feat(gateway): update runtime config guard for trusted-proxy

- Allow non-loopback bind with trusted-proxy auth mode
- Reject trusted-proxy + loopback combination (nonsensical)
- Require trustedProxies to be configured for trusted-proxy mode

Part of #1560

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Nick Taylor
2026-01-25 05:57:30 +00:00
committed by Peter Steinberger
parent f3ec913489
commit 711fb49a98


@@ -85,6 +85,8 @@ export async function resolveGatewayRuntimeConfig(params: {
const canvasHostEnabled =
process.env.OPENCLAW_SKIP_CANVAS_HOST !== "1" && params.cfg.canvasHost?.enabled !== false;
const trustedProxies = params.cfg.gateway?.trustedProxies ?? [];
assertGatewayAuthConfigured(resolvedAuth);
if (tailscaleMode === "funnel" && authMode !== "password") {
throw new Error(
@@ -100,6 +102,20 @@ export async function resolveGatewayRuntimeConfig(params: {
);
}
// Trusted-proxy mode validations
if (authMode === "trusted-proxy") {
if (isLoopbackHost(bindHost)) {
throw new Error(
"gateway auth mode=trusted-proxy makes no sense with bind=loopback; use bind=lan or bind=custom with gateway.trustedProxies configured",
);
}
if (trustedProxies.length === 0) {
throw new Error(
"gateway auth mode=trusted-proxy requires gateway.trustedProxies to be configured with at least one proxy IP",
);
}
}
return {
bindHost,
controlUiEnabled,
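Review bot: The `trustedProxies.length === 0` guard in the trusted-proxy block only proves the list is non-empty, so a list such as `[""]` (or an overly broad entry, if ranges are accepted) would satisfy it while the gateway is now allowed to bind off loopback. Since this mode presumably lets the listed peers vouch for the caller's identity, the entries deserve validation at this point, or a comment naming where the config schema already does it, e.g. `const usableProxies = trustedProxies.filter((p) => p.trim() !== "");` followed by `if (usableProxies.length === 0) {`. Separately, the loopback rejection rules out a reverse proxy running on the same host in front of a 127.0.0.1 listener, which is the narrowest exposure for this mode; if that is intentional, a comment above `isLoopbackHost(bindHost)` explaining why would help the next reader. `resolveGatewayRuntimeConfig` starts and ends outside the hunk, so any earlier validation of `bindHost` or `trustedProxies` is not visible here.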