Observe MCP Server

# Nginx reverse proxy configuration for Observe MCP Server # Optimized for MCP streamable-http protocol with /mcp endpoint # Deploy to: /etc/nginx/sites-available/your-domain.example.com # Symlink to: /etc/nginx/sites-enabled/your-domain.example.com # # OPTIONAL: To enable rate limiting and custom logging, add to /etc/nginx/nginx.conf # in the http {} block BEFORE including this file: # # # Rate limiting for MCP server # limit_req_zone $binary_remote_addr zone=mcp_limit:10m rate=100r/s; # # # Custom log format for MCP server # log_format mcp_access '$remote_addr - $remote_user [$time_local] ' # '"$request" $status $body_bytes_sent ' # '"$http_referer" "$http_user_agent" ' # 'rt=$request_time uct=$upstream_connect_time ' # 'uht=$upstream_header_time urt=$upstream_response_time'; # # Then uncomment the rate limiting lines in the location blocks below. # Upstream backend configuration with keepalive upstream mcp_backend { server localhost:8000; keepalive 32; # Maintain persistent connections } # Redirect HTTP to HTTPS server { listen 80; listen [::]:80; server_name your-domain.example.com; # Allow Let's Encrypt ACME challenge location /.well-known/acme-challenge/ { root /var/www/html; } # Redirect all other traffic to HTTPS location / { return 301 https://$server_name$request_uri; } } # HTTPS server server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name your-domain.example.com; # SSL certificate paths (configured by certbot) ssl_certificate /etc/letsencrypt/live/your-domain.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/your-domain.example.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/your-domain.example.com/chain.pem; # SSL configuration - Modern, secure settings ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_stapling on; ssl_stapling_verify on; # Security headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options DENY always; add_header X-Content-Type-Options nosniff always; add_header X-XSS-Protection "1; mode=block" always; # Logging access_log /var/log/nginx/your-domain.example.com.access.log; error_log /var/log/nginx/your-domain.example.com.error.log; # MCP endpoint - Primary interface for MCP protocol location /mcp { # Rate limiting (uncomment if you added limit_req_zone to nginx.conf) # limit_req zone=mcp_limit burst=200 nodelay; # Proxy to Docker container proxy_pass http://mcp_backend/mcp; # HTTP version - HTTP/1.1 or HTTP/2 both work with streamable-http proxy_http_version 1.1; # Connection handling for keepalive proxy_set_header Connection ""; # Preserve original request information proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; # CRITICAL: Pass through Authorization header for JWT authentication proxy_pass_request_headers on; # Reasonable timeouts for streamable-http proxy_connect_timeout 60s; proxy_send_timeout 300s; # 5 minutes proxy_read_timeout 300s; # 5 minutes # Buffering settings - moderate buffering for performance proxy_buffering on; proxy_buffer_size 4k; proxy_buffers 8 4k; proxy_busy_buffers_size 8k; # Large request support for OPAL queries and responses client_max_body_size 10M; proxy_max_temp_file_size 0; } # Health check endpoint (no rate limiting, no authentication) location /health { proxy_pass http://mcp_backend/health; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_connect_timeout 5s; proxy_send_timeout 5s; proxy_read_timeout 5s; access_log off; # Don't log health checks } # Root redirect to documentation or info page (optional) location = / { return 200 'Observe MCP Server - Use /mcp endpoint for MCP protocol, /health for health checks'; add_header Content-Type text/plain; } }