fix: persist private ws opt-in for node services · openclaw/openclaw@d4e93e7
steipete
·
2026-04-24
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -74,6 +74,11 @@ Options:
|
74 | 74 | - In `gateway.mode=remote`, remote client fields (`gateway.remote.token` / `gateway.remote.password`) are also eligible per remote precedence rules. |
75 | 75 | - Node host auth resolution only honors `OPENCLAW_GATEWAY_*` env vars. |
76 | 76 | |
| 77 | +For a node connecting to a non-loopback `ws://` Gateway on a trusted private |
| 78 | +network, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`. Without it, node startup |
| 79 | +fails closed and asks you to use `wss://`, an SSH tunnel, or Tailscale. |
| 80 | +`openclaw node install` persists this opt-in into the supervised node service. |
| 81 | + |
77 | 82 | ## Service (background) |
78 | 83 | |
79 | 84 | Install a headless node host as a user service. |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -136,6 +136,22 @@ Start the node host in the VM:
|
136 | 136 | openclaw node run --host <gateway-host> --port 18789 --display-name parallels-macos |
137 | 137 | ``` |
138 | 138 | |
| 139 | +If `<gateway-host>` is a LAN IP and you are not using TLS, the node refuses the |
| 140 | +plaintext WebSocket unless you opt in for that trusted private network: |
| 141 | + |
| 142 | +```bash |
| 143 | +OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1 \ |
| 144 | + openclaw node run --host <gateway-lan-ip> --port 18789 --display-name parallels-macos |
| 145 | +``` |
| 146 | + |
| 147 | +Use the same environment variable when installing the node as a LaunchAgent: |
| 148 | + |
| 149 | +```bash |
| 150 | +OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1 \ |
| 151 | + openclaw node install --host <gateway-lan-ip> --port 18789 --display-name parallels-macos --force |
| 152 | +openclaw node restart |
| 153 | +``` |
| 154 | + |
139 | 155 | Approve the node from the Gateway host: |
140 | 156 | |
141 | 157 | ```bash |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -388,6 +388,13 @@ describe("buildNodeServiceEnvironment", () => {
|
388 | 388 | expect(env.OPENCLAW_GATEWAY_TOKEN).toBe("node-token"); |
389 | 389 | }); |
390 | 390 | |
| 391 | +it("passes through OPENCLAW_ALLOW_INSECURE_PRIVATE_WS for node services", () => { |
| 392 | +const env = buildNodeServiceEnvironment({ |
| 393 | +env: { HOME: "/home/user", OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: " 1 " }, |
| 394 | +}); |
| 395 | +expect(env.OPENCLAW_ALLOW_INSECURE_PRIVATE_WS).toBe("1"); |
| 396 | +}); |
| 397 | + |
391 | 398 | it("omits OPENCLAW_GATEWAY_TOKEN when the env var is empty", () => { |
392 | 399 | const env = buildNodeServiceEnvironment({ |
393 | 400 | env: { |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -298,9 +298,11 @@ export function buildNodeServiceEnvironment(params: {
|
298 | 298 | params.execPath, |
299 | 299 | ); |
300 | 300 | const gatewayToken = normalizeOptionalString(env.OPENCLAW_GATEWAY_TOKEN); |
| 301 | +const allowInsecurePrivateWs = normalizeOptionalString(env.OPENCLAW_ALLOW_INSECURE_PRIVATE_WS); |
301 | 302 | return { |
302 | 303 | ...buildCommonServiceEnvironment(env, sharedEnv), |
303 | 304 | OPENCLAW_GATEWAY_TOKEN: gatewayToken, |
| 305 | +OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: allowInsecurePrivateWs, |
304 | 306 | OPENCLAW_LAUNCHD_LABEL: resolveNodeLaunchAgentLabel(), |
305 | 307 | OPENCLAW_SYSTEMD_UNIT: resolveNodeSystemdServiceName(), |
306 | 308 | OPENCLAW_WINDOWS_TASK_NAME: resolveNodeWindowsTaskName(), |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。