feat: add API key authentication system for ChatGPT Business
Implements comprehensive Bearer token authentication to ensure only authorized ChatGPT workspaces can access the MCP server. Core Features: - API key validation with constant-time comparison - Multi-key support for rotation grace periods - Rate limiting (5 failures per IP per 5 min) - Comprehensive audit logging of all auth attempts - IP-based failed attempt tracking Key Management: - generate_api_key.py: Create secure 64-char keys - rotate_api_key.py: Guided key rotation with backup - check_key_age.py: Automated expiration monitoring Infrastructure: - Traefik labels for HTTPS and rate limiting - Security headers (HSTS, CSP, X-Frame-Options) - Environment-based configuration - Docker secrets support Documentation: - AUTH_SETUP.md: Complete authentication setup guide - CHATGPT_SETUP.md: ChatGPT Business integration guide - KEY_ROTATION.md: Key rotation procedures and automation Security: - Read-only operations enforced - No write access to Gitea possible - All auth attempts logged with correlation IDs - Failed attempts trigger IP rate limits - Keys never logged in full (only hints) Breaking Changes: - AUTH_ENABLED defaults to true - MCP_API_KEYS environment variable now required - Minimum key length: 32 characters (64 recommended) Migration: 1. Generate API key: make generate-key 2. Add to .env: MCP_API_KEYS=<generated-key> 3. Restart: docker-compose restart aegis-mcp 4. Configure ChatGPT with Authorization header Closes requirements for ChatGPT Business exclusive access.
This commit is contained in:
@@ -1,4 +1,4 @@
|
||||
# Convenience symlink to docker/docker-compose.yml
|
||||
# AegisGitea MCP - Docker Compose Configuration
|
||||
# Usage: docker-compose up -d
|
||||
|
||||
version: '3.8'
|
||||
@@ -22,6 +22,7 @@ services:
|
||||
|
||||
networks:
|
||||
- aegis-network
|
||||
- traefik # Connect to Traefik network (if using Traefik)
|
||||
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
@@ -41,6 +42,36 @@ services:
|
||||
timeout: 10s
|
||||
retries: 3
|
||||
start_period: 10s
|
||||
|
||||
# Traefik labels for automatic HTTPS and routing
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
|
||||
# Router configuration
|
||||
- "traefik.http.routers.aegis-mcp.rule=Host(`${MCP_DOMAIN:-mcp.example.com}`)"
|
||||
- "traefik.http.routers.aegis-mcp.entrypoints=websecure"
|
||||
- "traefik.http.routers.aegis-mcp.tls=true"
|
||||
- "traefik.http.routers.aegis-mcp.tls.certresolver=letsencrypt"
|
||||
|
||||
# Service configuration
|
||||
- "traefik.http.services.aegis-mcp.loadbalancer.server.port=8080"
|
||||
|
||||
# Rate limiting middleware (60 req/min per IP)
|
||||
- "traefik.http.middlewares.aegis-ratelimit.ratelimit.average=60"
|
||||
- "traefik.http.middlewares.aegis-ratelimit.ratelimit.period=1m"
|
||||
- "traefik.http.middlewares.aegis-ratelimit.ratelimit.burst=10"
|
||||
|
||||
# Security headers middleware
|
||||
- "traefik.http.middlewares.aegis-security.headers.sslredirect=true"
|
||||
- "traefik.http.middlewares.aegis-security.headers.stsSeconds=31536000"
|
||||
- "traefik.http.middlewares.aegis-security.headers.stsIncludeSubdomains=true"
|
||||
- "traefik.http.middlewares.aegis-security.headers.stsPreload=true"
|
||||
- "traefik.http.middlewares.aegis-security.headers.contentTypeNosniff=true"
|
||||
- "traefik.http.middlewares.aegis-security.headers.browserXssFilter=true"
|
||||
- "traefik.http.middlewares.aegis-security.headers.forceSTSHeader=true"
|
||||
|
||||
# Apply middlewares to router
|
||||
- "traefik.http.routers.aegis-mcp.middlewares=aegis-ratelimit@docker,aegis-security@docker"
|
||||
|
||||
volumes:
|
||||
aegis-mcp-logs:
|
||||
@@ -49,3 +80,8 @@ volumes:
|
||||
networks:
|
||||
aegis-network:
|
||||
driver: bridge
|
||||
|
||||
# External Traefik network (create with: docker network create traefik)
|
||||
# Comment out if not using Traefik
|
||||
traefik:
|
||||
external: true
|
||||
|
||||
Reference in New Issue
Block a user