Skip to content
OpenClaw Docs

EasyRunner

EasyRunner can host the OpenClaw Gateway as a small containerized app behind its Caddy proxy. This guide assumes an EasyRunner host that runs Podman-compatible Compose apps and exposes HTTPS through Caddy.

Before you begin

Section titled “Before you begin”
  • An EasyRunner server with a domain routed to it.
  • A built or published OpenClaw container image.
  • A persistent config volume for /home/node/.openclaw.
  • A persistent workspace volume for /workspace.
  • A strong Gateway token or password.

Keep device auth enabled when possible. If your reverse proxy deployment cannot carry device identity correctly, fix trusted-proxy settings first; use dangerous auth bypasses only for a fully private, operator-controlled network.

Compose app

Section titled “Compose app”

Create an EasyRunner app with a Compose file shaped like this:

services:
  openclaw:
    image: ghcr.io/openclaw/openclaw:latest
    restart: unless-stopped
    environment:
      OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
      OPENCLAW_HOME: /home/node
      OPENCLAW_STATE_DIR: /home/node/.openclaw
      OPENCLAW_CONFIG_PATH: /home/node/.openclaw/openclaw.json
      OPENCLAW_WORKSPACE_DIR: /workspace
    volumes:
      - openclaw-config:/home/node/.openclaw
      - openclaw-workspace:/workspace
    labels:
      caddy: openclaw.example.com
      caddy.reverse_proxy: "{{upstreams 1455}}"
    command: ["openclaw", "gateway", "--bind", "lan", "--port", "1455"]


volumes:
  openclaw-config:
  openclaw-workspace:

Replace openclaw.example.com with your Gateway hostname. Store OPENCLAW_GATEWAY_TOKEN in EasyRunner’s secret/environment manager instead of committing it to the app definition.

Configure OpenClaw

Section titled “Configure OpenClaw”

Inside the persistent config volume, keep the Gateway reachable only through the proxy and require auth:

{
  gateway: {
    bind: "lan",
    port: 1455,
    auth: {
      token: "${OPENCLAW_GATEWAY_TOKEN}",
    },
  },
}

If Caddy terminates TLS for the Gateway, configure trusted proxy settings for the exact proxy path rather than disabling auth checks globally. See Trusted proxy auth.

Verify

Section titled “Verify”

From your workstation:

Terminal window
openclaw gateway probe --url https://openclaw.example.com --token <token>
openclaw gateway status --url https://openclaw.example.com --token <token>

From the EasyRunner host, check the app logs for a listening Gateway and no startup SecretRef, plugin, or channel auth failures.

Updates and backups

Section titled “Updates and backups”
  • Pull or build the new OpenClaw image, then redeploy the EasyRunner app.
  • Back up the openclaw-config volume before updates.
  • Back up openclaw-workspace if agents write durable project data there.
  • Run openclaw doctor after major updates to catch config migrations and service warnings.

Troubleshooting

Section titled “Troubleshooting”
  • gateway probe cannot connect: confirm the Caddy hostname points at the app and that the container listens on 0.0.0.0:1455.
  • Auth fails: rotate the token in EasyRunner secrets and the local client command together.
  • Files are root-owned after restore: repair the mounted volumes so the container user can write /home/node/.openclaw and /workspace.
  • Browser or channel plugins fail: check whether the required external binaries, network egress, and mounted credentials are available inside the container.