- Add intelligent URL detection supporting BASE_URL, PUBLIC_URL, and proxy headers
- Fix hardcoded localhost URLs in server console output
- Add hostname validation to prevent host header injection attacks
- Restrict URL schemes to http/https only (block javascript:, file://, etc.)
- Remove sensitive environment data from API responses
- Add GET endpoints (/, /mcp) for better API discovery
- Fix version inconsistency between server implementations
- Update HTTP bridge to use HOST/PORT environment variables
- Add comprehensive test scripts for URL configuration and security

This resolves issues #41 and #42 by making the HTTP server properly handle deployment behind reverse proxies and adds critical security validations.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@@ -5,6 +5,45 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [2.7.15] - 2025-07-15
### Fixed
- **HTTP Server URL Handling**: Fixed hardcoded localhost URLs in HTTP server output (Issue #41, #42)
- Added intelligent URL detection that considers BASE_URL, PUBLIC_URL, and proxy headers
- Server now displays correct public URLs when deployed behind reverse proxies
- Added support for X-Forwarded-Proto and X-Forwarded-Host headers when TRUST_PROXY is enabled
- Fixed port display logic to hide standard ports (80/443) in URLs
- Added new GET endpoints (/, /mcp) for better API discovery
### Security
- **Host Header Injection Prevention**: Added hostname validation to prevent malicious proxy headers
- Only accepts valid hostnames (alphanumeric, dots, hyphens, optional port)
- Rejects hostnames with paths, usernames, or special characters
- Falls back to safe defaults when invalid headers are detected
- **URL Scheme Validation**: Restricted URL schemes to http/https only
- Blocks dangerous schemes like javascript:, file://, data:
- Validates all configured URLs (BASE_URL, PUBLIC_URL)
- **Information Disclosure**: Removed sensitive environment data from API responses
- Root endpoint no longer exposes internal configuration
- Only shows essential API information
### Added
- **URL Detection Utility**: New `url-detector.ts` module for intelligent URL detection
- Prioritizes explicit configuration (BASE_URL/PUBLIC_URL)
- Falls back to proxy headers when TRUST_PROXY is enabled
- Uses host/port configuration as final fallback
- Includes comprehensive security validations
- **Test Scripts**: Added test scripts for URL configuration and security validation
- `test-url-configuration.ts`: Tests various URL detection scenarios
- `test-security.ts`: Validates security fixes for malicious headers
### Changed
- **Consistent Versioning**: Fixed version inconsistency between server implementations
- Both http-server.ts and http-server-single-session.ts now use PROJECT_VERSION
- Removed hardcoded version strings
- **HTTP Bridge**: Updated to use HOST/PORT environment variables for default URL construction
- **Documentation**: Updated HTTP deployment guide with URL configuration section
## [2.7.14] - 2025-07-15
### Fixed
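Review bot: the version these variables are attributed to is inconsistent within this patch: this 2.7.15 entry introduces BASE_URL, PUBLIC_URL and the TRUST_PROXY-gated X-Forwarded-Proto/X-Forwarded-Host detection under Fixed/Added, while the README rows in the same change label them `(v2.7.14+)`; pick one version (2.7.15 matches this section and the PROJECT_VERSION cleanup under Changed) and use it in both files. The Security bullet "Falls back to safe defaults when invalid headers are detected" should also state whether the rejected header is logged; a silent fallback hides an attempted host header injection from operators, and this section is where they will look for that behaviour.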
@@ -151,6 +151,8 @@ Skip HTTP entirely and use stdio mode directly:
| `LOG_LEVEL` | Log verbosity | `info` |
| `NODE_ENV` | Environment | `production` |
| `TRUST_PROXY` | Trust proxy headers for correct IP logging | `0` |
| `BASE_URL` | Public URL for the server (v2.7.14+) | Auto-detected |
| `PUBLIC_URL` | Alternative to BASE_URL | Auto-detected |
### n8n Management Tools (Optional)
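Review bot: the `TRUST_PROXY` row still reads "Trust proxy headers for correct IP logging", but after this change the same flag also makes `X-Forwarded-Proto`/`X-Forwarded-Host` authoritative for the advertised public URL, which is a larger trust decision than IP logging; update the description to something like "Trust X-Forwarded-* headers for client IP and public URL detection; enable only when the app port is reachable solely through the proxy". The `(v2.7.14+)` on the `BASE_URL` row conflicts with the changelog, which records the variable under 2.7.15, and "Auto-detected" as the default for `BASE_URL`/`PUBLIC_URL` is misleading when `TRUST_PROXY` is `0`, where the fallback is `HOST`/`PORT`.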
@@ -200,6 +202,39 @@ When configured, you get **16 additional tools** (total: 38 tools):
## 🌐 Reverse Proxy Configuration
### URL Configuration (v2.7.14+)
n8n-MCP now intelligently detects the correct URL for your deployment:
1. **Explicit Configuration** (highest priority):
```bash
BASE_URL=https://n8n-mcp.example.com # Explicitly set public URL
# or
PUBLIC_URL=https://your-domain.com:8443
```
2. **Auto-Detection from Proxy Headers** (when TRUST_PROXY is enabled):
- Detects from `X-Forwarded-Proto` and `X-Forwarded-Host` headers
- Perfect for Cloudflare, Nginx, and other proxies
3. **Fallback** (when not configured):
- Uses `HOST` and `PORT` configuration
- Shows `localhost` when bound to `0.0.0.0`
**Example scenarios:**
```bash
# Behind Cloudflare (auto-detected)
TRUST_PROXY=1
# Console shows: https://n8n-mcp.example.com
# Explicit configuration
BASE_URL=https://api.mycompany.com/mcp
# Console shows: https://api.mycompany.com/mcp
# Local development (no proxy)
# Console shows: http://localhost:3000
```
### Trust Proxy for Correct IP Logging
When running n8n-MCP behind a reverse proxy (Nginx, Traefik, etc.), enable trust proxy to log real client IPs instead of proxy IPs:
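Review bot: the "Behind Cloudflare (auto-detected)" scenario claims the console shows `https://n8n-mcp.example.com` from `TRUST_PROXY=1` alone, but `X-Forwarded-Proto`/`X-Forwarded-Host` exist only on incoming requests, so startup output cannot know them; either state that the startup line still shows the HOST/PORT fallback and proxy-derived URLs appear per request (for example in the new `/` and `/mcp` discovery responses), or tell users to set `BASE_URL` when they want a correct startup banner. The section should also warn that with `TRUST_PROXY=1` any client that can reach the app port directly can supply `X-Forwarded-Host` and have it reflected in advertised URLs (the hostname validation restricts the character set, not who supplies the value), so the port must be reachable only from the proxy. Finally, the `BASE_URL=https://api.mycompany.com/mcp` example carries a path: say whether `/mcp` is appended to it again or whether the configured path is used verbatim.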