# 2026-04-03/04 Accessing the OpenClaw Control UI over the LAN

## Problem

Other devices on the LAN cannot reach OpenClaw's web UI (Control UI).

## Cause

1. **nginx SSL certificate permissions**: the local nginx reverse proxy (`/etc/nginx/sites-enabled/reverse-proxy`) is configured for HTTPS → OpenClaw, but the self-signed certificate's private key `/etc/ssl/self-signed.key` has permissions `600 root:root`, so nginx, which runs as `www-data`, cannot read it.
2. **Control UI security restriction**: HTTP access from anything other than localhost is blocked by the device identity check.

## Solution

### 1. Fix the SSL certificate permissions

```bash
# Let the www-data group (the user nginx runs as) read the key; others get no access
sudo chmod 640 /etc/ssl/self-signed.key
sudo chgrp www-data /etc/ssl/self-signed.key
sudo systemctl restart nginx
```

### 2. openclaw.json configuration

Add the following to the `gateway.controlUi` section:

```json
{
  "allowedOrigins": [
    "http://localhost:18789",
    "http://127.0.0.1:18789",
    "http://192.168.2.110:18789",
    "http://192.168.2.110",
    "https://192.168.2.110",
    "https://192.168.2.110:443"
  ],
  "allowInsecureAuth": true,
  "dangerouslyDisableDeviceAuth": true
}
```

### 3. nginx reverse proxy configuration

File: `/etc/nginx/sites-enabled/reverse-proxy`

```nginx
server {
    listen 192.168.2.110:443 ssl;
    ssl_certificate /etc/ssl/self-signed.crt;
    ssl_certificate_key /etc/ssl/self-signed.key;

    location / {
        proxy_pass http://127.0.0.1:18789;
        # WebSocket upgrade needs HTTP/1.1 to the upstream; set it explicitly
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Long timeouts keep idle long-lived connections open
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }
}
```

## Access

- LAN: `https://192.168.2.110/` (self-signed certificate; it must be trusted manually in the browser)
- The first connection requires `openclaw devices approve` (skipped if `dangerouslyDisableDeviceAuth` is already enabled)