OpenClaw HTTPS Setup

v1.0.0

Automate secure HTTPS setup for OpenClaw Gateway on a VPS by configuring Nginx reverse proxy with SSL certificates and domain redirection.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for nanue1/openclaw-https-setup.

Prompt preview (Install & Setup):
Install the skill "OpenClaw HTTPS Setup" (nanue1/openclaw-https-setup) from ClawHub.
Skill page: https://clawhub.ai/nanue1/openclaw-https-setup
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-https-setup

ClawHub CLI


npx clawhub@latest install openclaw-https-setup
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the provided instructions and script: both configure Nginx as a reverse proxy and obtain/renew Let's Encrypt certificates for OpenClaw Gateway. Required system privileges (sudo) and package installs are consistent with that goal.
Instruction Scope
Instructions and script perform expected system actions (install packages, configure /etc/nginx, stop/start Nginx, run certbot, and add a cron job). They do not attempt to read unrelated files or exfiltrate data. Minor scope issues: SKILL.md says 'Root/administrator privileges' while the script explicitly exits if run as root (it expects a sudo-enabled user). The script also writes a user crontab (not root crontab), which may not have permission to renew certificates—this is a functional inconsistency, not an obvious malicious behavior.
Install Mechanism
No install spec; the skill is instruction-plus-script only. The script uses the system package manager (dnf/apt) via sudo to install nginx/certbot, which is expected. Nothing is downloaded from unknown external URLs.
Credentials
The skill does not request environment variables, tokens, or credentials. It only requires a domain name and email (script parameters) and sudo privileges to change system configuration—appropriate for the stated task.
Persistence & Privilege
The script makes persistent changes: creates /etc/nginx/conf.d/openclaw-<domain>.conf, enables/starts nginx, and installs a crontab entry for certbot renewal. always:false and no cross-skill config modifications. These persistent changes are expected for this functionality but are high-impact, so they merit review before execution.
Assessment
This script appears to do what it claims: install/configure Nginx, obtain Let's Encrypt certificates, and add a renewal cron job. Before running it:

  1. Review the script line-by-line and back up existing /etc/nginx configs.
  2. Note the script expects you to run it as a non-root user with sudo (it exits if run as root) — reconcile this with any README that says 'run as root'.
  3. Confirm the cron job will run with sufficient privileges to renew certificates (the script installs the cron entry for the invoking user, which may lack permissions to write /etc/letsencrypt unless renew is run via sudo/root crontab).
  4. Ensure port 80 is reachable (Let's Encrypt validation) and that stopping/starting Nginx is acceptable for your environment.
  5. If you plan to let an agent invoke this skill autonomously, be cautious: it will perform system-level changes and create persistent jobs.

If anything is unclear, test on a non-production VPS or run steps manually rather than running the script unmodified.

Like a lobster shell, security has layers — review code before you run it.

94 downloads
0 stars
1 version
Updated 3w ago
v1.0.0
MIT-0

openclaw-https-setup

Description

Set up OpenClaw Gateway with HTTPS access via a custom domain on a VPS. This skill automates configuring an Nginx reverse proxy with SSL certificates to expose the OpenClaw Gateway service securely over HTTPS.

Prerequisites

  • Running OpenClaw Gateway service (typically on port 18789)
  • Domain name pointing to the VPS server IP
  • Root/administrator privileges on the VPS
  • CentOS Stream 10 or similar RedHat-based system (commands may vary for other systems)

Steps

1. Install Nginx

# For CentOS/RHEL systems
sudo dnf install -y epel-release
sudo dnf install -y nginx

# For Ubuntu/Debian systems
# sudo apt update
# sudo apt install -y nginx

2. Configure SELinux (for CentOS/RHEL)

# Check SELinux status
getenforce

# If enforcing, allow Nginx to connect to network services
sudo setsebool -P httpd_can_network_connect 1

3. Test OpenClaw Gateway locally

# Ensure OpenClaw Gateway is running and accessible locally
curl -v http://127.0.0.1:18789/

4. Create Nginx configuration

Create /etc/nginx/conf.d/openclaw.conf with the following content:

server {
    listen 80;
    server_name YOUR_DOMAIN.com;

    location / {
        proxy_pass http://127.0.0.1:18789;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        
        # Timeout settings
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}

Replace YOUR_DOMAIN.com with your actual domain.

5. Test and start Nginx

sudo nginx -t  # Test configuration
sudo systemctl start nginx
sudo systemctl enable nginx

6. Install Certbot and get SSL certificate

# For CentOS/RHEL
sudo dnf install -y certbot python3-certbot-nginx

# For Ubuntu/Debian
# sudo apt install -y certbot python3-certbot-nginx

7. Obtain SSL certificate

# Stop Nginx temporarily
sudo systemctl stop nginx

# Get certificate using standalone method
sudo certbot certonly --standalone --non-interactive --agree-tos --email your-email@example.com -d YOUR_DOMAIN.com

# Start Nginx again
sudo systemctl start nginx

8. Update Nginx configuration for HTTPS

Replace the content of /etc/nginx/conf.d/openclaw.conf with:

# HTTP server - redirects to HTTPS
server {
    listen 80;
    server_name YOUR_DOMAIN.com;
    
    # Redirect all HTTP requests to HTTPS
    return 301 https://$server_name$request_uri;
}

# HTTPS server
server {
    listen 443 ssl http2;
    server_name YOUR_DOMAIN.com;

    ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN.com/privkey.pem;
    
    # SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites: ECDHE key exchange with AEAD ciphers only. The ECDSA entries are
    # needed when the certificate key is ECDSA (the default for new certificates in Certbot 2.0 and later).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    
    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    # Security headers
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy no-referrer always;

    location / {
        proxy_pass http://127.0.0.1:18789;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $host;
        
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        
        # Timeout settings
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}

9. Reload Nginx configuration

sudo nginx -t  # Test configuration
sudo nginx -s reload  # Reload configuration

10. Set up automatic certificate renewal

# Add cron job for certificate renewal
sudo crontab -l | { cat; echo "0 12 * * * /usr/bin/certbot renew --quiet --nginx"; } | sudo crontab -

Verification

  1. Visit https://YOUR_DOMAIN.com in a web browser
  2. Check that the site loads securely with a valid SSL certificate
  3. Verify that all OpenClaw features work properly
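
A static check to run alongside the browser test, as an added example that is not part of the skill or its script: it reads a vhost file on stdin and reports whether the properties the step 8 configuration is meant to provide are actually present (loopback-only upstream, HTTP redirect, no legacy protocols, HSTS, forward-secret AEAD suites). The function names `audit_openclaw_conf` and `sample_conf` and the `example.test` sample are made up for illustration.

```sh
#!/bin/sh
# Added example, not part of the skill: reads a vhost on stdin, prints FAIL lines, returns non-zero on any.
audit_openclaw_conf() {
    rc=0
    body=$(sed 's/#.*//')            # drop comments (assumes no quoted '#')
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }
    # The hop to the gateway is plaintext HTTP, so it must stay on loopback.
    if printf '%s\n' "$body" | grep -E 'proxy_pass[[:space:]]' |
        grep -Evq 'proxy_pass[[:space:]]+http://(127\.0\.0\.1|localhost|\[::1\])[:/;]'; then
        echo "FAIL: proxy_pass points at a non-loopback upstream"; rc=1
    fi
    if ! has 'return[[:space:]]+301[[:space:]]+https://'; then
        echo "FAIL: no HTTP to HTTPS redirect"; rc=1
    fi
    if has 'ssl_protocols[^;]*(SSLv[23]|TLSv1([[:space:];]|\.1))'; then
        echo "FAIL: legacy protocol enabled in ssl_protocols"; rc=1
    fi
    if ! has 'add_header[[:space:]]+Strict-Transport-Security[[:space:]].*always[[:space:]]*;'; then
        echo "FAIL: HSTS header missing or not sent on error responses"; rc=1
    fi
    # Only explicit suite names are understood; aliases such as HIGH are flagged.
    ciphers=$(printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\([^;]*\);.*/\1/p' | tr -d "'\"")
    weak=
    for c in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case $c in
            '!'*|ECDHE-*GCM*|ECDHE-*CHACHA20*|DHE-*GCM*|DHE-*CHACHA20*) ;;
            *) weak="$weak $c" ;;
        esac
    done
    if [ -n "$weak" ]; then
        echo "FAIL: suites without forward secrecy or AEAD:$weak"; rc=1
    fi
    return "$rc"
}
# Constructed sample: still offers TLSv1.1 and a static-RSA CBC suite.
sample_conf() {
    cat <<'EOF'
server { listen 80; server_name example.test; return 301 https://$server_name$request_uri; }
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!aNULL;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / { proxy_pass http://127.0.0.1:18789; }
}
EOF
}
sample_conf | audit_openclaw_conf || echo "constructed sample failed the audit"
```

Against the deployed file: `audit_openclaw_conf < /etc/nginx/conf.d/openclaw.conf`.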

Troubleshooting

  • If getting 502 Bad Gateway errors, check that OpenClaw Gateway is running and accessible at 127.0.0.1:18789
  • If SSL certificate fails, ensure port 80 is accessible from the internet
  • Check Nginx error logs: sudo tail -f /var/log/nginx/error.log
  • Check SELinux: sudo setsebool -P httpd_can_network_connect 1

Security Notes

  • The configuration includes proper security headers
  • SSL certificate is automatically renewed
  • WebSocket connections are properly proxied
  • All HTTP requests are redirected to HTTPS
