alfred-proxy/QUICKSTART.md
jknapp 44ac8b6d1c Initial commit: Alfred Proxy with OAuth, TTS, and FCM push notifications
- Environment-based configuration (no hardcoded secrets)
- OAuth authentication via Authentik
- ElevenLabs TTS integration via SAG CLI
- FCM push notification support
- User preferences sync system
- Multi-user support with per-user context files
- No internal IPs or service accounts in tracked files
2026-02-09 11:13:01 -08:00


Alfred Proxy Quick Start

Your Configuration

Backend Details for HAProxy

Add to HAProxy backend:

Server IP: 192.168.1.169
Server Port: 18790

Full HAProxy backend config:

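backend alfred_mobile_proxy-backend
    mode http
    option forwardfor

    # set-header (not add-header) so a client-supplied X-CLIENT-IP is replaced rather than kept alongside
    http-request set-header X-CLIENT-IP %[var(txn.real_ip)]
    http-request set-header X-Real-IP %[var(txn.real_ip)]
    http-request set-header X-Forwarded-For %[var(txn.real_ip)]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # Long-lived WebSocket connections
    timeout tunnel 1h
    # timeout client is a frontend-side setting; HAProxy ignores it in a backend section
    timeout client 1h
    timeout server 1h

    server alfred_proxy 192.168.1.169:18790 check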

URLs

  • Mobile app connects to: wss://alfred-app.dnspegasus.net
  • OAuth authentication: https://auth.dnspegasus.net
  • Web browser redirect: https://alfred.dnspegasus.net

DNS

Your wildcard DNS (*.dnspegasus.net) should already resolve alfred-app.dnspegasus.net to HAProxy.

Test: nslookup alfred-app.dnspegasus.net

Android App Configuration

// OAuthConfig.kt
object OAuthConfig {
    const val AUTHENTIK_URL = "https://auth.dnspegasus.net"
    const val CLIENT_ID = "QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR"
    const val REDIRECT_URI = "alfredmobile://oauth/callback"
    const val SCOPE = "openid profile email"
    
    const val AUTHORIZATION_ENDPOINT = "$AUTHENTIK_URL/application/o/authorize/"
    const val TOKEN_ENDPOINT = "$AUTHENTIK_URL/application/o/token/"
    const val USERINFO_ENDPOINT = "$AUTHENTIK_URL/application/o/userinfo/"
}

// AlfredConfig.kt
object AlfredConfig {
    const val GATEWAY_URL = "wss://alfred-app.dnspegasus.net"
}

Start the Proxy

cd ~/.openclaw/workspace/alfred-proxy

# 1. Create .env (it holds OPENCLAW_TOKEN, a secret: keep the file out of version control)
cat > .env << 'EOF'
PROXY_PORT=18790
OPENCLAW_URL=ws://127.0.0.1:18789
OPENCLAW_TOKEN=9b87d15fee3922ecfbe77b0ea1744851757cda618beceeba
AUTHENTIK_URL=https://auth.dnspegasus.net
AUTHENTIK_CLIENT_ID=QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR
REQUIRE_AUTH=true
EOF

# 2. Install and start
npm install
npm run dev

# 3. Test health
curl http://localhost:18790/health

HAProxy Configuration

See haproxy-alfred-app.cfg for complete config.

Key points:

  • Frontend ACL: alfred-app.dnspegasus.net
  • WebSocket connections → alfred_mobile_proxy-backend
  • Browser visits → Redirect to main web UI
  • Backend server: 192.168.1.169:18790

Network Diagram

Android App
    ↓
    wss://alfred-app.dnspegasus.net (OAuth token in Authorization header)
    ↓
HAProxy (192.168.1.20:443)
    ↓
Alfred Proxy (192.168.1.169:18790)
    - Validates OAuth token with Authentik
    - Injects OpenClaw gateway token
    ↓
OpenClaw (127.0.0.1:18789)
    ↓
Alfred AI assistant
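
The token check and gateway-token injection from the diagram above, as an added JavaScript sketch (not the Alfred Proxy source). The function names and `cfg` fields are hypothetical, and passing the gateway token to OpenClaw in an Authorization header is an assumption; the page does not show how OpenClaw receives it.

```javascript
// Added example, not the Alfred Proxy source. Function and cfg names are hypothetical.
const USERINFO_PATH = "/application/o/userinfo/"; // userinfo path used on this page

// Bearer token from the upgrade request (Node lowercases incoming header names).
function extractBearer(headers) {
  const m = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(headers["authorization"] || "");
  return m ? m[1] : null;
}

// Ask Authentik who the token belongs to. Any failure (no token, non-200,
// network error, body without "sub") returns null, so the caller fails closed.
async function validateToken(token, authentikUrl, fetchImpl = fetch) {
  if (!token) return null;
  try {
    const res = await fetchImpl(new URL(USERINFO_PATH, authentikUrl), {
      headers: { Authorization: `Bearer ${token}` },
    });
    if (res.status !== 200) return null;
    const user = await res.json();
    return user && typeof user.sub === "string" && user.sub ? user : null;
  } catch {
    return null;
  }
}

// Headers for the upstream OpenClaw connection. The client's own Authorization
// value is dropped, so the user's OAuth token never reaches OpenClaw and a
// client cannot supply the gateway credential itself.
// Assumption: OpenClaw accepts the gateway token as a Bearer header.
function upstreamHeaders(clientHeaders, gatewayToken) {
  const out = {};
  for (const [k, v] of Object.entries(clientHeaders)) {
    if (k.toLowerCase() !== "authorization") out[k.toLowerCase()] = v;
  }
  out.authorization = `Bearer ${gatewayToken}`;
  return out;
}

// Decision for one upgrade request: 401 unless Authentik vouches for the token.
async function authorizeUpgrade(reqHeaders, cfg, fetchImpl = fetch) {
  const user = await validateToken(extractBearer(reqHeaders), cfg.authentikUrl, fetchImpl);
  if (!user) return { status: 401 };
  return { status: 101, user: user.sub, headers: upstreamHeaders(reqHeaders, cfg.gatewayToken) };
}
```

Passing a stub as `fetchImpl` lets the accept, reject and Authentik-unreachable paths be exercised without a live identity provider.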

Testing Flow

  1. Test proxy locally:

    curl http://localhost:18790/health
    
  2. Test from HAProxy server:

    curl http://192.168.1.169:18790/health
    
  3. Test DNS:

    nslookup alfred-app.dnspegasus.net
    
  4. Test redirect (browser):

    curl -I https://alfred-app.dnspegasus.net
    # Should redirect to alfred.dnspegasus.net
    
  5. Test WebSocket (with OAuth token):

    # Get token from Authentik first, then:
    wscat -c "wss://alfred-app.dnspegasus.net" \
      -H "Authorization: Bearer YOUR_TOKEN"
    

Troubleshooting

Can't reach proxy from HAProxy:

# Test direct connection
curl http://192.168.1.169:18790/health

# Check Windows firewall
# PowerShell (Admin); -RemoteAddress limits the rule to the HAProxy host (192.168.1.20):
New-NetFirewallRule -DisplayName "Alfred Proxy" `
  -Direction Inbound -LocalPort 18790 -Protocol TCP `
  -RemoteAddress 192.168.1.20 -Action Allow

WebSocket upgrade fails:

  • Check HAProxy ACL matches alfred-app.dnspegasus.net
  • Verify WebSocket headers are present
  • Check proxy logs: journalctl --user -u alfred-proxy.service -f

Invalid token:

  • Verify Client ID in proxy .env matches Authentik
  • Test token: curl -H "Authorization: Bearer TOKEN" https://auth.dnspegasus.net/application/o/userinfo/

Next Steps

  1. Start proxy locally
  2. Configure HAProxy with correct backend
  3. Test DNS resolves
  4. Test redirect in browser
  5. Implement OAuth in Android app
  6. Test end-to-end flow