🚀 OpenClaw生产环境部署指南:从开发到上线

凌晨3点,服务器指示灯在黑暗中闪烁。我把最后一条配置写入docker-compose.yaml,按下回车键的那一刻,我知道,这个AI Agent将7×24小时为我工作,从不抱怨,从不要求加薪...

将OpenClaw从本地开发环境部署到生产服务器,需要考虑的不仅是"能跑起来",还要考虑安全性、稳定性和可维护性。本文提供经过实战验证的部署方案。

📋 环境要求

| 配置项 | 最低配置 | 推荐配置 |
|---|---|---|
| CPU | 2核 | 4核+ |
| 内存 | 4GB | 8GB+ |
| 存储 | 20GB SSD | 50GB SSD |
| 网络 | 10Mbps | 100Mbps |

🐳 Docker部署方案

1. 安装Docker环境

# Ubuntu/Debian
sudo apt update
sudo apt install docker.io docker-compose
# Note: the distro `docker-compose` package may be the legacy v1 tool;
# the `docker compose` plugin is the maintained successor.

# CentOS/RHEL
sudo yum install docker docker-compose

# Start the daemon now and on every boot (one call instead of start + enable)
sudo systemctl enable --now docker

2. 创建项目目录

# Project root; config/, data/ and logs/ are bind-mounted into the container
PROJECT_DIR=~/openclaw-production
mkdir -p "$PROJECT_DIR"/{config,data,logs}
cd "$PROJECT_DIR"

3. 编写docker-compose.yml

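# docker-compose.yml — OpenClaw with an optional Redis cache and Nginx TLS proxy.
# `version` is required by the legacy docker-compose v1 tool and ignored (with a
# warning) by Compose v2.
version: '3.8'

services:
  openclaw:
    image: openclaw/openclaw:latest
    container_name: openclaw-prod
    restart: unless-stopped
    ports:
      # Bound to loopback on purpose: Docker publishes ports through its own
      # iptables chains (DOCKER/FORWARD), which the UFW/iptables INPUT rules in
      # the hardening section do not cover. Nginx reaches the service over
      # openclaw-network by name, so only nginx's 80/443 need to face outside.
      - "127.0.0.1:3000:3000"
      - "127.0.0.1:8080:8080"  # API port
    volumes:
      - ./config:/config
      - ./data:/data
      - ./logs:/logs
    environment:
      # Interpolated from .env at compose time; env_file below additionally
      # passes the whole .env (bot tokens, JWT_SECRET, ...) into the container.
      - NODE_ENV=production
      - OPENAI_API_KEY=${OPENAI_API_KEY}
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
    env_file:
      - .env
    healthcheck:
      # Requires curl inside the image; if it is missing every probe fails and
      # the container stays "unhealthy" — TODO confirm against the image.
      test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s
    networks:
      - openclaw-network

  # Optional: Redis cache. No `ports` key, so it is reachable only from the
  # other containers on openclaw-network, never from the host or the internet.
  redis:
    image: redis:7-alpine
    container_name: openclaw-redis
    restart: unless-stopped
    volumes:
      - redis_data:/data
    command: redis-server --appendonly yes
    networks:
      - openclaw-network

  # Optional: Nginx reverse proxy (TLS termination, rate limiting)
  nginx:
    image: nginx:alpine
    container_name: openclaw-nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Config and key material are mounted read-only: a compromised nginx
      # process must not be able to rewrite its config or the private key.
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/ssl:/etc/nginx/ssl:ro
      - ./logs/nginx:/var/log/nginx
    depends_on:
      - openclaw
    networks:
      - openclaw-network

volumes:
  redis_data:

networks:
  openclaw-network:
    driver: bridge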

4. 配置环境变量

# .env — loaded into the container via env_file in docker-compose.yml and used
# for the ${...} interpolation there. Keep it out of version control and
# readable by the deploying user only: chmod 600 .env
OPENAI_API_KEY=sk-xxxxxxxxxxxxx
ANTHROPIC_API_KEY=sk-ant-xxxxxxxxxxxxx

# Telegram Bot
TELEGRAM_BOT_TOKEN=xxxxxx:xxxxxxxx

# Discord Bot
DISCORD_BOT_TOKEN=xxxxxxxx

# GitHub
GITHUB_TOKEN=ghp_xxxxxxxx

# Security settings — replace the placeholders with random values, e.g.
# `openssl rand -hex 32` for JWT_SECRET and `openssl rand -hex 16` (32 chars)
# for ENCRYPTION_KEY; do not reuse them between environments.
JWT_SECRET=your-super-secret-jwt-key
ENCRYPTION_KEY=your-32-char-encryption-key

5. Nginx配置

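# nginx/nginx.conf
# This file is mounted over /etc/nginx/nginx.conf (the main config), so it has
# to provide the events{} and http{} contexts itself: upstream/server blocks
# are only valid inside http{} and nginx refuses to start without them. To keep
# only the server blocks instead, mount the file at
# /etc/nginx/conf.d/default.conf and drop the outer contexts.
events {
    worker_connections 1024;
}

http {
    # ./logs/nginx is bind-mounted here by docker-compose; the fail2ban
    # nginx-http-auth jail reads error.log from that host directory.
    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;

    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    # Shared-memory zone backing the `limit_req` in /api/ below (10 MB of
    # client state, 10 requests/second per client IP — tune to your traffic).
    # Without this definition nginx fails its config test: the zone is unknown.
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

    upstream openclaw {
        server openclaw:3000;
    }

    server {
        listen 80;
        server_name your-domain.com;

        # Force HTTPS
        return 301 https://$server_name$request_uri;
    }

    server {
        # `http2` on the listen line still works but is deprecated since
        # nginx 1.25.1 in favour of a separate `http2 on;` directive.
        listen 443 ssl http2;
        server_name your-domain.com;

        # TLS certificate and key (read-only mount from ./nginx/ssl)
        ssl_certificate /etc/nginx/ssl/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/key.pem;

        # TLS settings
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers off;

        # Security headers. HSTS makes browsers skip plain HTTP entirely,
        # closing the window left by the port-80 redirect; use a short max-age
        # until the certificate setup is known to be stable, since a broken
        # certificate plus HSTS locks browsers out for the whole max-age.
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Proxy settings at server level so both locations inherit them.
        # (proxy_set_header is inherited only into locations that set none of
        # their own; previously /api/ got nginx's defaults and the app saw the
        # wrong Host and no client IP.)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Reverse proxy
        location / {
            proxy_pass http://openclaw;
        }

        # API rate limiting (per client IP, see limit_req_zone above)
        location /api/ {
            limit_req zone=api_limit burst=20 nodelay;
            proxy_pass http://openclaw;
        }
    }
}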

🔒 安全加固

1. 防火墙配置

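# UFW (Ubuntu)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
# Note: ports published by Docker (`ports:` in docker-compose.yml) are handled
# in Docker's own iptables chains and are NOT filtered by these rules. Publish
# internal services on loopback only (e.g. "127.0.0.1:3000:3000") so that just
# nginx's 80/443 face the network.

# Or use iptables
# Loopback and reply traffic must be accepted before the final DROP; without
# these two rules the DROP cuts off the current SSH session as well as DNS and
# package-repository replies.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -j DROP
# These rules live in memory only: persist them (e.g. install
# iptables-persistent, then `sudo netfilter-persistent save`) or they are gone
# after a reboot. IPv6 needs the same set via ip6tables.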

2. 自动更新

# Enable automatic security updates for host packages
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
# This covers apt packages only; the openclaw/redis/nginx images are refreshed
# separately with `docker-compose pull && docker-compose up -d`.

3. 日志监控

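# Install Fail2ban to slow down brute-force attempts
sudo apt install fail2ban

# Configure Fail2ban. A plain `cat > /etc/fail2ban/jail.local` fails with
# "Permission denied": the redirection is performed by the unprivileged shell,
# not by sudo, so the file is written through `sudo tee` instead.
sudo tee /etc/fail2ban/jail.local > /dev/null << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
# On hosts that log to journald only (no /var/log/auth.log) add: backend = systemd

[nginx-http-auth]
enabled = true
# nginx runs in a container; its logs land in ./logs/nginx on the host (see the
# nginx volumes in docker-compose.yml), not in /var/log/nginx. Replace
# <PROJECT_DIR> with the absolute path of ~/openclaw-production (placeholder).
logpath = <PROJECT_DIR>/logs/nginx/error.log
# This filter only matches nginx `auth_basic` failures; the nginx.conf above
# defines no auth_basic, so it does not see the application's own logins.
# Traffic to nginx's published 80/443 is forwarded by Docker and never reaches
# the INPUT chain, so a ban inserted there would not block it; DOCKER-USER is
# the chain Docker consults first for forwarded traffic.
chain = DOCKER-USER
EOF

sudo systemctl restart fail2ban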

📊 监控与日志

Docker日志管理

# Tail the application logs (Ctrl-C stops following)
docker-compose logs --follow openclaw

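# Limit log size. `logging` is a per-service key: appending it at the top level
# of docker-compose.yml (e.g. with `cat >>`) makes compose reject the file.
# Merge this under services.openclaw instead, then run `docker-compose up -d`.
services:
  openclaw:
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"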

健康检查

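# Check service status (State / Health columns)
docker-compose ps

# Result of the container healthcheck defined in docker-compose.yml
docker inspect --format '{{.State.Health.Status}}' openclaw-prod

# Failed containers are restarted automatically by `restart: unless-stopped`
# in docker-compose.yml; `docker-compose up` has no --restart option (that is
# a `docker run` flag). Re-apply the compose file, or restart one service:
docker-compose up -d
docker-compose restart openclaw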

⚡ 性能优化

1. 资源限制

# Resource limits for the openclaw service (merge into docker-compose.yml).
# NOTE(review): `deploy.resources` is honoured by Compose v2 (`docker compose`);
# the legacy docker-compose v1 tool from the distro package ignores it outside
# swarm mode unless run with `--compatibility` — confirm which one the host has.
services:
  openclaw:
    deploy:
      resources:
        limits:
          cpus: '2'     # hard cap on CPU time
          memory: 4G    # container is OOM-killed above this
        reservations:
          cpus: '1'     # soft reservation, not a cap
          memory: 2G

2. 连接池优化

# config.yaml — application-level settings.
# NOTE(review): the key names and units are whatever OpenClaw's own config
# loader expects; the docker-compose.yml above defines only openclaw, redis and
# nginx (no database service), so confirm the `database` section against the
# OpenClaw documentation before relying on it.
database:
  pool_size: 20
  max_overflow: 30
  pool_timeout: 30      # presumably seconds — TODO confirm

redis:
  max_connections: 50
  socket_timeout: 5     # presumably seconds — TODO confirm

🔄 备份策略

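#!/bin/bash
# backup.sh - daily backup of OpenClaw config and data.
# Abort on the first failed command so a half-written backup is never mistaken
# for a good one; -u also stops an unset variable from turning a path into "/".
set -euo pipefail

BACKUP_ROOT="/backup/openclaw"
BACKUP_DIR="$BACKUP_ROOT/$(date +%Y%m%d)"
# config/ may hold credentials and data/ holds everything the agent stores:
# create the backup tree owner-only.
umask 077
mkdir -p "$BACKUP_DIR"

# Back up configuration
cp -r "$HOME/openclaw-production/config" "$BACKUP_DIR/"
# .env (API keys) lives next to docker-compose.yml, outside config/, and is not
# included by this script; decide separately how it is backed up.

# Back up data: archive /data from inside the container, streamed to the host.
# `-C / data` stores relative paths and avoids tar's "Removing leading /" noise.
docker exec openclaw-prod tar czf - -C / data > "$BACKUP_DIR/data.tar.gz"

# Keep the last 7 days. -mindepth/-maxdepth restrict the match to the dated
# subdirectories, so neither $BACKUP_ROOT itself nor files inside a fresh
# backup can ever be removed.
find "$BACKUP_ROOT" -mindepth 1 -maxdepth 1 -type d -mtime +7 -exec rm -rf {} +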

🆘 故障处理

常见问题