What the External Controller Is (and Why Dashboards Need It)
Clash Meta (the kernel many distributions still call Mihomo) separates the data plane—the proxies, rules, and tunnels that move your traffic—from the control plane that exposes runtime state and accepts management commands. The control plane is the HTTP listener configured as external-controller. Web dashboards such as Yacd and metacubexd are not magical “remote desktop” views; they are static front ends that call the same REST API your automation scripts would call. When that listener is missing, bound to the wrong address, blocked by a firewall, or protected by a secret you did not type into the UI, the symptom is predictable: endless loading, “cannot connect,” or a blunt 401 Unauthorized.
If your only goal is “make the pretty charts work,” you can brute-force the problem by opening the API on 0.0.0.0 and clearing the password field. That path ages poorly. The external controller can list connections, inspect DNS history, reload configuration, and—in some setups—change policy selections. Treat it like an admin port on a router: localhost-first, authenticated, and intentionally narrow. The rest of this article walks through a sane baseline, shows how to align the dashboard with the kernel, and gives you a short troubleshooting ladder that does not require exposing your laptop to the coffee-shop Wi-Fi roster.
Readers migrating from legacy Clash Premium semantics will still recognize the field names; if your profile grew organically, refresh the mental model with the Clash Meta upgrade guide so you are not editing obsolete keys beside a modern external-controller stanza.
external-controller and secret into toggles. When instructions here mention YAML, translate them to the advanced editor in your app—the values must match exactly, including spaces and port numbers.
Localhost Baseline: 127.0.0.1, Ports, and TLS
The default story for a single-user laptop is simple: bind the controller to loopback only. In plain YAML that looks like external-controller: 127.0.0.1:9090 (port numbers vary by profile; 9090 is merely the community habit). Loopback binding means only local processes can open a TCP session to the API. Your browser running on the same machine qualifies; a random phone on the LAN does not, which is usually what you want when you are reading mail on the same network as untrusted guests.
Some users attempt external-controller: :9090 or an unspecified host and assume it behaves like “localhost.” Depending on the stack and parser, that can expand to all interfaces—functionally similar to 0.0.0.0—or surprise you with IPv6-only listeners. Prefer explicit 127.0.0.1 until you have a documented reason not to. If you truly need dual-stack localhost, [::1]:9090 is explicit on IPv6-first systems, but many dashboards default to IPv4 literals in examples; keep one address family consistent end to end during your first successful connection.
TLS is a separate axis. Some deployments terminate HTTPS on the controller itself; others place a reverse proxy in front for certificates. If you enabled TLS in the core, plain http:// URLs in the dashboard will fail fast with SSL errors that resemble “cannot connect.” Match the scheme. For a first test, stay on plaintext HTTP over loopback—your threat model on 127.0.0.1 is local malware, not the neighbor’s ARP scans, and eliminating TLS variables makes the rest of the debugging legible.
external-controller: 127.0.0.1:9090
secret: "change-me-to-a-long-random-string"Replace the placeholder secret with a random string from your password manager. Length beats poetry. The quotes matter if you use punctuation that YAML would otherwise treat as syntax.
secret, Bearer Tokens, and the 401 Pattern
When secret is non-empty, the kernel expects clients to authenticate API requests. Human-facing dashboards usually store the value in a settings field labeled API token, secret, or password. Under the hood, many UIs send an Authorization: Bearer <secret> header. If you paste the secret into the wrong box—for example, confusing it with a subscription URL token—or trim a trailing character while copying, every request returns 401 even though the listener is healthy.
Empty secret disables that gate. That is acceptable for lab VMs you snapshot and throw away; it is a poor default on machines you sleep-fold into a backpack. A practical compromise while debugging is: set a secret, verify the dashboard works once, then rotate the secret after you finish screen-sharing or recording a tutorial. Rotation is cheap; cleaning up after a stranger reloads your rules is not.
Advanced integrations sometimes split authentication across reverse proxies or inject headers at the edge. If you run that architecture, ensure only one layer adds Authorization; double headers and mismatched casefolding between proxies confuse both humans and middleware. When in doubt, test with curl directly against loopback—next section—before layering infrastructure.
Yacd, metacubexd, and Matching the API Base URL
Yacd and metacubexd are hosted as static sites and in desktop wrappers. Regardless of packaging, they need two coherent inputs: the API base URL (scheme, host, port, and optional path prefix) and the token field that maps to secret. A common mistake is pasting http://127.0.0.1:9090/ui into the API field because you saw that path in a blog screenshot. The controller serves the API under / with documented subpaths such as /version, /configs, and /connections; decorative /ui mounts depend on build and packaging. If your client bundles a local UI reverse proxy, read its tooltip text instead of guessing paths.
Another frequent mismatch is trailing slashes. Some fetch clients normalize URLs; others concatenate paths naively. Start with the minimal base http://127.0.0.1:9090 without a trailing slash, save, and reload the dashboard. If the UI offers separate fields for host and port, avoid duplicating the port in both.
Browser extensions and “installed PWA” builds may run in a different security context than a tab opened from file://. If the dashboard loads but network calls fail, open the developer console: mixed-content blocking and CORS errors print explicit reasons. Hosting the dashboard over HTTPS while pointing at http://127.0.0.1 is usually fine for local loopback in modern Chromium builds, but corporate policies and extensions can still interfere. A quick isolation test is to try another browser profile with extensions disabled.
