pfSense MCP Server

server { listen 80; server_name _; # Redirect HTTP to HTTPS in production if ($http_x_forwarded_proto != "https") { return 301 https://$server_name$request_uri; } } server { listen 443 ssl http2; server_name _; # SSL configuration ssl_certificate /etc/nginx/ssl/cert.pem; ssl_certificate_key /etc/nginx/ssl/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; # Security headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # API endpoint location / { # Rate limiting limit_req zone=api_limit burst=20 nodelay; # Proxy settings proxy_pass http://mcp_backend; proxy_http_version 1.1; proxy_set_header Connection ""; # Headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Timeouts proxy_connect_timeout 30s; proxy_send_timeout 30s; proxy_read_timeout 30s; # Buffering proxy_buffering on; proxy_buffer_size 4k; proxy_buffers 8 4k; proxy_busy_buffers_size 8k; # Error handling proxy_intercept_errors on; } # Health check endpoint location /health { limit_req zone=health_limit; proxy_pass http://mcp_backend/health; access_log off; } # Metrics endpoint (restricted) location /metrics { allow 127.0.0.1; allow 172.25.0.0/16; # Docker network deny all; proxy_pass http://mcp_backend:9090/metrics; } # Error pages error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } }