1Panel-dev · f2c-ci-robot · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026
diff --git a/agent/app/service/agents.go b/agent/app/service/agents.go
@@ -81,6 +81,7 @@ const (
 	openclawGatewayPort           = 18789
 	openclawAllowedOriginHost     = "127.0.0.1"
 	openclawHTTPSVersion          = "2026.3.13"
+	openclawHTTPVersion           = "2026.3.23"
 	openclawTrustedProxyLoopback  = "127.0.0.1/32"
 	defaultOpenclawNPMRegistry    = "https://registry.npmjs.org/"
 )
@@ -178,7 +179,11 @@ func (a AgentService) Create(req dto.AgentCreateReq) (*dto.AgentItem, error) {
 		constant.HostIP:      "",
 	}
 	if agentType == constant.AppOpenclaw {
-		params["PANEL_APP_PORT_HTTPS"] = req.WebUIPort
+		if isOpenclawHTTPSWindowVersion(detail.Version) {
+			params["PANEL_APP_PORT_HTTPS"] = req.WebUIPort
+		} else {
+			params["PANEL_APP_PORT_HTTP"] = req.WebUIPort
+		}
 		if allowedOrigin := firstAllowedOrigin(allowedOrigins); allowedOrigin != "" {
 			params["ALLOWED_ORIGIN"] = allowedOrigin
 		}

diff --git a/agent/app/service/agents_utils.go b/agent/app/service/agents_utils.go
@@ -21,7 +21,6 @@ import (
 	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/common"
 	"github.com/1Panel-dev/1Panel/agent/utils/files"
-	openclawutil "github.com/1Panel-dev/1Panel/agent/utils/openclaw"
 	"github.com/1Panel-dev/1Panel/agent/utils/req_helper"
 	"gorm.io/gorm"
 )
@@ -340,7 +339,7 @@ func buildAgentItem(agent *model.Agent, appInstall *model.AppInstall, envMap map
 		item.Container = appInstall.ContainerName
 		item.AppVersion = appInstall.Version
 		if agentType == constant.AppOpenclaw {
-			if isOpenclawHTTPSVersion(appInstall.Version) {
+			if isOpenclawHTTPSWindowVersion(appInstall.Version) {
 				item.WebUIPort = appInstall.HttpsPort
 			} else {
 				item.WebUIPort = appInstall.HttpPort
@@ -360,36 +359,52 @@ func buildAgentItem(agent *model.Agent, appInstall *model.AppInstall, envMap map
 	return item
 }
 
-func isOpenclawHTTPSVersion(version string) bool {
-	target := strings.TrimSpace(strings.ToLower(version))
-	if target == "" || target == "latest" {
-		return true
-	}
-	if !strings.ContainsAny(target, "0123456789") {
-		return true
-	}
-	return common.CompareAppVersion(target, openclawHTTPSVersion)
+func isOpenclawLegacyHTTPVersion(version string) bool {
+	return !common.CompareAppVersion(version, openclawHTTPSVersion)
+}
+
+func isOpenclawHTTPSWindowVersion(version string) bool {
+	return common.CompareAppVersion(version, openclawHTTPSVersion) && !common.CompareAppVersion(version, openclawHTTPVersion)
+}
+
+func isOpenclawCurrentHTTPVersion(version string) bool {
+	return common.CompareAppVersion(version, openclawHTTPVersion)
 }
 
 func shouldMigrateOpenclawHTTPSUpgrade(install *model.AppInstall, fromVersion, toVersion string) bool {
 	if install == nil || install.App.Key != constant.AppOpenclaw {
 		return false
 	}
-	return !isOpenclawHTTPSVersion(fromVersion) && isOpenclawHTTPSVersion(toVersion)
+	return isOpenclawLegacyHTTPVersion(fromVersion) && isOpenclawHTTPSWindowVersion(toVersion)
+}
+
+func shouldMigrateOpenclawHTTPUpgrade(install *model.AppInstall, fromVersion, toVersion string) bool {
+	if install == nil || install.App.Key != constant.AppOpenclaw {
+		return false
+	}
+	return !isOpenclawCurrentHTTPVersion(fromVersion) && isOpenclawCurrentHTTPVersion(toVersion)
 }
 
