Deployment Overview of Openclaw on Server
Prerequisites and Basic Requirements
To ensure the successful deployment of Openclaw, the following requirements must be met:
- Operating System: Linux (Ubuntu/Debian based systems are implied by `apt` usage).
- Privileges: Root or sudo access is required for package installation, directory creation, and service management.
- Network Ports:
  - Port `80` (HTTP) for Let's Encrypt challenges and redirection.
  - Port `443` (HTTPS) for secure web traffic.
  - Port `18789` (Gateway) for the application backend.
FQDN of the final panel on the hostkey.in domain
The access point for the management interface follows this pattern: `<prefix>Server ID.hostkey.in:<port>`
(Note: The specific prefix is `openclaw`).
File and Directory Structure
The application utilizes several specific directories for configuration, certificates, and data storage:
| Path | Description |
|---|---|
| `/root/nginx` | Contains the Docker Compose deployment files. |
| `/data/nginx` | Main directory for Nginx configurations and environment files. |
| `/data/nginx/user_conf.d` | Stores custom Nginx server block configurations. |
| `/data/nginx/letsencrypt` | Webroot for Let's Encrypt ACME challenges. |
| `/data/nginx/nginx-certbot.env` | Environment variables for the Nginx container. |
| `~/.ansible/openclaw` | Directory for storing gateway tokens. |
Docker Containers and Their Deployment
The deployment utilizes a Dockerized Nginx instance with Certbot integration to handle SSL termination. The service is managed via Docker Compose.
- Image: `jonasal/nginx-certbot:6.2.0-nginx1.31.0`
- Deployment Method: Docker Compose
- Network Mode: `host` (to allow direct access to local services and simplify SSL handling).
- Restart Policy: `unless-stopped`
Proxy Servers
Nginx acts as a reverse proxy, managing SSL termination via Let's Encrypt certificates.
- SSL Configuration:
  - Uses Certbot for automated certificate management.
  - Implements HSTS (`Strict-Transport-Security`) with a `max-age` of one year.
  - Configured to handle HTTP to HTTPS redirection.
- Proxy Settings:
  - Proxies traffic from port `443` to the local gateway on `127.0.0.1:18789`.
  - Supports WebSocket upgrades (`Upgrade $http_upgrade`).
  - Passes real client IP addresses and original host headers via `X-Forwarded-*` headers.
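The following Python script is an added example, not part of the original deployment files: it lints an Nginx server block (such as one stored in `/data/nginx/user_conf.d`) against the SSL and proxy settings listed above and returns every departure it finds. The sample server block is constructed for illustration, and the function names `directives` and `audit`, as well as the choice of `X-Forwarded-For` and `X-Forwarded-Proto` as the checked headers, are assumptions.

```python
import re

# Constructed sample server block, not the deployed file.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    # ssl_certificate directives omitted from this constructed sample
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://127.0.0.1:18789;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
"""
ONE_YEAR = 31536000  # seconds

def directives(conf):
    """Split a config into (name, args) pairs; '#' comments are dropped."""
    conf = re.sub(r"#[^\n]*", "", conf)
    pairs = (s.split(None, 1) for s in re.split(r"[;{}]", conf))
    return [(p[0], p[1].strip() if len(p) > 1 else "") for p in pairs if p]

def audit(conf):
    """Return findings where conf departs from the proxy settings listed above."""
    d, findings = directives(conf), []
    hsts = " ".join(a for n, a in d if n == "add_header"
                    and a.lower().startswith("strict-transport-security"))
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    if not any(n == "listen" and re.search(r"\b443\b.*\bssl\b", a) for n, a in d):
        findings.append("no TLS listener on 443")
    passes = [a for n, a in d if n == "proxy_pass"]
    if not passes or any(not re.match(r"http://127\.0\.0\.1:18789(/|$)", p) for p in passes):
        findings.append("proxy_pass does not target 127.0.0.1:18789")
    hdrs = {a.split()[0].lower(): a for n, a in d if n == "proxy_set_header" and a}
    if "$http_upgrade" not in hdrs.get("upgrade", ""):
        findings.append("WebSocket Upgrade header not forwarded")
    # Assumption: X-Forwarded-For and X-Forwarded-Proto stand in for "X-Forwarded-*".
    findings += [f"{h} not set" for h in ("x-forwarded-for", "x-forwarded-proto") if h not in hdrs]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "sample matches the documented proxy settings")
```

Pass the text of a real server block to `audit` to compare it with the documented settings; an empty list means no departures were found.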
Permission Settings
The following directory permissions are applied during deployment:
| Directory/File | Owner | Group | Mode |
|---|---|---|---|
| `/root/nginx` | root | root | 0755 |
| `/data/nginx` | root | root | 0755 |
| `/data/nginx/user_conf.d` | root | root | 0755 |
| `/data/nginx/letsencrypt/.well-known/acme-challenge` | root | root | 0755 |
| `/root/nginx/compose.yml` | root | root | 0644 |
| `/data/nginx/*.conf` | root | root | 0644 |
Available ports for connection
The following ports are utilized by the system:
- `80`: Public HTTP access (Redirected to HTTPS).
- `443`: Secure HTTPS web interface.
- `18789`: Internal application gateway port.