[Feature]: Provider requests ignore env proxy by default → causes silent timeout in WSL / proxy environments

[wnlen]

[UX] Warn when env proxy is detected but provider requests are not using it

Summary

OpenClaw already supports provider-level request proxy configuration via models.providers.<provider>.request.proxy.mode = "env-proxy", but this is currently hard to discover.

In proxy-required environments such as WSL + Clash/Mihomo or corporate networks, this creates a misleading failure mode: the gateway starts normally, the UI loads, but chat requests silently timeout because provider requests do not automatically use HTTP_PROXY / HTTPS_PROXY unless explicitly configured.

This proposal does not suggest changing the default behavior. It only suggests adding a startup warning to improve observability and reduce debugging friction.

Reproduction

Environment

• WSL2 (Ubuntu)
• Local proxy such as Clash / Mihomo, or a corporate proxy environment
• HTTP_PROXY / HTTPS_PROXY correctly set
• Remote model provider (for example OpenAI)

Steps

1. Start OpenClaw normally
2. Configure a remote provider
3. Send a chat request from the UI

Observed result

• Gateway starts successfully
• UI loads normally
• Chat requests timeout or fail with a network connection error
• No clear warning indicates that proxy configuration is the likely cause

Confirmed workaround

After explicitly enabling provider request proxy, requests work immediately:

{
  "models": {
    "providers": {
      "openai": {
        "baseUrl": "https://api.openai.com/v1",
        "models": [
          { "id": "gpt-5.4", "name": "gpt-5.4" },
          { "id": "gpt-5.4-mini", "name": "gpt-5.4-mini" }
        ],
        "request": {
          "proxy": {
            "mode": "env-proxy"
          }
        }
      }
    }
  }
}

Root cause

This is not a missing capability. OpenClaw already supports provider-level env proxy configuration.

The problem is that the current behavior is difficult to discover in common proxy-required setups:

• environment proxy variables may already be present
• the system service may inherit them correctly
• curl may work as expected
• but provider requests still bypass env proxy unless request.proxy.mode is explicitly configured for that provider

As a result, the app can appear healthy while core chat functionality is broken.

Proposed improvement

Add a non-breaking startup warning when all of the following are true:

• HTTP_PROXY or HTTPS_PROXY is detected
• the provider target is clearly remote rather than local
• provider request proxy is not explicitly configured

Example warning:

Detected HTTP_PROXY/HTTPS_PROXY but provider requests are not using env proxy.
This may cause request timeouts.
Consider setting:
models.providers.<provider>.request.proxy.mode = "env-proxy"

Non-goals

This proposal does not:

• auto-enable env proxy for all providers
• change existing proxy semantics
• route local or LAN providers through a proxy by default

The goal is only to improve discoverability and observability.

Why this matters

This issue is easy to hit in real-world setups:

• WSL + local proxy tools such as Clash / Mihomo
• corporate or restricted network environments
• users accessing remote model providers for the first time

Current behavior is misleading because:

• the gateway appears healthy
• the UI appears healthy
• only model requests fail
• users are pushed into low-signal debugging across gateway, service, and network layers

This makes first-run experience unnecessarily fragile for a common environment class.

Alternatives considered

1. Automatically use env proxy by default

Rejected for now.

That would reduce explicitness and could unintentionally route local, LAN, or otherwise non-remote providers through a proxy.

2. Documentation only

Helpful, but insufficient on its own.

The current failure mode is silent enough that many users will not know where to look.

3. Manual debugging by users

High friction and poor UX for a setup that is common and reproducible.

Additional note

In practice, enabling env proxy for a remote provider may require editing a larger explicit provider block than some users expect.

That makes the capability even less discoverable for users who only want provider requests to respect already-configured HTTP_PROXY / HTTPS_PROXY values.

[wnlen]

If this approach makes sense, I’d be happy to open a PR to implement the startup warning.

I can keep it:

• non-breaking
• only triggered for remote providers
• emitted once (no spam)

Let me know if you have any preferences on where/how this warning should be surfaced.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still has explicit model-provider env-proxy support, but it does not emit the requested startup warning when proxy env vars are present and remote providers lack models.providers.<provider>.request.proxy; the directly related implementation PR is closed and unmerged.

