Commit graph

2 commits

Author SHA1 Message Date
DJP
5e1a88b53c Fix MCP 421: allow-list public host for DNS-rebinding protection
The MCP SDK ships with DNS-rebinding protection that 421s any request whose
Host header isn't in an allowlist (default: 127.0.0.1, localhost). Once
ProxyPreserveHost is On, Apache forwards the real Host (optical-dev.…) to
the container, which the SDK then rejects.

Two changes:
- email_server.py: pass TransportSecuritySettings(allowed_hosts=[...]) to
  FastMCP, sourced from PUBLIC_HOSTS env var (defaults to the optical-dev
  hostname)
- apache-mg-mcp.conf.tmpl: add ProxyPreserveHost On so the container sees
  the real hostname instead of 127.0.0.1:9080

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:35:26 -04:00
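
The Host check described in the commit message above, as an added example that is not the MCP SDK's code or this repository's: a standard-library sketch showing why the backend accepts the proxy-rewritten Host, rejects the preserved public Host until it is listed, and still rejects any other name. It assumes matching on hostname only, ignoring the port (the SDK's own matching rules are not shown on this page); `mcp.example.test`, `other.example.test` and all function names are constructed for illustration.

```python
import os

LOOPBACK_DEFAULTS = ("127.0.0.1", "localhost")  # defaults named in the commit message


def load_allowed_hosts(env=None):
    """Loopback defaults plus the comma-separated PUBLIC_HOSTS variable."""
    env = os.environ if env is None else env
    extra = (h.strip().lower() for h in env.get("PUBLIC_HOSTS", "").split(","))
    return set(LOOPBACK_DEFAULTS) | {h for h in extra if h}


def split_host_port(host_header):
    """Return (hostname, port or None) from a Host header value, lower-cased."""
    value = host_header.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal such as [::1]:9080
        name, close, rest = value.partition("]")
        if not close:  # malformed literal: leave it whole so it matches nothing
            return value, None
        port = rest[1:] if rest.startswith(":") and rest[1:].isdigit() else None
        return name + "]", port
    name, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return name, port
    return value, None


def check_host(host_header, allowed):
    """Status a Host-validating backend returns: 200 if listed, else 421."""
    if not host_header:
        return 421
    name, _port = split_host_port(host_header)  # assumption: port is not matched
    return 200 if name in allowed else 421


def demo():
    """Constructed cases: what the backend sees with ProxyPreserveHost Off vs On."""
    before = load_allowed_hosts({})  # PUBLIC_HOSTS unset, loopback names only
    after = load_allowed_hosts({"PUBLIC_HOSTS": "mcp.example.test"})
    return {
        "preserve_off": check_host("127.0.0.1:9080", before),  # proxy rewrote Host
        "preserve_on_unlisted": check_host("mcp.example.test", before),
        "preserve_on_listed": check_host("MCP.example.test:443", after),
        "unlisted_name": check_host("other.example.test:9080", after),
    }


if __name__ == "__main__":
    print(demo())
```

Listing exact hostnames in `PUBLIC_HOSTS` keeps the protection meaningful; a name that is not on the list still gets a 421 after the change.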
DJP
e463c27663 Initial mg-mcp: Mailgun MCP server (Streamable HTTPS) for optical-dev
Containerized FastAPI + FastMCP server exposing send_email tool, backed
by Mailgun (mg.oliver.solutions). Bearer-token auth. Deployable to
/opt/mg-mcp/ on optical-dev.oliver.solutions behind the shared Apache vhost,
following the same pattern as adeo-maturity-tool / oliver-sales-ops-platform.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:05:38 -04:00