feat: Add nginx configuration rendering and HTTPS proxy support
- Introduced a new script `render_nginx.py` to generate nginx configuration and landing page HTML from templates based on environment variables. - Updated `run.sh` to handle new access modes and configure HTTPS proxy settings for the gateway. - Implemented TLS certificate generation for the built-in HTTPS proxy in `lan_https` mode. - Enhanced disk usage reporting in the landing page. - Updated translations for various languages to include new configuration options for access modes and authentication modes.
This commit is contained in:
@@ -66,23 +66,34 @@ options:
|
||||
# - loopback: bind to 127.0.0.1 only (local access only, most secure)
|
||||
# - lan: bind to all interfaces (accessible from local network)
|
||||
# - tailnet: bind to Tailscale IP only (accessible only via Tailscale — recommended for remote access)
|
||||
# - auto: prefer loopback; use tailnet if Tailscale is available
|
||||
# Default is loopback for security.
|
||||
gateway_bind_mode: loopback
|
||||
|
||||
# Gateway port to listen on
|
||||
gateway_port: 18789
|
||||
|
||||
# Access mode preset — simplifies secure access configuration.
|
||||
# custom: use individual gateway_bind_mode / auth_mode settings (backward compatible)
|
||||
# local_only: loopback + token auth (Ingress / terminal only, most secure)
|
||||
# lan_https: Built-in HTTPS reverse proxy for LAN access (recommended for phones/tablets)
|
||||
# lan_reverse_proxy: LAN bind + trusted-proxy for an external reverse proxy (NPM, Caddy, …)
|
||||
# tailnet_https: Tailscale interface bind + token auth
|
||||
access_mode: custom
|
||||
|
||||
# Gateway authentication mode:
|
||||
# - token: standard token auth (default)
|
||||
# - trusted-proxy: trust auth headers from configured reverse proxies
|
||||
gateway_auth_mode: token
|
||||
|
||||
# Comma-separated trusted proxy IP/CIDR list for trusted-proxy mode.
|
||||
# Example: "127.0.0.1,192.168.88.0/24"
|
||||
gateway_trusted_proxies: ""
|
||||
|
||||
# Enable OpenAI-compatible Chat Completions API endpoint
|
||||
# When enabled, OpenClaw can be used as a conversation agent in HA Assist pipeline
|
||||
# via Extended OpenAI Conversation (HACS) or any OpenAI-compatible client
|
||||
enable_openai_api: false
|
||||
|
||||
# Allow insecure HTTP authentication (required for HTTP gateway access on LAN)
|
||||
# WARNING: Only enable if you're using HTTP (not HTTPS) for gateway_public_url
|
||||
# Default is false for security.
|
||||
allow_insecure_auth: false
|
||||
|
||||
# Force IPv4-first DNS result ordering for Node fetch/network calls.
|
||||
# Useful on networks where IPv6 resolution exists but IPv6 egress is broken
|
||||
# (can affect Telegram API polling in some HAOS/VM setups).
|
||||
@@ -104,8 +115,11 @@ schema:
|
||||
clean_session_locks_on_start: bool?
|
||||
clean_session_locks_on_exit: bool?
|
||||
gateway_mode: list(local|remote)?
|
||||
gateway_bind_mode: list(auto|loopback|lan|tailnet)?
|
||||
gateway_bind_mode: list(loopback|lan|tailnet)?
|
||||
gateway_port: int(1,65535)?
|
||||
access_mode: list(custom|local_only|lan_https|lan_reverse_proxy|tailnet_https)?
|
||||
gateway_auth_mode: list(token|trusted-proxy)?
|
||||
gateway_trusted_proxies: str?
|
||||
enable_openai_api: bool?
|
||||
allow_insecure_auth: bool?
|
||||
force_ipv4_dns: bool?
|
||||
|
||||
|
||||
Reference in New Issue
Block a user