# Minimal NGINX reverse proxy for MCP Browser SSE bridge
#
# This configuration omits OAuth and exposes only the unauthenticated SSE
# endpoint. It is intended for quick local setup (e.g. tunnelling the bridge
# to the OpenAI MCP interface) and should not be used on the public Internet
# without adding authentication.

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

upstream mcp_browser_backend {
  server 127.0.0.1:8251;
  keepalive 4;
}

server {
  listen      443 ssl http2;
  server_name mcp-dev.example.com;

  ssl_certificate      /etc/letsencrypt/live/mcp-dev.example.com/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/mcp-dev.example.com/privkey.pem;
  include              /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam          /etc/letsencrypt/ssl-dhparams.pem;

  add_header X-Robots-Tag "noindex, nofollow, noarchive" always;

  # Replace __MCP_SLUG__ with your private slug value.
  location ^~ /__MCP_SLUG__/mcp-browser/ {
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-NginX-Proxy true;

    proxy_request_buffering off;
    proxy_buffering        off;
    proxy_cache            off;
    proxy_read_timeout     1d;
    proxy_send_timeout     1d;
    send_timeout           1d;
    keepalive_timeout      1d;

    proxy_pass http://mcp_browser_backend/servers/mcp-browser/sse;
  }
}