fix(gateway): allow lan binding with trusted-proxy auth mode

Critical bug: Gateway startup validation rejected lan binding when using
trusted-proxy auth mode because it only checked for token/password.

The validation on line 99 threw 'refusing to bind gateway to lan without auth'
even when authMode was 'trusted-proxy', because hasSharedSecret is false
for trusted-proxy mode (it doesn't use tokens/passwords).

Fix: Allow lan binding when authMode is 'trusted-proxy' by adding
&& authMode !== 'trusted-proxy' to the condition.

This allows the gateway to start with bind=lan when configured for
trusted-proxy authentication (e.g., behind Pomerium).

Without this fix, users get a crash loop with a 'refusing to bind' error
even though trusted-proxy mode is correctly configured.
Nick Taylor
2026-02-13 16:52:34 +00:00
committed by Peter Steinberger
parent 25ed7828f4
commit 702cf6545b


@@ -96,7 +96,7 @@ export async function resolveGatewayRuntimeConfig(params: {
if (tailscaleMode !== "off" && !isLoopbackHost(bindHost)) {
throw new Error("tailscale serve/funnel requires gateway bind=loopback (127.0.0.1)");
}
if (!isLoopbackHost(bindHost) && !hasSharedSecret) {
if (!isLoopbackHost(bindHost) && !hasSharedSecret && authMode !== "trusted-proxy") {
throw new Error(
`refusing to bind gateway to ${bindHost}:${params.port} without auth (set gateway.auth.token/password, or set OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD)`,
);
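Review bot: the new `authMode !== "trusted-proxy"` clause makes the non-loopback bind check pass on the mode string alone, without anything in this hunk confirming that a trusted-proxy configuration is actually present, so a gateway with bind=lan and authMode set to trusted-proxy but no proxy in front of it is no longer caught here. Consider keeping the guard tied to a positive condition (for example, a resolved trusted-proxy config rather than only the mode value) or verifying that check exists elsewhere in resolveGatewayRuntimeConfig. Also, the error text on the following line still only mentions `gateway.auth.token/password` and the OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD variables; it should now also name trusted-proxy as an accepted way to satisfy the check.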