
Telegram media downloads fail in restricted networks: explicitly allowlist api.telegram.org on the media download path

Problem/scenario: in a restricted network, the bot receives messages normally but fails to receive files, reporting an SSRF hit on a private IP. Prerequisite: channels.telegram.proxy or a system proxy is already configured. Steps: locate the failing path in fetchRemoteMedia → inject ssrfPolicy.allowedHostnames for Telegram file downloads → allow only api.telegram.org → re-test document/photo. Key configuration: allowedHostnames=[api.telegram.org]. Verification: the log no longer shows Blocked: resolves to private/internal IP address and files are written to disk. Risk: the allowance is limited to the official domain; do not widen it to wildcard domains. Source: Issue #20891 + PR #20895.

GITHUB · Discovered 2026-02-19 · Author arosstale
Prerequisites
  • Telegram account is running behind a proxy in a DNS-poisoned or filtered region.
  • You can inspect gateway logs to capture SSRF/media-fetch errors.
Steps
  1. Reproduce by sending a file to the bot and confirm that the URL fetch is blocked with the private/internal IP reason.
  2. Trace the code path: Telegram media fetch uses fetchRemoteMedia (not the grammy Bot API request path).
  3. Apply the SSRF override only for Telegram media: ssrfPolicy.allowedHostnames=[api.telegram.org].
  4. Restart the gateway and re-test photo/document fetch through the same proxy route.
Commands
openclaw gateway status
openclaw gateway restart
Verify

Telegram media downloads succeed while SSRF protection remains active for non-allowlisted hosts.

Caveats
  • Never broad-allow wildcard hostnames; keep allowlist minimal and Telegram-specific.
  • If an enterprise proxy rewrites domains, additional host mapping validation may be required (to be verified).
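The following is an added example for steps 2 and 3 and the first caveat; it is not openclaw's own code and does not come from Issue #20891 or PR #20895. It shows, in JavaScript, the shape of an SSRF policy check with an exact-match allowedHostnames list: the blocked outcome under the default policy, the allowed outcome once api.telegram.org is allowlisted, and that every other hostname, including a look-alike, is still resolved and checked. The function names (evaluateSsrfPolicy, isPrivateOrInternalIp), the injected resolver, all addresses and the bot-token placeholder are assumptions constructed for the example.

```javascript
// Added example (not openclaw's own code): an SSRF policy check of the kind the
// tip describes. A hostname is fetched only if every address it resolves to is
// public, unless it appears verbatim on an explicit allowlist. The resolver is
// injected so the example runs offline; all addresses below are constructed.

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  // >>> 0 keeps the first octet's shift an unsigned 32-bit value.
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// Non-routable / internal IPv4 ranges: "this network", RFC 1918 private space,
// CGNAT, loopback, link-local, multicast and reserved.
const BLOCKED_RANGES = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
];

function isPrivateOrInternalIp(ip) {
  const n = ipv4ToInt(ip);
  return BLOCKED_RANGES.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// policy.allowedHostnames is compared exactly against the parsed hostname:
// no wildcards and no suffix matching, so a look-alike host is still resolved
// and checked like any other.
function evaluateSsrfPolicy(urlString, policy, resolve) {
  const { hostname } = new URL(urlString); // WHATWG URL parsing lower-cases the host
  if (policy.allowedHostnames.includes(hostname)) {
    return { allowed: true, reason: `Allowlisted hostname: ${hostname}` };
  }
  const addresses = resolve(hostname);
  if (addresses.length === 0) {
    return { allowed: false, reason: `Blocked: ${hostname} did not resolve` };
  }
  if (addresses.some(isPrivateOrInternalIp)) {
    return { allowed: false, reason: 'Blocked: resolves to private/internal IP address' };
  }
  return { allowed: true, reason: 'Public address' };
}

// Constructed DNS answers simulating the tip's environment: behind the proxy,
// api.telegram.org resolves to a private, proxy-side address.
const CONSTRUCTED_DNS = {
  'api.telegram.org': ['10.0.0.53'],
  'api.telegram.org.evil.example': ['127.0.0.1'],
  'internal.corp.example': ['192.168.1.10'],
  'example.com': ['93.184.216.34'],
};
const constructedResolve = (host) => CONSTRUCTED_DNS[host] ?? [];

const DEFAULT_POLICY = { allowedHostnames: [] };
// The narrow override from the tip: only the official Telegram API host.
const TELEGRAM_MEDIA_POLICY = { allowedHostnames: ['api.telegram.org'] };

// BOT_TOKEN_PLACEHOLDER stands in for a real bot token (assumed value).
const MEDIA_URL = 'https://api.telegram.org/file/botBOT_TOKEN_PLACEHOLDER/photos/file_1.jpg';

function demo() {
  const before = evaluateSsrfPolicy(MEDIA_URL, DEFAULT_POLICY, constructedResolve);
  const after = evaluateSsrfPolicy(MEDIA_URL, TELEGRAM_MEDIA_POLICY, constructedResolve);
  const stillBlocked = evaluateSsrfPolicy('https://internal.corp.example/', TELEGRAM_MEDIA_POLICY, constructedResolve);
  console.log('default policy :', before.reason);
  console.log('telegram policy:', after.reason);
  console.log('other host     :', stillBlocked.reason);
  return { before, after, stillBlocked };
}

demo();
```

A production policy would additionally cover IPv6 literals and ranges, and would connect to the address it validated rather than resolving a second time, so that a changed DNS answer between check and fetch cannot redirect the request.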
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.
