swag-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@swag-mcpcreate a proxy config for service1.local"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
SWAG MCP
MCP server for managing SWAG reverse-proxy configuration files, backups, logs, and health checks. Uses a single swag action router backed by local filesystem or SSH-accessible SWAG config storage.
Overview
SWAG MCP generates and manages nginx subdomain proxy configurations for SWAG (Secure Web Application Gateway). Every generated config includes MCP-compatible security headers unconditionally, making configs suitable for both standard web services and MCP/AI services.
Related MCP server: Fleet
What this repository ships
swag_mcp/: server, config, middleware, models, services, tools, and templatesconfig/: local config and test assetsdocs/: template notes, test commands, and design records.claude-plugin/,.codex-plugin/,gemini-extension.json: client manifestsdocker-compose.yaml,Dockerfile,entrypoint.sh: container deployment
MCP surface
Tool
Tool | Purpose |
| Unified action router for config, logs, backups, and health checks |
| Return help for the SWAG MCP server — lists all available actions and sub-actions |
Actions
Action | Purpose | Required params |
| List config files | none |
| Create a new reverse-proxy config |
|
| View config contents |
|
| Replace config contents |
|
| Update a specific field |
|
| Remove a config |
|
| Read SWAG logs | none |
| List or clean up backup files |
|
| Probe a service endpoint |
|
Resources
URI | Type | Description |
| Directory | All active |
| Stream | Real-time config change events |
| Stream | Real-time health status for monitored services |
| Stream | Live nginx error log tail |
Installation
Plugin (recommended)
Install as a Claude Code plugin. You will be prompted for:
SWAG Proxy Configs Path -- local path to proxy-confs directory
SWAG MCP Server URL -- base URL of the running HTTP server
SWAG MCP API Token -- bearer token for the HTTP server
The plugin connects to the server's native streamable-HTTP endpoint.
/plugin marketplace add jmagar/claude-homelab
/plugin install swag-mcp @jmagar-claude-homelabThe plugin uses native HTTP transport and appends /mcp to the configured server URL.
Docker Compose
cp .env.example .env
chmod 600 .env
# Edit .env with your paths and token
docker compose up -dThe container always runs on internal port 8000. Compose publishes it on
127.0.0.1:49152 by default; set SWAG_MCP_PORT to control the host port and
SWAG_MCP_BIND_ADDRESS only when you intentionally expose it beyond loopback.
Local development
just setup # copies .env.example and runs uv sync
just dev # starts the serverConfiguration
Two deployment paths are supported:
Path | Transport | Credentials | Auth |
Plugin (HTTP) | http |
| Bearer token |
Docker (HTTP) | http |
| Bearer token |
See docs/CONFIG.md for full variable reference. All variables use the SWAG_MCP_ prefix.
Core
Variable | Required | Default | Description |
| no |
| Local path to SWAG proxy confs directory |
| no | `` | Overrides |
| no |
| Base path for SWAG log files (local or remote) |
| no |
| Path to Jinja2 templates directory |
Server
Variable | Required | Default | Description |
| no |
| Bind address for the MCP server |
| no |
| Docker host bind address for the published MCP port |
| no |
| Host-side port (Docker only; container always uses 8000) |
| recommended | `` | Bearer token enforced by FastMCP for direct MCP server access |
| no |
| Set |
Defaults
Variable | Required | Default | Description |
| no |
| Web endpoint auth method used when |
| no |
| QUIC default for new configs |
Backups
Variable | Required | Default | Description |
| no |
| Days to keep backup files. Cleanup runs at startup and on |
Logging
Variable | Required | Default | Description |
| no |
|
|
| no |
| Directory for rotating log files |
| no |
| Write logs to files in addition to stdout |
| no |
| Max log file size before rotation (10 MB) |
| no |
| Emit JSON structured logs |
| no |
| Include request/response bodies in logs |
| no |
| Max payload length when |
Performance
Variable | Required | Default | Description |
| no |
| Log a warning when any operation exceeds this threshold |
| no |
| Automatically retry failed operations |
| no |
| Max retry attempts |
Health checks
Variable | Required | Default | Description |
| no |
| Skip SSL verification for health probes. Not recommended for production. |
Rate limiting
Variable | Required | Default | Description |
| no |
| Enable the rate-limiting middleware |
| no |
| Sustained requests per second |
| no |
| Burst capacity above the RPS limit |
Authentication methods
Pass auth_method to create to control which SWAG auth snippet the config includes. The default is set by SWAG_MCP_DEFAULT_WEB_AUTH_METHOD.
