*.conf instead; create
# the file there on those systems.
sudo nano /etc/nginx/sites-available/openclaw.conf

基础反向代理配置

# Plain-HTTP virtual host: proxies OpenClaw and serves its static/media files.
server {
    listen 80;
    server_name your-domain.com www.your-domain.com;
    location / {
        proxy_pass http://127.0.0.1:8000;
        # Pass the original Host, client address and scheme to the application.
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so only the last entry is set by Nginx; the backend
        # should trust these headers only on connections from this proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support (used by OpenClaw)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # Static file caching.
    # An add_header inside a location replaces every add_header inherited from
    # the server/http level, so security headers defined there must be
    # repeated in this location to apply to static files.
    location /static/ {
        alias /path/to/openclaw/static/;
        expires 30d;
        add_header Cache-Control "public, immutable";
    }
    # NOTE(review): if media/ holds user-uploaded files, they are served from
    # the site's own origin with whatever type Nginx derives from the file
    # extension; confirm what is stored here and consider sending
    # X-Content-Type-Options "nosniff" for this location.
    location /media/ {
        alias /path/to/openclaw/media/;
        expires 30d;
    }
}

高级配置选项

负载均衡配置

upstream openclaw_servers {
    # Several OpenClaw instances; a higher weight receives a larger share
    server 127.0.0.1:8000 weight=3;
    server 127.0.0.1:8001 weight=2;
    server 127.0.0.1:8002 weight=1;
    # Balancing method, not a health check: send each request to the server
    # with the fewest active connections (weights taken into account).
    # Failure detection here is passive only, governed by the max_fails and
    # fail_timeout server parameters (left at their defaults in this block).
    least_conn;
    # Idle upstream connections kept open per worker process. Takes effect
    # only when the proxying location sets proxy_http_version 1.1 and clears
    # the Connection header.
    keepalive 32;
}
server {
    listen 80;
    location / {
        proxy_pass http://openclaw_servers;
        # ... other settings
    }
}

SSL/TLS 配置(使用 Let's Encrypt)

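# HTTPS virtual host using a Let's Encrypt certificate.
server {
    listen 443 ssl http2;
    server_name your-domain.com;
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites: ECDHE key exchange with AEAD ciphers only. The names must
    # be real OpenSSL suite names: AES-256-GCM is paired with SHA384, and no
    # "...-GCM-SHA512" suite exists. A list made only of such names leaves
    # TLS 1.2 without a usable suite (depending on the OpenSSL build, the
    # config test fails or TLS 1.2 handshakes fail). TLS 1.3 suites are not
    # controlled by this directive.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    # HSTS: browsers will refuse plain HTTP for this host for one year, so
    # enable it only once HTTPS is confirmed working. An add_header inside a
    # location replaces this one for that location; repeat it there if needed.
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://127.0.0.1:8000;
        # ... other settings
    }
}
# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name your-domain.com;
    return 301 https://$server_name$request_uri;
}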

访问限制配置

# Admin area. With the default `satisfy all`, a request must pass BOTH the
# address check and HTTP Basic authentication.
location /admin/ {
    proxy_pass http://127.0.0.1:8000;
    # IP allow-list. allow/deny test the address of the TCP peer; if a CDN or
    # another proxy sits in front of Nginx, that is the proxy's address unless
    # the real client address is restored first (realip module).
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
    # Basic authentication. Credentials travel base64-encoded, not encrypted,
    # on every request, so use this location in the HTTPS server block only.
    # The password file should be readable by root and the Nginx user only.
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
# Request rate limiting
location /api/ {
    proxy_pass http://127.0.0.1:8000;
    # Zone "api" allows an average of 60 requests per minute per key. Up to 20
    # requests above that rate are served immediately (burst=20 nodelay);
    # anything beyond the burst is rejected.
    limit_req zone=api burst=20 nodelay;
    # Answer rejected requests with 429 instead of the default 503
    limit_req_status 429;
}
# Add to the http block.
# The key is the TCP peer address: behind a CDN or another proxy every client
# shares that proxy's address and therefore one bucket, unless the real client
# address is restored first (realip module).
limit_req_zone $binary_remote_addr zone=api:10m rate=60r/m;

缓存配置

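# Proxy cache (proxy_cache_path belongs in the http block)
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=openclaw_cache:10m
                 max_size=1g inactive=60m use_temp_path=off;
server {
    location / {
        proxy_pass http://127.0.0.1:8000;
        # Enable caching
        proxy_cache openclaw_cache;
        proxy_cache_key "$scheme$request_method$host$request_uri";
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        # The cache key carries no user identity, so a response generated for
        # a logged-in user could otherwise be stored and replayed to someone
        # else. Never store a response when the request carries credentials.
        # Narrow $http_cookie to the application's session cookie if anonymous
        # visitors also receive cookies and the hit rate suffers.
        proxy_no_cache $http_authorization $http_cookie;
        # Cache bypass: credentialed requests always go to the backend. Note
        # that $http_cache_control lets any client that sends a Cache-Control
        # header skip the cache and hit the backend directly.
        proxy_cache_bypass $http_cache_control $http_authorization $http_cookie;
        # Debug header (HIT/MISS/BYPASS/...). An add_header in this location
        # replaces add_header directives inherited from the server level.
        add_header X-Cache-Status $upstream_cache_status;
    }
}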

性能优化配置

缓冲区优化

# Buffer, timeout and compression tuning for proxied responses.
location / {
    proxy_pass http://127.0.0.1:8000;
    # Buffers used for reading the upstream response
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    # Timeouts in seconds: connect to, send to and read from the backend
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    # Compress responses of at least 1024 bytes for the listed types
    # (text/html is always compressed when gzip is on).
    # NOTE(review): compressing HTTPS responses that mix secrets with
    # request-controlled text is the precondition for BREACH-style side
    # channels; confirm this is acceptable for the JSON endpoints.
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css application/json application/javascript;
}

连接池配置

upstream openclaw_backend {
    server 127.0.0.1:8000;
    # Connection pool: up to 32 idle keep-alive connections per worker process
    keepalive 32;
    # Requests served per connection before it is closed, and idle timeout.
    # These two directives are accepted inside upstream from nginx 1.15.3 on.
    keepalive_requests 1000;
    keepalive_timeout 60s;
}
location / {
    proxy_pass http://openclaw_backend;
    # Upstream keep-alive needs HTTP/1.1 and an empty Connection header.
    # This is incompatible with a fixed `Connection "upgrade"` as used for
    # WebSocket proxying; a location that needs both has to set the header
    # conditionally (for example with a map on $http_upgrade).
    proxy_http_version 1.1;
    proxy_set_header Connection "";
}

日志配置

自定义日志格式

# Add to the http block.
# Fields: client address, authenticated user, local time, request line,
# status, bytes sent, referer, user agent, upstream address, request time.
# $request holds the full URI including the query string, so tokens passed in
# URLs end up in this file; restrict who can read it. Referer and User-Agent
# are client-controlled text: treat them as untrusted when parsing the log.
log_format openclaw_log '$remote_addr - $remote_user [$time_local] '
                       '"$request" $status $body_bytes_sent '
                       '"$http_referer" "$http_user_agent" '
                       '"$upstream_addr" $request_time';
server {
    access_log /var/log/nginx/openclaw_access.log openclaw_log;
    # Errors of severity warn and above
    error_log /var/log/nginx/openclaw_error.log warn;
    location / {
        proxy_pass http://127.0.0.1:8000;
        # ... other settings
    }
}

监控配置

Nginx 状态页面

# Connection/request counters for monitoring, reachable from this host only.
location /nginx_status {
    stub_status on;
    access_log off;
    # Only the IPv4 loopback address is allowed; every other client,
    # including the IPv6 loopback (::1), gets 403.
    allow 127.0.0.1;
    deny all;
}

健康检查端点

# Health endpoint passed through to the application; not access-logged.
# NOTE(review): this location has no allow/deny, so it is reachable by anyone
# who can reach the site. Confirm the backend's /health response reveals
# nothing sensitive, or restrict it to the monitoring hosts.
location /health {
    proxy_pass http://127.0.0.1:8000/health;
    access_log off;
    # Conditions on which the request is retried on the next upstream server.
    # With a single fixed backend address, as here, there is no other server
    # to retry on.
    proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
    # Fail fast so a hung backend is reported quickly
    proxy_connect_timeout 5s;
    proxy_read_timeout 5s;
}

部署和测试

启用配置

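# Create the symlink that enables the site
sudo ln -s /etc/nginx/sites-available/openclaw.conf /etc/nginx/sites-enabled/
# Validate the configuration and reload only if the test passes. This is a
# reload, not a restart: the new configuration is applied without dropping
# established connections, and a broken file never replaces the running one.
sudo nginx -t && sudo systemctl reload nginx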

测试命令

# Connectivity check (response headers only)
curl -I http://your-domain.com
# Exercise the load balancer with ten sequential requests
for i in 1 2 3 4 5 6 7 8 9 10; do
  curl http://your-domain.com/api/status
done
# Read the Nginx status page
curl http://localhost/nginx_status
# Follow the access log
sudo tail -f /var/log/nginx/openclaw_access.log

故障排除

常见问题及解决方案:

  1. 502 Bad Gateway

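    # Is OpenClaw running? pgrep never lists itself, whereas `ps aux | grep`
    # always shows at least the grep process.
    # NOTE(review): this matches only if "openclaw" appears in the command
    # line; for a process started as `python manage.py runserver`, search for
    # manage.py instead.
    pgrep -af openclaw
    # Is anything listening on the backend port? ss replaces the deprecated
    # netstat; -p needs root to show the owning process.
    sudo ss -tlnp | grep -F ':8000'
    # Follow the Nginx error log (use openclaw_error.log if the site defines
    # its own error_log)
    sudo tail -f /var/log/nginx/error.log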
  2. 性能问题

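    # System resources (interactive; quit with q)
    top
    htop
    # Number of established TCP connections
    ss -tan | grep -c ESTAB
    # Raise the accept and SYN backlog limits. Writing kernel parameters needs
    # root, and -w changes the running kernel only: add the same keys to a file
    # under /etc/sysctl.d/ to keep them across reboots.
    sudo sysctl -w net.core.somaxconn=65535
    sudo sysctl -w net.ipv4.tcp_max_syn_backlog=65535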
  3. 权限问题

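    # Nginx only needs to READ these files. Leave them owned by the deploy
    # account and grant read access to others instead of handing ownership to
    # the web server user; a worker process that owns the files could rewrite
    # what it serves. (The worker account is also not www-data everywhere.)
    # X adds the execute bit to directories (and to files that already have
    # it), unlike 755, which marks every file executable. Each parent
    # directory of this path must be traversable by the Nginx user as well.
    sudo chmod -R u=rwX,go=rX /path/to/openclaw/static/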

安全建议

  1. 定期更新

    # Debian/Ubuntu: refresh the package index, then upgrade. Run this on a
    # schedule rather than ad hoc so security fixes for Nginx are not missed.
    # On CentOS/RHEL the equivalent is `sudo yum update nginx`.
    sudo apt update && sudo apt upgrade nginx
  2. 防火墙配置

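    # Open only the ports that are needed (ufw's default incoming policy is deny).
    # Allow SSH BEFORE enabling the firewall; otherwise remote administration
    # of this host is cut off. Adjust the rule if sshd does not use the
    # default port.
    sudo ufw allow OpenSSH
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    sudo ufw enable
    # Confirm the resulting rule set; the backend port (8000) should not be listed
    sudo ufw status verbose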
  3. 安全头配置

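    # Put these in the server block. A location inherits them only if it
    # defines no add_header of its own, so repeat them in any location that
    # sets its own headers.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # The legacy browser XSS filter is gone from current browsers, and in the
    # older ones that still honour it the filter has itself been a source of
    # vulnerabilities. Switch it off explicitly and rely on a
    # Content-Security-Policy tailored to the application instead.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;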

以上配置为 OpenClaw 提供了一个生产级的 Nginx 反向代理设置。请根据实际需求调整参数,特别是缓存策略和安全设置;上线前还应确认后端只监听 127.0.0.1,并且没有继续使用开发服务器。

