2026 OpenClaw Public Internet Access:
Caddy/Nginx + TLS vs Cloudflare Tunnel
Localhost binding, WebSocket upgrades, rate limiting, and copy-paste Caddy/Nginx snippets—plus Cloudflare Tunnel trade-offs and a practical FAQ for 502 Bad Gateway and certificate errors.
What this runbook covers
Exposing an OpenClaw control plane or dashboard in 2026 is rarely “open port 3000 and hope.” You want a deliberate split: the app listens on loopback, while TLS and policy live at the edge—either on your own reverse proxy (Caddy or Nginx) or on a managed ingress path such as Cloudflare Tunnel.
This guide assumes you already have OpenClaw running locally; if not, start from our install matrix (curl / npm / Docker), then return here to harden public access.
Localhost binding: the first line of defense
Bind the upstream service to 127.0.0.1 (or a Unix socket) so it is not reachable directly from the LAN or WAN. The reverse proxy—or tunnel agent—becomes the only listener that faces untrusted networks.
Common mistakes
- • Listening on
0.0.0.0“just to make it work,” which bypasses your proxy ACLs for anyone who can route to the host. - • Terminating TLS in the proxy but still pointing
proxy_passathttps://127.0.0.1without a matching cert—see the FAQ below. - • Forgetting macOS Application Firewall rules when you move from Wi‑Fi lab to office VLANs—symptoms look like random 502s, not hard failures.
For a broader deployment narrative—why macOS-shaped nodes help with global agent traffic—see 2026 OpenClaw deployment practices on macOS cloud.
Path A — Caddy or Nginx: reverse proxy + TLS termination
You own the public IP (or port-forward) and a DNS name. TLS certificates are issued on the proxy (Let’s Encrypt ACME, DNS-01, or a corporate PKI). OpenClaw stays on HTTP over loopback.
Caddy (minimal, automatic HTTPS)
Caddy v2 upgrades WebSockets automatically when the client sends Upgrade: websocket. A practical starting point:
openclaw.example.com {
encode gzip zstd
reverse_proxy 127.0.0.1:18789
}
Replace the port with your real OpenClaw HTTP port. Add header_up Host {host} only if the app validates Host headers strictly. For long-lived streams, you can raise transport timeouts in a transport http block if you observe idle disconnects.
Nginx (explicit WebSocket map)
Nginx needs a connection upgrade map. Paste this pattern verbatim, then adjust server name, cert paths, and upstream port:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl http2;
server_name openclaw.example.com;
ssl_certificate /etc/ssl/openclaw/fullchain.pem;
ssl_certificate_key /etc/ssl/openclaw/privkey.pem;
location / {
limit_req zone=openclaw_limit burst=20 nodelay;
proxy_pass http://127.0.0.1:18789;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
}
}
Define the rate-limit zone once in http context, for example: limit_req_zone $binary_remote_addr zone=openclaw_limit:10m rate=10r/s;. Tune rate and burst to your API surface—interactive dashboards tolerate higher bursts than raw webhook endpoints.
Path B — Cloudflare Tunnel (no inbound ports)
Cloudflare Tunnel (cloudflared) dials out to Cloudflare; you publish a hostname in the dashboard or via IaC. Pros: no public listener on the Mac, fast rollback, and centralized access policies when paired with Cloudflare Access. Cons: you inherit Cloudflare’s path semantics, upload size limits, and WebSocket timeouts unless tuned; debugging is split between edge and origin logs.
Typical pattern: run OpenClaw on 127.0.0.1:PORT, configure the tunnel ingress to that origin as HTTP, and let Cloudflare terminate TLS. If you previously used “flexible” SSL to an HTTP origin, avoid re-introducing HTTPS loops at the origin—pick one TLS termination point.
Decision matrix (60-second version)
| Topic | Own proxy (Caddy/Nginx) | Cloudflare Tunnel |
|---|---|---|
| Inbound firewall | Requires open 443 (or forwarded port) | Outbound-only agent |
| TLS certificates | You operate ACME / renewals | Cloudflare edge certs |
| WebSocket | Explicit headers (Nginx); automatic (Caddy) | Supported; watch idle timeouts |
| Rate limiting | limit_req, WAF, mTLS options | Cloudflare rules + Access |
| Debuggability | Full access to proxy + app logs | Split between CF and origin |
WebSocket checklist
- • Client must request upgrade; intercepting middleware must not strip
UpgradeorConnection. - • Any CDN or Tunnel in the path must allow WebSockets (not “static only”).
- • Align idle timeouts: browser ↔ edge ↔ proxy ↔ OpenClaw. The weakest timeout wins and looks like “random disconnect.”
FAQ — 502 Bad Gateway
Upstream refused connection
Confirm OpenClaw is listening on the same IP family and port as proxy_pass. If the app bound to ::1 only, 127.0.0.1 fails silently from the proxy’s perspective.
Wrong protocol
TLS termination at the edge means the hop to OpenClaw is usually plain HTTP. Pointing the proxy at https://127.0.0.1 without a valid local cert yields handshake errors logged as 502.
Body too large / timeouts
Import or attachment heavy flows may need client_max_body_size (Nginx) or Caddy’s request body limits. Long jobs need higher read timeouts on every hop.
FAQ — certificate and hostname errors
Browser shows wrong certificate
Another vhost on the same IP is catching the request, or DNS still points to an old load balancer. Verify SNI with openssl s_client -connect openclaw.example.com:443 -servername openclaw.example.com.
Mixed content or redirect loops
If OpenClaw issues redirects based on X-Forwarded-Proto, ensure the proxy sets it to https. Missing headers often produce http↔https loops that fail at the edge.
Why a Mac mini is a strong home edge for this pattern
OpenClaw plus Caddy or cloudflared is exactly the kind of always-on, low-touch service stack that benefits from Apple Silicon efficiency: a Mac mini M4 can sit at roughly single-digit watt idle while running native Unix tooling, Homebrew-managed daemons, and launchd services without the fan noise of a typical x86 tower. macOS pairs that hardware with a stable scheduler and mature TLS stacks—useful when your reverse proxy is also your daily workstation.
Gatekeeper, SIP, and FileVault add defense in depth for a machine that holds agent credentials and tunnel tokens. If you want this topology without maintaining physical hardware, the same stack ports cleanly to a dedicated macOS cloud instance for 24/7 uptime.
If you are standardizing OpenClaw for a distributed team, pairing this ingress guide with macOS cloud collaboration patterns keeps builds, secrets, and edge routing in one familiar OS family.
Ready to run it on quiet, efficient Apple Silicon? A Mac mini M4 remains one of the simplest ways to host this stack at home; use the Get Now card below to explore Mac mini options on MacCDN and wire up your tunnel or reverse proxy with confidence.
Host OpenClaw on Apple Silicon
Low-power 24/7 nodes with native Unix tooling—ideal for reverse proxies, tunnels, and agent sidecars without a noisy rack.