The MCP SDK ships with DNS-rebinding protection that 421s any request whose
Host header isn't in an allowlist (default: 127.0.0.1, localhost). Once
ProxyPreserveHost is On, Apache forwards the real Host (optical-dev.…) to
the container, which the SDK then rejects.

Two changes:
- email_server.py: pass TransportSecuritySettings(allowed_hosts=[...]) to
  FastMCP, sourced from PUBLIC_HOSTS env var (defaults to the optical-dev
  hostname)
- apache-mg-mcp.conf.tmpl: add ProxyPreserveHost On so the container sees
  the real hostname instead of 127.0.0.1:9080

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
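
Added example, not part of the commit and not the MCP SDK's own code: a stdlib-only model of the Host allowlist gate the message describes, showing why the default allowlist answers 421 once the proxy forwards the public Host. Assumptions: `mcp.example.test` is a placeholder hostname, `PUBLIC_HOSTS` is taken to be comma-separated, and the port is ignored when matching.

```python
import os

# Defaults named in the commit message.
DEFAULT_ALLOWED = ["127.0.0.1", "localhost"]

def allowed_hosts_from_env(env=os.environ, default="mcp.example.test"):
    """Build the allowlist from PUBLIC_HOSTS (comma-separated: an assumption).

    The default is a placeholder, not the project's real hostname."""
    raw = env.get("PUBLIC_HOSTS", default)
    public = [h.strip().lower() for h in raw.split(",") if h.strip()]
    return DEFAULT_ALLOWED + public

def split_host(header):
    """Split a Host header into (host, port or None); (None, None) if malformed."""
    header = header.strip().lower()
    if header.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:9080
        end = header.find("]")
        if end == -1:
            return None, None
        host, rest = header[:end + 1], header[end + 1:]
        if rest == "":
            return host, None
        if rest.startswith(":") and rest[1:].isdigit():
            return host, rest[1:]
        return None, None
    host, sep, port = header.partition(":")
    if sep and not port.isdigit():
        return None, None
    return host, (port or None)

def check_host(header, allowed):
    """Return 200 when the Host is allowlisted, 421 otherwise.

    Exact hostname match only: no suffix or substring matching, so a name
    such as localhost.rebind.example.net does not pass as localhost."""
    if not header:
        return 421
    host, _port = split_host(header)
    return 200 if host and host in allowed else 421

if __name__ == "__main__":
    configured = allowed_hosts_from_env({"PUBLIC_HOSTS": "mcp.example.test"})
    cases = [("127.0.0.1:9080", DEFAULT_ALLOWED),    # proxy rewrites Host
             ("mcp.example.test", DEFAULT_ALLOWED),  # ProxyPreserveHost On, defaults
             ("mcp.example.test", configured),       # after the allowlist change
             ("rebind.example.net", configured)]     # unlisted name stays rejected
    for header, allowed in cases:
        print(header, allowed, check_host(header, allowed))
```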