@mcp-guardian/server 1.2.0 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/proxy/http-proxy-server.d.ts +3 -1
- package/dist/proxy/http-proxy-server.d.ts.map +1 -1
- package/dist/proxy/http-proxy-server.js +14 -3
- package/dist/proxy/http-proxy-server.js.map +1 -1
- package/dist/utils/mtls-config.d.ts +27 -0
- package/dist/utils/mtls-config.d.ts.map +1 -0
- package/dist/utils/mtls-config.js +82 -0
- package/dist/utils/mtls-config.js.map +1 -0
- package/package.json +8 -2
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
import { HistoryDatabase } from '../database/history-db.js';
|
|
2
2
|
import { PolicyEngine } from '../policy/policy-engine.js';
|
|
3
3
|
import { OAuthValidator } from '../auth/oauth.js';
|
|
4
|
+
import { MtlsConfig } from '../utils/mtls-config.js';
|
|
4
5
|
/**
|
|
5
6
|
* HTTP/SSE Proxy for remote MCP servers.
|
|
6
7
|
* Reuses the same auth, policy, circuit breaker, and metrics stack as the stdio proxy.
|
|
@@ -16,7 +17,8 @@ export declare class HttpProxyServer {
|
|
|
16
17
|
private db;
|
|
17
18
|
private port;
|
|
18
19
|
private server;
|
|
19
|
-
|
|
20
|
+
private httpsAgent;
|
|
21
|
+
constructor(targetUrl: string, serverName: string, policyEngine?: PolicyEngine, authValidator?: OAuthValidator, db?: HistoryDatabase, port?: number, mtlsConfig?: MtlsConfig);
|
|
20
22
|
start(): Promise<void>;
|
|
21
23
|
private handleRequest;
|
|
22
24
|
stop(): Promise<void>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"http-proxy-server.d.ts","sourceRoot":"","sources":["../../src/proxy/http-proxy-server.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAG1D,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"http-proxy-server.d.ts","sourceRoot":"","sources":["../../src/proxy/http-proxy-server.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAG1D,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAIlD,OAAO,EAAE,UAAU,EAAmB,MAAM,yBAAyB,CAAC;AAItE;;;GAGG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,YAAY,CAAsB;IAC1C,OAAO,CAAC,aAAa,CAAwB;IAC7C,OAAO,CAAC,YAAY,CAAsB;IAC1C,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,EAAE,CAAkB;IAC5B,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,MAAM,CAAgD;IAC9D,OAAO,CAAC,UAAU,CAAyB;gBAGzC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,YAAY,CAAC,EAAE,YAAY,EAC3B,aAAa,CAAC,EAAE,cAAc,EAC9B,EAAE,CAAC,EAAE,eAAe,EACpB,IAAI,GAAE,MAAa,EACnB,UAAU,CAAC,EAAE,UAAU;IAkBnB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAOd,aAAa;IAgIrB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;CAM5B"}
|
|
@@ -7,6 +7,7 @@ import { HistoryDatabase } from '../database/history-db.js';
|
|
|
7
7
|
import { OAuthValidator } from '../auth/oauth.js';
|
|
8
8
|
import { SessionCache } from '../auth/session-cache.js';
|
|
9
9
|
import { CircuitBreaker } from '../utils/circuit-breaker.js';
|
|
10
|
+
import { createMtlsAgent } from '../utils/mtls-config.js';
|
|
10
11
|
import * as Metrics from '../utils/metrics.js';
|
|
11
12
|
import { Logger } from '../utils/logger.js';
|
|
12
13
|
/**
|
|
@@ -24,7 +25,8 @@ export class HttpProxyServer {
|
|
|
24
25
|
db;
|
|
25
26
|
port;
|
|
26
27
|
server = null;
|
|
27
|
-
|
|
28
|
+
httpsAgent;
|
|
29
|
+
constructor(targetUrl, serverName, policyEngine, authValidator, db, port = 4000, mtlsConfig) {
|
|
28
30
|
this.serverName = serverName;
|
|
29
31
|
this.targetUrl = targetUrl.replace(/\/$/, '');
|
|
30
32
|
this.policyEngine = policyEngine || null;
|
|
@@ -34,7 +36,11 @@ export class HttpProxyServer {
|
|
