openclaw-deploy/how-to/traefik-openclaw.md

# OpenClaw behind Traefik
=======================

What I changed
- Changed OpenClaw gateway bind in /home/user/.openclaw/openclaw.json from loopback to lan
- Added Traefik dynamic config at /opt/traefik/dynamic/openclaw.yml
- Target upstream is http://host.docker.internal:18789
- Added gateway.controlUi.allowedOrigins entry for https://oc.an2.io

Why
- Traefik runs in Docker.
- The Traefik container already has host.docker.internal mapped to the Docker host gateway.
- OpenClaw was only listening on 127.0.0.1:18789, which the container could not reach.
- Binding OpenClaw to lan makes it listen on the host network so Traefik can reach it through the host gateway.
- The Control UI loaded through Traefik uses browser origin https://oc.an2.io, so that exact origin must be listed in gateway.controlUi.allowedOrigins.

Traefik config summary
- Router name: openclaw
- Entry point: websecure
- TLS cert resolver: letsencrypt
- Host rule: oc.an2.io
- Service upstream: http://host.docker.internal:18789
- Dynamic file: /opt/traefik/dynamic/openclaw.yml

OpenClaw config summary
- File: /home/user/.openclaw/openclaw.json
- gateway.bind: lan
- gateway.controlUi.allowedOrigins includes:
  - http://localhost:18789
  - http://127.0.0.1:18789
  - https://oc.an2.io

Notes
- https://localhost:18789 is not the correct public URL because OpenClaw on port 18789 speaks plain HTTP.
- TLS is terminated by Traefik on port 443 and then proxied to http://host.docker.internal:18789.
- If the browser shows "origin not allowed", check gateway.controlUi.allowedOrigins first.

Useful checks
- ss -ltnp | grep 18789
- curl http://localhost:18789/
- curl -k https://oc.an2.io/
- sudo docker logs --tail 100 traefik

If needed
- Restart OpenClaw gateway after config changes
- Traefik dynamic config should hot-reload automatically, no Traefik restart is usually needed