#==============================================================================
# MCP Network Tools Server - Docker Environment Configuration
#==============================================================================
# Purpose: Environment variables for Docker deployment
#
# Usage:
# 1. Copy this file: cp .env.docker .env
# 2. Edit values for your environment
# 3. Do NOT commit .env file to git (contains secrets)
# 4. Use docker-compose up -d
#
# Security:
# - Keep the copied .env file private (owner read/write only: chmod 600 .env)
# - Use secrets management for production
# - Rotate credentials regularly
#
# Author: MCP Network Tools Team
# Version: 2.0.0
#==============================================================================
#------------------------------------------------------------------------------
# Server Configuration
#------------------------------------------------------------------------------
# Transport mode: stdio or http
# - stdio: For AI agent integration (Claude Desktop, etc.)
# - http: For API access, monitoring, distributed deployments
MCP_SERVER_TRANSPORT=http
# HTTP server settings (only used if transport=http)
# 0.0.0.0 listens on every interface inside the container. What is reachable
# from outside the container is decided by any port mapping in
# docker-compose.yml, so publish MCP_SERVER_PORT only where it is needed.
# NOTE(review): this file defines no authentication setting for the HTTP
# transport - confirm how API access is protected before exposing the port.
MCP_SERVER_HOST=0.0.0.0
MCP_SERVER_PORT=8080
# NOTE(review): presumably the number of server worker processes - confirm
MCP_SERVER_WORKERS=1
# NOTE(review): presumably a cap on simultaneous client connections - confirm
MCP_SERVER_MAX_CONNECTIONS=100
# Graceful shutdown timeout (seconds)
MCP_SERVER_SHUTDOWN_GRACE_PERIOD=30
#------------------------------------------------------------------------------
# Security Settings
#------------------------------------------------------------------------------
# Allow intrusive operations (nmap -A, vulnerability scripts)
# WARNING: Only enable in controlled environments!
# Values: true, false
# Keep false unless every allowed target is a system you are authorised to
# scan; when enabling it, set MCP_SECURITY_ALLOWED_TARGETS explicitly as well.
MCP_SECURITY_ALLOW_INTRUSIVE=false
# Allowed target patterns (comma-separated)
# Default: RFC1918 private IPs and .lab.internal domains
# The key is commented out here, so the default described above applies.
# RFC1918 covers all private address space the container can route to, which
# may include other containers and internal hosts that are not lab targets.
# NOTE(review): confirm the accepted pattern syntax before narrowing the list.
# MCP_SECURITY_ALLOWED_TARGETS=RFC1918,.lab.internal
# Maximum argument length (bytes)
MCP_SECURITY_MAX_ARGS_LENGTH=2048
# Maximum output size (bytes)
# 1048576 bytes = 1 MiB
MCP_SECURITY_MAX_OUTPUT_SIZE=1048576
# Default timeout for operations (seconds)
# 300 seconds = 5 minutes
# NOTE(review): MCP_TOOL_DEFAULT_TIMEOUT below carries the same value; which
# of the two takes precedence is not visible in this file - confirm.
MCP_SECURITY_TIMEOUT_SECONDS=300
# Concurrent operation limit
# NOTE(review): MCP_TOOL_DEFAULT_CONCURRENCY below carries the same value;
# confirm how the two limits interact.
MCP_SECURITY_CONCURRENCY_LIMIT=2
#------------------------------------------------------------------------------
# Tool Configuration
#------------------------------------------------------------------------------
# Default timeout for tool execution (seconds)
MCP_TOOL_DEFAULT_TIMEOUT=300
# Default concurrency per tool
MCP_TOOL_DEFAULT_CONCURRENCY=2
# Tool inclusion/exclusion (comma-separated)
# Example: TOOL_INCLUDE=NmapTool,PingTool
# Both keys are commented out, so no include or exclude list is set here.
# NOTE(review): presumably TOOL_INCLUDE limits the server to the listed tools;
# an explicit include list keeps unused tools unavailable - confirm how it
# combines with TOOL_EXCLUDE.
# TOOL_INCLUDE=
# TOOL_EXCLUDE=
# Tools package to scan
# NOTE(review): presumably this Python package is imported to discover tools,
# so it should only ever name a package you trust - confirm against the loader.
TOOLS_PACKAGE=mcp_server.tools
