deployment-scripts/how-to/traefik-openclaw.md

OpenClaw behind Traefik
=======================

What I changed

  • Changed OpenClaw gateway bind in /home/user/.openclaw/openclaw.json from loopback to lan
  • Added Traefik dynamic config at /opt/traefik/dynamic/openclaw.yml
  • Target upstream is http://host.docker.internal:18789
  • Added gateway.controlUi.allowedOrigins entry for https://oc.an2.io

Why

  • Traefik runs in Docker.
  • The Traefik container already has host.docker.internal mapped to the Docker host gateway.
  • OpenClaw was only listening on 127.0.0.1:18789, which the container could not reach.
  • Binding OpenClaw to lan makes it listen on the host network so Traefik can reach it through the host gateway.
  • The Control UI loaded through Traefik uses browser origin https://oc.an2.io, so that exact origin must be listed in gateway.controlUi.allowedOrigins.

Traefik config summary

  • Router name: openclaw
  • Entry point: websecure
  • TLS cert resolver: letsencrypt
  • Host rule: oc.an2.io
  • Service upstream: http://host.docker.internal:18789
  • Dynamic file: /opt/traefik/dynamic/openclaw.yml

OpenClaw config summary

Notes

  • https://localhost:18789 is not the correct public URL because OpenClaw on port 18789 speaks plain HTTP.
  • TLS is terminated by Traefik on port 443 and then proxied to http://host.docker.internal:18789.
  • If the browser shows "origin not allowed", check gateway.controlUi.allowedOrigins first.
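
The origin and bind checks from the notes above, as an added example that is not part of the original how-to or of OpenClaw: it computes the origin a browser sends for the public URL, compares it with gateway.controlUi.allowedOrigins, and flags a non-loopback bind. The gateway.bind key name, exact-string matching, and the sample configs are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def browser_origin(url):
    """Origin as a browser serializes it: scheme://host[:port], lower-case,
    default port dropped, no path or trailing slash."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError(f"not an http(s) URL: {url!r}")
    if parts.port in (None, DEFAULT_PORTS[scheme]):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"

def audit(config_text, public_url):
    """Return (code, detail) findings for a gateway config behind public_url."""
    gateway = json.loads(config_text).get("gateway", {})
    allowed = gateway.get("controlUi", {}).get("allowedOrigins", [])
    origin = browser_origin(public_url)
    findings = []
    if origin not in allowed:
        # Entries that differ only by trailing slash, case or an explicit :443
        # are the usual cause of "origin not allowed" under exact matching.
        near = []
        for entry in allowed:
            try:
                if browser_origin(entry) == origin:
                    near.append(entry)
            except ValueError:
                continue  # not a URL at all, so it cannot be a near miss
        code = "origin-near-miss" if near else "origin-missing"
        findings.append((code, f"want {origin!r}, have {allowed!r}"))
    # Assumption: the bind mode is stored at gateway.bind. Per the page, a
    # non-loopback bind makes the plain-HTTP port reachable beyond 127.0.0.1.
    if gateway.get("bind", "loopback") != "loopback":
        findings.append(("bind-exposed", "plain-HTTP port 18789 is reachable off-host; firewall it"))
    return findings

# Constructed sample configs (not the real openclaw.json).
GOOD = '{"gateway": {"bind": "lan", "controlUi": {"allowedOrigins": ["https://oc.an2.io"]}}}'
SLASH = '{"gateway": {"bind": "lan", "controlUi": {"allowedOrigins": ["https://oc.an2.io/"]}}}'
LOCAL = '{"gateway": {"bind": "loopback", "controlUi": {"allowedOrigins": ["http://oc.an2.io"]}}}'

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("SLASH", SLASH), ("LOCAL", LOCAL)):
        print(name, audit(text, "https://oc.an2.io/"))
```
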

Useful checks

If needed

  • Restart OpenClaw gateway after config changes
  • Traefik dynamic config should hot-reload automatically; a Traefik restart is usually not needed