let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a22d4e7962315aa9072fe60376c549a05fdb3d0f
clawdbot/docs/web.md
Peter Steinberger c8c807adcc refactor: drop PAM auth and require password for funnel
2025-12-23 13:13:09 +00:00

2.4 KiB
Raw Blame History

summary, read_when
summary read_when
Gateway web surfaces: Control UI, bind modes, and security
You want to access the Gateway over Tailscale
You want the browser Control UI and config editing

Web (Gateway)

The Gateway serves a small browser Control UI (Vite + Lit) from the same port as the Gateway WebSocket:

  • http://<host>:18789/ui/

The UI talks directly to the Gateway WS and supports:

  • Chat (chat.history, chat.send, chat.abort)
  • Connections (provider status, WhatsApp QR, Telegram config)
  • Instances (system-presence)
  • Sessions (sessions.list, sessions.patch)
  • Cron (cron.*)
  • Skills (skills.status, skills.update, skills.install)
  • Nodes (node.list, node.describe, node.invoke)
  • Config (config.get, config.set) for ~/.clawdis/clawdis.json
  • Debug (status/health/models snapshots + manual calls)

Config (default-on)

The Control UI is enabled by default when assets are present (dist/control-ui). You can control it via config:

{
  gateway: {
    controlUi: { enabled: true } // set false to disable /ui/
  }
}

Tailscale access

Integrated Serve (recommended)

Keep the Gateway on loopback and let Tailscale Serve proxy it:

{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "serve" }
  }
}

Then start the gateway:

clawdis gateway

Open:

  • https://<magicdns>/ui/

Tailnet bind + token (legacy)

{
  gateway: {
    bind: "tailnet",
    controlUi: { enabled: true }
  }
}

Then start the gateway (token required for non-loopback binds):

export CLAWDIS_GATEWAY_TOKEN="…your token…"
clawdis gateway

Open:

  • http://<tailscale-ip>:18789/ui/

Public internet (Funnel)

{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "funnel" },
    auth: { mode: "password" } // or CLAWDIS_GATEWAY_PASSWORD
  }
}

Security notes

  • Binding the Gateway to a non-loopback address requires auth (CLAWDIS_GATEWAY_TOKEN or gateway.auth).
  • The UI sends connect.params.auth.token or connect.params.auth.password.
  • Use gateway.auth.allowTailscale: false to require explicit credentials even in Serve mode.
  • gateway.tailscale.mode: "funnel" requires gateway.auth.mode: "password" (shared password).

Building the UI

The Gateway serves static files from dist/control-ui. Build them with:

pnpm ui:install
pnpm ui:build
Reference in New Issue View Git Blame Copy Permalink