Explicitly Declare Trusted Proxies When Using a Reverse Proxy
If public network access is required, you must explicitly declare the trusted proxy when using a reverse proxy, and ensure that the reverse proxy forwards the real client IP address. You do not need to configure this item if public network access is disabled or if you only integrate with WeCom or QQ bots.
Procedure
- Method 1
- Configure the IP address of the proxy server for the OpenClaw gateway.
openclaw config set gateway.trustedProxies[0] "127.0.0.1" openclaw config set gateway.trustedProxies[1] "::1"
- Set the authentication mode to trusted-proxy.
openclaw config set gateway.auth.mode "trusted-proxy"
- Set the user header field.
openclaw config set gateway.auth.trustedProxy.userHeader "x-forwarded-user"
- Set the user allowlist. The following uses user@example.com as an example (change it based on your actual users).
openclaw config set gateway.auth.trustedProxy.allowUsers[0] "user@example.com"
- Restart the OpenClaw gateway.
openclaw gateway restart
- Configure the IP address of the proxy server for the OpenClaw gateway.
- Method 2
- Open the configuration file.
vim ~/.openclaw/openclaw.json
- Press i to enter the insert mode and add the following information.
"gateway": { "auth": { "mode": "trusted-proxy", "trustedProxy": { "userHeader": "x-forwarded-user", "allowUsers": [ "user@example.com" ] } }, "trustedProxies": [ "127.0.0.1" ] } - Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
- Restart the OpenClaw gateway.
openclaw gateway restart
- Open the configuration file.
Parent topic: Manual Configuration Items