Method | When to use |
| Public services, or services behind an external SSO not managed by SWAG |
| Simple HTTP basic auth. Credentials managed by SWAG. |
| LDAP/Active Directory authentication via SWAG's built-in LDAP support |
| Self-hosted SSO with 2FA. Most common for homelab services. |
| Self-hosted identity provider with rich policy engine |
| Lightweight single-user auth for internal tools |
| OAuth 2.1 gateway ( |
none exposes the service without authentication. Only use it if access is restricted at the network or proxy layer.
Template system
All configs are generated from a single Jinja2 template: templates/mcp.subdomain.conf.j2. Only subdomain-style configs are supported (service.domain.tld).
Template variables
Variable | Type | Required | Description |
| string | yes | Derived from |
| string | yes | Domain name (e.g., |
| string | yes | Container name or IP for the main service |
| integer | yes | Port the main service listens on |
| string | yes |
|
| string | no | Container name or IP for the MCP endpoint. Defaults to |
| integer | no | Port for the MCP endpoint. Defaults to |
| string | no | Protocol for the MCP endpoint. Defaults to |
| string | yes | One of the auth methods listed above |
| boolean | yes | Add |
MCP security headers
These headers are included unconditionally in every generated config, regardless of auth method:
Header | Value | Purpose |
|
| Advertises the MCP protocol version |
|
| Limits referrer leakage |
DNS rebinding protection is also applied unconditionally. The origin_valid variable is set to 1 only for empty origins, https://$server_name, localhost variants, and *.anthropic.com / *.claude.ai origins. Requests to /mcp with an invalid origin receive a 403 JSON error.
Split routing
Split routing sends the main application traffic to one upstream and MCP traffic to a different upstream. Use it when your MCP/AI service runs on a separate container or host (e.g., a GPU server).
Without split routing, both / and /mcp proxy to the same upstream_app:upstream_port.
With split routing:
/and/health→upstream_app:upstream_port/mcpand/session→mcp_upstream_app:mcp_upstream_port
Example: Jellyfin with a separate AI backend
action=create
config_name=jellyfin.subdomain.conf
server_name=jellyfin.example.com
upstream_app=jellyfin
upstream_port=8096
upstream_proto=http
mcp_upstream_app=ai-gpu-server
mcp_upstream_port=8080
mcp_upstream_proto=http
auth_method=autheliaThis generates:
location /→http://jellyfin:8096(protected by Authelia)location /mcp→http://ai-gpu-server:8080(protected by OAuth verify)location /health→http://jellyfin:8096(no auth, for health probes)
If mcp_upstream_app is omitted, all three locations proxy to jellyfin:8096.
SSH / remote configuration
Set SWAG_MCP_PROXY_CONFS_URI to manage configs on a remote SWAG host over SSH.
Supported URI formats:
# Default key, default port 22
SWAG_MCP_PROXY_CONFS_URI=swag-server:/mnt/appdata/swag/nginx/proxy-confs
# Explicit user
SWAG_MCP_PROXY_CONFS_URI=admin@swag-server:/mnt/appdata/swag/nginx/proxy-confs
# Explicit user and port
SWAG_MCP_PROXY_CONFS_URI=admin@swag-server:2222:/mnt/appdata/swag/nginx/proxy-confsRequirements:
SSH key-based (passwordless) access to the remote host
Mount an app-specific SSH directory with only the needed key, config, and
known_hostsentries into the container (seeSWAG_MCP_SSH_HOST_PATHin.env.example)SWAG_MCP_SWAG_LOG_BASE_PATHshould point to the log base path on the same remote host
When SWAG_MCP_PROXY_CONFS_URI is set it takes precedence over SWAG_MCP_PROXY_CONFS_PATH.
Usage examples
List
swag action=list
swag action=list list_filter=active
swag action=list list_filter=samples query=plex offset=0 limit=20list_filter accepts all (default), active (.conf files only), or samples (.conf.sample files only).
Create
swag action=create
config_name=jellyfin.subdomain.conf
server_name=jellyfin.example.com
upstream_app=jellyfin
upstream_port=8096After creation, a health check runs automatically against server_name.
View
swag action=view config_name=jellyfin.subdomain.confEdit
Replaces the full file content:
swag action=edit
config_name=jellyfin.subdomain.conf
new_content="..."
create_backup=trueUpdate
Updates a single field in place:
swag action=update config_name=jellyfin.subdomain.conf update_field=port update_value=8097
swag action=update config_name=jellyfin.subdomain.conf update_field=upstream update_value=jellyfin-new
swag action=update config_name=jellyfin.subdomain.conf update_field=app update_value=jellyfin:8097
swag action=update config_name=jellyfin.subdomain.conf update_field=add_mcp update_value=/mcpupdate_field options:
Value |
| Effect |
| port number | Updates |
| container name | Updates |
|
| Updates both |
| path (e.g., | Injects an MCP location block into the config |
After an update, a health check runs automatically.
