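# ChromaDB Remote MCP Server Configuration
#
# Format: one KEY=VALUE per line, comments on their own lines starting with '#'.
# Do not append comments after a value; some dotenv readers keep them as part
# of the value.
# If this file holds a real MCP_AUTH_TOKEN, keep it out of version control and
# readable only by the account that runs the stack.

# External Port (Caddy Reverse Proxy)
# This is the port you'll access the server on.
# Everything behind this port (MCP and the ChromaDB REST API) is protected only
# by MCP_AUTH_TOKEN below, so set the token before exposing the port beyond
# localhost.
# NOTE(review): whether Caddy terminates TLS on this port is not shown in this
# file; confirm the token never travels over plain HTTP on untrusted networks.
PORT=8080

# ChromaDB Data Storage Path
# Options:
#   - Named volume (default): chroma-data
#   - Absolute path: /path/to/data
#   - Relative path: ./data
CHROMA_DATA_PATH=chroma-data

# ChromaDB Connection (Internal - usually no need to change)
# ChromaDB itself runs without authentication, so it should be reachable only
# by this server on the internal network, never published directly.
CHROMA_HOST=chromadb
CHROMA_PORT=8000

# ChromaDB Database Configuration
CHROMA_TENANT=default_tenant
CHROMA_DATABASE=default_database

# Authentication Token (IMPORTANT for public access!)
# This single token protects both MCP and ChromaDB REST API endpoints.
# ChromaDB itself runs without authentication; this server handles auth at the
# gateway.
#
# Generate a URL-safe secure token:
#   node -e "console.log(require('crypto').randomBytes(32).toString('base64url'))"
# Or use OpenSSL (URL-safe version):
#   openssl rand -base64 32 | tr '+/' '-_' | tr -d '='
#
# Leave empty to disable authentication (NOT recommended for production).
# With an empty value, anyone who can reach PORT can read and modify the
# database through both endpoints. Because the one token covers both, rotate
# it if it is ever disclosed (for example through a logged URL, see
# ALLOW_QUERY_AUTH).
MCP_AUTH_TOKEN=

# Rate Limiting (optional)
# Maximum number of requests per IP address within 15 minutes.
# Default: 100 requests per 15 minutes.
# Set higher for high-traffic deployments.
# NOTE(review): the server sits behind the Caddy reverse proxy; confirm the
# limiter keys on the real client address rather than the proxy's, otherwise
# all clients share one bucket.
RATE_LIMIT_MAX=100

# Allowed Origins (optional, comma-separated)
# DNS Rebinding Attack Prevention (MCP spec: MUST validate Origin header)
# Default allowed origins (always permitted):
#   - Localhost: 127.0.0.1, localhost, [::1]
#   - Claude.ai: https://claude.ai, https://api.anthropic.com
# Add additional trusted domains here (comma-separated).
# Example: https://myapp.com,https://yourdomain.com
# Note: Only applies to browser requests (requests with Origin header).
# Requests without an Origin header are not restricted by this list, so it
# complements MCP_AUTH_TOKEN and does not replace it. List only origins you
# control or trust.
ALLOWED_ORIGINS=

# Query Parameter Authentication (optional, default: true)
# Allows authentication via query parameters (?apiKey=TOKEN).
# Required for: Claude Desktop Custom Connector, browser-based clients.
# Security note: While this violates MCP spec (tokens in URI), it's enabled by
# default for compatibility with Claude Desktop UI and browser integrations.
# A token carried in the URL can be recorded wherever URLs are recorded:
# reverse-proxy access logs, browser history, Referer headers, and possibly
# this server's own request logging (see LOG_LEVEL).
# Set to 'false' to enforce header-based auth only (more secure).
# Recommended: Use Authorization header or X-Chroma-Token header when possible.
ALLOW_QUERY_AUTH=true

# Request Timeout (optional, default: 120000ms = 2 minutes)
# Maximum time in milliseconds for a request to complete.
# Increase for long-running queries or large data operations.
REQUEST_TIMEOUT=120000

# Ping Timeout (optional, default: 30000ms = 30 seconds)
# Maximum time to wait for ping responses from clients.
# Lower values detect disconnects faster but may cause false positives.
PING_TIMEOUT=30000

# Graceful Shutdown Timeout (hardcoded: 30000ms = 30 seconds)
# Time to wait for active connections to complete during shutdown.
# This cannot be configured via environment variable.

# Log Level (optional, default: info)
# Controls console output verbosity.
# Options: error, warn, info, debug
#   - error: Only critical errors
#   - warn: Errors and warnings (throttled to once per minute for repeated warnings)
#   - info: Normal operation logs (default)
#   - debug: Verbose logging including all requests
# Recommended: info for production, debug for troubleshooting.
# NOTE(review): debug logs all requests; with ALLOW_QUERY_AUTH=true that may
# include URLs carrying ?apiKey=TOKEN. Confirm what is written before sharing
# or retaining debug logs.
LOG_LEVEL=info

# Node.js Warnings (hardcoded in docker-compose: NODE_NO_WARNINGS=1)
# Suppresses Node.js deprecation warnings from dependencies.
# This is already configured in docker-compose.yml and docker-compose.dev.yml.
# No action needed - included here for documentation only.

# ONNX Runtime Logging (hardcoded in docker-compose: ORT_LOGGING_LEVEL=3)
# Suppresses ONNX Runtime thread affinity warnings in Docker environments.
# Level 3 = ERROR (only shows critical errors, hides pthread warnings).
# This is already configured in docker-compose.yml and docker-compose.dev.yml.
# No action needed - included here for documentation only.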