web_fetch still blocked by fake-ip SSRF in Mihomo/OpenClash setup even with HTTP_PROXY/HTTPS_PROXY configured

[Silronin]

Summary

In a Mihomo/OpenClash fake-ip network, web_fetch still fails for ordinary external URLs like https://huggingface.co with:

Blocked: resolves to private/internal/special-use IP address

This still happens on a recent OpenClaw build even after configuring openclaw-gateway to run with HTTP_PROXY / HTTPS_PROXY and verifying those env vars are present in the live gateway process.

From a user perspective, the current behavior is confusing because recent changelog entries suggest improved support for:

• RFC2544 fake-IP compatibility
• proxy-aware SSRF guard paths
• trusted env-proxy routing for web tools

But in practice, a normal web_fetch target such as Hugging Face still appears to stay on the strict pinned-DNS path and gets blocked in a common fake-ip deployment.

Environment

• OpenClaw gateway version: 2026.4.1
• OS: Linux
• Upstream network: OpenClash / Mihomo with fake-ip
• Fake-IP range involved: 198.18.0.0/15
• Explicit gateway proxy configured via user systemd drop-in:
  • HTTP_PROXY=http://127.0.0.1:7897
  • HTTPS_PROXY=http://127.0.0.1:7897
  • ALL_PROXY=http://127.0.0.1:7897
  • NO_PROXY=127.0.0.1,localhost,::1

What I verified

1. OpenClaw is already on a recent version (2026.4.1), so this does not appear to be an "old version" problem.
2. openclaw-gateway is actually running with the proxy env vars:
   • confirmed in systemctl --user cat openclaw-gateway.service
   • confirmed again in /proc/<pid>/environ
3. openclaw gateway status reports the gateway is healthy and reachable (RPC probe: ok).
4. The local proxy endpoint itself is reachable and working (http://127.0.0.1:7897).
5. Despite all of the above, web_fetch still fails for https://huggingface.co with the SSRF/private-address error.

Reproduction

1. Put the machine behind Mihomo / OpenClash with fake-ip enabled.
2. Configure openclaw-gateway with explicit env proxy variables (HTTP_PROXY / HTTPS_PROXY).
3. Restart the gateway and verify the env vars are present in the running process.
4. Call web_fetch on:
   • https://huggingface.co

Actual result

web_fetch fails with:

Blocked: resolves to private/internal/special-use IP address

Expected result

One of these should be true:

1. web_fetch should successfully work for common public targets in fake-ip deployments when the gateway is correctly configured with a trusted env proxy, or
2. the docs/config should clearly expose the intended user-facing mechanism for this case (for example, a documented trusted-domain / allowlist path for web_fetch).

Additional findings from local source inspection

From local source/tests in the OpenClaw repo, this behavior appears related to the fact that ordinary / untrusted web_fetch URLs still keep strict DNS pinning even when HTTP_PROXY is configured.

In other words, the current trusted env-proxy path seems to exist, but not in a way that solves this user-facing case for normal external fetch targets behind fake-ip.

Questions

1. Is this current behavior expected, or is it a bug / missing piece?
2. What is the officially recommended solution for web_fetch behind Mihomo/OpenClash fake-ip when users need to fetch normal public sites like Hugging Face?
3. Should OpenClaw expose a documented user-facing allowlist / trusted-domains mechanism for web_fetch specifically?

[cosmicnet]

Related: PR #58034 is aimed at the same user-facing gap.

The approach there is not to make ordinary web_fetch automatically trust HTTP_PROXY / HTTPS_PROXY, but to expose a documented explicit opt-in: tools.web.fetch.useTrustedEnvProxy. When enabled, web_fetch can take the trusted env proxy path for matching HTTP(S) proxy envs, with NO_PROXY fallback and pre-dispatch hostname checks preserved. So if the intended answer here is "provide a narrow, documented proxy mode for web_fetch", that PR is directly relevant.

Maybe you can test if that branch fixes your issue?

[steipete]

Closing this as implemented after Codex review.

Current main already implements an explicit fake-IP-compatible web_fetch path via tools.web.fetch.ssrfPolicy.allowRfc2544BenchmarkRange, wires that opt-in into the SSRF guard, and records it as shipped in v2026.4.10, so the reported gap is now implemented.

What I checked:

• Shipped release note: The 2026.4.10 changelog section includes a web_fetch fix for fake-IP environments: an opt-in tools.web.fetch.ssrfPolicy.allowRfc2544BenchmarkRange so sites resolved into 198.18.0.0/15 can be fetched without weakening the default SSRF block. (CHANGELOG.md:975, 6bc0dc8fb671)
• Config surface exists on main: tools.web.fetch.ssrfPolicy.allowRfc2544BenchmarkRange is part of the current tool config type, with help text explicitly calling out fake-IP compatibility for Clash/Surge-style setups. (src/config/types.tools.ts:561, 6bc0dc8fb671)
• Runtime wiring: runWebFetch reads the opt-in and passes { allowRfc2544BenchmarkRange: true } into the guarded fetch policy for the actual request path. (src/agents/tools/web-fetch.ts:390, 6bc0dc8fb671)
• SSRF guard honors the opt-in narrowly: The shared SSRF layer maps allowRfc2544BenchmarkRange into the IPv4 special-use checks instead of broadly disabling private-network blocking. (src/infra/net/ssrf.ts:100, 6bc0dc8fb671)
• Regression coverage: Tests cover both sides of the behavior: web_fetch stays on strict pinned-DNS behavior by default even when HTTP_PROXY is set, and the fake-IP opt-in allows RFC2544 benchmark-range targets only when explicitly enabled. (src/agents/tools/web-tools.fetch.test.ts:256, 6bc0dc8fb671)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 6bc0dc8fb671; fix evidence: release v2026.4.10.