|
34
36
|
this.tokenCounter = new TokenCounter();
|
|
35
37
|
this.db = db || new HistoryDatabase(':memory:');
|
|
36
38
|
this.port = port;
|
|
39
|
+
this.httpsAgent = createMtlsAgent(mtlsConfig || { enabled: false, rejectUnauthorized: true });
|
|
37
40
|
Metrics.circuitBreakerState.set({ server_name: this.serverName }, 0);
|
|
41
|
+
if (this.httpsAgent) {
|
|
42
|
+
Logger.info(`[http-proxy:${this.serverName}] mTLS enabled for upstream connection`);
|
|
43
|
+
}
|
|
38
44
|
}
|
|
39
45
|
async start() {
|
|
40
46
|
this.server = createServer((req, res) => this.handleRequest(req, res));
|
|
@@ -118,13 +124,18 @@ export class HttpProxyServer {
|
|
|
118
124
|
try {
|
|
119
125
|
const upstreamUrl = new URL(this.targetUrl + (req.url || '/'));
|
|
120
126
|
const isHttps = upstreamUrl.protocol === 'https:';
|
|
121
|
-
const
|
|
127
|
+
const reqOpts = {
|
|
122
128
|
hostname: upstreamUrl.hostname,
|
|
123
129
|
port: upstreamUrl.port || (isHttps ? 443 : 80),
|
|
124
130
|
path: upstreamUrl.pathname + upstreamUrl.search,
|
|
125
131
|
method: req.method,
|
|
126
132
|
headers: { ...req.headers, host: upstreamUrl.hostname },
|
|
127
|
-
}
|
|
133
|
+
};
|
|
134
|
+
// Attach mTLS agent for HTTPS connections
|
|
135
|
+
if (isHttps && this.httpsAgent) {
|
|
136
|
+
reqOpts.agent = this.httpsAgent;
|
|
137
|
+
}
|
|
138
|
+
const proxyReq = (isHttps ? httpsReq : httpReq)(reqOpts, (upstreamRes) => {
|
|
128
139
|
res.writeHead(upstreamRes.statusCode || 200, upstreamRes.headers);
|
|
129
140
|
upstreamRes.pipe(res);
|
|
130
141
|
this.circuitBreaker.recordSuccess();
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"http-proxy-server.js","sourceRoot":"","sources":["../../src/proxy/http-proxy-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAmC,MAAM,MAAM,CAAC;AACrE,OAAO,EAAE,OAAO,IAAI,OAAO,EAAE,MAAM,MAAM,CAAC;AAC1C,OAAO,EAAE,OAAO,IAAI,QAAQ,
|
|
1
|
+
{"version":3,"file":"http-proxy-server.js","sourceRoot":"","sources":["../../src/proxy/http-proxy-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAmC,MAAM,MAAM,CAAC;AACrE,OAAO,EAAE,OAAO,IAAI,OAAO,EAAE,MAAM,MAAM,CAAC;AAC1C,OAAO,EAAE,OAAO,IAAI,QAAQ,EAAuB,MAAM,OAAO,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAEzD,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAI5D,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAElD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAc,eAAe,EAAE,MAAM,yBAAyB,CAAC;AACtE,OAAO,KAAK,OAAO,MAAM,qBAAqB,CAAC;AAC/C,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C;;;GAGG;AACH,MAAM,OAAO,eAAe;IAClB,UAAU,CAAS;IACnB,SAAS,CAAS;IAClB,YAAY,CAAsB;IAClC,aAAa,CAAwB;IACrC,YAAY,CAAsB;IAClC,cAAc,CAAiB;IAC/B,YAAY,CAAe;IAC3B,EAAE,CAAkB;IACpB,IAAI,CAAS;IACb,MAAM,GAA2C,IAAI,CAAC;IACtD,UAAU,CAAyB;IAE3C,YACE,SAAiB,EACjB,UAAkB,EAClB,YAA2B,EAC3B,aAA8B,EAC9B,EAAoB,EACpB,OAAe,IAAI,EACnB,UAAuB;QAEvB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,YAAY,GAAG,YAAY,IAAI,IAAI,CAAC;QACzC,IAAI,CAAC,aAAa,GAAG,aAAa,IAAI,IAAI,CAAC;QAC3C,IAAI,CAAC,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,IAAI,YAAY,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9D,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC,CAAC;QACrF,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,EAAE,CAAC;QACvC,IAAI,CAAC,EAAE,GAAG,EAAE,IAAI,IAAI,eAAe,CAAC,UAAU,CAAC,CAAC;QAChD,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,UAAU,GAAG,eAAe,CAAC,UAAU,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9F,OAAO,CAAC,mBAAmB,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC;QACrE,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,UAAU,wCAAwC,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;QACvE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE;YACjC,MAAM,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,UAAU,iCAAiC,IAAI,CAAC,IAAI,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;QAC9G,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,GAAoB,EAAE,GAAmB;QACnE,MAAM,SAAS,GAAG,UAAU,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEzB,4DAA4D;QAC5D,IAAI,aAAwC,CAAC;QAC7C,IAAI,YAAY,GAAG,KAAK,CAAC;QAEzB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;YAChD,MAAM,KAAK,GAAG,cAAc,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;YAEtD,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE,CAAC;gBACtD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC,CAAC;gBAC9D,OAAO;YACT,CAAC;YAED,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,MAAM,GAAyB,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;gBAC9E,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC;gBAC5B,IAAI,MAAM,CAAC,QAAQ;oBAAE,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC;gBAErD,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE,CAAC;oBAC7D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;oBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,0BAA0B,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;oBAC7E,OAAO;gBACT,CAAC;YACH,CAAC;QACH,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,EAAE,CAAC;YACxC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,4CAA4C,EAAE,CAAC,CAAC,CAAC;YACjF,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;YACpH,OAAO;QACT,CAAC;QAED,4DAA4D;QAC5D,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,GAAG;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;QAE9C,4DAA4D;QAC5D,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC7B,IAAI,GAAG,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;oBAChC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,IAAI,IAAI,SAAS,CAAC;oBAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAE7C,MAAM,OAAO,GAAgB;wBAC3B,UAAU,EAAE,IAAI,CAAC,UAAU;wBAC3B,QAAQ;wBACR,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,SAAS;wBAChC,SAAS;wBACT,aAAa,EAAE,MAAM;wBACrB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,aAAa;qBACd,CAAC;oBAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAErD,IAAI,QAAQ,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;wBAChC,OAAO,CAAC,oBAAoB,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,YAAY,EAAE,UAAU,QAAQ,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;wBACjI,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;wBACpH,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;wBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;4BACrB,OAAO,EAAE,KAAK;4BACd,EAAE,EAAE,GAAG,CAAC,EAAE;4BACV,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,mCAAmC,QAAQ,CAAC,MAAM,EAAE,EAAE;yBACvF,CAAC,CAAC,CAAC;wBACJ,OAAO;oBACT,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,sCAAsC;YACxC,CAAC;QACH,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,SAAS,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC;YAC/D,MAAM,OAAO,GAAG,WAAW,CAAC,QAAQ,KAAK,QAAQ,CAAC;YAElD,MAAM,OAAO,GAAQ;gBACnB,QAAQ,EAAE,WAAW,CAAC,QAAQ;gBAC9B,IAAI,EAAE,WAAW,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9C,IAAI,EAAE,WAAW,CAAC,QAAQ,GAAG,WAAW,CAAC,MAAM;gBAC/C,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,OAAO,EAAE,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,WAAW,CAAC,QAAQ,EAAE;aACxD,CAAC;YAEF,0CAA0C;YAC1C,IAAI,OAAO,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC/B,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC;YAClC,CAAC;YAED,MAAM,QAAQ,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,EAAE;gBACvE,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC,UAAU,IAAI,GAAG,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;gBAClE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACtB,IAAI,CAAC,cAAc,CAAC,aAAa,EAAE,CAAC;gBACpC,OAAO,CAAC,mBAAmB,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,EAAE,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACrH,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;gBACrF,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;YACrH,CAAC,CAAC,CAAC;YAEH,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC3B,IAAI,CAAC,cAAc,CAAC,aAAa,EAAE,CAAC;gBACpC,OAAO,CAAC,mBAAmB,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC;gBACrE,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;oBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;oBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;gBACvE,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACrB,QAAQ,CAAC,GAAG,EAAE,CAAC;QACjB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,CAAC,cAAc,CAAC,aAAa,EAAE,CAAC;YACpC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,OAAO,CAAO,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,MAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC5D,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;CACF"}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
import { Agent as HttpsAgent } from 'https';
|
|
2
|
+
export interface MtlsConfig {
|
|
3
|
+
enabled: boolean;
|
|
4
|
+
ca?: Buffer;
|
|
5
|
+
cert?: Buffer;
|
|
6
|
+
key?: Buffer;
|
|
7
|
+
rejectUnauthorized: boolean;
|
|
8
|
+
}
|
|
9
|
+
/**
|
|
10
|
+
* Load mTLS configuration from environment variables.
|
|
11
|
+
*/
|
|
12
|
+
export declare function loadMtlsConfig(): MtlsConfig;
|
|
13
|
+
/**
|
|
14
|
+
* Create an HTTPS Agent configured with mTLS client certificate and CA.
|
|
15
|
+
*/
|
|
16
|
+
export declare function createMtlsAgent(config: MtlsConfig): HttpsAgent | undefined;
|
|
17
|
+
/**
|
|
18
|
+
* CLI flag names for mTLS configuration.
|
|
19
|
+
*/
|
|
20
|
+
export declare const MTL_CLI_FLAGS: {
|
|
21
|
+
readonly tlsEnabled: "--mtls";
|
|
22
|
+
readonly tlsCa: "--mtls-ca <path>";
|
|
23
|
+
readonly tlsCert: "--mtls-cert <path>";
|
|
24
|
+
readonly tlsKey: "--mtls-key <path>";
|
|
25
|
+
readonly tlsInsecure: "--mtls-insecure";
|
|
26
|
+
};
|
|
27
|
+
//# sourceMappingURL=mtls-config.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"mtls-config.d.ts","sourceRoot":"","sources":["../../src/utils/mtls-config.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,KAAK,IAAI,UAAU,EAAE,MAAM,OAAO,CAAC;AAG5C,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAED;;GAEG;AACH,wBAAgB,cAAc,IAAI,UAAU,CAsC3C;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,UAAU,GAAG,UAAU,GAAG,SAAS,CAW1E;AAED;;GAEG;AACH,eAAO,MAAM,aAAa;;;;;;CAMhB,CAAC"}
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* mTLS Configuration for Zero-Trust Proxy ↔ Upstream Communication.
|
|
3
|
+
*
|
|
4
|
+
* When MCP_TLS_ENABLED=true, the HTTP/SSE proxy validates the upstream
|
|
5
|
+
* server's certificate AND presents a client certificate for mutual
|
|
6
|
+
* authentication. This prevents MITM attacks and ensures only authorized
|
|
7
|
+
* proxies can connect to upstream MCP servers.
