Summary
I'm trying to secure Clawdbot with Pomerium (an Identity Aware Proxy). Full disclosure, I work at Pomerium. The proxy handles authentication, so Clawdbot doesn't need its own auth.
But when I bind to LAN, Clawdbot forces token authentication. This breaks WebSocket connections because browsers can't pass the token in WebSocket message payloads. The web UI loads but shows "disconnected (1008): unauthorized" for all real-time features.
Proposed solution
Allow `gateway.auth: "off"` when `gateway.bind: "lan"` for reverse proxy scenarios.
Could add an explicit opt-in flag like:
```json5
{
  gateway: {
    bind: "lan",
    auth: {
      mode: "off",
      allowUnauthenticatedProxy: true
    }
  }
}
```
This would only work when users explicitly opt in and understand they need a reverse proxy handling auth.
Alternatives considered
- iptables forwarding to keep loopback binding - ran into complex networking issues with Kubernetes service routing
- Passing token via Pomerium headers - doesn't work because the token is required in WebSocket message data, not HTTP headers
- Just accepting the errors - web UI is non-functional without WebSockets
- Using Docker instead of Kubernetes - works fine with simple Docker setups (host networking or host.docker.internal), but not suitable for Kubernetes deployments where service routing is more complex.
Additional context
My setup: Kubernetes with Pomerium securing services in my cluster. Clawdbot runs on the host, not exposed to the internet. Only Pomerium can reach it.
This is a similar pattern to how people run apps behind Caddy with authentication or nginx with OAuth plugins.
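As an added example, not part of the issue text and not Clawdbot's own code: a config validator that implements the opt-in rule proposed above. The only field names taken from the issue are `gateway.bind`, `gateway.auth.mode` and `gateway.auth.allowUnauthenticatedProxy`; the bind values `loopback`/`lan`, the auth modes `token`/`off`, and the defaults (`loopback`, `token`) are assumptions for illustration. The check refuses an unauthenticated LAN bind unless the operator explicitly opts in, and rejects the opt-in flag when it would have no effect, so a stray `allowUnauthenticatedProxy: true` on a token-authenticated gateway is surfaced rather than silently ignored.

```javascript
// Added example (hypothetical, not Clawdbot's code). Validates the gateway
// section of a config object against the opt-in rule proposed in the issue.
// Assumed vocabulary: bind is "loopback" | "lan", auth.mode is "token" | "off".

const BINDS = new Set(["loopback", "lan"]);
const AUTH_MODES = new Set(["token", "off"]);

// Returns { ok: true, bind, effectiveAuth, warnings } or { ok: false, reason }.
function validateGatewayConfig(cfg) {
  const gw = cfg && cfg.gateway;
  if (!gw || typeof gw !== "object") {
    return { ok: false, reason: "gateway section missing" };
  }

  // Assumed defaults: loopback bind, token auth.
  const bind = gw.bind ?? "loopback";
  // Accept both the shorthand `auth: "off"` and the object form `auth: { mode: "off" }`.
  const auth = typeof gw.auth === "string" ? { mode: gw.auth } : (gw.auth ?? {});
  const mode = auth.mode ?? "token";
  const optIn = auth.allowUnauthenticatedProxy === true;

  if (!BINDS.has(bind)) {
    return { ok: false, reason: `unknown gateway.bind "${bind}"` };
  }
  if (!AUTH_MODES.has(mode)) {
    return { ok: false, reason: `unknown gateway.auth.mode "${mode}"` };
  }

  // The opt-in flag only has meaning when auth is actually disabled; reject it
  // otherwise so a misplaced flag is noticed instead of silently ignored.
  if (optIn && mode !== "off") {
    return {
      ok: false,
      reason: 'allowUnauthenticatedProxy requires gateway.auth.mode "off"',
    };
  }

  // The rule from the proposal: auth may only be off on a LAN bind when the
  // operator has explicitly acknowledged that a reverse proxy handles auth.
  if (mode === "off" && bind === "lan" && !optIn) {
    return {
      ok: false,
      reason:
        'gateway.auth.mode "off" with gateway.bind "lan" requires ' +
        "gateway.auth.allowUnauthenticatedProxy: true",
    };
  }

  const warnings = [];
  if (mode === "off" && bind === "lan") {
    warnings.push(
      "gateway listens on the LAN without its own authentication; " +
        "ensure only the authenticating reverse proxy can reach this port"
    );
  }
  return { ok: true, bind, effectiveAuth: mode, warnings };
}

// Usage: the configuration proposed in the issue passes with a warning,
// the same configuration without the opt-in flag is rejected.
const proposed = {
  gateway: { bind: "lan", auth: { mode: "off", allowUnauthenticatedProxy: true } },
};
const missingOptIn = { gateway: { bind: "lan", auth: { mode: "off" } } };
console.log(validateGatewayConfig(proposed));
console.log(validateGatewayConfig(missingOptIn));

module.exports = { validateGatewayConfig };
```

The validator is deliberately strict in both directions: it will not let `auth.mode: "off"` leak onto a LAN bind by accident, and it will not accept the opt-in flag where it does nothing, which keeps the one dangerous combination visible in the config as an explicit, reviewable pair of settings.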