Reproducibility: yes. A high-confidence static reproduction is to set HTTPS_PROXY, configure a remote models.providers.*.baseUrl without request.proxy, and inspect/call the current startup logger; there is no matching warning path or test coverage on current main.

Next step
Queue a focused fix PR; the affected files and validation path are clear, and the closed unmerged prior PR provides concrete implementation context.

Review details

Best possible solution:

Implement a one-time startup diagnostic that reuses existing proxy-env helpers, inspects configured remote HTTP(S) model providers without explicit request proxy config, and points users to models.providers.<provider>.request.proxy.mode = "env-proxy".

Do we have a high-confidence way to reproduce the issue?

Yes. A high-confidence static reproduction is to set HTTPS_PROXY, configure a remote models.providers.*.baseUrl without request.proxy, and inspect/call the current startup logger; there is no matching warning path or test coverage on current main.

Is this the best way to solve the issue?

Yes. A startup warning is the narrowest maintainable solution because proxy routing already exists and remains explicit; changing defaults would broaden network behavior beyond the request.

Acceptance criteria:

• pnpm test src/gateway/server-startup-log.test.ts
• pnpm exec oxfmt --check --threads=1 src/gateway/server-startup-log.ts src/gateway/server-startup-log.test.ts CHANGELOG.md
• pnpm check:changed (Testbox by default before handoff)

What I checked:

• Startup logger lacks proxy diagnostic: logGatewayStartup logs the selected model, listening line, log file, Nix mode, and dangerous config flags; the file has no branch that inspects proxy env vars, provider baseUrl, or provider request proxy config. (src/gateway/server-startup-log.ts:8, d583662fd905)
• Startup-log tests do not cover this warning: The colocated tests cover dangerous-config warnings and the compact listening line only; there are no proxy-env warning or suppression cases. (src/gateway/server-startup-log.test.ts:9, d583662fd905)
• Reusable proxy-env helpers already exist: hasProxyEnvConfigured detects standard proxy env keys, and shouldUseEnvHttpProxyForUrl can evaluate HTTP(S) targets with NO_PROXY handling. (src/infra/net/proxy-env.ts:10, d583662fd905)
• Provider request proxy remains explicit: Absent request.proxy resolves to configured: false; the dispatcher policy becomes env-proxy only when the provider request proxy mode is explicitly configured as env-proxy. (src/agents/provider-request-config.ts:519, d583662fd905)
• Provider fetch uses that explicit dispatcher policy: buildGuardedModelFetch resolves provider request policy, builds the dispatcher policy, and passes it into the guarded fetch path; without an explicit proxy policy, the SSRF dispatcher path uses a direct pinned dispatcher. (src/agents/provider-transport-fetch.ts:266, d583662fd905)
• User-facing config documents the existing workaround: The config docs describe models.providers.*.request.proxy and the env-proxy mode, confirming this is discoverability/observability work rather than a missing proxy capability. Public docs: docs/gateway/config-tools.md. (docs/gateway/config-tools.md:452, d583662fd905)

Likely related people:

• Vincent Koc: Current local blame/log for the central startup logger, startup-log tests, provider request config, provider fetch path, and proxy-env helper resolves to a recent current-main snapshot authored by Vincent Koc. (role: recent maintainer; confidence: medium; commits: d122a3492d17, d583662fd905; files: src/gateway/server-startup-log.ts, src/gateway/server-startup-log.test.ts, src/infra/net/proxy-env.ts)
• skylee-01: Authored the closed unmerged PR feat(gateway): warn when proxy env vars detected but providers not using them #68023 that directly attempted the requested warning and focused startup-log tests, making that branch useful design context for a replacement fix. (role: prior implementation candidate; confidence: medium; commits: 024d6a031767, 1da36db4ac86; files: src/gateway/server-startup-log.ts, src/gateway/server-startup-log.test.ts)

Remaining risk / open question:

• Remote-provider classification needs to avoid false positives for loopback, .local, LAN/private, and explicitly proxied providers.
• The fix should remain warning-only; auto-enabling env-proxy would change network routing semantics the report explicitly excludes.

