Infrastructure MCP Server
Provides tools for managing Cloudflare zones, DNS records, and security/performance settings, including onboarding domains with automated protection suite.
Provides tools for listing domains, retrieving DNS records, and managing nameservers, enabling domain migration and orchestration.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Infrastructure MCP Serveronboard example.com with automatic DNS migration and security hardening"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Infrastructure MCP Server
An MCP (Model Context Protocol) server and interactive terminal UI that orchestrates Cloudflare, Namecheap, and Fleet from a single interface. One command to onboard a domain — zone creation, DNS migration, nameserver cutover, and 30+ security hardening settings applied automatically. All free-tier compatible.
Two ways to use it:
With AI — 12 MCP tools for Claude Code or any MCP-compatible LLM client
Without AI — interactive terminal UI (Ink/React) with dashboard, wizards, and auditing
What happens when you onboard a domain
1. Creates Cloudflare zone OK Zone created
2. Fetches all DNS records from Namecheap OK 16 records found
3. Migrates records to Cloudflare (with retry) OK 16/16 migrated
4. Updates nameservers at Namecheap OK NS switched
5. Applies 30+ protection settings:
|-- SSL strict + HSTS preload (1 year) OK SSL/TLS hardened
|-- TLS 1.3 + 0-RTT + min TLS 1.2 OK Transport secured
|-- Bot Fight Mode + JS detection + AI blocking OK Bots blocked
|-- Free WAF Managed Ruleset deployed OK WAF active
|-- DNSSEC enabled OK DNS authenticated
|-- Managed transforms (strip X-Powered-By, OK Headers hardened
| add security headers, visitor geolocation)
|-- URL normalization OK Path canonicalized
|-- Brotli + HTTP/3 + Early Hints OK Speed optimized
'-- Aggressive caching + 4hr browser TTL OK Cache configured
Total: ~30 settings in <60 secondsEvery free-tier Cloudflare feature that improves security or performance — enabled, configured, and verified. No dashboard clicking, no missed settings, no "I'll do DNSSEC later."
Interactive TUI
Don't want to use an AI agent? The TUI gives you the same capabilities in a keyboard-driven terminal interface.
infrastructure-tui
Infrastructure MCP v1.2.0 q quit s settings ? help
---------------------------------------------------------------------
Cloudflare Zones
+---------------------------+----------+----------+------------+----------+
| Domain | Status | Records | Protection | SSL |
+---------------------------+----------+----------+------------+----------+
| matthesketh.pro | * active | 16 | all ok | strict |
| abmanandvan.co.uk | * active | 3 | all ok | strict |
| hostclaw.app | * active | 4 | all ok | strict |
+---------------------------+----------+----------+------------+----------+
Fleet Apps
8 root domains, 19 total endpoints
up/dn select Enter details o onboard a audit all r refreshFeatures:
Dashboard-first interface — see all zones and Fleet apps at a glance
Domain onboarding wizard with confirmation before destructive actions
Zone detail view with DNS records and full protection audit
Bulk protection audit across all zones
Setup wizard that adapts to your experience level — encourages source code review for learners
Install from npm:
npx infrastructure-tuiOr install globally:
npm install -g infrastructure-tui
infrastructure-tuiFrom source:
cd tui && npm install && npm startFirst run? Add --setup to configure credentials:
npx infrastructure-tui --setupHow it works
graph TD
AI[Claude Code / LLM Client]
TUI[Terminal UI - Ink/React]
AI -->|MCP stdio| Server
TUI -->|MCP stdio| Server
subgraph Server[Infrastructure MCP Server - Java 21]
Fleet[Fleet Client]
Namecheap[Namecheap Client]
Cloudflare[Cloudflare REST Client]
end
Fleet --> FleetAPI[Fleet Registry + CLI]
Namecheap --> NCAPI[api.namecheap.com]
Cloudflare --> CFAPI[api.cloudflare.com]The TUI and AI clients both communicate with the same Java MCP server over stdio. All business logic — API calls, rate limiting, retry logic, credential handling — lives in the server. The TUI is a thin presentation layer with zero API duplication.
Why this exists
Managing infrastructure across multiple providers means context-switching between dashboards, remembering different APIs, and running through the same checklist every time you onboard a domain. This project collapses that workflow into either a conversation or a terminal interface.
