ros/n8n-mcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: resolve HTTP server URL handling and security issues (#41, #42)

Browse Source 
- Add intelligent URL detection supporting BASE_URL, PUBLIC_URL, and proxy headers
- Fix hardcoded localhost URLs in server console output
- Add hostname validation to prevent host header injection attacks
- Restrict URL schemes to http/https only (block javascript:, file://, etc.)
- Remove sensitive environment data from API responses
- Add GET endpoints (/, /mcp) for better API discovery
- Fix version inconsistency between server implementations
- Update HTTP bridge to use HOST/PORT environment variables
- Add comprehensive test scripts for URL configuration and security

This resolves issues #41 and #42 by making the HTTP server properly handle
deployment behind reverse proxies and adds critical security validations.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
czlonkowski
2025-07-15 16:46:30 +02:00
parent 4c217088f5
commit a0f09fba28
12 changed files with 641 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
.env.example
View File

@@ -44,6 +44,15 @@ USE_FIXED_HTTP=true
PORT=3000
HOST=0.0.0.0
# Base URL Configuration (optional)
# Set this when running behind a proxy or when the server is accessed via a different URL
# than what it binds to. If not set, URLs will be auto-detected from proxy headers (if TRUST_PROXY is set)
# or constructed from HOST and PORT.
# Examples:
# BASE_URL=https://n8n-mcp.example.com
# BASE_URL=https://your-domain.com:8443
# PUBLIC_URL=https://n8n-mcp.mydomain.com (alternative to BASE_URL)
# Authentication token for HTTP mode (REQUIRED)
# Generate with: openssl rand -base64 32
AUTH_TOKEN=your-secure-token-here

2
README.md
View File

@@ -2,7 +2,7 @@
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![GitHub stars](https://img.shields.io/github/stars/czlonkowski/n8n-mcp?style=social)](https://github.com/czlonkowski/n8n-mcp)
[![Version](https://img.shields.io/badge/version-2.7.13-blue.svg)](https://github.com/czlonkowski/n8n-mcp)
[![Version](https://img.shields.io/badge/version-2.7.15-blue.svg)](https://github.com/czlonkowski/n8n-mcp)
[![npm version](https://img.shields.io/npm/v/n8n-mcp.svg)](https://www.npmjs.com/package/n8n-mcp)
[![n8n version](https://img.shields.io/badge/n8n-v1.101.1-orange.svg)](https://github.com/n8n-io/n8n)
[![Docker](https://img.shields.io/badge/docker-ghcr.io%2Fczlonkowski%2Fn8n--mcp-green.svg)](https://github.com/czlonkowski/n8n-mcp/pkgs/container/n8n-mcp)

BIN
data/nodes.db
View File

Binary file not shown.

39
docs/CHANGELOG.md
View File

@@ -5,6 +5,45 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [2.7.15] - 2025-07-15
### Fixed
- **HTTP Server URL Handling**: Fixed hardcoded localhost URLs in HTTP server output (Issue #41, #42)
- Added intelligent URL detection that considers BASE_URL, PUBLIC_URL, and proxy headers
- Server now displays correct public URLs when deployed behind reverse proxies
- Added support for X-Forwarded-Proto and X-Forwarded-Host headers when TRUST_PROXY is enabled
- Fixed port display logic to hide standard ports (80/443) in URLs
- Added new GET endpoints (/, /mcp) for better API discovery
### Security
- **Host Header Injection Prevention**: Added hostname validation to prevent malicious proxy headers
- Only accepts valid hostnames (alphanumeric, dots, hyphens, optional port)
- Rejects hostnames with paths, usernames, or special characters
- Falls back to safe defaults when invalid headers are detected
- **URL Scheme Validation**: Restricted URL schemes to http/https only
- Blocks dangerous schemes like javascript:, file://, data:
- Validates all configured URLs (BASE_URL, PUBLIC_URL)
- **Information Disclosure**: Removed sensitive environment data from API responses
- Root endpoint no longer exposes internal configuration
- Only shows essential API information
### Added
- **URL Detection Utility**: New `url-detector.ts` module for intelligent URL detection
- Prioritizes explicit configuration (BASE_URL/PUBLIC_URL)
- Falls back to proxy headers when TRUST_PROXY is enabled
- Uses host/port configuration as final fallback
- Includes comprehensive security validations
- **Test Scripts**: Added test scripts for URL configuration and security validation
- `test-url-configuration.ts`: Tests various URL detection scenarios
- `test-security.ts`: Validates security fixes for malicious headers
### Changed
- **Consistent Versioning**: Fixed version inconsistency between server implementations
- Both http-server.ts and http-server-single-session.ts now use PROJECT_VERSION
- Removed hardcoded version strings
- **HTTP Bridge**: Updated to use HOST/PORT environment variables for default URL construction
- **Documentation**: Updated HTTP deployment guide with URL configuration section
## [2.7.14] - 2025-07-15
### Fixed

