mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-07 04:23:54 +08:00
Source-grounded rewrite of 529 published docs pages with per-unit information-loss verification: 1,713 factual corrections cited to src/**, generated surfaces regenerated, frontmatter titles preserved for i18n, release notes pages untouched. All docs gates green. Closes #100141
4.3 KiB
4.3 KiB
summary, read_when, title
| summary | read_when | title | ||
|---|---|---|---|---|
| Gateway web surfaces: Control UI, bind modes, and security |
|
Web |
The Gateway serves a small browser Control UI (Vite + Lit) from the same port as the Gateway WebSocket:
- default:
http://<host>:18789/ - with
gateway.tls.enabled: true:https://<host>:18789/ - optional prefix: set
gateway.controlUi.basePath(e.g./openclaw)
Capabilities live in Control UI. This page covers bind modes, security, and other web-facing surfaces.
Config (default-on)
Control UI is enabled by default when assets are present (dist/control-ui):
{
gateway: {
controlUi: { enabled: true, basePath: "/openclaw" }, // basePath optional
},
}
Webhooks
When hooks.enabled=true, the Gateway also exposes a webhook endpoint on the same HTTP server. See hooks in Gateway configuration reference for auth and payloads.
Admin HTTP RPC
POST /api/v1/admin/rpc exposes selected Gateway control-plane methods over HTTP. Off by default; registered only when the admin-http-rpc plugin is enabled. See Admin HTTP RPC for the auth model, allowed methods, and comparison with the WebSocket API.
Tailscale access
Keep the Gateway on loopback and let Tailscale Serve proxy it:```json5
{
gateway: {
bind: "loopback",
tailscale: { mode: "serve" },
},
}
```
Start the gateway:
```bash
openclaw gateway
```
Open `https://<magicdns>/` (or your configured `gateway.controlUi.basePath`).
```json5
{
gateway: {
bind: "tailnet",
controlUi: { enabled: true },
auth: { mode: "token", token: "your-token" },
},
}
```
Start the gateway (this non-loopback example uses shared-secret token auth):
```bash
openclaw gateway
```
Open `http://<tailscale-ip>:18789/` (or your configured `gateway.controlUi.basePath`).
```json5
{
gateway: {
bind: "loopback",
tailscale: { mode: "funnel" },
auth: { mode: "password" }, // or OPENCLAW_GATEWAY_PASSWORD
},
}
```
`tailscale.mode: "funnel"` requires `gateway.auth.mode: "password"`; Serve and Funnel both require `gateway.bind: "loopback"`.
Security notes
- Gateway auth is required by default: token, password, trusted-proxy, or Tailscale Serve identity headers when enabled.
- Non-loopback binds still require gateway auth: token/password auth or an identity-aware reverse proxy with
gateway.auth.mode: "trusted-proxy". - The onboarding wizard creates shared-secret auth by default and usually generates a gateway token, even on loopback.
- In shared-secret mode, the UI sends
connect.params.auth.tokenorconnect.params.auth.passwordduring the WebSocket handshake. - With
gateway.tls.enabled: true, local dashboard/status helpers renderhttps://URLs andwss://WebSocket URLs. - In identity-bearing modes (Tailscale Serve,
trusted-proxy), the WebSocket auth check is satisfied from request headers instead of a shared secret. - For public non-loopback Control UI deployments, set
gateway.controlUi.allowedOriginsexplicitly (full origins). Private same-origin loads are accepted without it for loopback, RFC1918/link-local,.local,.ts.net, and Tailscale CGNAT hosts. gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback: trueenables Host-header origin fallback; this is a dangerous security downgrade.- With Serve, Tailscale identity headers satisfy Control UI/WebSocket auth when
gateway.auth.allowTailscale: true(no token/password required). HTTP API endpoints do not use Tailscale identity headers; they always follow the gateway's normal HTTP auth mode. Setgateway.auth.allowTailscale: falseto require explicit credentials even over Serve. This tokenless flow assumes the gateway host itself is trusted. See Tailscale and Security.
Building the UI
The Gateway serves static files from dist/control-ui:
pnpm ui:build