OpenClaw Docker Container without docket_setup.sh - Only using the official Docker Image (ghcr.io/openclaw/openclaw)

openclaw_standalone.md

OpenClaw Standalone Setup

A minimal, production-ready guide to deploying OpenClaw (standalone) using Docker on a Linux based Server.

Caution

SECURITY WARNING: DO NOT EXPOSE THIS PUBLICLY WITHOUT PROTECTION

The OpenClaw Gateway is designed as an internal communication component. It should NOT be open to the public internet indiscriminately.

You MUST restrict access to your domain using one of the following methods:

1. Cloudflare Access / Zero Trust: Put the domain behind an authentication layer. SSL is included and free (RECOMMENDED!)
2. Firewall Rules: Allow inbound traffic on port 80/443 ONLY from your specific IP address. You will need to use allowInsecureAuth on the OpenClaw config, if you want to access it without HTTPS.
3. VPN: Only allow access while connected to your private VPN. You will need to use allowInsecureAuth on the OpenClaw config, if you want to access it without HTTPS.

1. Prerequisites

Get a Domain and register it on Cloudflare. You need to enable the "SSL Flexible" setting to make it work without any SSL hassle on your Server. Either change it domain-wide (on .../ssl-tls/configuration) or create a specific rule.

⚠️ If you don't want to use Cloudflare, you will need to configure SSL yourself (e.g. with Let's Encrypt) and expose port 443 instead of 80.

Then, add an A-Record pointing your domain to your server's IP address (with Cloudflare proxy enabled).

2. OpenClaw Setup

A. Permissions

OpenClaw runs as the node user (UID 1000). We must pre-create the host volumes and assign the correct ownership, otherwise the container will crash with EACCES errors.

⚠️ Better don't use system directories like /root - they are blacklisted by OpenClaw e.g. when spawning sandboxed agents.

mkdir -p /home/openclaw/workspace
chown -R 1000:1000 /home/openclaw

B. Gateway Token

Generate a random Gateway Token using this:

export OPENCLAW_GATEWAY_TOKEN=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 32; echo '')
echo "Your Gateway Token is: $OPENCLAW_GATEWAY_TOKEN"

C. Start Container

docker run -d \
  --name openclaw \
  --restart unless-stopped \
  -p 80:18789 \
  -v /home/openclaw:/home/node/.openclaw \
  -e OPENCLAW_GATEWAY_TOKEN=$OPENCLAW_GATEWAY_TOKEN \
  ghcr.io/openclaw/openclaw:latest \
  node openclaw.mjs gateway --allow-unconfigured --bind lan

Optionally check docker logs -f openclaw to see if there are any errors.

3. Device pairing

Open https://your-domain.com/overview and enter your pre-generated Gateway Token from above. Click Connect. You will see

disconnected (1008): pairing required

Then, lets do the pairing. Run

docker exec -it openclaw node openclaw.mjs devices list

and you should find a Pending request. Copy the Request UUID and paste it into this command and run it:

docker exec -it openclaw node openclaw.mjs devices approve <request-uuid>

Then, reload the Overview page in your Browser and it should say Connected. Your device has been paired successfully! Now run this to start the onboarding and you are done!

docker exec -it openclaw node openclaw.mjs onboard

openclaw_traefik.md

OpenClaw + Traefik Setup

A minimal, production-ready guide to deploying OpenClaw behind a Traefik reverse proxy using Docker.

Caution

SECURITY WARNING: DO NOT EXPOSE THIS PUBLICLY WITHOUT PROTECTION

The OpenClaw Gateway is designed as an internal communication component. It should NOT be open to the public internet indiscriminately.

You MUST restrict access to your domain using one of the following methods:

1. Cloudflare Access / Zero Trust: Put the domain behind an authentication layer. SSL is included and free (RECOMMENDED!)
2. Firewall Rules: Allow inbound traffic on port 80/443 ONLY from your specific IP address. You will need to use allowInsecureAuth on the OpenClaw config, if you want to access it without HTTPS.
3. VPN: Only allow access while connected to your private VPN. You will need to use allowInsecureAuth on the OpenClaw config, if you want to access it without HTTPS.

