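--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -155,3 +155,62 @@ server {
 limit_conn perip 20;
 limit_conn_status 429;
 }
+
+# --- MCP server ---
+server {
+listen 80;
+listen [::]:80;
+server_name mcp.securechain.dev;
+return 301 https://$host$request_uri;
+}
+
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name mcp.securechain.dev;
+
+# Reutilizamos los mismos certificados de Cloudflare
+ssl_certificate /etc/ssl/cf_origin.pem;
+ssl_certificate_key /etc/ssl/private/cf_origin.key;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 1d;
+ssl_session_tickets off;
+
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+# Proxy hacia tu contenedor MCP (ajusta el host/puerto según docker-compose)
+location / {
+proxy_pass http://securechain-mcp:8000;
+
+proxy_http_version 1.1;
+
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+
+proxy_request_buffering on;
+proxy_buffering on;
+proxy_read_timeout 60s;
+proxy_send_timeout 60s;
+proxy_connect_timeout 5s;
+
+proxy_pass_header Set-Cookie;
+}
+
+# Health endpoint específico del MCP
+location /health {
+access_log off;
+return 200 "mcp healthy\n";
+add_header Content-Type text/plain;
+}
+}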
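Review bot: The `add_header Content-Type text/plain;` at line 214 inside `location /health` drops every server-level security header for that location, because nginx inherits `add_header` directives only when the current level declares none, so `/health` is served without the HSTS and other headers set at 182–186; replace it with `default_type text/plain;`, which also avoids a second Content-Type header on a `return` response. `X-Forwarded-Proto $http_x_forwarded_proto` at 199 forwards whatever the client sent; in a TLS-only server `$scheme` is the value that cannot be spoofed, unless the origin is reachable only through Cloudflare and the edge header is deliberately trusted. The new server block has no `limit_conn`/`limit_req`, unlike the preceding block at 155–156, and `proxy_buffering on` together with the 60s `proxy_read_timeout` will buffer or cut streaming (SSE) responses if the MCP transport uses them — worth confirming against the container. `proxy_pass_header Set-Cookie;` at 207 is a no-op, since Set-Cookie is passed through by default.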