Production SSL/TLS Setup

Advanced ⏱ 45 minutes 📅 Updated Feb 2026

Deploy openclaw.ai for production with HTTPS, Nginx reverse proxy, and security hardening.

⚠️ Prerequisite

This guide assumes you have openclaw.ai running on a VPS. Complete a cloud installation first.

📋 Prerequisites

1. Install Nginx

bash
sudo apt update
sudo apt install -y nginx
sudo systemctl enable nginx
sudo systemctl start nginx

# Open firewall ports 80 and 443. If ufw is not enabled yet, allow SSH first
# (sudo ufw allow OpenSSH && sudo ufw enable) or you will lock yourself out.
sudo ufw allow 'Nginx Full'

2. Point Domain to Server

In your domain registrar's DNS settings, create A records for the apex name and www:

Type  Name  Value
A     @     Your Server IP
A     www   Your Server IP

Wait for DNS propagation (up to 48 hours, usually 15 minutes). The Let's Encrypt validation in the next step only succeeds once both names resolve to this server from the public internet, so confirm with dig +short yourdomain.com (and www.yourdomain.com) before continuing.

3. Install SSL Certificate (Let's Encrypt)

bash
# Install Certbot and its Nginx plugin
sudo apt install -y certbot python3-certbot-nginx

# Get the certificate only (replace with your domain). Step 4 writes the TLS
# configuration by hand, so do not let Certbot edit the Nginx config as well:
# its auto-generated HTTPS server block would conflict with the one in step 4.
# The deploy hook is stored with the renewal settings and reloads Nginx after
# every renewal, so the renewed certificate is actually served.
sudo certbot certonly --nginx -d yourdomain.com -d www.yourdomain.com \
  --deploy-hook 'systemctl reload nginx'

Follow the prompts to enter your email and accept the terms. The certificate chain and private key are written to /etc/letsencrypt/live/yourdomain.com/ (fullchain.pem and privkey.pem), which the Nginx configuration in step 4 references.

🔄 Auto-Renewal

The certbot package installs a systemd timer (certbot.timer) that renews certificates automatically once they are within 30 days of expiry; check it is active with: systemctl status certbot.timer. Test a renewal with: sudo certbot renew --dry-run (deploy hooks are skipped in a dry run unless you add --run-deploy-hooks).

4. Configure Nginx Reverse Proxy

Create Nginx configuration for openclaw.ai:

bash
sudo nano /etc/nginx/sites-available/openclaw
nginx
# Only WebSocket handshakes carry "Connection: upgrade" to the backend;
# ordinary requests get "close" instead of a hard-coded upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;

    # Redirect inside a location, not at server level: a server-level return runs
    # before any location is matched and would also swallow the ACME challenge
    # location Certbot inserts during renewals. $host keeps the name the client
    # asked for (www or apex); $server_name would always pick the first one.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;   # ticket keys are not rotated by default; tickets weaken forward secrecy
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites: AEAD with ephemeral ECDH only. ssl_ciphers does not affect TLS 1.3 suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # HSTS for one year. Add "; includeSubDomains" only once every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        proxy_read_timeout 3600s;   # keep idle WebSocket connections open (default is 60s)
    }
}
bash
# Enable the site, then test the configuration before reloading
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
# Optional: disable the stock default site so it cannot answer for unmatched names
sudo rm -f /etc/nginx/sites-enabled/default
sudo nginx -t && sudo systemctl reload nginx
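Once Nginx has reloaded, check the result from the outside rather than trusting the config file. The script below is an added example, not part of openclaw.ai or of this guide's original content. It assumes the domain is passed as its first argument, that the backend listens on port 8080 as in the proxy_pass above, and that curl, openssl and ss are installed. It verifies the HTTP-to-HTTPS redirect, the HSTS header, which TLS versions the server actually accepts, the certificate's remaining lifetime, and that the backend port is bound to loopback only; a backend on 0.0.0.0 can be reached directly, bypassing TLS and the proxy, and ufw only blocks that port from outside if ufw is enabled. The pure checks on captured text are exercised in a demo mode on constructed samples, not real captures.

```shell
#!/usr/bin/env bash
# verify_tls.sh: post-deployment checks for the Nginx + Let's Encrypt setup in steps 1-4.
# Added example, not part of openclaw.ai. Assumes the backend port used in proxy_pass (8080)
# and that curl, openssl and ss are installed.
# Usage: ./verify_tls.sh yourdomain.com      ./verify_tls.sh demo
set -u

BACKEND_PORT=8080   # assumption: the port from proxy_pass in the Nginx config
FAILED=0

# --- Checks on captured text (no network needed) ----------------------------------

# 0 if the response headers carry Strict-Transport-Security with max-age of at least one year.
hsts_ok() {
  max_age=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' \
            | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
  [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ]
}

# 0 if the plain-HTTP response is a permanent redirect (301/308) to an https:// URL.
redirect_ok() {
  status=$(printf '%s\n' "$1" | tr -d '\r' | sed -n '1s#^HTTP/[0-9.]* \([0-9]*\).*#\1#p')
  location=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^location:' \
             | sed 's/^[^:]*:[[:space:]]*//' | head -n 1)
  case "$status" in 301|308) ;; *) return 1 ;; esac
  case "$location" in https://*) return 0 ;; *) return 1 ;; esac
}

# 0 if every listener in `ss -Hltn` output ($1, local address in column 4) is on loopback.
listeners_local_only() {
  printf '%s\n' "$1" | awk '
    NF >= 4 { addr = $4; sub(/:[0-9]+$/, "", addr)
              if (addr != "127.0.0.1" && addr != "[::1]") bad = 1 }
    END { if (bad) exit 1; exit 0 }'
}

# --- Live checks against the server -------------------------------------------------

# 0 if a handshake with the given protocol flag (-tls1, -tls1_1, -tls1_2, -tls1_3) succeeds.
# SECLEVEL=0 stops the local OpenSSL from refusing TLS 1.0/1.1 on its own, so a failure
# here is the server's decision, not the client's.
tls_handshake() {
  openssl s_client -connect "$1:443" -servername "$1" "$2" -cipher 'DEFAULT:@SECLEVEL=0' \
    </dev/null >/dev/null 2>&1
}

# 0 if the served certificate is still valid 30 days from now.
cert_not_expiring() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -checkend 2592000 >/dev/null
}

not() { ! "$@"; }

report() {
  name=$1; shift
  if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; FAILED=1; fi
}

main() {
  host=$1
  report "HTTP redirects to HTTPS"         redirect_ok "$(curl -sI --max-time 10 "http://$host/")"
  report "HSTS header present, 1 year"     hsts_ok "$(curl -sI --max-time 10 "https://$host/")"
  report "TLS 1.2 accepted"                tls_handshake "$host" -tls1_2
  report "TLS 1.3 accepted"                tls_handshake "$host" -tls1_3
  report "TLS 1.1 rejected"                not tls_handshake "$host" -tls1_1
  report "TLS 1.0 rejected"                not tls_handshake "$host" -tls1
  report "certificate valid for 30+ days"  cert_not_expiring "$host"
  report "backend :$BACKEND_PORT on loopback only" \
         listeners_local_only "$(ss -Hltn "sport = :$BACKEND_PORT")"
  return "$FAILED"
}

# Constructed samples (not captured from a real server) showing what the text checks look for.
demo() {
  redirect_ok "$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://yourdomain.com/\r\n')" \
    && hsts_ok "$(printf 'HTTP/2 200\r\nstrict-transport-security: max-age=31536000\r\n')" \
    && listeners_local_only 'LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*' \
    && not listeners_local_only 'LISTEN 0 511 0.0.0.0:8080 0.0.0.0:*'
}

case "${1:-}" in
  "")   ;;
  demo) demo && echo "demo ok" ;;
  *)    main "$1" ;;
esac
```

Run it as ./verify_tls.sh yourdomain.com after DNS has propagated; every FAIL line names the step to revisit. Its exit status is non-zero if anything failed, so it can sit in a cron job or a deployment pipeline.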

5. Security Hardening

Environment Variables (Don't expose API keys)

bash
# Create the env file and lock it down before putting a secret in it
sudo mkdir -p /etc/openclaw
sudo touch /etc/openclaw/env
sudo chmod 600 /etc/openclaw/env
sudo chown openclaw:openclaw /etc/openclaw/env
sudo nano /etc/openclaw/env
# Add: OPENAI_API_KEY=your-key (optional if you use a local LLM)
# Verify: should show -rw------- openclaw openclaw
ls -l /etc/openclaw/env

The file only helps if the process that starts openclaw.ai reads it (for a systemd service, an EnvironmentFile=/etc/openclaw/env line in the unit); nothing loads it automatically. The openclaw user is assumed to exist from the cloud installation. Keep keys out of shell history, the Nginx config and the systemd unit itself, which are readable by other users on the host.

Fail2ban (Prevent Brute Force)

bash
sudo apt install -y fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Check which jails are active
sudo fail2ban-client status

With the stock configuration on Debian/Ubuntu only the sshd jail is enabled, so this protects SSH logins to the VPS, not logins to openclaw.ai itself. Banning repeated failed application logins needs a jail that reads the Nginx access log for the app's login endpoint.
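The script below is an added example, not part of openclaw.ai or fail2ban, that adds such a jail. It assumes a login endpoint at POST /login that answers a failed attempt with HTTP 401, the default combined access log at /var/log/nginx/access.log, and the file names openclaw-login.conf under filter.d and jail.d; all of these are assumptions to adjust to your deployment. Its dry-run mode applies the same matching rule with awk to a log file, so you can see which addresses the jail would ban before enabling it, and its demo mode runs that rule over a constructed sample log (not a real capture).

```shell
#!/usr/bin/env bash
# openclaw_login_jail.sh: a fail2ban jail for repeated failed logins to openclaw.ai, as seen
# by Nginx. Added example, not part of openclaw.ai or fail2ban.
# Assumptions (adjust to your deployment): the login endpoint is POST /login, a failed attempt
# is answered with HTTP 401, and Nginx writes the default "combined" access log format.
# Usage: sudo ./openclaw_login_jail.sh install
#        ./openclaw_login_jail.sh dry-run /var/log/nginx/access.log
#        ./openclaw_login_jail.sh demo
set -u

F2B_ROOT=${F2B_ROOT:-/etc/fail2ban}
LOGIN_PATH=${LOGIN_PATH:-/login}              # assumed endpoint; plain characters only,
LOGIN_FAIL_STATUS=${LOGIN_FAIL_STATUS:-401}   # it is inserted into the regex unescaped

# Write the filter (what one failure looks like) and the jail (how many failures, within
# what window, and how long to ban). <HOST> is fail2ban's placeholder for the client IP,
# which is $remote_addr here because Nginx is the edge and sees the real peer address.
install_jail() {
  mkdir -p "$F2B_ROOT/filter.d" "$F2B_ROOT/jail.d"
  cat > "$F2B_ROOT/filter.d/openclaw-login.conf" <<EOF
[Definition]
# combined log: IP - user [time] "METHOD PATH PROTO" STATUS BYTES "referer" "agent"
failregex = ^<HOST> - \S+ \[[^\]]+\] "POST ${LOGIN_PATH}(?:\?\S*)? HTTP/[0-9.]+" ${LOGIN_FAIL_STATUS} \d+
ignoreregex =
EOF
  cat > "$F2B_ROOT/jail.d/openclaw-login.conf" <<EOF
[openclaw-login]
enabled = true
filter = openclaw-login
logpath = /var/log/nginx/access.log
port = http,https
maxretry = 5
findtime = 10m
bantime = 1h
EOF
}

# Dry run of the same rule in awk: print client IPs with at least $2 failed logins in
# file $1 ("-" for stdin). fail2ban additionally requires them to fall within findtime.
offenders() {
  awk -v path="$LOGIN_PATH" -v status="$LOGIN_FAIL_STATUS" -v max="$2" '
    $6 == "\"POST" && ($7 == path || index($7, path "?") == 1) && $9 == status { n[$1]++ }
    END { for (ip in n) if (n[ip] >= max) print ip }' "$1" | sort
}

# Constructed access-log sample (not a real capture): one address hammering the login
# endpoint (five failures, one with a query string), one with a single failure then success.
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Feb/2026:12:00:01 +0000] "GET /login HTTP/2.0" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2026:12:00:02 +0000] "POST /login HTTP/2.0" 401 27 "-" "curl/8.5.0"
203.0.113.7 - - [10/Feb/2026:12:00:03 +0000] "POST /login HTTP/2.0" 401 27 "-" "curl/8.5.0"
203.0.113.7 - - [10/Feb/2026:12:00:04 +0000] "POST /login?next=%2F HTTP/2.0" 401 27 "-" "curl/8.5.0"
203.0.113.7 - - [10/Feb/2026:12:00:05 +0000] "POST /login HTTP/2.0" 401 27 "-" "curl/8.5.0"
203.0.113.7 - - [10/Feb/2026:12:00:06 +0000] "POST /login HTTP/2.0" 401 27 "-" "curl/8.5.0"
198.51.100.9 - - [10/Feb/2026:12:01:00 +0000] "POST /login HTTP/2.0" 401 27 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2026:12:01:05 +0000] "POST /login HTTP/2.0" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2026:12:02:00 +0000] "POST /loginx HTTP/2.0" 401 27 "-" "Mozilla/5.0"
EOF
}

case "${1:-}" in
  install) install_jail; fail2ban-client reload && fail2ban-client status openclaw-login ;;
  dry-run) offenders "${2:-/var/log/nginx/access.log}" 5 ;;
  demo)    sample_log | offenders - 5 ;;
esac
```

After installing, sudo fail2ban-client status openclaw-login shows the number of matched lines and currently banned addresses; if it stays at zero while you know logins are failing, the path or status code assumption is wrong for your deployment, and sudo fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/openclaw-login.conf shows exactly which lines the filter matches.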

Regular Updates

bash
# Enable automatic security updates
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Production Ready!

Your openclaw.ai is now served over HTTPS at https://yourdomain.com, with the backend reachable only through the Nginx proxy.