vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 10:20:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: guard debug proxy CONNECT under managed proxy (#77010)

Browse Source 
Summary:
- The PR adds a managed-proxy-aware debug proxy direct-upstream guard, a diagnostics override env var, regression tests, docs, and a changelog entry.
- Reproducibility: yes. Source inspection on current main shows direct HTTP forwarding and CONNECT net.connect() can run while managed proxy mode is active, against the documented managed-proxy egress guardrail.

Automerge notes:
- Ran the ClawSweeper repair loop before final review.
- Included post-review commit in the final squash: fix(clawsweeper): address review for automerge-openclaw-openclaw-7701…

Validation:
- ClawSweeper review passed for head aaa52a7f5f.
- Required merge gates passed before the squash merge.

Prepared head SHA: aaa52a7f5f
Review: https://github.com/openclaw/openclaw/pull/77010#issuecomment-4367600656

Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
This commit is contained in:
Jesse Merhi
2026-05-04 13:54:18 +10:00
committed by GitHub
parent 973e240bb3
commit f42a2c738c
5 changed files with 266 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/cli/proxy.md
View File

@@ -68,6 +68,7 @@ semantics.
- `start` defaults to `127.0.0.1` unless `--host` is set.
- `run` starts a local debug proxy and then runs the command after `--`.
- The debug proxy's direct upstream forwarding opens upstream sockets for diagnostics. When OpenClaw managed proxy mode is active, direct forwarding for proxy requests and CONNECT tunnels is disabled by default; set `OPENCLAW_DEBUG_PROXY_ALLOW_DIRECT_CONNECT_WITH_MANAGED_PROXY=1` only for approved local diagnostics.
- `validate` exits with code 1 when proxy config or destination checks fail.
- Captures are local debugging data; use `openclaw proxy purge` when finished.

1
docs/security/network-proxy.md
View File

@@ -194,6 +194,7 @@ proxy:
- The proxy improves coverage for process-local JavaScript HTTP and WebSocket clients, but it is not an OS-level network sandbox.
- Raw `net`, `tls`, and `http2` sockets, native addons, and child processes may bypass Node-level proxy routing unless they inherit and respect proxy environment variables.
- IRC is a raw TCP/TLS channel outside operator-managed forward proxy routing. In deployments that require all egress through that forward proxy, set `channels.irc.enabled=false` unless direct IRC egress is explicitly approved.
- The local debug proxy is diagnostic tooling and its direct upstream forwarding for proxy requests and CONNECT tunnels is disabled by default while managed proxy mode is active; enable direct forwarding only for approved local diagnostics.
- User local WebUIs and local model servers should be allowlisted in the operator proxy policy when needed; OpenClaw does not expose a general local-network bypass for them.
- Gateway control-plane proxy bypass is intentionally limited to `localhost` and literal loopback IP URLs. Use `ws://127.0.0.1:18789`, `ws://[::1]:18789`, or `ws://localhost:18789` for local direct Gateway control-plane connections; other hostnames route like ordinary hostname-based traffic.
- OpenClaw does not inspect, test, or certify your proxy policy.