OpenClaw (née MoltBot, née ClawdBot) is taking over the world. Everyone is spinning their own, either on a VPS, or their own Mac mini.

But here’s the problem: OpenClaw is brand new, and its security posture is mostly unknown. Security researchers have already found thousands of publicly available instances exposing everything from credentials to private messages.

While OpenClaw has a Gateway component — the UI and WebSocket that controls access — there are serious issues with its password/token-based authentication:

Until recently, you could skip authentication entirely on localhost.

The GET URL token authentication mechanism is questionable for such young code.

Trust needs to be earned, not assumed.

In this post, we’ll secure OpenClaw using a battle-tested method with HAProxy.

The plan: implement HAProxy’s HTTP Basic Authentication

HAProxy’s HTTP Basic Authentication is a robust method for securing access to production systems with a username/password combination. In this guide, we’ll do the following:

Install HAProxy 1.

Configure HAProxy with automatic TLS, basic auth, and rate limiting 1.

Install OpenClaw and authenticate access using the basic auth credentials

We’ll cover running OpenClaw on a VPS first. In a follow-up, we’ll tackle Mac mini deployments with secure remote access (think Tailscale, but entirely self-hosted).

We’ll also add smart rate limiting: anyone who sends more than 5 unauthorized requests within 120 seconds is blocked for 1 minute. The clever part? They’ll see a 401 Unauthorized instead of 429 Too Many Requests, so attackers won’t even know they’ve been rate-limited.

Bonus trick

By rewriting headers in HAProxy, we can skip OpenClaw’s device approval on first connection while keeping everything secure — you still authenticate using both your username/password and your token.

You’ll need two checklist items to get started:

A VPS running anywhere with Ubuntu 24.04, and a public IP address 1.

A domain/subdomain pointing DNS to the VPS public IP

To see everything in action, visit our live demo link and experiment.

Building it yourself

1) Install the HAProxy image

First, we’ll install the high-performance HAProxy image:

	# Create directory for the GPG key
	sudo install -d -m 0755 /usr/share/keyrings
	# Download the GPG key
	sudo wget -qO /usr/share/keyrings/HAPROXY-key-community.asc \
	https://www.haproxy.com/download/haproxy/HAPROXY-key-community.asc
	# Add HAProxy repository for Ubuntu Noble (24.04)
	echo "deb [arch=amd64 signed-by=/usr/share/keyrings/HAPROXY-key-community.asc] \
	https://www.haproxy.com/download/haproxy/performance/ubuntu/ha33 noble main" | \
	sudo tee /etc/apt/sources.list.d/haproxy.list
	# Install HAProxy with AWS-LC and whois
	sudo apt-get update
	sudo apt-get install haproxy-awslc whois

We now have HAProxy 3.3 installed, with the high-performance AWS-LC library and full ACME support for automatic TLS certificates. Now, we just need to apply the configuration to make it work.

2) Configure HAProxy

Edit /etc/haproxy/haproxy.cfg and insert the following lines into the global section. This will set us up to use automatic TLS:

	global
	expose-experimental-directives
	httpclient.resolvers.prefer ipv4

Now let’s add configuration for automatic TLS using Let’s Encrypt. Edit the last line for your own domain:

	acme letsencrypt
	directory https://acme-v02.api.letsencrypt.org/directory
	contact your@email.org
	challenge HTTP-01
	keytype RSA
	bits 2048
	map virt@acme
	crt-store my_files
	crt-base /etc/haproxy/
	key-base /etc/haproxy/
	load crt "subdomain.example.com.pem" acme letsencrypt domains "subdomain.example.com" alias "subdomain"

Next, we’ll take care of the basic HAProxy configuration items. Don’t forget to change the line starting with ssl-f-use to use the correct subdomain alias from the my_files section:

	frontend gw
	bind *:443 ssl
	bind *:80
	# Handle Let’s Encrypt challenges
	http-request return status 200 content-type text/plain \
	lf-string "%[path,field(-1,/)].%[path,field(-1,/),map(virt@acme)]\n" \
	if { path_beg ‘/.well-known/acme-challenge/’ }
	# Redirect HTTP to HTTPS
	http-request redirect scheme https unless { ssl_fc }
	ssl-f-use crt "@my_files/subdomain"
	mode http
	# Authentication and rate limiting
	acl auth_ok http_auth(mycredentials)
	stick-table type ip size 64k expire 120s store gpc0
	http-request track-sc0 src
	http-request sc-inc-gpc0 if !auth_ok
	# Return 401 to confuse attackers (not 429)
	http-request deny deny_status 401 if { sc_get_gpc0(0) ge 5 }
	# Require authentication
	http-request auth unless auth_ok
	backend openclaw_be
	server srv1 127.0.0.1:18789
	userlist mycredentials
	user admin insecure-password change-this-password

Important

Change change-this-password shown in the last line to a strong password!

3) Restart HAProxy

Restart HAProxy to apply the updated configuration:

	sudo systemctl restart haproxy

Next, edit the HAProxy systemd file to make it automatically write certificates to disk. Run the following command:

	sudo systemctl edit haproxy –full

You’re now ready to insert the following line under [Service]:

	ExecReload=/usr/sbin/haproxy-dump-certs

Finally, reload systemd:

	sudo systemctl daemon-reload

4) Install OpenClaw and access it securely

You’re now ready to install OpenClaw:

	curl -fsSL https://openclaw.ai/install.sh | bash

That’s it! You can now run the following command:

	openclaw dashboard

This process will give you your personal access token. This is still needed for proper authentication inside OpenClaw itself.

You can now visit https://subdomain.example.com/?token=<gateway token>. When doing this for the first time, you’ll have to provide a username and password.

You can also configure your macOS app to talk to this OpenClaw instance. Just insert the username and password directly into the Websocket URL, as shown below:

One more thing

Check your rate limiting occasionally to see who’s knocking at your door:

	echo "show table gw" | socat stdio /var/run/haproxy/admin.sock
	# table: gw, type: ip, size:65536, used:1
	0x72c0e2a0c6c8: key=103.40.140.18 use=1 exp=57407 shard=0 gpc0=3

You might be surprised how many bots are already scanning for OpenClaw instances. That 401 response is working hard. Any line item where gpc0 is higher than 5 has been limited.

What if you accidentally lock yourself out? Simply run this command, where <key> is your IP address:bash:

	echo "clear table gw key <ip>" | socat stdio /var/run/haproxy/admin.sock
	# table: gw, type: ip, size:65536, used:1
	0x72c0e2a0c6c8: key=103.40.140.18 use=1 exp=57407 shard=0 gpc0=3

Secure from the start

You now have an OpenClaw instance that’s actually secure, not just "hopefully secure." Here’s what’s protecting you:

Defense in depth – You’re not relying on OpenClaw’s young authentication code. HAProxy handles the security layer with battle-tested HTTP Basic Auth that’s been protecting production systems for decades.

Stealth rate limiting – Attackers hitting your instance will see authentication failures, not rate limit errors. They won’t know they’ve been blocked, which means they’ll waste time and resources before giving up.

Automatic TLS – Let’s Encrypt handles your certificates with zero manual intervention. No expired certs, no security warnings, no hassle.

If you need more authentication methods or additional security layers, check out HAProxy Enterprise. When you’re ready to control your deployment at scale, using HAProxy Fusion for centralized management, observability, and automation.

Stay safe and keep learning!

Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.