[Bug]: Internal tool→gateway RPC calls incorrectly blocked by ws:// security check

[andreacasini]

Summary

Bug: Internal tool→gateway RPC calls incorrectly blocked by ws:// security check

Environment:

• OpenClaw version: 2026.2.14+
• Setup: Docker container, gateway.bind: "lan"

Summary:
The CWE-319 security check correctly blocks plaintext ws:// to remote hosts, but incorrectly blocks internal tool→gateway RPC calls that happen within the same process. This is a regression — these calls worked before v2026.2.14.

The bug:
When bind: "lan", the code resolves the gateway URL for internal RPC calls to the container's Docker network IP (e.g., ws://172.18.0.2:18789) instead of ws://127.0.0.1:18789. The security check then blocks this as "insecure."

Why this is a bug, not a feature request:

1. The security check's intent is to prevent credential interception over the network
2. Internal calls (agent → gateway in same process) have zero interception risk — there is no network
3. The gateway listens on 0.0.0.0 which includes 127.0.0.1 — localhost would work
4. The code choosing LAN IP instead of localhost for internal calls is the actual bug
5. This broke existing functionality that worked in v2026.2.13

Current workarounds:

• Downgrade to v2026.2.13
• Use bind: "loopback" (breaks external WebUI access)
• Complex TLS/reverse proxy setup

Steps to reproduce

Reproduction:

1. Run OpenClaw in Docker with gateway.bind: "lan"
2. Upgrade to v2026.2.14+
3. Try sessions_list tool → fails with:

Expected behavior

Expected behavior:
Internal RPC calls should use ws://127.0.0.1:<port> since agent and gateway are co-located.

Actual behavior

Tools cannot connect to gateway

OpenClaw version

2026.2.14+

Operating system

Linux

Install method

docker

Logs, screenshots, and evidence

Impact and severity

Affected tools:

• sessions_list
• sessions_history
• cron (list/add/remove)
• Any tool that calls gateway RPCs

Additional information

No response

[Mellowambience]

Taking this. Root cause is clear: the CWE-319 ws:// security check tests the resolved host against a "remote host" condition, but when gateway.bind: "lan" the gateway resolves to a LAN IP (e.g. 192.168.x.x), which the check treats as remote. Fix: add an exemption for loopback + RFC-1918 ranges (127.0.0.1, ::1, 10.x, 172.16-31.x, 192.168.x) since plaintext WebSocket to a private LAN address doesn't carry the same CWE-319 risk as cleartext to a public host. PR shortly.

[gbballpack]

Whoever approves PRs please make merging this PR a priority. After trying to setup Openclaw in Docker for the first time a couple of days ago and continuously failing to be able to approve any devices, Opus 4.6 finally gave me the suggestion of finding and patching the ws:// checks out of the Docker container in order to get basic OpenClaw functionality working in Docker. Please make this a priority fix!

[tapnl]

Same issue here. Gateway with bind: "lan" on a dedicated monitoring VM (Proxmox). All internal tool calls (sessions_spawn, cron list, etc.) blocked since 2026.2.19. The security check is correct for external CLI connections, but shouldn't apply to in-process RPC. Would appreciate a priority merge on the fix.

[li-yifei]

+1, can reproduce on 2026.2.19-2.

Observed behavior:

• With gateway.bind=lan, local CLI/tooling may resolve gateway target as ws://:
• Security guard then hard-blocks non-loopback ws:// with:
  SECURITY ERROR: Gateway URL "ws://:" uses plaintext ws:// to a non-loopback address
• This can break status/doctor/tool RPC paths even when gateway.remote.url is set to ws://127.0.0.1:

Workaround that restores local operation:

• gateway.bind=loopback
• gateway.remote.url=ws://127.0.0.1:

This matches issue #19004 as well (LAN IP selected instead of loopback for local self-calls).

[newcodebook]

Yep — the CWE-319 guard is doing the right thing for remote plaintext ws://, but it’s breaking in-process tool→gateway RPC when gateway.bind: "lan" causes the self-URL to resolve to a Docker/LAN IP.

Workarounds (no code changes):

1. Keep the gateway bound to loopback and expose the Control UI via a safe path (recommended):

• gateway.bind: "loopback"
• access UI via SSH tunnel, or Tailscale Serve (HTTPS)

2. If you must keep bind: "lan" for other machines, set up TLS / reverse proxy so clients use wss://... (and avoid plaintext ws:// entirely).

