Spaces:

kyle-ai
/

open-space

Paused

App Files Files Community

kyle-ai commited on Feb 27

Commit

0bd0b14

verified ·

1 Parent(s): e5775a8

Update Dockerfile

Browse files

Files changed (1) hide show

Dockerfile +24 -13

Dockerfile CHANGED Viewed

@@ -78,7 +78,7 @@ if __name__ == "__main__":\n\
     if len(sys.argv) > 1 and sys.argv[1] == "backup": backup()\n\
     else: restore()' > /usr/local/bin/sync.py
-# 6. 深度调试启动脚本 (抛弃 PM2，直接暴露日志)
 RUN echo "#!/bin/bash\n\
 set -e\n\
 \n\
@@ -94,7 +94,7 @@ python3 /usr/local/bin/sync.py restore\n\
 find /root/.openclaw -name \"*.lock\" -delete\n\
 chmod 700 /root/.openclaw\n\
 \n\
-# 4. 生成配置文件\n\
 CLEAN_BASE=\$(echo \"\$OPENAI_API_BASE\" | sed \"s|/chat/completions||g\" | sed \"s|/v1/|/v1|g\")\n\
 \n\
 cat > /root/.openclaw/openclaw.json <<EOF\n\
@@ -103,35 +103,46 @@ cat > /root/.openclaw/openclaw.json <<EOF\n\
   \"agents\": { \"defaults\": { \"model\": { \"primary\": \"siliconflow/\$MODEL\" } } },\n\
   \"gateway\": {\n\
     \"mode\": \"local\",\n\
-    \"bind\": \"0.0.0.0\",\n\
     \"port\": 7860,\n\
-    \"auth\": { \"mode\": \"token\", \"token\": \"\$OPENCLAW_GATEWAY_PASSWORD\" },\n\
     \"controlUi\": {\n\
       \"enabled\": true,\n\
       \"allowInsecureAuth\": true,\n\
       \"dangerouslyDisableDeviceAuth\": true,\n\
       \"dangerouslyAllowHostHeaderOriginFallback\": true\n\
     }\n\
   }\n\
 }\n\
 EOF\n\
 \n\
-echo \"--- [System] 📄 检查配置文件内容: ---\"\n\
-cat /root/.openclaw/openclaw.json\n\
-\n\
-# 5. 启动后台备份任务\n\
 (while true; do \n\
     sleep 1800; \n\
     python3 /usr/local/bin/sync.py backup; \n\
 done) &\n\
 \n\
-# 6. 【关键】直接启动 OpenClaw (前台运行)\n\
-echo \"--- [System] 🚀 正在启动 OpenClaw Gateway... ---\"\n\
 export NODE_ENV=production\n\
-export HOST=0.0.0.0\n\
-export OPENCLAW_TRUST_LOCAL_WS=1\n\
 \n\
-# 获取 openclaw 绝对路径并运行\n\
 OPENCLAW_BIN=\$(which openclaw)\n\
 exec \$OPENCLAW_BIN gateway run --port 7860\n\
 " > /usr/local/bin/start-openclaw && chmod +x /usr/local/bin/start-openclaw

     if len(sys.argv) > 1 and sys.argv[1] == "backup": backup()\n\
     else: restore()' > /usr/local/bin/sync.py
+# 6. 安全增强版启动脚本 (适配 2.26 + 隐私保护)
 RUN echo "#!/bin/bash\n\
 set -e\n\
 \n\
 find /root/.openclaw -name \"*.lock\" -delete\n\
 chmod 700 /root/.openclaw\n\
 \n\
+# 4. 生成配置文件 (已应用用户自定义的 gateway 安全配置)\n\
 CLEAN_BASE=\$(echo \"\$OPENAI_API_BASE\" | sed \"s|/chat/completions||g\" | sed \"s|/v1/|/v1|g\")\n\
 \n\
 cat > /root/.openclaw/openclaw.json <<EOF\n\
   \"agents\": { \"defaults\": { \"model\": { \"primary\": \"siliconflow/\$MODEL\" } } },\n\
   \"gateway\": {\n\
     \"mode\": \"local\",\n\
     \"port\": 7860,\n\
+    \"bind\": \"custom\",\n\
+    \"customBindHost\": \"0.0.0.0\",\n\
+    \"trustedProxies\": [\"10.0.0.0/8\"],\n\
+    \"auth\": {\n\
+      \"mode\": \"token\",\n\
+      \"token\": \"\$OPENCLAW_GATEWAY_PASSWORD\",\n\
+      \"rateLimit\": {\n\
+        \"maxAttempts\": 10,\n\
+        \"windowMs\": 60000,\n\
+        \"lockoutMs\": 300000,\n\
+        \"exemptLoopback\": true\n\
+      }\n\
+    },\n\
     \"controlUi\": {\n\
       \"enabled\": true,\n\
       \"allowInsecureAuth\": true,\n\
       \"dangerouslyDisableDeviceAuth\": true,\n\
       \"dangerouslyAllowHostHeaderOriginFallback\": true\n\
+    },\n\
+    \"tools\": {\n\
+      \"deny\": [\"gateway\"]\n\
     }\n\
   }\n\
 }\n\
 EOF\n\
 \n\
+# 5. 后台备份任务\n\
 (while true; do \n\
     sleep 1800; \n\
     python3 /usr/local/bin/sync.py backup; \n\
 done) &\n\
 \n\
+# 6. 启动 OpenClaw (移除 cat 命令，保护隐私)\n\
+echo \"--- [System] 🚀 正在启动 OpenClaw Gateway (端口 7860)... ---\"\n\
+echo \"--- [System] ℹ️ 配置文件已生成，敏感信息已脱敏处理。 ---\"\n\
+\n\
 export NODE_ENV=production\n\
+export OPENCLAW_TRUST_PROXY=true\n\
 \n\
 OPENCLAW_BIN=\$(which openclaw)\n\
 exec \$OPENCLAW_BIN gateway run --port 7860\n\
 " > /usr/local/bin/start-openclaw && chmod +x /usr/local/bin/start-openclaw