DEV Community

zac

Posted on • Originally published at remoteopenclaw.com

Originally published on Remote OpenClaw.

OpenClaw SSL/HTTPS Setup: Secure Your Dashboard With Let's Encrypt

Why SSL Matters for OpenClaw

Every time you interact with your OpenClaw instance — through the web UI, through the API, or through webhook callbacks — your gateway token is transmitted as part of the request. This token is the key to your entire agent. Whoever has it can read all conversations, execute code, access your API keys, and control your agent's actions.

Without SSL (HTTPS), this token is sent as plain text. Anyone who can observe your network traffic can see it. This includes your ISP, other users on the same WiFi network (at a coffee shop, airport, or hotel), and any network equipment between your device and your server.

With SSL, all traffic is encrypted. The token is still sent with every request, but it is unreadable to anyone who intercepts the traffic. This is the single most important security measure for any OpenClaw deployment that is accessible over a network.

If your OpenClaw instance is only accessible on localhost (127.0.0.1), SSL is not strictly necessary because the traffic never leaves your machine. The moment you access it from another device — even on your local network — you need SSL.


Option 1: Caddy Auto-SSL

Caddy is a web server that automatically handles SSL certificates. It obtains certificates from Let's Encrypt, configures TLS correctly, and renews certificates before they expire — all without any manual intervention.

Prerequisites:

  • A domain name pointing to your server's IP address (A record in DNS)
  • Ports 80 and 443 open on your firewall
  • OpenClaw running on port 3000

Step 1: Install Caddy

```bash
# Ubuntu/Debian: add Caddy's signed apt repository, then install the package
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
```

Step 2: Create the Caddyfile

Create /etc/caddy/Caddyfile with just two lines:

```caddyfile
openclaw.yourdomain.com {
    reverse_proxy localhost:3000
}
```

That is it. Two lines. Caddy handles everything else.

Step 3: Start Caddy

```bash
sudo systemctl enable caddy
sudo systemctl start caddy
```

Within seconds, Caddy will obtain a Let's Encrypt certificate for your domain and start serving OpenClaw over HTTPS. It will also automatically redirect HTTP to HTTPS.

Step 4: Update your OpenClaw configuration

Make sure OpenClaw only listens on localhost, not on all interfaces. In your docker-compose.yml, change the port binding:

```yaml
ports:
  - "127.0.0.1:3000:3000"   # bind to loopback only; not reachable from other hosts
```

This ensures that OpenClaw is only reachable through Caddy (which provides SSL), not directly over plain HTTP.


Option 2: Nginx + Certbot

Nginx with certbot is the traditional approach. It gives you more configuration control but requires more manual setup.

Step 1: Install Nginx and Certbot

```bash
sudo apt update
sudo apt install nginx certbot python3-certbot-nginx
```

Step 2: Create Nginx configuration

Create /etc/nginx/sites-available/openclaw:

```nginx
server {
    listen 80;
    server_name openclaw.yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:3000;
        # WebSocket support: OpenClaw's web UI needs the Upgrade/Connection headers passed through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Step 3: Enable the site

```bash
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t   # test the configuration before reloading
sudo systemctl reload nginx
```

Step 4: Obtain SSL certificate

```bash
sudo certbot --nginx -d openclaw.yourdomain.com
```

Certbot will automatically modify your Nginx configuration to add SSL, obtain the certificate, and set up automatic renewal.

Step 5: Verify auto-renewal

```bash
sudo certbot renew --dry-run
```

If this completes without errors, your certificate will automatically renew before it expires (every 90 days).

The WebSocket headers (Upgrade and Connection) in the Nginx configuration are important. OpenClaw uses WebSockets for real-time communication. Without these headers, the web UI will not update in real-time.


Option 3: Tailscale HTTPS

Tailscale is a VPN service that creates encrypted tunnels between your devices. It is the simplest option if you only access OpenClaw from your own devices and do not need public internet access.

Step 1: Install Tailscale on your server

```bash
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```

Step 2: Install Tailscale on your devices

Install the Tailscale app on your phone, laptop, or any device you use to access OpenClaw. Sign in with the same account.

Step 3: Enable HTTPS

```bash
# tailscale cert expects the machine's full MagicDNS name and requires HTTPS
# certificates to be enabled for the tailnet (admin console, DNS settings).
# It writes <name>.crt and <name>.key into the current directory for your
# TLS terminator to load.
sudo tailscale cert openclaw-server.your-tailnet.ts.net
```

Tailscale provides automatic HTTPS certificates for your tailnet devices.

Step 4: Access OpenClaw

Access OpenClaw via your Tailscale hostname: https://openclaw-server.your-tailnet.ts.net:3000

No domain name required. No port forwarding. No firewall configuration. All traffic is encrypted end-to-end through Tailscale's WireGuard tunnels.

Limitation: External services cannot reach your OpenClaw instance through Tailscale. This means webhook callbacks from Telegram, WhatsApp, and other messaging platforms will not work unless you set up a Tailscale funnel or use a separate public endpoint for webhooks.

To solve the webhook problem, you can use Tailscale Funnel to expose specific routes publicly:

```bash
# Funnel must be allowed for this node in the tailnet policy before this succeeds
sudo tailscale funnel --bg 3000
```

This exposes your OpenClaw port through a Tailscale-managed HTTPS endpoint that external services can reach for webhook callbacks.


Which Option Should You Choose?

| Criteria | Caddy | Nginx + Certbot | Tailscale |
|---|---|---|---|
| Setup difficulty | Easy (2 lines) | Moderate | Easiest |
| Needs domain name | Yes | Yes | No |
| Auto certificate renewal | Yes | Yes (certbot timer) | Yes |
| Public internet access | Yes | Yes | No (without Funnel) |
| Webhook support | Yes | Yes | Requires Funnel |
| Configuration control | Moderate | Full | Minimal |

Choose Caddy if: You need public access (for webhooks) and want the simplest setup possible.

Choose Nginx if: You need public access and want full control over your web server configuration, or if Nginx is already running on your server.

Choose Tailscale if: You only access OpenClaw from your own devices and want zero-configuration encrypted access. Use Tailscale Funnel if you also need webhook support.


Testing Your SSL Setup

After setting up SSL, verify everything works:

  1. Check HTTPS access: Open https://openclaw.yourdomain.com in your browser. You should see the OpenClaw login page with a valid certificate (lock icon in the address bar).
  2. Check HTTP redirect: Open http://openclaw.yourdomain.com (without the S). It should automatically redirect to HTTPS.
  3. Check certificate validity: Click the lock icon in your browser to view the certificate details. Verify the domain matches and the expiration date is approximately 90 days in the future.
  4. Check direct HTTP access is blocked: Try accessing http://your-server-ip:3000 directly. If you followed the instructions above (binding to 127.0.0.1), this should fail. Your OpenClaw instance should only be reachable through the SSL-protected reverse proxy.
  5. Test SSL grade: Use ssllabs.com/ssltest to check your SSL configuration. Both Caddy and a properly configured Nginx should score an A or A+.

Once SSL is verified, update any webhook URLs in your Telegram, WhatsApp, or other integration configurations to use the HTTPS URL. Remove any bookmarks or saved URLs that use HTTP.
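The first four checks above can be scripted so they run after every deployment or certificate renewal. This is an added example, not part of the original post or of OpenClaw; the hostname and public IP are placeholders, and the `today` parameter exists so the expiry arithmetic can be exercised without a live server.

```python
"""Scripted post-setup checks for an OpenClaw reverse-proxy deployment:
HTTP->HTTPS redirect, certificate validity and expiry window, and that
the app port (3000) is not reachable directly on the public IP."""
import socket
import ssl
from datetime import datetime, timezone
from http.client import HTTPConnection

def is_https_redirect(status, location, host):
    """A plain-HTTP request should be answered with a redirect to https:// on the same host."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    return location.lower().startswith(f"https://{host.lower()}")

def days_until_expiry(not_after, today=None):
    """Days left on a certificate, from the notAfter string ssl.getpeercert() returns
    (e.g. 'Jun 30 12:00:00 2025 GMT'); today is an ISO date string, or None for now."""
    expires = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    now = (datetime.fromisoformat(today).replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    return (expires - now).days

def expiry_looks_right(not_after, today=None, max_days=90):
    """Let's Encrypt issues 90-day certificates: longer means some other certificate
    (self-signed, staging); zero or negative means it has already expired."""
    return 0 < days_until_expiry(not_after, today) <= max_days

def check_redirect(host):
    """Fetch http://host/ once and inspect the response instead of following it."""
    conn = HTTPConnection(host, 80, timeout=10)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    return is_https_redirect(resp.status, resp.getheader("Location"), host)

def fetch_not_after(host):
    """Do a real TLS handshake with hostname verification; a mismatched or untrusted
    certificate raises ssl.SSLCertVerificationError here, which is itself a failed check."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def direct_port_closed(ip, port=3000):
    """True when nothing answers on the public IP at the app port (it should be bound to 127.0.0.1)."""
    try:
        with socket.create_connection((ip, port), timeout=5):
            return False
    except OSError:
        return True

if __name__ == "__main__":
    import sys
    host, ip = sys.argv[1], sys.argv[2]  # placeholders: openclaw.yourdomain.com 203.0.113.10
    print("http->https redirect:", check_redirect(host))
    print("certificate ok:", expiry_looks_right(fetch_not_after(host)))
    print("port 3000 closed from outside:", direct_port_closed(ip))
```

Run it from a machine outside the server (a laptop on a different network), otherwise the port-3000 check only tells you about the host's own loopback.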
