summaryrefslogtreecommitdiff
path: root/deploy/food.tomflux.xyz.nginx
blob: 400f7f1846813a138b6368b362665bccbd2293eb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# nginx config for food.tomflux.xyz
# Adds the MCP location to the existing web-app server block.
#
# The MCP connector is "authless" from claude.ai's side — the long secret in the
# URL path IS the credential. Only that exact prefix is proxied to the FastMCP
# service; everything else under /mcp/ falls through to the catch-all 301.
# Generate the secret once and keep it out of git, e.g.:
#     python -c "import secrets; print(secrets.token_urlsafe(32))"
# then replace REPLACE_WITH_LONG_SECRET below and in the claude.ai connector URL:
#     https://food.tomflux.xyz/mcp/REPLACE_WITH_LONG_SECRET/

server {
    server_name food.tomflux.xyz;

    location /app/ {
        proxy_pass http://127.0.0.1:8042;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /accounts/ {
        proxy_pass http://127.0.0.1:8042;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /static/ {
        proxy_pass http://127.0.0.1:8042;
    }

    # --- MCP server (claude.ai cooking-mode connector) ---
    # Regex so it matches with OR without a trailing slash — claude.ai stores
    # the connector URL without one. Whatever follows the secret is normalised
    # onto the FastMCP root (the service serves at "/").
    location ~ ^/mcp/REPLACE_WITH_LONG_SECRET/?(?<mcp_rest>.*)$ {
        proxy_pass http://127.0.0.1:8765/$mcp_rest$is_args$args;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;            # MCP Streamable HTTP / SSE
        proxy_read_timeout 3600s;
    }

    # OAuth-discovery probes MUST 404, not fall through to the /app/ login
    # redirect. Otherwise claude.ai's connector flow sees the login page at
    # /.well-known/oauth-* , thinks the server has an OAuth sign-in service,
    # tries Dynamic Client Registration, and fails ("Couldn't register with
    # ... sign-in service"). A 404 here makes it treat the server as authless.
    location /.well-known/ { return 404; }

    location / {
        return 301 /app/;
    }

    # Block API and admin from external access (MCP reaches the API over
    # localhost, so this does not affect it).
    location /api/ { return 404; }
    location /admin/ { return 404; }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/dav.jihakuz.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/dav.jihakuz.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = food.tomflux.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name food.tomflux.xyz;
    listen 80;
    return 404; # managed by Certbot
}