35
docs/HTTP_DEPLOYMENT.md
View File

@@ -151,6 +151,8 @@ Skip HTTP entirely and use stdio mode directly:
| `LOG_LEVEL` | Log verbosity | `info` |
| `NODE_ENV` | Environment | `production` |
| `TRUST_PROXY` | Trust proxy headers for correct IP logging | `0` |
| `BASE_URL` | Public URL for the server (v2.7.14+) | Auto-detected |
| `PUBLIC_URL` | Alternative to BASE_URL | Auto-detected |
### n8n Management Tools (Optional)
@@ -200,6 +202,39 @@ When configured, you get **16 additional tools** (total: 38 tools):
## 🌐 Reverse Proxy Configuration
### URL Configuration (v2.7.14+)
n8n-MCP now intelligently detects the correct URL for your deployment:
1. **Explicit Configuration** (highest priority):
```bash
BASE_URL=https://n8n-mcp.example.com # Explicitly set public URL
# or
PUBLIC_URL=https://your-domain.com:8443
```
2. **Auto-Detection from Proxy Headers** (when TRUST_PROXY is enabled):
- Detects from `X-Forwarded-Proto` and `X-Forwarded-Host` headers
- Perfect for Cloudflare, Nginx, and other proxies
3. **Fallback** (when not configured):
- Uses `HOST` and `PORT` configuration
- Shows `localhost` when bound to `0.0.0.0`
**Example scenarios:**
```bash
# Behind Cloudflare (auto-detected)
TRUST_PROXY=1
# Console shows: https://n8n-mcp.example.com
# Explicit configuration
BASE_URL=https://api.mycompany.com/mcp
# Console shows: https://api.mycompany.com/mcp
# Local development (no proxy)
# Console shows: http://localhost:3000
```
### Trust Proxy for Correct IP Logging
When running n8n-MCP behind a reverse proxy (Nginx, Traefik, etc.), enable trust proxy to log real client IPs instead of proxy IPs:

3
package.json
View File

@@ -1,6 +1,6 @@
{
"name": "n8n-mcp",
"version": "2.7.14",
"version": "2.7.15",
"description": "Integration between n8n workflow automation and Model Context Protocol (MCP)",
"main": "dist/index.js",
"bin": {
@@ -41,6 +41,7 @@
"test:workflow-diff": "node dist/scripts/test-workflow-diff.js",
"test:transactional-diff": "node dist/scripts/test-transactional-diff.js",
"test:tools-documentation": "node dist/scripts/test-tools-documentation.js",
"test:url-configuration": "npm run build && ts-node scripts/test-url-configuration.ts",
"test:search-improvements": "node dist/scripts/test-search-improvements.js",
"test:fts5-search": "node dist/scripts/test-fts5-search.js",
"migrate:fts5": "node dist/scripts/migrate-nodes-fts.js",

5
scripts/http-bridge.js
View File

@@ -8,7 +8,10 @@
const http = require('http');
const readline = require('readline');
const MCP_URL = process.env.MCP_URL || 'http://localhost:3000/mcp';
// Use MCP_URL from environment or construct from HOST/PORT if available
const defaultHost = process.env.HOST || 'localhost';
const defaultPort = process.env.PORT || '3000';
const MCP_URL = process.env.MCP_URL || `http://${defaultHost}:${defaultPort}/mcp`;
const AUTH_TOKEN = process.env.AUTH_TOKEN || process.argv[2];
if (!AUTH_TOKEN) {

