chore(sync): mirror docs from openclaw/openclaw@b7fba2100f
This commit is contained in:
parent
1aaca6eac2
commit
af64e7ba1a
@ -1,5 +1,5 @@
|
||||
{
|
||||
"repository": "openclaw/openclaw",
|
||||
"sha": "cb4fc585472a3ac9961a8d2948eb2904777585b0",
|
||||
"syncedAt": "2026-04-24T06:30:49.022Z"
|
||||
"sha": "b7fba2100f1780f9d2485ed7452482359747d1a1",
|
||||
"syncedAt": "2026-04-24T06:33:36.993Z"
|
||||
}
|
||||
|
||||
@ -77,7 +77,9 @@ Options:
|
||||
For a node connecting to a non-loopback `ws://` Gateway on a trusted private
|
||||
network, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`. Without it, node startup
|
||||
fails closed and asks you to use `wss://`, an SSH tunnel, or Tailscale.
|
||||
`openclaw node install` persists this opt-in into the supervised node service.
|
||||
This is a process-environment opt-in, not an `openclaw.json` config key.
|
||||
`openclaw node install` persists it into the supervised node service when it is
|
||||
present in the install command environment.
|
||||
|
||||
## Service (background)
|
||||
|
||||
|
||||
@ -28,6 +28,8 @@ openclaw onboard --mode remote --remote-url wss://gateway-host:18789
|
||||
|
||||
For plaintext private-network `ws://` targets (trusted networks only), set
|
||||
`OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` in the onboarding process environment.
|
||||
There is no `openclaw.json` equivalent for this client-side transport
|
||||
break-glass.
|
||||
|
||||
Non-interactive custom provider:
|
||||
|
||||
|
||||
@ -319,7 +319,12 @@ See [Plugins](/tools/plugin).
|
||||
- `controlUi.allowedOrigins`: explicit browser-origin allowlist for Gateway WebSocket connects. Required when browser clients are expected from non-loopback origins.
|
||||
- `controlUi.dangerouslyAllowHostHeaderOriginFallback`: dangerous mode that enables Host-header origin fallback for deployments that intentionally rely on Host-header origin policy.
|
||||
- `remote.transport`: `ssh` (default) or `direct` (ws/wss). For `direct`, `remote.url` must be `ws://` or `wss://`.
|
||||
- `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`: client-side break-glass override that allows plaintext `ws://` to trusted private-network IPs; default remains loopback-only for plaintext.
|
||||
- `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`: client-side process-environment
|
||||
break-glass override that allows plaintext `ws://` to trusted private-network
|
||||
IPs; default remains loopback-only for plaintext. There is no `openclaw.json`
|
||||
equivalent, and browser private-network config such as
|
||||
`browser.ssrfPolicy.dangerouslyAllowPrivateNetwork` does not affect Gateway
|
||||
WebSocket clients.
|
||||
- `gateway.remote.token` / `.password` are remote-client credential fields. They do not configure gateway auth by themselves.
|
||||
- `gateway.push.apns.relay.baseUrl`: base HTTPS URL for the external APNs relay used by official/TestFlight iOS builds after they publish relay-backed registrations to the gateway. This URL must match the relay URL compiled into the iOS build.
|
||||
- `gateway.push.apns.relay.timeoutMs`: gateway-to-relay send timeout in milliseconds. Defaults to `10000`.
|
||||
|
||||
@ -138,7 +138,9 @@ Short version: **keep the Gateway loopback-only** unless you’re sure you need
|
||||
|
||||
- **Loopback + SSH/Tailscale Serve** is the safest default (no public exposure).
|
||||
- Plaintext `ws://` is loopback-only by default. For trusted private networks,
|
||||
set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as break-glass.
|
||||
set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as
|
||||
break-glass. There is no `openclaw.json` equivalent; this must be process
|
||||
environment for the client making the WebSocket connection.
|
||||
- **Non-loopback binds** (`lan`/`tailnet`/`custom`, or `auto` when loopback is unavailable) must use gateway auth: token, password, or an identity-aware reverse proxy with `gateway.auth.mode: "trusted-proxy"`.
|
||||
- `gateway.remote.token` / `.password` are client credential sources. They do **not** configure server auth by themselves.
|
||||
- Local call paths can use `gateway.remote.*` as fallback only when `gateway.auth.*` is unset.
|
||||
|
||||
@ -840,7 +840,9 @@ If `gateway.auth.token` / `gateway.auth.password` is explicitly configured via
|
||||
SecretRef and unresolved, resolution fails closed (no remote fallback masking).
|
||||
Optional: pin remote TLS with `gateway.remote.tlsFingerprint` when using `wss://`.
|
||||
Plaintext `ws://` is loopback-only by default. For trusted private-network
|
||||
paths, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as break-glass.
|
||||
paths, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as
|
||||
break-glass. This is intentionally process environment only, not an
|
||||
`openclaw.json` config key.
|
||||
|
||||
Local device pairing:
|
||||
|
||||
|
||||
@ -152,6 +152,10 @@ OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1 \
|
||||
openclaw node restart
|
||||
```
|
||||
|
||||
`OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` is process environment, not an
|
||||
`openclaw.json` setting. `openclaw node install` stores it in the LaunchAgent
|
||||
environment when it is present on the install command.
|
||||
|
||||
Approve the node from the Gateway host:
|
||||
|
||||
```bash
|
||||
|
||||
Loading…
Reference in New Issue
Block a user