开始
使用 docker-compose 完成
docker-compose 文件,需要修改postgres的密码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
| version: '3.8'
services:
outline:
image: docker.io/outlinewiki/outline:0.72.2
container_name: outline
env_file: ./outline-docker.env
expose:
- 3000
volumes:
- outline-data:/var/lib/outline/data
networks:
- outline_network
postgres:
image: abcfy2/zhparser:15-alpine
container_name: postgres
restart: unless-stopped
environment:
POSTGRES_PASSWORD: password
PGDATA: /var/lib/postgresql/data/pgdata
volumes:
- database-data:/var/lib/postgresql/data
expose:
- 5432
networks:
- outline_network
redis:
image: redis
container_name: redis
restart: unless-stopped
expose:
- 6379
networks:
- outline_network
authelia:
image: docker.io/authelia/authelia:4.37.5
container_name: authelia
volumes:
- ./data/authelia:/config
expose:
- 9091
restart: unless-stopped
environment:
- TZ=Asia/Shanghai
networks:
- outline_network
nginx:
image: nginx
container_name: nginx
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./data/nginx/conf/conf.d:/etc/nginx/conf.d
- ./data/nginx/conf/nginx.conf:/etc/nginx/nginx.conf
- ./data/nginx/conf/ssl:/etc/nginx/ssl
networks:
- outline_network
networks:
outline_network:
driver: bridge
volumes:
outline-data:
database-data:
|
完成以后,先生成一个 outline-docker.env 文件
1
| touch outline-docker.env
|
先拉取并跑一下容器,把文件映射出来(报错不用管)
nginx
1
2
| rm -rf data/nginx/conf/nginx.conf/
nano data/nginx/conf/nginx.conf
|
nginx.conf配置文件,不需要修改
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
gzip on;
include /etc/nginx/conf.d/*;
server_tokens off;
}
|
需要两个域名,一个是 authelia 认证服务,一个是 outline 域名(SSL证书我直接从腾讯云下载的)
authelia
1
| nano data/nginx/conf/conf.d/authelia.conf
|
authelia.conf 配置文件,自行修改SSL证书位置和域名
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
| server {
listen 80;
listen 443 ssl;
resolver 127.0.0.11;
# 需要修改的部分
server_name sso.example.com;
ssl_certificate ssl/sso.example.com_bundle.crt;
ssl_certificate_key ssl/sso.example.com.key;
location / {
proxy_pass http://authelia:9091;
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
}
}
|
outline
1
| nano data/nginx/conf/conf.d/outline.conf
|
outline.conf 配置文件,自行修改SSL证书位置和域名
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
| server {
listen 80;
listen 443 ssl;
charset utf-8;
# 需要修改的部分
server_name outline.example.com;
ssl_certificate ssl/outline.example.com_bundle.crt;
ssl_certificate_key ssl/outline.example.com.key;
resolver 127.0.0.11;
ssl_session_timeout 5m;
#请按照以下协议配置
ssl_protocols TLSv1.2 TLSv1.3;
#请按照以下套件配置,配置加密套件,写法遵循 openssl 标准。
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://outline:3000/;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header Host $host;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
|
postgres
再次运行docker
进入 PostgreSQL 数据库命令行
1
| docker exec -it --user postgres postgres psql -U postgres
|
自行修改密码字段,执行SQL
1
2
3
4
5
6
7
8
| # 创建用户,自行修改密码
CREATE USER outline WITH PASSWORD 'password_of_outline_user';
# 创建数据库
CREATE DATABASE outline OWNER outline;
# 退出命令行
\q
|
停止docker
authelia
authelia主要的两个配置文件:configuration.yml 和 users_database.yml
主要配置文件
configuration.yml 是主要的配置文件
所有可以定义的 环境变量
需要手动修改的参数有6个
- jwt_secret
- session.secret
- storage.encryption_key
- identity_providers.oidc.hmac_secret
- identity_providers.oidc.issuer_private_key
- identity_providers.oidc.clients.secret
可以用命令生成
identity_providers.oidc.issuer_private_key的生成,把在当前目录下生成的 private.pem 内容复制出来
1
| docker run --rm -u "$(id -u):$(id -g)" -v "$(pwd)":/keys authelia/authelia:4.37.5 authelia crypto pair rsa generate --bits 4096 --directory /keys
|
完整的配置文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
|
jwt_secret: xxx
default_redirection_url: https://sso.example.com
server:
host: 0.0.0.0
port: 9091
log:
level: debug
authentication_backend:
password_reset:
disable: false
file:
path: /config/users_database.yml
totp:
disable: false
issuer: example.com
algorithm: sha256
period: 30
skew: 1
secret_size: 32
access_control:
default_policy: deny
rules:
- domain: outline.example.com
policy: one_factor
subject:
- ['group:admins']
session:
name: authelia_session
domain: sso.example.com
secret: xxx
expiration: 3600
inactivity: 300
redis:
host: redis
port: 6379
storage:
encryption_key: xxx
local:
path: /config/db.sqlite3
regulation:
max_retries: 3
find_time: 2m
ban_time: 120m
notifier:
smtp:
username: 12345@qq.com
password: 4Rcec6pUA
host: smtp.exmail.qq.com
port: 465
sender: 12345@qq.com
identity_providers:
oidc:
hmac_secret: xxx
issuer_private_key: |
-----BEGIN RSA PRIVATE KEY-----
MIIJKwIBAAKCAgEA1So3Blq87Qn7PjY5K3BymZFgbsGODw6CZavOUBy9Za3mtwTZ
fzjipnbSpcaOWoDF5+m00TA5xqYuzyaCU95QVShg3irkCvD7CaQ1zyXCtBk0TVoj
RQ4rzj2Zj4NT4VlNgGtlnk3I2zq0wbQ4rLZ0fbqZjfcuHjmAEk5P1cBr0YyyuitY
03LpJFXjKkvsB099p1wEEZNhe/95xfDFMnd+NwWUK/n32RFw0XeHLa3buzSu29ww
/yTt9hWsdyjkpdl0v7HBiLF7Bu7nfpXZ8XD37y5V8/RFACG3yGwtpwCb4j2B+cEV
MCi5pyh/4CSJKZaKhvQo2B1YoBNo81sbi3tHVf7WA/yUOcui8epaumSCnS7vi1hN
7IPswERVeZRWx3EIoTzXnXabi9rnLv2mrebGf7E4og8Ze9DrYRhl2oqV5KOXb3g4
TylC0CRlxVOeIrhgW8oftfGbE741xQibHl6uSynmPHuHdBPVplJE44wOyNqaskvt
eb1rCMTT0drf00aSg7722n9oI8uBsanDQKXwZi6ZwbhabUX2KHmiYLfZderx/XYz
XDftnYRA1wJo26b59iuwe2aor6T2tcSonhH2PV6yTrwfRS1aoLe+mB4UTwmYVxJJ
60PY7kuIOInBrcL1mdJyUdF57gBoyNieJ/+XmiIWm5tAf0+NNmNLN3t3fdcCAwEA