Finally, confirm you are looking at the same runtime your GUI launched. Some applications spawn a helper core with an alternate profile path or a random high port for the controller. The YAML on disk is not authoritative if the app overlays runtime settings—check the live config viewer inside the client if it provides one. For picking a client that exposes these details clearly, see how to choose a Clash client.
Prove the REST API With curl Before Blaming the GUI
Dashboards compress errors into spinners. curl prints facts. With a non-empty secret, the version endpoint should return JSON immediately. Example for macOS or Linux shells:
curl -sS -H "Authorization: Bearer YOUR_SECRET_HERE" \
http://127.0.0.1:9090/version
A JSON body with a version field means the listener, port, and token align. If you receive HTTP 401, either the secret is wrong or an intermediary stripped the header. If you receive “connection refused,” the process is not listening on that interface/port pair—perhaps the controller is still bound to a different port from an older profile, or the core failed to start the HTTP server due to a syntax error earlier in the YAML.
Empty-secret profiles omit the header entirely:
curl — no secret configuredcurl -sS http://127.0.0.1:9090/version
Once /version works, spot-check /configs read-only endpoints before attempting writes. Mutation calls are powerful: they can reload files you did not mean to touch. Script carefully, especially on shared machines.
Connection Refused, Timeouts, and “Wrong Machine” Errors
Symptom clustering matters. Connection refused almost always means nothing is listening on the target tuple: wrong port, controller disabled, or the core exited. Timeouts suggest filtering—local firewall, loopback mis-routed through a proxy tool, or a Docker bridge where “localhost” inside a container is not the host. Instant HTTP errors (401, 404, 301) mean you reached some HTTP server; celebrate that progress and pivot to authentication or path issues instead of chasing ARP ghosts.
Remote SSH port-forwarding and container topologies deserve explicit diagrams on a sticky note. If the dashboard runs on your workstation but the core runs in a remote VM, 127.0.0.1:9090 on the workstation is simply the wrong address unless you forwarded the port. Forwarding carries the same secret requirements; it does not magically add TLS or strip authentication.
On Windows, loopback exemptions for UWP apps and “localhost hardening” features occasionally block cross-user listeners. If you verified YAML correctness and curl still fails from PowerShell, test from the same user context that launched the core, then compare with netstat or built-in resource monitors to see which PID owns the port.
When logs mention address already in use, another process grabbed the port first—often a zombie instance of the same client. Quit stray processes, or change the controller port consistently in both YAML and dashboard settings.
When You Truly Need LAN Access: allow-lan and Firewalls
Phone dashboards and household split setups tempt people to bind 0.0.0.0 immediately. A tighter pattern keeps the controller on loopback for daily use and enables LAN reachability only when you need it, paired with a strong secret and OS firewall rules that limit source IPs. Meta-class cores expose allow-lan alongside bind directives; understand that allow-lan: true without careful binding still surprises newcomers who expected “LAN” to mean “RFC1918 only.”
If you must expose the API beyond loopback, document the blast radius: anyone who can reach the port and guess or intercept the secret can manipulate your proxy. Use long secrets, rotate them after guest networks, and prefer VPN or SSH tunnels over raw exposure to hotel Wi-Fi. For subnet-specific bind addresses and firewall vocabulary that pairs with this topic, read the LAN sharing and firewall bind guide—it complements controller planning without encouraging open WAN administration.
Docker users should map ports deliberately: publishing 9090:9090 on all interfaces replicates the 0.0.0.0 hazard at the host boundary. Bind publish directives to 127.0.0.1:9090:9090 when the dashboard runs on the same Docker host, or tunnel if it does not.
Security Model: Why 0.0.0.0 Without a Secret Is a Bad Idea
Capture-the-flag contests love forgotten admin ports. Your home lab is not a CTF, but the mechanics rhyme: an unauthenticated Clash REST surface on a routable address is a remote configuration API for outbound traffic. Attackers who cannot break TLS on your banking session may still enjoy reloading a permissive ruleset if you hand them the keys.
Defense layers that actually help: loopback binding by default, long random secret values, host firewalls that default deny inbound, segregated guest SSIDs, and avoiding public preview links that leak your token in URL query parameters. Some dashboards append tokens to URLs for convenience; clear browser history after demos.
Compliance and workplace policies matter too. Running a wide-open controller on corporate hardware can violate acceptable-use rules even if your technical intent is benign. When unsure, treat the API like SSH: authenticate, limit interfaces, and log changes.
Wrap-Up
Fixing Clash Meta dashboards is rarely about “which pretty UI is best.” It is about aligning three concrete facts: where external-controller listens, whether secret matches the Authorization header your tool sends, and whether your browser can reach that exact loopback tuple without a container, SSH, or firewall story you forgot to draw. Yacd and metacubexd become reliable once the REST API answers /version cleanly in curl; everything after that is polish.
Compared with turning the control plane into a public service, localhost-first binding plus a rotated token trades one minute of setup for months of not wondering why the coffee shop captive portal showed your proxy group names. Ecosystem context on connectivity and client behavior lives in the Clash FAQ—useful when symptoms overlap DNS or TUN issues even though the dashboard misled you first.
→ Download Clash for free and experience the difference—keep the data plane fast, and keep the control plane boringly local until you truly intend otherwise.