#Reverse proxy issue


proper arch

This used to work on previous versions, but is now not working. I get continuous errors like the one below:

[ws] closed before connect conn=42349618-d346-4723-9428-2fb8259480d7 remote=100.111.228.114 fwd=67.191.78.58 origin=https://ai.search.xxx.com host=ai.search.xxx.com ua=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:148.0) Gecko/20100101 Firefox/148.0 code=4008 reason=connect failed

proper lakeBOT

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> ✅ Mark Solution

floral ironBOT

That log line is from the Gateway when a browser opens the WebSocket but never successfully completes the initial connect handshake. The Control UI client then closes the socket with code 4008 / “connect failed” (that’s the UI’s “connect() request was rejected” code).

In reverse-proxy setups the most common regression after upgrading is Origin allowlisting:

  • Your request has origin=https://ai.search.xxx.com
  • Newer Gateways will reject Control UI connects from non-loopback origins unless you allowlist them via gateway.controlUi.allowedOrigins.

Fix in ~/.openclaw/openclaw.json (JSON5):

{
  gateway: {
    controlUi: {
      allowedOrigins: ["https://ai.search.xxx.com"],
    },
  },
}

Restart the gateway after changing config.

Docs: https://docs.openclaw.ai/gateway/configuration-reference (see controlUi.allowedOrigins)

Two quick checks if it still fails:

  1. Token mismatch: run openclaw dashboard and make sure you’re using the current token in Control UI → Control → Overview → Gateway Access.
  2. Paste openclaw --version + your gateway.auth + gateway.controlUi config snippet (and what proxy you’re using: nginx/caddy/cloudflare/tailscale), and we can pinpoint whether it’s origin vs auth vs rate-limit.
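
An added triage sketch, not part of the thread and not OpenClaw's own code: it parses a gateway log line in the format quoted above and checks the logged origin against a candidate allowedOrigins list. The function names are hypothetical, and exact scheme/host/port matching is an assumption, since the Gateway's own matching rules are not shown on this page.

```javascript
// Constructed sample: the log line from the thread, user agent shortened.
const SAMPLE_LINE =
  "[ws] closed before connect conn=42349618-d346-4723-9428-2fb8259480d7 " +
  "remote=100.111.228.114 fwd=67.191.78.58 origin=https://ai.search.xxx.com " +
  "host=ai.search.xxx.com ua=Mozilla/5.0 (Macintosh) Firefox/148.0 " +
  "code=4008 reason=connect failed";

// Keys seen in the log line on this page; ua and reason values contain spaces.
const KEYS = ["conn", "remote", "fwd", "origin", "host", "ua", "code", "reason"];

// origin and ua are client-supplied. The first occurrence of a key wins, so a
// crafted ua cannot overwrite the fields logged before it (origin, remote, fwd).
function parseGatewayLine(line) {
  const re = new RegExp(`(?:^|\\s)(${KEYS.join("|")})=`, "g");
  const marks = [...line.matchAll(re)];
  const fields = {};
  marks.forEach((m, i) => {
    const start = m.index + m[0].length;
    const end = i + 1 < marks.length ? marks[i + 1].index : line.length;
    if (!(m[1] in fields)) fields[m[1]] = line.slice(start, end).trim();
  });
  return fields;
}

// Reduce a value to scheme://host[:port]; returns null if it is not a URL.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin; // lowercases host, drops default port and path
  } catch {
    return null;
  }
}

// Assumption: allowlist entries are compared as exact normalized origins.
function triage(line, allowedOrigins) {
  const f = parseGatewayLine(line);
  const origin = normalizeOrigin(f.origin || "");
  const listed = origin !== null && allowedOrigins.map(normalizeOrigin).includes(origin);
  let hint;
  if (f.code !== "4008") hint = "not a connect-failed close";
  else if (origin === null) hint = "origin missing or unparsable";
  else if (!listed) hint = `add "${origin}" to gateway.controlUi.allowedOrigins`;
  else hint = "origin is listed; check token, auth config, rate limit";
  return { origin, host: f.host, code: f.code, listed, hint };
}

console.log(triage(SAMPLE_LINE, ["http://ai.search.xxx.com"]).hint);
```

The last line shows a scheme mismatch: when the proxy terminates TLS the browser sends an https:// origin, so an http:// entry for the same host does not match.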