AQKCAgEAz6vY/6/W73gR9YIOIGvkuggP0tdu9uxDzZmb3iChxDWv2A45duCMr3CD
uE3A0hsys8XUCxjYsNemMtppjhvAV7aG6OsQUDiF2dbJNY6sKZmEgveV9OjhdIQ+
3rorNhgykTIQRjGxxSNkhnJ15I283+CzSMPPglKymyMAVFaqs/RHC2i/mQEScfva
3JIq2NRwrmPO8vCKwKscj+MJuyj/Jcuhl1ZoSGndZ7TzVWVT9QZWdIwIkAoCawSi
iVSlrY41V6xtyCZgnViS35hORBKy+apCwvDvaDlxOylpMJI/TCJwRkn9wnVqqZej
PVNa7dFkFCY6xJGSjiFa1fuk0jbAPxhim0AKSAnVu1o+Da7CgG0ZlaZ4ecd/EzT6
4NVEDQlmFu+diKiSj/6xND7UgKerhEahq0lDy7S/n7pzlLFBzddMOuP3QsqLX0my
7qRKtj2FlHFvtUiyVNsS01cONvGDHc7kLIxzgOa18idmoWSmz5vZCnKGYIo9kCBq
/NOot48IruytAOnHCFT/C2y1zpPvDtCBk0zWF23lUutkWyQvW+6r5fQHR53U6AML
8pWiOTO4n82on1o+alYtfNyF1GErEN++t3pZV8iIdqKtPomO3KT9OypVVaguWy15
F4H8T6tODxLOAP/SmHTEQl/fl2t7ajm1R+iWt/yCk6pk71VFtMECggEBAOljYSHg
rvH3GbxuB4m4+SLdeUr5mE0QasQXSs0cj/evKeE0egwXgOthf8EOA3t4LA2ztZlZ
ENWVYcRbsXm7MOCtVhZqYcKmRcqzODz/vPqunUBaZJWWatJA9mo9nSIIbCd6KN14
qZmTXBh+TOojst2SIbNcKqfN9l7+FuW6QMfe3efk/l8H2kooaSUgPyebhIybn0Lx
QFyvf4WNeTdxHT4wA3cDyPiSYh9f5cBEkaAg3WI8mGe+D1UPf5ajrPHj7hxCQOQG
bygfMVkKc+tz4iUqtbKDXUUUlbEMEsB1Kq33RUgs7FHzYKP4HtkQ5gVlaEFek1Cq
YUL6GHb4GrRdlT0CggEBAOnRPw4ARK7j/TIGU+wDB0Kn+8p9e1C17Y7QK5Ht5fJU
C0U66/bFouAe7seMIEAVJrD/3S4Qpw7rzqkPdNerIwd8KlFGy54L5s5A3yymT2IJ
j51aSOPEIeQx817Q7Ea2KyZ3xUjtaQVxLo34+hZrDYJ3v2mzdTA+kOHcacc5ONfO
8+yTvvlfJ+/7ZQTO56pJEPqeHYZ4RCaFwCRDUw0FAYggnWSnZa3GysZXoj+WpTpC
Qq9v69ZZXe2XIyaI5lHS6zwWmMMFCVW111D1otbd/Jw3nQure39Ht3gtq1bV86vC
uSCn61Qk6UMMhpHPsLlb1sLLNRw959PSVp0ogiEu2KMCggEBAK3bLhxCd5Af9rf7
bvoVJOHoAdbsH5wowp/YigxJXqWvgo8UvGYNjCfLtZNmkQmE96wtVvYo9vVkFjRj
6c04uKxl8183WCPcINlisF4gU/KZ6OJrc8pLBsAhTG7P/yG/DHJL+e0hWZXhxBUq
4Lj6Zt/PX/NwkQX307Pnq77uBBvf1YZNe3/nJaFggRL69pDWtOLZesYvWTayNViT
jtzSEmqk8a/Szf79bMLaeRfE/IZAdSoc4ZtGZb2DkhPxUX/Pvyyl3hj/AgbtVaFy
u++Fn8z4B+o3GV/AedItoDpmDakSLjYZ4OEbX75FsxUYFYGnjQZFIZBRm6p9C4R0
RdBedjECggEBAL0A1+eJb/uvb8wwMUZmbEgFYhOcu0HSzeTTgWTE2Uu5hCLCLluc
Br0ERCAptSgX8N7C9Rd3fpMhKjyeseRkAjzasZphj9aB6GBxL/X3udOVxvF7OdBj
isHbXs8WMug1+UtvJZp9zpcHlopM6FuWzaTZB3F6DxCggp0QfrD8IGbSc3qZM5aA
xNfIbzAj0EBmL8NmbJd2QCCjnV2yzj+H/GT9eD0U06xVNTR/QjgEnispxJ3r6seq
FbMoqNFNeGBMDrrTyUhbmeAezZ4z8R2e88OTcO8t/vY0EqqiwA3BhOci0GMFWcT6
0VPRnDXhnQk4o7FyccwSfoNLU5hWVlpcc+ECggEBAJHvbFhvmtq8GMtvQPsoy38f
3UirVKqvXQ/u3tHNd6tljr7oTraTTwAfxwn6mk79ZnM4iuys23Hou4oiZvDMbSuy
eg5q7mThcJbUOokVBF4SEwxZiLjBwK6zfnmqN6hs1YY0jDINtjQcknNlZ793xe4z
xwTwTOWL6m8bxEwDMJ+XoOG+VLHPt29alM/SJlP9ns8z8cS9gvgc8XfM++nHzfAT
YfMfViRhTNeh9LyMPVA+tzdRxKXWbJCIJaeoNdssjObDrcQPXpJgkg5ec5ic+zw1
PpGiAKRvtT+jgSRFG4m+wyKf7eQX2Mg6O12v4mC/V4aqcJDugztnHRB7+fp3Gao=
-----END RSA PRIVATE KEY-----
access_token_lifespan: 1h
authorize_code_lifespan: 1m
id_token_lifespan: 1h
refresh_token_lifespan: 90m