Codex review notes: model gpt-5.5, reasoning high; reviewed against d583662fd905.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep this open. Current main still has explicit provider request proxy support, but it does not implement the requested startup warning when proxy environment variables are present and remote model providers lack an explicit request proxy; the directly related implementation candidate, #68023, is closed and unmerged.

Required change / next step:

This is a narrow, reproducible observability gap with clear files and validation; the prior PR is closed unmerged, and the fix should not alter provider routing semantics.

Review details

Best possible solution:

Implement a warning-only gateway startup check that uses existing proxy-env helpers, inspects configured model providers for remote HTTP(S) targets without explicit request proxy configuration, warns once with the models.providers.<provider>.request.proxy.mode = "env-proxy" remediation, and covers the warn/no-env/all-configured/local-provider cases in focused tests.

Acceptance criteria:

• pnpm test src/gateway/server-startup-log.test.ts
• pnpm exec oxfmt --check --threads=1 src/gateway/server-startup-log.ts src/gateway/server-startup-log.test.ts
• pnpm check:changed

What I checked:

• Startup logger lacks proxy warning path: logGatewayStartup logs the selected model, listening summary, log file, Nix mode, and dangerous config flags, but it does not inspect HTTP_PROXY/HTTPS_PROXY, provider baseUrl, or models.providers.*.request.proxy. (src/gateway/server-startup-log.ts:8, acae48b790fa)
• Startup tests have no proxy observability coverage: The colocated startup-log tests cover dangerous config warnings and the compact listening line only; there are no cases for proxy env detection, local-provider suppression, or configured request proxy suppression. (src/gateway/server-startup-log.test.ts:9, acae48b790fa)
• Existing env proxy helpers can support the warning: The infra helper already detects proxy env vars and can determine whether an HTTP(S) target would use env proxy after NO_PROXY matching, so the missing piece is startup wiring and remote-provider classification. (src/infra/net/proxy-env.ts:10, acae48b790fa)
• Provider proxy remains explicit: Model provider request config treats absent request.proxy as configured: false; the dispatcher policy becomes env-proxy only when request.proxy.mode is explicitly set to env-proxy. (src/agents/provider-request-config.ts:519, acae48b790fa)
• Provider fetch uses resolved dispatcher policy: buildGuardedModelFetch resolves the provider request policy, builds a dispatcher policy from it, and passes that policy to the guarded fetch path; without explicit proxy config there is no env-proxy dispatcher. This matches the reported workaround and confirms the remaining request is observability. (src/agents/provider-transport-fetch.ts:266, acae48b790fa)
• Prior implementation candidate is not shipped: Provided GitHub context shows feat(gateway): warn when proxy env vars detected but providers not using them #68023 directly implemented the requested warning and included Closes syntax, but that PR is closed, unmerged, and its head commit is not present in the local checkout.

Likely related people:

• steipete: Current-main blame for the central startup logger, proxy env helper, provider request config, and provider fetch path resolves to Peter Steinberger's baseline/current-main commit in this checkout, so he is the strongest local-history routing candidate. (role: recent maintainer; confidence: medium; commits: a972c9ec4547; files: src/gateway/server-startup-log.ts, src/gateway/server-startup-log.test.ts, src/infra/net/proxy-env.ts)
• skylee-01: Authored feat(gateway): warn when proxy env vars detected but providers not using them #68023, the closed unmerged PR that attempted the same startup warning and test coverage for this issue; useful for design context even though it is not current-main ownership. (role: prior implementation candidate; confidence: medium; commits: 1da36db4ac86, 024d6a031767; files: src/gateway/server-startup-log.ts, src/gateway/server-startup-log.test.ts)

Remaining risk / open question:

• Remote-target detection needs to avoid false positives for loopback, .local, LAN/private/self-hosted providers, and providers that already configure any request.proxy.
• The warning should remain observability-only; auto-enabling env proxy would change provider routing semantics that the report explicitly rejected.

Codex review notes: model gpt-5.5, reasoning high; reviewed against acae48b790fa.