chore: switch ngrok helper to oauth-based auth
parent
63a3f41726
commit
1d1dd262c6
|
|
@ -2,12 +2,14 @@
|
||||||
|
|
||||||
The `scripts/run_mcp_ngrok.sh` helper launches `mcp-browser` in
|
The `scripts/run_mcp_ngrok.sh` helper launches `mcp-browser` in
|
||||||
streamable-http mode and exposes it through an ngrok tunnel. By default it uses
|
streamable-http mode and exposes it through an ngrok tunnel. By default it uses
|
||||||
the `builtin-only` server profile so only the minimal proxy tools are visible.
|
whatever server is marked as default in your configuration (or you can specify
|
||||||
|
one explicitly with `--server`).
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
./scripts/run_mcp_ngrok.sh \
|
./scripts/run_mcp_ngrok.sh \
|
||||||
--allow-origin https://platform.openai.com \
|
--allow-origin https://platform.openai.com \
|
||||||
--ngrok-basic-auth "user:pass"
|
--ngrok-oauth-provider google \
|
||||||
|
--ngrok-oauth-allow-email you@example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
Key behaviours:
|
Key behaviours:
|
||||||
|
|
@ -25,8 +27,9 @@ Useful options:
|
||||||
- `--config ~/.claude/mcp-browser/config.yaml` – point at a custom config file.
|
- `--config ~/.claude/mcp-browser/config.yaml` – point at a custom config file.
|
||||||
- `--ngrok-region eu` or `--ngrok-domain your-name.ngrok.app` – choose a region
|
- `--ngrok-region eu` or `--ngrok-domain your-name.ngrok.app` – choose a region
|
||||||
or reserved domain.
|
or reserved domain.
|
||||||
- `--ngrok-basic-auth user:pass` – require HTTP basic auth. Strongly recommended
|
- `--ngrok-oauth-provider google --ngrok-oauth-allow-email you@example.com` –
|
||||||
if the tunnel is exposed to the public.
|
gate the tunnel behind ngrok’s OAuth support (recommended when exposing the
|
||||||
|
gateway).
|
||||||
|
|
||||||
Additional `mcp-browser` arguments can be passed after `--`, for example to
|
Additional `mcp-browser` arguments can be passed after `--`, for example to
|
||||||
connect to a streamable HTTP upstream:
|
connect to a streamable HTTP upstream:
|
||||||
|
|
@ -37,5 +40,6 @@ connect to a streamable HTTP upstream:
|
||||||
--transport-url http://127.0.0.1:12306/mcp
|
--transport-url http://127.0.0.1:12306/mcp
|
||||||
```
|
```
|
||||||
|
|
||||||
The resulting public URL terminates at `/mcp`. Configure your MCP client (e.g.
|
The resulting public URL terminates at `/mcp` and is served via HTTPS by ngrok
|
||||||
OpenAI’s MCP interface) with that URL and the optional basic auth credentials.
|
automatically. Configure your MCP client (e.g. OpenAI’s MCP interface) with
|
||||||
|
that URL plus any OAuth restrictions you defined.
|
||||||
|
|
|
||||||
|
|
@ -1,18 +1,17 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
set -x
|
|
||||||
|
|
||||||
usage() {
|
usage() {
|
||||||
cat <<'USAGE'
|
cat <<'USAGE'
|
||||||
Usage: run_mcp_ngrok.sh [options] [-- additional mcp-browser args]
|
Usage: run_mcp_ngrok.sh [options] [-- additional mcp-browser args]
|
||||||
|
|
||||||
Launch mcp-browser in streamable-http mode and expose it via an ngrok HTTPS
|
Launch mcp-browser in streamable-http mode and expose it via an ngrok HTTPS
|
||||||
endpoint. Designed to publish only the minimal built-in API (builtin-only
|
endpoint. By default it uses the configured default MCP server, but you can
|
||||||
server) unless overridden.
|
override that with --server if needed.
|
||||||
|
|
||||||
Options:
|
Options:
|
||||||
--config PATH Path to mcp-browser config file.
|
--config PATH Path to mcp-browser config file.
|
||||||
--server NAME Server entry to use (default: builtin-only).
|
--server NAME Server entry to use (optional).
|
||||||
--http-host HOST Local interface for the gateway (default: 127.0.0.1).
|
--http-host HOST Local interface for the gateway (default: 127.0.0.1).
|
||||||
--http-port PORT Local port for the gateway (default: auto).
|
--http-port PORT Local port for the gateway (default: auto).
|
||||||
--http-path PATH HTTP path prefix (default: /mcp).
|
--http-path PATH HTTP path prefix (default: /mcp).
|
||||||
|
|
@ -20,7 +19,10 @@ Options:
|
||||||
(default: https://platform.openai.com).
|
(default: https://platform.openai.com).
|
||||||
--ngrok-domain DOMAIN Reserved ngrok domain to use (optional).
|
--ngrok-domain DOMAIN Reserved ngrok domain to use (optional).
|
||||||
--ngrok-region REGION ngrok region code (optional).
|
--ngrok-region REGION ngrok region code (optional).
|
||||||
--ngrok-basic-auth USER:PASS Require HTTP basic auth on the tunnel.
|
--ngrok-oauth-provider PROVIDER Enable ngrok OAuth (e.g. google, github).
|
||||||
|
--ngrok-oauth-allow-email EMAIL Restrict OAuth to a specific email (repeatable).
|
||||||
|
--ngrok-oauth-allow-domain DOMAIN Restrict OAuth to an email domain (repeatable).
|
||||||
|
--ngrok-oauth-scope SCOPE Additional OAuth scope (repeatable).
|
||||||
--ngrok-inspect true|false Enable ngrok inspector (default: false).
|
--ngrok-inspect true|false Enable ngrok inspector (default: false).
|
||||||
--mcp-arg ARG Extra argument passed to mcp-browser (repeatable).
|
--mcp-arg ARG Extra argument passed to mcp-browser (repeatable).
|
||||||
--ngrok-arg ARG Extra argument passed to ngrok (repeatable).
|
--ngrok-arg ARG Extra argument passed to ngrok (repeatable).
|
||||||
|
|
@ -37,13 +39,17 @@ USAGE
|
||||||
MCP_BIN=${MCP_BROWSER_BIN:-mcp-browser}
|
MCP_BIN=${MCP_BROWSER_BIN:-mcp-browser}
|
||||||
NGROK_BIN=${NGROK_BIN:-ngrok}
|
NGROK_BIN=${NGROK_BIN:-ngrok}
|
||||||
CONFIG_PATH=""
|
CONFIG_PATH=""
|
||||||
|
SERVER_NAME=""
|
||||||
HTTP_HOST="127.0.0.1"
|
HTTP_HOST="127.0.0.1"
|
||||||
HTTP_PORT=""
|
HTTP_PORT=""
|
||||||
HTTP_PATH="/mcp"
|
HTTP_PATH="/mcp"
|
||||||
ALLOW_ORIGIN="https://platform.openai.com"
|
ALLOW_ORIGIN="https://platform.openai.com"
|
||||||
NGROK_DOMAIN=""
|
NGROK_DOMAIN=""
|
||||||
NGROK_REGION=""
|
NGROK_REGION=""
|
||||||
NGROK_BASIC_AUTH=""
|
NGROK_OAUTH_PROVIDER=""
|
||||||
|
NGROK_OAUTH_ALLOW_EMAILS=()
|
||||||
|
NGROK_OAUTH_ALLOW_DOMAINS=()
|
||||||
|
NGROK_OAUTH_SCOPES=()
|
||||||
NGROK_INSPECT="false"
|
NGROK_INSPECT="false"
|
||||||
MCP_EXTRA_ARGS=()
|
MCP_EXTRA_ARGS=()
|
||||||
NGROK_EXTRA_ARGS=()
|
NGROK_EXTRA_ARGS=()
|
||||||
|
|
@ -52,6 +58,8 @@ while [[ $# -gt 0 ]]; do
|
||||||
case "$1" in
|
case "$1" in
|
||||||
--config)
|
--config)
|
||||||
CONFIG_PATH=$2; shift 2;;
|
CONFIG_PATH=$2; shift 2;;
|
||||||
|
--server)
|
||||||
|
SERVER_NAME=$2; shift 2;;
|
||||||
--http-host)
|
--http-host)
|
||||||
HTTP_HOST=$2; shift 2;;
|
HTTP_HOST=$2; shift 2;;
|
||||||
--http-port)
|
--http-port)
|
||||||
|
|
@ -64,8 +72,14 @@ while [[ $# -gt 0 ]]; do
|
||||||
NGROK_DOMAIN=$2; shift 2;;
|
NGROK_DOMAIN=$2; shift 2;;
|
||||||
--ngrok-region)
|
--ngrok-region)
|
||||||
NGROK_REGION=$2; shift 2;;
|
NGROK_REGION=$2; shift 2;;
|
||||||
--ngrok-basic-auth)
|
--ngrok-oauth-provider)
|
||||||
NGROK_BASIC_AUTH=$2; shift 2;;
|
NGROK_OAUTH_PROVIDER=$2; shift 2;;
|
||||||
|
--ngrok-oauth-allow-email)
|
||||||
|
NGROK_OAUTH_ALLOW_EMAILS+=("$2"); shift 2;;
|
||||||
|
--ngrok-oauth-allow-domain)
|
||||||
|
NGROK_OAUTH_ALLOW_DOMAINS+=("$2"); shift 2;;
|
||||||
|
--ngrok-oauth-scope)
|
||||||
|
NGROK_OAUTH_SCOPES+=("$2"); shift 2;;
|
||||||
--ngrok-inspect)
|
--ngrok-inspect)
|
||||||
NGROK_INSPECT=$2; shift 2;;
|
NGROK_INSPECT=$2; shift 2;;
|
||||||
--mcp-arg)
|
--mcp-arg)
|
||||||
|
|
@ -115,10 +129,13 @@ HTTP_PATH="/${HTTP_PATH#/}"
|
||||||
MCP_CMD=("$MCP_BIN" --mode streamable-http \
|
MCP_CMD=("$MCP_BIN" --mode streamable-http \
|
||||||
--http-host "$HTTP_HOST" --http-port "$HTTP_PORT" \
|
--http-host "$HTTP_HOST" --http-port "$HTTP_PORT" \
|
||||||
--http-path "$HTTP_PATH" --http-allow-origin "$ALLOW_ORIGIN")
|
--http-path "$HTTP_PATH" --http-allow-origin "$ALLOW_ORIGIN")
|
||||||
|
if [[ -n "$SERVER_NAME" ]]; then
|
||||||
|
MCP_CMD+=(--server "$SERVER_NAME")
|
||||||
|
fi
|
||||||
if [[ -n "$CONFIG_PATH" ]]; then
|
if [[ -n "$CONFIG_PATH" ]]; then
|
||||||
MCP_CMD+=(--config "$CONFIG_PATH")
|
MCP_CMD+=(--config "$CONFIG_PATH")
|
||||||
fi
|
fi
|
||||||
#[[ ${#MCP_EXTRA_ARGS[@]} -gt 0 ]] && MCP_CMD+=("${MCP_EXTRA_ARGS[@]}")
|
[[ ${#MCP_EXTRA_ARGS[@]} -gt 0 ]] && MCP_CMD+=("${MCP_EXTRA_ARGS[@]}")
|
||||||
|
|
||||||
MCP_LOG=$(mktemp -t mcp-browser-gateway.XXXXXX.log)
|
MCP_LOG=$(mktemp -t mcp-browser-gateway.XXXXXX.log)
|
||||||
NGROK_LOG=$(mktemp -t ngrok-mcp.XXXXXX.log)
|
NGROK_LOG=$(mktemp -t ngrok-mcp.XXXXXX.log)
|
||||||
|
|
@ -152,7 +169,7 @@ if [[ $? -ne 0 ]]; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
NGROK_CMD=("$NGROK_BIN" http --scheme=http "http://$HTTP_HOST:$HTTP_PORT")
|
NGROK_CMD=("$NGROK_BIN" http "http://$HTTP_HOST:$HTTP_PORT")
|
||||||
NGROK_CMD+=(--request-header-add "X-MCP-Gateway:true")
|
NGROK_CMD+=(--request-header-add "X-MCP-Gateway:true")
|
||||||
NGROK_CMD+=(--response-header-add "Cache-Control:no-store")
|
NGROK_CMD+=(--response-header-add "Cache-Control:no-store")
|
||||||
NGROK_CMD+=(--inspect="$NGROK_INSPECT")
|
NGROK_CMD+=(--inspect="$NGROK_INSPECT")
|
||||||
|
|
@ -162,8 +179,17 @@ fi
|
||||||
if [[ -n "$NGROK_REGION" ]]; then
|
if [[ -n "$NGROK_REGION" ]]; then
|
||||||
NGROK_CMD+=(--region "$NGROK_REGION")
|
NGROK_CMD+=(--region "$NGROK_REGION")
|
||||||
fi
|
fi
|
||||||
if [[ -n "$NGROK_BASIC_AUTH" ]]; then
|
if [[ -n "$NGROK_OAUTH_PROVIDER" ]]; then
|
||||||
NGROK_CMD+=(--basic-auth "$NGROK_BASIC_AUTH")
|
NGROK_CMD+=(--oauth="$NGROK_OAUTH_PROVIDER")
|
||||||
|
for email in "${NGROK_OAUTH_ALLOW_EMAILS[@]}"; do
|
||||||
|
NGROK_CMD+=(--oauth-allow-email "$email")
|
||||||
|
done
|
||||||
|
for domain in "${NGROK_OAUTH_ALLOW_DOMAINS[@]}"; do
|
||||||
|
NGROK_CMD+=(--oauth-allow-domain "$domain")
|
||||||
|
done
|
||||||
|
for scope in "${NGROK_OAUTH_SCOPES[@]}"; do
|
||||||
|
NGROK_CMD+=(--oauth-scope "$scope")
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
[[ ${#NGROK_EXTRA_ARGS[@]} -gt 0 ]] && NGROK_CMD+=("${NGROK_EXTRA_ARGS[@]}")
|
[[ ${#NGROK_EXTRA_ARGS[@]} -gt 0 ]] && NGROK_CMD+=("${NGROK_EXTRA_ARGS[@]}")
|
||||||
|
|
||||||
|
|
|
||||||
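Review bot: The `--ngrok-oauth-allow-email`, `--ngrok-oauth-allow-domain` and `--ngrok-oauth-scope` values are only consumed inside `if [[ -n "$NGROK_OAUTH_PROVIDER" ]]` in the last hunk, so passing an allow-list without `--ngrok-oauth-provider` silently starts a tunnel with no authentication, now that `--ngrok-basic-auth` has been removed. The opposite case is just as quiet: a provider with no allow-list appears to admit any account that can sign in at that provider, which is unlikely to be what someone publishing an MCP gateway intends. I would reject the first case and print a warning for the second and for a start with no provider at all, as sketched below. Separately, the three new `for` loops expand possibly empty arrays under `set -u`, which bash releases before 4.4 treat as an unbound variable; the script already guards `NGROK_EXTRA_ARGS` with a `${#...[@]} -gt 0` test, and the loops could use the same guard.

```shell
if [[ -z "$NGROK_OAUTH_PROVIDER" ]]; then
  if (( ${#NGROK_OAUTH_ALLOW_EMAILS[@]} + ${#NGROK_OAUTH_ALLOW_DOMAINS[@]} + ${#NGROK_OAUTH_SCOPES[@]} > 0 )); then
    echo "error: --ngrok-oauth-allow-email/--ngrok-oauth-allow-domain/--ngrok-oauth-scope require --ngrok-oauth-provider" >&2
    exit 2
  fi
  echo "warning: no --ngrok-oauth-provider given; the tunnel is not protected by OAuth" >&2
else
  NGROK_CMD+=(--oauth="$NGROK_OAUTH_PROVIDER")
  if (( ${#NGROK_OAUTH_ALLOW_EMAILS[@]} + ${#NGROK_OAUTH_ALLOW_DOMAINS[@]} == 0 )); then
    echo "warning: OAuth enabled without --ngrok-oauth-allow-email or --ngrok-oauth-allow-domain" >&2
  fi
  # … unchanged: loops adding --oauth-allow-email, --oauth-allow-domain, --oauth-scope …
fi
```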