docs: refresh reverse proxy hardening refs

2026-05-06 02:10:21 +00:00 · 2026-04-04 13:47:59 +01:00
parent 7985cf5531
commit 4991cd66ef
3 changed files with 16 additions and 5 deletions
--- a/docs/install/exe-dev.md
+++ b/docs/install/exe-dev.md
@@ -93,7 +93,7 @@ server {
        # Standard proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeout settings for long-lived connections
@@ -103,6 +103,10 @@ server {
 }
 ```

+Overwrite forwarding headers instead of preserving client-supplied chains.
+OpenClaw trusts forwarded IP metadata only from explicitly configured proxies,
+and append-style `X-Forwarded-For` chains are treated as a hardening risk.
+
 ## 5) Access OpenClaw and grant privileges

 Access `https://<vm-name>.exe.xyz/` (see the Control UI output from onboarding). If it prompts for auth, paste the