If you can’t change the bind right now, downgrading to v2026.2.13 (as noted) is the only clean short-term workaround.

CoClaw refs:

• https://coclaw.com/troubleshooting/solutions/control-ui-device-identity-required/
• https://coclaw.com/getting-started/vps/

[gbballpack]

This has got to be one of the most annoying errors I have ever come across in reference to running projects in Docker. Still working on it, but I’m blocked right now by that OpenClaw bug (issue #22104). The CLI refuses to talk to the gateway because it resolves the internal RPC to ws://172.18.0.2:18789 and rejects it as “plaintext ws:// to a non-loopback address.” Until the gateway patch drops (or we temporarily bind to loopback), I can’t list/add cron jobs — every openclaw cron … command fails at the transport layer. Once the RPC path is fixed, I’ll disable the post-boot script and add the twice-daily jobs exactly as you specified.

March 2, 2026 Update:

I had to add config change info here, for future reference for others, without entirely reopening the issue:

One immediate workaround without forking:

-set OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1, which current main already recognizes as the official escape hatch for trusted private-network/plaintext ws:// use. 

Gateway/WS: close repeated post-handshake unauthorized role:* request floods per connection and sample duplicate rejection logs, preventing a single misbehaving client from degrading gateway responsiveness. (#20168) Thanks @acy103, @vibecodooor, and @vincentkoc.

https://raw.githubusercontent.com/openclaw/openclaw/main/CHANGELOG.md ## 2026.3.2 (Unreleased)

[andreacasini]

Mindful that maintainers are working for free and there are 4k PR still to be merged, I am offering a long lived workaround.
This is inspired by work from coollabsio/openclaw because I prefer to modify native openclaw configurations as little as possible; you can actually use that one too, pick your poison.

Workaround for #22104: nginx Reverse Proxy in Shared Network Namespace

Problem: When gateway binds to LAN (bind: "lan"), internal tool→gateway RPC calls fail because LAN IPs are treated as "remote" by the CWE-319 security check.

Solution: Bind gateway to loopback only, use nginx in a separate container sharing the same network namespace to proxy external traffic.

Files

Dockerfile

FROM nginx:alpine

RUN rm /etc/nginx/conf.d/default.conf

COPY nginx.conf /etc/nginx/conf.d/openclaw.conf

EXPOSE 8080

CMD ["nginx", "-g", "daemon off;"]

nginx.conf

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 8080;
    server_name _;

    location / {
        proxy_pass http://127.0.0.1:18789;
        
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support (required for Control UI)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
}

OpenClaw Configuration

Add to openclaw.json:

{
  "gateway": {
    "bind": "loopback",
    "trustedProxies": ["127.0.0.1"],
    "controlUi": {
      "allowedOrigins": ["http://<your-server-ip>:8080"]
    }
  }
}

Docker Compose

Add port 8080 to your OpenClaw service in docker-compose.yml:

ports:
  - "18789-18790:18789-18790"
  - "8080:8080"

Build & Run

# Build nginx image from the directory where you saved `Dockerfile` and `nginx.conf`:
docker build -t openclaw-nginx-proxy .

# Restart OpenClaw to pick up config changes from the directory whare you have `docker-compose.yml`:
docker compose down && docker compose up -d

# Run nginx sharing OpenClaw's network namespace, given openclaw container is `openclaw-openclaw-gateway-1`:
docker run --rm -d \
  --name openclaw-nginx \
  --network container:openclaw-openclaw-gateway-1 \
  openclaw-nginx-proxy

Test

Open http://<your-server-ip>:8080/ in browser — Control UI should work.

How It Works

1. Gateway binds to 127.0.0.1:18789 (loopback only)
2. nginx runs in a separate container but shares OpenClaw's network namespace via --network container:<name>
3. nginx binds to 0.0.0.0:8080 and proxies to 127.0.0.1:18789
4. Docker's port mapping 8080:8080 exposes nginx externally
5. Internal RPC calls work because they use loopback directly
6. External traffic flows: Client → nginx:8080 → gateway:18789 (loopback)

Credits

Based on coollabsio/openclaw nginx configuration approach.

[andreacasini]

I have upgraded and while it worked I ran into some issues which I will document here for your reference (in my case I was able to fix everything.
FYI I have given full access to my agent to run commands, the new security framework could have this more granular and I might make it more stringent in the future but for now this is what I did, you do you I do me.

