vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 07:00:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: persist private ws opt-in for node services

Browse Source
This commit is contained in:
Peter Steinberger
2026-04-24 06:07:15 +01:00
parent 171322644d
commit d4e93e791b
4 changed files with 30 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/cli/node.md
View File

@@ -74,6 +74,11 @@ Options:
- In `gateway.mode=remote`, remote client fields (`gateway.remote.token` / `gateway.remote.password`) are also eligible per remote precedence rules.
- Node host auth resolution only honors `OPENCLAW_GATEWAY_*` env vars.
For a node connecting to a non-loopback `ws://` Gateway on a trusted private
network, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`. Without it, node startup
fails closed and asks you to use `wss://`, an SSH tunnel, or Tailscale.
`openclaw node install` persists this opt-in into the supervised node service.
## Service (background)
Install a headless node host as a user service.

16
docs/plugins/google-meet.md
View File

@@ -136,6 +136,22 @@ Start the node host in the VM:
openclaw node run --host <gateway-host> --port 18789 --display-name parallels-macos
```
If `<gateway-host>` is a LAN IP and you are not using TLS, the node refuses the
plaintext WebSocket unless you opt in for that trusted private network:
```bash
OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1 \
openclaw node run --host <gateway-lan-ip> --port 18789 --display-name parallels-macos
```
Use the same environment variable when installing the node as a LaunchAgent:
```bash
OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1 \
openclaw node install --host <gateway-lan-ip> --port 18789 --display-name parallels-macos --force
openclaw node restart
```
Approve the node from the Gateway host:
```bash

7
src/daemon/service-env.test.ts
View File

@@ -388,6 +388,13 @@ describe("buildNodeServiceEnvironment", () => {
expect(env.OPENCLAW_GATEWAY_TOKEN).toBe("node-token");
});
it("passes through OPENCLAW_ALLOW_INSECURE_PRIVATE_WS for node services", () => {
const env = buildNodeServiceEnvironment({
env: { HOME: "/home/user", OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: " 1 " },
});
expect(env.OPENCLAW_ALLOW_INSECURE_PRIVATE_WS).toBe("1");
});
it("omits OPENCLAW_GATEWAY_TOKEN when the env var is empty", () => {
const env = buildNodeServiceEnvironment({
env: {

2
src/daemon/service-env.ts
View File

@@ -298,9 +298,11 @@ export function buildNodeServiceEnvironment(params: {
params.execPath,
);
const gatewayToken = normalizeOptionalString(env.OPENCLAW_GATEWAY_TOKEN);
const allowInsecurePrivateWs = normalizeOptionalString(env.OPENCLAW_ALLOW_INSECURE_PRIVATE_WS);
return {
...buildCommonServiceEnvironment(env, sharedEnv),
OPENCLAW_GATEWAY_TOKEN: gatewayToken,
OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: allowInsecurePrivateWs,
OPENCLAW_LAUNCHD_LABEL: resolveNodeLaunchAgentLabel(),
OPENCLAW_SYSTEMD_UNIT: resolveNodeSystemdServiceName(),
OPENCLAW_WINDOWS_TASK_NAME: resolveNodeWindowsTaskName(),