bryan/nixos
0
0
Fork 0
mirror of https://github.com/itme-brain/nixos.git synced 2026-05-08 14:50:12 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

back

Browse source
This commit is contained in:
Bryan Ramos 2026-04-20 01:21:19 -04:00
parent 89768a9e0b
commit 2805b2aa2d
1 changed files with 2 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

33
system/machines/server/modules/nginx/default.nix
View file

@ -78,13 +78,6 @@ in
recommendedGzipSettings = true;
eventsConfig = "worker_connections 4096;";
# CORS origin allowlist for MCP servers
commonHttpConfig = ''
map $http_origin $mcp_cors_origin {
default "";
"https://ai.${domain}" "https://ai.${domain}";
}
'';
# Catch-all default - friendly error for unknown subdomains
virtualHosts."_" = {
@ -145,34 +138,12 @@ in
'';
};
};
virtualHosts."mcp.${domain}" = {
useACMEHost = domain;
forceSSL = true;
locations."/web_search/" = {
# MCP servers (same-origin with the web UI to avoid CORS)
locations."/mcp/web_search/" = {
proxyPass = "http://192.168.0.23:8002/";
proxyWebsockets = true;
extraConfig = ''
include ${config.sops.templates."nginx-mcp-auth.conf".path};
# CORS — $mcp_cors_origin is set by the http-level map
# and is empty for disallowed origins
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin $mcp_cors_origin always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-API-Key" always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Max-Age 86400 always;
return 204;
}
add_header Access-Control-Allow-Origin $mcp_cors_origin always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-API-Key" always;
add_header Access-Control-Allow-Credentials "true" always;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
'';