Skip to main content
🎓 Claude Code Masterclass Learn AI-assisted development on Udemy — plus the companion book on Leanpub & Amazon. Start Learning
Fix OpenClaw Gateway allowedorigins error
DevOps

Fix: Non-Loopback Control UI Requires allowedOrigins

Fix the OpenClaw startup error 'gateway failed to start: error: non-loopback control ui requires gateway.controlui.allowedorigins (set explicit origins)'.

LB
Luca Berton
· 2 min read

The Error

You start your OpenClaw gateway and hit this:

gateway failed to start: error: non-loopback control ui requires
gateway.controlui.allowedorigins (set explicit origins), or set
gateway.controlui.dangerouslyallowhostheaderoriginfallback=true
to use host-header origin fallback mode

This happens when you’re trying to access the OpenClaw Control UI from a different machine than where the gateway is running — a common scenario for VPS deployments, homelab setups, or any time you bind to 0.0.0.0 instead of 127.0.0.1.

Why This Happens

OpenClaw’s gateway protects the Control UI with origin checks to prevent cross-site request forgery (CSRF). When bound to loopback (127.0.0.1), it knows only local connections are possible. When bound to a network interface, it needs you to explicitly declare which origins (browser URLs) are allowed to connect.

The Fix

Edit your openclaw.json configuration:

{
  "gateway": {
    "bind": "0.0.0.0:18789",
    "controlui": {
      "allowedorigins": [
        "http://192.168.1.100:18789",
        "https://openclaw.yourdomain.com"
      ]
    }
  }
}

Or via the CLI:

openclaw configure --set gateway.controlui.allowedorigins='["http://192.168.1.100:18789"]'

Replace 192.168.1.100 with your actual server IP or domain name. The origin must match exactly what appears in your browser’s address bar — including protocol, hostname, and port.

Option 2: Allow Host-Header Origin Fallback

If you’re behind a reverse proxy that sets the Host header correctly, or you’re on a trusted network:

{
  "gateway": {
    "controlui": {
      "dangerouslyallowhostheaderoriginfallback": true
    }
  }
}
openclaw configure --set gateway.controlui.dangerouslyallowhostheaderoriginfallback=true

Warning: The setting name includes “dangerously” for a reason. Only use this on trusted networks or behind a properly configured reverse proxy. On a public-facing server without a reverse proxy, this weakens CSRF protection.

Option 3: Keep It on Loopback + SSH Tunnel

If you don’t need the UI accessible from the network, keep the gateway bound to loopback and use an SSH tunnel:

# From your local machine:
ssh -L 18789:localhost:18789 user@your-server

# Then open http://localhost:18789 in your browser

This is the most secure option — no origin configuration needed, and the Control UI never touches the network.

Common Scenarios

VPS / Cloud Server

{
  "gateway": {
    "bind": "0.0.0.0:18789",
    "controlui": {
      "allowedorigins": [
        "https://openclaw.yourdomain.com"
      ]
    }
  }
}

Pair this with a reverse proxy (nginx, Caddy) that terminates TLS:

server {
    listen 443 ssl;
    server_name openclaw.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/openclaw.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openclaw.yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:18789;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Homelab / Local Network

{
  "gateway": {
    "bind": "0.0.0.0:18789",
    "controlui": {
      "allowedorigins": [
        "http://192.168.1.50:18789",
        "http://homelab.local:18789"
      ]
    }
  }
}

Docker Deployment

# docker-compose.yml
services:
  openclaw:
    image: openclaw/openclaw:latest
    ports:
      - "18789:18789"
    volumes:
      - ./openclaw.json:/home/node/.openclaw/openclaw.json
    environment:
      - OPENCLAW_GATEWAY_BIND=0.0.0.0:18789

Make sure your openclaw.json inside the container has the correct allowedorigins set to the URL you’ll access from your browser.

After Fixing

Restart the gateway:

openclaw gateway restart

Verify it’s running:

openclaw gateway status

Then open the Control UI in your browser at the origin you configured. If you still see issues, check:

  1. Origin mismatch — the browser URL must exactly match one of the allowedorigins entries (protocol + host + port)
  2. Firewall — ensure port 18789 (or your custom port) is open
  3. Reverse proxy headers — if using nginx/Caddy, make sure Host, Upgrade, and Connection headers are forwarded

Frequently Asked Questions

What causes "non-loopback control ui requires gateway.controlui.allowedorigins"?

It fires when the gateway binds to a network interface such as 0.0.0.0 instead of loopback (127.0.0.1) and no allowed origins are listed. OpenClaw requires an explicit allowlist before it will expose the Control UI off-host.

How do I fix the non-loopback startup error?

Provide explicit origins and start the gateway again. Add your browser URLs to gateway.controlui.allowedorigins in openclaw.json or via openclaw config set, then restart the gateway.

Can I bypass the allowedorigins requirement?

You can set gateway.controlui.dangerouslyAllowHostHeaderOriginFallback=true to use host-header fallback mode, but it is less secure. Listing explicit origins is the recommended fix.

Does this error mean the gateway is running?

No. Unlike "origin not allowed", this is a startup failure — the gateway does not start until you provide allowed origins or enable the fallback flag.

Related Articles

Fix OpenClaw ERR_STRING_TOO_LONG bloated session error
DevOps

Fix OpenClaw ERR_STRING_TOO_LONG Session Error

OpenClaw agent fails with 'Cannot create a string longer than 0x1fffffe8 characters'? It's a bloated session JSONL hitting Node's string limit. Here's the fix.

Google Search Console growth analysis with a Python script
DevOps

Turn Google Search Console Data Into a Growth Plan

Run one dependency-free Python script on your Search Console export to surface the SEO levers that move traffic: CTR bands and striking-distance pages.

Argo CD: GitOps Continuous Deployment for Kubernetes
DevOps

Argo CD: GitOps Continuous Deployment for Kubernetes

Production-ready Argo CD setup — ApplicationSets, multi-cluster sync, RBAC, notifications, and progressive delivery patterns.

Buildah vs Kaniko: Container Image Building Without Docker
DevOps

Buildah vs Kaniko: Container Image Building Without Docker

Buildah vs Kaniko for rootless, daemonless container image builds in CI/CD: security, performance, Kubernetes integration, and pipeline examples.

All Articles

Free 30-min AI & Cloud consultation

Book Now