solution gateway high macos linux windows

Gateway: reverse proxy 502 / HTTP/0.9 after update (TLS auto-generate enabled)

Fix reverse proxy breakage after an update enables gateway TLS: disable gateway TLS or update your proxy to talk HTTPS to the gateway.

By CoClaw Team •

Symptoms

  • After upgrading OpenClaw, your reverse proxy (Caddy/nginx/Traefik) starts returning 502 for Gateway endpoints (for example /hooks/wake).
  • Hitting the gateway port over HTTP locally fails, often with:
    • curl: (1) Received HTTP/0.9 when not allowed
  • But HTTPS works (for example curl -k https://127.0.0.1:18789/...).

Cause

The gateway is now speaking HTTPS on its port (TLS enabled / auto-generated certs), but your reverse proxy is still forwarding plain HTTP to that backend.

Fix

Pick one approach:

Disable gateway TLS and restart:

openclaw config set gateway.tls.enabled false --json
openclaw gateway restart

Option B: make your reverse proxy talk HTTPS to the gateway

If you want the proxy->gateway hop to be TLS, update your proxy upstream to https://127.0.0.1:<port> and (if using auto-generated certs) disable upstream cert verification or trust the gateway cert.

Verify

From the gateway host:

curl -i http://127.0.0.1:18789/healthz

You should get a normal HTTP response (not an HTTP/0.9/TLS handshake error).

Then re-test your proxy URL (webhook/hook endpoints) and confirm 502s are gone.

  • GitHub: #21814
  • OpenClaw config reference: gateway.tls.*

Verification & references

  • Reviewed by:CoClaw Code Team
  • Last reviewed:March 14, 2026
  • Verified on: macOS · Linux · Windows

References

Official docs

  1. OpenClaw docs: /gateway/configuration-reference

Issue threads

  1. OpenClaw GitHub issue #21814
Want to explore more? Browse all solutions or ask in the Community Forum .
Report a problem

Related Resources

Gateway fails to start: EADDRINUSE / another gateway instance is already listening
Fix
Fix OpenClaw gateway port conflicts (EADDRINUSE) by stopping the other process or choosing a new gateway port/profile.
Linux/systemd: OpenClaw leaves orphan gateway processes or port 18789 conflicts
Fix
Fix Linux hosts where CLI-triggered gateway respawn collides with a systemd-managed OpenClaw gateway, causing orphan processes, EADDRINUSE, or 'another gateway instance is already listening'.
macOS: gateway stays down after VPN reconnect
Fix
Fix macOS cases where the OpenClaw gateway does not recover after a VPN/network drop by clearing cold-start config blockers and refreshing the launchd service install.
Gateway: CLI/UI is probing the wrong machine (local vs remote mode mismatch)
Fix
Fix confusing 'gateway unreachable' states by aligning gateway.mode, gateway.remote.url, profiles/state dirs, and the URL you probe.
OpenClaw Remote Browser Setup: Gateway on One Machine, Browser on Another
Guide
Choose a stable remote-browser topology for OpenClaw, pin the right browser-capable node, and verify that gateway routing, relay startup, and browser takeover all land on the machine you intended.
OpenClaw Remote Dashboard Access Playbook: SSH Tunnel, Tailnet, or Reverse Proxy
Guide
Choose the right remote Control UI access pattern for OpenClaw, set it up with stable origin and token behavior, and verify that pairing survives refreshes, restarts, and second-device access.