96
scripts/test-security.ts Normal file
View File

@@ -0,0 +1,96 @@
#!/usr/bin/env node
import axios from 'axios';
import { spawn } from 'child_process';
async function testMaliciousHeaders() {
console.log('🔒 Testing Security Fixes...\n');
// Start server with TRUST_PROXY enabled
const serverProcess = spawn('node', ['dist/mcp/index.js'], {
env: {
...process.env,
MCP_MODE: 'http',
AUTH_TOKEN: 'test-security-token-32-characters-long',
PORT: '3999',
TRUST_PROXY: '1'
}
});
// Wait for server to start
await new Promise(resolve => {
serverProcess.stdout.on('data', (data) => {
if (data.toString().includes('Press Ctrl+C to stop')) {
resolve(undefined);
}
});
});
const testCases = [
{
name: 'Valid proxy headers',
headers: {
'X-Forwarded-Host': 'example.com',
'X-Forwarded-Proto': 'https'
}
},
{
name: 'Malicious host header (with path)',
headers: {
'X-Forwarded-Host': 'evil.com/path/to/evil',
'X-Forwarded-Proto': 'https'
}
},
{
name: 'Malicious host header (with @)',
headers: {
'X-Forwarded-Host': 'user@evil.com',
'X-Forwarded-Proto': 'https'
}
},
{
name: 'Invalid hostname (multiple dots)',
headers: {
'X-Forwarded-Host': '.....',
'X-Forwarded-Proto': 'https'
}
},
{
name: 'IPv6 address',
headers: {
'X-Forwarded-Host': '[::1]:3000',
'X-Forwarded-Proto': 'https'
}
}
];
for (const testCase of testCases) {
try {
const response = await axios.get('http://localhost:3999/', {
headers: testCase.headers,
timeout: 2000
});
const endpoints = response.data.endpoints;
const healthUrl = endpoints?.health?.url || 'N/A';
console.log(`${testCase.name}`);
console.log(` Response: ${healthUrl}`);
// Check if malicious headers were blocked
if (testCase.name.includes('Malicious') || testCase.name.includes('Invalid')) {
if (healthUrl.includes('evil.com') || healthUrl.includes('@') || healthUrl.includes('.....')) {
console.log(' ❌ SECURITY ISSUE: Malicious header was not blocked!');
} else {
console.log(' ✅ Malicious header was blocked');
}
}
} catch (error) {
console.log(`${testCase.name} - Request failed`);
}
console.log('');
}
serverProcess.kill();
}
testMaliciousHeaders().catch(console.error);

