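# 2026-04-03/04 Accessing the OpenClaw Control UI over the LAN

## Problem

Other devices on the LAN cannot reach OpenClaw's web UI (Control UI).

## Cause

1. **nginx SSL certificate permissions**: the local nginx reverse proxy (`/etc/nginx/sites-enabled/reverse-proxy`) is configured for HTTPS → OpenClaw, but the self-signed certificate's private key `/etc/ssl/self-signed.key` has permissions `600 root:root`, so nginx, which runs as `www-data`, cannot read it.
2. **Control UI security restriction**: HTTP access from anywhere other than localhost is blocked by the device identity check.

## Solution

### 1. Fix the SSL certificate permissions

```bash
# Owner (root) read/write, group read-only, no access for others
sudo chmod 640 /etc/ssl/self-signed.key
# Hand group ownership to the account nginx runs as
sudo chgrp www-data /etc/ssl/self-signed.key
sudo systemctl restart nginx
```

### 2. openclaw.json configuration

Add the following to the `gateway.controlUi` section:

```json
{
  "allowedOrigins": [
    "http://localhost:18789",
    "http://127.0.0.1:18789",
    "http://192.168.2.110:18789",
    "http://192.168.2.110",
    "https://192.168.2.110",
    "https://192.168.2.110:443"
  ],
  "allowInsecureAuth": true,
  "dangerouslyDisableDeviceAuth": true
}
```

### 3. nginx reverse proxy configuration

File: `/etc/nginx/sites-enabled/reverse-proxy`

```nginx
server {
    # Listen for HTTPS on the LAN address only
    listen 192.168.2.110:443 ssl;
    ssl_certificate /etc/ssl/self-signed.crt;
    ssl_certificate_key /etc/ssl/self-signed.key;

    location / {
        # OpenClaw itself listens on loopback only
        proxy_pass http://127.0.0.1:18789;
        proxy_set_header Host $host;
        # Pass WebSocket upgrade requests through to the backend
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Keep long-lived connections open for up to 24 hours
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }
}
```

## Access

- LAN: `https://192.168.2.110/` (self-signed certificate; the browser has to be told to trust it manually)
- The first connection requires `openclaw devices approve` (skipped if `dangerouslyDisableDeviceAuth` is enabled)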
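
A review pass over the `gateway.controlUi` settings from step 2, as an added example that is not part of the original notes or of OpenClaw itself. It lists the origins served over cleartext HTTP from non-loopback hosts, origin entries that spell out a default port, and the relaxing flags that are switched on. The function names, the finding labels and the nesting of the sample under `gateway.controlUi` are assumptions; the keys and values are the ones shown on this page.

```python
import json
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: the values from this page, nested as gateway.controlUi
# (the surrounding file layout is an assumption).
SAMPLE = json.loads("""
{"gateway": {"controlUi": {
  "allowedOrigins": [
    "http://localhost:18789", "http://127.0.0.1:18789",
    "http://192.168.2.110:18789", "http://192.168.2.110",
    "https://192.168.2.110", "https://192.168.2.110:443"],
  "allowInsecureAuth": true,
  "dangerouslyDisableDeviceAuth": true}}}
""")

DEFAULT_PORTS = {"http": 80, "https": 443}
RELAXING_FLAGS = ("allowInsecureAuth", "dangerouslyDisableDeviceAuth")


def is_loopback(host):
    """True for 'localhost' and loopback IP literals such as 127.0.0.1 or ::1."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False


def audit_control_ui(config):
    """Return (finding, value) pairs for settings worth a second look."""
    ui = config.get("gateway", {}).get("controlUi", {})
    findings = []
    for origin in ui.get("allowedOrigins", []):
        url = urlsplit(origin)
        if url.scheme == "http" and not is_loopback(url.hostname or ""):
            # UI loaded over cleartext HTTP from a non-loopback address.
            findings.append(("plaintext-lan-origin", origin))
        if url.port is not None and url.port == DEFAULT_PORTS.get(url.scheme):
            # Browsers omit the default port when serializing Origin,
            # so a browser never sends this exact string.
            findings.append(("redundant-default-port", origin))
    for flag in RELAXING_FLAGS:
        if ui.get(flag) is True:
            findings.append(("protection-relaxed", flag))
    return findings


if __name__ == "__main__":
    for finding, value in audit_control_ui(SAMPLE):
        print(f"{finding}: {value}")
```

With the nginx HTTPS proxy from step 3 in front, the browser's origin is `https://192.168.2.110`, which is the one LAN entry the audit leaves unflagged.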