The Docker and Docker Compose deployment options do not support injecting the `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` through environment variables, which prevents enabling the Clerk authentication service. Recommended alternatives include:
- The one-click startup script is only for initial deployment; for subsequent deployments, please refer to the [Custom Deployment](#custom-deployment) section.
Execute the following commands to set up the deployment environment; the directory `lobe-chat-db` will be used to store your configuration files and subsequent database files.
The script supports the following deployment modes; please choose the appropriate mode based on your needs and read the rest of the documentation.
- [Local Mode (default)](#local-mode): Accessible only from the local machine, with no LAN/public access; suitable for a first trial.
- [Port Mode](#port-mode): Supports LAN/public `http` access; suitable when you have no domain or for private network use.
- [Domain Mode](#domain-mode): Supports LAN/public `http/https` access through a reverse proxy; suitable for personal or team use.
<Callout type="info">
In the script's options prompt `(Option1/Option2)[Option1]`: `(Option1 / Option2)` indicates selectable options, while `[Option1]` indicates the default option; simply press enter to choose the default.
After the script finishes running, you need to check the configuration generation report, which includes the accounts and initial login passwords for the Casdoor administrator and user.
```log
The results of the secure key generation are as follows:
LobeChat:
- URL: http://localhost:3210
- Username: user
- Password: c66f8c
Casdoor:
- URL: http://localhost:8000
- Username: admin
- Password: c66f8c
Minio:
- URL: http://localhost:9000
- Username: admin
- Password: 8c82ea41
```
### Start Docker
```sh
docker compose up -d
```
### Check Logs
```sh
docker logs -f lobe-chat
```
If you see the following logs in the container, it means the startup was successful:
```log
[Database] Start to migration...
✅ database migration pass.
-------------------------------------
▲ Next.js 14.x.x
- Local: http://localhost:3210
- Network: http://0.0.0.0:3210
✓ Starting...
✓ Ready in 95ms
```
### Access Application
Visit your LobeChat service at [http://localhost:3210](http://localhost:3210). The account credentials for the application can be found in the report from step `2`.
- Server IP address settings: for LAN/public access.
- Regenerate secure keys: We highly recommend regenerating the secure keys; if you lack the key generation library required by the script, we suggest referring to the [Custom Deployment](#custom-deployment) section for key modifications.
After the script finishes running, please check the configuration generation report for the Casdoor administrator account, user account, and their initial login passwords.
```log
The results of the secure key generation are as follows:
LobeChat:
- URL: http://your_server_ip:3210
- Username: user
- Password: 837e26
Casdoor:
- URL: http://your_server_ip:8000
- Username: admin
- Password: 837e26
Minio:
- URL: http://your_server_ip:9000
- Username: admin
- Password: dbac8440
```
### Start Docker
```sh
docker compose up -d
```
### Check Logs
```sh
docker logs -f lobe-chat
```
If you see the following logs in the container, it means the startup was successful:
```log
[Database] Start to migration...
✅ database migration pass.
-------------------------------------
▲ Next.js 14.x.x
- Local: http://your_server_ip:3210
- Network: http://0.0.0.0:3210
✓ Starting...
✓ Ready in 95ms
```
### Access Application
You can access your LobeChat service at `http://your_server_ip:3210`. The account credentials for the application can be found in the report from step `2`.
In domain mode, you need to complete the reverse proxy configuration and ensure that the following services are reachable from the LAN/public network. Use a reverse proxy to map the following service ports to the domain names:
- Domain setup for the LobeChat service: `lobe.example.com`
- Domain setup for the Minio service: `s3-api.example.com`
- Domain setup for the Casdoor service: `auth-ui.example.com`
- Choose the access protocol: `http` or `https`
- Regenerate secure keys: We highly recommend regenerating the secure keys; if you lack the key generation library required by the script, we suggest referring to the [Custom Deployment](#custom-deployment) section for key modifications.
- If you use the HTTPS protocol, ensure that your domain certificate is correctly configured; one-click deployment does not support self-signed certificates by default.
After the script finishes running, you need to check the configuration generation report, which includes the initial login password for the Casdoor administrator.
```log
The results of the secure key generation are as follows:
LobeChat:
- URL: https://lobe.example.com
- Username: user
- Password: 837e26
Casdoor:
- URL: https://auth-ui.example.com
- Username: admin
- Password: 837e26
Minio:
- URL: https://s3-api.example.com
- Username: admin
- Password: dbac8440
```
### Start Docker
```sh
docker compose up -d
```
### Check Logs
```sh
docker logs -f lobe-chat
```
If you see the following logs in the container, it indicates a successful startup:
```log
[Database] Start to migration...
✅ database migration pass.
-------------------------------------
▲ Next.js 14.x.x
- Local: https://localhost:3210
- Network: http://0.0.0.0:3210
✓ Starting...
✓ Ready in 95ms
```
### Access Application
You can access your LobeChat service via `https://lobe.example.com`. The account credentials for the application can be found in the report from step `3`.
This section mainly introduces the configurations that need to be modified to customize the deployment of the LobeChat service in different network environments.
Before starting, you can download the [Docker Compose configuration file](https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/local/docker-compose.yml) and the [environment variable configuration file](https://raw.githubusercontent.com/lobehub/lobe-chat/HEAD/docker-compose/local/.env.en_US.example).
This section does not cover every variable; for the remaining variables, see [Deploying with the Server Database](/en/docs/self-hosting/server-database).
</Callout>
### Prerequisites
Generally, to fully run the LobeChat database version, you will need at least the following four services:
- The LobeChat database version itself
- PostgreSQL database with PGVector plugin
- Object storage service that supports S3 protocol
- An SSO authentication service supported by LobeChat
These services can be combined through self-hosting or online cloud services to meet various deployment needs. In this article, we provide a Docker Compose configuration entirely based on open-source self-hosted services, which can be used directly to start the LobeChat database version or modified to suit your requirements.
We use [MinIO](https://github.com/minio/minio) as the local S3 object storage service and [Casdoor](https://github.com/casdoor/casdoor) as the local authentication service by default.
<Callout type="warning">
If your network topology is complex, please make sure these services can communicate properly within your network environment.
</Callout>
### Necessary Configuration
Now, we will introduce the necessary configurations for running these services:
1. Casdoor
- LobeChat requires communication with Casdoor, so you need to configure Casdoor's Issuer.
```env
AUTH_CASDOOR_ISSUER=https://auth-ui.example.com
```
This setting affects LobeChat's login authentication, so make sure the URL of the Casdoor service is correct. Common symptoms of a wrong value, and their fixes, are listed in the [FAQ](#faq).
- Additionally, you need to allow the callback URL in Casdoor to point to the LobeChat address:
Please add a line in the `Authentication -> Application` -> `<Application ID, default is app-built-in>` -> `Redirect URI` in Casdoor's web panel:
Check for the following errors based on the container logs:
```sh
docker logs -f lobe-chat
```
- r3: "response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)
```log
lobe-chat | [auth][error] r3: "response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)
```
Cause: This issue is typically caused by improper reverse proxy configuration; you need to ensure your reverse proxy configuration does not intercept the Casdoor OAuth2 configuration requests.
Solutions:
- Please refer to the reverse proxy configuration notes in the [Domain Mode](#domain-mode) section.
- A direct troubleshooting method is to open `https://auth-ui.example.com/.well-known/openid-configuration` yourself:
  - If non-JSON data is returned, your reverse proxy configuration is incorrect.
  - If the returned JSON contains an `"issuer": "URL"` field that does not match your configured `https://auth-ui.example.com`, your environment variable configuration is incorrect.
- TypeError: fetch failed
```log
lobe-chat | [auth][error] TypeError: fetch failed
```
Cause: LobeChat cannot access the authentication service.
Solutions:
- Check whether your authentication service is running properly and whether LobeChat's network can reach the authentication service.
- A straightforward troubleshooting method is to use the `curl` command in the LobeChat container terminal to access your authentication service at `https://auth-ui.example.com/.well-known/openid-configuration`. If JSON format data is returned, it indicates your authentication service is functioning correctly.
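
The discovery-endpoint checks from the two FAQ entries above, combined into one added Python example (not part of the LobeChat documentation). The function names, verdict labels and sample responses are constructed for illustration; `AUTH_CASDOOR_ISSUER` and the example URL come from this page.

```python
import json
import urllib.error
import urllib.request

DISCOVERY_PATH = "/.well-known/openid-configuration"

def fetch_discovery(issuer, timeout=5):
    """Fetch the discovery document; returns (status, body), status None if unreachable."""
    url = issuer.rstrip("/") + DISCOVERY_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # the server answered, but not with 2xx
        return err.code, err.read().decode("utf-8", "replace")
    except OSError:  # DNS failure, refused connection, TLS error, timeout
        return None, ""

def diagnose_discovery(status, body, expected_issuer):
    """Map one discovery response to the FAQ's causes; returns (verdict, detail)."""
    if status is None:
        return "unreachable", "no response: the 'fetch failed' case"
    if status != 200:
        return "reverse-proxy", f"unexpected HTTP status {status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "reverse-proxy", "body is not JSON"
    # Assumption beyond the FAQ: JSON without an issuer is treated as a wrong upstream.
    if not isinstance(doc, dict) or "issuer" not in doc:
        return "reverse-proxy", "JSON without an issuer field"
    # The issuer is compared as an exact string: a trailing slash or an
    # http/https difference is already a mismatch.
    if doc["issuer"] != expected_issuer:
        return "issuer-env", f"issuer {doc['issuer']!r} != configured {expected_issuer!r}"
    return "ok", "issuer matches AUTH_CASDOOR_ISSUER"

# Constructed sample responses (not captured from a real deployment).
EXPECTED = "https://auth-ui.example.com"
SAMPLES = {
    "proxy serves an HTML page": (200, "<html><body>Welcome to nginx!</body></html>"),
    "proxy blocks the path": (404, "Not Found"),
    "issuer has another scheme": (200, '{"issuer": "http://auth-ui.example.com"}'),
    "healthy": (200, '{"issuer": "https://auth-ui.example.com"}'),
    "service down": (None, ""),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name}: {diagnose_discovery(status, body, EXPECTED)}")
```

Against a live deployment, pass the result of `fetch_discovery(issuer)` to `diagnose_discovery` with the value you set in `AUTH_CASDOOR_ISSUER`, and run it from inside the LobeChat container so the request takes the same network path as the application.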
To enhance your LobeChat service, you can perform the following extended configurations according to your needs.
### Use MinIO to Store Casdoor Avatars
Allow users to change their avatars in Casdoor.
1. First, create a bucket named `casdoor` in `buckets`, select a custom policy, and copy and paste the content below (if you modify the bucket name, please find and replace accordingly).
Here, the client ID and client secret correspond to the `Access Key` and `Secret Key` from the previous step; replace `192.168.31.251` with `your_server_ip`.
Due to significant instability when using [Logto](https://logto.io/) as a login and authentication service, the following tutorial builds on the IP-mode deployment and implements a domain-based release with Casdoor as the authentication service provider.
The remainder of this article will illustrate using this as an example. If you are using other login authentication services like Logto, the process should be similar, but be aware that port configurations may differ among different services.
In the following, it is assumed that in addition to the above services, you are also running an **Nginx** layer for reverse proxy and SSL configuration.
Our official Docker images automatically migrate the database schema before the service starts.
Our official images guarantee the stability of automatic table creation for the "empty database -> complete tables" path. We therefore recommend starting from an empty database instance, which avoids having to maintain the table structure or migrations by hand.
This article uses MinIO as an example to explain the configuration process. If you are using another S3 service provider, please refer to their documentation for configuration.
In this document, you need to allow cross-origin requests from `https://lobe.example.com`. This can either be configured in MinIO WebUI under `Configuration - API - Cors Allow Origin`, or in the Docker Compose configuration under `minio - environment - MINIO_API_CORS_ALLOW_ORIGIN`.
2. In the left panel under User / Access Keys, click `Create New Access Key` (no additional modifications are needed), then copy the generated `Access Key` and `Secret Key` into your `.env` file as `S3_ACCESS_KEY_ID` and `S3_SECRET_ACCESS_KEY`.
```env
# Other environment variables, as needed. You can refer to the environment variables configuration for the client version, making sure not to have ACCESS_CODE.
```