This commit is contained in:
Bryan Ramos 2026-04-20 01:13:36 -04:00
parent f42ec1f725
commit 89768a9e0b
2 changed files with 26 additions and 1 deletions


@ -78,6 +78,14 @@ in
recommendedGzipSettings = true;
eventsConfig = "worker_connections 4096;";
# CORS origin allowlist for MCP servers
commonHttpConfig = ''
map $http_origin $mcp_cors_origin {
default "";
"https://ai.${domain}" "https://ai.${domain}";
}
'';
# Catch-all default - friendly error for unknown subdomains
virtualHosts."_" = {
default = true;
@ -148,6 +156,23 @@ in
proxyWebsockets = true;
extraConfig = ''
include ${config.sops.templates."nginx-mcp-auth.conf".path};
# CORS — $mcp_cors_origin is set by the http-level map
# and is empty for disallowed origins
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin $mcp_cors_origin always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-API-Key" always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Max-Age 86400 always;
return 204;
}
add_header Access-Control-Allow-Origin $mcp_cors_origin always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-API-Key" always;
add_header Access-Control-Allow-Credentials "true" always;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
'';
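Review bot: The Access-Control-Allow-Origin value emitted at L29 and L36 changes per request origin and is paired with Access-Control-Allow-Credentials "true", but nothing marks the response as origin-dependent, so any cache between the browser and nginx may replay one allowlisted origin's ACAO to a request from another; add `add_header Vary Origin always;` next to the ACAO line in both the preflight block and the location-level set. The two header lists are duplicated because nginx does not inherit add_header into an `if` block, which is worth a short comment such as `# headers are repeated here on purpose: add_header inside if does not inherit the location-level set` so the next edit keeps them in sync. If the MCP upstream sets its own Access-Control-Allow-Origin, the proxied response would carry two values and browsers reject that; a `proxy_hide_header Access-Control-Allow-Origin;` may be needed, which should be confirmed against the upstream. The enclosing location block starts before the hunk; the extraConfig string itself is fully visible.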