#Gateway suddenly not reachable

1 messages · Page 1 of 1 (latest)

upper hamletBOT
#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> âś… Mark Solution

sly stone
#

Gateway is suddenly not reachable through https

[Tue Feb 10 2026 07:37:22.860]

2026-02-10T00:37:26.513Z [ws] closed before connect conn=ee98d952-9ec4-46f1-9c4c-201c6758037b remote=127.0.0.1 fwd=n/a origin=http://7 host=private ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 code=1008 reason=control ui requires HTTPS or localhost (secure context)

#

?

rose canyonBOT
#

Those logs mean the Gateway is reachable, but it’s rejecting the Control UI WebSocket because you’re opening it from a non-secure context:

  • code=1008 reason=control ui requires HTTPS or localhost (secure context)
  • origin=http://76.13.143.94:55204 → plain HTTP from a remote origin
  • remote=127.0.0.1 host=76.13.143.94:55204 + the warning about Host header → you’re very likely going through a local reverse proxy (nginx/Caddy/Traefik) that connects to OpenClaw on loopback, but the browser origin is still http://….

Fix options (pick one)

1) Recommended: put the Control UI behind HTTPS

2) Local-only access (works immediately)

  • Open on the gateway machine: http://127.0.0.1:18789/
  • Or SSH tunnel from your PC:
# 
  ssh -L 18789:127.0.0.1:18789 <user>@<server>

then open http://127.0.0.1:18789/ in your local browser.

3) “Break-glass” downgrade (not recommended): allow token-only over HTTP
If you must use plain HTTP on a trusted network, you can allow insecure auth (security downgrade):

{
  gateway: {
    controlUi: { allowInsecureAuth: true },
    auth: { mode: "token", token: "replace-me" },
  },
}

(docs: https://docs.openclaw.ai/web/control-ui#insecure-http)

#

About the trustedProxies warning

If you are behind a reverse proxy, configure gateway.trustedProxies and make sure your proxy forwards/overwrites X-Forwarded-For / X-Real-IP (and typically X-Forwarded-Proto: https when terminating TLS). This is separate from the secure-context block, but it’s the right fix for the “loopback + non-local Host header” warning. (docs: https://docs.openclaw.ai/gateway/security)

If you paste:

  1. openclaw --version
  2. whether you’re using nginx/Caddy/Traefik (and whether it’s HTTPS on the outside)

…I can tell you the exact minimal config for your setup.

#

That ? in the logs is answered by the last line:

reason=control ui requires HTTPS or localhost (secure context)

So the Gateway isn’t “down” — your browser is opening the Control UI over plain HTTP from a remote origin (origin=http://76.13.143.94:55204), and the Gateway rejects the WebSocket because the Control UI requires a secure context (HTTPS) or localhost.

Fast fixes:

  1. Open it locally on the gateway host: http://127.0.0.1:18789/
    (or SSH tunnel -L 18789:127.0.0.1:18789 and open that locally)

  2. Use HTTPS (recommended), e.g. Tailscale Serve:
    openclaw gateway --tailscale serve → open https://<magicdns>/

Break-glass (not recommended): set gateway.controlUi.allowInsecureAuth: true to allow token-only over HTTP.

If you tell me: