The MCP SDK ships with DNS-rebinding protection that 421s any request whose Host header isn't in an allowlist (default: 127.0.0.1, localhost). Once ProxyPreserveHost is On, Apache forwards the real Host (optical-dev.…) to the container, which the SDK then rejects.

Two changes:
- email_server.py: pass TransportSecuritySettings(allowed_hosts=[...]) to FastMCP, sourced from PUBLIC_HOSTS env var (defaults to the optical-dev hostname)
- apache-mg-mcp.conf.tmpl: add ProxyPreserveHost On so the container sees the real hostname instead of 127.0.0.1:9080

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
21 lines
890 B
Text
# Copy to .env on the server and fill in real values.
# .env is gitignored.

# --- Mailgun (already provisioned at mg.oliver.solutions) ---
MAILGUN_API_KEY=replace-with-private-mailgun-api-key
MAILGUN_DOMAIN=mg.oliver.solutions
MAILGUN_FROM=noreply@mg.oliver.solutions

# --- MCP server bearer token ---
# Generate with: openssl rand -hex 32
# This is the API key clients (LibreChat, etc.) put in their connector config.
MCP_BEARER_KEY=replace-with-strong-random-secret

# --- Host port (managed by deploy/deploy.sh — leave blank on first run) ---
MG_MCP_PORT=

# --- Public hostnames (comma-separated) the server is reachable as ---
# Required for the MCP SDK's DNS-rebinding protection to accept requests
# from Apache once ProxyPreserveHost is on. Default already covers
# optical-dev.oliver.solutions; override only if deploying elsewhere.
# PUBLIC_HOSTS=optical-dev.oliver.solutions
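Review bot: The PUBLIC_HOSTS comment block at the end of the file does not say whether a value set here replaces the allowlist or is added to it. The commit message gives the SDK default as 127.0.0.1 and localhost, so an operator who overrides PUBLIC_HOSTS for another deployment cannot tell from this file whether requests addressed to localhost keep working or start getting 421. Suggest stating that in the comment, along with whether whitespace around the commas is tolerated, and keeping the guidance that the list should hold only the hostnames the server is actually reached as, so the Host check stays narrow.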