192
scripts/test-url-configuration.ts Executable file
View File

@@ -0,0 +1,192 @@
#!/usr/bin/env node
/**
* Test script for URL configuration in n8n-MCP HTTP server
* Tests various BASE_URL, TRUST_PROXY, and proxy header scenarios
*/
import axios from 'axios';
import { spawn } from 'child_process';
import { logger } from '../src/utils/logger';
interface TestCase {
name: string;
env: Record<string, string>;
expectedUrls?: {
health: string;
mcp: string;
};
proxyHeaders?: Record<string, string>;
}
const testCases: TestCase[] = [
{
name: 'Default configuration (no BASE_URL)',
env: {
MCP_MODE: 'http',
AUTH_TOKEN: 'test-token-for-testing-only',
PORT: '3001'
},
expectedUrls: {
health: 'http://localhost:3001/health',
mcp: 'http://localhost:3001/mcp'
}
},
{
name: 'With BASE_URL configured',
env: {
MCP_MODE: 'http',
AUTH_TOKEN: 'test-token-for-testing-only',
PORT: '3002',
BASE_URL: 'https://n8n-mcp.example.com'
},
expectedUrls: {
health: 'https://n8n-mcp.example.com/health',
mcp: 'https://n8n-mcp.example.com/mcp'
}
},
{
name: 'With PUBLIC_URL configured',
env: {
MCP_MODE: 'http',
AUTH_TOKEN: 'test-token-for-testing-only',
PORT: '3003',
PUBLIC_URL: 'https://api.company.com/mcp'
},
expectedUrls: {
health: 'https://api.company.com/mcp/health',
mcp: 'https://api.company.com/mcp/mcp'
}
},
{
name: 'With TRUST_PROXY and proxy headers',
env: {
MCP_MODE: 'http',
AUTH_TOKEN: 'test-token-for-testing-only',
PORT: '3004',
TRUST_PROXY: '1'
},
proxyHeaders: {
'X-Forwarded-Proto': 'https',
'X-Forwarded-Host': 'proxy.example.com'
}
},
{
name: 'Fixed HTTP implementation',
env: {
MCP_MODE: 'http',
USE_FIXED_HTTP: 'true',
AUTH_TOKEN: 'test-token-for-testing-only',
PORT: '3005',
BASE_URL: 'https://fixed.example.com'
},
expectedUrls: {
health: 'https://fixed.example.com/health',
mcp: 'https://fixed.example.com/mcp'
}
}
];
async function runTest(testCase: TestCase): Promise<void> {
console.log(`\n🧪 Testing: ${testCase.name}`);
console.log('Environment:', testCase.env);
const serverProcess = spawn('node', ['dist/mcp/index.js'], {
env: { ...process.env, ...testCase.env }
});
let serverOutput = '';
let serverStarted = false;
return new Promise((resolve, reject) => {
const timeout = setTimeout(() => {
serverProcess.kill();
reject(new Error('Server startup timeout'));
}, 10000);
serverProcess.stdout.on('data', (data) => {
const output = data.toString();
serverOutput += output;
if (output.includes('Press Ctrl+C to stop the server')) {
serverStarted = true;
clearTimeout(timeout);
// Give server a moment to fully initialize
setTimeout(async () => {
try {
// Test root endpoint
const rootUrl = `http://localhost:${testCase.env.PORT}/`;
const rootResponse = await axios.get(rootUrl, {
headers: testCase.proxyHeaders || {}
});
console.log('✅ Root endpoint response:');
console.log(` - Endpoints: ${JSON.stringify(rootResponse.data.endpoints, null, 2)}`);
// Test health endpoint
const healthUrl = `http://localhost:${testCase.env.PORT}/health`;
const healthResponse = await axios.get(healthUrl);
console.log(`✅ Health endpoint status: ${healthResponse.data.status}`);
// Test MCP info endpoint
const mcpUrl = `http://localhost:${testCase.env.PORT}/mcp`;
const mcpResponse = await axios.get(mcpUrl);
console.log(`✅ MCP info endpoint: ${mcpResponse.data.description}`);
// Check console output
if (testCase.expectedUrls) {
const outputContainsExpectedUrls =
serverOutput.includes(testCase.expectedUrls.health) &&
serverOutput.includes(testCase.expectedUrls.mcp);
if (outputContainsExpectedUrls) {
console.log('✅ Console output shows expected URLs');
} else {
console.log('❌ Console output does not show expected URLs');
console.log('Expected:', testCase.expectedUrls);
}
}
serverProcess.kill();
resolve();
} catch (error) {
console.error('❌ Test failed:', error instanceof Error ? error.message : String(error));
serverProcess.kill();
reject(error);
}
}, 500);
}
});
serverProcess.stderr.on('data', (data) => {
console.error('Server error:', data.toString());
});
serverProcess.on('close', (code) => {
if (!serverStarted) {
reject(new Error(`Server exited with code ${code} before starting`));
} else {
resolve();
}
});
});
}
async function main() {
console.log('🚀 n8n-MCP URL Configuration Test Suite');
console.log('======================================');
for (const testCase of testCases) {
try {
await runTest(testCase);
console.log('✅ Test passed\n');
} catch (error) {
console.error('❌ Test failed:', error instanceof Error ? error.message : String(error));
console.log('\n');
}
}
console.log('✨ All tests completed');
}
main().catch(console.error);