enable_client_debug_messages: false
enforce_pkce: public_clients_only
cors:
endpoints:
- authorization
- token
- revocation
- introspection
allowed_origins:
- https://outline.example.com
allowed_origins_from_client_redirect_uris: false
clients:
- id: outline
description: outline团队知识库
secret: 'TBbCctA3uCpeUn1U04th1UV6dwrKVaAccME4LIrhKSZ_P3R8an4VK6IqO5qnzNSuhEIdSR7l'
public: false
scopes:
- openid
- offline_access
- profile
- email
authorization_policy: one_factor
redirect_uris:
- https://outline.example.com/auth/oidc.callback
userinfo_signing_algorithm: none
|
后端验证文件
users_database.yml 是身份后端验证方式之一,使用文件来做验证,当然也可以选择LDAP。
用户密码文件的参考文档:user–password-file
1
2
3
4
5
6
7
8
9
10
11
| users:
outline:
disabled: false
displayname: "Outline"
password: "$argon2id$v=19$m=65536,t=3,p=4$9BTjyrRh5FNYjvpO4wIa9A$oLqRqvjjb9twHBI0ELA6AP/NXsJcrMwv9vACo2+J/A0"
email: 123@example.com
groups:
- admins
|
password 的生成,复制生成的Digest:后面的参数
1
| docker run --rm authelia/authelia:4.37.5 authelia crypto hash generate argon2 --password 'password'
|
outline
编辑 outline-docker.env 文件,完整的官方配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
| # ================ Outline ================
NODE_ENV=production
# 一个十六进制编码的 32 字节随机密钥。官方推荐使用 `openssl rand -hex 32` 在你的终端生成
SECRET_KEY=xxx
# 一个唯一的随机密钥。格式并不重要,官方推荐使用 `openssl rand -hex 32` 在你的终端生成
UTILS_SECRET=xxx
# 表示外部浏览器将会以什么域名访问 Outline 及其资源文件
# 1. outline.example.com: 修改为你自己的域名
URL=https://outline.example.com
# Outline 使用的端口
PORT=3000
# 使用本地存储,没有使用S3
FILE_STORAGE=local
# =========================================
# ================ PostgreSQL ================
# 用于连接 PostgreSQL 的 URL,password是在docker-compose中定义的
DATABASE_URL=postgres://outline:password@postgres:5432/outline
# 禁止使用SSSL连接
PGSSLMODE=disable
# ============================================
# ================ Redis ================
# 用于连接 Redis 的 URL
REDIS_URL=redis://redis:6379
# =======================================
# ================ AUTHENTICATION ================
# ID要和authelia配置文件中的identity_providers.clients.id保持一致
OIDC_CLIENT_ID=outline
OIDC_CLIENT_SECRET=TBbCctA3uCpeUn1U04th1UV6dwrKVaAccME4LIrhKSZ_P3R8an4VK6IqO5qnzNSuhEIdSR7l
# 将sso.example.com换成自己的
OIDC_AUTH_URI=https://sso.example.com/api/oidc/authorization
OIDC_TOKEN_URI=https://sso.example.com/api/oidc/token
OIDC_USERINFO_URI=https://sso.example.com/api/oidc/userinfo
# outline登录界面显示的名称:使用{}登录
OIDC_DISPLAY_NAME=账号密码
OIDC_USERNAME_CLAIM=preferred_username
OIDC_SCOPES="openid offline_access profile email"
|
备份路径
需要备份的内容:
- /var/lib/docker/volumes/outline_database-data
- /var/lib/docker/volumes/outline_outline-data
docker-compose.yml 同级目录下的 data 文件
