[Bug]: #43300

@papirov

Bug type

Behavior bug (incorrect output/state without crash)

Summary

When OpenClaw is configured with gateway.auth.mode = "trusted-proxy" behind Traefik + authentik, the browser UI works, but manager/subagent/backend self-connections fail.

Steps to reproduce

  • Configure Gateway with auth.mode = "trusted-proxy" and trustedProxy.userHeader = "x-authentik-email".
  • Put browser/UI traffic behind Traefik + authentik so the UI works normally.
  • Enable subagents / agent-to-agent behavior.
  • From manager, run a validation action that checks agent availability or spawns a subagent.
  • Observe backend self-connection failure with trusted_proxy_user_missing.

In detail:

When OpenClaw is configured with gateway.auth.mode = "trusted-proxy" behind Traefik + authentik, the browser UI works, but manager/subagent/backend self-connections fail with:

  • trusted_proxy_user_missing
  • websocket close 1008 unauthorized

This appears to happen because OpenClaw’s internal gateway client connects directly to loopback (127.0.0.1) instead of going through the trusted proxy, but trusted-proxy auth requires the configured identity header on all accepted connections from trusted proxy IPs.

Deployment shape

  • OpenClaw running in Docker
  • Traefik + authentik on a different Docker host
  • External UI access via Traefik/authentik
  • Slack socket mode enabled
  • Manager agent can respond in Slack
  • Subagent validation/spawn fails

Config

OpenClaw gateway config:

```json
"gateway": {
  "port": 18789,
  "mode": "local",
  "bind": "loopback",
  "controlUi": {
    "enabled": true,
    "allowedOrigins": [
      "https://openclaw.example.com"
    ]
  },
  "auth": {
    "mode": "trusted-proxy",
    "trustedProxy": {
      "userHeader": "x-authentik-email",
      "allowUsers": [
        "me@example.com",
        "openclaw-internal@local"
      ]
    }
  },
  "trustedProxies": [
    "127.0.0.1"
  ]
}
```


### Expected behavior

If trusted-proxy is a supported auth mode for Gateway deployments that use manager/subagent/backend self-connections, one of these should be true:

- Internal self-connections should inherit/authenticate as the already-authenticated user.
- Internal self-connections should use a separate supported internal auth path.

### Actual behavior

Manager/subagent/backend validation fails with logs like:

```text
[ws] unauthorized conn=... remote=127.0.0.1 client=gateway-client backend v2026.3.8 reason=trusted_proxy_user_missing
gateway connect failed: Error: unauthorized
[tools] sessions_list failed: gateway closed (1008): unauthorized

Gateway target: ws://127.0.0.1:18790
Source: local loopback
Bind: loopback
```

### OpenClaw version

2026.3.8

### Operating system

Ubuntu 24.04

### Install method

docker

### Model

n/a

### Provider / routing chain

Traefik forwardAuth -> authentik -> nginx sidecar -> OpenClaw Gateway

### Config file / key location

_No response_

### Additional provider/model setup details

If trusted-proxy is a supported auth mode for Gateway deployments that use manager/subagent/backend self-connections, one of these should be true:

- Internal self-connections should inherit/authenticate as the already-authenticated user.
- Internal self-connections should use a separate supported internal auth path.

### Why this looks like an implementation gap

#### Internal client hardcodes loopback self-connection

In src/gateway/call.ts, self-connections explicitly target loopback:

> "Self-connections should always target loopback"

`localUrl = ws://127.0.0.1:${localPort}`

Code: https://github.com/openclaw/openclaw/blob/main/src/gateway/call.ts#L2377-L2385

#### Trusted proxy auth requires the configured user header

In src/gateway/auth.ts, trusted-proxy mode rejects requests when the trusted proxy user header is missing, producing trusted_proxy_user_missing.

Code: https://github.com/openclaw/openclaw/blob/main/src/gateway/auth.ts#L1846-L1879

#### Internal client does not send trusted-proxy headers

The gateway client appears to send auth in the protocol connect payload, but not reverse-proxy identity headers such as X-Authentik-Email.

Code: https://github.com/openclaw/openclaw/blob/main/src/gateway/client.ts#L2133-L2245

#### Tests appear to cover token auth for live backend/CLI paths, not trusted-proxy

- trusted-proxy auth is tested as proxied header-based auth
- live backend/CLI test coverage appears to use token auth

Code:
https://github.com/openclaw/openclaw/blob/main/src/gateway/auth.test.ts
https://github.com/openclaw/openclaw/blob/main/src/gateway/gateway-cli-backend.live.test.ts

### Logs, screenshots, and evidence

### Impact and severity

_No response_

### Additional information

_No response_

Labels: bug, bug:behavior