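#!/bin/bash
# Container entrypoint: a web terminal (ttyd) fronted by oauth2-proxy and nginx.
#
#   client -> nginx :7860 -> oauth2-proxy 127.0.0.1:4180 -> ttyd 127.0.0.1:7681
#
# Environment:
#   ALLOWED_USERS                REQUIRED. Comma-separated allowlist; entries that
#                                contain '@' are e-mail addresses, the rest are
#                                treated as GitHub usernames.
#   OAUTH2_PROXY_COOKIE_SECRET   Cookie encryption key. A random one is generated
#                                when unset (sessions do not survive a restart).
#   GITHUB_CLIENT_ID / _SECRET   Selects the GitHub provider.
#   GOOGLE_CLIENT_ID / _SECRET   Selects the Google provider (if GitHub is unset).
#   OAUTH2_PROXY_PROVIDER        Fallback provider name (default: github).
#
# Trace every command for debugging. The secret-handling sections below switch
# the trace off temporarily so client/cookie secrets never reach the Space logs.
set -x

# =========================================================
# Helpers
# =========================================================

# Disable xtrace while secrets are assigned (set -x prints assignment values).
# XTRACE_WAS_ON records the previous state for xtrace_restore.
xtrace_off() {
  case $- in
    *x*) XTRACE_WAS_ON=1 ;;
    *)   XTRACE_WAS_ON=0 ;;
  esac
  { set +x; } 2>/dev/null
}

xtrace_restore() {
  if [ "${XTRACE_WAS_ON:-0}" = 1 ]; then
    set -x
  fi
}

# Print $1 with leading/trailing whitespace removed. Done with parameter
# expansion rather than xargs, because xargs interprets quotes and backslashes
# in its input and would mangle (or choke on) such entries.
trim() {
  local s=$1
  s="${s#"${s%%[![:space:]]*}"}"
  s="${s%"${s##*[![:space:]]}"}"
  printf '%s' "$s"
}

# Stop the background services on any exit path so a failed startup or a
# crashed nginx does not leave an orphaned ttyd / oauth2-proxy behind.
cleanup() {
  local pid
  for pid in "${TTYD_PID:-}" "${OAUTH2_PROXY_PID:-}"; do
    if [ -n "$pid" ]; then
      kill "$pid" 2>/dev/null
    fi
  done
}
trap cleanup EXIT

# =========================================================
# Cookie secret
# =========================================================
xtrace_off
if [ -z "$OAUTH2_PROXY_COOKIE_SECRET" ]; then
  echo "Generating temporary cookie secret..."
  # 32 printable characters derived from /dev/urandom, which satisfies
  # oauth2-proxy's 16/24/32-byte cookie-secret requirement. Because the value
  # is fresh on every start, session cookies issued by a previous run can no
  # longer be decrypted -- set OAUTH2_PROXY_COOKIE_SECRET to keep sessions
  # across restarts.
  OAUTH2_PROXY_COOKIE_SECRET=$(head -c 32 /dev/urandom | base64 | head -c 32)
  export OAUTH2_PROXY_COOKIE_SECRET
  echo "Cookie Secret Generated."
fi
xtrace_restore

# =========================================================
# Allowlist (e-mail addresses and/or GitHub usernames)
# =========================================================
# /tmp is writable for any container user. Use a random file name rather than
# a fixed one so another process cannot pre-create or symlink the path.
AUTH_FILE=$(mktemp /tmp/authenticated_emails.XXXXXX) || {
  echo "ERROR: cannot create allowlist file in /tmp" >&2
  exit 1
}
GITHUB_USERS=""

if [ -z "$ALLOWED_USERS" ]; then
  # Fail closed. This proxy fronts a *writable* shell (ttyd -W), and the proxy
  # is started with --email-domain=* (oauth2-proxy's "any e-mail" setting), so
  # an empty allowlist would not restrict who can log in. Refuse to start.
  echo "ERROR: ALLOWED_USERS is not set; refusing to expose the terminal without an allowlist." >&2
  exit 1
fi

echo "Processing ALLOWED_USERS: $ALLOWED_USERS"
IFS=',' read -ra ENTRIES <<< "$ALLOWED_USERS"
for entry in "${ENTRIES[@]}"; do
  entry=$(trim "$entry")
  # Skip empty entries (e.g. a trailing comma) instead of writing a blank line
  # to the file or a dangling "," into --github-user.
  if [ -z "$entry" ]; then
    continue
  fi
  # Reject entries with embedded whitespace or quotes: they are neither a valid
  # e-mail nor a GitHub username and would corrupt the comma-separated list.
  case $entry in
    *[[:space:]\'\"]*)
      echo "WARNING: ignoring malformed ALLOWED_USERS entry: '$entry'" >&2
      continue ;;
  esac
  if [[ "$entry" == *"@"* ]]; then
    # Contains '@': e-mail address for --authenticated-emails-file.
    printf '%s\n' "$entry" >> "$AUTH_FILE"
  else
    # No '@': GitHub username, collected for --github-user.
    GITHUB_USERS="${GITHUB_USERS:+$GITHUB_USERS,}$entry"
  fi
done

# =========================================================
# Start services
# =========================================================

# 1. ttyd on loopback port 7681.
#    -b /: serve the terminal at the root path, so login lands in the terminal.
#    -W:   writable terminal -- anything that reaches this port gets a shell,
#          so it must only be reachable through oauth2-proxy. It is bound to
#          127.0.0.1 here; the nginx config (not part of this script) must
#          proxy only to 4180, never to 7681.
echo "Starting ttyd on 127.0.0.1:7681..."
ttyd -p 7681 -i 127.0.0.1 -W bash &
TTYD_PID=$!

# 2. OpenClaw pre-start was removed in the fallback setup.
#    (manual start kept here as a reference)
# export OPENCLAW_AUTH_DISABLE=true
# openclaw gateway run &

# 3. oauth2-proxy on loopback port 4180.
#    Stable mode: pick a single provider from the environment.
#    Secrets are exported to the environment only and never placed on the
#    command line, where `ps` and the xtrace would expose them; oauth2-proxy
#    reads every flag from its OAUTH2_PROXY_<FLAG> environment equivalent.
echo "Starting oauth2-proxy on 127.0.0.1:4180..."
xtrace_off
if [ -n "$GITHUB_CLIENT_ID" ] && [ -n "$GITHUB_CLIENT_SECRET" ]; then
  echo "Detected GITHUB_CLIENT_ID/SECRET. Using GitHub Provider."
  export OAUTH2_PROXY_PROVIDER="github"
  export OAUTH2_PROXY_CLIENT_ID="$GITHUB_CLIENT_ID"
  export OAUTH2_PROXY_CLIENT_SECRET="$GITHUB_CLIENT_SECRET"
elif [ -n "$GOOGLE_CLIENT_ID" ] && [ -n "$GOOGLE_CLIENT_SECRET" ]; then
  echo "Detected GOOGLE_CLIENT_ID/SECRET. Using Google Provider."
  export OAUTH2_PROXY_PROVIDER="google"
  export OAUTH2_PROXY_CLIENT_ID="$GOOGLE_CLIENT_ID"
  export OAUTH2_PROXY_CLIENT_SECRET="$GOOGLE_CLIENT_SECRET"
else
  # Fall back to whatever OAUTH2_PROXY_* the environment (or the config file)
  # already provides; only the provider name gets a default.
  if [ -z "$OAUTH2_PROXY_PROVIDER" ]; then
    export OAUTH2_PROXY_PROVIDER="github"
  fi
  echo "Using generic/default Provider: $OAUTH2_PROXY_PROVIDER"
fi
xtrace_restore

# Build the argument list as an array. The previous string-concatenated
# command was expanded unquoted, which (a) word-split on any value containing
# spaces, (b) could glob-expand "--email-domain=*", and (c) passed the literal
# quote characters of --custom-sign-in-logo="-" / --banner="-" / --footer="-"
# through to oauth2-proxy, so the "-" (disable) value was never recognised.
# Upstream is ttyd on 127.0.0.1:7681.
OAUTH2_ARGS=(
  --config=oauth2-proxy.cfg            # resolved relative to the working directory
  --provider="$OAUTH2_PROXY_PROVIDER"
  --client-id="$OAUTH2_PROXY_CLIENT_ID"
  # --client-secret and --cookie-secret come from the environment (see above).
  # NOTE(review): "*" makes oauth2-proxy accept any e-mail; per its docs this
  # means the e-mail allowlist file is not what restricts access, only the
  # --github-user list (when present) is. Verify against the deployed version
  # before relying on e-mail entries in ALLOWED_USERS alone.
  --email-domain='*'
  --upstream=http://127.0.0.1:7681
  --http-address=127.0.0.1:4180
  --authenticated-emails-file="$AUTH_FILE"
  --custom-sign-in-logo=-
  --banner=-
  --footer=-
  --custom-templates-dir=/var/www/html/theme
)

# Append the GitHub username allowlist if any were given.
if [ -n "$GITHUB_USERS" ]; then
  echo "Adding GitHub User whitelist: $GITHUB_USERS"
  OAUTH2_ARGS+=(--github-user="$GITHUB_USERS")
fi

# stderr is merged into stdout so oauth2-proxy's own errors show in the Space logs.
oauth2-proxy "${OAUTH2_ARGS[@]}" 2>&1 &
OAUTH2_PROXY_PID=$!

# 4. Health check: wait up to 10 s for oauth2-proxy to listen on 4180, and
#    bail out early if either background process dies meanwhile.
echo "Waiting for services to start..."
PROXY_UP=0
for i in {1..10}; do
  if nc -z 127.0.0.1 4180; then
    echo "oauth2-proxy is up and running!"
    PROXY_UP=1
    break
  fi
  echo "Waiting for oauth2-proxy (attempt $i/10)..."
  sleep 1
  if ! kill -0 "$OAUTH2_PROXY_PID" 2>/dev/null; then
    # Its output was redirected to stdout above, so the reason is already in the logs.
    echo "CRITICAL: oauth2-proxy failed to start! Exiting." >&2
    exit 1
  fi
  if ! kill -0 "$TTYD_PID" 2>/dev/null; then
    echo "CRITICAL: ttyd exited during startup! Exiting." >&2
    exit 1
  fi
done
# Do not start nginx in front of a proxy that never came up; exiting non-zero
# lets the platform restart the container instead of serving 502s forever.
if [ "$PROXY_UP" != 1 ]; then
  echo "CRITICAL: oauth2-proxy did not open 127.0.0.1:4180 within 10s. Exiting." >&2
  exit 1
fi

# 5. nginx in the foreground on the public port 7860 (keeps the container alive).
echo "Starting Nginx on port 7860..."
nginx -g "daemon off;"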