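# Caddy configuration example for TRUF.NETWORK MCP Server with SSE transport
#
# Caddy automatically handles many SSE requirements, making configuration simpler
# compared to other reverse proxies.
#
# Usage:
# 1. Copy this file to your Caddy configuration directory
# 2. Update domain name and backend address
# 3. Test: caddy validate --config Caddyfile
# 4. Reload: caddy reload --config Caddyfile

# Global options. Caddy only accepts a global options block as the very first
# block in the Caddyfile, so it stays above every site block (placing it at the
# end makes `caddy validate` fail).
{
	# Email for Let's Encrypt (update with your email)
	email admin@your-domain.com

	# Optional: Enable admin API. The admin API can replace the running
	# configuration, so keep it bound to loopback only.
	admin localhost:2019

	# Logging
	log {
		level INFO
	}

	# ACME CA for certificates (default is Let's Encrypt production)
	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory # staging
}

# Production HTTPS configuration with automatic TLS
mcp.your-domain.com {
	# MCP Server SSE endpoint.
	# Only /sse/* is forwarded to the backend. If your MCP server's message-post
	# endpoint lives under a different path, add a matching reverse_proxy for it;
	# requests to unmatched paths are not forwarded.
	reverse_proxy /sse/* localhost:8000 {
		# Caddy handles SSE automatically, but these settings ensure optimal performance
		flush_interval -1

		# Headers
		header_up Host {http.reverse_proxy.upstream.hostport}
		# {http.request.remote} is "ip:port"; the .host placeholder is the bare
		# client IP, which is what X-Real-IP consumers expect
		header_up X-Real-IP {http.request.remote.host}
		header_up X-Forwarded-Proto {http.request.scheme}
		header_up X-Forwarded-Port {http.request.port}

		# Optional: Health checks (the backend must serve this path)
		health_uri /health
		health_interval 30s
		health_timeout 5s
	}

	# Security headers (applied to every response from this site)
	header {
		X-Frame-Options DENY
		X-Content-Type-Options nosniff
		X-XSS-Protection "1; mode=block"
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		Referrer-Policy "strict-origin-when-cross-origin"

		# CORS headers for browser-based clients (optional).
		# Set the exact origin of your browser client (example value below). A "*"
		# wildcard lets any web page a visitor opens read responses from this
		# server, which matters whenever the backend does not itself require
		# authentication. Remove these three headers if no browser client exists.
		Access-Control-Allow-Origin "https://app.your-domain.com"
		Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
		Access-Control-Allow-Methods "GET, POST, OPTIONS"
	}

	# Handle preflight requests
	@options method OPTIONS
	respond @options 204

	# Rate limiting (optional; requires a Caddy plugin such as mholt/caddy-ratelimit)
	# rate_limit {
	#	zone static
	#	key {remote}
	#	events 10
	#	window 1m
	# }

	# Access control (optional) - restrict to trusted networks
	# @denied not remote_ip 192.168.1.0/24 10.0.0.0/8
	# respond @denied 403

	# Logging. Access logs record request headers, so the Authorization header
	# is dropped to keep bearer tokens out of the log file on disk
	# (the filter encoder requires Caddy 2.5 or newer).
	log {
		output file /var/log/caddy/mcp-access.log
		format filter {
			wrap json
			fields {
				request>headers>Authorization delete
			}
		}
	}

	# Error handling
	handle_errors {
		respond "MCP Server Error: {http.error.status_code}" {http.error.status_code}
	}
}

# Development configuration (HTTP only)
# mcp-dev.your-domain.com:80 {
#	reverse_proxy /sse/* localhost:8000 {
#		flush_interval -1
#		header_up Host {http.reverse_proxy.upstream.hostport}
#	}
# }

# Advanced configuration with load balancing (for high availability)
# mcp-ha.your-domain.com {
#	reverse_proxy /sse/* {
#		to localhost:8000
#		to localhost:8001
#		to localhost:8002
#
#		lb_policy least_conn
#		health_uri /health
#		health_interval 10s
#
#		flush_interval -1
#		header_up Host {http.reverse_proxy.upstream.hostport}
#	}
# }

# Example with custom TLS certificates
# mcp-custom-tls.your-domain.com {
#	tls /path/to/cert.pem /path/to/key.pem
#
#	reverse_proxy /sse/* localhost:8000 {
#		flush_interval -1
#		header_up Host {http.reverse_proxy.upstream.hostport}
#	}
# }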