mirror of https://github.com/openclaw/openclaw.git
* fix(gateway): prevent auth bypass when behind unconfigured reverse proxy

When proxy headers (X-Forwarded-For, X-Real-IP) are present but gateway.trustedProxies is not configured, the gateway now treats connections as non-local. This prevents a scenario where all proxied requests appear to come from localhost and receive automatic trust.

Previously, running behind nginx/Caddy without configuring trustedProxies would cause isLocalClient=true for all external connections, potentially bypassing authentication and auto-approving device pairing.

The gateway now logs a warning when this condition is detected, guiding operators to configure trustedProxies for proper client IP detection.

Also adds documentation for reverse proxy security configuration.

* fix: harden reverse proxy auth (#1795) (thanks @orlyjamie)

---------

Co-authored-by: orlyjamie <orlyjamie@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
||
|---|---|---|
| .. | ||
| authentication.md | ||
| background-process.md | ||
| bonjour.md | ||
| bridge-protocol.md | ||
| cli-backends.md | ||
| configuration-examples.md | ||
| configuration.md | ||
| discovery.md | ||
| doctor.md | ||
| gateway-lock.md | ||
| health.md | ||
| heartbeat.md | ||
| index.md | ||
| local-models.md | ||
| logging.md | ||
| multiple-gateways.md | ||
| openai-http-api.md | ||
| openresponses-http-api.md | ||
| pairing.md | ||
| protocol.md | ||
| remote-gateway-readme.md | ||
| remote.md | ||
| sandbox-vs-tool-policy-vs-elevated.md | ||
| sandboxing.md | ||
| security.md | ||
| tailscale.md | ||
| tools-invoke-http-api.md | ||
| troubleshooting.md | ||