Documents the two-container setup, volume/auth gotchas, nginx SSL
configuration, control center startup sequence, and usage connector
source status.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove :ro from the .openclaw volume so the CLI can write state files
on startup (it was crashing immediately with EROFS). Add
OPENCLAW_GATEWAY_TOKEN so the CLI bypasses the device identity
handshake when auth=none, allowing the gateway reachability probe to
succeed before the device is auto-approved.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Control center runs 'openclaw status --json' as a subprocess to probe
the gateway. Mount the gateway install volume and set OPENCLAW_BIN_PATH
so the control center can find the binary.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Newer openclaw (2026.6.6) requires more config than our minimal json.
--dev creates a working config if missing, --auth none skips token
auth since the gateway is loopback-only.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Gateway runs in its own node:22-alpine container with host networking,
installs openclaw@latest on first boot (persisted to /var/openclaw/gateway).
Control center also switches to host networking so ws://127.0.0.1:18789
reaches the gateway's loopback. UI_BIND_ADDRESS locked to 127.0.0.1.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Patch app source at startup to change default language from zh to en
- Add basicAuth (ironmagma) to nginx vhost for claw.quineglobal.com
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cloudflare is in Flexible SSL mode so it hits our origin over HTTP.
forceSSL was causing an infinite HTTP->HTTPS redirect loop. Switch to
addSSL so HTTPS still works for direct connections while HTTP serves
normally through Cloudflare.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Paperless-ngx uses WebSockets to push task completion status to the
browser. Without Upgrade/Connection headers the UI hangs indefinitely
after upload while waiting for the done notification.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
recommendedProxySettings already injects Host, X-Real-IP, X-Forwarded-*
via an include in the location block. Our explicit extraConfig set them
again, causing Django to receive 'host,host' and reject with DisallowedHost.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>