Work with this with your agent, that's what I did and we figured it out, do the same if you have problems.

I hope this helps.

Post-Upgrade Setup Guide

OpenClaw v2026.2.22 — Documented 2026-02-22

This guide covers the complete setup performed after upgrading OpenClaw, including the nginx reverse proxy workaround for issue #22104, HTTPS configuration, and exec permissions.

---

1. SSL Certificate Generation

You will need this now under the new security framework.

Self-signed certificate with 10-year validity for the nginx proxy:

cd ~/.openclaw/workspace/projects/nginx-proxy

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout ssl.key -out ssl.crt \
  -subj "/C=IT/ST=whatever/L=whatever/O=HomeServer/CN=<IP>"

Files created:

• ssl.crt — Certificate (10 years)
• ssl.key — Private key

---

2. Nginx Proxy Configuration

Purpose: Work around issue #22104 where internal RPC fails when gateway binds to LAN.

nginx.conf

events {
    worker_connections 1024;
}

http {
    upstream gateway {
        server 127.0.0.1:18789;
    }

    server {
        listen 8080 ssl;
        ssl_certificate /etc/nginx/ssl.crt;
        ssl_certificate_key /etc/nginx/ssl.key;

        location / {
            proxy_pass http://gateway;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 86400;
        }
    }
}

Dockerfile

FROM nginx:alpine
COPY nginx.conf /etc/nginx/nginx.conf
COPY ssl.crt /etc/nginx/ssl.crt
COPY ssl.key /etc/nginx/ssl.key
EXPOSE 8080
CMD ["nginx", "-g", "daemon off;"]

Build & Run

cd ~/.openclaw/workspace/projects/nginx-proxy

# Build
docker build -t openclaw-nginx-proxy .

# Run (shares network namespace with gateway container)
docker run --rm -d \
  --name openclaw-nginx \
  --network container:openclaw-openclaw-gateway-1 \
  openclaw-nginx-proxy

Key: --network container:openclaw-openclaw-gateway-1 allows nginx to reach gateway on 127.0.0.1:18789.

---

3. Gateway Configuration

In ~/.openclaw/openclaw.json:

{
  "gateway": {
    "bind": "loopback",
    "trustedProxies": ["127.0.0.1"]
  },
  "controlUi": {
    "allowedOrigins": [
      "https://<IP>:8080"
    ]
  }
}

• bind: loopback — Gateway only listens on 127.0.0.1
• trustedProxies — Allows nginx to forward requests
• allowedOrigins — Permits Control UI access via HTTPS proxy

---

4. Exec Without Approval

To allow the agent to run exec commands without manual approval, add to ~/.openclaw/openclaw.json:

{
  "tools": {
    "exec": {
      "security": "full",
      "ask": "off"
    }
  }
}

Options:

Setting	Values	Description
security	deny, allowlist, full	Command execution policy
ask	off, on-miss, always	Approval prompt behavior

After adding, restart the gateway:

docker restart openclaw-openclaw-gateway-1

---

5. Device Pairing (Control UI)

After SSL setup, pair the Control UI:

1. Open https://192.168.1.115:8080 in browser
2. Accept self-signed certificate warning
3. Gateway shows pairing request in logs
4. Approve via CLI or existing session
   (eg. openclaw-cli devices list then openclaw-cli pairing approve <device>)

Paired devices stored in ~/.openclaw/devices/paired.json.

---

6. Files Reference

File	Purpose
~/.openclaw/openclaw.json	Main config (gateway, tools, exec)
~/.openclaw/devices/paired.json	Paired Control UI devices
~/.openclaw/identity/device-auth.json	Agent device authentication
projects/nginx-proxy/nginx.conf	Nginx reverse proxy config
projects/nginx-proxy/ssl.crt	SSL certificate
projects/nginx-proxy/ssl.key	SSL private key
scripts/upgrade.sh	Upgrade/rollback script

---

7. Related Issues

• [Bug]: Internal tool→gateway RPC calls incorrectly blocked by ws:// security check #22104 — Internal RPC fails with bind: "lan" (Docker)
• fix(tools): prefer loopback for internal tool-to-gateway RPC calls #22110 — PR with fix (pending merge)

Once #22110 is merged, the nginx workaround may no longer be needed.