Network Topology
Address & Port Matrix
| Component | IP/Interface | Port | Exposure | Notes | | — | — | — | — | — | | Caddy HTTP | 0.0.0.0 | 80/tcp | Public | Redirects to HTTPS | | Caddy HTTPS | 0.0.0.0 | 443/tcp | Public | TLS termination + BasicAuth | | SSH (rate-limited) | 0.0.0.0 | 22/tcp | Restricted | Allow only trusted IPs via UFW limit | | OpenClaw Gateway | 127.0.0.1 | 18789/tcp | Internal only | Accessed by Caddy; UFW denies WAN |
Traffic Paths
- Public Route: Internet → Caddy (80/443) → Gateway loopback.
- SSH Tunnel (admin-use):
ssh -L 18789:127.0.0.1:18789 ubuntu@<YOUR_VPS_IP> curl -u deployer:<REDACTED> https://localhost:18789/statusUse when testing without exposing additional ports; still requires BasicAuth headers.
Verification Commands
# Confirm DNS
dig +short fopenclaw.com
# Ensure gateway hidden externally
sudo nmap -p 18789 <YOUR_VPS_IP> # should be filtered/closed
sudo nmap -p 18789 127.0.0.1 # should be open
# UFW state
sudo ufw status numbered
Security Note: After editing firewall rules, reload (
sudo ufw reload) and re-run the verification commands to catch accidental 0.0.0.0 exposure.