|
|
8
|
+
*
|
|
9
|
+
* Configuration via environment variables:
|
|
10
|
+
* MCP_TLS_ENABLED=true|false
|
|
11
|
+
* MCP_TLS_CA=/path/to/ca-cert.pem (required — trusted CA bundle)
|
|
12
|
+
* MCP_TLS_CERT=/path/to/client-cert.pem (required — proxy's client cert)
|
|
13
|
+
* MCP_TLS_KEY=/path/to/client-key.pem (required — proxy's client key)
|
|
14
|
+
* MCP_TLS_REJECT_UNAUTHORIZED=true|false (default: true — strict mode)
|
|
15
|
+
*/
|
|
16
|
+
import { readFileSync } from 'fs';
|
|
17
|
+
import { Agent as HttpsAgent } from 'https';
|
|
18
|
+
import { Logger } from './logger.js';
|
|
19
|
+
/**
|
|
20
|
+
* Load mTLS configuration from environment variables.
|
|
21
|
+
*/
|
|
22
|
+
export function loadMtlsConfig() {
|
|
23
|
+
const enabled = process.env['MCP_TLS_ENABLED'] === 'true';
|
|
24
|
+
if (!enabled) {
|
|
25
|
+
return { enabled: false, rejectUnauthorized: true };
|
|
26
|
+
}
|
|
27
|
+
const caPath = process.env['MCP_TLS_CA'];
|
|
28
|
+
const certPath = process.env['MCP_TLS_CERT'];
|
|
29
|
+
const keyPath = process.env['MCP_TLS_KEY'];
|
|
30
|
+
const rejectUnauthorized = process.env['MCP_TLS_REJECT_UNAUTHORIZED'] !== 'false';
|
|
31
|
+
const missing = [];
|
|
32
|
+
if (!caPath)
|
|
33
|
+
missing.push('MCP_TLS_CA');
|
|
34
|
+
if (!certPath)
|
|
35
|
+
missing.push('MCP_TLS_CERT');
|
|
36
|
+
if (!keyPath)
|
|
37
|
+
missing.push('MCP_TLS_KEY');
|
|
38
|
+
if (missing.length > 0) {
|
|
39
|
+
Logger.error(`[mtls] mTLS enabled but missing env vars: ${missing.join(', ')}`);
|
|
40
|
+
throw new Error(`mTLS misconfigured: missing ${missing.join(', ')}`);
|
|
41
|
+
}
|
|
42
|
+
let ca;
|
|
43
|
+
let cert;
|
|
44
|
+
let key;
|
|
45
|
+
try {
|
|
46
|
+
ca = readFileSync(caPath);
|
|
47
|
+
cert = readFileSync(certPath);
|
|
48
|
+
key = readFileSync(keyPath);
|
|
49
|
+
}
|
|
50
|
+
catch (err) {
|
|
51
|
+
Logger.error(`[mtls] Failed to read TLS files: ${err?.message}`);
|
|
52
|
+
throw err;
|
|
53
|
+
}
|
|
54
|
+
Logger.info(`[mtls] mTLS enabled (CA: ${caPath}, cert: ${certPath}, rejectUnauthorized: ${rejectUnauthorized})`);
|
|
55
|
+
return { enabled: true, ca, cert, key, rejectUnauthorized };
|
|
56
|
+
}
|
|
57
|
+
/**
|
|
58
|
+
* Create an HTTPS Agent configured with mTLS client certificate and CA.
|
|
59
|
+
*/
|
|
60
|
+
export function createMtlsAgent(config) {
|
|
61
|
+
if (!config.enabled)
|
|
62
|
+
return undefined;
|
|
63
|
+
return new HttpsAgent({
|
|
64
|
+
ca: config.ca,
|
|
65
|
+
cert: config.cert,
|
|
66
|
+
key: config.key,
|
|
67
|
+
rejectUnauthorized: config.rejectUnauthorized,
|
|
68
|
+
keepAlive: true,
|
|
69
|
+
keepAliveMsecs: 30000,
|
|
70
|
+
});
|
|
71
|
+
}
|
|
72
|
+
/**
|
|
73
|
+
* CLI flag names for mTLS configuration.
