Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
de0ae09fc40ec631adb3f5fca57e2ad92bdcf137
AegisGitea-MCP/docker-compose.yml
latte eeaad748a6 feat: add API key authentication system for ChatGPT Business 
Implements comprehensive Bearer token authentication to ensure only
authorized ChatGPT workspaces can access the MCP server.

Core Features:
- API key validation with constant-time comparison
- Multi-key support for rotation grace periods
- Rate limiting (5 failures per IP per 5 min)
- Comprehensive audit logging of all auth attempts
- IP-based failed attempt tracking

Key Management:
- generate_api_key.py: Create secure 64-char keys
- rotate_api_key.py: Guided key rotation with backup
- check_key_age.py: Automated expiration monitoring

Infrastructure:
- Traefik labels for HTTPS and rate limiting
- Security headers (HSTS, CSP, X-Frame-Options)
- Environment-based configuration
- Docker secrets support

Documentation:
- AUTH_SETUP.md: Complete authentication setup guide
- CHATGPT_SETUP.md: ChatGPT Business integration guide
- KEY_ROTATION.md: Key rotation procedures and automation

Security:
- Read-only operations enforced
- No write access to Gitea possible
- All auth attempts logged with correlation IDs
- Failed attempts trigger IP rate limits
- Keys never logged in full (only hints)

Breaking Changes:
- AUTH_ENABLED defaults to true
- MCP_API_KEYS environment variable now required
- Minimum key length: 32 characters (64 recommended)

Migration:
1. Generate API key: make generate-key
2. Add to .env: MCP_API_KEYS=<generated-key>
3. Restart: docker-compose restart aegis-mcp
4. Configure ChatGPT with Authorization header

Closes requirements for ChatGPT Business exclusive access.
2026-01-29 20:05:49 +01:00

88 lines
2.6 KiB
YAML
Raw Blame History

# AegisGitea MCP - Docker Compose Configuration
# Usage: docker-compose up -d
version: '3.8'
services:
aegis-mcp:
build:
context: .
dockerfile: docker/Dockerfile
container_name: aegis-gitea-mcp
restart: unless-stopped
env_file:
- .env
ports:
- "${MCP_PORT:-8080}:8080"
volumes:
- aegis-mcp-logs:/var/log/aegis-mcp
networks:
- aegis-network
- traefik # Connect to Traefik network (if using Traefik)
security_opt:
- no-new-privileges:true
deploy:
resources:
limits:
cpus: '1.0'
memory: 512M
reservations:
cpus: '0.25'
memory: 128M
healthcheck:
test: ["CMD", "python", "-c", "import httpx; httpx.get('http://localhost:8080/health')"]
interval: 30s
timeout: 10s
retries: 3
start_period: 10s
# Traefik labels for automatic HTTPS and routing
labels:
- "traefik.enable=true"
# Router configuration
- "traefik.http.routers.aegis-mcp.rule=Host(`${MCP_DOMAIN:-mcp.example.com}`)"
- "traefik.http.routers.aegis-mcp.entrypoints=websecure"
- "traefik.http.routers.aegis-mcp.tls=true"
- "traefik.http.routers.aegis-mcp.tls.certresolver=letsencrypt"
# Service configuration
- "traefik.http.services.aegis-mcp.loadbalancer.server.port=8080"
# Rate limiting middleware (60 req/min per IP)
- "traefik.http.middlewares.aegis-ratelimit.ratelimit.average=60"
- "traefik.http.middlewares.aegis-ratelimit.ratelimit.period=1m"
- "traefik.http.middlewares.aegis-ratelimit.ratelimit.burst=10"
# Security headers middleware
- "traefik.http.middlewares.aegis-security.headers.sslredirect=true"
- "traefik.http.middlewares.aegis-security.headers.stsSeconds=31536000"
- "traefik.http.middlewares.aegis-security.headers.stsIncludeSubdomains=true"
- "traefik.http.middlewares.aegis-security.headers.stsPreload=true"
- "traefik.http.middlewares.aegis-security.headers.contentTypeNosniff=true"
- "traefik.http.middlewares.aegis-security.headers.browserXssFilter=true"
- "traefik.http.middlewares.aegis-security.headers.forceSTSHeader=true"
# Apply middlewares to router
- "traefik.http.routers.aegis-mcp.middlewares=aegis-ratelimit@docker,aegis-security@docker"
volumes:
aegis-mcp-logs:
driver: local
networks:
aegis-network:
driver: bridge
# External Traefik network (create with: docker network create traefik)
# Comment out if not using Traefik
traefik:
external: true
Reference in New Issue View Git Blame Copy Permalink