Clawdbot Production Deployment: The Complete Guide to a 7-Layer Defense Model
Deployment Maturity Model
Level 0: It runs
- npm install && clawdbot gateway
- Local testing, started and stopped by hand
Level 1: Basic security
- Firewall configured
- Console not exposed to the public internet
- Runs in a Docker container
Level 2: Recoverability
- Automatic data backups
- Configuration under version control
- Automatic service restart
Level 3: Observability
- Health check endpoint
- Structured logging
- Monitoring and alerting
Level 4: Cost control
- API quota limits
- Cost alerts
- Circuit breaker
Level 5: Security hardening
- Container sandbox
- Sensitive data encrypted
- Audit logging
Level 6: High availability
- Blue/green deployment
- Zero-downtime updates
- Self-healing on failure
Goal of this article: take Clawdbot from Level 0 to Level 3.
Layer 1: Network Isolation
Option A: Bind to localhost + SSH tunnel
Suitable for: personal use with occasional access from outside.
Configuration file:
{
  "gateway": {
    "bind": "127.0.0.1",
    "port": 18789
  }
}
Remote access:
# SSH from your laptop to the server and open a tunnel
ssh -L 18789:localhost:18789 user@your-server
# Open it in the laptop's browser
open http://localhost:18789
Option B: Tailscale VPN
Suitable for: access from several devices without setting up SSH tunnels.
Install Tailscale:
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up
Get the Tailscale IP:
tailscale ip -4
# Output: 100.x.y.z
Configure Clawdbot:
{
  "gateway": {
    "bind": "100.x.y.z",
    "port": 18789
  }
}
Only devices that have joined the same Tailscale network can reach it.
Option C: Reverse proxy + authentication
Suitable for: public internet access with protection in front of the gateway.
Nginx configuration (/etc/nginx/sites-available/clawdbot):
server {
  listen 443 ssl http2;
  server_name clawdbot.yourdomain.com;
  ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
  # HTTP Basic Auth
  auth_basic "Clawdbot Access";
  auth_basic_user_file /etc/nginx/.htpasswd;
  location / {
    proxy_pass http://127.0.0.1:18789;
    proxy_http_version 1.1;
    # Required for WebSocket upgrades through the proxy
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
  }
}
Generate the password file:
sudo apt install apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd admin
# Enter the password when prompted
Enable the configuration:
sudo ln -s /etc/nginx/sites-available/clawdbot /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
Firewall rules
# Install UFW
sudo apt install ufw
# Deny all inbound traffic by default
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow only SSH and HTTPS
sudo ufw allow 22/tcp
sudo ufw allow 443/tcp
# If you use Tailscale, allow its address range
sudo ufw allow from 100.64.0.0/10
# Enable the firewall
sudo ufw enable
Layer 2: Container Isolation
Docker Compose configuration
docker-compose.yml:
version: '3.8'
services:
  clawdbot:
    image: node:22-alpine
    container_name: clawdbot
    working_dir: /app
    command: npx clawdbot@latest gateway
    volumes:
      - ./config:/root/.clawdbot:ro      # configuration, read-only
      - ./data:/root/.clawdbot/data      # data, read-write
      - ./workspace:/workspace           # working directory
    environment:
      - NODE_ENV=production
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
    ports:
      - "127.0.0.1:18789:18789"          # bind to localhost only
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    read_only: true
    tmpfs:
      - /tmp
      - /root/.npm
Key security options explained:
- read_only: true: the container filesystem is read-only, which blocks malicious writes
- cap_drop: ALL: removes every Linux capability from the container
- no-new-privileges: prevents processes from gaining privileges (for example through setuid binaries)
- tmpfs: temporary files are written to memory and never touch the host disk
Starting the container
# First start
docker-compose up -d
# Follow the logs
docker-compose logs -f
# Restart
docker-compose restart
# Stop
docker-compose down
Layer 3: Data Backups
Automatic backup script
backup.sh:
#!/bin/bash
set -e
BACKUP_DIR="/backups/clawdbot"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
BACKUP_PATH="$BACKUP_DIR/$TIMESTAMP"
# Create the backup directory
mkdir -p "$BACKUP_PATH"
# Back up the database
cp ~/.clawdbot/data.db "$BACKUP_PATH/data.db"
# Back up the configuration
cp -r ~/.clawdbot/config "$BACKUP_PATH/"
# Compress
cd "$BACKUP_DIR"
tar -czf "$TIMESTAMP.tar.gz" "$TIMESTAMP"
rm -rf "$TIMESTAMP"
# Keep only the last 30 days of backups
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +30 -delete
echo "[$(date)] Backup completed: $TIMESTAMP.tar.gz"
Schedule it:
chmod +x backup.sh
# Edit the crontab
crontab -e
# Back up every day at 03:00
0 3 * * * /path/to/backup.sh >> /var/log/clawdbot-backup.log 2>&1
Backing up to cloud storage
# Install the AWS CLI
sudo apt install awscli
# Configure credentials
aws configure
# Add an upload step to the backup script
aws s3 sync "$BACKUP_DIR" s3://my-bucket/clawdbot-backups/ \
  --exclude "*" --include "*.tar.gz"
Restore drill
Test regularly that the backups are actually usable:
# 1. Extract the backup
tar -xzf 20260127_030000.tar.gz
# 2. Restore the database
cp 20260127_030000/data.db ~/.clawdbot/data.db
# 3. Restore the configuration
cp -r 20260127_030000/config ~/.clawdbot/
# 4. Restart the service
docker-compose restart
# 5. Verify
clawdbot agent --message "Test whether the restore succeeded"
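A backup verification helper for the restore drill above, added here as an example (it is not part of Clawdbot or of the original post). It assumes the archive layout produced by backup.sh: <TIMESTAMP>/data.db and <TIMESTAMP>/config/ inside <TIMESTAMP>.tar.gz; the function names write_checksum and verify_backup are hypothetical.

```shell
#!/bin/bash
# Added example: verify a Clawdbot backup archive before trusting it for a restore.
# Assumes the layout of backup.sh above: <TS>/data.db and <TS>/config/ in <TS>.tar.gz.

# Write a sidecar checksum next to the archive (call at the end of backup.sh).
write_checksum() {
  local archive="$1"
  ( cd "$(dirname "$archive")" \
    && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# Return 0 only if the archive matches its checksum, is readable end to end,
# contains the members a restore needs, and its database is non-empty.
verify_backup() {
  local archive="$1"
  local stamp; stamp=$(basename "$archive" .tar.gz)
  # 1. The checksum recorded at backup time must still match
  [ -f "$archive.sha256" ] || { echo "FAIL: no checksum sidecar for $archive"; return 1; }
  ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ) \
    || { echo "FAIL: checksum mismatch for $archive"; return 1; }
  # 2. The whole archive must decompress and list cleanly
  local listing; listing=$(tar -tzf "$archive" 2>/dev/null) \
    || { echo "FAIL: archive is corrupt"; return 1; }
  # 3. Required members must be present (tar lists directories with a trailing slash)
  for member in "$stamp/data.db" "$stamp/config/"; do
    printf '%s\n' "$listing" | grep -qx "$member" \
      || { echo "FAIL: missing $member"; return 1; }
  done
  # 4. Dry-run restore into a scratch directory and check the database has content
  local scratch; scratch=$(mktemp -d)
  tar -xzf "$archive" -C "$scratch"
  local ok=0
  [ -s "$scratch/$stamp/data.db" ] || ok=1
  rm -rf "$scratch"
  [ "$ok" -eq 0 ] || { echo "FAIL: data.db is empty after extraction"; return 1; }
  echo "OK: $archive verified"
}
```

Run verify_backup on the newest archive from the same cron that runs the health check, so a silently corrupted backup raises an alert before you need it.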
Layer 4: Monitoring and Alerting
Health check script
healthcheck.sh:
#!/bin/bash
# Check that the service responds (cap the wait so the check itself cannot hang)
HTTP_CODE=$(curl -s --max-time 10 -o /dev/null -w "%{http_code}" http://localhost:18789/health)
if [ "$HTTP_CODE" != "200" ]; then
  echo "ERROR: Health check failed (HTTP $HTTP_CODE)"
  # Send an alert email
  echo "Clawdbot health check failed" | mail -s "Alert: Clawdbot Down" admin@example.com
  exit 1
fi
# Check disk space
DISK_USAGE=$(df -h / | tail -1 | awk '{print $5}' | sed 's/%//')
if [ "$DISK_USAGE" -gt 90 ]; then
  echo "WARNING: Disk usage at $DISK_USAGE%"
  echo "Disk usage: $DISK_USAGE%" | mail -s "Alert: High Disk Usage" admin@example.com
fi
# Check memory (used / total)
MEM_USAGE=$(free | grep Mem | awk '{print int($3/$2 * 100)}')
if [ "$MEM_USAGE" -gt 90 ]; then
  echo "WARNING: Memory usage at $MEM_USAGE%"
fi
echo "[$(date)] Health check passed"
Run it on a schedule:
*/5 * * * * /path/to/healthcheck.sh >> /var/log/clawdbot-health.log 2>&1
Log monitoring
Install logwatch:
sudo apt install logwatch
# Configure
sudo nano /etc/logwatch/conf/logfiles/clawdbot.conf
Contents:
LogFile = /var/log/clawdbot/*.log
Archive = /var/log/clawdbot/*.log.*.gz
/etc/logwatch/conf/services/clawdbot.conf:
Title = "Clawdbot"
LogFile = clawdbot
/etc/logwatch/scripts/services/clawdbot:
#!/bin/bash
# logwatch feeds the log lines on stdin. Buffer them once so every section
# below sees the full input; a bare grep would consume stdin for good and
# leave the later sections empty.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG"
echo "Errors:"
grep -i "error\|fatal\|exception" "$LOG" | sort | uniq -c
echo ""
echo "429 Rate Limits:"
grep -c "429" "$LOG"
echo ""
echo "Top Users:"
grep "incoming_message" "$LOG" | awk '{print $NF}' | sort | uniq -c | sort -nr | head -10
External monitoring service
Using UptimeRobot (free):
- Go to https://uptimerobot.com
- Add a monitor:
  - Type: HTTP(s)
  - URL: https://clawdbot.yourdomain.com/health
  - Interval: 5 minutes
- Set up alerts:
  - Email
  - Telegram (optional)
Note that the Nginx configuration from Layer 1 puts Basic Auth in front of every path, so an unauthenticated monitor will get a 401 on /health; either give the monitor the credentials or add a separate location /health block without auth_basic.
Layer 5: Cost Control
API quota limits
Add to the configuration file:
{
  "cost": {
    "dailyBudget": 10.0,
    "monthlyBudget": 200.0,
    "alertThreshold": 0.8,
    "stopThreshold": 0.95
  }
}
Implementation logic (requires modifying the source or using a wrapper):
// Helpers assumed to exist in the surrounding code (not shown on this page):
//   loadConfig().cost  -> the "cost" block from the configuration file above
//   sendAlert(msg)     -> delivers a notification (mail, Telegram, ...)
//   db.insertCost(row) -> persists one cost record
class CostGuard {
  private dailySpent = 0;
  private alerted = false; // send the threshold alert once per day, not on every call
  private lastResetDate = new Date().toDateString();
  private resetIfNewDay(): void {
    // Reset the daily counters at the first call of a new day
    const today = new Date().toDateString();
    if (today !== this.lastResetDate) {
      this.dailySpent = 0;
      this.alerted = false;
      this.lastResetDate = today;
    }
  }
  async checkBudget(): Promise<void> {
    this.resetIfNewDay();
    const config = loadConfig().cost;
    // Hard stop: refuse the request once spend reaches the stop threshold
    if (this.dailySpent >= config.dailyBudget * config.stopThreshold) {
      throw new Error('Daily budget exceeded');
    }
    // Soft limit: notify once when the alert threshold is crossed
    if (!this.alerted && this.dailySpent >= config.dailyBudget * config.alertThreshold) {
      this.alerted = true;
      await sendAlert(`Daily cost: $${this.dailySpent.toFixed(2)}`);
    }
  }
  async recordCost(inputTokens: number, outputTokens: number): Promise<void> {
    this.resetIfNewDay();
    // $3 per million input tokens, $15 per million output tokens; adjust to your model's price list
    const cost = inputTokens * 0.000003 + outputTokens * 0.000015;
    this.dailySpent += cost;
    // Persist the record. dailySpent itself lives in memory and starts at 0 after a
    // process restart, so reload today's total from the database at startup if the
    // limit must survive restarts.
    await db.insertCost({
      timestamp: Date.now(),
      inputTokens,
      outputTokens,
      cost
    });
  }
}
Rate limiting
class RateLimiter {
  // Fixed one-minute window per user. Expired entries are only replaced when the
  // user sends again, so prune this map periodically if you have many users.
  private userCounters = new Map<string, {count: number, resetAt: number}>();
  async checkLimit(userId: string): Promise<boolean> {
    const now = Date.now();
    const counter = this.userCounters.get(userId);
    if (!counter || now > counter.resetAt) {
      this.userCounters.set(userId, {
        count: 1,
        resetAt: now + 60000 // 1-minute window
      });
      return true;
    }
    if (counter.count >= 10) { // 10 messages per minute
      return false;
    }
    counter.count++;
    return true;
  }
}
Layer 6: Service Management
Systemd service configuration
/etc/systemd/system/clawdbot.service:
[Unit]
Description=Clawdbot Gateway
After=network.target
# Stop restarting after 5 failed starts within 10 minutes (these belong in [Unit])
StartLimitBurst=5
StartLimitIntervalSec=600
[Service]
Type=simple
User=clawdbot
WorkingDirectory=/home/clawdbot
ExecStart=/usr/local/bin/clawdbot gateway
Restart=always
RestartSec=10
# Environment variables
Environment="NODE_ENV=production"
# Keep the API key out of the unit file (unit files are world-readable):
# put ANTHROPIC_API_KEY=... in this file and chmod 600 it
EnvironmentFile=/etc/clawdbot/clawdbot.env
# Security options
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/home/clawdbot/.clawdbot/data
[Install]
WantedBy=multi-user.target
Management commands:
# Enable the service
sudo systemctl enable clawdbot
# Start
sudo systemctl start clawdbot
# Check status
sudo systemctl status clawdbot
# Follow the logs
sudo journalctl -u clawdbot -f
# Restart
sudo systemctl restart clawdbot
Complete Checklist
Run this script to verify the configuration:
#!/bin/bash
echo "=== Clawdbot production environment check ==="
# 1. Network security
echo -n "[1/7] Checking console bind address... "
LISTEN=$(ss -tln 2>/dev/null | grep ":18789 ")
if [ -z "$LISTEN" ]; then
  echo "- (gateway is not listening)"
elif echo "$LISTEN" | grep -vqE '(127\.0\.0\.1|\[::1\]):18789'; then
  # any listening socket that is not loopback counts as exposed
  echo "✗ (exposed to the public internet!)"
else
  echo "✓ (local only)"
fi
# 2. Firewall
echo -n "[2/7] Checking firewall... "
# match the full status line: a bare "active" would also match "inactive"
if sudo ufw status | grep -q "Status: active"; then
  echo "✓"
else
  echo "✗ (not enabled)"
fi
# 3. Container isolation
echo -n "[3/7] Checking Docker... "
if docker ps | grep -q clawdbot; then
  echo "✓"
else
  echo "- (not using Docker)"
fi
# 4. Backups
echo -n "[4/7] Checking backup job... "
if crontab -l | grep -q backup.sh; then
  echo "✓"
else
  echo "✗ (no scheduled backup)"
fi
# 5. Monitoring
echo -n "[5/7] Checking health check... "
if crontab -l | grep -q healthcheck.sh; then
  echo "✓"
else
  echo "✗ (no monitoring)"
fi
# 6. Service autostart
echo -n "[6/7] Checking service autostart... "
if systemctl is-enabled clawdbot &>/dev/null; then
  echo "✓"
else
  echo "- (systemd not configured)"
fi
# 7. Logs
echo -n "[7/7] Checking log directory... "
if [ -d "/var/log/clawdbot" ]; then
  echo "✓"
else
  echo "- (not configured)"
fi
echo ""
echo "=== Suggested improvements ==="
# TODO: add concrete suggestions
Save it as doctor.sh and run it:
chmod +x doctor.sh
./doctor.sh
Summary
The core elements that turn Clawdbot into a production-grade system:
- Isolation: network, container, privileges
- Backups: automatic, off-site, restorable
- Monitoring: health checks, logs, alerts
- Limits: cost, rate, resources
With the configuration above in place, Clawdbot can:
- Run stably 24×7
- Recover automatically from failures
- Trip the circuit breaker when costs overrun
- Contain the blast radius when attacked
This is not set-and-forget; you still need to:
- Review monitoring alerts weekly
- Review the cost report monthly
- Test a backup restore quarterly
- Upgrade to new versions promptly
But at least you can go on holiday without worrying that you will come back to find the server compromised.
Further reading:
- Docker security best practices: https://docs.docker.com/engine/security/
- UFW guide: https://help.ubuntu.com/community/UFW
- Systemd service management: https://www.freedesktop.org/software/systemd/man/systemd.service.html