# Nginx Configuration for Optional HTTP/2 Upgrade # Client-facing: HTTP/2 # Backend: HTTP/1.1 (MCP server) upstream gds_mcp_backend { server 127.0.0.1:3000; keepalive 32; } server { listen 443 ssl http2; server_name gds-mock-mcp.example.com; # SSL configuration (replace with your certificates) ssl_certificate /path/to/ssl/certificate.crt; ssl_certificate_key /path/to/ssl/private.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; # Logging access_log /var/log/nginx/gds-mcp-access.log; error_log /var/log/nginx/gds-mcp-error.log; # MCP endpoint proxy location /mcp { proxy_pass http://gds_mcp_backend; proxy_http_version 1.1; # Preserve headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # MCP headers proxy_set_header MCP-Protocol-Version $http_mcp_protocol_version; proxy_set_header MCP-Session-Id $http_mcp_session_id; proxy_set_header Last-Event-ID $http_last_event_id; # SSE configuration proxy_set_header Connection ''; proxy_buffering off; proxy_cache off; chunked_transfer_encoding off; # Timeouts proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; } # Health check endpoint location /health { proxy_pass http://gds_mcp_backend; proxy_http_version 1.1; proxy_set_header Connection ''; proxy_buffering off; } # Rate limiting (additional layer beyond application) limit_req_zone $binary_remote_addr zone=mcp_limit:10m rate=100r/m; limit_req zone=mcp_limit burst=20 nodelay; # Security headers add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; add_header X-XSS-Protection "1; mode=block"; } # HTTP redirect to HTTPS server { listen 80; server_name gds-mock-mcp.example.com; return 301 https://$server_name$request_uri; }