more readme updates and documentation for HTTPS config and example nginx file

aarora79 · aarora79 · commit 7002e422f4e9 · 2025-05-02T02:21:11.000Z
diff --git a/README.md b/README.md
@@ -125,6 +125,7 @@ flowchart TB
 *   Python 3.12+ (or compatible version supporting FastAPI and MCP Client)
 *   [uv](https://github.com/astral-sh/uv) for package management.
 *   Nginx installed (steps for [`Ubuntu`](https://ubuntu.com/tutorials/install-and-configure-nginx#1-overview)) and configured to use the generated configuration file.
+*   **You definitely want to run your MCP Gateway and Registry over HTTPS**. Refer to [this guide](secure.md) for steps to install Nginx and secure with an SSL cert.
 *   One of the example MCP servers packaged in this repo uses the [`Polygon`](https://polygon.io/stocks) API for stock ticker data. Get an API key from [here](https://polygon.io/dashboard/signup?redirect=%2Fdashboard%2Fkeys) and place it in `servers/fininfo/.env` as `POLYGON_API_KEY=your-polygon-key`. The server will still start without the API key but you will get a 401 Unauthorized error when using the tools provided by this server.
 
 ## Installation
@@ -203,10 +204,11 @@ flowchart TB
     uv run uvicorn registry.main:app --reload --host 0.0.0.0 --port 7860    
     ```
 
-    You should be able to see the MCP Registry running on `http://localhost:7860` as shown in the following screenshot.
+    You should be able to see the MCP Registry running on `http://localhost:7860` as shown in the following screenshot. You should be able to access the Registry over HTTPS as well using the domain name you configured for your server in the [prerequisites](#Prerequisites) section.
 
     ![MCP Registry](./img/registry.png)
 
+
 ## Configuration
 
 1.  **Environment Variables:** Create a `.env` file in the registry folder (`mcp-gateway/registry`).
diff --git a/examples/nginx_rev_proxy.conf b/examples/nginx_rev_proxy.conf
@@ -0,0 +1,72 @@
+server {
+    listen 80;
+    server_name ec2-44-192-72-20.compute-1.amazonaws.com;
+
+    # Optional: Redirect HTTP to HTTPS
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name ec2-44-192-72-20.compute-1.amazonaws.com;
+
+    # Self-signed certificate paths
+    ssl_certificate     /etc/letsencrypt/live/awscostexplorer-mcp.ddns.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/awscostexplorer-mcp.ddns.net/privkey.pem; 
+
+    #ssl_certificate     /etc/ssl/certs/ec2-selfsigned.crt;
+    #ssl_certificate_key /etc/ssl/private/ec2-selfsigned.key;
+
+    # Optional: Good practice
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    # Route for Cost Explorer service
+    location / {
+        proxy_pass http://127.0.0.1:8000/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+    
+    # Route for Current Time service
+    location /currenttime/ {
+        proxy_pass http://127.0.0.1:8001/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+    
+    # Route for Financial Information service
+    location /fininfo/ {
+        proxy_pass http://127.0.0.1:8002/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    location /tsbedrock/ {
+    # Fix the path handling by adding trailing slash and using $request_uri
+    proxy_pass https://hwfo2k8szg.execute-api.us-east-1.amazonaws.com/prod/;
+    
+    # AWS API Gateway often needs Host header to match the API Gateway domain
+    proxy_set_header Host hwfo2k8szg.execute-api.us-east-1.amazonaws.com;
+    
+    # These headers help with request routing
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    
+    # API Gateway often requires these settings
+    proxy_ssl_server_name on;
+    proxy_buffer_size 16k;
+    proxy_buffers 4 16k;
+    
+    # Adjust the rewrite to handle the path correctly
+    rewrite ^/tsbedrock/(.*)$ /prod/$1 break;
+} 
+    error_log /var/log/nginx/error.log debug;
+}
diff --git a/nginx_mcp_revproxy.conf b/nginx_mcp_revproxy.conf
diff --git a/secure.md b/secure.md
@@ -0,0 +1,66 @@
+# Secure your MCP Gateway and Registry
+
+A fully functional nginx configuration file is available [here](examples/nginx_rev_proxy.conf) in the examples folder for use as a reference i.e. you would need to edit this configuration file as per the information provided below.
+
+1. Enable access to TCP port 443 from the IP address of your MCP client (your laptop, or anywhere) in the inbound rules in the security group associated with your EC2 instance.
+
+1. You would need to have an HTTPS certificate and private key to proceed. Let's say you use `your-mcp-server-domain-name.com` as the domain for your MCP server then you will need an SSL cert for `your-mcp-server-domain-name.com` and it will be accessible to MCP clients as `https://your-mcp-server-domain-name.com/sse`. _While you can use a self-signed cert but it would require disabling SSL verification on the MCP client, we DO NOT recommend you do that_. If you are hosting your MCP server on EC2 then you could generate an SSL cert using [no-ip](https://www.noip.com/) or [Let' Encrypt](https://letsencrypt.org/) or other similar services. Place the SSL cert and private key files in `/etc/ssl/certs` and `/etc/ssl/privatekey` folders respectively on your EC2 machine.
+
+1. Install `nginx` on your EC2 machine using the following commands.
+
+    ```{.bashrc}
+    sudo apt-get install nginx
+    sudo nginx -t
+    sudo systemctl reload nginx
+    ```
+
+1. Get the hostname for your EC2 instance, this would be needed for configuring the `nginx` reverse proxy.
+
+    ```{.bashrc}
+    TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") && curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/public-hostname
+    ```
+
+1. Copy the following content into a new file `/etc/nginx/conf.d/ec2.conf`. Replace `YOUR_EC2_HOSTNAME`, `/etc/ssl/certs/cert.pem` and `/etc/ssl/privatekey/privkey.pem` with values appropriate for your setup.
+
+   ```{.bashrc}
+   server {
+    listen 80;
+    server_name YOUR_EC2_HOSTNAME;
+
+    # Optional: Redirect HTTP to HTTPS
+    return 301 https://$host$request_uri;
+    }
+
+    server {
+        listen 443 ssl;
+        server_name YOUR_EC2_HOSTNAME;
+
+        # Self-signed certificate paths
+        ssl_certificate     /etc/ssl/certs/cert.pem;
+        ssl_certificate_key /etc/ssl/privatekey/privkey.pem; 
+
+        # Optional: Good practice
+        ssl_protocols       TLSv1.2 TLSv1.3;
+        ssl_ciphers         HIGH:!aNULL:!MD5;
+
+        location / {
+            # Reverse proxy to your local app (e.g., port 8000)
+            proxy_pass http://127.0.0.1:8000;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+    }
+
+   ```
+
+1. Restart `nginx`.
+
+    ```{.bashrc}
+    sudo systemctl start nginx
+    ```
+
+1. Start your MCP server as usual as described in the [remote setup](#remote-setup) section.
+
+1. Your MCP server is now accessible over HTTPS as `https://your-mcp-server-domain-name.com/sse` to your MCP client.