For AI usage: MCP gives you implicit security through human-in-the-loop approval. Destructive tools are annotated with destructiveHint: true, so the client gates them behind explicit approval.
For TUI usage: Every destructive action requires y/n confirmation. The setup wizard encourages users to review the source code before entering credentials.
For both: Content sanitization wraps untrusted DNS data in boundary markers to prevent prompt injection.
Full protection suite
Every setting below is applied automatically during onboarding. All are Cloudflare free-tier compatible.
SSL/TLS
Setting | Value | Why |
SSL mode | Strict | Validates origin certificate, prevents MITM |
Always Use HTTPS | On | 301 redirects all HTTP to HTTPS |
Automatic HTTPS Rewrites | On | Fixes mixed content in page source |
TLS 1.3 + 0-RTT | On | Fastest, most secure TLS with zero round-trip resumption |
Minimum TLS Version | 1.2 | Rejects legacy TLS 1.0/1.1 connections |
HSTS | 1 year, preload, includeSubDomains, nosniff | Eligible for browser HSTS preload lists |
Security & WAF
Setting | Value | Why |
Security Level | Medium | Challenges suspicious visitors via Cloudflare threat score |
Browser Integrity Check | On | Blocks requests with missing or suspicious UA headers |
Challenge TTL | 30 minutes | Balance between security and user friction |
Bot Fight Mode | On + JS detection | Challenges known bots with JS challenge |
AI Bot Blocking | Block | Blocks AI scrapers (GPTBot, CCBot, etc.) |
Free WAF Managed Ruleset | Deployed | Cloudflare's curated WAF rules for common vulnerabilities |
DDoS Protection | Always-on | Automatic L3/L4/L7 DDoS mitigation |
DNSSEC | Enabled | Cryptographically signs DNS responses |
Privacy Pass | On | Reduces challenge frequency for Privacy Pass token holders |
Scrape Shield
Setting | Value | Why |
Email Obfuscation | On | Hides email addresses from scrapers |
Server Side Excludes | On | Hides |
Hotlink Protection | On | Blocks image hotlinking from other domains |
Managed Transforms
Transform | Direction | Effect |
Remove X-Powered-By | Response | Strips server technology fingerprint |
Add Security Headers | Response | Adds CSP, X-Frame-Options, X-XSS-Protection |
Add Visitor Location | Request | Adds CF-IPCountry, lat/lon to origin requests |
Speed & Optimization
Setting | Value | Why |
Brotli Compression | On | Smaller responses, faster page loads |
HTTP/3 (QUIC) | On | Faster connections, especially on mobile |
Early Hints (103) | On | Preload assets before main response |
IP Geolocation | On | CF-IPCountry header for geo-aware apps |
URL Normalization | Cloudflare, incoming | Canonicalizes URL paths to prevent cache poisoning |
Caching & Network
Setting | Value | Why |
Cache Level | Aggressive | Caches static content, ignores query strings |
Browser Cache TTL | 4 hours | Reduces origin load without stale content risk |
Always Online | On | Serves cached version if origin is down |
IPv6 | On | Full IPv6 support on proxied records |
WebSockets | On | WebSocket proxying for real-time apps |
Opportunistic Encryption | On | Advertises HTTPS via Alt-Svc header |
Onion Routing | On | Cloudflare .onion service for Tor users |
0-RTT | On | TLS session resumption without round trip |
MCP Tools
Fleet
Tool | Type | Description |
| read | List all applications in the Fleet registry |
| write | Execute a Fleet CLI command |
| read | List all domains across Fleet-registered apps |
Namecheap
Tool | Type | Description |
| read | List domains registered at Namecheap |
| read | Get DNS host records for a domain |
| read | Get nameserver configuration for a domain |
Cloudflare
Tool | Type | Description |
| read | List all Cloudflare zones in the account |
| read | Get DNS records for a Cloudflare zone |
| read | Audit security and performance settings |
Orchestration
Tool | Type | Description |
| write | Full domain onboarding: CF zone + DNS migration + NS update + 30+ protection settings |
| write | Migrate DNS records from Namecheap to an existing Cloudflare zone |
| write | Apply Cloudflare security and performance settings |
Quick start
Prerequisites
Java 21+ (for the MCP server)
Node 20+ (for the TUI, optional)
Maven 3.9+ (build only)
1. Build
git clone https://github.com/wrxck/infrastructure-mcp.git
cd infrastructure-mcp
# Install library dependencies (required until published to Maven Central)
git clone https://github.com/wrxck/namecheap-mcp.git /tmp/namecheap-mcp
cd /tmp/namecheap-mcp && mvn install -DskipTests -q && cd -
git clone https://github.com/wrxck/cloudflare-mcp.git /tmp/cloudflare-mcp
cd /tmp/cloudflare-mcp && mvn install -DskipTests -q && cd -
# Build MCP server
mvn clean package
# Build TUI (optional)
cd tui && npm install && cd ..2. Setup
Option A: Interactive TUI setup (recommended for new users)
npx infrastructure-tui --setupThe wizard adapts to your experience level and guides you through entering credentials.
