OpenClaw with Nginx Reverse Proxy: SSL Setup Guide
Configure Nginx as a reverse proxy for OpenClaw with SSL termination. Step-by-step guide with complete Nginx config and Let's Encrypt setup.
Nginx is the most widely used reverse proxy for self-hosted OpenClaw. It handles SSL termination, serves as a buffer against direct traffic to your application, and enables multiple services on the same server. This guide provides a complete, production-ready Nginx configuration for OpenClaw with Let's Encrypt TLS.
Why Use Nginx as a Reverse Proxy?
When you run OpenClaw directly, it listens on a local port (typically 3000 or 8080). Without a reverse proxy:
- Users would need to access http://yourip:3000 — not how websites work
- You have no SSL/TLS — traffic is unencrypted
- No DDoS protection or request rate limiting
- No easy way to host multiple services on the same IP
Nginx solves all of this elegantly.
Prerequisites
- VPS with public IP and a domain pointing to it
- OpenClaw running on localhost:3000 (or your configured port)
- Root or sudo access
Step 1: Install Nginx
sudo apt update
sudo apt install nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx
Step 2: Install Certbot for Let's Encrypt
sudo apt install certbot python3-certbot-nginx -y
Step 3: Create Nginx Config for OpenClaw
Create /etc/nginx/sites-available/openclaw with the contents below. The certificate and options files under /etc/letsencrypt/ referenced in the HTTPS block are created by Certbot in Step 4, so nginx -t reports them as missing until that step has run:
# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name openclaw.yourdomain.com;
    return 301 https://$host$request_uri;
}

# HTTPS server
server {
    listen 443 ssl http2;
    server_name openclaw.yourdomain.com;

    # SSL certificates (managed by Certbot)
    ssl_certificate /etc/letsencrypt/live/openclaw.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openclaw.yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # WebSocket support (required for OpenClaw real-time features)
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 86400;
    }
}
# Enable the site
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t # Test configuration
sudo systemctl reload nginx
Step 4: Obtain SSL Certificate
sudo certbot --nginx -d openclaw.yourdomain.com
Certbot modifies your Nginx config to add the SSL certificate paths and schedules automatic renewal. Verify renewal works:
sudo certbot renew --dry-run
Step 5: Rate Limiting (Recommended)
Add rate limiting to throttle abusive clients. The directives below allow each client IP 30 requests per minute, serve up to 10 extra requests immediately (burst=10 nodelay) and reject anything beyond that with HTTP 503. Keying on $binary_remote_addr only identifies the real client when Nginx is the first hop; behind a CDN or another proxy every request arrives from the proxy's address and shares one bucket:
# Add to nginx.conf http block:
limit_req_zone $binary_remote_addr zone=openclaw_limit:10m rate=30r/m;
# Add to your location block:
limit_req zone=openclaw_limit burst=10 nodelay;
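Once the limit is in place, every rejected request is written to the Nginx error log, and that log is the place to see who is hitting the limit and how hard. The following POSIX shell script is an added example, not part of the original guide or of OpenClaw: it assumes the zone name openclaw_limit from the directives above and Nginx's default error-log line for rejected requests, and the log lines embedded in it are constructed samples, not real traffic.

```shell
#!/bin/sh
# Summarise limit_req rejections from the Nginx error log (Step 5).
# Added example, not part of the original guide. Assumes the zone name
# openclaw_limit from the config above and Nginx's default error-log line
# ("limiting requests, excess: ... by zone "...", client: ..., ...").

# Read error-log lines on stdin; print "count client" for every client the
# given zone rejected, highest count first.
limited_clients() {
  zone=${1:-openclaw_limit}
  grep 'limiting requests' | grep "by zone \"$zone\"" \
    | sed -n 's/.*client: \([^,]*\),.*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Total number of requests the zone rejected (each log line is one 503 sent).
limited_total() {
  limited_clients "$1" | awk '{s += $1} END {print s + 0}'
}

# Constructed sample lines in the default error-log format (not real traffic).
# The third line is an unrelated upstream error and must be ignored; the last
# one belongs to a different zone.
SAMPLE_LOG='2024/05/01 10:00:01 [error] 1234#1234: *17 limiting requests, excess: 10.250 by zone "openclaw_limit", client: 203.0.113.5, server: openclaw.yourdomain.com, request: "GET /api HTTP/1.1", host: "openclaw.yourdomain.com"
2024/05/01 10:00:02 [error] 1234#1234: *18 limiting requests, excess: 10.900 by zone "openclaw_limit", client: 203.0.113.5, server: openclaw.yourdomain.com, request: "GET /api HTTP/1.1", host: "openclaw.yourdomain.com"
2024/05/01 10:00:05 [error] 1234#1234: *21 connect() failed (111: Connection refused) while connecting to upstream, client: 198.51.100.7, server: openclaw.yourdomain.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:3000/", host: "openclaw.yourdomain.com"
2024/05/01 10:00:09 [error] 1234#1234: *25 limiting requests, excess: 10.100 by zone "openclaw_limit", client: 198.51.100.7, server: openclaw.yourdomain.com, request: "GET / HTTP/1.1", host: "openclaw.yourdomain.com"
2024/05/01 10:00:11 [error] 1234#1234: *26 limiting requests, excess: 5.000 by zone "other_limit", client: 192.0.2.9, server: openclaw.yourdomain.com, request: "GET / HTTP/1.1", host: "openclaw.yourdomain.com"'

# With a file argument, report on that log; otherwise run on the sample.
# Live use: sudo sh rate_limit_report.sh /var/log/nginx/error.log
if [ -n "${1:-}" ]; then
  limited_clients < "$1"
else
  printf '%s\n' "$SAMPLE_LOG" | limited_clients
fi
```

On the sample the report shows two clients, with 203.0.113.5 rejected twice and 198.51.100.7 once; the connection-refused line (a 502 symptom, see Troubleshooting) and the other_limit line are not counted. A steady stream of rejections from one address is normal for a misbehaving client, while rejections spread across many addresses usually means the limit is set too low for legitimate use.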
Troubleshooting
502 Bad Gateway: OpenClaw is not running. Check docker compose ps and docker compose logs.
WebSocket errors: Missing the Upgrade and Connection headers. Ensure both are present in your proxy_set_header config.
Certificate renewal fails: Check that port 80 is open and not blocked by your firewall.
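To confirm the result of Steps 3 and 4 and to automate the checks behind the 502 and WebSocket entries above, here is a small POSIX shell script. It is an added example, not part of the original guide or of OpenClaw: the hostname openclaw.yourdomain.com and the config path /etc/nginx/sites-available/openclaw are taken from the config above, the script name verify_proxy.sh is an assumption, and every check reads its input from stdin (response headers as printed by curl -sI, or the Nginx config file) so it can be run against a live host or against captured text.

```shell
#!/bin/sh
# Post-setup checks for the reverse proxy from Steps 3 and 4, plus the
# WebSocket-directive check from the Troubleshooting section. Added example,
# not part of the original guide or of OpenClaw. Assumes the hostname
# openclaw.yourdomain.com from the config above.

# Strip CRs and lower-case everything so header matching is case-insensitive.
normalize() { tr -d '\r' | tr '[:upper:]' '[:lower:]'; }

# The port-80 server block must answer 301 with an https:// Location.
check_redirect() {
  hdrs=$(normalize)
  printf '%s\n' "$hdrs" | head -n 1 | grep -q ' 301 ' || return 1
  printf '%s\n' "$hdrs" | grep -q '^location: https://' || return 1
}

# The HTTPS server block must send every add_header from Step 3; missing
# ones are reported on stderr.
check_security_headers() {
  hdrs=$(normalize)
  missing=""
  for h in strict-transport-security x-content-type-options x-frame-options referrer-policy; do
    printf '%s\n' "$hdrs" | grep -q "^$h:" || missing="$missing $h"
  done
  [ -z "$missing" ] && return 0
  echo "missing security headers:$missing" >&2
  return 1
}

# A 502/503/504 on the HTTPS vhost means Nginx is up but the upstream on
# 127.0.0.1:3000 is not answering (Troubleshooting: 502 Bad Gateway).
check_backend() {
  status=$(normalize | head -n 1 | awk '{print $2}')
  case "$status" in
    502|503|504) echo "upstream unreachable (HTTP $status)" >&2; return 1 ;;
    *) return 0 ;;
  esac
}

# The location block must carry the three WebSocket directives from Step 3
# (Troubleshooting: WebSocket errors). Comments are dropped and whitespace
# squeezed before matching, so indentation does not matter.
check_ws_config() {
  conf=$(sed 's/#.*//' | tr '\t' ' ' | tr -s ' ')
  missing=""
  printf '%s\n' "$conf" | grep -q 'proxy_http_version 1.1;' || missing="$missing proxy_http_version"
  printf '%s\n' "$conf" | grep -q 'proxy_set_header Upgrade \$http_upgrade;' || missing="$missing Upgrade"
  printf '%s\n' "$conf" | grep -q 'proxy_set_header Connection "upgrade";' || missing="$missing Connection"
  [ -z "$missing" ] && return 0
  echo "missing WebSocket directives:$missing" >&2
  return 1
}

# Live mode: sh verify_proxy.sh openclaw.yourdomain.com
if [ -n "${1:-}" ]; then
  host=$1
  curl -sI "http://$host/"  | check_redirect         && echo "redirect:  ok" || echo "redirect:  FAIL"
  curl -sI "https://$host/" | check_security_headers && echo "headers:   ok" || echo "headers:   FAIL"
  curl -sI "https://$host/" | check_backend          && echo "backend:   ok" || echo "backend:   FAIL"
  check_ws_config < /etc/nginx/sites-available/openclaw && echo "websocket: ok" || echo "websocket: FAIL"
fi
```

Run it with the hostname as its only argument after Step 4, or pipe saved curl -sI output or a config file into the individual functions. The config check looks for the exact directives used in this guide; a setup that derives the Connection header from a map block needs its own pattern.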
Frequently Asked Questions
Should I use Caddy instead of Nginx?
Caddy is simpler for basic setups — automatic TLS with zero configuration. Nginx is better when you need fine-grained control, are running multiple services, or want familiar tooling. Both work equally well for OpenClaw.