# High-performance nginx configuration with TLS 1.2/1.3 for MCP security demo worker_processes auto; worker_rlimit_nofile 65535; events { worker_connections 4096; use epoll; multi_accept on; } http { # Basic settings include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; client_max_body_size 10M; # Logging log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log warn; # Gzip compression gzip on; gzip_vary on; gzip_min_length 1024; gzip_types text/plain text/css application/json application/javascript text/xml application/xml; # SSL/TLS Configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_session_tickets off; # Security headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header X-Frame-Options DENY always; add_header X-Content-Type-Options nosniff always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # Upstream blocks upstream oauth_server { server oauth:8080; keepalive 32; } upstream mcp_server { server mcp:8000; keepalive 32; } # HTTP to HTTPS redirect server { listen 80; server_name _; return 301 https://$host:8443$request_uri; } # OAuth Server - HTTPS on port 8443 server { listen 8443 ssl http2; server_name localhost; # TLS certificates ssl_certificate /etc/nginx/certs/server.crt; ssl_certificate_key /etc/nginx/certs/server.key; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; location / { proxy_pass http://oauth_server; # Proxy headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; # Connection settings proxy_connect_timeout 30s; proxy_send_timeout 30s; proxy_read_timeout 30s; proxy_buffer_size 4k; proxy_buffers 8 4k; proxy_busy_buffers_size 8k; # HTTP version proxy_http_version 1.1; proxy_set_header Connection ""; } } # MCP Server - HTTPS on port 8001 server { listen 8001 ssl http2; server_name localhost; # TLS certificates ssl_certificate /etc/nginx/certs/server.crt; ssl_certificate_key /etc/nginx/certs/server.key; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; location / { proxy_pass http://mcp_server; # Proxy headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; # WebSocket and SSE support for MCP proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_cache_bypass $http_upgrade; # Connection settings proxy_connect_timeout 30s; proxy_send_timeout 30s; proxy_read_timeout 300s; # Longer timeout for SSE streams proxy_buffer_size 4k; proxy_buffers 8 4k; proxy_busy_buffers_size 8k; # HTTP version proxy_http_version 1.1; # Disable buffering for SSE proxy_buffering off; proxy_cache off; } } # WebSocket upgrade mapping map $http_upgrade $connection_upgrade { default upgrade; '' close; } }