Source-grounded rewrite of 529 published docs pages with per-unit information-loss verification: 1,713 factual corrections cited to src/**, generated surfaces regenerated, frontmatter titles preserved for i18n, release notes pages untouched. All docs gates green. Closes #100141
5.5 KiB
summary, read_when, title
| summary | read_when | title | |||
|---|---|---|---|---|---|
| CLI reference for `openclaw proxy`, including operator-managed proxy validation and the local debug proxy capture inspector |
|
Proxy |
openclaw proxy
Validate operator-managed proxy routing, or run the local explicit debug proxy and inspect captured traffic.
openclaw proxy validate [--json] [--proxy-url <url>] [--proxy-ca-file <path>] [--allowed-url <url>] [--denied-url <url>] [--apns-reachable] [--apns-authority <url>] [--timeout-ms <ms>]
openclaw proxy start [--host <host>] [--port <port>]
openclaw proxy run [--host <host>] [--port <port>] -- <cmd...>
openclaw proxy coverage
openclaw proxy sessions [--limit <count>]
openclaw proxy query --preset <name> [--session <id>]
openclaw proxy blob --id <blobId>
openclaw proxy purge
validate preflights an operator-managed forward proxy. The rest are debugging tools for transport-level investigation: start a local capturing proxy, run a child command through it, list capture sessions, query traffic patterns, read captured blobs, and purge local capture data.
Validate
Checks the effective operator-managed proxy URL from --proxy-url, config (proxy.proxyUrl), or OPENCLAW_PROXY_URL, in that precedence order. Reports a config problem if no proxy is enabled and configured; pass --proxy-url for a one-off preflight without touching config.
Managed proxy URLs use http:// for a plain forward-proxy listener, or https:// when OpenClaw must open TLS to the proxy endpoint itself before sending proxy requests. Use --proxy-ca-file to trust a private CA for that TLS connection.
By default it runs:
- one allowed check against
https://example.com/(override/add with--allowed-url, repeatable) - one denied check against a temporary loopback canary (override with
--denied-url, repeatable)
Custom --denied-url targets are fail-closed: both HTTP responses and ambiguous transport failures count as failures unless you can independently verify a deployment-specific denial signal. The built-in loopback canary is the only target where a transport error is treated as proof of blocking.
Add --apns-reachable to also open an APNs HTTP/2 CONNECT tunnel through the proxy and confirm sandbox APNs responds. The probe sends an intentionally invalid provider token, so an APNs 403 InvalidProviderToken response counts as a successful reachability signal (not a failure).
Options
| Flag | Effect |
|---|---|
--json |
print machine-readable JSON |
--proxy-url <url> |
validate this http:///https:// proxy URL instead of config or env |
--proxy-ca-file <path> |
trust this PEM CA file for TLS verification of an HTTPS proxy endpoint |
--allowed-url <url> |
destination expected to succeed through the proxy (repeatable) |
--denied-url <url> |
destination expected to be blocked by the proxy (repeatable) |
--apns-reachable |
also verify sandbox APNs HTTP/2 is reachable through the proxy |
--apns-authority <url> |
APNs authority to probe (default https://api.sandbox.push.apple.com; production is https://api.push.apple.com) |
--timeout-ms <ms> |
per-request timeout |
Exits with code 1 when proxy config or destination checks fail.
See Network Proxy for deployment guidance and denial semantics.
Debug proxy
start launches a local capturing proxy and prints its URL, CA cert path, and capture DB path; stop with Ctrl+C. Defaults to binding 127.0.0.1 unless --host is set.
run starts a local debug proxy, then runs <cmd...> (after --) with the proxy env applied, under its own capture session.
The debug proxy's direct upstream forwarding opens upstream sockets for diagnostics. When OpenClaw managed proxy mode is active, direct forwarding for proxy requests and CONNECT tunnels is disabled by default; set OPENCLAW_DEBUG_PROXY_ALLOW_DIRECT_CONNECT_WITH_MANAGED_PROXY=1 only for approved local diagnostics.
coverage prints a JSON report (summary + per-transport entries) of which transports are captured, proxy-only, or uncovered.
sessions lists recent capture sessions (--limit, default 20).
query --preset <name> runs a built-in query against captured traffic, optionally scoped to --session <id>. Presets:
double-sendsretry-stormscache-bustingws-duplicate-framesmissing-ackerror-bursts
blob --id <blobId> prints a captured payload blob's raw content.
purge deletes all captured traffic metadata and blobs. Captures are local debugging data; purge when finished.