Security Controls
BasicAuth (Caddy)
- Hash passwords with
caddy hash-password --plaintext 'StrongPass!'. - Sample snippet (hash truncated, secrets
<REDACTED>):fopenclaw.com { basicauth { deployer <REDACTED> } reverse_proxy 127.0.0.1:18789 } - Rotate quarterly; store plaintext only in a password vault.
UFW Enforcement
sudo ufw default deny incoming
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw limit 22/tcp
sudo ufw deny 18789/tcp
sudo ufw enable
- Confirm status after every change; document rule numbers for quick removal.
Trusted Proxies
- Configure gateway to trust only loopback/networks hosting Caddy: ```yaml trustedProxies:
- 127.0.0.1
- 172.18.0.0/16 # docker bridge (adjust if different) ```
- Never set
0.0.0.0/0; that would allow spoofedX-Forwarded-*.
Token & Pairing Authentication
- Gateway token
<REDACTED>stored via env/secret file; rotate withopenclaw gateway token rotate. - Device pairing already complete; audit regularly:
docker compose exec gateway openclaw devices list docker compose exec gateway openclaw devices revoke <device-id>
Risks & Recommendations
- Credential leakage: sanitize logs before sharing (
sed 's/<REDACTED>/…/g'). - Config drift: pin Docker image tags (e.g.,
openclaw/gateway:2026.2.18) and review before upgrades. - Brute-force attempts: enable fail2ban on SSH and Caddy logs for repeated BasicAuth failures.
Security Warning: Any accidental bind to
0.0.0.0:18789exposes the control plane—monitor withsudo ss -ltnp | grep 18789.