chelydra
/
mcp-browser
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
mcp-browser/examples/mcp.conf

132 lines
4.1 KiB
Plaintext
Raw Blame History

# Example NGINX front-end for MCP Browser
#
# Replace the placeholder values (domain, certificate paths, slug, upstream
# ports) with values that match your deployment. This configuration exposes:
# * OAuth metadata + token endpoints implemented via an njs helper
# * An authenticated Streamable HTTP MCP endpoint
# * An unauthenticated debug endpoint (optional) that forwards to the
# mcp-browser SSE bridge
#
# The example assumes that:
# * An njs script lives at /etc/nginx/njs/mcp_oauth.js providing handlers
# for the metadata/register/token endpoints.
# * The mcp-browser bridge listens on 127.0.0.1:8251 for SSE requests.
# * The upstream MCP server (or proxy) exposes streamable-http at
# 127.0.0.1:8250.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
js_path /etc/nginx/njs;
js_import mcp_oauth from /etc/nginx/njs/mcp_oauth.js;
# Upstream pools (tune keepalive as needed)
upstream mcp_streamable_backend {
server 127.0.0.1:8250;
keepalive 32;
}
upstream mcp_browser_backend {
server 127.0.0.1:8251;
keepalive 8;
}
server {
listen 443 ssl http2;
server_name mcp.example.com;
ssl_certificate /etc/letsencrypt/live/mcp.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mcp.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/mcp.example.com/chain.pem;
add_header X-Robots-Tag "noindex, nofollow, noarchive" always;
# --- OAuth discovery + token endpoints (served by njs helper) -------------
# Replace __MCP_SLUG__ with the slug you publish in OAuth metadata.
location = /.well-known/oauth-authorization-server/__MCP_SLUG__/mcp {
default_type application/json;
js_content mcp_oauth.metadata;
}
location = /.well-known/oauth-protected-resource/__MCP_SLUG__/mcp {
default_type application/json;
js_content mcp_oauth.metadata;
}
location = /.well-known/oauth-authorization-server {
default_type application/json;
js_content mcp_oauth.metadata;
}
location = /.well-known/oauth-protected-resource {
default_type application/json;
js_content mcp_oauth.metadata;
}
location = /register {
default_type application/json;
js_content mcp_oauth.register;
}
location = /token {
default_type application/json;
js_content mcp_oauth.token;
}
# Internal auth_request hook used by the protected MCP endpoint.
location = /_oauth_check {
internal;
js_content mcp_oauth.check;
}
# --- Protected Streamable HTTP MCP endpoint --------------------------------
# Requires successful OAuth check before proxying to the upstream server.
location ^~ /__MCP_SLUG__/mcp/ {
auth_request /_oauth_check;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Authorization "";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Streaming friendly defaults
proxy_request_buffering off;
proxy_buffering off;
proxy_read_timeout 1d;
proxy_send_timeout 1d;
proxy_connect_timeout 30s;
# Advertise latest protocol version if desired
# proxy_set_header MCP-Protocol-Version "2025-06-18";
proxy_pass http://mcp_streamable_backend;
}
# --- Optional unauthenticated SSE bridge for local debugging ---------------
location ^~ /__MCP_SLUG__/mcp-browser/ {
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;
proxy_request_buffering off;
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 1d;
proxy_send_timeout 1d;
send_timeout 1d;
keepalive_timeout 1d;
proxy_pass http://mcp_browser_backend/servers/mcp-browser/sse;
}
}
Reference in New Issue View Git Blame Copy Permalink