Bug
When CHAT_UI_URL is set to an HTTPS URL without an explicit port — exactly as documented at Remote Dashboard Access — onboard unconditionally overrides the port with the internal dashboard port (18789).
Root cause: src/lib/onboard.ts line ~4002:
parsed.port = String(effectivePort);
This produces:
"allowedOrigins": [
"http://127.0.0.1:18789",
"https://brev-host.brevlab.com:18789"
]
But when the dashboard is accessed through a reverse proxy (Brev Cloudflare Tunnel, nginx, Caddy, etc.), the browser sends origin https://brev-host.brevlab.com (port 443) — which doesn't match, causing:
origin not allowed (open the Control UI from the gateway host or allow it in gateway.controlUi.allowedOrigins)
The docs say to do exactly this:
set CHAT_UI_URL to the origin the browser will use before running setup:
export CHAT_UI_URL="https://openclaw0-<id>.brevlab.com"
Repro
CHAT_UI_URL="https://brev-host.brevlab.com" nemoclaw onboard --non-interactive
- Access dashboard via Brev tunnel:
https://brev-host.brevlab.com/chat?session=main
- CORS error: "origin not allowed"
Workaround
Manually add the portless origin via kubectl:
docker exec openshell-cluster-nemoclaw kubectl exec my-assistant -n openshell -- python3 -c "
import json
path = '/sandbox/.openclaw/openclaw.json'
with open(path) as f:
    config = json.load(f)
# Allow the portless origin that the browser sends through the reverse proxy
config['gateway']['controlUi']['allowedOrigins'].append('https://brev-host.brevlab.com')
with open(path, 'w') as f:
    json.dump(config, f, indent=2)
"
Then: nemoclaw my-assistant connect --probe-only
Suggested fix
In scripts/generate-openclaw-config.py (line ~197), when the user-provided CHAT_UI_URL had no explicit port, include both the original origin and the port-annotated origin in allowedOrigins. Safe (same host) and covers both direct and proxied access.
Affected platforms
Any reverse proxy: Brev (Cloudflare Tunnel), nginx, Caddy, Tailscale Funnel, etc.
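A sketch of the suggested fix, added here as an example and not taken from scripts/generate-openclaw-config.py: the helper names `build_allowed_origins` and `serialize_origin` are hypothetical, and keeping an explicitly given port unchanged is an assumption. It derives the allow-list from CHAT_UI_URL and, when no port was given, emits both the portless origin the browser sends through a proxy and the dashboard-port origin.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(scheme, host, port):
    """Serialize an origin as a browser sends it: the scheme's default port is omitted."""
    if ":" in host:  # IPv6 literal; urlsplit().hostname strips the brackets
        host = f"[{host}]"
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def build_allowed_origins(chat_ui_url, dashboard_port=18789):
    """Return the allowedOrigins list for a given CHAT_UI_URL (hypothetical helper)."""
    origins = [f"http://127.0.0.1:{dashboard_port}"]
    if not chat_ui_url:
        return origins
    parts = urlsplit(chat_ui_url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"CHAT_UI_URL must be an absolute http(s) URL: {chat_ui_url!r}")
    host = parts.hostname  # already lowercased by urlsplit
    if parts.port is None:
        # No explicit port: allow the portless origin (proxied access) and
        # the dashboard-port origin (direct access), same host for both.
        candidates = [
            serialize_origin(scheme, host, None),
            serialize_origin(scheme, host, dashboard_port),
        ]
    else:
        # Assumption: an explicit port is the user's intent and is kept as given.
        candidates = [serialize_origin(scheme, host, parts.port)]
    for origin in candidates:
        if origin not in origins:
            origins.append(origin)
    return origins


if __name__ == "__main__":
    # Constructed sample value, taken from the report's repro command.
    print(build_allowed_origins("https://brev-host.brevlab.com"))
```

Only the scheme, host and port of CHAT_UI_URL reach the list, so a pasted URL with a path or query string still yields exact origins and never a wildcard.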