Remove
swag action=remove config_name=jellyfin.subdomain.conf
swag action=remove config_name=jellyfin.subdomain.conf create_backup=falseLogs
swag action=logs log_type=nginx-error lines=100
swag action=logs log_type=nginx-access lines=50
swag action=logs log_type=fail2ban lines=200Log types and format
| Source file | Format |
|
| Combined nginx access log: IP, timestamp, method, path, status, bytes, referrer, user-agent |
|
| Nginx error format: timestamp, level, PID, message |
|
| fail2ban log: timestamp, level, jail name, action, IP |
|
| Certbot output: certificate request, renewal, errors |
|
| Periodic renewal cron output |
lines accepts 1–1000 (default 50).
Backups
swag action=backups backup_action=list
swag action=backups backup_action=cleanup retention_days=7
swag action=backups backup_action=cleanup retention_days=0backup_action=cleanup removes backup files older than retention_days. Pass retention_days=0 to use the server default (SWAG_MCP_BACKUP_RETENTION_DAYS).
Backup files are named <original>.backup.<timestamp>. They are created automatically before any edit, update, or remove operation when create_backup=true (the default).
Cleanup also runs at server startup. The startup cleanup uses SWAG_MCP_BACKUP_RETENTION_DAYS.
Health check
swag action=health_check domain=jellyfin.example.com
swag action=health_check domain=jellyfin.example.com timeout=10 follow_redirects=falseResponse fields
Field | Type | Description |
| boolean |
|
| string | Domain that was checked |
| integer or null | HTTP status code returned |
| integer or null | Round-trip time in milliseconds |
| string or null | Error message if the probe failed |
| array | Per-endpoint probe attempts with URL, success flag, status, timing, and error detail |
timeout accepts 1–300 seconds (default 30). The server adds a 10-second buffer on top of timeout for its own wait.
SSL certificate verification can be disabled globally with SWAG_MCP_HEALTH_CHECK_INSECURE=true.
Development commands
just setup # copy .env.example and install dependencies
just dev # start the server with uv
just lint # ruff check
just fmt # ruff format
just typecheck # ty check
just test # pytest
just build # build a local swag-mcp image for manual testing
just up # docker compose up -d
just down # docker compose down
just logs # docker compose logs -f
just health # curl http://127.0.0.1:${SWAG_MCP_PORT:-49152}/health | jq
just gen-token # generate a random bearer tokenOperations
The Docker service publishes 127.0.0.1:49152 by default. Keep production MCP
ports on high-numbered, documented ports and run just preflight before
deployment to validate the external Docker network and selected host port.
Operational failure signals include Docker health becoming unhealthy, repeated tool error responses, timeout messages for create/edit/update/log operations, slow-operation warnings, health-check failures for known-good domains, and nginx error log spikes. Use docs/mcp/LOGS.md for signal triage and docs/mcp/DEPLOY.md for rollback and restore.
Backups are created before destructive edits, updates, and removals. To restore,
list backups with swag(action="backups", backup_action="list"), copy the
chosen backup content back with swag(action="edit", create_backup=true),
validate nginx syntax, reload SWAG, and record the restore in
docs/deployment-log.md.
Verification
just lint
just typecheck
just testCheck the server health endpoint:
just health
# {"status": "healthy", "service": "swag-mcp", "version": "1.1.6"}The /health endpoint is also used by the Docker HEALTHCHECK directive. It always returns:
Field | Value |
|
|
|
|
| Package version from |
Related plugins
Plugin | Category | Description |
core | Core agents, commands, skills, and setup/health workflows for homelab management. | |
media | Search movies and TV shows, submit requests, and monitor failed requests via Overseerr. | |
infrastructure | Query, monitor, and manage Unraid servers: Docker, VMs, array, parity, and live telemetry. | |
infrastructure | Monitor and manage UniFi devices, clients, firewall rules, and network health. | |
utilities | Send and manage push notifications via a self-hosted Gotify server. | |
infrastructure | Docker management (Flux) and SSH remote operations (Scout) across homelab hosts. | |
infrastructure | Manage Docker environments, containers, images, volumes, networks, and GitOps via Arcane. | |
infrastructure | Receive, index, and search syslog streams from all homelab hosts via SQLite FTS5. | |
dev-tools | Scaffold, review, align, and deploy homelab MCP plugins with agents and canonical templates. |
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/jmagar/swag-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server