64d13c017a
Co-authored-by: Quratulain-bilal <umayaimanshah@gmail.com> Co-authored-by: Mariano Belinky <mbelinky@gmail.com> Co-authored-by: tao <itaofe@gmail.com> Co-authored-by: julian <julian@tencent.com> Co-authored-by: xenouzik <xenouziq@gmail.com> Co-authored-by: Olamiposi <56056759+posigit@users.noreply.github.com> Co-authored-by: surlymochan <surlymo@apache.org> Co-authored-by: Janaka A <contact@janaka.co.uk> Co-authored-by: choiking <samsamuels1927@gmail.com>
3.5 KiB
summary, read_when, title
| summary | read_when | title | |||
|---|---|---|---|---|---|
| Run the OpenClaw Gateway on EasyRunner with Podman and Caddy |
|
EasyRunner |
EasyRunner can host the OpenClaw Gateway as a small containerized app behind its Caddy proxy. This guide assumes an EasyRunner host that runs Podman-compatible Compose apps and exposes HTTPS through Caddy.
Before you begin
- An EasyRunner server with a domain routed to it.
- A built or published OpenClaw container image.
- A persistent config volume for
/home/node/.openclaw. - A persistent workspace volume for
/workspace. - A strong Gateway token or password.
Keep device auth enabled when possible. If your reverse proxy deployment cannot carry device identity correctly, fix trusted-proxy settings first; use dangerous auth bypasses only for a fully private, operator-controlled network.
Compose app
Create an EasyRunner app with a Compose file shaped like this:
services:
openclaw:
image: ghcr.io/openclaw/openclaw:latest
restart: unless-stopped
environment:
OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
OPENCLAW_HOME: /home/node
OPENCLAW_STATE_DIR: /home/node/.openclaw
OPENCLAW_CONFIG_PATH: /home/node/.openclaw/openclaw.json
OPENCLAW_WORKSPACE_DIR: /workspace
volumes:
- openclaw-config:/home/node/.openclaw
- openclaw-workspace:/workspace
labels:
caddy: openclaw.example.com
caddy.reverse_proxy: "{{upstreams 1455}}"
command: ["openclaw", "gateway", "--bind", "lan", "--port", "1455"]
volumes:
openclaw-config:
openclaw-workspace:
Replace openclaw.example.com with your Gateway hostname. Store
OPENCLAW_GATEWAY_TOKEN in EasyRunner's secret/environment manager instead of
committing it to the app definition.
Configure OpenClaw
Inside the persistent config volume, keep the Gateway reachable only through the proxy and require auth:
{
gateway: {
bind: "lan",
port: 1455,
auth: {
token: "${OPENCLAW_GATEWAY_TOKEN}",
},
},
}
If Caddy terminates TLS for the Gateway, configure trusted proxy settings for the exact proxy path rather than disabling auth checks globally. See Trusted proxy auth.
Verify
From your workstation:
openclaw gateway probe --url https://openclaw.example.com --token <token>
openclaw gateway status --url https://openclaw.example.com --token <token>
From the EasyRunner host, check the app logs for a listening Gateway and no startup SecretRef, plugin, or channel auth failures.
Updates and backups
- Pull or build the new OpenClaw image, then redeploy the EasyRunner app.
- Back up the
openclaw-configvolume before updates. - Back up
openclaw-workspaceif agents write durable project data there. - Run
openclaw doctorafter major updates to catch config migrations and service warnings.
Troubleshooting
gateway probecannot connect: confirm the Caddy hostname points at the app and that the container listens on0.0.0.0:1455.- Auth fails: rotate the token in EasyRunner secrets and the local client command together.
- Files are root-owned after restore: repair the mounted volumes so the
container user can write
/home/node/.openclawand/workspace. - Browser or channel plugins fail: check whether the required external binaries, network egress, and mounted credentials are available inside the container.