# Alfred Proxy Setup Status

## ✅ Completed Steps

1. **OpenClaw switched to localhost** ✅
   - Bind mode: `loopback`
   - Port: `18789`
   - Status: Running

2. **Proxy service installed** ✅
   - Location: `~/.openclaw/workspace/alfred-proxy/`
   - Configuration: `.env` created with Client ID
   - Dependencies: Installed

3. **Proxy running** ✅
   - Port: `18790`
   - Health check: http://localhost:18790/health → OK
   - OpenClaw connection: Configured

4. **HAProxy configured** ✅
   - Subdomain: `alfred-app.dnspegasus.net`
   - Backend: `192.168.1.169:18790`
   - SSL: Configured

## ⚠️ Pending: Windows Firewall

**The proxy needs to be accessible from HAProxy (192.168.1.20)**

### Open Firewall (Run as Administrator)

**Option 1: Using the batch file**

1. Open File Explorer
2. Navigate to: `\\wsl.localhost\Ubuntu-22.04\home\jknapp\.openclaw\workspace\alfred-proxy\`
3. Right-click `open-firewall.bat`
4. Select **"Run as administrator"**

**Option 2: Using PowerShell (Admin)**

```powershell
New-NetFirewallRule -DisplayName "Alfred Proxy" -Direction Inbound -LocalPort 18790 -Protocol TCP -Action Allow
```

**Option 3: Using Command Prompt (Admin)**

```cmd
netsh advfirewall firewall add rule name="Alfred Proxy" dir=in action=allow protocol=TCP localport=18790
```

### Verify Firewall is Open

After opening the firewall, test from HAProxy:

```bash
ssh root@192.168.1.20 'curl -s http://192.168.1.169:18790/health'
```

Should return:

```json
{"status":"ok","service":"alfred-proxy"}
```

---

## Testing Checklist

### 1. Local Tests (Already Passing ✅)

```bash
# Proxy health
curl http://localhost:18790/health
# ✅ {"status":"ok","service":"alfred-proxy"}

# Proxy accessible on network
curl http://192.168.1.169:18790/health
# ✅ {"status":"ok","service":"alfred-proxy"}
```

### 2. HAProxy Connection (After firewall)

```bash
# From HAProxy server
ssh root@192.168.1.20 'curl -s http://192.168.1.169:18790/health'
# Should return: {"status":"ok","service":"alfred-proxy"}

# From outside (browser redirect test)
curl -I https://alfred-app.dnspegasus.net
# Should return: HTTP/2 200 with HTML redirect
```

### 3. WebSocket Test (After OAuth token)

```bash
# Get OAuth token from Authentik first
# Then test WebSocket connection:
wscat -c "wss://alfred-app.dnspegasus.net" -H "Authorization: Bearer YOUR_TOKEN"
```

---

## Current Configuration

### Proxy (.env)

```
PROXY_PORT=18790
OPENCLAW_URL=ws://127.0.0.1:18789
OPENCLAW_TOKEN=9b87d15fee3922ecfbe77b0ea1744851757cda618beceeba
AUTHENTIK_URL=https://auth.dnspegasus.net
AUTHENTIK_CLIENT_ID=QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR
REQUIRE_AUTH=true
```

### OpenClaw Gateway

```
gateway.bind = "loopback"
gateway.port = 18789
gateway.auth.token = "9b87d15fee3922ecfbe77b0ea1744851757cda618beceeba"
```

### HAProxy Backend

```
Server: 192.168.1.169:18790
Domain: alfred-app.dnspegasus.net
```

---

## Install Proxy as Systemd Service (Recommended)

Once firewall is confirmed working, install as a service:

```bash
cd ~/.openclaw/workspace/alfred-proxy

# Install service
mkdir -p ~/.config/systemd/user
cp alfred-proxy.service ~/.config/systemd/user/

# Create override with Client ID
mkdir -p ~/.config/systemd/user/alfred-proxy.service.d
cat > ~/.config/systemd/user/alfred-proxy.service.d/override.conf << 'EOF'
[Service]
Environment="AUTHENTIK_CLIENT_ID=QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR"
EOF

# Enable and start
systemctl --user daemon-reload
systemctl --user enable alfred-proxy.service
systemctl --user start alfred-proxy.service

# Check status
systemctl --user status alfred-proxy.service

# View logs
journalctl --user -u alfred-proxy.service -f
```

---

## Android App Configuration

Once the proxy is fully working, configure your Android app:

```kotlin
// OAuthConfig.kt
object OAuthConfig {
    const val AUTHENTIK_URL = "https://auth.dnspegasus.net"
    const val CLIENT_ID = "QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR"
    const val REDIRECT_URI = "alfredmobile://oauth/callback"
    const val SCOPE = "openid profile email"

    const val AUTHORIZATION_ENDPOINT = "$AUTHENTIK_URL/application/o/authorize/"
    const val TOKEN_ENDPOINT = "$AUTHENTIK_URL/application/o/token/"
    const val USERINFO_ENDPOINT = "$AUTHENTIK_URL/application/o/userinfo/"
}

// AlfredConfig.kt
object AlfredConfig {
    const val GATEWAY_URL = "wss://alfred-app.dnspegasus.net"
}
```

---

## Next Steps

1. **Open Windows Firewall** (see instructions above)
2. **Test HAProxy connection** (verify backend is reachable)
3. **Test browser redirect** (https://alfred-app.dnspegasus.net → should redirect)
4. **Install as systemd service** (for auto-start)
5. **Implement OAuth in Android app** (see DEPLOYMENT.md for OAuth flow)
6. **Test end-to-end** (OAuth → WebSocket → OpenClaw)

---

## Troubleshooting

### Proxy won't connect to HAProxy

**Check firewall:**

```bash
# From HAProxy
ssh root@192.168.1.20 'curl -v http://192.168.1.169:18790/health'
```

If it times out, firewall is blocking.

### "503 Service Unavailable" from HAProxy

HAProxy can't reach the backend. Possible causes:

- Firewall blocking port 18790
- Proxy not running
- Wrong IP in HAProxy config

### Invalid OAuth token

```bash
# Test token with Authentik
curl -H "Authorization: Bearer YOUR_TOKEN" \
  https://auth.dnspegasus.net/application/o/userinfo/
```

Should return user info if token is valid.
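
---

The three "Open Firewall" options earlier on this page allow TCP 18790 from any source, while the only host that has to reach the proxy is HAProxy (192.168.1.20). The PowerShell below is an added example, not part of the original setup notes or of `open-firewall.bat`: it restricts the "Alfred Proxy" rule to that one address, whether or not the rule already exists, and then checks the result. It assumes an elevated session and uses only the rule name, port and IP given on this page.

```powershell
# Added example: scope the "Alfred Proxy" inbound rule to the HAProxy host only.
# Rule name, port and address are the values used on this page.
$RuleName  = 'Alfred Proxy'
$ProxyPort = 18790
$HaProxyIp = '192.168.1.20'

$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

if ($existing) {
    # Rule was already created by one of the three options: tighten it in place.
    $existing | Set-NetFirewallRule -RemoteAddress $HaProxyIp
} else {
    # No rule yet: create it already restricted to the HAProxy source address.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol TCP -LocalPort $ProxyPort -RemoteAddress $HaProxyIp `
        -Action Allow | Out-Null
}

# Verify: every enabled rule with this name must match only HAProxy on this port.
$tooBroad = foreach ($rule in Get-NetFirewallRule -DisplayName $RuleName) {
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    if ($rule.Enabled -eq 'True' -and
        ($addr.RemoteAddress -ne $HaProxyIp -or $port.LocalPort -ne "$ProxyPort")) {
        $rule
    }
}

if ($tooBroad) {
    throw "Rule '$RuleName' still matches sources or ports other than ${HaProxyIp}:$ProxyPort"
}
"Rule '$RuleName': inbound TCP/$ProxyPort allowed from $HaProxyIp only"
```

After running it, the health check from HAProxy should still return `{"status":"ok","service":"alfred-proxy"}`, while the same request from any other LAN host should time out.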