GitHubDiscord

Reverse Proxy for OpenClaw: Nginx Setup

ProxySetup

Reverse Proxy for OpenClaw: Nginx Setup

Set up Nginx as a reverse proxy with WebSocket support, rate limiting, and SSL termination.

9 min readLast updated Feb 18, 2026
Stuck?Check the troubleshooting index or ask in Discord.

Overview

Nginx is a popular reverse proxy that can forward traffic to your OpenClaw instance. This guide covers setting up Nginx with SSL, WebSocket support, and basic security.

What you'll need
  • A server with Nginx installed
  • OpenClaw running (typically on port 3000 or 18789)
  • Domain name pointing to your server

Install Nginx

bash
sudo apt update
sudo apt install nginx

Configure Nginx

Create a configuration file for OpenClaw:

/etc/nginx/sites-available/openclaw
server {
    listen 80;
    server_name openclaw.yourdomain.com;

    # Redirect to HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name openclaw.yourdomain.com;

    # SSL configuration (see SSL section below)
    ssl_certificate /etc/letsencrypt/live/openclaw.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openclaw.yourdomain.com/privkey.pem;

    # OpenClaw runs on port 3000 by default
    location / {
        proxy_pass http://127.0.0.1:3000;
        
        # Required for WebSocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        
        # Standard proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # Timeouts for long-running connections
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
}

Enable the site:

bash
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t  # Test configuration
sudo systemctl reload nginx

Enable SSL with Let's Encrypt

Use Certbot to get a free SSL certificate:

1

Install Certbot

bash
# Ubuntu/Debian
sudo apt install certbot python3-certbot-nginx
2

Get certificate

bash
sudo certbot --nginx -d openclaw.yourdomain.com
3

Test auto-renewal

bash
sudo certbot renew --dry-run

WebSocket Support

OpenClaw uses WebSockets for real-time communication. The configuration above already includes the required WebSocket headers, but here's what they do:

nginx
# Enable WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
Don't skip this
Without WebSocket support, the OpenClaw dashboard and real-time features won't work properly.

Security Hardening

Rate limiting

Add rate limiting to prevent abuse:

nginx
http {
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    
    server {
        location /api {
            limit_req zone=api burst=20 nodelay;
        }
    }
}

Trusted proxies

Tell OpenClaw to trust Nginx for client IPs:

yaml
gateway:
  trustedProxies:
    - "127.0.0.1"
    - "::1"

Test & Restart

Always test your configuration before restarting:

bash
# Test configuration
sudo nginx -t

# Restart Nginx
sudo systemctl restart nginx

# Check status
sudo systemctl status nginx
You're done!
Your OpenClaw instance should now be accessible at https://openclaw.yourdomain.com