From daa701660e5ebd1245b22769476b9361950af3ce Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Wed, 29 Apr 2026 11:02:21 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@bdcd543ed78a6a6c86422434ef6b87f2ac6f17f4 --- .openclaw-sync/source.json | 4 ++-- docs/security/network-proxy.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 307cb52bd..b66756f60 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "e6cd90e3fd9c66a9008a5a6de1b7da42c4a4c521", - "syncedAt": "2026-04-29T10:55:44.329Z" + "sha": "bdcd543ed78a6a6c86422434ef6b87f2ac6f17f4", + "syncedAt": "2026-04-29T11:00:49.793Z" } diff --git a/docs/security/network-proxy.md b/docs/security/network-proxy.md index d4eb0a260..63370c7ae 100644 --- a/docs/security/network-proxy.md +++ b/docs/security/network-proxy.md @@ -36,7 +36,7 @@ OpenClaw process WebSocket clients -> operator-managed filtering proxy -> public internet ``` -The public contract is the routing behavior, not the internal Node hooks used to implement it. OpenClaw Gateway control-plane WebSocket clients use a narrow direct path for local loopback Gateway RPC traffic when the Gateway URL uses a literal loopback IP such as `127.0.0.1` or `[::1]`. That control-plane path must be able to reach loopback Gateways even when the operator proxy blocks loopback destinations. Normal runtime HTTP and WebSocket requests still use the configured proxy. +The public contract is the routing behavior, not the internal Node hooks used to implement it. OpenClaw Gateway control-plane WebSocket clients use a narrow direct path for local loopback Gateway RPC traffic when the Gateway URL uses `localhost` or a literal loopback IP such as `127.0.0.1` or `[::1]`. That control-plane path must be able to reach loopback Gateways even when the operator proxy blocks loopback destinations. Normal runtime HTTP and WebSocket requests still use the configured proxy. The proxy URL itself must use `http://`. HTTPS destinations are still supported through the proxy with HTTP `CONNECT`; this only means OpenClaw expects a plain HTTP forward-proxy listener such as `http://127.0.0.1:3128`. @@ -150,6 +150,6 @@ proxy: - The proxy improves coverage for process-local JavaScript HTTP and WebSocket clients, but it does not replace application-level `fetchWithSsrFGuard`. - Raw `net`, `tls`, and `http2` sockets, native addons, and child processes may bypass Node-level proxy routing unless they inherit and respect proxy environment variables. - User local WebUIs and local model servers should be allowlisted in the operator proxy policy when needed; OpenClaw does not expose a general local-network bypass for them. -- Gateway control-plane proxy bypass is intentionally limited to literal loopback IP URLs. Use `ws://127.0.0.1:18789` or `ws://[::1]:18789` for local direct Gateway control-plane connections; `localhost` hostnames route like ordinary hostname-based traffic. +- Gateway control-plane proxy bypass is intentionally limited to `localhost` and literal loopback IP URLs. Use `ws://127.0.0.1:18789`, `ws://[::1]:18789`, or `ws://localhost:18789` for local direct Gateway control-plane connections; other hostnames route like ordinary hostname-based traffic. - OpenClaw does not inspect, test, or certify your proxy policy. - Treat proxy policy changes as security-sensitive operational changes.