为MCP服务添加简单验证,并部署到服务器上
以下是将 MCP 部署到服务器的 `docker-compose.yml` 模板,可以把 MongoDB-MCP 换成任何 MCP 服务:
将以下模板中的 `MDB_MCP_CONNECTION_STRING` 和 `BEARER_TOKEN` 环境变量改为自己的值,即可在 cursor IDE 中调用;`BEARER_TOKEN` 必须与 cursor 配置里 `Bearer` 后面的值一致。理论上 `docker-compose.yml` 中的 `mcp-server` 可以换成任何 MCP 容器服务。
cursor
中配置:
"mongoDB-mcp": {
"url": "https://your_domain.com/mcp",
"headers": {
"Authorization": "Bearer your_secret"
}
}
docker-compose.yml
模板,需配合nginx.conf
模板:
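# Two-container deployment: the MCP server is attached only to the internal
# bridge network, and nginx is the single published entry point that checks
# the Bearer token before proxying.
services:
  mcp-server:
    # NOTE(review): ":latest" is a moving tag. Pin a specific version or an
    # image digest so a redeploy cannot silently pull different code.
    image: mongodb/mongodb-mcp-server:latest
    container_name: mongodb-mcp-server
    restart: unless-stopped
    # Leave the host port mapping disabled: publishing 3000 on the host would
    # let clients reach the MCP server without passing the nginx token check.
    # ports:
    #   - "3000:3000"
    environment:
      # Option 1: direct MongoDB connection.
      # Replace user, password and host with your own values (the host below
      # is a placeholder). Use a database user limited to what the MCP tools
      # need rather than an admin account, and keep the real string out of
      # version control (e.g. compose variable interpolation from .env).
      # "ssl=false" sends credentials and data unencrypted between this
      # container and MongoDB; enable TLS unless that path is fully trusted.
      MDB_MCP_CONNECTION_STRING: "mongodb://your-username:your-password@your-mongodb-host:27017/?retryWrites=false&ssl=false&authSource=admin"
      # Option 2: Atlas Service Account (example only, enable as needed).
      # MDB_MCP_API_CLIENT_ID: "your-atlas-service-accounts-client-id"
      # MDB_MCP_API_CLIENT_SECRET: "your-atlas-service-accounts-client-secret"
      # Read-only mode; remove only if write access is really required.
      MDB_MCP_READ_ONLY: "true"
      # Start with the HTTP transport.
      MDB_MCP_TRANSPORT: "http"
      # Listens on all interfaces inside the container; with no published
      # port it is reachable only from the compose network.
      MDB_MCP_HTTP_HOST: "0.0.0.0"
      MDB_MCP_HTTP_PORT: "3000"
      # MDB_MCP_LOG_PATH: "/home/mcp/.app-logs"
      # Optional: index check, logging, timeouts.
      # MDB_MCP_INDEX_CHECK: "true"
      MDB_MCP_LOGGERS: "mcp,disk,stderr"
      # MDB_MCP_IDLE_TIMEOUT_MS: "600000"
      # MDB_MCP_NOTIFICATION_TIMEOUT_MS: "540000"
    # Mount a directory if disk logs must persist.
    # volumes:
    #   - ./mcp-logs:/home/mcp/.app-logs
    expose:
      - "3000"  # visible only to nginx on the same network
    networks:
      - mongodb-mcp-network

  mcp-nginx:
    image: nginx:stable-perl
    container_name: mongodb-mcp-nginx
    restart: unless-stopped
    depends_on:
      - mcp-server  # nginx proxies to the mcp-server container
    environment:
      # The token nginx compares against the Authorization header. The
      # ":?" form makes compose refuse to start when it is unset, so the
      # proxy never comes up with a missing token. Use a long random value.
      BEARER_TOKEN: "${BEARER_TOKEN:?set BEARER_TOKEN in .env or the shell}"
      # The official nginx image runs envsubst only on files in
      # /etc/nginx/templates; write the rendered file to /etc/nginx so it
      # becomes /etc/nginx/nginx.conf.
      NGINX_ENVSUBST_OUTPUT_DIR: "/etc/nginx"
    ports:
      # nginx.conf listens on 8080 inside the container.
      # Port 80 is plain HTTP: the Authorization header crosses the network
      # unencrypted. Terminate TLS here (443, the certificate mounts below
      # and a TLS listener in nginx.conf) or on a proxy in front of this
      # host before exposing the service.
      - "80:8080"
      # - "443:443"
    volumes:
      # Mounted as a template so ${BEARER_TOKEN} is substituted at start-up;
      # a file mounted directly at /etc/nginx/nginx.conf is not processed.
      - ./nginx/nginx.conf:/etc/nginx/templates/nginx.conf.template:ro
      # Mount issued certificates into the container (replace the example
      # paths with your real certificate paths).
      # - ./certs/fullchain.pem:/etc/nginx/certs/fullchain.pem:ro
      # - ./certs/privkey.pem:/etc/nginx/certs/privkey.pem:ro
    tmpfs:
      # nginx.conf places its temp paths under /tmp/nginx; provide that
      # directory so they can be created.
      - /tmp/nginx
    networks:
      - mongodb-mcp-network

networks:
  mongodb-mcp-network:
    driver: bridge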
nginx.conf
模板
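# Reverse proxy in front of the MCP server: requests must carry
# "Authorization: Bearer <token>" matching BEARER_TOKEN, except for the
# discovery endpoints under /.well-known/ and CORS preflight requests.
worker_processes auto;
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # Basic tuning
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;

    # Temp directories in a location the nginx user can write to
    client_body_temp_path /tmp/nginx/client_temp;
    proxy_temp_path /tmp/nginx/proxy_temp;
    fastcgi_temp_path /tmp/nginx/fastcgi_temp;
    uwsgi_temp_path /tmp/nginx/uwsgi_temp;
    scgi_temp_path /tmp/nginx/scgi_temp;

    # Connection header sent upstream: "upgrade" when the client asked for
    # an upgrade, otherwise "close".
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Logs (as needed). If a custom log_format is defined, keep
    # $http_authorization out of it so the token is never written to disk.
    # access_log /var/log/nginx/access.log main;
    # error_log /var/log/nginx/error.log warn;

    # Upstream MCP server. In the two-container compose layout the backend
    # is the "mcp-server" service on the shared network; 127.0.0.1:3000 only
    # applies when nginx and the MCP server run inside the same container.
    upstream mcp_upstream {
        server mcp-server:3000;
        keepalive 64;
    }

    server {
        listen 8080;
        server_name localhost;  # replace with your domain

        # The Bearer token comes from the BEARER_TOKEN environment variable
        # and is substituted by envsubst at start-up (this file must be
        # rendered as a template for that to happen).
        # Set it at run time with -e BEARER_TOKEN="your_token".
        set $expected_bearer "${BEARER_TOKEN}";

        # Common reverse-proxy settings (SSE friendly)
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # SSE needs buffering switched off
        proxy_buffering off;
        proxy_cache off;

        # Long-lived connections / heartbeats (tune as needed)
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;

        # CORS headers are handled per location rather than with a
        # server-level add_header.

        # Pass connection upgrades through (SSE normally does not need an
        # upgrade, but make sure one is not mishandled).
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Discovery endpoints are deliberately public so clients can read
        # OAuth/.well-known metadata: everything the backend serves under
        # /.well-known/ is reachable without a token.
        location ^~ /.well-known/ {
            add_header Access-Control-Allow-Origin "*" always;
            add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Cache-Control, X-Requested-With" always;
            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
            proxy_pass http://mcp_upstream;
        }

        # Every other path requires the Bearer token.
        location / {
            # CORS preflight carries no credentials; answer it locally.
            if ($request_method = OPTIONS) { return 204; }

            # Fail closed when the configured token is empty, so a
            # misconfigured deployment never proxies requests.
            if ($expected_bearer = "") { return 503; }

            # "always" is required: without it add_header is skipped on
            # 401 responses and the challenge never reaches the client.
            if ($http_authorization = "") {
                add_header WWW-Authenticate 'Bearer realm="mcp"' always;
                return 401;
            }
            if ($http_authorization != "Bearer $expected_bearer") {
                add_header WWW-Authenticate 'Bearer realm="mcp"' always;
                return 401;
            }

            # No proxy_set_header here on purpose: declaring any in this
            # location would drop the inherited Host / X-Real-IP /
            # X-Forwarded-* headers set at server level. Upgrade and
            # Connection are inherited from the server block as well.
            proxy_pass http://mcp_upstream;
        }
    }
}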
如果有需要mongodb-mcp
服务的话,也可以看我的仓库:https://github.com/hst-Sunday/mongodb-mcp-auth.git
已经打包好镜像了,并且适配好了choreo.dev 的免费容器服务了
License:
CC BY 4.0