Option B: MCP server setup wizard
java -jar target/infrastructure-mcp-*.jar --setupOption C: Manual — add to ~/.claude.json:
{
"mcpServers": {
"infrastructure-mcp": {
"command": "java",
"args": ["-jar", "/path/to/infrastructure-mcp-1.2.0.jar"],
"env": {
"CLOUDFLARE_API_KEY": "your-global-api-key",
"CLOUDFLARE_EMAIL": "your-cloudflare-email",
"CLOUDFLARE_ACCOUNT_ID": "your-account-id",
"NAMECHEAP_API_USER": "your-username",
"NAMECHEAP_API_KEY": "your-api-key",
"NAMECHEAP_CLIENT_IP": "your-ip"
}
}
}
}3. Use
With AI (Claude Code):
> Onboard example.com to Cloudflare with full protection
> List all my Cloudflare zones and check their protection status
> Migrate DNS from Namecheap to Cloudflare for example.co.ukWith TUI:
npx infrastructure-tuiDNS migration
The migrate_dns tool automatically converts Namecheap DNS records to Cloudflare format:
A, AAAA, CNAME records are proxied through Cloudflare (orange cloud) by default
MX, TXT, SRV, NS, CAA records are never proxied (DNS only)
Mail-related hostnames (mail, smtp, imap, pop, autodiscover, etc.) are never proxied
URL redirect and frame records are skipped (not supported by Cloudflare API)
Multi-part TLDs (co.uk, com.au, co.nz, etc.) are handled correctly
Automatic retry — up to 3 attempts with backoff on transient 403 errors (new zone propagation)
Configuration
Cloudflare authentication
Method | Variables | Header |
Global API Key (recommended) |
|
|
Scoped API Token |
|
|
If both are set, Global API Key takes priority.
All environment variables
Variable | Required | Default | Description |
| * | — | Cloudflare Global API Key |
| * | — | Cloudflare account email |
| * | — | Cloudflare scoped API token |
| Yes | — | Cloudflare account ID |
| Yes | — | Namecheap API username |
| Yes | — | Namecheap API key |
| Yes | — | Whitelisted IP for Namecheap API |
| No |
| Fleet app registry path |
| No |
| Fleet CLI binary path |
* Provide either CLOUDFLARE_API_KEY + CLOUDFLARE_EMAIL or CLOUDFLARE_API_TOKEN.
TUI configuration
The TUI loads config from ~/.infrastructure-mcp.json first, falling back to ~/.claude.json. Config files are written with 0600 permissions (owner read/write only).
Security
Config file permissions —
~/.infrastructure-mcp.jsonis written with mode0600to protect credentialsContent sanitization — DNS record data is wrapped in boundary markers to prevent prompt injection
Rate limiting — sliding window rate limiters enforce Cloudflare (240/min) and Namecheap (20/min) API limits
Human-in-the-loop — destructive tools annotated with
destructiveHint: true; TUI requires y/n confirmationProcess cleanup — TUI kills the Java subprocess on SIGINT/SIGTERM/exit to prevent orphan processes
JAR validation — TUI validates the JAR path before spawning the subprocess
Domain validation — onboard wizard validates domain format before submission
No credentials in output — API tokens are never included in tool responses or console output
Source code review — setup wizard encourages users to review the code before entering credentials
Documentation
Full documentation: infrastructure-mcp.hesketh.pro
Building and testing
# MCP server (Java)
mvn clean verify # 73 tests
# TUI (TypeScript)
cd tui && npm test # 53 testsTotal: 126 tests across both components.
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/wrxck/infrastructure-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server