feat: Add nginx configuration rendering and HTTPS proxy support

- Introduced a new script `render_nginx.py` to generate nginx configuration and landing page HTML from templates based on environment variables.
- Updated `run.sh` to handle new access modes and configure HTTPS proxy settings for the gateway.
- Implemented TLS certificate generation for the built-in HTTPS proxy in `lan_https` mode.
- Enhanced disk usage reporting in the landing page.
- Updated translations for various languages to include new configuration options for access modes and authentication modes.
This commit is contained in:
techartdev
2026-02-23 10:07:25 +02:00
parent 9d0332a36a
commit 22c7d8ff4f
16 changed files with 1321 additions and 178 deletions
+32 -9
View File
@@ -46,23 +46,46 @@ configuration:
gateway_mode:
name: Gateway Mode
description: Gateway operation mode - local (run gateway locally, recommended) or remote (connect to a remote gateway)
options:
local: "Local (recommended)"
remote: "Remote"
gateway_bind_mode:
name: Gateway Bind Mode
description: Network bind mode - auto (OpenClaw selects), loopback (127.0.0.1 only, more secure), lan (all interfaces), or tailnet (Tailscale interface only).
description: Network bind mode - loopback (127.0.0.1 only, most secure), lan (all interfaces), or tailnet (Tailscale interface only). Overridden by access_mode presets.
options:
loopback: "Loopback (127.0.0.1 only, most secure)"
lan: "LAN (all interfaces)"
tailnet: "Tailnet (Tailscale only)"
gateway_port:
name: Gateway Port
description: Port number for the OpenClaw gateway to listen on (default - 18789)
access_mode:
name: Access Mode
description: "Simplifies secure access setup. Overrides gateway_bind_mode and gateway_auth_mode when not set to Custom."
options:
custom: "Custom (use individual settings)"
local_only: "Local Only (loopback + token, Ingress only)"
lan_https: "LAN HTTPS (built-in HTTPS proxy — recommended for phones)"
lan_reverse_proxy: "LAN Reverse Proxy (external proxy with trusted-proxy auth)"
tailnet_https: "Tailscale HTTPS (Tailscale bind + token)"
gateway_auth_mode:
name: Gateway Auth Mode
description: Gateway auth mode - token (default) or trusted-proxy (for HTTPS reverse proxies). Overridden when access_mode is not Custom.
options:
token: "Token (default)"
trusted-proxy: "Trusted Proxy (for reverse proxies)"
gateway_trusted_proxies:
name: Gateway Trusted Proxies
description: Comma-separated trusted proxy IP/CIDR list for trusted-proxy mode (example - 127.0.0.1,192.168.88.0/24).
enable_openai_api:
name: Enable OpenAI API
description: Enable OpenAI-compatible Chat Completions endpoint. Allows using OpenClaw as a conversation agent in HA Assist pipeline via Extended OpenAI Conversation (HACS) or any OpenAI-compatible client.
allow_insecure_auth:
name: Allow Insecure HTTP Auth
description: Allow HTTP authentication for gateway access on LAN. WARNING - Only enable if using HTTP (not HTTPS) for gateway_public_url. Required for browser access over HTTP.
force_ipv4_dns:
name: Force IPv4 DNS Order
description: Force IPv4-first DNS ordering for Node network calls. Useful when IPv6 DNS resolves but IPv6 internet routing is broken (can affect Telegram API polling).