OpenClaw Server Configuration Notes

1. Initial Diagnosis and Fixes

1.1 Run the diagnostics

openclaw doctor --fix

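The diagnostics reported the following problems:

  • the exa search plugin is not installed
  • gateway.auth.password is stored in plaintext, which is a security risk
  • 35 skills cannot be used because of missing dependencies
  • no command owner is configured (privileged commands cannot be executed)
  • memory search has no API key configured

1.2 Fix the plaintext password

Migrate gateway.auth.password from a plaintext value to an environment variable reference: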

openclaw secrets configure

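Menu path: Add provider → env → alias: default → Continue → gateway.auth.password → env → id: OPENCLAW_GATEWAY_PASSWORD → Apply

The migration is one-way: the original password cannot be recovered.

2. Gateway Crash Fix

2.1 Problem

After the password migration, the gateway crashed and restarted repeatedly. Cause: the gateway process is managed by systemd and cannot read environment variables exported in a terminal.

2.2 Fix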

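mkdir -p ~/.config/systemd/user/openclaw-gateway.service.d
# 你的密码 is a placeholder for the real password
cat > ~/.config/systemd/user/openclaw-gateway.service.d/env.conf << 'EOF'
[Service]
Environment="OPENCLAW_GATEWAY_PASSWORD=你的密码"
EOF
# The drop-in now holds the password on disk; restrict it to the owner
chmod 600 ~/.config/systemd/user/openclaw-gateway.service.d/env.conf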

systemctl --user daemon-reload
systemctl --user restart openclaw-gateway.service
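
A check for the drop-in directory used above, as an added example that is not part of the original notes: it flags drop-in files that set a secret-looking Environment= variable while being accessible to group or other. The function name audit_secret_dropins and the variable-name pattern are assumptions.

```shell
#!/bin/sh
# Added example: flag systemd drop-ins that carry a secret in Environment=
# and are accessible to group or other.
# Assumption: a "secret" is any variable whose name contains one of these words.
SECRET_LINE_RE='^[[:space:]]*Environment="?[A-Za-z0-9_]*(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY)[A-Za-z0-9_]*='

# audit_secret_dropins DIR
# Prints "<mode> <path>" for each offending *.conf file in DIR.
# Returns 0 when nothing is exposed, 1 otherwise.
# The body runs in a subshell so its variables stay local in plain POSIX sh.
audit_secret_dropins() (
    status=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # Skip drop-ins that set no secret-looking variable (e.g. proxy.conf).
        grep -Eq "$SECRET_LINE_RE" "$f" || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        # Characters 5-10 of the mode string are the group and other bits.
        case "$mode" in
            ????------) ;;
            *)  printf '%s %s\n' "$mode" "$f"
                status=1 ;;
        esac
    done
    [ "$status" -eq 0 ]
)

# Stand-alone use: sh audit.sh ~/.config/systemd/user/openclaw-gateway.service.d
if [ "$#" -gt 0 ]; then
    audit_secret_dropins "$1"
fi
```

A mode of 0600 only keeps other local accounts out: the password is still on disk and visible to the owning user through systemctl --user show.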

2.3 Configure the Command Owner

# 你的用户ID is a placeholder for your own user ID
openclaw config set commands.ownerAllowFrom '["openclaw-weixin:你的用户ID"]'

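3. Proxy Configuration (working around network access problems inside China)

3.1 Install Xray

The download has to go through a GitHub acceleration proxy (ghfast.top):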

curl -L -o /tmp/xray.zip "https://ghfast.top/https://github.com/XTLS/Xray-core/releases/download/v26.3.27/Xray-linux-64.zip" --connect-timeout 30
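# Fetched through a third-party mirror: compare this SHA-256 with the digest published with the upstream release before installing
sha256sum /tmp/xray.zip
unzip -o /tmp/xray.zip -d /tmp/xray-extract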
sudo cp /tmp/xray-extract/xray /usr/local/bin/
sudo chmod +x /usr/local/bin/xray

3.2 Download the GeoIP/GeoSite databases

Required for routing-based traffic splitting:

curl -L "https://ghfast.top/https://github.com/v2fly/geoip/releases/latest/download/geoip.dat" | sudo tee /usr/local/bin/geoip.dat > /dev/null
curl -L "https://ghfast.top/https://github.com/v2fly/domain-list-community/releases/latest/download/dlc.dat" | sudo tee /usr/local/bin/geosite.dat > /dev/null

3.3 Xray configuration

sudo mkdir -p /etc/xray
sudo tee /etc/xray/config.json << 'EOF'
{
  "log": { "loglevel": "warning" },
  "inbounds": [
    {
      "listen": "127.0.0.1", "port": 10808, "protocol": "socks",
      "settings": { "auth": "noauth", "udp": true },
      "sniffing": { "destOverride": ["http", "tls"], "enabled": true },
      "tag": "socks"
    },
    {
      "listen": "127.0.0.1", "port": 10809, "protocol": "http", "tag": "http"
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [{
          "address": "<SERVER_IP>", "port": 443,
          "users": [{ "id": "<UUID>", "alterId": 0, "security": "auto" }]
        }]
      },
      "streamSettings": {
        "network": "ws", "security": "tls",
        "tlsSettings": {
          "allowInsecure": false, "alpn": ["h3","h2","http/1.1"],
          "fingerprint": "chrome", "serverName": "<SNI_DOMAIN>"
        },
        "wsSettings": { "headers": { "Host": "<WS_HOST>" }, "path": "<WS_PATH>" }
      },
      "tag": "proxy"
    },
    { "protocol": "freedom", "settings": { "domainStrategy": "UseIP" }, "tag": "direct" },
    { "protocol": "blackhole", "tag": "block" }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      { "ip": ["geoip:private"], "outboundTag": "direct", "type": "field" },
      { "domain": ["geosite:private"], "outboundTag": "direct", "type": "field" },
      { "ip": ["geoip:cn"], "outboundTag": "direct", "type": "field" },
      { "domain": ["geosite:cn"], "outboundTag": "direct", "type": "field" }
    ]
  }
}
EOF

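The routing rules send domestic traffic directly and foreign traffic through the proxy: private and CN addresses and domains match the direct rules, and anything that matches no rule uses the first outbound, proxy. Both inbounds listen only on 127.0.0.1, which matters because the SOCKS inbound uses noauth.

3.4 Run as a system service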

sudo tee /etc/systemd/system/xray.service << 'EOF'
[Unit]
Description=Xray Service
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/xray run -c /etc/xray/config.json
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable xray
sudo systemctl start xray

3.5 Verify the proxy

# Foreign site: goes through the proxy
curl -s --proxy http://127.0.0.1:10809 https://www.google.com -o /dev/null -w "%{http_code}\n" --connect-timeout 10
# Domestic site: direct connection
curl -s --proxy http://127.0.0.1:10809 https://www.baidu.com -o /dev/null -w "%{http_code}\n" --connect-timeout 10

If both return 200, the proxy is working.

3.6 Inject the proxy into the OpenClaw gateway

cat > ~/.config/systemd/user/openclaw-gateway.service.d/proxy.conf << 'EOF'
[Service]
Environment="HTTPS_PROXY=http://127.0.0.1:10809"
Environment="HTTP_PROXY=http://127.0.0.1:10809"
Environment="NO_PROXY=127.0.0.1,localhost,::1"
EOF

systemctl --user daemon-reload
systemctl --user restart openclaw-gateway.service

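4. Search Configuration

4.1 Problem

exa requires a paid API key and depends on the proxy. Switched to DuckDuckGo, which is free and reachable directly from inside China.

4.2 Enable the DuckDuckGo plugin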

openclaw plugins enable duckduckgo
openclaw config set tools.web.search.provider duckduckgo
openclaw config set tools.web.search.enabled true
systemctl --user restart openclaw-gateway.service

4.3 Verify

openclaw gateway status

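Confirm Runtime: running, Connectivity probe: ok, Capability: admin-capable.

5. Final State

Component        Status
Gateway          running, managed by systemd, starts at boot
Xray proxy       running, managed by systemd, domestic/foreign traffic split
Search           DuckDuckGo, free, direct connection from inside China
Password         environment variable reference, no plaintext
Command Owner    configured
Plugin           57 loaded, 0 errors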