-func migrateOpenclawHTTPSUpgrade(install *model.AppInstall, fromVersion, toVersion string) error {
+func migrateOpenclawProtocolUpgrade(install *model.AppInstall, fromVersion, toVersion string) error {
 	systemIP, _ := settingRepo.GetValueByKey("SystemIP")
-	return migrateOpenclawHTTPSUpgradeWithSystemIP(install, fromVersion, toVersion, systemIP)
+	return migrateOpenclawProtocolUpgradeWithSystemIP(install, fromVersion, toVersion, systemIP)
 }
 
-func migrateOpenclawHTTPSUpgradeWithSystemIP(install *model.AppInstall, fromVersion, toVersion, systemIP string) error {
-	if !shouldMigrateOpenclawHTTPSUpgrade(install, fromVersion, toVersion) {
-		return nil
+func migrateOpenclawProtocolUpgradeWithSystemIP(install *model.AppInstall, fromVersion, toVersion, systemIP string) error {
+	if shouldMigrateOpenclawHTTPSUpgrade(install, fromVersion, toVersion) {
+		return applyOpenclawProtocolUpgradeWithSystemIP(install, toVersion, systemIP, true)
 	}
-	migrateOpenclawInstallPorts(install)
-	if err := openclawutil.WriteCatchAllCaddyfile(install.GetPath()); err != nil {
-		return err
+	if shouldMigrateOpenclawHTTPUpgrade(install, fromVersion, toVersion) {
+		return applyOpenclawProtocolUpgradeWithSystemIP(install, toVersion, systemIP, false)
+	}
+	return nil
+}
+
+func applyOpenclawProtocolUpgradeWithSystemIP(install *model.AppInstall, toVersion, systemIP string, useHTTPS bool) error {
+	if useHTTPS {
+		migrateOpenclawInstallPortsToHTTPS(install)
+	} else {
+		migrateOpenclawInstallPortsToHTTP(install)
 	}
 	configPath := path.Join(install.GetPath(), "data", "conf", "openclaw.json")
 	var allowedOrigins []string
@@ -400,8 +415,12 @@ func migrateOpenclawHTTPSUpgradeWithSystemIP(install *model.AppInstall, fromVers
 	if originHost == "" {
 		originHost = openclawAllowedOriginHost
 	}
-	if install.HttpsPort > 0 {
-		allowedOrigin, err := buildOpenclawAllowedOrigin(originHost, install.HttpsPort)
+	port := install.HttpPort
+	if useHTTPS {
+		port = install.HttpsPort
+	}
+	if port > 0 {
+		allowedOrigin, err := buildOpenclawAllowedOrigin(openclawAllowedOriginScheme(toVersion), originHost, port)
 		if err == nil {
 			conf, err := readOpenclawConfig(configPath)
 			if err != nil {
@@ -417,7 +436,14 @@ func migrateOpenclawHTTPSUpgradeWithSystemIP(install *model.AppInstall, fromVers
 	return migrateOpenclawInstallEnv(install, allowedOrigins)
 }
 
-func migrateOpenclawInstallPorts(install *model.AppInstall) {
+func openclawAllowedOriginScheme(version string) string {
+	if isOpenclawHTTPSWindowVersion(version) {
+		return "https"
+	}
+	return "http"
+}
+
+func migrateOpenclawInstallPortsToHTTPS(install *model.AppInstall) {
 	if install == nil {
 		return
 	}
@@ -429,6 +455,18 @@ func migrateOpenclawInstallPorts(install *model.AppInstall) {
 	}
 }
 
