openclaw - 💡(How to fix) Fix Top-level network proxy breaks Discord TLS when using local HTTP proxy [1 comments, 2 participants]

Bug type

Network proxy / transport bug

Version

OpenClaw 2026.4.27 (cbc2ba0)

Summary

Enabling the documented top-level network proxy with a local HTTP forward proxy caused Discord gateway TLS failures. The same local proxy works with raw curl and Undici ProxyAgent, so the failure appears specific to OpenClaw's process-wide global-agent routing path.

Environment

• macOS host
• Surge local HTTP proxy listening at http://127.0.0.1:6152
• Gateway bound to loopback

Config that triggers it

"proxy": {
  "enabled": true,
  "proxyUrl": "http://127.0.0.1:6152"
}

Observed behavior

After restarting the gateway, OpenClaw logs proxy activation:

[proxy] routing process HTTP traffic through external proxy http://127.0.0.1:6152

Then Discord channel startup enters gateway reconnect/restart loops with TLS errors:

[discord] gateway error: Error: Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:discord.gg, DNS:*.discord.gg
[discord] gateway was not ready after 15000ms; restarting gateway

Telegram command/webhook calls also failed while this top-level proxy was active, though the Discord TLS error is the clearest symptom.

Expected behavior

Top-level proxy.enabled=true should route Discord gateway/API traffic through the configured HTTP forward proxy without changing TLS server name verification to the proxy hostname.

Evidence that the proxy itself is not the problem

Raw Surge proxy to Discord works:

curl --proxy http://127.0.0.1:6152 https://discord.gg
# returns HTTP/2 301 to https://discord.com

Undici explicit proxy also works:

const { ProxyAgent, fetch } = require('undici');
const agent = new ProxyAgent('http://127.0.0.1:6152');
const res = await fetch('https://discord.gg', { dispatcher: agent });
console.log(res.status); // 200/301-class success depending redirect handling

But reproducing the OpenClaw-style global-agent hook fails with the same TLS error:

process.env.GLOBAL_AGENT_HTTP_PROXY = 'http://127.0.0.1:6152';
process.env.GLOBAL_AGENT_HTTPS_PROXY = 'http://127.0.0.1:6152';
process.env.GLOBAL_AGENT_FORCE_GLOBAL_AGENT = 'true';
process.env.GLOBAL_AGENT_NO_PROXY = '';
require('global-agent').bootstrap();

require('node:https').get('https://discord.gg').on('error', console.error);
// Hostname/IP does not match certificate's altnames: Host: localhost...

Workaround used locally

Do not use top-level proxy for this fleet. Instead, configure owner/provider-specific explicit proxies:

"channels": {
  "discord": {
    "accounts": {
      "<id>": { "proxy": "http://127.0.0.1:6152" }
    }
  },
  "telegram": {
    "accounts": {
      "default": { "proxy": "http://127.0.0.1:6152" }
    }
  }
}

And provider-level explicit proxy config:

"request": {
  "proxy": {
    "mode": "explicit-proxy",
    "url": "http://127.0.0.1:6152"
  }
}

This path logs discord rest proxy enabled and discord gateway proxy enabled and avoids the Host: localhost TLS failure.

Notes

The documented network proxy feature says it covers fetch, node:http, node:https, and WebSocket clients through Undici plus global-agent. Based on this repro, the global-agent part appears unsafe with at least this common local HTTP proxy setup.