#------------------------------------------------------------------------------
# Circuit Breaker Configuration
#------------------------------------------------------------------------------
# Failure threshold before opening circuit
# NOTE(review): presumably a count of failures - confirm whether they must be
# consecutive.
MCP_CIRCUIT_BREAKER_FAILURE_THRESHOLD=5
# Recovery timeout (seconds)
MCP_CIRCUIT_BREAKER_RECOVERY_TIMEOUT=60
# Success threshold to close circuit from half-open
# With the value 1, one success in the half-open state closes the circuit.
MCP_CIRCUIT_BREAKER_HALF_OPEN_SUCCESS_THRESHOLD=1
#------------------------------------------------------------------------------
# Health Check Configuration
#------------------------------------------------------------------------------
# Health check interval (seconds)
MCP_HEALTH_CHECK_INTERVAL=30.0
# CPU usage threshold (percentage)
MCP_HEALTH_CPU_THRESHOLD=80.0
# Memory usage threshold (percentage)
MCP_HEALTH_MEMORY_THRESHOLD=80.0
# Disk usage threshold (percentage)
MCP_HEALTH_DISK_THRESHOLD=80.0
# Health check timeout (seconds)
MCP_HEALTH_TIMEOUT=10.0
# Dependencies to check (comma-separated Python packages)
# Example: MCP_HEALTH_DEPENDENCIES=psutil,prometheus_client
# Set to an empty value here, i.e. no dependencies are listed.
MCP_HEALTH_DEPENDENCIES=
#------------------------------------------------------------------------------
# Metrics Configuration
#------------------------------------------------------------------------------
# Enable metrics collection
MCP_METRICS_ENABLED=true
# Enable Prometheus metrics endpoint
# NOTE(review): confirm whether this endpoint requires authentication; if it
# does not, keep its port reachable only from the monitoring network.
MCP_METRICS_PROMETHEUS_ENABLED=true
# Prometheus metrics port
# A separate port from MCP_SERVER_PORT (8080); publish it in
# docker-compose.yml only if the scraper runs outside the Docker network.
MCP_METRICS_PROMETHEUS_PORT=9090
# Metrics collection interval (seconds)
MCP_METRICS_COLLECTION_INTERVAL=15.0
#------------------------------------------------------------------------------
# Logging Configuration
#------------------------------------------------------------------------------
# Log level: DEBUG, INFO, WARNING, ERROR, CRITICAL
# NOTE(review): confirm what DEBUG records (for example tool arguments and
# targets) before using it where logs are shared or shipped elsewhere.
LOG_LEVEL=INFO
# Log format
# The %(...)s fields follow Python logging format-string syntax.
# The value is unquoted and contains spaces; how that is read depends on the
# env-file parser, and sourcing this file from a shell would not preserve it.
LOG_FORMAT=%(asctime)s - %(name)s - %(levelname)s - %(message)s
# Log file path (optional, logs to stdout by default)
# MCP_LOGGING_FILE_PATH=/app/logs/mcp_server.log
# Maximum log file size (bytes)
# 10485760 bytes = 10 MiB
# NOTE(review): presumably only used when MCP_LOGGING_FILE_PATH is set, which
# it is not in this file - confirm.
MCP_LOGGING_MAX_FILE_SIZE=10485760
# Number of backup log files
MCP_LOGGING_BACKUP_COUNT=5
#------------------------------------------------------------------------------
# Database Configuration (if needed)
#------------------------------------------------------------------------------
# Database URL (PostgreSQL example)
# "user" and "password" below are placeholders. A real URL set here puts the
# database password into the container environment, where it can be read with
# docker inspect; in production supply it through Docker secrets or an
# external secret manager instead of this file.
# MCP_DATABASE_URL=postgresql://user:password@postgres:5432/mcp_db
# Connection pool settings
# MCP_DATABASE_POOL_SIZE=10
# MCP_DATABASE_MAX_OVERFLOW=20
# MCP_DATABASE_POOL_TIMEOUT=30
# MCP_DATABASE_POOL_RECYCLE=3600
#------------------------------------------------------------------------------
# Configuration File
#------------------------------------------------------------------------------