+func migrateOpenclawInstallPortsToHTTP(install *model.AppInstall) {
+	if install == nil {
+		return
+	}
+	if install.HttpPort == 0 && install.HttpsPort > 0 {
+		install.HttpPort = install.HttpsPort
+	}
+	if install.HttpsPort > 0 {
+		install.HttpsPort = 0
+	}
+}
+
 func migrateOpenclawInstallEnv(install *model.AppInstall, allowedOrigins []string) error {
 	if install == nil {
 		return nil
@@ -441,11 +479,20 @@ func migrateOpenclawInstallEnv(install *model.AppInstall, allowedOrigins []strin
 	}
 	if install.HttpsPort > 0 {
 		envMap["PANEL_APP_PORT_HTTPS"] = install.HttpsPort
+	} else {
+		delete(envMap, "PANEL_APP_PORT_HTTPS")
+	}
+	if install.HttpPort > 0 {
+		envMap["PANEL_APP_PORT_HTTP"] = install.HttpPort
+	}
+	if install.HttpPort == 0 {
+		delete(envMap, "PANEL_APP_PORT_HTTP")
 	}
 	if allowedOrigin := firstAllowedOrigin(allowedOrigins); allowedOrigin != "" {
 		envMap["ALLOWED_ORIGIN"] = allowedOrigin
+	} else {
+		delete(envMap, "ALLOWED_ORIGIN")
 	}
-	delete(envMap, "PANEL_APP_PORT_HTTP")
 	payload, err := json.Marshal(envMap)
 	if err != nil {
 		return err
@@ -487,19 +534,20 @@ func firstAllowedOrigin(allowedOrigins []string) string {
 	return ""
 }
 
-func buildOpenclawAllowedOrigin(host string, port int) (string, error) {
+func buildOpenclawAllowedOrigin(scheme, host string, port int) (string, error) {
+	scheme = strings.TrimSpace(strings.ToLower(scheme))
 	host = strings.TrimSpace(host)
-	if host == "" || port <= 0 {
+	if (scheme != "http" && scheme != "https") || host == "" || port <= 0 {
 		return "", fmt.Errorf("invalid openclaw allowed origin")
 	}
 	if strings.Contains(host, ":") && !strings.HasPrefix(host, "[") && strings.Count(host, ":") > 1 {
 		host = "[" + host + "]"
 	}
-	return normalizeAllowedOrigin(fmt.Sprintf("https://%s:%d", host, port))
+	return normalizeAllowedOrigin(fmt.Sprintf("%s://%s:%d", scheme, host, port))
 }
 
 func checkAgentUpgradable(install model.AppInstall) bool {
-	if install.ID == 0 || install.Version == "" || install.Version == "latest" {
+	if install.ID == 0 || install.Version == "" {
 		return false
 	}
 	if install.App.ID == 0 {
@@ -651,7 +699,7 @@ func writeOpenclawConfig(confDir string, account *model.AgentAccount, modelName,
 	cfg := openclawConfig{
 		Gateway: gatewayConfig{
 			Mode: "local",
-			Bind: "loopback",
+			Bind: "lan",
 			Port: openclawGatewayPort,
 			Auth: gatewayAuth{
 				Mode:  "token",
@@ -744,7 +792,7 @@ func writeOpenclawConfig(confDir string, account *model.AgentAccount, modelName,
 			gatewayMap["mode"] = "local"
 		}
 		if _, ok := gatewayMap["bind"]; !ok {
-			gatewayMap["bind"] = "loopback"
+			gatewayMap["bind"] = "lan"
 		}
 		if _, ok := gatewayMap["port"]; !ok {
 			gatewayMap["port"] = openclawGatewayPort

diff --git a/agent/app/service/app_utils.go b/agent/app/service/app_utils.go
@@ -802,7 +802,7 @@ func upgradeInstall(req request.AppInstallUpgrade) error {
 		}
 
 		var newCompose string
-		if err = migrateOpenclawHTTPSUpgrade(&install, oldVersion, detail.Version); err != nil {
+		if err = migrateOpenclawProtocolUpgrade(&install, oldVersion, detail.Version); err != nil {
 			return err
 		}
 		if req.DockerCompose == "" {

diff --git a/agent/init/migration/migrate.go b/agent/init/migration/migrate.go
@@ -72,11 +72,11 @@ func InitAgentDB() {
 		migrations.AddAgentTypeForAgents,
 		migrations.NormalizeAgentAccountVerifiedStatus,
 		migrations.NormalizeOllamaAccountAPIType,
-		migrations.RewriteOpenclawBundledCaddyfile,
 		migrations.InitAgentAccountModelPool,
 		migrations.AddHostTable,
 		migrations.AddAITerminalSettings,
 		migrations.UpdateAgentQuickJumpTitle,
+		migrations.FixOpenclaw20260323HTTPPort,
 	})
 	if err := m.Migrate(); err != nil {
 		global.LOG.Error(err)

diff --git a/agent/init/migration/migrations/init.go b/agent/init/migration/migrations/init.go
@@ -989,13 +989,6 @@ var NormalizeOllamaAccountAPIType = &gormigrate.Migration{
 	},
 }
 
-var RewriteOpenclawBundledCaddyfile = &gormigrate.Migration{
-	ID: "20260318-rewrite-openclaw-bundled-caddyfile",
-	Migrate: func(tx *gorm.DB) error {
-		return migrationutils.RewriteOpenclawBundledCaddyfile(tx)
-	},
-}
-
 var InitAgentAccountModelPool = &gormigrate.Migration{
 	ID: "20260319-init-agent-account-model-pool",
 	Migrate: func(tx *gorm.DB) error {
@@ -1142,3 +1135,19 @@ var UpdateAgentQuickJumpTitle = &gormigrate.Migration{
 			Update("title", "aiTools.agents.agent").Error
 	},
 }
+
+var FixOpenclaw20260323HTTPPort = &gormigrate.Migration{
+	ID: "20260325-fix-openclaw-20260323-http-port",
+	Migrate: func(tx *gorm.DB) error {
+		return tx.Exec(
+			`UPDATE app_installs
+SET http_port = https_port,
+    https_port = 0
+WHERE version = ?
+  AND https_port > 0
+  AND app_id IN (SELECT id FROM apps WHERE key = ?)`,
+			"2026.3.23",
+			constant.AppOpenclaw,
+		).Error
+	},
+}
diff --git a/agent/init/migration/migrations/utils/openclaw_caddyfile.go b/agent/init/migration/migrations/utils/openclaw_caddyfile.go
diff --git a/agent/utils/openclaw/caddyfile.go b/agent/utils/openclaw/caddyfile.go
diff --git a/frontend/src/lang/modules/en.ts b/frontend/src/lang/modules/en.ts
@@ -681,9 +681,6 @@ const message = {
             appVersion: 'App Version',
             webuiPort: 'WebUI Port',
             allowedOrigins: 'Access Addresses',
-            allowedOriginsHelper:
-                'Enter one full access address per line. HTTPS is recommended, for example https://192.168.1.2:18789. Fill it manually if the default access address is not configured.',
-            allowedOriginsPlaceholder: 'https://192.168.1.2:18789',
             allowedOriginsRequired: 'Enter at least one access address',
             allowedOriginsInvalid: 'Use the format http(s)://host-or-ip[:port]',
             provider: 'Provider',
@@ -2472,11 +2469,11 @@ const message = {
         upgradeWarn:
             'Upgrading the application will replace the docker-compose.yml file. If there are any changes, you can click to view the file comparison',
         openclawHttpsUpgradeNoticeTitle:
-            'Note: The following instructions only apply to users upgrading OpenClaw from versions earlier than 2026.3.13:',
+            'Note: The following instructions only apply to users upgrading OpenClaw from versions 2026.3.13 through 2026.3.22 to 2026.3.23 or later:',
         openclawHttpsUpgradeNoticeItem1:
-            'After the deployed agent is upgraded, go to Configuration -> Settings -> Security and manually add the access address.',
+            'After the upgrade, agent access switches back to HTTP. Go to Configuration -> Settings -> Security and check the access address.',
         openclawHttpsUpgradeNoticeItem2:
-            'The new version now requires HTTPS to access the agent. If you previously used a reverse proxy website, change the proxy target to https://IP:Port.',
+            'If you previously used a reverse proxy website, change the proxy target to http://IP:Port.',
         newVersion: 'New version',
         oldVersion: 'Current version',
         composeDiff: 'File comparison',