2026 OpenClaw Enterprise Egress Proxy:
HTTP_PROXY / HTTPS_PROXY / NO_PROXY — LaunchAgent vs systemd
Cross-border office WANs often force all outbound traffic through a corporate HTTP(S) proxy. This guide compares macOS LaunchAgent environment injection with Linux systemd drop-ins, gives paste-ready repro steps, and maps common toolchain fetch errors to fixes—so your always-on OpenClaw gateway stays reachable and your installs do not flap.
Why enterprise egress proxy settings matter for OpenClaw
An always-on OpenClaw gateway node must pull packages, call upstream APIs, and refresh model or plugin metadata over the public internet. On cross-border office networks, outbound traffic is often forced through an HTTP or HTTPS forward proxy with authentication, split DNS, or TLS inspection. If HTTP_PROXY / HTTPS_PROXY / NO_PROXY are wrong—or only present in an interactive shell—the daemon sees a different environment than your terminal, and failures look “random.” For broader WAN and routing context, see cross-regional access optimization strategies.
1. Variable semantics (quick reference)
| Variable | Typical use | Notes |
|---|---|---|
| HTTP_PROXY | Proxy URL for http:// requests | Format http://user:pass@host:port (avoid logging secrets). |
| HTTPS_PROXY | Proxy for HTTPS CONNECT tunnels | Often same host as HTTP_PROXY; some stacks fall back to http_proxy lowercase. |
| ALL_PROXY | Catch-all (socks / http) | Node, Go, and some CLI tools consult it; can override per-protocol vars—test explicitly. |
| NO_PROXY | Bypass list | Comma-separated hostnames, optional *.corp.internal patterns; include localhost, 127.0.0.1, ::1 so local gateway binds do not loop through the proxy. |
Operational rule: mirror the same four variables in the process environment that actually runs the gateway (LaunchAgent or systemd), not only in ~/.zshrc.
2. macOS LaunchAgent: inject env for a persistent gateway
launchd does not read shell profiles. Use a plist with <key>EnvironmentVariables</key> or wrap the binary in a small script that exports vars then execs OpenClaw.
Minimal pattern (plist excerpt)
<key>EnvironmentVariables</key>
<dict>
<key>HTTP_PROXY</key><string>http://proxy.corp.example:8080</string>
<key>HTTPS_PROXY</key><string>http://proxy.corp.example:8080</string>
<key>NO_PROXY</key><string>localhost,127.0.0.1,::1,.internal.corp,10.0.0.0/8</string>
</dict>
After editing: launchctl bootout / bootstrap the agent (or log out/in). Verify with launchctl print gui/$UID/com.example.openclaw—environment blocks should list your keys.
3. Linux systemd: unit drop-in vs global environment
On servers, prefer systemctl edit servicename to create /etc/systemd/system/servicename.service.d/override.conf with [Service] Environment= lines or EnvironmentFile=/etc/openclaw/proxy.env. Then systemctl daemon-reload and systemctl restart servicename. This matches how teams already harden other daemons; for mixed Windows/Linux nodes, pair with OpenClaw on Windows/Linux and systemd.
Drop-in snippet
[Service]
EnvironmentFile=-/etc/openclaw/proxy.env
File proxy.env uses KEY=value per line, no export keyword.
4. LaunchAgent vs systemd (decision table)
| Topic | macOS LaunchAgent | Linux systemd |
|---|---|---|
| Where env lives | Plist EnvironmentVariables or wrapper script | Unit, drop-in, or EnvironmentFile |
| Reload config | launchctl bootout/bootstrap | daemon-reload + service restart |
| User vs system | User agents in ~/Library/LaunchAgents | Often system units under /etc/systemd/system |
| Common pitfall | GUI login session vs SSH—different UID domain for agents | Service lacks login profile; /etc/environment not always loaded |
5. Reproducible checks
macOS (5 min)
- Install the LaunchAgent plist and load it for your GUI session.
- Run launchctl print on the label and confirm the proxy keys are present.
- From the same UID, run curl -v https://registry.npmjs.org; expect a CONNECT through the corporate proxy if the host is not in NO_PROXY.
Linux (5 min)
- Place proxy.env under /etc with restrictive permissions.
- Reference it from the unit drop-in; reload and restart.
- systemctl show servicename -p Environment should list the expanded variables.
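One audit that covers the plist from section 2, the proxy.env file from section 3, and the Linux checks above. This is an added example, not OpenClaw's own code: it reads a LaunchAgent plist with plistlib, parses an EnvironmentFile by hand, and flags the defects this guide warns about (missing variables, credentials embedded in the proxy URL, loopback absent from NO_PROXY, CIDR entries). The plist and env-file contents are constructed samples.

```python
"""Audit the proxy variables a gateway receives from launchd or systemd (added example)."""
import plistlib
from urllib.parse import urlsplit

LOOPBACK = ("localhost", "127.0.0.1", "::1")  # must never hairpin through the proxy

def parse_env_file(text):
    """Parse systemd EnvironmentFile syntax: KEY=value per line, no 'export'."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("export "):
            raise ValueError("EnvironmentFile lines must not use 'export': " + line)
        key, sep, value = line.partition("=")
        if not sep or not key.strip().isidentifier():
            raise ValueError("expected KEY=value, got: " + line)
        env[key.strip()] = value.strip().strip("\"'")
    return env

def parse_launchagent(plist_bytes):
    """Return the EnvironmentVariables dict of a LaunchAgent plist (XML or binary)."""
    return dict(plistlib.loads(plist_bytes).get("EnvironmentVariables", {}))

def audit(env):
    """Return findings for a proxy env mapping; an empty list means it passes."""
    findings = [f"{k} is missing or empty" for k in ("HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY") if not env.get(k)]
    for key in ("HTTP_PROXY", "HTTPS_PROXY"):
        if not env.get(key):
            continue
        u = urlsplit(env[key])
        if u.scheme not in ("http", "https", "socks5", "socks5h") or not u.hostname or not u.port:
            findings.append(f"{key} is not scheme://host:port: {env[key]}")
        if u.password:  # would surface in launchctl print / systemctl show output and logs
            findings.append(f"{key} embeds a password; keep auth out of the URL or lock down the file")
    entries = [e.strip().lstrip(".") for e in env.get("NO_PROXY", "").split(",") if e.strip()]
    findings += [f"NO_PROXY lacks {h}; loopback calls would hairpin through the proxy" for h in LOOPBACK if h not in entries]
    findings += [f"NO_PROXY entry {e} is CIDR; only some runtimes honour it" for e in entries if "/" in e]
    return findings

# Constructed samples: a clean LaunchAgent excerpt and a proxy.env with three defects.
GOOD_PLIST = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.openclaw</string>
<key>EnvironmentVariables</key><dict>
<key>HTTP_PROXY</key><string>http://proxy.corp.example:8080</string>
<key>HTTPS_PROXY</key><string>http://proxy.corp.example:8080</string>
<key>NO_PROXY</key><string>localhost,127.0.0.1,::1,.internal.corp</string></dict></dict></plist>"""
BAD_ENV = "HTTP_PROXY=http://svc:hunter2@proxy.corp.example:8080\nHTTPS_PROXY=http://svc:hunter2@proxy.corp.example:8080\nNO_PROXY=.internal.corp,10.0.0.0/8\n"
```

Run audit() against the file the service actually loads rather than your shell environment; an empty list means the service contract from section 1 holds.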
6. Toolchain fetch error matrix (symptom → likely cause)
| Tool / symptom | Typical error shape | What to verify first |
|---|---|---|
| npm / pnpm | ETIMEDOUT, ECONNRESET to registry | HTTPS_PROXY for Node; corporate CA in NODE_EXTRA_CA_CERTS if TLS inspection. |
| curl | Connection to proxy failed; empty response | Proxy URL scheme, port, auth; try curl -x explicitly. |
| git clone / fetch | SSL certificate problem; HTTP 407 | git config --global http.proxy; proxy auth; custom CA (http.sslCAInfo). |
| Docker pull | TLS handshake timeout behind proxy | Docker daemon env (not just shell): systemd drop-in for docker.service; or ~/.docker/config.json proxies. |
| Go modules | dial tcp i/o timeout | HTTPS_PROXY; GOPRIVATE for internal modules bypassing public proxy. |
7. FAQ
Why does my terminal work but the gateway fails?
The shell loads .zshrc / .bashrc; launchd and systemd do not. Copy the effective environment into the service definition.
Should NO_PROXY include my OpenClaw bind address?
Yes—if the gateway listens on loopback and tools on the same host talk to 127.0.0.1, exclude it so traffic does not hairpin through the corporate proxy.
Does order matter for multiple proxy variables?
Implementations differ; after setting vars, test each toolchain (curl, node, git) independently. Document the working triple in your internal runbook.
Can I rely on CIDR notation in NO_PROXY?
Support varies by runtime (some Go versions accept IP ranges; many libcurl builds list host suffixes only). When in doubt, enumerate critical internal hosts explicitly.
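The CIDR caveat above, shown on one concrete runtime. This is an added example, not OpenClaw's code: it asks CPython's urllib how it would route hosts against the bypass list from the plist excerpt in section 2 (suffix entries match, the 10.0.0.0/8 entry is silently treated as a host name). The host names and the 3000 port are constructed; libcurl, Go and Node apply their own rules.

```python
# Added example: how CPython's urllib interprets a NO_PROXY list.
from urllib.request import proxy_bypass_environment

# Same bypass list as the section 2 plist excerpt, CIDR entry included.
NO_PROXY = "localhost,127.0.0.1,::1,.internal.corp,10.0.0.0/8"

def bypasses_proxy(host, no_proxy=NO_PROXY):
    """True if urllib would send this host (optionally host:port) direct."""
    # Pass the proxies dict explicitly instead of mutating os.environ, so the
    # check is side-effect free and does not alter routing for this process.
    return proxy_bypass_environment(host, {"no": no_proxy})

def classify(hosts, no_proxy=NO_PROXY):
    """Map each host to 'direct' or 'proxy' as urllib would route it."""
    return {h: "direct" if bypasses_proxy(h, no_proxy) else "proxy" for h in hosts}

if __name__ == "__main__":
    # Constructed hosts; 127.0.0.1:3000 stands in for a local gateway bind.
    # 10.1.2.3 goes to the proxy: the CIDR entry never matches a host name.
    for host, route in classify(["127.0.0.1:3000", "::1", "db.internal.corp",
                                 "notinternal.corp", "10.1.2.3",
                                 "registry.npmjs.org"]).items():
        print(f"{host:22} -> {route}")
```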
Run the gateway on hardware that tolerates 24/7 network duty
Proxy debugging is painful enough without chasing thermal throttling or random sleep on a laptop. A desktop-class Mac mini with Apple Silicon delivers strong single-thread performance for Node-based gateways, sips power on idle (often on the order of a few watts), and stays quiet enough to live next to a router in a regional office. macOS gives you a familiar Unix toolchain—curl, ssh, Homebrew, and LaunchAgents—without rebuilding your mental model for each release.
Gatekeeper, SIP, and FileVault also reduce the attack surface compared with a typical commodity Windows box that shares the same VLAN as your proxy bypass rules. If you want a stable home for OpenClaw and the rest of your automation stack, Mac mini M4 is a sensible place to start—see current Mac mini options on MacCDN.
Bottom line
Treat HTTP_PROXY, HTTPS_PROXY, and NO_PROXY as part of your service contract: define them in LaunchAgent plists on macOS and systemd drop-ins on Linux, validate with launchctl print / systemctl show, then map fetch errors to proxy, TLS, or auth—not to “the internet is down.”