If you are configuring OpenClaw’s Control UI for remote access, gateway.controlui.allowedOrigins is the setting that decides which browsers can connect. This guide is a complete configuration reference for every deployment pattern — Docker, Tailscale, reverse proxies, and environment variables.
Just need the quick fix for the runtime “origin not allowed” browser error? See Fix ‘Origin Not Allowed’ — OpenClaw Control UI. This page is the in-depth configuration reference.
The Exact Error
Origin not allowed (open the Control UI from the gateway host or allow it in gateway.controlui.allowedOrigins)You will also see one of these variants in the gateway logs:
gateway failed to start: error: non-loopback control UI requires gateway.controlui.allowedOrigins (set explicit origins), or set gateway.controlui.dangerouslyAllowHostHeaderOriginFallback=true to use host-header origin fallback modeTL;DR fix — set the allowed origins for the host(s) you will use to reach the Control UI:
openclaw config set gateway.controlui.allowedOrigins '["http://192.168.1.100:18789"]'
openclaw gateway restartContinue below for Docker, Tailscale, reverse-proxy, and environment-variable variants.
I have deployed OpenClaw on bare metal, Docker, Kubernetes, Azure VMs, and Raspberry Pis. The gateway.controlui.allowedOrigins setting is the single most common configuration question I see. Let me walk through every deployment pattern.
What gateway.controlui.allowedOrigins Does
When your OpenClaw gateway bind modess to a non-loopback address (anything other than 127.0.0.1), it requires you to explicitly list which browser origins can access the Control UI. This prevents unauthorized access from unknown domains.
# openclaw.json
{
"gateway": {
"controlui": {
"allowedOrigins": [
"http://192.168.1.100:18789",
"https://openclaw.example.com"
]
}
}
}Configuration by Deployment Type
Local Network (LAN) Access
The most common scenario — you want to access OpenClaw from another device on your network:
# Step 1: Set bind to LAN
openclaw config set gateway.bind lan
# Step 2: Find your IP
ip addr show | grep 'inet ' | grep -v 127.0.0.1
# Step 3: Set allowed origins
openclaw config set gateway.controlui.allowedOrigins '["http://192.168.1.100:18789"]'
# Step 4: Restart
openclaw gateway restartReplace 192.168.1.100 with your actual machine IP. Include the port number.
Docker Deployment
Docker adds a layer because the container IP differs from the host:
# docker-compose.yml
services:
openclaw:
image: openclaw/openclaw:latest
ports:
- "18789:18789"
environment:
- OPENCLAW_GATEWAY_BIND=0.0.0.0
- OPENCLAW_GATEWAY_CONTROLUI_ALLOWEDORIGINS=["http://YOUR_HOST_IP:18789"]
volumes:
- ./openclaw-data:/home/node/.openclawCommon Docker mistakes:
- Using
localhostin allowedOrigins when accessing from another machine - Forgetting to map the port with
-p 18789:18789 - Using the container internal IP instead of the host IP
Tailscale Setup
Tailscale gives you a stable hostname:
# Get your Tailscale IP
tailscale ip -4
# Configure with Tailscale hostname
openclaw config set gateway.bind tailnet
openclaw config set gateway.controlui.allowedOrigins '["http://your-machine.tail12345.ts.net:18789"]'
openclaw gateway restartReverse Proxy (Nginx/Caddy)
When using a reverse proxy with HTTPS:
# Your proxy terminates TLS, so allowedOrigins uses the public URL
openclaw config set gateway.controlui.allowedOrigins '["https://openclaw.yourdomain.com"]'Nginx config:
server {
listen 443 ssl;
server_name openclaw.yourdomain.com;
location / {
proxy_pass http://127.0.0.1:18789;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}Multiple Origins
You can allow multiple origins for different access methods:
openclaw config set gateway.controlui.allowedOrigins '[
"http://192.168.1.100:18789",
"http://my-machine.tail12345.ts.net:18789",
"https://openclaw.example.com"
]'The dangerouslyAllowHostHeaderOriginFallback Option
If you cannot predict the exact origin (dynamic IPs, multiple access methods):
openclaw config set gateway.controlui.dangerouslyAllowHostHeaderOriginFallback trueWhen to use it:
- Development and testing environments
- Home networks with DHCP (changing IPs)
- Quick prototyping
When NOT to use it:
- Production deployments exposed to the internet
- Multi-tenant environments
- Any setup where untrusted users could access the network
Troubleshooting
Error: “origin not allowed”
Your browser URL does not match any entry in allowedOrigins:
# Check current config
openclaw config get gateway.controlui.allowedOrigins
# Compare with the URL in your browser address bar
# They must match EXACTLY (protocol + host + port)Error: “non-loopback control UI requires gateway.controlui.allowedOrigins”
You changed gateway.bind away from loopback but did not set allowedOrigins:
# Either set allowedOrigins
openclaw config set gateway.controlui.allowedOrigins '["http://YOUR_IP:18789"]'
# Or use the fallback (less secure)
openclaw config set gateway.controlui.dangerouslyAllowHostHeaderOriginFallback true
# Then restart
openclaw gateway restartDocker Permission Denied
If OpenClaw cannot read its config file in Docker:
# Fix permissions on the mounted volume
sudo chown -R 1000:1000 ./openclaw-dataEnvironment Variables Reference
All gateway.controlui settings can be set via environment variables:
| Setting | Environment Variable |
|---|---|
gateway.bind | OPENCLAW_GATEWAY_BIND |
gateway.controlui.allowedOrigins | OPENCLAW_GATEWAY_CONTROLUI_ALLOWEDORIGINS |
gateway.controlui.dangerouslyAllowHostHeaderOriginFallback | OPENCLAW_GATEWAY_CONTROLUI_DANGEROUSLYALLOWHOSTHEADERORIGINFALLBACK |
gateway.controlui.allowInsecureAuth | OPENCLAW_GATEWAY_CONTROLUI_ALLOWINSECUREAUTH |
gateway.controlui.basePath | OPENCLAW_GATEWAY_CONTROLUI_BASEPATH |
