diff --git a/docker-compose/local-logto/.env.example b/docker-compose/local/logto/.env.example
similarity index 94%
rename from docker-compose/local-logto/.env.example
rename to docker-compose/local/logto/.env.example
index 5fa0bb7b3bf8..df783be99449 100644
--- a/docker-compose/local-logto/.env.example
+++ b/docker-compose/local/logto/.env.example
@@ -1,6 +1,6 @@
 # Logto secret
-LOGTO_CLIENT_ID=
-LOGTO_CLIENT_SECRET=
+AUTH_LOGTO_CLIENT_ID=
+AUTH_LOGTO_CLIENT_SECRET=
 # MinIO S3 configuration
 MINIO_ROOT_USER=YOUR_MINIO_USER
diff --git a/docker-compose/local-logto/.env.zh-CN.example b/docker-compose/local/logto/.env.zh-CN.example
similarity index 92%
rename from docker-compose/local-logto/.env.zh-CN.example
rename to docker-compose/local/logto/.env.zh-CN.example
index 4557b2daa80a..bd48e50aa35d 100644
--- a/docker-compose/local-logto/.env.zh-CN.example
+++ b/docker-compose/local/logto/.env.zh-CN.example
@@ -1,6 +1,6 @@
-# Logto secret
-LOGTO_CLIENT_ID=
-LOGTO_CLIENT_SECRET=
+# Logto 鉴权相关
+AUTH_LOGTO_CLIENT_ID=
+AUTH_LOGTO_CLIENT_SECRET=
 # MinIO S3 配置
 MINIO_ROOT_USER=YOUR_MINIO_USER
diff --git a/docker-compose/local-logto/docker-compose.yml b/docker-compose/local/logto/docker-compose.yml
similarity index 97%
rename from docker-compose/local-logto/docker-compose.yml
rename to docker-compose/local/logto/docker-compose.yml
index cc59b6a2afa8..9550856a5ead 100644
--- a/docker-compose/local-logto/docker-compose.yml
+++ b/docker-compose/local/logto/docker-compose.yml
@@ -81,7 +81,7 @@ services:
 - 'KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ='
 - 'NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg'
 - 'NEXTAUTH_URL=http://localhost:${LOBE_PORT}/api/auth'
- - 'LOGTO_ISSUER=http://localhost:${LOGTO_PORT}/oidc'
+ - 'AUTH_LOGTO_ISSUER=http://localhost:${LOGTO_PORT}/oidc'
 - 'DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgresql:5432/${LOBE_DB_NAME}'
 - 'S3_ENDPOINT=http://localhost:${MINIO_PORT}'
 - 'S3_BUCKET=${MINIO_LOBE_BUCKET}'
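Review bot: The environment list around the renamed issuer line in docker-compose.yml still ships fixed literal values for `KEY_VAULTS_SECRET` and `NEXT_AUTH_SECRET`, so every stack started from this file shares the same publicly known keys; the docs in this commit describe `NEXT_AUTH_SECRET` as the key that encrypts Auth.js session tokens, and `KEY_VAULTS_SECRET` presumably protects stored credentials. Since the hunk already touches this list, consider substituting them from `.env` like the neighbouring entries, e.g. `- 'NEXT_AUTH_SECRET=${NEXT_AUTH_SECRET}'` and `- 'KEY_VAULTS_SECRET=${KEY_VAULTS_SECRET}'`, with a comment in `.env.example` telling the operator to generate each with `openssl rand -base64 32`. The service definition starts and ends outside the hunk, so whether another mechanism overrides these values is not visible here.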
diff --git a/docker-compose/local/setup.sh b/docker-compose/local/setup.sh
index 2eefdb9de750..69cc6f52203d 100644
--- a/docker-compose/local/setup.sh
+++ b/docker-compose/local/setup.sh
@@ -232,6 +232,7 @@ download_file "$SOURCE_URL/${FILES[3]}" "s3_data.tar.gz"
 # Extract .tar.gz file without output
 extract_file "s3_data.tar.gz" "."
+rm s3_data.tar.gz
 # Display final message
 printf "\n%s\n\n" "$(show_message "tips_run_command")"
diff --git a/docker-compose/production/.env.example b/docker-compose/production/logto/.env.example
similarity index 94%
rename from docker-compose/production/.env.example
rename to docker-compose/production/logto/.env.example
index 50f34504f6f4..d049a014fb6a 100644
--- a/docker-compose/production/.env.example
+++ b/docker-compose/production/logto/.env.example
@@ -23,9 +23,9 @@ NEXTAUTH_URL=https://lobe.example.com/api/auth
 # NextAuth providers configuration (example using Logto)
 # For other providers, see: https://lobehub.com/docs/self-hosting/environment-variables/auth
-LOGTO_CLIENT_ID=YOUR_LOGTO_CLIENT_ID
-LOGTO_CLIENT_SECRET=YOUR_LOGTO_CLIENT_SECRET
-LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc
+AUTH_LOGTO_CLIENT_ID=YOUR_LOGTO_CLIENT_ID
+AUTH_LOGTO_CLIENT_SECRET=YOUR_LOGTO_CLIENT_SECRET
+AUTH_LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc
 # Proxy settings (if needed, e.g., when using GitHub as an auth provider)
 # HTTP_PROXY=http://localhost:7890
diff --git a/docker-compose/production/.env.zh-CN.example b/docker-compose/production/logto/.env.zh-CN.example
similarity index 95%
rename from docker-compose/production/.env.zh-CN.example
rename to docker-compose/production/logto/.env.zh-CN.example
index 8da19159f988..085dc0173d4e 100644
--- a/docker-compose/production/.env.zh-CN.example
+++ b/docker-compose/production/logto/.env.zh-CN.example
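Review bot: The added `rm s3_data.tar.gz` in setup.sh runs whether or not `extract_file` succeeded, so a failed or partial extraction also deletes the archive needed to retry or inspect it. Unless the script runs under `set -e` (not visible in this hunk), and assuming `extract_file` returns non-zero on failure, chain the two as `extract_file "s3_data.tar.gz" "." && rm -f -- s3_data.tar.gz`. Separately, the archive is fetched from `$SOURCE_URL` and unpacked into the working directory with no integrity check visible here; comparing it against a pinned SHA-256 before extraction would stop a truncated or tampered download from seeding the local data directory.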
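Review bot: In production/logto/.env.example, the switch from `LOGTO_CLIENT_ID`, `LOGTO_CLIENT_SECRET` and `LOGTO_ISSUER` to the `AUTH_LOGTO_*` names gives an operator upgrading an existing deployment no hint that the `.env` file must change; whether the application still reads the old names is not visible on this page. A comment above the block such as `# Renamed from LOGTO_* - update existing .env files when upgrading` would prevent the SSO settings from silently going missing. The names should also be reconciled with the Logto guide changed in the same commit, whose table lists `AUTH_LOGTO_ID` and `AUTH_LOGTO_SECRET` while its prose still refers to `LOGTO_CLIENT_ID` and `LOGTO_CLIENT_SECRET`.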
@@ -22,9 +22,9 @@ NEXTAUTH_URL=https://lobe.example.com/api/auth
 # NextAuth 鉴权服务提供商部分,以 Logto 为例
 # 其他鉴权服务提供商所需的环境变量,请参考:https://lobehub.com/zh/docs/self-hosting/environment-variables/auth
-LOGTO_CLIENT_ID=YOUR_LOGTO_CLIENT_ID
-LOGTO_CLIENT_SECRET=YOUR_LOGTO_CLIENT_SECRET
-LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc
+AUTH_LOGTO_CLIENT_ID=YOUR_LOGTO_CLIENT_ID
+AUTH_LOGTO_CLIENT_SECRET=YOUR_LOGTO_CLIENT_SECRET
+AUTH_LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc
 # 代理相关,如果你需要的话(比如你使用 GitHub 作为鉴权服务提供商)
 # HTTP_PROXY=http://localhost:7890
diff --git a/docker-compose/production/docker-compose.yml b/docker-compose/production/logto/docker-compose.yml
similarity index 100%
rename from docker-compose/production/docker-compose.yml
rename to docker-compose/production/logto/docker-compose.yml
diff --git a/docs/self-hosting/advanced/auth.mdx b/docs/self-hosting/advanced/auth.mdx
index fd6cdb1997c4..d27844226790 100644
--- a/docs/self-hosting/advanced/auth.mdx
+++ b/docs/self-hosting/advanced/auth.mdx
@@ -63,9 +63,13 @@ The order corresponds to the display order of the SSO providers.
 | SSO Provider | Value |
 | ------------------ | ----------- |
 | Auth0 | `auth0` |
-| Microsoft Entra ID | `azure-ad` |
+| Authenlia | `authenlia` |
 | Authentik | `authentik` |
+| Casdoor | `casdoor` |
+| Cloudflare Zero Trust | `cloudflare-zero-trust` |
 | Github | `github` |
+| Logto | `logto` |
+| Microsoft Entra ID | `azure-ad` |
 | ZITADEL | `zitadel` |
 ## Other SSO Providers
diff --git a/docs/self-hosting/advanced/auth.zh-CN.mdx b/docs/self-hosting/advanced/auth.zh-CN.mdx
index ebebacb6c03e..86467796e6c6 100644
--- a/docs/self-hosting/advanced/auth.zh-CN.mdx
+++ b/docs/self-hosting/advanced/auth.zh-CN.mdx
@@ -60,9 +60,13 @@ LobeChat 与 Clerk 做了深度集成,能够为用户提供一个更加安全
 | SSO 提供商 | 值 |
 | ------------------ | ----------- |
 | Auth0 | `auth0` |
-| Microsoft Entra ID | `azure-ad` |
+| Authenlia | `authenlia` |
 | Authentik | `authentik` |
+| Casdoor | `casdoor` |
+| Cloudflare Zero Trust | `cloudflare-zero-trust` |
 | Github | `github` |
+| Logto | `logto` |
+| Microsoft Entra ID | `azure-ad` |
 | ZITADEL | `zitadel` |
 ## 其他 SSO 提供商
diff --git a/docs/self-hosting/advanced/auth/next-auth/authentik.zh-CN.mdx b/docs/self-hosting/advanced/auth/next-auth/authentik.zh-CN.mdx
index ca5f708dc9d7..0bc9292f0bd3 100644
--- a/docs/self-hosting/advanced/auth/next-auth/authentik.zh-CN.mdx
+++ b/docs/self-hosting/advanced/auth/next-auth/authentik.zh-CN.mdx
@@ -27,8 +27,8 @@ https://your-domain/api/auth/callback/authentik ``` - - 可以之后再填写或修改 `重定向 URL/Origin(正则)`,但是务必保证填写的 URL 与部署的 URL 一致。 - - your-domain 请替换为自己的域名 + - 可以之后再填写或修改 `重定向 URL/Origin(正则)`,但是务必保证填写的 URL 与部署的 URL 一致。 + - your-domain 请替换为自己的域名 + If you want to privately deploy Casdoor, we recommend using Docker Compose to deploy it together with the LobeChat database version, allowing LobeChat to share the same Postgres instance. + + +## Casdoor Configuration Process + +If you are deploying using a local network IP, the following assumptions apply: + +- Your LobeChat database version IP/port is `http://LOBECHAT_IP:3210`. +- You privately deploy Casdoor, and its domain is `http://CASDOOR_IP:8000`. + +If you are deploying using a public network, the following assumptions apply: + +- Your LobeChat database version domain is `https://lobe.example.com`. +- You privately deploy Casdoor, and its domain is `https://lobe-auth-api.example.com`. + + + ### Create a Casdoor Application + +Access your privately deployed Casdoor WebUI (default is `http://localhost:8000/`) to enter the console. The default account is `admin`, and the password is `123`. + +Go to `Authentication` -> `Applications`, create a `LobeChat` application or directly modify the built-in `built-in` application. You can explore other fields, but you must configure at least the following fields: + +- Name, Display Name: `LobeChat` +- Redirect URLs: + - Local Development Environment: `http://localhost:3210/api/auth/callback/casdoor` + - Local Network IP Deployment: `http://LOBECHAT_IP:3210/api/auth/callback/casdoor` + - Public Network Environment: `https://lobe.example.com/api/auth/callback/casdoor` + +There are also some optional fields that can enhance user experience: + +- Logo: `https://lobehub.com/icon-192x192.png` +- Form CSS, Form CSS (Mobile): + + ```html + + ``` + +Then, copy the `Client ID` and `Client Secret` and save them. 
+ +### Configure Environment Variables + +Set the obtained `Client ID` and `Client Secret` as `AUTH_CASDOOR_ID` and `AUTH_CASDOOR_SECRET` in the LobeChat environment variables. + +Configure `AUTH_CASDOOR_ISSUER` in the LobeChat environment variables as follows: + +- `http://localhost:8000/` if you are in a local development environment. +- `http://CASDOOR_IP:8000/` if you are privately deploying Casdoor in a local network. +- `https://lobe-auth-api.example.com/` if you are deploying Casdoor in a public network environment. + +When deploying LobeChat, you need to configure the following environment variables: + +| Environment Variable | Type | Description | +| --- | --- | --- | +| `NEXT_AUTH_SECRET` | Required | A key for encrypting Auth.js session tokens. You can generate a key using the command: `openssl rand -base64 32`. | +| `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the single sign-on provider for LobeChat. Fill in `casdoor` for using Casdoor. | +| `AUTH_CASDOOR_ID` | Required | The client ID from the Casdoor application details page. | +| `AUTH_CASDOOR_SECRET` | Required | The client secret from the Casdoor application details page. | +| `AUTH_CASDOOR_ISSUER` | Required | The OpenID Connect issuer for the Casdoor provider. | +| `NEXTAUTH_URL` | Required | This URL specifies the callback address for Auth.js during OAuth verification and needs to be set only if the default generated redirect address is incorrect. `https://lobe.example.com/api/auth` | + + + Visit [📘 Environment Variables](/docs/self-hosting/environment-variables/auth#casdoor) for details on related variables. + + + + +Once deployed successfully, users will be able to authenticate via Casdoor and use LobeChat. diff --git a/docs/self-hosting/advanced/auth/next-auth/casdoor.zh-CN.mdx b/docs/self-hosting/advanced/auth/next-auth/casdoor.zh-CN.mdx new file mode 100644 index 000000000000..71d3229c9f79 --- /dev/null +++ b/docs/self-hosting/advanced/auth/next-auth/casdoor.zh-CN.mdx 
@@ -0,0 +1,121 @@ +--- +title: 在 LobeChat 中配置 Casdoor 身份验证服务 +description: 学习如何在 LobeChat 中配置 Casdoor 身份验证服务,包括部署、创建、设置权限和环境变量。 +tags: + - Casdoor 身份验证 + - 环境变量配置 + - 单点登录 + - LobeChat +--- + +# 配置 Casdoor 身份验证服务 + +[Casdoor](https://github.com/casdoor/casdoor) 是一个开源的身份验证服务,功能配置丰富且易于上手。 + + + 若你想要私有部署 Casdoor,我们建议你将之与 LobeChat 数据库版本一同使用 Docker Compose 部署,此时 + LobeChat 可以与之共用同一个 Postgres 实例。 + + +## Casdoor 配置流程 + +若你使用局域网 IP 部署,下文假设: + +- 你的 LobeChat 数据库版本 IP / 端口为 `http://LOBECHAT_IP:3210`。 +- 你私有部署 Casdoor,其域名为 `http://CASDOOR_IP:8000`。 + +若你使用公网部署,下文假设: + +- 你的 LobeChat 数据库版本域名为 `https://lobe.example.com`。 +- 你私有部署 Casdoor,其域名为 `https://lobe-auth-api.example.com`。 + + + ### 创建 Casdoor 应用 + +访问你私有部署的 Casdoor WebUI(默认为 `http://localhost:8000/`) 进入控制台,默认账号为 `admin`,密码为 `123`。 + +前往 `身份认证` -> `应用`,创建一个 `LobeChat` 应用或直接修改内置的 `built-in` 应用,其他字段可以自行探索,但你至少需要配置以下字段: + +- 名称、显示名称:`LobeChat` +- 重定向 URLs: + - 本地开发环境:`http://localhost:3210/api/auth/callback/casdoor` + - 局域网 IP 部署:`http://LOBECHAT_IP:3210/api/auth/callback/casdoor` + - 公网环境:`https://lobe.example.com/api/auth/callback/casdoor` + +还有一些不必需但是可以提高用户体验的字段: + +- Logo:`https://lobehub.com/icon-192x192.png` +- 表单 CSS、表单 CSS(移动端): + + ```html + + ``` + +随后,复制 `客户端 ID` 和 `客户端密钥`,并保存。 + +### 配置环境变量 + +将获取到的 `客户端 ID` 和 `客户端`,设为 LobeChat 环境变量中的 `AUTH_CASDOOR_ID` 和 `AUTH_CASDOOR_SECRET`。 + +配置 LobeChat 环境变量中 `AUTH_CASDOOR_ISSUER` 为: + +- `http://localhost:8000/`,若你是本地开发环境 +- `http://CASDOOR_IP:8000/`,若你是局域网私有部署的 Casdoor +- `https://lobe-auth-api.example.com/`,若你是公网环境部署的 Casdoor + +在部署 LobeChat 时,你需要配置以下环境变量: + +| 环境变量 | 类型 | 描述 | +| --- | --- | --- | +| `NEXT_AUTH_SECRET` | 必选 | 用于加密 Auth.js 会话令牌的密钥。您可以使用以下命令生成秘钥: `openssl rand -base64 32` | +| `NEXT_AUTH_SSO_PROVIDERS` | 必选 | 选择 LoboChat 的单点登录提供商。使用 Casdoor 请填写 `casdoor`。 | +| `AUTH_CASDOOR_ID` | 必选 | Casdoor 应用详情页的客户端 ID | +| `AUTH_CASDOOR_SECRET` | 必选 | Casdoor 应用详情页的客户端密钥 | +| `AUTH_CASDOOR_ISSUER` | 必选 | Casdoor 提供程序的 OpenID Connect 颁发者。 | +| `NEXTAUTH_URL` | 必选 | 该 
URL 用于指定 Auth.js 在执行 OAuth 验证时的回调地址,当默认生成的重定向地址发生不正确时才需要设置。`https://lobe.example.com/api/auth` | + + + 前往 [📘 环境变量](/zh/docs/self-hosting/environment-variables/auth#casdoor) 可查阅相关变量详情。 + + + + +部署成功后,用户将可以通过 Casdoor 身份认证并使用 LobeChat。 diff --git a/docs/self-hosting/advanced/auth/next-auth/cloudflare-zero-trust.zh-CN.mdx b/docs/self-hosting/advanced/auth/next-auth/cloudflare-zero-trust.zh-CN.mdx index 55bdf5a61269..e7d241210c8f 100644 --- a/docs/self-hosting/advanced/auth/next-auth/cloudflare-zero-trust.zh-CN.mdx +++ b/docs/self-hosting/advanced/auth/next-auth/cloudflare-zero-trust.zh-CN.mdx @@ -49,9 +49,9 @@ tags: | --- | --- | --- | | `NEXT_AUTH_SECRET` | 必选 | 用于加密 Auth.js 会话令牌的密钥。您可以使用以下命令生成秘钥: `openssl rand -base64 32` | | `NEXT_AUTH_SSO_PROVIDERS` | 必选 | 选择 LoboChat 的单点登录提供商。使用 Cloudflare Zero Trust 请填写 `cloudflare-zero-trust`。 | -| `CLOUDFLARE_ZERO_TRUST_CLIENT_ID` | 必选 | 在 Cloudflare Zero Trust 生成的 `Client ID`,示例值是 `lobe-chat` | -| `CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET` | 必选 | 在 Cloudflare Zero Trust 生成的 `Client secret`,示例值是 `insecure_secret` | -| `CLOUDFLARE_ZERO_TRUST_ISSUER` | 必选 | 在 Cloudflare Zero Trust 生成的 `Issuer`,例如 `https://example.cloudflareaccess.com/cdn-cgi/access/sso/oidc/7db0f` | +| `AUTH_CLOUDFLARE_ZERO_TRUST_CLIENT_ID` | 必选 | 在 Cloudflare Zero Trust 生成的 `Client ID`,示例值是 `lobe-chat` | +| `AUTH_CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET` | 必选 | 在 Cloudflare Zero Trust 生成的 `Client secret`,示例值是 `insecure_secret` | +| `AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER` | 必选 | 在 Cloudflare Zero Trust 生成的 `Issuer`,例如 `https://example.cloudflareaccess.com/cdn-cgi/access/sso/oidc/7db0f` | | `NEXTAUTH_URL` | 必选 | 该 URL 用于指定 Auth.js 在执行 OAuth 验证时的回调地址,当默认生成的重定向地址发生不正确时才需要设置。`https://chat.example.com/api/auth` | diff --git a/docs/self-hosting/advanced/auth/next-auth/logto.mdx b/docs/self-hosting/advanced/auth/next-auth/logto.mdx index 7c63e434eb76..e61216a0851d 100644 --- a/docs/self-hosting/advanced/auth/next-auth/logto.mdx 
+++ b/docs/self-hosting/advanced/auth/next-auth/logto.mdx @@ -15,9 +15,9 @@ tags: [Logto](https://github.com/logto-io/logto) is an open-source authentication service with a simple and beautiful interface, rich in features and easy to use. You can choose to use the official Logto Cloud or opt for a private deployment of Logto. - -If you want to deploy Logto privately, we recommend using Docker Compose to deploy it together with the LobeChat database version. In this case, LobeChat can share the same Postgres instance with it. - + If you want to deploy Logto privately, we recommend using Docker Compose to deploy it together + with the LobeChat database version. In this case, LobeChat can share the same Postgres instance + with it. ## Logto Configuration Process @@ -49,7 +49,7 @@ If you are using Logto Cloud, assume its endpoint domain is `https://example.log Set the obtained `Client ID` and `Client Secret` as `LOGTO_CLIENT_ID` and `LOGTO_CLIENT_SECRET` in the LobeChat environment variables. - Configure `LOGTO_ISSUER` in the LobeChat environment variables as follows: + Configure `AUTH_LOGTO_ISSUER` in the LobeChat environment variables as follows: - `https://lobe-auth-api.example.com/oidc` if you are using a privately deployed Logto - `https://example.logto.app/oidc` if you are using Logto Cloud 
@@ -60,9 +60,9 @@ If you are using Logto Cloud, assume its endpoint domain is `https://example.log | ------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `NEXT_AUTH_SECRET` | Required | The key used to encrypt Auth.js session tokens. You can generate a key using the command: `openssl rand -base64 32` | | `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the single sign-on provider for LobeChat. For Logto, enter `logto`. | - | `AUTH_LOGTO_ID` | Required | The Client ID from the Logto App details page | - | `AUTH_LOGTO_SECRET` | Required | The Client Secret from the Logto App details page | - | `AUTH_LOGTO_ISSUER` | Required | OpenID Connect issuer of the Logto provider | + | `AUTH_LOGTO_ID` | Required | The Client ID from the Logto App details page | + | `AUTH_LOGTO_SECRET` | Required | The Client Secret from the Logto App details page | + | `AUTH_LOGTO_ISSUER` | Required | OpenID Connect issuer of the Logto provider | | `NEXTAUTH_URL` | Required | This URL specifies the callback address for Auth.js during OAuth verification, needed only if the default generated redirect address is incorrect. `https://lobe.example.com/api/auth` | @@ -71,4 +71,6 @@ If you are using Logto Cloud, assume its endpoint domain is `https://example.log -After successful deployment, users will be able to authenticate via Logto and use LobeChat. + + After successful deployment, users will be able to authenticate via Logto and use LobeChat. + diff --git a/docs/self-hosting/advanced/auth/next-auth/logto.zh-CN.mdx b/docs/self-hosting/advanced/auth/next-auth/logto.zh-CN.mdx index 7aee10581893..284c83512ff8 100644 --- a/docs/self-hosting/advanced/auth/next-auth/logto.zh-CN.mdx +++ b/docs/self-hosting/advanced/auth/next-auth/logto.zh-CN.mdx 
@@ -53,7 +53,7 @@ tags:
 将获取到的 `Client ID` 和 `Client Secret`,设为 LobeChat 环境变量中的 `LOGTO_CLIENT_ID` 和 `LOGTO_CLIENT_SECRET`。
-配置 LobeChat 环境变量中 `LOGTO_ISSUER` 为:
+配置 LobeChat 环境变量中 `AUTH_LOGTO_ISSUER` 为:
 - `https://lobe-auth-api.example.com/oidc`,若你是私有部署的 Logto
 - `https://example.logto.app/oidc`,若你是使用的 Logto Cloud
diff --git a/docs/self-hosting/environment-variables/auth.mdx b/docs/self-hosting/environment-variables/auth.mdx
index 909ea90deb5c..524776196616 100644
--- a/docs/self-hosting/environment-variables/auth.mdx
+++ b/docs/self-hosting/environment-variables/auth.mdx
@@ -42,201 +42,226 @@ LobeChat provides a complete authentication service capability when deployed. Th ### Auth0 -#### `AUTH0_CLIENT_ID` +#### `AUTH_AUTH_AUTH0_CLIENT_ID` - Type: Required - Description: Client ID of the Auth0 application. You can access it [here](https://manage.auth0.com/dashboard) and navigate to the application settings to view. - Default: `-` - Example: `evCnOJP1UX8FMnXR9Xkj5t0NyFn5p70P` -#### `AUTH0_CLIENT_SECRET` +#### `AUTH_AUTH0_CLIENT_SECRET` - Type: Required - Description: Client Secret of the Auth0 application. - Default: `-` - Example: `wnX7UbZg85ZUzF6ioxPLnJVEQa1Elbs7aqBUSF16xleBS5AdkVfASS49-fQIC8Rm` -#### `AUTH0_ISSUER` +#### `AUTH_AUTH0_ISSUER` - Type: Required - Description: Issuer/domain of the Auth0 application. - Default: `-` - Example: `https://example.auth0.com` -### Microsoft Entra ID +### Authelia -#### `AZURE_AD_CLIENT_ID` +#### `AUTH_AUTHELIA_CLIENT_ID` - Type: Required -- Description: Client ID of the Microsoft Entra ID application. +- Description: Client ID of the Authelia provider application. - Default: `-` -- Example: `be8f6da1-58c3-4f16-ff1b-78f5148e10df` +- Example: `lobe-chat` -#### `AZURE_AD_CLIENT_SECRET` +#### `AUTH_AUTHELIA_CLIENT_SECRET` - Type: Required -- Description: Client Secret of the Microsoft Entra ID application. +- Description: The plaintext of the Client Secret for the Authelia provider - Default: `-` -- Example: `~gI8Q.pTiN1vwB6Gl.E1yFT1ojcXABkdACfJXaNj` +- Example: `insecure_secret` -#### `AZURE_AD_TENANT_ID` +#### `AUTH_AUTHELIA_ISSUER` - Type: Required -- Description: Tenant ID of the Microsoft Entra ID application. +- Description: Issuer of the Authelia provider application. - Default: `-` -- Example: `c8ae2f36-edf6-4cda-96b9-d3e198a47cba` +- Example: `https://sso.example.com` ### Authentik -#### `AUTHENTIK_CLIENT_ID` +#### `AUTH_AUTHENTIK_CLIENT_ID` - Type: Required -- Description: Client ID of the Authentik provider application. 
You can access it [here][auth0-client-page] and navigate to the application settings to view. +- Description: Client ID of the Authentik provider application. - Default: `-` - Example: `evCnOJP1UX8FMnXR9Xkj5t0NyFn5p70P` -#### `AUTHENTIK_CLIENT_SECRET` +#### `AUTH_AUTHENTIK_CLIENT_SECRET` - Type: Required - Description: Client Secret of the Authentik provider application. - Default: `-` - Example: `wnX7UbZg85ZUzF6ioxPLnJVEQa1Elbs7aqBUSF16xleBS5AdkVfASS49-fQIC8Rm` -#### `AUTHENTIK_ISSUER` +#### `AUTH_AUTHENTIK_ISSUER` - Type: Required - Description: Issuer/domain of the Authentik provider application. - Default: `-` - Example: `https://your-authentik-domain.com/application/o/slug/` -### Authelia +### Casdoor -#### `AUTHELIA_CLIENT_ID` +#### `AUTH_CASDOOR_CLIENT_ID` - Type: Required -- Description: Client ID of the Authelia provider application. You can access it [here][auth0-client-page] and navigate to the application settings to view. +- Description: Client ID provided by Casdoor - Default: `-` -- Example: `lobe-chat` +- Example: `570bfa85a21800a25198` -#### `AUTHELIA_CLIENT_SECRET` +#### `AUTH_CASDOOR_CLIENT_SECRET` - Type: Required -- Description: The plaintext of the Client Secret for the Authelia provider +- Description: Plaintext Client Secret provided by Casdoor - Default: `-` -- Example: `insecure_secret` +- Example: `233a623a15eac2db2e43bb8a323eda729552c405` -#### `AUTHELIA_ISSUER` +#### `AUTH_CASDOOR_ISSUER` - Type: Required -- Description: Issuer of the Authelia provider application. +- Description: OpenID Connect issuer provided by Casdoor - Default: `-` -- Example: `https://sso.example.com` +- Example: `https://lobe-auth-api.example.com/` ### Cloudflare Zero Trust -#### `CLOUDFLARE_ZERO_TRUST_CLIENT_ID` +#### `AUTH_CLOUDFLARE_ZERO_TRUST_CLIENT_ID` - Type: Required - Description: Client ID of the Cloudflare Zero Trust provider application. 
- Default: `-` - Example: `711963a58df8c943cfd6c487cac99ce9f6ee0c88c0b7bf94584b8ff052fcb09c` -#### `CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET` +#### `AUTH_CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET` - Type: Required - Description: The plaintext of the Client Secret for the Cloudflare Zero Trust provider - Default: `-` - Example: `8f26d4ef834a828045b401e032ae128dbb00471bca53f0d25332323f525dfa30` -#### `CLOUDFLARE_ZERO_TRUST_ISSUER` +#### `AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER` - Type: Required - Description: Issuer of the Cloudflare Zero Trust provider application. - Default: `-` - Example: `https://example.cloudflareaccess.com/cdn-cgi/access/sso/oidc/711963a58df8c943cfd6c487cac99ce9f6ee0c88c0b7bf94584b8ff052fcb09c` -### Generic OIDC +### Github -#### `GENERIC_OIDC_CLIENT_ID` +#### `AUTH_GITHUB_CLIENT_ID` - Type: Required -- Description: Client ID of the Generic OIDC provider application. +- Description: Client ID of the Github application. You can access it [here](https://github.com/settings/apps) and navigate to the application settings to view. - Default: `-` -- Example: `_client_id_for_lobe_chat_` +- Example: `abd94200333283550508` -#### `GENERIC_OIDC_CLIENT_SECRET` +#### `AUTH_GITHUB_CLIENT_SECRET` - Type: Required -- Description: The plaintext of the Client Secret for the Generic OIDC provider +- Description: Client Secret of the Github application. - Default: `-` -- Example: `_client_secret_for_lobe_chat_` +- Example: `dd262976ac0931d947e104891586a053f3d3750b` -#### `GENERIC_OIDC_ISSUER` +### Logto + +#### `AUTH_LOGTO_CLIENT_ID` - Type: Required -- Description: Issuer of the Generic OIDC provider application. -- Default: `-` -- Example: `https://sso.example.com` +- Description: The Client ID of the Logto application. You can find it in the Logto console for private deployment or [Logto Cloud](http://cloud.logto.io/) depending on the deployment mode. 
+- Default value: `-` +- Example: `123456789012345678@your-project` -### Github +#### `AUTH_LOGTO_CLIENT_SECRET` + +- Type: Required +- Description: The Client Secret of the Logto application. +- Default value: `-` +- Example: `9QF1n5ATzU7Z3mHp2Iw4gKX8kY6oR7uW1DnKcV3LqX2jF6iG3fBmJ1kV7nS5zE6A` -#### `GITHUB_CLIENT_ID` +#### `AUTH_LOGTO_ISSUER` - Type: Required -- Description: Client ID of the Github application. You can access it [here](https://github.com/settings/apps) and navigate to the application settings to view. +- Description: The OpenID Connect issuer of the Logto application. You can find it in the Logto console for private deployment or [Logto Cloud](http://cloud.logto.io/) depending on the deployment mode. +- Default value: `-` +- Example: `https://lobe-auth-api.example.com/oidc` + +### Microsoft Entra ID + +#### `AUTH_AZURE_AD_CLIENT_ID` + +- Type: Required +- Description: Client ID of the Microsoft Entra ID application. - Default: `-` -- Example: `abd94200333283550508` +- Example: `be8f6da1-58c3-4f16-ff1b-78f5148e10df` -#### `GITHUB_CLIENT_SECRET` +#### `AUTH_AZURE_AD_CLIENT_SECRET` - Type: Required -- Description: Client Secret of the Github application. +- Description: Client Secret of the Microsoft Entra ID application. - Default: `-` -- Example: `dd262976ac0931d947e104891586a053f3d3750b` +- Example: `~gI8Q.pTiN1vwB6Gl.E1yFT1ojcXABkdACfJXaNj` + +#### `AUTH_AZURE_AD_TENANT_ID` + +- Type: Required +- Description: Tenant ID of the Microsoft Entra ID application. +- Default: `-` +- Example: `c8ae2f36-edf6-4cda-96b9-d3e198a47cba` ### ZITADEL -#### `ZITADEL_CLIENT_ID` +#### `AUTH_ZITADEL_CLIENT_ID` - Type: Required - Description: Client ID of the ZITADEL application. This can be found under your application in the ZITADEL console. - Default: `-` - Example: `123456789012345678@your-project` -#### `ZITADEL_CLIENT_SECRET` +#### `AUTH_ZITADEL_CLIENT_SECRET` - Type: Required - Description: Client Secret of the ZITADEL application. 
- Default: `-` - Example: `9QF1n5ATzU7Z3mHp2Iw4gKX8kY6oR7uW1DnKcV3LqX2jF6iG3fBmJ1kV7nS5zE6A` -#### `ZITADEL_ISSUER` +#### `AUTH_ZITADEL_ISSUER` - Type: Required - Description: Issuer of the ZITADEL application. This is usually the URL of the ZITADEL instance, and can be found in `URLs` tab of your application in the console. - Default: `-` - Example: `https://your-instance-abc123.zitadel.cloud` -#### `LOGTO_CLIENT_ID` +### Generic OIDC + +#### `GENERIC_OIDC_CLIENT_ID` - Type: Required -- Description: The Client ID of the Logto application. You can find it in the Logto console for private deployment or [Logto Cloud](http://cloud.logto.io/) depending on the deployment mode. -- Default value: `-` -- Example: `123456789012345678@your-project` +- Description: Client ID of the Generic OIDC provider application. +- Default: `-` +- Example: `_client_id_for_lobe_chat_` -#### `LOGTO_CLIENT_SECRET` +#### `GENERIC_OIDC_CLIENT_SECRET` - Type: Required -- Description: The Client Secret of the Logto application. -- Default value: `-` -- Example: `9QF1n5ATzU7Z3mHp2Iw4gKX8kY6oR7uW1DnKcV3LqX2jF6iG3fBmJ1kV7nS5zE6A` +- Description: The plaintext of the Client Secret for the Generic OIDC provider +- Default: `-` +- Example: `_client_secret_for_lobe_chat_` -#### `LOGTO_ISSUER` +#### `GENERIC_OIDC_ISSUER` - Type: Required -- Description: The OpenID Connect issuer of the Logto application. You can find it in the Logto console for private deployment or [Logto Cloud](http://cloud.logto.io/) depending on the deployment mode. -- Default value: `-` -- Example: `https://lobe-auth-api.example.com/oidc` +- Description: Issuer of the Generic OIDC provider application. +- Default: `-` +- Example: `https://sso.example.com` Currently, we only support providers above. If you need to use other identity verification service diff --git a/docs/self-hosting/environment-variables/auth.zh-CN.mdx b/docs/self-hosting/environment-variables/auth.zh-CN.mdx index 768b7d0c224c..1ff582fa65ba 100644 
--- a/docs/self-hosting/environment-variables/auth.zh-CN.mdx
+++ b/docs/self-hosting/environment-variables/auth.zh-CN.mdx
@@ -40,203 +40,226 @@ LobeChat 在部署时提供了完善的身份验证服务能力,以下是相 ### Auth0 -#### `AUTH0_CLIENT_ID` +#### `AUTH_AUTH0_CLIENT_ID` - 类型:必选 - 描述: Auth0 应用程序的 Client ID,您可以访问[这里](https://manage.auth0.com/dashboard)并导航至应用程序设置来查看 - 默认值: `-` - 示例: `evCnOJP1UX8FMnXR9Xkj5t0NyFn5p70P` -#### `AUTH0_CLIENT_SECRET` +#### `AUTH_AUTH0_CLIENT_SECRET` - 类型:必选 - 描述: Auth0 应用程序的 Client Secret - 默认值: `-` - 示例: `wnX7UbZg85ZUzF6ioxPLnJVEQa1Elbs7aqBUSF16xleBS5AdkVfASS49-fQIC8Rm` -#### `AUTH0_ISSUER` +#### `AUTH_AUTH0_ISSUER` - 类型:必选 - 描述: Auth0 应用程序的签发人 / 域 - 默认值: `-` - 示例: `https://example.auth0.com` -### Microsoft Entra ID +### Authelia -#### `AZURE_AD_CLIENT_ID` +#### `AUTH_AUTHELIA_CLIENT_ID` - 类型:必选 -- 描述:Microsoft Entra ID 应用程序的客户端 ID。 -- 默认值:`-` -- 示例:`be8f6da1-58c3-4f16-ff1b-78f5148e10df` +- 描述: Authelia 提供程序的 Client ID +- 默认值: `-` +- 示例: `lobe-chat` -#### `AZURE_AD_CLIENT_SECRET` +#### `AUTH_AUTHELIA_CLIENT_SECRET` - 类型:必选 -- 描述:Microsoft Entra ID 应用程序的客户端密钥。 -- 默认值:`-` -- 示例:`~gI8Q.pTiN1vwB6Gl.E1yFT1ojcXABkdACfJXaNj` +- 描述: Authelia 提供程序的 Client Secret 的明文 +- 默认值: `-` +- 示例: `insecure_secret` -#### `AZURE_AD_TENANT_ID` +#### `AUTH_AUTHELIA_ISSUER` - 类型:必选 -- 描述:Microsoft Entra ID 应用程序的租户 ID。 -- 默认值:`-` -- 示例:`c8ae2f36-edf6-4cda-96b9-d3e198a47cba` +- 描述: Authentik 提供程序的 OpenID Connect 颁发者 +- 默认值: `-` +- 示例: `https://sso.example.com` ### Authentik -#### `AUTHENTIK_CLIENT_ID` +#### `AUTH_AUTHENTIK_CLIENT_ID` - 类型:必选 - 描述: Authentik 提供程序的 Client ID - 默认值: `-` - 示例: `YNtbIRlYF8Kj66mTLue59nsGLlb7HNyx1qjPH6VS` -#### `AUTHENTIK_CLIENT_SECRET` +#### `AUTH_AUTHENTIK_CLIENT_SECRET` - 类型:必选 - 描述: Authentik 提供程序的 Client Secret - 默认值: `-` - 示例: `h3lMI1vPUzqyqqeIDUbH5UNNOxyQLXk35h89yETeaAwHk7qVXBG3sJQWeqHBU5pyggwhP9u0eaZ1eq6DHUddVPLoS4gncqD37yuCr8jI8dY66WAt45MStDsDcQm0Ygze` -#### `AUTHENTIK_ISSUER` +#### `AUTH_AUTHENTIK_ISSUER` - 类型:必选 - 描述: Authentik 提供程序的 OpenID Connect 颁发者 - 默认值: `-` - 示例: `https://your-authentik-domain.com/application/o/slug/` -### Authelia +### Casdoor -#### `AUTHELIA_CLIENT_ID` 
+#### `AUTH_CASDOOR_CLIENT_ID` - 类型:必选 -- 描述: Authelia 提供程序的 Client ID +- 描述: Casdoor 提供程序的 Client ID - 默认值: `-` -- 示例: `lobe-chat` +- 示例: `570bfa85a21800a25198` -#### `AUTHELIA_CLIENT_SECRET` +#### `AUTH_CASDOOR_CLIENT_SECRET` - 类型:必选 -- 描述: Authelia 提供程序的 Client Secret 的明文 +- 描述: Casdoor 提供程序的 Client Secret 的明文 - 默认值: `-` -- 示例: `insecure_secret` +- 示例: `233a623a15eac2db2e43bb8a323eda729552c405` -#### `AUTHELIA_ISSUER` +#### `AUTH_CASDOOR_ISSUER` - 类型:必选 -- 描述: Authentik 提供程序的 OpenID Connect 颁发者 +- 描述: Casdoor 提供程序的 OpenID Connect 颁发者 - 默认值: `-` -- 示例: `https://sso.example.com` +- 示例: `https://lobe-auth-api.example.com/` ### Cloudflare Zero Trust -#### `CLOUDFLARE_ZERO_TRUST_CLIENT_ID` +#### `AUTH_CLOUDFLARE_ZERO_TRUST_CLIENT_ID` - 类型:必选 - 描述: Cloudflare Zero Trust 提供程序的 Client ID - 默认值: `-` - 示例: `711963a58df8c943cfd6c487cac99ce9f6ee0c88c0b7bf94584b8ff052fcb09c` -#### `CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET` +#### `AUTH_CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET` - 类型:必选 - 描述: Cloudflare Zero Trust 提供程序的 Client Secret 的明文 - 默认值: `-` - 示例: `8f26d4ef834a828045b401e032ae128dbb00471bca53f0d25332323f525dfa30` -#### `CLOUDFLARE_ZERO_TRUST_ISSUER` +#### `AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER` - 类型:必选 - 描述: Cloudflare Zero Trust 提供程序的 OpenID Connect 颁发者 - 默认值: `-` - 示例: `https://example.cloudflareaccess.com/cdn-cgi/access/sso/oidc/711963a58df8c943cfd6c487cac99ce9f6ee0c88c0b7bf94584b8ff052fcb09c` -### Generic OIDC +### Github -#### `GENERIC_OIDC_CLIENT_ID` +#### `AUTH_GITHUB_CLIENT_ID` - 类型:必选 -- 描述: Generic OIDC 提供程序的 Client ID +- 描述: Github 应用的客户端 ID。您可以在[这里](https://github.com/settings/apps)访问,并导航到应用程序设置以查看。 - 默认值: `-` -- 示例: `_client_id_for_lobe_chat_` +- 示例: `abd94200333283550508` -#### `GENERIC_OIDC_CLIENT_SECRET` +#### `AUTH_GITHUB_CLIENT_SECRET` - 类型:必选 -- 描述: Generic OIDC 提供程序的 Client Secret 的明文 +- 描述: Github应用的客户端密钥。 - 默认值: `-` -- 示例: `_client_secret_for_lobe_chat_` +- 示例: `dd262976ac0931d947e104891586a053f3d3750b` -#### `GENERIC_OIDC_ISSUER` +### Logto + +#### 
`AUTH_LOGTO_CLIENT_ID` - 类型:必选 -- 描述: Generic OIDC 提供程序的 OpenID Connect 颁发者 -- 默认值: `-` -- 示例: `https://sso.example.com` +- 描述:Logto 应用程序的 Client ID。您可以在根据部署模式,在私有部署的 Logto 控制台或 [Logto Cloud](http://cloud.logto.io/) 中找到。 +- 默认值:`-` +- 示例:`123456789012345678@your-project` -### Github +#### `AUTH_LOGTO_CLIENT_SECRET` -#### `GITHUB_CLIENT_ID` +- 类型:必选 +- 描述:Logto 应用程序的 Client Secret。 +- 默认值:`-` +- 示例:`9QF1n5ATzU7Z3mHp2Iw4gKX8kY6oR7uW1DnKcV3LqX2jF6iG3fBmJ1kV7nS5zE6A` + +#### `AUTH_LOGTO_ISSUER` - 类型:必选 -- 描述: Github 应用的客户端 ID。您可以在[这里](https://github.com/settings/apps)访问,并导航到应用程序设置以查看。 -- 默认值: `-` -- 示例: `abd94200333283550508` +- 描述:Logto 应用程序的 OpenID Connect 颁发者(issuer)。根据部署模式,您可以在私有部署的 Logto 控制台或 [Logto Cloud](http://cloud.logto.io/) 中找到。 +- 默认值:`-` +- 示例:`https://lobe-auth-api.example.com/oidc` + +### Microsoft Entra ID -#### `GITHUB_CLIENT_SECRET` +#### `AUTH_AZURE_AD_CLIENT_ID` - 类型:必选 -- 描述: Github应用的客户端密钥。 -- 默认值: `-` -- 示例: `dd262976ac0931d947e104891586a053f3d3750b` +- 描述:Microsoft Entra ID 应用程序的客户端 ID。 +- 默认值:`-` +- 示例:`be8f6da1-58c3-4f16-ff1b-78f5148e10df` + +#### `AUTH_AZURE_AD_CLIENT_SECRET` + +- 类型:必选 +- 描述:Microsoft Entra ID 应用程序的客户端密钥。 +- 默认值:`-` +- 示例:`~gI8Q.pTiN1vwB6Gl.E1yFT1ojcXABkdACfJXaNj` + +#### `AUTH_AZURE_AD_TENANT_ID` + +- 类型:必选 +- 描述:Microsoft Entra ID 应用程序的租户 ID。 +- 默认值:`-` +- 示例:`c8ae2f36-edf6-4cda-96b9-d3e198a47cba` ### ZITADEL -#### `ZITADEL_CLIENT_ID` +#### `AUTH_ZITADEL_CLIENT_ID` - 类型:必选 - 描述:ZITADEL 应用的 Client ID。您可以在 ZITADEL 控制台应用设置中找到 Client ID。 - 默认值:`-` - 示例:`123456789012345678@your-project` -#### `ZITADEL_CLIENT_SECRET` +#### `AUTH_ZITADEL_CLIENT_SECRET` - 类型:必选 - 描述:ZITADEL 应用的 Client Secret。 - 默认值:`-` - 示例:`9QF1n5ATzU7Z3mHp2Iw4gKX8kY6oR7uW1DnKcV3LqX2jF6iG3fBmJ1kV7nS5zE6A` -#### `ZITADEL_ISSUER` +#### `AUTH_ZITADEL_ISSUER` - 类型:必选 - 描述:ZITADEL 应用的 OpenID Connect 颁发者(issuer),通常为 ZITADEL 实例的 URL。您可以在 ZITADEL 控制台应用设置中的 `URLs` 选项卡中找到 issuer。 - 默认值:`-` - 示例:`https://your-instance-abc123.zitadel.cloud` -### Logto +### Generic OIDC -#### 
`LOGTO_CLIENT_ID` +#### `GENERIC_OIDC_CLIENT_ID` - 类型:必选 -- 描述:Logto 应用程序的 Client ID。您可以在根据部署模式,在私有部署的 Logto 控制台或 [Logto Cloud](http://cloud.logto.io/) 中找到。 -- 默认值:`-` -- 示例:`123456789012345678@your-project` +- 描述: Generic OIDC 提供程序的 Client ID +- 默认值: `-` +- 示例: `_client_id_for_lobe_chat_` -#### `LOGTO_CLIENT_SECRET` +#### `GENERIC_OIDC_CLIENT_SECRET` - 类型:必选 -- 描述:Logto 应用程序的 Client Secret。 -- 默认值:`-` -- 示例:`9QF1n5ATzU7Z3mHp2Iw4gKX8kY6oR7uW1DnKcV3LqX2jF6iG3fBmJ1kV7nS5zE6A` +- 描述: Generic OIDC 提供程序的 Client Secret 的明文 +- 默认值: `-` +- 示例: `_client_secret_for_lobe_chat_` -#### `LOGTO_ISSUER` +#### `GENERIC_OIDC_ISSUER` - 类型:必选 -- 描述:Logto 应用程序的 OpenID Connect 颁发者(issuer)。根据部署模式,您可以在私有部署的 Logto 控制台或 [Logto Cloud](http://cloud.logto.io/) 中找到。 -- 默认值:`-` -- 示例:`https://lobe-auth-api.example.com/oidc` +- 描述: Generic OIDC 提供程序的 OpenID Connect 颁发者 +- 默认值: `-` +- 示例: `https://sso.example.com` 如果您需要使用其他身份验证服务提供商,可以提交 diff --git a/docs/self-hosting/server-database/docker-compose.mdx b/docs/self-hosting/server-database/docker-compose.mdx index 48391cce67fd..8b87730b4365 100644 --- a/docs/self-hosting/server-database/docker-compose.mdx +++ b/docs/self-hosting/server-database/docker-compose.mdx @@ -1,16 +1,14 @@ --- -title: Deploying LobeChat Server Database with Docker Compose -description: >- - Learn how to deploy LobeChat Server Database using Docker Compose, including - configuration tutorials for various services. +title: Deploying LobeChat with Docker Compose +description: Learn how to deploy the LobeChat service using Docker Compose, including configuration tutorials for various services. tags: - Docker Compose - LobeChat - - Docker Container + - Docker Containers - Deployment Guide --- -# Deploying LobeChat server database with Docker Compose +# Deploying LobeChat Server Database Version with Docker Compose
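Review bot: The description added under `AUTH_AUTHELIA_ISSUER` in the Authelia section names the wrong provider: it reads `Authentik 提供程序的 OpenID Connect 颁发者`, carried over unchanged from the old `AUTHELIA_ISSUER` entry. Since the block is being moved and renamed anyway, it should read `- 描述: Authelia 提供程序的 OpenID Connect 颁发者`, so an operator is not pointed at the wrong identity provider when setting the issuer. The Logto entries re-added in this hunk also link the console as `http://cloud.logto.io/`; an `https://` link is the safer form for an identity-provider console.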
[![][docker-release-shield]][docker-release-link] @@ -22,81 +20,120 @@ tags:
- This article assumes that you are familiar with the basic principles and processes of deploying - the LobeChat server database version (hereinafter referred to as DB version), so it only includes - the core environment variable configuration. If you are not familiar with the deployment - principles of LobeChat DB version, please refer to [Deploying using a Server - Database](/zh/docs/self-hosting/server-database). + This article assumes you are familiar with the basic principles and processes of deploying the LobeChat server database version (hereinafter referred to as DB version), so it only includes core environment variable configurations. If you are not familiar with the deployment principles of LobeChat DB version, please refer to [Deploying with a Server Database](/docs/self-hosting/server-database). - Due to the inability to expose `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` using Docker environment variables, you cannot use Clerk as an authentication service when deploying LobeChat using Docker / Docker Compose. + Due to the inability to expose `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` using Docker environment variables, you cannot use Clerk as a login authentication service when deploying LobeChat with Docker / Docker Compose. -If you do need Clerk as an authentication service, you might consider deploying using Vercel or building your own image. +If you need Clerk as a login authentication service, consider deploying with Vercel or building your own image. 
-Generally speaking, to fully run the LobeChat database version, you need at least the following four services: +In general, to fully run the LobeChat database version, you need at least the following four services: -- LobeChat database version itself -- PostgreSQL database with PGVector plugin -- Object storage service supporting S3 protocol -- SSO authentication service supported by LobeChat +- The LobeChat database version itself +- A PostgreSQL database with the PGVector plugin +- An object storage service that supports S3 protocol +- An SSO login authentication service supported by LobeChat -These services can be combined through self-hosting or online cloud services to meet your needs. +These services can be combined through self-built or online cloud services to meet different levels of deployment needs. -We provide a fully self-built Docker Compose configuration, which you can use directly to start the LobeChat database version or modify to suit your needs. +In this article, we provide a Docker Compose configuration entirely based on open-source self-built services. You can use this configuration file directly to start the LobeChat database version or modify it to suit your needs. -We default to using [MinIO](https://github.com/minio/minio) as the local S3 object storage service and [Logto](https://github.com/logto-io/logto) as the local authentication service. +We default to using [MinIO](https://github.com/minio/minio) as the local S3 object storage service and [Casdoor](https://github.com/casdoor/casdoor) as the local authentication service. ## Quick Start -To facilitate quick start, this chapter uses the docker-compose configuration file in the `docker-compose/local` directory. The LobeChat application runs at `http://localhost:3210` after startup and can be run locally. +To facilitate a quick start, this section uses the `docker-compose/local` directory's `docker-compose.yml` configuration file. 
The started LobeChat application runs at `http://localhost:3210` and can be run locally. - To facilitate quick start, this docker-compose.yml omits a large number of Secret/Password configurations and is only suitable for quick demonstration or personal local use. Do not use it directly in a production environment! Otherwise, you will be responsible for any security issues! + For a quick start, this `docker-compose.yml` contains a large number of sensitive Secret/Password fields, suitable only for quick demonstrations or personal local use. Do not use it directly in a production environment! Otherwise, you will be responsible for any security issues encountered! - ### Create Configuration Files + ### One-click Startup Script -Create a new `lobe-chat-db` directory to store your configuration files and subsequent database files. +Create a new directory named `lobe-chat-db` to store your configuration files and subsequent database files. ```sh mkdir lobe-chat-db +cd lobe-chat-db ``` -Pull the configuration files into your directory: +We provide a one-click startup script `setup.sh`, which can automatically use the default configuration and start the service: ```sh -curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/local-logto/docker-compose.yml > docker-compose.yml -curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/local-logto/.env.example > .env +bash <(curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/local/setup.sh) -f ``` -### Start Services +### Start Docker ```sh -docker compose up -d +docker compose -p lobechat-starter up -d ``` -### Configure Logto +### Check Logs -1. Open `http://localhost:3002` to access the Logto WebUI and register an administrator account. +```sh +docker logs -f lobe-database +``` -2. 
Create a `Next.js (App Router)` application and add the following configurations: +If you see the following logs in the container, it means the startup was successful: - - `Redirect URI` should be `http://localhost:3210/api/auth/callback/logto` - - `Post sign-out redirect URI` should be `http://localhost:3210/` +```log +[Database] Start to migration... +✅ database migration pass. +------------------------------------- + ▲ Next.js 14.x.x + - Local: http://localhost:3210 + - Network: http://0.0.0.0:3210 + + ✓ Starting... + ✓ Ready in 95ms +``` + + -3. Obtain the `App ID` and `App secrets`, and fill them into your `.env` file corresponding to `AUTH_LOGTO_ID` and `AUTH_LOGTO_SECRET`. +At this point, you have successfully deployed the LobeChat database version, and you can access your LobeChat service at `http://localhost:3210`. -### Configure MinIO S3 +If you encounter problems, try checking the Docker logs and console logs for troubleshooting. -1. Open `http://localhost:9001` to access the MinIO WebUI. The default admin account password is configured in `.env`. +## Publishing to Production (IP Mode) -2. Create a bucket that matches the `MINIO_LOBE_BUCKET` field in your `.env` file, which defaults to `lobe`. +The following assumes that the machine IP running the LobeChat service on the LAN/public network is `your_server_ip`. -3. 
Choose a custom policy, copy the following content, and paste it in (if you modified the bucket name, please find and replace accordingly): +To access via the local network IP, you first need to run the local startup: + +```sh +bash <(curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/local/setup.sh) -f +docker compose -p lobechat-starter up -d +``` + +Next, you need to modify the downloaded `docker-compose.yml` file, performing a global replacement to change `localhost` to `your_server_ip`, and then restart: + +```sh +sed -i 's/localhost/your_server_ip/g' docker-compose.yml +docker compose -p lobechat-starter up -d +``` + +### Configuring Casdoor + +1. After starting with the `setup.sh` script, the default port for Casdoor WebUI is `8000`. You can access it via `http://your_server_ip:8000`, with the default username `admin` and password `123`. + +2. In `Identity -> Applications`, add a new line: + + ``` + http://your_server_ip:3210/api/auth/callback/casdoor + ``` + +3. Most other configurations can remain default; you can modify the default configurations in `Identity -> Applications`. + +### Configuring MinIO S3 + +1. After starting with the `setup.sh` script, the default port for MinIO WebUI is `9001`. You can access it via `http://your_server_ip:9001`, with the default username `YOUR_MINIO_USER` and password `YOUR_MINIO_PASSWORD`. + +2. Most configurations can remain default. If you wish to allow users to change their avatars, you need to create a bucket named `casdoor` in `buckets`, select custom policy, and copy and paste the following content (if you have changed the bucket name, please find and replace): ```json { @@ -107,7 +144,7 @@ docker compose up -d "AWS": ["*"] }, "Action": ["s3:GetBucketLocation"], - "Resource": ["arn:aws:s3:::lobe"] + "Resource": ["arn:aws:s3:::casdoor"] }, { "Effect": "Allow", 
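Review bot: The new "Publishing to Production (IP Mode)" section exposes the quick-start stack on `your_server_ip` with the shipped defaults (Casdoor `admin` / `123`, MinIO `YOUR_MINIO_USER` / `YOUR_MINIO_PASSWORD`) and never tells the reader to change them, although the callout earlier in the same hunk says this compose file is only for demonstrations or personal local use. Add a step right after the `sed -i 's/localhost/your_server_ip/g' docker-compose.yml` command, for example `Before exposing these ports, change the Casdoor admin password and MINIO_ROOT_USER / MINIO_ROOT_PASSWORD, and regenerate the secrets that ship in docker-compose.yml.` The IP-mode URLs are plain `http://`, so the section should also state that logins and OIDC callbacks travel unencrypted unless TLS is terminated in front of the services. Separately, `bash <(curl -fsSL …/HEAD/docker-compose/local/setup.sh) -f` executes whatever is on the default branch at that moment; recommending a download-then-inspect step or a pinned tag would be a safer default for a guide headed "Production".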
@@ -115,7 +152,7 @@ docker compose up -d "AWS": ["*"] }, "Action": ["s3:ListBucket"], - "Resource": ["arn:aws:s3:::lobe"], + "Resource": ["arn:aws:s3:::casdoor"], "Condition": { "StringEquals": { "s3:prefix": ["files/*"] 
@@ -128,122 +165,100 @@ docker compose up -d "AWS": ["*"] }, "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject"], - "Resource": ["arn:aws:s3:::lobe/files/**"] + "Resource": ["arn:aws:s3:::casdoor/**"] } ], "Version": "2012-10-17" } ``` -4. Create a new access key, and fill the generated `Access Key` and `Secret Key` into your `.env` file under `S3_ACCESS_KEY_ID` and `S3_SECRET_ACCESS_KEY`. - -### Restart LobeChat Service - -```sh -docker compose up -d -``` +3. Create a new access key and store the generated `Access Key` and `Secret Key`. - - At this point, do not use `docker compose restart lobe` to restart, as this method will not reload the environment variables, and your S3 configuration will not take effect. - - +4. In Casdoor's `Identity -> Providers`, associate the MinIO S3 service. Here is a sample configuration: -If you see the following logs in the container, it indicates that it has started successfully: + ![casdoor](https://github.com/user-attachments/assets/71035610-0706-434e-9488-ab5819b55330) -```log -[Database] Start to migration... -✅ database migration pass. -------------------------------------- - ▲ Next.js 14.x.x - - Local: http://localhost:3210 - - Network: http://0.0.0.0:3210 - - ✓ Starting... - ✓ Ready in 95ms -``` + The Client ID and Client Secret should be the `Access Key` and `Secret Key` from the previous step, and `192.168.31.251` should be replaced with `your_server_ip`. - +5. In Casdoor's `Identity -> Applications`, add the provider to the `app-built-in` application, select `minio`, save and exit. -You have successfully deployed the LobeChat database version, and you can access your LobeChat service at `http://localhost:3210`. +6. You can try uploading a file in Casdoor's `Identity -> Resources` to test if the configuration is correct. -If you encounter issues, please check the Docker logs and console logs, and follow the detailed troubleshooting guide later in the document. 
+## Publishing to Production (Domain Name Mode) -## Deploying to Production + + For deployments with a domain name, we recommend using [Logto](https://logto.io/) as the login authentication service. The remainder of this article will use it as an example. If you use other authentication services like Casdoor, the process should be similar, but note that different authentication services may have different port configurations. + -The main difference between production and local operation is the need to use domain addresses instead of localhost. We assume that in addition to the above services, you are also running an Nginx layer for reverse proxy and SSL configuration. +In the following text, we assume that in addition to the above services, you are also running a layer of Nginx for reverse proxy and SSL configuration. -The domain names and corresponding service port descriptions are as follows: +The domain and associated service port descriptions are as follows: -- `lobe.example.com`: your LobeChat service domain, needs to be reverse proxied to the LobeChat service port, default is `3210` -- `lobe-auth-api.example.com`: your Logto service domain, needs to be reverse proxied to the Logto API service port, default is `3001` -- `lobe-auth-ui.example.com`: your Logto UI domain, needs to be reverse proxied to the Logto WebUI service port, default is `3002` -- `lobe-s3-api.example.com`: your MinIO API domain, needs to be reverse proxied to the MinIO API service port, default is `9000` -- `lobe-s3-ui.example.com`: optional, your MinIO UI domain, needs to be reverse proxied to the MinIO WebUI service port, default is `9001` +- `lobe.example.com`: Your LobeChat service domain, which needs to reverse proxy to the LobeChat service port, defaulting to `3210`. +- `lobe-auth-api.example.com`: Your Logto service domain, which needs to reverse proxy to the Logto API service port, defaulting to `3001`. 
+- `lobe-auth-ui.example.com`: Your Logto UI domain, which needs to reverse proxy to the Logto WebUI service port, defaulting to `3002`. +- `lobe-s3-api.example.com`: Your MinIO API domain, which needs to reverse proxy to the MinIO API service port, defaulting to `9000`. +- `lobe-s3-ui.example.com`: Optional, your MinIO UI domain, which needs to reverse proxy to the MinIO WebUI service port, defaulting to `9001`. -And the service port without reverse proxy: +And the service ports that do not require reverse proxy: -- `postgresql`: your PostgreSQL database service port, default is `5432` +- `postgresql`: Your PostgreSQL database service port, defaulting to `5432`. - Please note that CORS cross-origin is configured internally in MinIO / Logto service, do not configure CORS additionally in your reverse proxy, as this will cause errors. - For minio ports other than 443, Host must be $http_host (with port number), otherwise a 403 error will occur: proxy_set_header Host $http_host. + Please note that CORS cross-domain is configured internally in MinIO / Logto services. Do not configure CORS additionally in your reverse proxy, as this will cause errors. -If you need to configure SSL certificates, please configure them uniformly in the outer Nginx reverse proxy, rather than in MinIO. + For MinIO not on port 443, the Host must be `$http_host` (with port number), otherwise a 403 error will occur: `proxy_set_header Host $http_host`. +If you need to configure an SSL certificate, please configure it uniformly in the outer Nginx reverse proxy and not in MinIO. 
### Configuration Files ```sh -curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/production/docker-compose.yml > docker-compose.yml -curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/production/.env.example > .env +curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/production/logto/docker-compose.yml > docker-compose.yml +curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/production/logto/.env.example > .env ``` -The configuration files include `.env` and `docker-compose.yml`, where the `.env` file is used to configure LobeChat's environment variables, and the `docker-compose.yml` file is used to configure the Postgres, MinIO, and Logto services. +The configuration files include both `.env` and `docker-compose.yml`, where the `.env` file is used to configure the environment variables for LobeChat, and the `docker-compose.yml` file is used to configure the Postgres, MinIO, and Logto services. -In general, you should only modify sensitive information such as domain names and account passwords, while other configuration items should be set according to the default values. +Generally, you should only modify sensitive information such as domain names and account passwords, while keeping other configuration items at their default values. -Refer to the example configurations in the appendix of this article. +Refer to the appendix for example configurations. -### PostgreSQL Database Configuration +### Postgres Database Configuration -You can check the logs using the following command: +You can check the logs with the following command: ```sh docker logs -f lobe-database ``` - In our official Docker images, the database schema migration will be automatically executed before - starting the image. Our official image guarantees the stability of the "empty database -> complete - table" automatic table creation. 
Therefore, we recommend that your database instance use an empty - table instance, thereby avoiding the hassle of manually maintaining table structures or - migrations. + In our official Docker image, database schema migration is automatically executed before starting the image. Our official image promises stability in the automatic creation of tables from "empty database -> complete tables." Therefore, we recommend that your database instance use an empty table instance to avoid the hassle of manual table structure maintenance or migration. -If you encounter issues when creating tables, you can try using the following commands to forcibly remove the database container and restart: +If you encounter issues when creating tables, you can try the following command to force remove the database container and restart: ```sh -docker compose down # Stop services +docker compose down # Stop the service sudo rm -rf ./data # Remove mounted database data docker compose up -d # Restart ``` -### Authentication Service Configuration +### Login Authentication Service Configuration This article uses Logto as an example to explain the configuration process. If you are using other authentication service providers, please refer to their documentation for configuration. - Please remember to configure the corresponding CORS cross-origin settings for the authentication service provider to ensure that LobeChat can access the authentication service properly. - -In this article, you need to allow cross-origin requests from `https://lobe.example.com`. + Please remember to configure the CORS cross-domain settings for the corresponding login authentication service provider to ensure LobeChat can access the authentication service properly. +In this article, you need to allow cross-domain requests from `https://lobe.example.com`. 
-You need to first access the WebUI for configuration: +You first need to visit the WebUI for configuration: -- If you configured the reverse proxy as mentioned earlier, open `https://lobe-auth-ui.example.com` -- Otherwise, after port mapping, open `http://localhost:3002` +- If you have configured the reverse proxy as mentioned earlier, open `https://lobe-auth-ui.example.com`. +- Otherwise, open `http://localhost:3002` after performing port mapping. 1. Register a new account; the first registered account will automatically become an administrator. @@ -254,7 +269,7 @@ You need to first access the WebUI for configuration: 4. Set `CORS allowed origins` to `https://lobe.example.com`. Configure Logto @@ -263,14 +278,14 @@ You need to first access the WebUI for configuration: 6. Set `AUTH_LOGTO_ISSUER` in your `.env` file to `https://lobe-auth-api.example.com/oidc`. Configure environment variables -7. Optional: In the left panel under `Sign-in experience`, in `Sign-up and sign-in - Advanced Options`, disable `Enable user registration` to prohibit user self-registration. If you disable user self-registration, you can only manually add users in the left panel under `User Management`. +7. Optionally, in the left panel under `Sign-in experience`, you can disable `Enable user registration` in `Sign-up and sign-in - Advanced Options` to prevent users from registering on their own. If you disable user registration, you will need to manually add users in the left panel under `User Management`. Disable user registration 
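Review bot: The policy statement at the top of this hunk now grants `s3:PutObject`, `s3:DeleteObject` and `s3:GetObject` on `arn:aws:s3:::casdoor/**` to the principal `"AWS": ["*"]`, where the old text limited it to `lobe/files/**`. On a server reachable by others, that lets any unauthenticated client read, overwrite or delete every object in the bucket. Step 3 creates an access key that Casdoor presumably uses for uploads, so the anonymous statement should only need read access for serving avatars, `"Action": ["s3:GetObject"]`, with the resource kept as narrow as Casdoor's upload path allows. The `s3:ListBucket` statement in the preceding hunk still carries the condition `"s3:prefix": ["files/*"]`, which no longer lines up with the new whole-bucket resource and is worth reconciling. The JSON block starts in an earlier hunk, so only part of the policy is visible here.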
@@ -281,8 +296,7 @@ You need to first access the WebUI for configuration: ``` - Please note that the administrator account is not the same as a registered user; do not use your - administrator account to log into LobeChat, as this will only result in an error. + Please note that the administrator account is not the same as a registered user. Do not log in to LobeChat with your administrator account, as this will only result in an error. ### S3 Object Storage Service Configuration 
@@ -290,44 +304,43 @@ You need to first access the WebUI for configuration: This article uses MinIO as an example to explain the configuration process. If you are using other S3 service providers, please refer to their documentation for configuration. - Please remember to configure the corresponding CORS cross-origin settings for the S3 service provider to ensure that LobeChat can access the S3 service properly. - -In this article, you need to allow cross-origin requests from `https://lobe.example.com`. This can be configured in the MinIO WebUI under `Configuration - API - Cors Allow Origin`, or in the Docker Compose under `minio - environment - MINIO_API_CORS_ALLOW_ORIGIN`. + Please remember to configure the CORS cross-domain settings for the corresponding S3 service provider to ensure LobeChat can access the S3 service properly. -If you configure using the second method (which is also the default method), you will not be able to configure it in the MinIO WebUI anymore. +In this article, you need to allow cross-domain requests from `https://lobe.example.com`. This can be configured in MinIO WebUI under `Configuration - API - Cors Allow Origin`, or in the Docker Compose under `minio - environment - MINIO_API_CORS_ALLOW_ORIGIN`. +If you use the second method (which is also the default method) for configuration, you will not be able to configure it in MinIO WebUI anymore. -You need to first access the WebUI for configuration: +You first need to visit the WebUI for configuration: -- If you configured the reverse proxy as mentioned earlier, open `https://lobe-s3-ui.example.com` -- Otherwise, after port mapping, open `http://localhost:9001` +- If you have configured the reverse proxy as mentioned earlier, open `https://lobe-s3-ui.example.com`. +- Otherwise, open `http://localhost:9001` after performing port mapping. -1. Enter your `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD` on the login screen, then click login. +1. 
Enter your set `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD` on the login page, then click login. -2. In the left panel under Administer / Buckets, click `Create Bucket`, enter `lobe` (corresponding to your `S3_BUCKET` environment variable), and then click `Create`. +2. In the left panel under Administer / Buckets, click `Create Bucket`, enter `lobe` (which corresponds to your `S3_BUCKET` environment variable), and then click `Create`. Create a bucket -3. Select your bucket, click Summary - Access Policy, edit, choose `Custom`, and input the content from `minio-bucket-config.json` (see appendix) and save (again, assuming your bucket name is `lobe`): +3. Select your bucket, click Summary - Access Policy, edit, choose `Custom`, input the content from `minio-bucket-config.json` (see appendix), and save (assuming your bucket name is `lobe`): Select MinIO bucket policy Configure MinIO bucket policy -4. In the left panel under User / Access Keys, click `Create New Access Key`, make no additional modifications, and fill the generated `Access Key` and `Secret Key` into your `.env` file under `S3_ACCESS_KEY_ID` and `S3_SECRET_ACCESS_KEY`. +4. In the left panel under User / Access Keys, click `Create New Access Key`, without any extra modifications, and fill the generated `Access Key` and `Secret Key` into your `.env` file under `S3_ACCESS_KEY_ID` and `S3_SECRET_ACCESS_KEY`. Create a new access key 
@@ -337,161 +350,13 @@ You need to first access the WebUI for configuration: docker compose up -d ``` -You have successfully deployed the LobeChat database version, and you can access your LobeChat service at `https://lobe.example.com`. +At this point, you have successfully deployed the LobeChat database version, and you can access your LobeChat service at `https://lobe.example.com`. ## Appendix -To facilitate one-click copying, here are the example configuration files needed to configure the server database: +For convenience, here is a summary of the example configuration files needed for deploying the server database in domain name mode (for local quick start, local IP access, etc., please directly use the `setup.sh` script to generate and modify it yourself): -### Local Deployment - -#### `.env` - -```sh -# Logto secret -AUTH_LOGTO_ID= -AUTH_LOGTO_SECRET= - -# MinIO S3 configuration -MINIO_ROOT_USER=YOUR_MINIO_USER -MINIO_ROOT_PASSWORD=YOUR_MINIO_PASSWORD - -# Configure the bucket information of MinIO -MINIO_LOBE_BUCKET=lobe -S3_ACCESS_KEY_ID= -S3_SECRET_ACCESS_KEY= - -# Proxy, if you need it -# HTTP_PROXY=http://localhost:7890 -# HTTPS_PROXY=http://localhost:7890 - -# Other environment variables, as needed. You can refer to the environment variables configuration for the client version, making sure not to have ACCESS_CODE. -# OPENAI_API_KEY=sk-xxxx -# OPENAI_PROXY_URL=https://api.openai.com/v1 -# OPENAI_MODEL_LIST=... 
- -# ----- Other config ----- -# if no special requirements, no need to change -LOBE_PORT=3210 -LOGTO_PORT=3001 -MINIO_PORT=9000 - -# Postgres related, which are the necessary environment variables for DB -LOBE_DB_NAME=lobechat -POSTGRES_PASSWORD=uWNZugjBqixf8dxC - -``` - -#### `docker-compose.yml` - -```yaml -services: - network-service: - image: alpine - container_name: lobe-network - ports: - - '${MINIO_PORT}:${MINIO_PORT}' # MinIO API - - '9001:9001' # MinIO Console - - '${LOGTO_PORT}:${LOGTO_PORT}' # Logto - - '3002:3002' # Logto Admin - - '${LOBE_PORT}:3210' # LobeChat - command: tail -f /dev/null - networks: - - lobe-network - - postgresql: - image: pgvector/pgvector:pg16 - container_name: lobe-postgres - ports: - - "5432:5432" - volumes: - - './data:/var/lib/postgresql/data' - environment: - - 'POSTGRES_DB=${LOBE_DB_NAME}' - - 'POSTGRES_PASSWORD=${POSTGRES_PASSWORD}' - healthcheck: - test: ['CMD-SHELL', 'pg_isready -U postgres'] - interval: 5s - timeout: 5s - retries: 5 - restart: always - networks: - - lobe-network - - minio: - image: minio/minio - container_name: lobe-minio - network_mode: 'service:network-service' - volumes: - - './s3_data:/etc/minio/data' - environment: - - 'MINIO_ROOT_USER=${MINIO_ROOT_USER}' - - 'MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD}' - - 'MINIO_API_CORS_ALLOW_ORIGIN=http://localhost:${LOBE_PORT}' - restart: always - command: > - server /etc/minio/data --address ":${MINIO_PORT}" --console-address ":9001" - - logto: - image: svhd/logto - container_name: lobe-logto - network_mode: 'service:network-service' - depends_on: - postgresql: - condition: service_healthy - environment: - - 'TRUST_PROXY_HEADER=1' - - 'PORT=${LOGTO_PORT}' - - 'DB_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgresql:5432/logto' - - 'ENDPOINT=http://localhost:${LOGTO_PORT}' - - 'ADMIN_ENDPOINT=http://localhost:3002' - entrypoint: ['sh', '-c', 'npm run cli db seed -- --swe && npm start'] - - lobe: - image: lobehub/lobe-chat-database - container_name: 
lobe-database - network_mode: 'service:network-service' - depends_on: - postgresql: - condition: service_healthy - network-service: - condition: service_started - minio: - condition: service_started - logto: - condition: service_started - - environment: - - 'APP_URL=http://localhost:3210' - - 'NEXT_AUTH_SSO_PROVIDERS=logto' - - 'KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ=' - - 'NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg' - - 'NEXTAUTH_URL=http://localhost:${LOBE_PORT}/api/auth' - - 'AUTH_LOGTO_ISSUER=http://localhost:${LOGTO_PORT}/oidc' - - 'DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgresql:5432/${LOBE_DB_NAME}' - - 'S3_ENDPOINT=http://localhost:${MINIO_PORT}' - - 'S3_BUCKET=${MINIO_LOBE_BUCKET}' - - 'S3_PUBLIC_DOMAIN=http://localhost:${MINIO_PORT}' - - 'S3_ENABLE_PATH_STYLE=1' - env_file: - - .env - restart: always - -volumes: - data: - driver: local - s3_data: - driver: local - -networks: - lobe-network: - driver: bridge - -``` - -### Deploying to Production - -#### `.env` +### `.env` ```sh # Required: LobeChat domain for tRPC calls @@ -519,8 +384,8 @@ NEXTAUTH_URL=https://lobe.example.com/api/auth # NextAuth providers configuration (example using Logto) # For other providers, see: https://lobehub.com/docs/self-hosting/environment-variables/auth -AUTH_LOGTO_ID=YOUR_LOGTO_CLIENT_ID -AUTH_LOGTO_SECRET=YOUR_LOGTO_CLIENT_SECRET +AUTH_LOGTO_CLIENT_ID=YOUR_LOGTO_CLIENT_ID +AUTH_LOGTO_CLIENT_SECRET=YOUR_LOGTO_CLIENT_SECRET AUTH_LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc # Proxy settings (if needed, e.g., when using GitHub as an auth provider) @@ -550,10 +415,10 @@ S3_ENABLE_PATH_STYLE=1 # OPENAI_API_KEY=sk-xxxx # OPENAI_PROXY_URL=https://api.openai.com/v1 # OPENAI_MODEL_LIST=... - ``` -#### `docker-compose.yml` +### `docker-compose.yml` + ```yaml services: @@ -628,7 +493,7 @@ volumes: ``` -#### `minio-bucket-config.json` +### `minio-bucket-config.json` ```json { 
diff --git a/docs/self-hosting/server-database/docker-compose.zh-CN.mdx b/docs/self-hosting/server-database/docker-compose.zh-CN.mdx
index 3e7d0f62c6be..8273d9c8774c 100644
--- a/docs/self-hosting/server-database/docker-compose.zh-CN.mdx
+++ b/docs/self-hosting/server-database/docker-compose.zh-CN.mdx
@@ -44,57 +44,100 @@ tags: 本文中,我们提供了完全基于开源自建服务的 Docker Compose 配置,你可以直接使用这份配置文件来启动 LobeChat 数据库版本,也可以对之进行修改以适应你的需求。 -我们默认使用 [MinIO](https://github.com/minio/minio) 作为本地 S3 对象存储服务,使用 [Logto](https://github.com/logto-io/logto) 作为本地鉴权服务。 +我们默认使用 [MinIO](https://github.com/minio/minio) 作为本地 S3 对象存储服务,使用 [Casdoor](https://github.com/casdoor/casdoor) 作为本地鉴权服务。 ## 快速启动 -为方便快速上手,这一章使用 `docker-compose/local` 目录中的 docker-compose 配置文件,启动后的 LobeChat 应用运行在 `http://localhost:3210`,可在本地运行。 +为方便快速上手,这一章使用 `docker-compose/local` 目录中的 `docker-compose.yml` 配置文件,启动后的 LobeChat 应用运行在 `http://localhost:3210`,可在本地运行。 - 为了快速上手,此 docker-compose.yml内置掉了大量的 Secret/Password - 的配置,仅适用于快速演示或个人本地使用。请勿直接用于线上生产环境!否则遇到安全问题请自行负责! + 为了快速上手,此 `docker-compose.yml` 内置了大量的 Secret/Password + 的敏感字段配置,仅适用于快速演示或个人本地使用。请勿直接用于线上生产环境!否则遇到安全问题请自行负责! - ### 创建配置文件 + ### 一键启动脚本 新建一个 `lobe-chat-db` 目录,用于存放你的配置文件和后续的数据库文件。 ```sh mkdir lobe-chat-db +cd lobe-chat-db ``` -拉取配置文件到你的目录中: +我们提供了一个一键启动脚本 `setup.sh`,可以自动使用默认配置并启动服务: ```sh -curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/local-logto/docker-compose.yml > docker-compose.yml -curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/local-logto/.env.zh-CN.example > .env +bash <(curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/local/setup.sh) -f -l zh_CN ``` -### 启动服务 +### 启动 Docker ```sh -docker compose up -d +docker compose -p lobechat-starter up -d ``` -### 配置 Logto +### 检查日志 -1. 打开 `http://localhost:3002`,访问 Logto WebUI,注册管理员账号 +```sh +docker logs -f lobe-database +``` -2. 创建一个 `Next.js (App Router)` 应用,添加以下配置: +如果你在容器中看到了以下日志,则说明已经启动成功: - - `Redirect URI` 为 `http://localhost:3210/api/auth/callback/logto` - - `Post sign-out redirect URI` 为 `http://localhost:3210/` +```log +[Database] Start to migration... +✅ database migration pass. 
+------------------------------------- + ▲ Next.js 14.x.x + - Local: http://localhost:3210 + - Network: http://0.0.0.0:3210 + + ✓ Starting... + ✓ Ready in 95ms +``` -3. 获取 `App ID` 和 `App secrets`,填入 `.env` 文件中对应的 `AUTH_LOGTO_ID` 、 `AUTH_LOGTO_SECRET` + -### 配置 MinIO S3 +至此,你已经成功部署了 LobeChat 数据库版本,你可以通过 `http://localhost:3210` 访问你的 LobeChat 服务。 + +如果你遇到问题,请尝试查看 Docker 日志和控制台日志进行排查。 + +## 发布到生产(IP 模式) -1. 打开 `http://localhost:9001`,访问 MinIO WebUI,默认管理员账号密码在 `.env` 中配置 +下文假设局域网 / 公网需要运行 LobeChat 服务的机器 IP 为 `your_server_ip`。 -2. 创建符合你的 `.env` 文件中 `MINIO_LOBE_BUCKET` 字段的桶,默认为 `lobe` +想要通过局域网 IP 访问,你需要首先按照本地启动运行: + +```sh +bash <(curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/local/setup.sh) -f -l zh_CN +docker compose -p lobechat-starter up -d +``` + +接着,你需要修改下载下来的 `docker-compose.yml` 文件,执行一次全文替换,将 `localhost` 替换为 `your_server_ip`,随后重新启动: + +```sh +sed -i 's/localhost/your_server_ip/g' docker-compose.yml +docker compose -p lobechat-starter up -d +``` + +### 配置 Casdoor + +1. 使用 `setup.sh` 脚本启动后,Casdoor WebUI 默认端口为 `8000`,你可以通过 `http://your_server_ip:8000` 访问,默认用户名 `admin`,密码 `123` + +2. 在 `身份认证 -> 应用` 中添加一行 + + ``` + http://your_server_ip:3210/api/auth/callback/casdoor + ``` + +3. 其他配置大多保持默认即可,你也可以在 `身份认证 -> 应用` 中修改默认配置 + +### 配置 MinIO S3 -3. 选择自定义策略,复制并粘贴如下内容(如果你修改了桶名,请自行查找替换) +1. 使用 `setup.sh` 脚本启动后,MinIO WebUI 默认端口为 `9001`,你可以通过 `http://your_server_ip:9001` 访问,默认用户名 `YOUR_MINIO_USER`,密码 `YOUR_MINIO_PASSWORD` + +2. 大多数配置保持默认即可,如果你希望能允许用户更换头像功能,你需要首先在 `buckets` 中创建一个名为 `casdoor` 的桶,选择自定义策略,复制并粘贴如下内容(如果你修改了桶名,请自行查找替换) ```json { @@ -105,7 +148,7 @@ docker compose up -d "AWS": ["*"] }, "Action": ["s3:GetBucketLocation"], - "Resource": ["arn:aws:s3:::lobe"] + "Resource": ["arn:aws:s3:::casdoor"] }, { "Effect": "Allow", @@ -113,7 +156,7 @@ docker compose up -d "AWS": ["*"] }, "Action": ["s3:ListBucket"], - "Resource": ["arn:aws:s3:::lobe"], + "Resource": ["arn:aws:s3:::casdoor"], "Condition": { "StringEquals": { "s3:prefix": ["files/*"] 
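Review bot: The new `发布到生产(IP 模式)` section starts from the quick-start `setup.sh` output, which the callout earlier in this same hunk says ships built-in Secret/Password values and must not be used in production, and then publishes Casdoor on `http://your_server_ip:8000` with `admin` / `123` and the MinIO console on `:9001` with the placeholder root account, with no step that changes any of them. I would add a step before the `sed` replacement, for example `在将服务暴露到局域网 / 公网之前,请先修改 Casdoor 管理员密码、MinIO 的 MINIO_ROOT_USER / MINIO_ROOT_PASSWORD,以及 docker-compose.yml 中内置的各项密钥`. What `setup.sh` actually writes is not visible in this hunk, so which secrets are baked in should be checked against the script. The `bash <(curl … /HEAD/ …)` one-liner also runs whatever is on the default branch at that moment; the doc could point at a tagged ref or tell readers to download and read the script before running it.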
@@ -126,50 +169,33 @@ docker compose up -d "AWS": ["*"] }, "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject"], - "Resource": ["arn:aws:s3:::lobe/files/**"] + "Resource": ["arn:aws:s3:::casdoor/**"] } ], "Version": "2012-10-17" } ``` -4. 创建一个新的访问密钥,将生成的 `Access Key` 和 `Secret Key` 填入你的 `.env` 文件中的 `S3_ACCESS_KEY_ID` 和 `S3_SECRET_ACCESS_KEY` 中 +3. 创建一个新的访问密钥,将生成的 `Access Key` 和 `Secret Key` 存储之 -### 重启 LobeChat 服务 +4. 在 Casdoor 的 `身份认证 -> 提供商` 中关联 MinIO S3 服务,以下是一个示例配置: -```sh -docker compose up -d -``` + ![casdoor](https://github.com/user-attachments/assets/71035610-0706-434e-9488-ab5819b55330) - - 此时,请勿使用 `docker compose restart lobe` 来重启,因为这种重启方式不会重新加载环境变量,你的 - S3 配置将不会生效。 + 其中,客户端 ID、客户端密钥为上一步创建的访问密钥中的 `Access Key` 和 `Secret Key`,`192.168.31.251` 应当被替换为 `your_server_ip`。 - +5. 在 Casdoor 的 `身份认证 -> 应用` 中,对 `app-built-in` 应用添加提供商,选择 `minio`,保存并退出 -如果你在容器中看到了以下日志,则说明已经启动成功: +6. 你可以在 Casdoor 的 `身份认证 -> 资源` 中,尝试上传文件以测试配置是否正确 -```log -[Database] Start to migration... -✅ database migration pass. -------------------------------------- - ▲ Next.js 14.x.x - - Local: http://localhost:3210 - - Network: http://0.0.0.0:3210 - - ✓ Starting... - ✓ Ready in 95ms -``` +## 发布到生产(域名模式) - - -至此,你已经成功部署了 LobeChat 数据库版本,你可以通过 `http://localhost:3210` 访问你的 LobeChat 服务。 - -如果你遇到问题,请尝试查看 Docker 日志和控制台日志,并根据后文的详细指引进行排查。 + + 对于拥有域名的部署,我们推荐使用 [Logto](https://logto.io/) 作为登录鉴权服务。本文剩余部分也将以其为例进行说明。如果你使用其他诸如 Casdoor 等其他登录鉴权服务,流程应当相近,但请注意不同的登录鉴权服务的端口配置可能有所差异。 -## 发布到生产 + -生产和本地运行存在一个很大的差别,就是在于需要使用域名地址而不是 localhost。我们假设在上述服务之外,你还运行了一层 Nginx 来进行反向代理、配置 SSL。 +在下文中,我们假设在上述服务之外,你还运行了一层 Nginx 来进行反向代理、配置 SSL。 域名和配套服务端口说明如下: @@ -185,7 +211,8 @@ docker compose up -d 请务必注意,CORS 跨域是在 MinIO / Logto 服务端内部配置的,请勿在你的反向代理中额外配置 CORS,这会导致错误。 - 对于minio非443端口时,Host必须是$http_host(带端口号),否则会403错误:proxy_set_header Host $http_host。 + + 对于 minio 非 443 端口时,Host 必须是 `$http_host`(带端口号),否则会 403 错误:`proxy_set_header Host $http_host`。 如果你需要配置 SSL 证书,请统一在外层的 Nginx 反向代理中配置,而不是在 MinIO 中配置。 
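Review bot: The last statement of the bucket policy keeps the wildcard principal `"AWS": ["*"]` while its resource widens from `arn:aws:s3:::lobe/files/**` to `arn:aws:s3:::casdoor/**`, so anyone who can reach MinIO at `your_server_ip` may put, read and delete every object in the bucket without credentials. Steps 3 and 4 already create an access key and register it in Casdoor as the storage provider, so uploads presumably go through that key; if so, the anonymous statement only needs `"Action": ["s3:GetObject"]` for serving avatars. The `s3:ListBucket` statement in the previous hunk still carries the `"s3:prefix": ["files/*"]` condition from the `lobe` policy, which looks like a leftover now that the object statement no longer uses the `files/` prefix. The JSON block starts in the earlier hunks, so only part of the policy is visible here.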
@@ -194,8 +221,8 @@ docker compose up -d ### 配置文件 ```sh -curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/production/docker-compose.yml > docker-compose.yml -curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/production/.env.zh-CN.example > .env +curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/production/logto/docker-compose.yml > docker-compose.yml +curl -fsSL https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/production/logto/.env.zh-CN.example > .env ``` 配置文件包括 `.env` 和 `docker-compose.yml` 两个文件,其中 `.env` 文件用于配置 LobeChat 的环境变量,`docker-compose.yml` 文件用于配置 Postgres、MinIO 和 Logto 服务。 
@@ -338,157 +365,9 @@ docker compose up -d # 重新启动 ## 附录 -为方便一键复制,在此汇总配置服务端数据库所需要的示例配置文件: - -### 本地部署 - -#### `.env` - -```sh -# Logto secret -AUTH_LOGTO_ID= -AUTH_LOGTO_SECRET= - -# MinIO S3 配置 -MINIO_ROOT_USER=YOUR_MINIO_USER -MINIO_ROOT_PASSWORD=YOUR_MINIO_PASSWORD - -# 在下方配置 minio 中添加的桶 -MINIO_LOBE_BUCKET=lobe -S3_ACCESS_KEY_ID= -S3_SECRET_ACCESS_KEY= - -# Proxy,如果你需要的话(比如你使用 GitHub 作为鉴权服务提供商) -# HTTP_PROXY=http://localhost:7890 -# HTTPS_PROXY=http://localhost:7890 - -# 其他环境变量,视需求而定,可以参照客户端版本的环境变量配置,注意不要有 ACCESS_CODE -# OPENAI_API_KEY=sk-xxxx -# OPENAI_PROXY_URL=https://api.openai.com/v1 -# OPENAI_MODEL_LIST=... - -# ----- 相关配置 start ----- -# 如没有特殊需要不用更改 -LOBE_PORT=3210 -LOGTO_PORT=3001 -MINIO_PORT=9000 - -# Postgres 相关,也即 DB 必须的环境变量 -LOBE_DB_NAME=lobechat -POSTGRES_PASSWORD=uWNZugjBqixf8dxC - -``` - -#### `docker-compose.yml` - -```yaml -services: - network-service: - image: alpine - container_name: lobe-network - ports: - - '${MINIO_PORT}:${MINIO_PORT}' # MinIO API - - '9001:9001' # MinIO Console - - '${LOGTO_PORT}:${LOGTO_PORT}' # Logto - - '3002:3002' # Logto Admin - - '${LOBE_PORT}:3210' # LobeChat - command: tail -f /dev/null - networks: - - lobe-network - - postgresql: - image: pgvector/pgvector:pg16 - container_name: lobe-postgres - ports: - - "5432:5432" - volumes: - - './data:/var/lib/postgresql/data' - environment: - - 'POSTGRES_DB=${LOBE_DB_NAME}' - - 'POSTGRES_PASSWORD=${POSTGRES_PASSWORD}' - healthcheck: - test: ['CMD-SHELL', 'pg_isready -U postgres'] - interval: 5s - timeout: 5s - retries: 5 - restart: always - networks: - - lobe-network - - minio: - image: minio/minio - container_name: lobe-minio - network_mode: 'service:network-service' - volumes: - - './s3_data:/etc/minio/data' - environment: - - 'MINIO_ROOT_USER=${MINIO_ROOT_USER}' - - 'MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD}' - - 'MINIO_API_CORS_ALLOW_ORIGIN=http://localhost:${LOBE_PORT}' - restart: always - command: > - server /etc/minio/data --address ":${MINIO_PORT}" --console-address 
":9001" - - logto: - image: svhd/logto - container_name: lobe-logto - network_mode: 'service:network-service' - depends_on: - postgresql: - condition: service_healthy - environment: - - 'TRUST_PROXY_HEADER=1' - - 'PORT=${LOGTO_PORT}' - - 'DB_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgresql:5432/logto' - - 'ENDPOINT=http://localhost:${LOGTO_PORT}' - - 'ADMIN_ENDPOINT=http://localhost:3002' - entrypoint: ['sh', '-c', 'npm run cli db seed -- --swe && npm start'] - - lobe: - image: lobehub/lobe-chat-database - container_name: lobe-database - network_mode: 'service:network-service' - depends_on: - postgresql: - condition: service_healthy - network-service: - condition: service_started - minio: - condition: service_started - logto: - condition: service_started - - environment: - - 'APP_URL=http://localhost:3210' - - 'NEXT_AUTH_SSO_PROVIDERS=logto' - - 'KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ=' - - 'NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg' - - 'NEXTAUTH_URL=http://localhost:${LOBE_PORT}/api/auth' - - 'AUTH_LOGTO_ISSUER=http://localhost:${LOGTO_PORT}/oidc' - - 'DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgresql:5432/${LOBE_DB_NAME}' - - 'S3_ENDPOINT=http://localhost:${MINIO_PORT}' - - 'S3_BUCKET=${MINIO_LOBE_BUCKET}' - - 'S3_PUBLIC_DOMAIN=http://localhost:${MINIO_PORT}' - - 'S3_ENABLE_PATH_STYLE=1' - env_file: - - .env - restart: always - -volumes: - data: - driver: local - s3_data: - driver: local - -networks: - lobe-network: - driver: bridge - -``` - -### 发布到生产 +为方便一键复制,在此汇总域名方式下生产部署配置服务端数据库所需要的示例配置文件(对于本地快速启动、局域网 IP 访问等场景,请直接使用 `setup.sh` 脚本生成后自行修改): -#### `.env` +### `.env` ```sh # 必填,LobeChat 域名,用于 tRPC 调用 @@ -549,7 +428,7 @@ S3_ENABLE_PATH_STYLE=1 ``` -#### `docker-compose.yml` +### `docker-compose.yml` ```yaml services: @@ -624,7 +503,7 @@ volumes: ``` -#### `minio-bucket-config.json` +### `minio-bucket-config.json` ```json { 
diff --git a/docs/usage/providers/ai21.mdx b/docs/usage/providers/ai21.mdx
index c4ac8004ce3c..c25de778cd13 100644
--- a/docs/usage/providers/ai21.mdx
+++ b/docs/usage/providers/ai21.mdx
@@ -1,6 +1,8 @@
 ---
 title: Using AI21 Labs in LobeChat
-description: Learn how to integrate and utilize AI21 Labs's language model APIs in LobeChat.
+description: >-
+ Learn how to integrate and utilize AI21 Labs's language model APIs in
+ LobeChat.
 tags:
 - LobeChat
 - AI21 Labs
diff --git a/docs/usage/providers/ai360.mdx b/docs/usage/providers/ai360.mdx
index 12de95ee00de..1b3dd4f82f5f 100644
--- a/docs/usage/providers/ai360.mdx
+++ b/docs/usage/providers/ai360.mdx
@@ -1,6 +1,6 @@
 ---
 title: Using the 360AI in LobeChat
-description: Learn how to integrate and utilize 360AI's language model APIs in LobeChat.
+description: Learn how to integrate and utilize 360AI's language model APIs in LobeChat.
 tags:
 - LobeChat
 - 360AI
diff --git a/docs/usage/providers/fireworksai.mdx b/docs/usage/providers/fireworksai.mdx
index 664442b588ce..edfb44174e4b 100644
--- a/docs/usage/providers/fireworksai.mdx
+++ b/docs/usage/providers/fireworksai.mdx
@@ -1,6 +1,8 @@
 ---
 title: Using Fireworks AI in LobeChat
-description: Learn how to integrate and utilize Fireworks AI's language model APIs in LobeChat.
+description: >-
+ Learn how to integrate and utilize Fireworks AI's language model APIs in
+ LobeChat.
 tags:
 - LobeChat
 - Fireworks AI
diff --git a/docs/usage/providers/github.mdx b/docs/usage/providers/github.mdx
index 8a4374f26283..1aa69945bdbd 100644
--- a/docs/usage/providers/github.mdx
+++ b/docs/usage/providers/github.mdx
@@ -1,6 +1,6 @@
 ---
 title: Using GitHub Models in LobeChat
-description: Learn how to integrate and utilize GitHub Models in LobeChat.
+description: Learn how to integrate and utilize GitHub Models in LobeChat.
 tags:
 - LobeChat
 - GitHub
diff --git a/docs/usage/providers/hunyuan.mdx b/docs/usage/providers/hunyuan.mdx
index e909c50181b0..cd384fc0911b 100644
--- a/docs/usage/providers/hunyuan.mdx
+++ b/docs/usage/providers/hunyuan.mdx
@@ -1,6 +1,8 @@
 ---
 title: Using Tencent Hunyuan in LobeChat
-description: Learn how to integrate and utilize Tencent Hunyuan's language model APIs in LobeChat.
+description: >-
+ Learn how to integrate and utilize Tencent Hunyuan's language model APIs in
+ LobeChat.
 tags:
 - LobeChat
 - Tencent Hunyuan
diff --git a/docs/usage/providers/siliconcloud.mdx b/docs/usage/providers/siliconcloud.mdx
index 138f46f6501a..8da6b6cec273 100644
--- a/docs/usage/providers/siliconcloud.mdx
+++ b/docs/usage/providers/siliconcloud.mdx
@@ -1,6 +1,8 @@
 ---
 title: Using SiliconCloud in LobeChat
-description: Learn how to integrate and utilize SiliconCloud's language model APIs in LobeChat.
+description: >-
+ Learn how to integrate and utilize SiliconCloud's language model APIs in
+ LobeChat.
 tags:
 - LobeChat
 - SiliconCloud
diff --git a/docs/usage/providers/spark.mdx b/docs/usage/providers/spark.mdx
index 53c1d90eaf0d..d678850b7f9a 100644
--- a/docs/usage/providers/spark.mdx
+++ b/docs/usage/providers/spark.mdx
@@ -1,6 +1,6 @@
 ---
 title: Using iFLYTEK Spark in LobeChat
-description: Learn how to integrate and utilize iFLYTEK's Spark model APIs in LobeChat.
+description: Learn how to integrate and utilize iFLYTEK's Spark model APIs in LobeChat.
 tags:
 - LobeChat
 - iFLYTEK
diff --git a/docs/usage/providers/upstage.mdx b/docs/usage/providers/upstage.mdx
index 6b79a540f18c..85613164095f 100644
--- a/docs/usage/providers/upstage.mdx
+++ b/docs/usage/providers/upstage.mdx
@@ -1,6 +1,6 @@
 ---
 title: Using Upstage in LobeChat
-description: Learn how to integrate and utilize Upstage's language model APIs in LobeChat.
+description: Learn how to integrate and utilize Upstage's language model APIs in LobeChat.
 tags:
 - LobeChat
 - Upstage
diff --git a/docs/usage/providers/wenxin.mdx b/docs/usage/providers/wenxin.mdx
index b38ecc7668e0..41f7daa74a7d 100644
--- a/docs/usage/providers/wenxin.mdx
+++ b/docs/usage/providers/wenxin.mdx
@@ -1,6 +1,8 @@
 ---
 title: Using Wenxin Qianfan in LobeChat
-description: Learn how to integrate and utilize Wenxin Qianfan's language model APIs in LobeChat.
+description: >-
+ Learn how to integrate and utilize Wenxin Qianfan's language model APIs in
+ LobeChat.
 tags:
 - LobeChat
 - 百度
diff --git a/docs/usage/providers/zeroone.mdx b/docs/usage/providers/zeroone.mdx
index c2d7f5c026eb..9ccf79619fc0 100644
--- a/docs/usage/providers/zeroone.mdx
+++ b/docs/usage/providers/zeroone.mdx
@@ -2,8 +2,8 @@
 title: Using 01 AI API Key in LobeChat
 description: >-
 Learn how to integrate and use 01 AI in LobeChat with step-by-step
- instructions. Obtain an API key, configure 01 AI, and start
- conversations with AI models.
+ instructions. Obtain an API key, configure 01 AI, and start conversations with
+ AI models.
 tags:
 - 01.AI
 - Web UI