docs(deploy): Caddy front-end example + walkthrough (forgejo-mcp-broker-r2c)

Adds deploy/caddy/Caddyfile and docs/deploy-caddy.md, the front-end
half of the production deployment that pairs with deploy-podman.md.

Caddyfile:
- reverse_proxy with flush_interval -1 (mandatory for /mcp SSE)
- structured JSON access log to a separate file
- validated with `caddy validate` and formatted with `caddy fmt`
- omits explicit X-Forwarded-{For,Proto,Host} since Caddy forwards
  them by default (caddy validate flags them as redundant)

deploy-caddy.md walks operators through:
- why a reverse proxy at all (TLS, SSE, future rate limits)
- the host-header trap and why FJMCP_BROKER_PUBLIC_URL is the
  trusted source of issuer URLs (cross-references the existing
  TestDiscovery_IssuerIgnoresHostHeader regression)
- SSE buffering as the most common deployment foot-gun
- optional rate-limit recipe via caddy-ratelimit (defers to backlog
  issue -ttl)
- troubleshooting for the four failure modes the broker has actually
  seen during dev: wrong issuer, buffered SSE, unreachable upstream,
  TLS conflict

README updated to link both deploy guides and the deploy/ subtree.

Closes forgejo-mcp-broker-r2c.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
018f56a4ad
commit
c18120c470
5 changed files with 184 additions and 3 deletions
|
|
@ -29,8 +29,10 @@ Process-level isolation. Each user's Forgejo token lives in exactly one subproce
|
|||
| [`docs/design.md`](docs/design.md) | Architecture, components, token flow, deployment, security |
|
||||
| [`docs/plan.md`](docs/plan.md) | Seven-phase implementation plan with acceptance criteria |
|
||||
| [`docs/deploy-podman.md`](docs/deploy-podman.md) | End-to-end production deploy with rootless podman + Quadlet |
|
||||
| [`docs/deploy-caddy.md`](docs/deploy-caddy.md) | Caddy reverse-proxy front-end (TLS, SSE, host-header defense) |
|
||||
| [`Containerfile`](Containerfile) | Multi-stage build; bundles broker + pinned forgejo-mcp |
|
||||
| [`deploy/podman/`](deploy/podman/) | Quadlet unit and example env file |
|
||||
| [`deploy/caddy/`](deploy/caddy/) | Example Caddyfile |
|
||||
|
||||
## License
|
||||
|
||||
|
|
|
|||
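Review bot: In the `docs/deploy-caddy.md` row, the summary "host-header defense" reads as if the Caddy front-end itself is what protects against a spoofed Host header, while the commit message states that FJMCP_BROKER_PUBLIC_URL is the trusted source of issuer URLs and that the guide treats the Host header as a trap. An operator skimming the README table could deploy the example Caddyfile and assume the proxy covers it. Suggest rewording the cell so it points at the broker setting, for example "(TLS, SSE, host-header trap and FJMCP_BROKER_PUBLIC_URL)", and keeping the `deploy/caddy/` row's "Example Caddyfile" wording consistent with that so it is clear the file is a starting point that depends on the broker configuration.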