|
|
74
|
+
*/
|
|
75
|
+
export const MTL_CLI_FLAGS = {
|
|
76
|
+
tlsEnabled: '--mtls',
|
|
77
|
+
tlsCa: '--mtls-ca <path>',
|
|
78
|
+
tlsCert: '--mtls-cert <path>',
|
|
79
|
+
tlsKey: '--mtls-key <path>',
|
|
80
|
+
tlsInsecure: '--mtls-insecure',
|
|
81
|
+
};
|
|
82
|
+
//# sourceMappingURL=mtls-config.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"mtls-config.js","sourceRoot":"","sources":["../../src/utils/mtls-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,KAAK,IAAI,UAAU,EAAE,MAAM,OAAO,CAAC;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAUrC;;GAEG;AACH,MAAM,UAAU,cAAc;IAC5B,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,KAAK,MAAM,CAAC;IAE1D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC;IACtD,CAAC;IAED,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC3C,MAAM,kBAAkB,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,KAAK,OAAO,CAAC;IAElF,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,MAAM;QAAE,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACxC,IAAI,CAAC,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC5C,IAAI,CAAC,OAAO;QAAE,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAE1C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,KAAK,CAAC,6CAA6C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAChF,MAAM,IAAI,KAAK,CAAC,+BAA+B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,EAAsB,CAAC;IAC3B,IAAI,IAAwB,CAAC;IAC7B,IAAI,GAAuB,CAAC;IAE5B,IAAI,CAAC;QACH,EAAE,GAAG,YAAY,CAAC,MAAO,CAAC,CAAC;QAC3B,IAAI,GAAG,YAAY,CAAC,QAAS,CAAC,CAAC;QAC/B,GAAG,GAAG,YAAY,CAAC,OAAQ,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,KAAK,CAAC,oCAAoC,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;QACjE,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,4BAA4B,MAAM,WAAW,QAAQ,yBAAyB,kBAAkB,GAAG,CAAC,CAAC;IAEjH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,kBAAkB,EAAE,CAAC;AAC9D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,MAAkB;IAChD,IAAI,CAAC,MAAM,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAEtC,OAAO,IAAI,UAAU,CAAC;QACpB,EAAE,EAAE,MAAM,CAAC,EAAE;QACb,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;QAC7C,SAAS,EAAE,IAAI;QACf,cAAc,EAAE,KAAK;KACtB,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,UAAU,EAAE,QAAQ;IACpB,KAAK,EAAE,kBAAkB;IACzB,OAAO,EAAE,oBAAoB;IAC7B,MAAM,EAAE,mBAAmB;IAC3B,WAAW,EAAE,iBAAiB;CACtB,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@mcp-guardian/server",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.3.0",
|
|
4
4
|
"description": "Security, cost, and health audit for MCP infrastructure",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"files": [
|
|
@@ -13,9 +13,15 @@
|
|
|
13
13
|
"engines": {
|
|
14
14
|
"node": ">=18"
|
|
15
15
|
},
|
|
16
|
-
"repository":
|
|
16
|
+
"repository": {
|
|
17
|
+
"type": "git",
|
|
18
|
+
"url": "git+https://github.com/rudraneel93/mcp-guardian.git"
|
|
19
|
+
},
|
|
17
20
|
"bugs": "https://github.com/rudraneel93/mcp-guardian/issues",
|
|
18
21
|
"homepage": "https://www.npmjs.com/package/@mcp-guardian/server",
|
|
22
|
+
"publishConfig": {
|
|
23
|
+
"access": "public"
|
|
24
|
+
},
|
|
19
25
|
"keywords": [
|
|
20
26
|
"mcp",
|
|
21
27
|
"model-context-protocol",
|