1. Network & Prerequisites

Get a Domain and register it on Cloudflare. You need to enable the "SSL Flexible" setting to make it work without any SSL hassle on your Server. Either change it domain-wide (on .../ssl-tls/configuration) or create a specific rule.

⚠️ If you don't want to use Cloudflare, you will need to install a SSL Cert (e.g. with Let's Encrypt) and configure it in the traefik config below.

Then, add the A-Records like this:

ℹ️ The wildcard domain (*.your-domain.com) is only needed for skills like the Devboxes skill, where sandboxed containers need to register new hosts automatically. If you don't use such skills, a single A-Record for your-domain.com is sufficient.

⚠️ If you are using Cloudflare free, sub-sub-domains like *.oc.your-domain.com will not be covered by a free certificate.

Then, create a dedicated network so Traefik can route traffic to containers via internal IP addresses (avoiding exposed ports).

⚠️ Better don't use system directories like /root - they are blacklisted by OpenClaw e.g. when spawning sandboxed agents.

# Create shared network
docker network create traefik

# Create Traefik configs directory
# It must be within the openclaw directory + 777 privileges (because of the Sandbox security)!
mkdir -p /home/openclaw/traefik
chmod 777 /home/openclaw/traefik

2. Traefik Configuration

Create the static configuration file. This will not be visible by OpenClaw. Traefik watches the configs/ directory for route configs.

mkdir -p /etc/traefik
cat > /etc/traefik/traefik.yml << 'EOF'
entryPoints:
  web:
    address: ":80"

providers:
  file:
    directory: /etc/traefik/configs
    watch: true
EOF

Create the route config for OpenClaw. Replace example.com with your actual domain.

cat > /home/openclaw/traefik/openclaw.yml << 'EOF'
http:
  routers:
    openclaw:
      rule: "Host(`example.com`)"
      entryPoints:
        - web
      service: openclaw

  services:
    openclaw:
      loadBalancer:
        servers:
          - url: "http://openclaw:18789"
EOF

3. Start Traefik

docker run -d \
  --name traefik \
  --restart=unless-stopped \
  --network=traefik \
  -p 80:80 \
  -v /etc/traefik/traefik.yml:/etc/traefik/traefik.yml:ro \
  -v /home/openclaw/traefik:/etc/traefik/configs:ro \
  traefik:3.6

4. OpenClaw Setup

A. Permissions

OpenClaw runs as the node user (UID 1000). We must pre-create the host volumes and assign the correct ownership, otherwise the container will crash with EACCES errors.

mkdir -p /home/openclaw/workspace
chown -R 1000:1000 /home/openclaw

B. Gateway Token

Generate a random Gateway Token using this:

export OPENCLAW_GATEWAY_TOKEN=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 32; echo '')
echo "Your Gateway Token is: $OPENCLAW_GATEWAY_TOKEN"

C. Start Container

docker run -d \
  --name openclaw \
  --network traefik \
  --restart unless-stopped \
  -v /home/openclaw:/home/node/.openclaw \
  -e OPENCLAW_GATEWAY_TOKEN=$OPENCLAW_GATEWAY_TOKEN \
  ghcr.io/openclaw/openclaw:latest \
  node openclaw.mjs gateway --allow-unconfigured --bind lan

Optionally check docker logs -f openclaw to see if there are any errors.

5. Device pairing

Open https://your-domain.com/overview and enter your pre-generated Gateway Token from above. Click Connect. You will see

disconnected (1008): pairing required

Then, lets do the pairing. Run

docker exec -it openclaw node openclaw.mjs devices list

and you should find a Pending request. Copy the Request UUID and paste it into this command and run it:

docker exec -it openclaw node openclaw.mjs devices approve <request-uuid>

Then, reload the Overview page in your Browser and it should say Connected. Your device has been paired successfully! Now run this to start the onboarding and you are done!

docker exec -it openclaw node openclaw.mjs onboard