# Path to configuration file (YAML or JSON)
# Overrides environment variables if specified
# NOTE(review): the "Environment Variables vs. Config File" note at the end
# of this file says the opposite (environment variables override the config
# file). Confirm the real precedence, since it decides which source wins for
# settings such as MCP_SECURITY_ALLOW_INTRUSIVE.
# MCP_CONFIG_FILE=/app/config/config.yaml
# Configuration directory
# Relative path, resolved against the process working directory; the
# MCP_CONFIG_FILE example above uses the absolute /app/config instead.
MCP_CONFIG_DIR=./config
#------------------------------------------------------------------------------
# Resource Limits (for reference, set in docker-compose.yml)
#------------------------------------------------------------------------------
# These are enforced by Docker, not environment variables
# See docker-compose.yml deploy.resources section
# CPU limit: 2.0 cores
# Memory limit: 1GB
# Memory reservation: 256MB
#------------------------------------------------------------------------------
# Network Configuration
#------------------------------------------------------------------------------
# DNS servers (optional, comma-separated)
# The example values are public resolvers: names under .lab.internal would
# not resolve there, and lookups for internal hostnames would leave the
# network. Prefer the lab's own resolver when scanning internal names.
# MCP_DNS_SERVERS=8.8.8.8,8.8.4.4
#------------------------------------------------------------------------------
# Development Settings (docker-compose.override.yml)
#------------------------------------------------------------------------------
# These settings are typically overridden in docker-compose.override.yml
# for development environments
# Enable debug mode
# DEBUG=false
# Python optimizations
# PYTHONUNBUFFERED=1 makes stdout/stderr unbuffered, so log lines reach the
# container log stream without delay.
PYTHONUNBUFFERED=1
# PYTHONDONTWRITEBYTECODE=1 stops Python from writing .pyc files.
PYTHONDONTWRITEBYTECODE=1
#==============================================================================
# Environment-Specific Configurations
#==============================================================================
#------------------------------------------------------------------------------
# Production Example
#------------------------------------------------------------------------------
# MCP_SERVER_TRANSPORT=http
# MCP_SECURITY_ALLOW_INTRUSIVE=false
# LOG_LEVEL=INFO
# MCP_METRICS_ENABLED=true
# MCP_CIRCUIT_BREAKER_FAILURE_THRESHOLD=5
# MCP_HEALTH_CHECK_INTERVAL=30
#------------------------------------------------------------------------------
# Development Example
#------------------------------------------------------------------------------
# This example turns intrusive operations on while the HTTP transport is
# enabled: use it only on an isolated lab network, keep the server port
# unpublished or bound to localhost, and set MCP_SECURITY_ALLOWED_TARGETS
# to the lab scope.
# MCP_SERVER_TRANSPORT=http
# MCP_SECURITY_ALLOW_INTRUSIVE=true
# LOG_LEVEL=DEBUG
# MCP_METRICS_ENABLED=true
# MCP_CIRCUIT_BREAKER_RECOVERY_TIMEOUT=30
# MCP_HEALTH_CHECK_INTERVAL=15
#------------------------------------------------------------------------------
# Testing Example
#------------------------------------------------------------------------------
# This example also turns intrusive operations on; run tests only against
# targets you are authorised to scan and keep MCP_SECURITY_ALLOWED_TARGETS
# limited to them.
# MCP_SERVER_TRANSPORT=stdio
# MCP_SECURITY_ALLOW_INTRUSIVE=true
# LOG_LEVEL=DEBUG
# MCP_CIRCUIT_BREAKER_FAILURE_THRESHOLD=3
# MCP_TOOL_DEFAULT_TIMEOUT=60
#==============================================================================
# Security Notes
#==============================================================================
#
# Secrets Management:
# - Use Docker secrets or external secret management (Vault, AWS Secrets Manager)
# - Never commit .env file with real credentials
# - Rotate credentials regularly
# - Use least-privilege principle
#
# File Permissions:
# - chmod 600 .env (owner read/write only)
# - Store in secure location
# - Audit access regularly
#
# Environment Variables vs. Config File:
# - Environment variables: Dynamic, container-specific
# - Config file: Static, shared configuration
# - Environment variables override config file settings
#
#==============================================================================