docs: clarify private ws node setup · openclaw/openclaw@b7fba21
steipete
·
2026-04-24
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -77,7 +77,9 @@ Options:
|
77 | 77 | For a node connecting to a non-loopback `ws://` Gateway on a trusted private |
78 | 78 | network, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`. Without it, node startup |
79 | 79 | fails closed and asks you to use `wss://`, an SSH tunnel, or Tailscale. |
80 | | -`openclaw node install` persists this opt-in into the supervised node service. |
| 80 | +This is a process-environment opt-in, not an `openclaw.json` config key. |
| 81 | +`openclaw node install` persists it into the supervised node service when it is |
| 82 | +present in the install command environment. |
81 | 83 | |
82 | 84 | ## Service (background) |
83 | 85 | |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -28,6 +28,8 @@ openclaw onboard --mode remote --remote-url wss://gateway-host:18789
|
28 | 28 | |
29 | 29 | For plaintext private-network `ws://` targets (trusted networks only), set |
30 | 30 | `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` in the onboarding process environment. |
| 31 | +There is no `openclaw.json` equivalent for this client-side transport |
| 32 | +break-glass. |
31 | 33 | |
32 | 34 | Non-interactive custom provider: |
33 | 35 | |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -319,7 +319,12 @@ See [Plugins](/tools/plugin).
|
319 | 319 | - `controlUi.allowedOrigins`: explicit browser-origin allowlist for Gateway WebSocket connects. Required when browser clients are expected from non-loopback origins. |
320 | 320 | - `controlUi.dangerouslyAllowHostHeaderOriginFallback`: dangerous mode that enables Host-header origin fallback for deployments that intentionally rely on Host-header origin policy. |
321 | 321 | - `remote.transport`: `ssh` (default) or `direct` (ws/wss). For `direct`, `remote.url` must be `ws://` or `wss://`. |
322 | | -- `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`: client-side break-glass override that allows plaintext `ws://` to trusted private-network IPs; default remains loopback-only for plaintext. |
| 322 | +- `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`: client-side process-environment |
| 323 | + break-glass override that allows plaintext `ws://` to trusted private-network |
| 324 | + IPs; default remains loopback-only for plaintext. There is no `openclaw.json` |
| 325 | + equivalent, and browser private-network config such as |
| 326 | +`browser.ssrfPolicy.dangerouslyAllowPrivateNetwork` does not affect Gateway |
| 327 | + WebSocket clients. |
323 | 328 | - `gateway.remote.token` / `.password` are remote-client credential fields. They do not configure gateway auth by themselves. |
324 | 329 | - `gateway.push.apns.relay.baseUrl`: base HTTPS URL for the external APNs relay used by official/TestFlight iOS builds after they publish relay-backed registrations to the gateway. This URL must match the relay URL compiled into the iOS build. |
325 | 330 | - `gateway.push.apns.relay.timeoutMs`: gateway-to-relay send timeout in milliseconds. Defaults to `10000`. |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -138,7 +138,9 @@ Short version: **keep the Gateway loopback-only** unless you’re sure you need
|
138 | 138 | |
139 | 139 | - **Loopback + SSH/Tailscale Serve** is the safest default (no public exposure). |
140 | 140 | - Plaintext `ws://` is loopback-only by default. For trusted private networks, |
141 | | - set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as break-glass. |
| 141 | + set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as |
| 142 | + break-glass. There is no `openclaw.json` equivalent; this must be process |
| 143 | + environment for the client making the WebSocket connection. |
142 | 144 | - **Non-loopback binds** (`lan`/`tailnet`/`custom`, or `auto` when loopback is unavailable) must use gateway auth: token, password, or an identity-aware reverse proxy with `gateway.auth.mode: "trusted-proxy"`. |
143 | 145 | - `gateway.remote.token` / `.password` are client credential sources. They do **not** configure server auth by themselves. |
144 | 146 | - Local call paths can use `gateway.remote.*` as fallback only when `gateway.auth.*` is unset. |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -840,7 +840,9 @@ If `gateway.auth.token` / `gateway.auth.password` is explicitly configured via
|
840 | 840 | SecretRef and unresolved, resolution fails closed (no remote fallback masking). |
841 | 841 | Optional: pin remote TLS with `gateway.remote.tlsFingerprint` when using `wss://`. |
842 | 842 | Plaintext `ws://` is loopback-only by default. For trusted private-network |
843 | | -paths, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as break-glass. |
| 843 | +paths, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as |
| 844 | +break-glass. This is intentionally process environment only, not an |
| 845 | +`openclaw.json` config key. |
844 | 846 | |
845 | 847 | Local device pairing: |
846 | 848 | |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -152,6 +152,10 @@ OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1 \
|
152 | 152 | openclaw node restart |
153 | 153 | ``` |
154 | 154 | |
| 155 | +`OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` is process environment, not an |
| 156 | +`openclaw.json` setting. `openclaw node install` stores it in the LaunchAgent |
| 157 | +environment when it is present on the install command. |
| 158 | + |
155 | 159 | Approve the node from the Gateway host: |
156 | 160 | |
157 | 161 | ```bash |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。