# nginx config for food.tomflux.xyz # Adds the MCP location to the existing web-app server block. # # The MCP connector is "authless" from claude.ai's side — the long secret in the # URL path IS the credential. Only that exact prefix is proxied to the FastMCP # service; everything else under /mcp/ falls through to the catch-all 301. # Generate the secret once and keep it out of git, e.g.: # python -c "import secrets; print(secrets.token_urlsafe(32))" # then replace REPLACE_WITH_LONG_SECRET below and in the claude.ai connector URL: # https://food.tomflux.xyz/mcp/REPLACE_WITH_LONG_SECRET/ server { server_name food.tomflux.xyz; location /app/ { proxy_pass http://127.0.0.1:8042; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /accounts/ { proxy_pass http://127.0.0.1:8042; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /static/ { proxy_pass http://127.0.0.1:8042; } # --- MCP server (claude.ai cooking-mode connector) --- # Trailing slashes on both sides strip the secret prefix, so the FastMCP # service (serving at "/") sees clean paths. location /mcp/REPLACE_WITH_LONG_SECRET/ { proxy_pass http://127.0.0.1:8765/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_buffering off; # MCP Streamable HTTP / SSE proxy_read_timeout 3600s; } location / { return 301 /app/; } # Block API and admin from external access (MCP reaches the API over # localhost, so this does not affect it). location /api/ { return 404; } location /admin/ { return 404; } listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/dav.jihakuz.xyz/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/dav.jihakuz.xyz/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = food.tomflux.xyz) { return 301 https://$host$request_uri; } # managed by Certbot server_name food.tomflux.xyz; listen 80; return 404; # managed by Certbot }