2026-03-01
Tech Notes

Contents

OpenClaw local deployment
Troubleshooting the security mechanism (LAN trial edition)
Public-network notification setup (WeCom as the example):
Step 1: Log in to the WeCom admin console and create an application
Step 2: Obtain the Token and AES Key
Step 3: Fill them into the configuration file
⚠️ Step 4: Fill in the callback URL (the step people get stuck on most)


Foreword

OpenClaw has been very popular lately, and deploying it with Docker is the fastest way to try it. Follow the steps below and even a complete beginner can get a taste of having an AI assistant!

Project address (China-localized plugin bundle): https://github.com/justlovemaki/openclaw-docker-cn-im

OpenClaw local deployment

First create a .env file in the root directory:

```dotenv
# OpenClaw Docker environment variable example
# Copy this file to .env and change the values as needed

# Docker image
OPENCLAW_IMAGE=justlikemaki/openclaw-docker-cn-im:latest

# Config sync switches
# Automatically sync environment variables into openclaw.json (true/false)
# If you maintain openclaw.json by hand, set this to false first
SYNC_OPENCLAW_CONFIG=true
# Automatically sync model settings into openclaw.json (true/false)
# Only effective when SYNC_OPENCLAW_CONFIG=true; set to false if you edited the model settings in openclaw.json by hand
SYNC_MODEL_CONFIG=true

# Provider 1 (default)
# Primary model ID (several allowed, comma-separated; the first becomes the default model)
MODEL_ID=model id
# Explicitly set agents.defaults.model.primary (optional)
# When empty, defaults to default/${first value of MODEL_ID}
# To switch to another provider's model, give the full provider/model, e.g. aliyun/qwen3.5-plus
PRIMARY_MODEL=
# Image model ID (optional; empty means MODEL_ID is used; provider/model format supported)
# To use another provider's image model, give the full provider/model, e.g. aliyun/qwen-vl-max
IMAGE_MODEL_ID=
BASE_URL=http://xxxxx/v1
API_KEY=123456
# API protocol: openai-completions or anthropic-messages
API_PROTOCOL=openai-completions
# Model context window size
CONTEXT_WINDOW=200000
# Maximum output tokens
MAX_TOKENS=8192

# Provider 2 (optional)
# MODEL2_NAME=model2
# MODEL2_MODEL_ID=model id1,model id2
# MODEL2_BASE_URL=http://xxxxx/v1
# MODEL2_API_KEY=123456
# MODEL2_PROTOCOL=openai-completions
# MODEL2_CONTEXT_WINDOW=200000
# MODEL2_MAX_TOKENS=8192

# Channel common config
# Default DM policy: open/closed/friend-only
DM_POLICY=open
# Default group policy: open/closed
GROUP_POLICY=open
# Default allowed sources (comma-separated; * means all)
ALLOW_FROM=*

# Telegram (optional; empty disables it)
TELEGRAM_BOT_TOKEN=
TELEGRAM_DM_POLICY=
TELEGRAM_ALLOW_FROM=
TELEGRAM_GROUP_POLICY=

# Feishu (optional; empty disables it)
# Option 1: single-account shortcut, synced to channels.feishu.accounts.${FEISHU_DEFAULT_ACCOUNT}
FEISHU_APP_ID=
FEISHU_APP_SECRET=
FEISHU_DEFAULT_ACCOUNT=default
FEISHU_BOT_NAME=OpenClaw Bot
FEISHU_REPLY_MODE=auto
FEISHU_THREAD_SESSION=true
FEISHU_DOMAIN=
# Option 2: multi-account JSON (recommended; single line)
# Example: {"default":{"appId":"cli_xxx","appSecret":"xxx","botName":"OpenClaw Bot"},"work":{"appId":"cli_work_yyy","appSecret":"work_secret_yyy","botName":"工作机器人","dmPolicy":"allowlist","allowFrom":["ou_5b990e213988b9bcf396f955a50b2a22","ou_1234567890abcdef"]},"support":{"appId":"cli_support_zzz","appSecret":"support_secret_zzz","botName":"客服机器人","dmPolicy":"open","allowFrom":["*"]}}
FEISHU_ACCOUNTS_JSON=
# Feishu group rules JSON (optional; single line)
# Example: {"*":{"requireMention":true},"oc_83e1c0d069b94efc09ad22e05bc06365":{"requireMention":false,"groupPolicy":"open"},"oc_dev_123456789":{"requireMention":false,"groupPolicy":"allowlist","allowFrom":["ou_dev_001","ou_dev_002"]}}
FEISHU_GROUPS_JSON=
FEISHU_DM_POLICY=
FEISHU_ALLOW_FROM=
FEISHU_GROUP_POLICY=
FEISHU_GROUP_ALLOW_FROM=
# Enable the official Feishu plugin (true/false)
FEISHU_OFFICIAL_PLUGIN_ENABLED=false
# Feishu-specific settings (optional)
FEISHU_STREAMING=true
FEISHU_FOOTER_ELAPSED=true
FEISHU_FOOTER_STATUS=true
FEISHU_REQUIRE_MENTION=true

# DingTalk (optional; empty disables it)
# Option 1: single-robot shortcut, synced to channels.dingtalk.accounts.default
DINGTALK_CLIENT_ID=
DINGTALK_CLIENT_SECRET=
DINGTALK_ROBOT_CODE=
DINGTALK_DM_POLICY=
DINGTALK_GROUP_POLICY=
DINGTALK_ALLOW_FROM=
DINGTALK_CORP_ID=
DINGTALK_AGENT_ID=
DINGTALK_MESSAGE_TYPE=markdown
DINGTALK_CARD_TEMPLATE_ID=
DINGTALK_CARD_TEMPLATE_KEY=
DINGTALK_MAX_RECONNECT_CYCLES=
DINGTALK_DEBUG=false
DINGTALK_JOURNAL_TTL_DAYS=
DINGTALK_SHOW_THINKING=false
DINGTALK_THINKING_MESSAGE=
DINGTALK_ASYNC_MODE=false
DINGTALK_ASYNC_ACK_TEXT=
# Option 2: multi-robot JSON (recommended; single line)
# Example: {"bot_1":{"clientId":"your-client-id-1","clientSecret":"your-client-secret-1","robotCode":"your-robot-code-1","corpId":"your-corp-id","agentId":"your-dingtalk-agent-id-1","dmPolicy":"open","groupPolicy":"open","messageType":"card","cardTemplateId":"your-card-template-id.schema","cardTemplateKey":"content","maxReconnectCycles":10,"allowFrom":["*"]},"bot_2":{"clientId":"your-client-id-2","clientSecret":"your-client-secret-2","robotCode":"your-robot-code-2","corpId":"your-corp-id","agentId":"your-dingtalk-agent-id-2","dmPolicy":"open","groupPolicy":"open","messageType":"markdown","allowFrom":["*"]}}
DINGTALK_ACCOUNTS_JSON=

# QQ bot (optional; empty disables it)
# Option 1: single bot (legacy format), synced to channels.qqbot.accounts.default
QQBOT_APP_ID=
QQBOT_CLIENT_SECRET=
QQBOT_DM_POLICY=
QQBOT_ALLOW_FROM=
QQBOT_GROUP_POLICY=
# Option 2: multi-bot JSON; default/bot2/bot3... configured independently (deep-merged with the existing config)
# Note: JSON in .env must be written on a single line
# Example: {"default":{"enabled":true,"appId":"111111111","clientSecret":"secret-of-bot-1"},"bot2":{"enabled":true,"appId":"222222222","clientSecret":"secret-of-bot-2"},"bot3":{"enabled":true,"appId":"333333333","clientSecret":"secret-of-bot-3"}}
QQBOT_BOTS_JSON=

# WeCom (optional; empty disables it)
# Currently recommended format: multi-account structure; top-level shared fields are merged into each account
WECOM_DEFAULT_ACCOUNT=open
WECOM_COMMANDS_ENABLED=true
WECOM_COMMANDS_ALLOWLIST=/new,/compact,/help,/status
WECOM_BOT_ID=
WECOM_SECRET=
# Single-account shortcut: written to channels.wecom.${WECOM_DEFAULT_ACCOUNT}
WECOM_ADMIN_USERS=admin-userid
WECOM_DYNAMIC_AGENTS_ENABLED=true
WECOM_DYNAMIC_AGENTS_ADMIN_BYPASS=false
WECOM_WELCOME_MESSAGE=
WECOM_SEND_THINKING_MESSAGE=false
WECOM_DM_POLICY=
WECOM_ALLOW_FROM=
WECOM_GROUP_POLICY=
WECOM_GROUP_ALLOW_FROM=
WECOM_WORKSPACE_TEMPLATE=
WECOM_AGENT_CORP_ID=
WECOM_AGENT_CORP_SECRET=
WECOM_AGENT_ID=
WECOM_WEBHOOKS_JSON=
WECOM_DM_CREATE_AGENT_ON_FIRST_MESSAGE=true
WECOM_GROUP_CHAT_ENABLED=true
WECOM_GROUP_CHAT_REQUIRE_MENTION=true
WECOM_GROUP_CHAT_MENTION_PATTERNS=@
WECOM_NETWORK_EGRESS_PROXY_URL=
WECOM_NETWORK_API_BASE_URL=
# Multi-account JSON (recommended)
# Example: {"open":{"botId":"aib-open-xxx","secret":"secret-open-xxx","dmPolicy":"open"},"support":{"botId":"aib-support-xxx","secret":"secret-support-xxx","dmPolicy":"pairing","agent":{"corpId":"wwxxxxxxxxxxxxxxxx","corpSecret":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","agentId":1000002},"webhooks":{"ops":"https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxx"}}}
WECOM_ACCOUNTS_JSON=

# NapCat (OneBot v11) (optional; empty disables it)
# NapCat reverse-WS listen port (NapCat connects to this port)
NAPCAT_REVERSE_WS_PORT=
NAPCAT_DM_POLICY=
NAPCAT_ALLOW_FROM=
NAPCAT_GROUP_POLICY=
# NapCat HTTP API address (optional; used for proactively sending messages)
NAPCAT_HTTP_URL=
# Connection auth token (must match the NapCat side)
NAPCAT_ACCESS_TOKEN=
# Admin user IDs, comma-separated
NAPCAT_ADMINS=

# Workspace (do not change)
WORKSPACE=/home/node/.openclaw/workspace

# Mount directories (change to match your setup)
# OpenClaw data directory (config files, workspace and all other data)
OPENCLAW_DATA_DIR=~/.openclaw
# Optional: UID:GID the container starts as
# Default 0:0 (root) lets init.sh fix permissions on the mounted directory, then drop privileges to node before starting the service
# To match the host user, set e.g. 1000:1000 or, on Linux, $(id -u):$(id -g)
OPENCLAW_RUN_USER=0:0

# Gateway
## Gateway token used for authentication (change it)
OPENCLAW_GATEWAY_TOKEN=123456
OPENCLAW_GATEWAY_BIND=lan
OPENCLAW_GATEWAY_PORT=18789
OPENCLAW_BRIDGE_PORT=18790
OPENCLAW_GATEWAY_MODE=local
# Allowed Origin domains, comma-separated
OPENCLAW_GATEWAY_ALLOWED_ORIGINS=http://localhost
# Allow insecure auth (e.g. over http): true/false
OPENCLAW_GATEWAY_ALLOW_INSECURE_AUTH=true
# DANGEROUS: disable device auth (e.g. when device info cannot be obtained inside Docker): true/false
OPENCLAW_GATEWAY_DANGEROUSLY_DISABLE_DEVICE_AUTH=false
# Gateway auth mode; option: token
OPENCLAW_GATEWAY_AUTH_MODE=token

# Global plugin switch
OPENCLAW_PLUGINS_ENABLED=true

# Tools config
# Full tools config JSON (optional)
# Example: {"profile":"full","sessions":{"visibility":"all"},"fs":{"workspaceOnly":true}}
OPENCLAW_TOOLS_JSON=
```

Three items in the file above matter most: the LLM API settings, the notification settings, and the allowed Origin (be sure to include the port number), plus the gateway token at the end (change it to something complex).

Next, copy the docker compose file below and deploy it:

```yaml
version: '3.8'

x-openclaw-common-env: &openclaw-common-env
  TZ: Asia/Shanghai
  HOME: /home/node
  TERM: xterm-256color
  # Config sync switches
  SYNC_OPENCLAW_CONFIG: ${SYNC_OPENCLAW_CONFIG}
  # Model config
  SYNC_MODEL_CONFIG: ${SYNC_MODEL_CONFIG}
  MODEL_ID: ${MODEL_ID}
  PRIMARY_MODEL: ${PRIMARY_MODEL}
  IMAGE_MODEL_ID: ${IMAGE_MODEL_ID}
  BASE_URL: ${BASE_URL}
  API_KEY: ${API_KEY}
  API_PROTOCOL: ${API_PROTOCOL}
  CONTEXT_WINDOW: ${CONTEXT_WINDOW}
  MAX_TOKENS: ${MAX_TOKENS}
  # Provider 2 (optional)
  MODEL2_NAME: ${MODEL2_NAME}
  MODEL2_MODEL_ID: ${MODEL2_MODEL_ID}
  MODEL2_BASE_URL: ${MODEL2_BASE_URL}
  MODEL2_API_KEY: ${MODEL2_API_KEY}
  MODEL2_PROTOCOL: ${MODEL2_PROTOCOL}
  MODEL2_CONTEXT_WINDOW: ${MODEL2_CONTEXT_WINDOW}
  MODEL2_MAX_TOKENS: ${MODEL2_MAX_TOKENS}
  # Provider 3 (optional)
  MODEL3_NAME: ${MODEL3_NAME}
  MODEL3_MODEL_ID: ${MODEL3_MODEL_ID}
  MODEL3_BASE_URL: ${MODEL3_BASE_URL}
  MODEL3_API_KEY: ${MODEL3_API_KEY}
  MODEL3_PROTOCOL: ${MODEL3_PROTOCOL}
  MODEL3_CONTEXT_WINDOW: ${MODEL3_CONTEXT_WINDOW}
  MODEL3_MAX_TOKENS: ${MODEL3_MAX_TOKENS}
  # Provider 4 (optional)
  MODEL4_NAME: ${MODEL4_NAME}
  MODEL4_MODEL_ID: ${MODEL4_MODEL_ID}
  MODEL4_BASE_URL: ${MODEL4_BASE_URL}
  MODEL4_API_KEY: ${MODEL4_API_KEY}
  MODEL4_PROTOCOL: ${MODEL4_PROTOCOL}
  MODEL4_CONTEXT_WINDOW: ${MODEL4_CONTEXT_WINDOW}
  MODEL4_MAX_TOKENS: ${MODEL4_MAX_TOKENS}
  # Provider 5 (optional)
  MODEL5_NAME: ${MODEL5_NAME}
  MODEL5_MODEL_ID: ${MODEL5_MODEL_ID}
  MODEL5_BASE_URL: ${MODEL5_BASE_URL}
  MODEL5_API_KEY: ${MODEL5_API_KEY}
  MODEL5_PROTOCOL: ${MODEL5_PROTOCOL}
  MODEL5_CONTEXT_WINDOW: ${MODEL5_CONTEXT_WINDOW}
  MODEL5_MAX_TOKENS: ${MODEL5_MAX_TOKENS}
  # Provider 6 (optional)
  MODEL6_NAME: ${MODEL6_NAME}
  MODEL6_MODEL_ID: ${MODEL6_MODEL_ID}
  MODEL6_BASE_URL: ${MODEL6_BASE_URL}
  MODEL6_API_KEY: ${MODEL6_API_KEY}
  MODEL6_PROTOCOL: ${MODEL6_PROTOCOL}
  MODEL6_CONTEXT_WINDOW: ${MODEL6_CONTEXT_WINDOW}
  MODEL6_MAX_TOKENS: ${MODEL6_MAX_TOKENS}
  # Channel config
  DM_POLICY: ${DM_POLICY}
  GROUP_POLICY: ${GROUP_POLICY}
  ALLOW_FROM: ${ALLOW_FROM}
  # Telegram bot config
  TELEGRAM_BOT_TOKEN: ${TELEGRAM_BOT_TOKEN}
  TELEGRAM_DM_POLICY: ${TELEGRAM_DM_POLICY}
  TELEGRAM_ALLOW_FROM: ${TELEGRAM_ALLOW_FROM}
  TELEGRAM_GROUP_POLICY: ${TELEGRAM_GROUP_POLICY}
  # Feishu bot config
  FEISHU_DEFAULT_ACCOUNT: ${FEISHU_DEFAULT_ACCOUNT}
  FEISHU_APP_ID: ${FEISHU_APP_ID}
  FEISHU_APP_SECRET: ${FEISHU_APP_SECRET}
  FEISHU_BOT_NAME: ${FEISHU_BOT_NAME}
  FEISHU_REPLY_MODE: ${FEISHU_REPLY_MODE}
  FEISHU_THREAD_SESSION: ${FEISHU_THREAD_SESSION}
  FEISHU_DOMAIN: ${FEISHU_DOMAIN}
  # Feishu multi-account JSON
  FEISHU_ACCOUNTS_JSON: ${FEISHU_ACCOUNTS_JSON}
  FEISHU_GROUPS_JSON: ${FEISHU_GROUPS_JSON}
  FEISHU_DM_POLICY: ${FEISHU_DM_POLICY}
  FEISHU_ALLOW_FROM: ${FEISHU_ALLOW_FROM}
  FEISHU_GROUP_POLICY: ${FEISHU_GROUP_POLICY}
  FEISHU_GROUP_ALLOW_FROM: ${FEISHU_GROUP_ALLOW_FROM}
  # Feishu plugin config
  FEISHU_OFFICIAL_PLUGIN_ENABLED: ${FEISHU_OFFICIAL_PLUGIN_ENABLED}
  FEISHU_STREAMING: ${FEISHU_STREAMING}
  FEISHU_FOOTER_ELAPSED: ${FEISHU_FOOTER_ELAPSED}
  FEISHU_FOOTER_STATUS: ${FEISHU_FOOTER_STATUS}
  FEISHU_REQUIRE_MENTION: ${FEISHU_REQUIRE_MENTION}
  # DingTalk config
  DINGTALK_CLIENT_ID: ${DINGTALK_CLIENT_ID}
  DINGTALK_CLIENT_SECRET: ${DINGTALK_CLIENT_SECRET}
  DINGTALK_ROBOT_CODE: ${DINGTALK_ROBOT_CODE}
  DINGTALK_DM_POLICY: ${DINGTALK_DM_POLICY}
  DINGTALK_GROUP_POLICY: ${DINGTALK_GROUP_POLICY}
  DINGTALK_ALLOW_FROM: ${DINGTALK_ALLOW_FROM}
  DINGTALK_CORP_ID: ${DINGTALK_CORP_ID}
  DINGTALK_AGENT_ID: ${DINGTALK_AGENT_ID}
  DINGTALK_MESSAGE_TYPE: ${DINGTALK_MESSAGE_TYPE}
  DINGTALK_CARD_TEMPLATE_ID: ${DINGTALK_CARD_TEMPLATE_ID}
  DINGTALK_CARD_TEMPLATE_KEY: ${DINGTALK_CARD_TEMPLATE_KEY}
  DINGTALK_MAX_RECONNECT_CYCLES: ${DINGTALK_MAX_RECONNECT_CYCLES}
  DINGTALK_DEBUG: ${DINGTALK_DEBUG}
  DINGTALK_JOURNAL_TTL_DAYS: ${DINGTALK_JOURNAL_TTL_DAYS}
  DINGTALK_SHOW_THINKING: ${DINGTALK_SHOW_THINKING}
  DINGTALK_THINKING_MESSAGE: ${DINGTALK_THINKING_MESSAGE}
  DINGTALK_ASYNC_MODE: ${DINGTALK_ASYNC_MODE}
  DINGTALK_ASYNC_ACK_TEXT: ${DINGTALK_ASYNC_ACK_TEXT}
  # DingTalk multi-robot JSON
  DINGTALK_ACCOUNTS_JSON: ${DINGTALK_ACCOUNTS_JSON}
  # QQ bot config
  QQBOT_APP_ID: ${QQBOT_APP_ID}
  QQBOT_CLIENT_SECRET: ${QQBOT_CLIENT_SECRET}
  QQBOT_DM_POLICY: ${QQBOT_DM_POLICY}
  QQBOT_ALLOW_FROM: ${QQBOT_ALLOW_FROM}
  QQBOT_GROUP_POLICY: ${QQBOT_GROUP_POLICY}
  # QQ bot multi-account JSON
  QQBOT_BOTS_JSON: ${QQBOT_BOTS_JSON}
  # WeCom config
  WECOM_DEFAULT_ACCOUNT: ${WECOM_DEFAULT_ACCOUNT}
  WECOM_ADMIN_USERS: ${WECOM_ADMIN_USERS}
  WECOM_COMMANDS_ENABLED: ${WECOM_COMMANDS_ENABLED}
  WECOM_COMMANDS_ALLOWLIST: ${WECOM_COMMANDS_ALLOWLIST}
  WECOM_DYNAMIC_AGENTS_ENABLED: ${WECOM_DYNAMIC_AGENTS_ENABLED}
  WECOM_DYNAMIC_AGENTS_ADMIN_BYPASS: ${WECOM_DYNAMIC_AGENTS_ADMIN_BYPASS}
  # WeCom single-account shortcut (written to the account named by defaultAccount)
  WECOM_BOT_ID: ${WECOM_BOT_ID}
  WECOM_SECRET: ${WECOM_SECRET}
  WECOM_WELCOME_MESSAGE: ${WECOM_WELCOME_MESSAGE}
  WECOM_SEND_THINKING_MESSAGE: ${WECOM_SEND_THINKING_MESSAGE}
  WECOM_DM_POLICY: ${WECOM_DM_POLICY}
  WECOM_ALLOW_FROM: ${WECOM_ALLOW_FROM}
  WECOM_GROUP_POLICY: ${WECOM_GROUP_POLICY}
  WECOM_GROUP_ALLOW_FROM: ${WECOM_GROUP_ALLOW_FROM}
  WECOM_WORKSPACE_TEMPLATE: ${WECOM_WORKSPACE_TEMPLATE}
  WECOM_AGENT_CORP_ID: ${WECOM_AGENT_CORP_ID}
  WECOM_AGENT_CORP_SECRET: ${WECOM_AGENT_CORP_SECRET}
  WECOM_AGENT_ID: ${WECOM_AGENT_ID}
  WECOM_WEBHOOKS_JSON: ${WECOM_WEBHOOKS_JSON}
  WECOM_DM_CREATE_AGENT_ON_FIRST_MESSAGE: ${WECOM_DM_CREATE_AGENT_ON_FIRST_MESSAGE}
  WECOM_GROUP_CHAT_ENABLED: ${WECOM_GROUP_CHAT_ENABLED}
  WECOM_GROUP_CHAT_REQUIRE_MENTION: ${WECOM_GROUP_CHAT_REQUIRE_MENTION}
  WECOM_GROUP_CHAT_MENTION_PATTERNS: ${WECOM_GROUP_CHAT_MENTION_PATTERNS}
  WECOM_NETWORK_EGRESS_PROXY_URL: ${WECOM_NETWORK_EGRESS_PROXY_URL}
  WECOM_NETWORK_API_BASE_URL: ${WECOM_NETWORK_API_BASE_URL}
  # WeCom multi-account JSON
  WECOM_ACCOUNTS_JSON: ${WECOM_ACCOUNTS_JSON}
  # NAPCAT config
  NAPCAT_REVERSE_WS_PORT: ${NAPCAT_REVERSE_WS_PORT}
  NAPCAT_DM_POLICY: ${NAPCAT_DM_POLICY}
  NAPCAT_ALLOW_FROM: ${NAPCAT_ALLOW_FROM}
  NAPCAT_GROUP_POLICY: ${NAPCAT_GROUP_POLICY}
  NAPCAT_HTTP_URL: ${NAPCAT_HTTP_URL}
  NAPCAT_ACCESS_TOKEN: ${NAPCAT_ACCESS_TOKEN}
  NAPCAT_ADMINS: ${NAPCAT_ADMINS}
  # Workspace config
  WORKSPACE: ${WORKSPACE}
  # Gateway config
  OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
  OPENCLAW_GATEWAY_BIND: ${OPENCLAW_GATEWAY_BIND}
  OPENCLAW_GATEWAY_PORT: ${OPENCLAW_GATEWAY_PORT}
  OPENCLAW_BRIDGE_PORT: ${OPENCLAW_BRIDGE_PORT}
  OPENCLAW_GATEWAY_MODE: ${OPENCLAW_GATEWAY_MODE}
  OPENCLAW_GATEWAY_ALLOWED_ORIGINS: ${OPENCLAW_GATEWAY_ALLOWED_ORIGINS}
  OPENCLAW_GATEWAY_ALLOW_INSECURE_AUTH: ${OPENCLAW_GATEWAY_ALLOW_INSECURE_AUTH}
  OPENCLAW_GATEWAY_DANGEROUSLY_DISABLE_DEVICE_AUTH: ${OPENCLAW_GATEWAY_DANGEROUSLY_DISABLE_DEVICE_AUTH}
  OPENCLAW_GATEWAY_AUTH_MODE: ${OPENCLAW_GATEWAY_AUTH_MODE}
  # Plugin control
  OPENCLAW_PLUGINS_ENABLED: ${OPENCLAW_PLUGINS_ENABLED}
  # Tools config
  OPENCLAW_TOOLS_JSON: ${OPENCLAW_TOOLS_JSON}

services:
  openclaw-gateway:
    container_name: openclaw-gateway
    image: ${OPENCLAW_IMAGE}
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
    # Optional: UID:GID the container runs as (e.g. 1000:1000)
    # Default stays root so init.sh can fix ownership of the mounted volume, then drops privileges before running the gateway
    user: ${OPENCLAW_RUN_USER:-0:0}
    environment: *openclaw-common-env
    volumes:
      - ${OPENCLAW_DATA_DIR}:/home/node/.openclaw
      # A named volume shares extensions, so plugins installed from the tools container are visible to the main container
      - openclaw-extensions:/home/node/.openclaw/extensions
    ports:
      - "${OPENCLAW_GATEWAY_PORT}:18789"
      - "${OPENCLAW_BRIDGE_PORT}:18790"
    init: true
    restart: unless-stopped

  openclaw-installer:
    container_name: openclaw-installer
    image: ${OPENCLAW_IMAGE}
    profiles:
      - tools
    user: ${OPENCLAW_RUN_USER:-0:0}
    environment: *openclaw-common-env
    volumes:
      - ${OPENCLAW_DATA_DIR}:/home/node/.openclaw
      - openclaw-extensions:/home/node/.openclaw/extensions
    entrypoint: ["tail", "-f", "/dev/null"]
    init: true
    restart: 'no'
    ports: []
    stdin_open: true
    tty: true
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE

volumes:
  openclaw-extensions:
```

Troubleshooting the security mechanism (LAN trial edition)

At this point you should normally be able to open the admin UI on the corresponding port. But if you are not accessing it from a browser on the same machine, you will most likely see this error: disconnected (1008): control ui requires HTTPS or localhost (secure context)

This error is a security mechanism of OpenClaw (an AI agent gateway project).

In short, OpenClaw's control panel needs the browser's "Secure Context" to call the WebCrypto API and generate a device identity. If the browser considers the current connection insecure, it refuses to run these cryptographic functions, and the connection is dropped.

You can try adding the following setting to openclaw.json to simplify authentication (recommended only on a trusted LAN):

```json
"gateway": {
  "controlUi": {
    "allowInsecureAuth": true
  }
}
```

The next step may ask you to authenticate the device. If you are on a trusted LAN, add one more line to the configuration above:

```json
"controlUi": {
  "allowInsecureAuth": true,
  "dangerouslyDisableDeviceAuth": true
}
```

The last 10 lines of the file then look like this:

```json
  "gateway": {
    "port": 18789,
    "bind": "lan",
    "mode": "local",
    "auth": { "token": "123456" },
    "controlUi": {
      "allowInsecureAuth": true,
      "dangerouslyDisableDeviceAuth": true
    }
  }
}
```

What these two lines really do is forcibly lift OpenClaw's built-in security "seal" for a plain-HTTP LAN environment.

Specifically:

1. "allowInsecureAuth": true. Literal meaning: allow insecure authentication.

What it does: by default, as soon as OpenClaw sees you are not using HTTPS (no padlock in the address bar), it rejects the request outright. Setting this to true tells the gateway: "I know this is an HTTP environment, let my requests through." It addresses the block at the transport level.

2. "dangerouslyDisableDeviceAuth": true. Literal meaning: dangerously disable device authentication.

What it does: this is the key one. To keep others from freely controlling your highly privileged AI agent, OpenClaw normally requires every browser that accesses it (your phone, your PC) to generate a key pair at the platform level and go through strict device binding (pairing).

Why it is needed: browsers have a hard rule that only pages served over HTTPS (or from localhost) may call the key-generation API. Since you cannot generate keys on a plain-HTTP LAN, this parameter tells OpenClaw: "Skip key generation and device pairing entirely. Don't verify the device; anyone who can reach this page and enter the password (token) gets in."
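As an added illustration (not code from this post or from OpenClaw), the two browser-side rules behind the 1008 error above and the earlier "include the port number" note on the allowed-origins setting: whether a page URL counts as a secure context, and what exact Origin string the browser will send. `controlUiOutcome` is a simplified stand-in for the gateway's checks and an assumption of this example, not OpenClaw's own logic.

```javascript
// Does the browser treat this page URL as a secure context? Mirrors the
// "potentially trustworthy origin" rule: https/wss, localhost, loopback.
function isSecureContext(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  const h = u.hostname; // an IPv6 literal keeps its brackets here
  if (h === 'localhost' || h.endsWith('.localhost') || h === '[::1]') return true;
  return /^127\.(\d{1,3}\.){2}\d{1,3}$/.test(h);
}

// The exact Origin the browser sends: scheme + host + port, with the scheme's
// default port dropped. A LAN URL on port 18789 therefore needs ":18789" in
// the allowlist, while https://example.com:443 is just https://example.com.
function originOf(pageUrl) {
  return new URL(pageUrl).origin;
}

// Exact-match allowlist check (origins are compared whole, not by prefix).
function originAllowed(pageUrl, allowedOrigins) {
  const o = originOf(pageUrl);
  return allowedOrigins.some((a) => a.trim().replace(/\/$/, '').toLowerCase() === o);
}

// Simplified stand-in for the control UI's checks (an assumption, not OpenClaw's
// own code): a wrong origin is rejected; a non-secure context is the 1008 case.
function controlUiOutcome(pageUrl, allowedOrigins) {
  if (!originAllowed(pageUrl, allowedOrigins)) return 'origin-rejected';
  if (!isSecureContext(pageUrl)) return 'insecure-context';
  return 'ok';
}
```

The same LAN address is rejected for a missing port or, with the port, fails the secure-context test; only localhost or an HTTPS domain passes both without either flag.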

Public-network notification setup (WeCom as the example):

Because this involves transmission over the public internet, for security you are strongly advised to remove the two settings above!

Once they are removed, accessing over the public internet will again hit the 1008 pairing block. Now open the terminal on your fnOS (飞牛) NAS and run

```bash
docker exec -it openclaw-gateway openclaw devices list
```

find your device ID, then run

```bash
docker exec -it openclaw-gateway openclaw devices approve <your device ID>
```

to approve it. This keeps access secure while still letting it work smoothly.

Step 1: Log in to the WeCom admin console and create an application

Log in to the WeCom admin console in a desktop browser.

Note: be sure to create a 'Smart Bot' (智能机器人), not a 'Custom App' (自建应用)! A custom app pushes messages in XML format, which makes OpenClaw error out and crash, whereas a smart bot pushes standard JSON.

Give your bot a name (for example "AI Assistant"), upload an avatar, and click "Create".

Step 2: Obtain the Token and AES Key

Once the application is created, open its details page.

Scroll down to the "Receive messages" section and click "Set API receiving".

The page that opens shows three key input fields:

URL: (covered below; this one is critical)

Token: click "Generate randomly" next to it.

EncodingAESKey: click "Generate randomly" next to it.

Do not close this page; copy the two randomly generated strings.

Step 3: Fill them into the configuration file

Go back to the .env file on your fnOS (飞牛) NAS and paste in what you copied (no spaces after the equals sign):

```dotenv
# WeCom config (optional; empty disables it)
WECOM_TOKEN=<the Token you just copied>
WECOM_ENCODING_AES_KEY=<the long AES key you just copied>
```

Save the file and restart the Docker container so the bot starts with these two new settings.

⚠️ Step 4: Fill in the callback URL (the step people get stuck on most)

After the bot restarts, return to the "Set API receiving" page you left open in WeCom; now you need to fill in the URL.

Key point: WeCom's servers are on the public internet and cannot reach a 192.168.x.x LAN IP in your home, so the OpenClaw backend must be exposed through a reverse proxy under a public domain.

Note: once a public domain is configured, to prevent cross-site attacks from sending the container into an endless restart loop, be sure to add a domain allowlist under gateway.controlUi in openclaw.json, for example: "allowedOrigins": ["https://your-public-domain"].

In this project the URL format is: https://your-public-domain/api/platform/webhook/XXXX (generated by the backend; copy it into the corresponding WeCom field and click Save).


If the bot is running normally on fnOS and is reachable from the internet, WeCom will report "Saved successfully". Now send a message to the application in WeCom and the bot will reply!

Author: 小转圈

Copyright notice: unless otherwise stated, all posts on this blog are licensed under BY-NC-SA. Please credit the source when reposting!