openclaw - 💡(How to fix) Fix web_fetch SSRF guard blocks fake-IP proxy ranges (198.18.0.0/15) - no user-configurable bypass [1 participants]

GitHub stats: openclaw/openclaw#62113 · Fetched 2026-04-08 03:08:53

web_fetch is blocked when the host uses a fake-IP transparent proxy (Cloudflare WARP, Clash fake-IP mode, Surge Enhanced Mode, etc.). These proxies resolve all DNS queries to IPs in the 198.18.0.0/15 range (RFC 2544 benchmark range), which the SSRF guard correctly identifies as a special-use address and blocks.

Error Message

Blocked: resolves to private/internal/special-use IP address

Root Cause

The SSRF guard in src/infra/net/ssrf.ts has code to handle this case:

```typescript
if (inRfc2544BenchmarkRange && options.allowRfc2544BenchmarkRange === true) return false;
```

However, allowRfc2544BenchmarkRange is not exposed in the tools.web.fetch.ssrfPolicy schema. The schema for tools.web.fetch does not even accept ssrfPolicy as a key (additionalProperties: false / "Unrecognized key" error from openclaw config validate).


Environment

  • OS: Windows Server (behind Cloudflare WARP)
  • OpenClaw: latest
  • Proxy: WARP resolves domains to 198.18.x.x virtual IPs

Proposed Fix

  1. Add ssrfPolicy to the tools.web.fetch schema (like browser.ssrfPolicy exists for the browser tool)
  2. Include allowRfc2544BenchmarkRange as an option in the ssrfPolicy schema
  3. Pass the configured ssrfPolicy through to the SSRF guard when web_fetch performs DNS resolution

Workaround

  • Use web_search (Gemini API, bypasses local DNS)
  • Use agent-browser skill (Playwright with its own SSRF policy)
  • Disable fake-IP mode in the local proxy software
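As an added illustration (not openclaw's src/infra/net/ssrf.ts, and the tools.web.fetch.ssrfPolicy config shape is assumed from the proposed fix above), this sketch shows how a guard can keep its default deny on 198.18.0.0/15 while honouring an explicit allowRfc2544BenchmarkRange opt-in read from a strictly validated policy object:

```typescript
// Added illustration, not openclaw's src/infra/net/ssrf.ts: a minimal IPv4
// SSRF guard with the RFC 2544 opt-in threaded through an ssrfPolicy object.
type SsrfPolicy = { allowRfc2544BenchmarkRange?: boolean };

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when the integer address falls inside the CIDR block.
function inCidr(addr: number, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const base = ipv4ToInt(cidr.slice(0, slash));
  const bits = Number(cidr.slice(slash + 1));
  if (base === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

// Ranges no policy may unlock; 198.18.0.0/15 is handled separately because
// fake-IP proxies (WARP, Clash, Surge) hand out addresses from it.
const ALWAYS_BLOCKED = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
  "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"];
const RFC2544_BENCHMARK = "198.18.0.0/15";
const BLOCK_MSG = "Blocked: resolves to private/internal/special-use IP address";

// Decide for one resolved address. Default deny: the benchmark range stays
// blocked unless the policy sets allowRfc2544BenchmarkRange to exactly true.
function blockedReason(ip: string, policy: SsrfPolicy = {}): string | null {
  const addr = ipv4ToInt(ip);
  if (addr === null) return "Blocked: unparseable address";
  if (ALWAYS_BLOCKED.some((c) => inCidr(addr, c))) return BLOCK_MSG;
  if (inCidr(addr, RFC2544_BENCHMARK) && policy.allowRfc2544BenchmarkRange !== true) return BLOCK_MSG;
  return null;
}

// Read tools.web.fetch.ssrfPolicy from a config object (hypothetical shape
// following the issue's proposed fix); unknown keys are rejected the way a
// strict additionalProperties:false schema would.
function policyFromConfig(config: Record<string, unknown>): SsrfPolicy {
  const raw = (config as any)?.tools?.web?.fetch?.ssrfPolicy ?? {};
  if (typeof raw !== "object" || raw === null) throw new Error("ssrfPolicy must be an object");
  for (const key of Object.keys(raw)) {
    if (key !== "allowRfc2544BenchmarkRange") throw new Error(`Unrecognized key: ${key}`);
  }
  return { allowRfc2544BenchmarkRange: raw.allowRfc2544BenchmarkRange === true };
}
```

The opt-in only relaxes the benchmark range; private, loopback and link-local addresses stay blocked regardless, and the flag belongs only on hosts whose resolver really is a fake-IP proxy, since elsewhere it would let a hostname that resolves into 198.18.0.0/15 through the guard.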

extent analysis

TL;DR

To resolve the web_fetch blockage, add ssrfPolicy to the tools.web.fetch schema and include allowRfc2544BenchmarkRange as an option to allow DNS resolution through fake-IP transparent proxies.

Guidance

  • Verify that the issue is caused by the SSRF guard blocking special-use IP addresses by checking the error message for "Blocked: resolves to private/internal/special-use IP address".
  • Update the tools.web.fetch schema to include ssrfPolicy and add allowRfc2544BenchmarkRange as an option to enable DNS resolution through fake-IP transparent proxies.
  • Consider using the proposed workaround of disabling fake-IP mode in the local proxy software or using alternative methods like web_search or agent-browser skill.
  • Ensure that the allowRfc2544BenchmarkRange option is properly passed to the SSRF guard when web_fetch performs DNS resolution.

Notes

The proposed fix requires updating the schema and passing the configured ssrfPolicy to the SSRF guard, which may involve modifying the existing codebase. The workaround provides an alternative solution for users who cannot update the schema.

Recommendation

Apply the workaround by disabling fake-IP mode in the local proxy software or using alternative methods like web_search or agent-browser skill, as this provides a temporary solution until the schema can be updated.
