- Gateway 绑定 :
gateway.bind改为"lan",controlUi.allowedOrigins添加 IP 域名- SSL 证书:生成自签名证书(CN=IP,有效期 365 天)
- Nginx 配置 :HTTPS 反向代理 +
proxy_set_header Host localhost绕过配对验证- 防火墙:UFW 放行 80/443 及局域网 18789(192.168.0.0/16)
- 设备配对 :首次访问运行
openclaw devices approve <id>
📋 OpenClaw 局域网 HTTPS 访问配置总结
一、修改 Gateway 绑定地址
bash
# 编辑配置文件
nano ~/.openclaw/openclaw.json
# 找到 gateway.bind,从 "loopback" 改为 "lan"
"gateway": {
"bind": "lan", # ← 允许局域网访问
"mode": "local",
"port": 18789
}二、修改 Control UI 允许的域名
在同一个文件中,添加所有可能的访问域名:
json
"gateway": {
...
"controlUi": {
"allowedOrigins": [
"http://localhost:18789",
"http://127.0.0.1:18789",
"https://localhost:18789",
"https://127.0.0.1:18789",
"http://YOUR_IP:18789",
"https://YOUR_IP:18789",
"http://YOUR_IP",
"https://YOUR_IP"
]
}
}💡 将
YOUR_IP替换为实际 IP,如192.168.123.123
三、生成 SSL 证书(自签名)
bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/openclaw.key \
-out /etc/ssl/certs/openclaw.crt \
-subj "/CN=YOUR_IP" \
-addext "subjectAltName=DNS:localhost,DNS:YOUR_IP,IP:YOUR_IP"四、配置 Nginx HTTPS 反向代理
bash
nano /etc/nginx/sites-available/openclaw-https粘贴以下配置(将 YOUR_IP 替换为实际 IP):
nginx
server {
listen 443 ssl;
server_name YOUR_IP localhost;
# SSL 证书配置
ssl_certificate /etc/ssl/certs/openclaw.crt;
ssl_certificate_key /etc/ssl/private/openclaw.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://YOUR_IP:18789/;
proxy_http_version 1.1;
# 🔑 关键:强制本地化,避免配对要求
proxy_set_header Host localhost;
proxy_set_header Origin https://localhost:18789;
# WebSocket 支持
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 86400;
proxy_send_timeout 86400;
proxy_buffering off;
}
location /app/ {
try_files $uri $uri/ /index.html;
add_header Cache-Control "public, max-age=31536000";
}
}
# HTTP 自动跳转 HTTPS
server {
listen 80;
server_name YOUR_IP localhost;
return 301 https://$host$request_uri;
}启用配置:
bash
ln -sf /etc/nginx/sites-available/openclaw-https /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default
nginx -t && systemctl reload nginx五、配置 UFW 防火墙
bash
# 重置并启用防火墙
ufw --force reset
# 允许必要端口
ufw allow 22/tcp # SSH(所有来源)
ufw allow 80/tcp # HTTP 重定向
ufw allow 443/tcp # HTTPS(所有来源)
ufw allow from 192.168.0.0/16 to any port 18789 # Gateway(仅局域网)
# 启用防火墙
ufw --force enable六、重启 OpenClaw Gateway
bash
pkill -f openclaw-gateway
sleep 2
nohup /root/.nvm/versions/node/v25.8.1/bin/node \
/root/.nvm/versions/node/v25.8.1/lib/node_modules/openclaw/bin/gateway.js > /tmp/openclaw-gw.log 2>&1 &七、首次访问配对(如需要)
浏览器访问 https://YOUR_IP/chat?session=main,如果遇到 "pairing required":
bash
# 查看配对请求列表
openclaw devices list
# 批准设备(替换为实际设备 ID)
openclaw devices approve <Request ID>- OpenClaw "Pairing Required" 机制详解🔐 OpenClaw "Pairing Require - 掘金
- OpenClaw Pairing required 错误解决方案详解 - 知乎
✅ 验证清单
| 检查项 | 命令 | 预期结果 |
|---|---|---|
| Gateway 运行 | `ps aux | grep openclaw-gateway` |
| Gateway 端口 | `ss -ltnp | grep 18789` |
| Nginx 运行 | systemctl status nginx |
active (running) |
| 防火墙状态 | ufw status |
包含 22/80/443/18789 |
| HTTPS 访问 | curl -k https://localhost/ |
返回 HTML |
📞 访问方式
局域网内任意设备:
ini
https://YOUR_IP/chat?session=main首次浏览器访问会提示自签名证书警告,选择"继续访问"即可。
🔒 安全建议
- Token 认证 : Gateway 已有 token 保护(查看
openclaw.json) - 限制 QQBot 访问 : 将
"allowFrom": ["*"]改为具体账号 - SSH 加固: 考虑限制 SSH 为特定 IP 或禁用密码登录
- 定期更新 SSL 证书: 自签名证书一年后需重新生成
这样配置后,局域网内的任何设备都可以直接通过 HTTPS 访问 Control UI 了!