I had been trying to deploy with the official one-click script, but every time, logging in would hang for a few seconds and then throw an exception. I spent some time over the weekend looking into it and found that it seems to be a domain-name resolution problem for the casdoor container: as long as you change casdoor from the domain name back to the LAN IP on top of the official script, it works. After that I worked out the correct compose.
In my configuration the pgsql and minio parts are commented out; keep the relevant parts according to your own needs. My configuration is only for reference.
For the initial setup, first run the official one-click script, choose port mode, and fill in the domain names for lobechat, auth and minio respectively; you will then get an http + default-port configuration, which you adjust as follows:
compose:

```yaml
name: lobe-chat-database
services:
  network-service:
    image: alpine
    container_name: lobe-network
    ports:
      - '${CASDOOR_PORT}:${CASDOOR_PORT}' # Casdoor
      - '${LOBE_PORT}:3210' # LobeChat
    command: tail -f /dev/null
    # networks:
    #   - lobe-network
    # Pin the public hostnames to the LAN IP so that traffic between the containers
    # (casdoor and lobe share this container's network namespace) stays on the LAN
    # instead of going out through the router's port forwarding
    extra_hosts:
      lobechat.yourdomain.com: 192.168.6.12
      auth.yourdomain.com: 192.168.6.12
      minio.yourdomain.com: 192.168.6.12
  casdoor:
    image: casbin/casdoor
    container_name: lobe-casdoor
    entrypoint: /bin/sh -c './server --createDatabase=true'
    network_mode: 'service:network-service'
    environment:
      RUNNING_IN_DOCKER: 'true'
      driverName: 'postgres'
      dataSourceName: 'user=postgres password=${POSTGRES_PASSWORD} host=192.168.6.12 port=5432 sslmode=disable dbname=casdoor'
      runmode: 'dev'
    volumes:
      - ./init_data.json:/init_data.json
    env_file:
      - .env
  lobe:
    image: lobehub/lobe-chat-database
    container_name: lobe-chat
    network_mode: 'service:network-service'
    depends_on:
      network-service:
        condition: service_started
      casdoor:
        condition: service_started
    environment:
      - 'NEXT_AUTH_SSO_PROVIDERS=casdoor'
      # Regenerate both secrets for your own deployment (e.g. openssl rand -base64 32)
      - 'KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ='
      - 'NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg'
      - 'DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@192.168.6.12:5432/${LOBE_DB_NAME}'
      - 'S3_BUCKET=${MINIO_LOBE_BUCKET}'
      - 'S3_ENABLE_PATH_STYLE=1'
      - 'S3_ACCESS_KEY=${MINIO_ROOT_USER}'
      - 'S3_ACCESS_KEY_ID=${MINIO_ROOT_USER}'
      - 'S3_SECRET_ACCESS_KEY=${MINIO_ROOT_PASSWORD}'
      - 'LLM_VISION_IMAGE_USE_BASE64=1'
      - 'S3_SET_ACL=0'
    env_file:
      - .env
    restart: always
    # Start the server, then verify that the OIDC discovery document is reachable
    # and that its issuer equals AUTH_CASDOOR_ISSUER, and that MinIO answers its health check
    entrypoint: >
      /bin/sh -c "
        /bin/node /app/startServer.js &
        LOBE_PID=\$!
        sleep 3
        if [ $(wget --timeout=5 --spider --server-response ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration 2>&1 | grep -c 'HTTP/1.1 200 OK') -eq 0 ]; then
          echo '⚠️Warning: Unable to fetch OIDC configuration from Casdoor'
          echo 'Request URL: ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration'
          echo 'Read more at: https://lobehub.com/docs/self-hosting/server-database/docker-compose#necessary-configuration'
        else
          if ! wget -O - --timeout=5 ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration 2>&1 | grep 'issuer' | grep ${AUTH_CASDOOR_ISSUER}; then
            printf '❌Error: The Auth issuer conflicts. Issuer in OIDC configuration is: %s' \$(wget -O - --timeout=5 ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration 2>&1 | grep -E 'issuer.*' | awk -F '\"' '{print \$4}')
            echo ' , but the issuer in .env file is: ${AUTH_CASDOOR_ISSUER} '
            echo 'Request URL: ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration'
            echo 'Read more at: https://lobehub.com/docs/self-hosting/server-database/docker-compose#necessary-configuration'
          fi
        fi
        if [ $(wget --timeout=5 --spider --server-response ${S3_ENDPOINT}/minio/health/live 2>&1 | grep -c 'HTTP/1.1 200 OK') -eq 0 ]; then
          echo '⚠️Warning: Unable to fetch MinIO health status'
          echo 'Request URL: ${S3_ENDPOINT}/minio/health/live'
          echo 'Read more at: https://lobehub.com/docs/self-hosting/server-database/docker-compose#necessary-configuration'
        fi
        wait \$LOBE_PID
      "
# networks:
#   lobe-network:
#     driver: bridge
```
The key point is actually here:
Adding domain-name resolution that points into the LAN, so the containers talk to each other over the LAN, and everything is fine.
In real testing, public-network access works without any problem; with https added, PWA also works, and login and everyday use are all normal.
The network topology is also fairly simple: router port forwarding 53210\58000\59000 -> NGINX (192.168.6.12:53210\58000\59000) -> compose containers (192.168.6.12:3210\8000\9000)
That is, the reverse proxy and lobechat are on the same machine.
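As an added example (not code from the original post, LobeChat or Casdoor), here is an offline consistency check for the fix above: it parses a .env file and the compose extra_hosts mapping, reports every hostname the stack must reach (APP_URL, AUTH_CASDOOR_ISSUER, S3_ENDPOINT, origin) that is not pinned to the LAN IP, and performs the exact issuer comparison that the lobe entrypoint performs against the OIDC discovery document. The sample .env and extra_hosts values are constructed, and minio is deliberately left unpinned to show a finding.

```python
"""Checks for the LAN-pinning fix: every hostname in the .env URLs must be
mapped to the LAN IP in extra_hosts, and the OIDC discovery issuer must equal
AUTH_CASDOOR_ISSUER exactly."""
import json
from urllib.parse import urlsplit

# Constructed sample .env; hostnames mirror the post, minio is left unpinned on purpose
SAMPLE_ENV = """\
APP_URL=https://lobechat.yourdomain.com:53210
AUTH_CASDOOR_ISSUER=https://auth.yourdomain.com:58000
S3_ENDPOINT=https://minio.yourdomain.com:59000
origin=https://auth.yourdomain.com:58000
"""
# Constructed extra_hosts mapping as it would appear under network-service
SAMPLE_EXTRA_HOSTS = {
    "lobechat.yourdomain.com": "192.168.6.12",
    "auth.yourdomain.com": "192.168.6.12",
}
URL_KEYS = ("APP_URL", "AUTH_CASDOOR_ISSUER", "S3_ENDPOINT", "origin")

def parse_env(text):
    """Minimal KEY=VALUE parser; skips blank lines and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env

def missing_lan_pins(env, extra_hosts, lan_ip):
    """Return (env key, hostname) pairs whose hostname is not mapped to lan_ip."""
    findings = []
    for key in URL_KEYS:
        if key in env:
            host = urlsplit(env[key]).hostname
            if extra_hosts.get(host) != lan_ip:
                findings.append((key, host))
    return findings

def issuer_matches(discovery_json, expected_issuer):
    """Exact string comparison: scheme, host, port and a trailing slash all count."""
    return json.loads(discovery_json).get("issuer") == expected_issuer

if __name__ == "__main__":
    for key, host in missing_lan_pins(parse_env(SAMPLE_ENV), SAMPLE_EXTRA_HOSTS, "192.168.6.12"):
        print(f"{key}: {host} is not pinned to the LAN IP in extra_hosts")
```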
.env:

```ini
# Proxy, if you need one (for example when using GitHub as the auth provider)
# HTTP_PROXY=http://localhost:7890
# HTTPS_PROXY=http://localhost:7890
# Other environment variables, as needed; refer to the client version's environment variable config. Do not set ACCESS_CODE
# OPENAI_API_KEY=sk-xxxx
# OPENAI_PROXY_URL=https://api.openai.com/v1
# OPENAI_MODEL_LIST=...
# ===================
# ===== Preset config =====
# ===================
# No need to change unless you have special requirements
LOBE_PORT=3210
CASDOOR_PORT=8000
MINIO_PORT=9000
APP_URL=https://lobechat.yourdomain.com:53210
AUTH_URL=https://lobechat.yourdomain.com:53210/api/auth
# Postgres related, i.e. the environment variables the DB requires
LOBE_DB_NAME=lobechat
POSTGRES_PASSWORD=pg密码
AUTH_CASDOOR_ISSUER=https://auth.yourdomain.com:58000
# Casdoor secret (client id/secret of the Casdoor application; replace the defaults with your own)
AUTH_CASDOOR_ID=a387a4892ee19b1a2249
AUTH_CASDOOR_SECRET=36ec05e3ac88107928519395304a41f8
# MinIO S3 config
MINIO_ROOT_USER=minio用户名
MINIO_ROOT_PASSWORD=minio密码
# Configure below the bucket you added in minio
S3_PUBLIC_DOMAIN=https://minio.yourdomain.com:59000
S3_ENDPOINT=https://minio.yourdomain.com:59000
MINIO_LOBE_BUCKET=lobe
# For casdoor; must equal AUTH_CASDOOR_ISSUER exactly, since the issuer in the OIDC discovery document is compared against it at startup
origin=https://auth.yourdomain.com:58000
```
nginx config snippet:

```nginx
server {
    listen [::]:53210 ssl;
    listen 53210 ssl;
    #charset koi8-r;
    server_name lobechat.yourdomain.com;
    ssl_certificate /usr/local/nginx/cert/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /usr/local/nginx/cert/live/yourdomain.com/privkey.pem;
    # Recommended SSL security settings
    # ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_prefer_server_ciphers on;
    # ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    location / {
        proxy_pass http://192.168.6.12:3210;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr; # keep the client's real IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # keep the forwarded IPs
        proxy_set_header X-Forwarded-Proto $scheme; # keep the request protocol
    }
}
server {
    listen [::]:58000 ssl;
    listen 58000 ssl;
    #charset koi8-r;
    server_name auth.yourdomain.com;
    ssl_certificate /usr/local/nginx/cert/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /usr/local/nginx/cert/live/yourdomain.com/privkey.pem;
    # Recommended SSL security settings
    # ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_prefer_server_ciphers on;
    # ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    location / {
        proxy_pass http://192.168.6.12:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr; # keep the client's real IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # keep the forwarded IPs
        proxy_set_header X-Forwarded-Proto $scheme; # keep the request protocol
    }
    location /.well-known/openid-configuration {
        proxy_pass http://192.168.6.12:8000; # forward to localhost:8000
        proxy_set_header Host $host; # keep the original Host header
        proxy_set_header X-Real-IP $remote_addr; # keep the client's real IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # keep the forwarded IPs
        proxy_set_header X-Forwarded-Proto $scheme; # keep the request protocol
    }
}
server {
    listen 59000 ssl;
    server_name minio.yourdomain.com;
    ssl_certificate /usr/local/nginx/cert/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /usr/local/nginx/cert/live/yourdomain.com/privkey.pem;
    client_max_body_size 30m; # maximum upload size
    location / {
        proxy_pass http://192.168.6.12:9000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;
    }
}
server {
    listen 59001 ssl;
    server_name minio.yourdomain.com;
    ssl_certificate /usr/local/nginx/cert/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /usr/local/nginx/cert/live/yourdomain.com/privkey.pem;
    location / {
        proxy_pass http://192.168.6.12:9001;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
    }
}
```