Docker部署开源身份验证服务：Logto-荒岛

Logto项目介绍（摘自官方项目页面）

Logto is the open-source auth alternative to Auth0, Cognito, and Firebase Auth. It offers a complete identity solution with pre-built UI, modern protocols for authentication and authorization (OIDC/OAuth 2.0/SAML), and enterprise-grade security. Perfect for multi-device apps, SaaS products, and API services.

安装好Docker和需要用到的包：

apt -y update
apt -y install curl nginx python3-certbot-nginx
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh

创建目录和compose文件：

mkdir -p /opt/logto && cd /opt/logto && nano docker-compose.yml

写入如下内容：

name: logto.io
services:
  app:
    image: svhd/logto:latest
    container_name: logto-server
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      - TRUST_PROXY_HEADER=1
      - DB_URL=postgres://imlala:pgpassword@postgres:5432/logto
      - ENDPOINT=https://logto-api.example.com
      - ADMIN_ENDPOINT=https://logto-admin.example.com
    ports:
      - "127.0.0.1:3001:3001"
      - "127.0.0.1:3002:3002"
    entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]

  postgres:
    image: postgres:17-alpine
    container_name: logto-postgres
    restart: unless-stopped
    environment:
      POSTGRES_USER: imlala
      POSTGRES_PASSWORD: pgpassword
      POSTGRES_DB: logto
    volumes:
      - ./db-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready"]
      interval: 10s
      timeout: 5s
      retries: 5

启动：

docker compose up -d

配置NGINX反向代理，需要反代API和管理面板。

新建反代API的NGINX配置文件：

nano /etc/nginx/sites-available/logto

写入如下配置：

server {
    listen 80;
    server_name logto-api.example.com;
    client_max_body_size 0;

    location / {
        proxy_pass http://127.0.0.1:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

新建反代管理面板的NGINX配置文件：

nano /etc/nginx/sites-available/logto-admin

写入如下配置：

server {
    listen 80;
    server_name logto-admin.example.com;
    client_max_body_size 0;

    location / {
        proxy_pass http://127.0.0.1:3002;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

启用站点：

ln -s /etc/nginx/sites-available/logto /etc/nginx/sites-enabled/logto
ln -s /etc/nginx/sites-available/logto-admin /etc/nginx/sites-enabled/logto-admin

签发SSL证书：