docs: refresh shared-secret auth mirrors

Peter Steinberger 2026-04-04 14:02:29 +01:00
parent f8dcd3ed83
commit 0afd30d325
No known key found for this signature in database
3 changed files with 9 additions and 5 deletions


@ -936,11 +936,14 @@ Important boundary note:
**Trust assumption:** tokenless Serve auth assumes the gateway host is trusted.
Do not treat this as protection against hostile same-host processes. If untrusted
local code may run on the gateway host, disable `gateway.auth.allowTailscale`
and require token/password auth.
and require explicit shared-secret auth with `gateway.auth.mode: "token"` or
`"password"`.
**Security rule:** do not forward these headers from your own reverse proxy. If
you terminate TLS or proxy in front of the gateway, disable
`gateway.auth.allowTailscale` and use token/password auth (or [Trusted Proxy Auth](/gateway/trusted-proxy-auth)) instead.
`gateway.auth.allowTailscale` and use shared-secret auth (`gateway.auth.mode:
"token"` or `"password"`) or [Trusted Proxy Auth](/gateway/trusted-proxy-auth)
instead.
Trusted proxies:
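Review bot: in the rewritten **Security rule** sentence the inline code span is broken across a line wrap (`gateway.auth.mode:` ends one line and `"token"` opens the next). CommonMark folds the newline into a space so it still renders as `gateway.auth.mode: "token"`, but other renderers and plain-text search will not treat it as one span; wrap before the opening backtick instead, as the **Trust assumption** sentence above already does. With that fixed, the new "shared-secret auth" wording matches the commit message and the trusted-proxy alternative is preserved.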


@ -133,7 +133,7 @@ Open: `https://<magicdns>/`
Notes:
- Serve keeps the Gateway loopback-only and authenticates Control UI/WebSocket traffic via Tailscale identity headers (tokenless auth assumes trusted gateway host; HTTP APIs still require token/password).
- To require token/password instead, set `gateway.auth.allowTailscale: false` or use `gateway.auth.mode: "password"`.
- To require explicit shared-secret credentials instead, set `gateway.auth.allowTailscale: false` and use `gateway.auth.mode: "token"` or `"password"`.
**Option C: Tailnet bind (no Serve)**
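Review bot: the unchanged first bullet still says `HTTP APIs still require token/password` while the rewritten bullet directly below it switches to "explicit shared-secret credentials", so two adjacent notes now use different names for the same mechanism; update the first bullet to match the new wording. Separately, the old bullet offered `gateway.auth.mode: "password"` as an alternative ("or") to `gateway.auth.allowTailscale: false`, whereas the new bullet requires both ("and"). If forcing password mode alone no longer turns off Tailscale-identity auth, state that explicitly; if it still does, the "and" overstates what the reader must configure.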


@ -141,8 +141,9 @@ By default, Control UI/WebSocket Serve requests can authenticate via Tailscale i
verifies the identity by resolving the `x-forwarded-for` address with
`tailscale whois` and matching it to the header, and only accepts these when the
request hits loopback with Tailscales `x-forwarded-*` headers. Set
`gateway.auth.allowTailscale: false` (or force `gateway.auth.mode: "password"`)
if you want to require a token/password even for Serve traffic.
`gateway.auth.allowTailscale: false` if you want to require explicit shared-secret
credentials even for Serve traffic. Then use `gateway.auth.mode: "token"` or
`"password"`.
Tokenless Serve auth assumes the gateway host is trusted. If untrusted local
code may run on that host, require token/password auth.