80
src/http-server-single-session.ts
View File

@@ -11,6 +11,8 @@ import { ConsoleManager } from './utils/console-manager';
import { logger } from './utils/logger';
import { readFileSync } from 'fs';
import dotenv from 'dotenv';
import { getStartupBaseUrl, formatEndpointUrls, detectBaseUrl } from './utils/url-detector';
import { PROJECT_VERSION } from './utils/version';
dotenv.config();
@@ -230,12 +232,44 @@ export class SingleSessionHTTPServer {
next();
});
// Root endpoint with API information
app.get('/', (req, res) => {
const port = parseInt(process.env.PORT || '3000');
const host = process.env.HOST || '0.0.0.0';
const baseUrl = detectBaseUrl(req, host, port);
const endpoints = formatEndpointUrls(baseUrl);
res.json({
name: 'n8n Documentation MCP Server',
version: PROJECT_VERSION,
description: 'Model Context Protocol server providing comprehensive n8n node documentation and workflow management',
endpoints: {
health: {
url: endpoints.health,
method: 'GET',
description: 'Health check and status information'
},
mcp: {
url: endpoints.mcp,
method: 'GET/POST',
description: 'MCP endpoint - GET for info, POST for JSON-RPC'
}
},
authentication: {
type: 'Bearer Token',
header: 'Authorization: Bearer <token>',
required_for: ['POST /mcp']
},
documentation: 'https://github.com/czlonkowski/n8n-mcp'
});
});
// Health check endpoint (no body parsing needed for GET)
app.get('/health', (req, res) => {
res.json({
status: 'ok',
mode: 'single-session',
version: '2.3.2',
version: PROJECT_VERSION,
uptime: Math.floor(process.uptime()),
sessionActive: !!this.session,
sessionAge: this.session
@@ -250,6 +284,35 @@ export class SingleSessionHTTPServer {
});
});
// MCP information endpoint (no auth required for discovery)
app.get('/mcp', (req, res) => {
res.json({
description: 'n8n Documentation MCP Server',
version: PROJECT_VERSION,
endpoints: {
mcp: {
method: 'POST',
path: '/mcp',
description: 'Main MCP JSON-RPC endpoint',
authentication: 'Bearer token required'
},
health: {
method: 'GET',
path: '/health',
description: 'Health check endpoint',
authentication: 'None'
},
root: {
method: 'GET',
path: '/',
description: 'API information',
authentication: 'None'
}
},
documentation: 'https://github.com/czlonkowski/n8n-mcp'
});
});
// Main MCP endpoint with authentication
app.post('/mcp', async (req: express.Request, res: express.Response): Promise<void> => {
// Enhanced authentication check with specific logging
@@ -347,10 +410,21 @@ export class SingleSessionHTTPServer {
this.expressServer = app.listen(port, host, () => {
logger.info(`n8n MCP Single-Session HTTP Server started`, { port, host });
// Detect the base URL using our utility
const baseUrl = getStartupBaseUrl(host, port);
const endpoints = formatEndpointUrls(baseUrl);
console.log(`n8n MCP Single-Session HTTP Server running on ${host}:${port}`);
console.log(`Health check: http://localhost:${port}/health`);
console.log(`MCP endpoint: http://localhost:${port}/mcp`);
console.log(`Health check: ${endpoints.health}`);
console.log(`MCP endpoint: ${endpoints.mcp}`);
console.log('\nPress Ctrl+C to stop the server');
if (process.env.BASE_URL || process.env.PUBLIC_URL) {
console.log(`\nPublic URL configured: ${baseUrl}`);
} else if (process.env.TRUST_PROXY && Number(process.env.TRUST_PROXY) > 0) {
console.log(`\nNote: TRUST_PROXY is enabled. URLs will be auto-detected from proxy headers.`);
}
});
// Handle server errors

77
src/http-server.ts
View File

@@ -13,6 +13,7 @@ import { PROJECT_VERSION } from './utils/version';
import { isN8nApiConfigured } from './config/n8n-api';
import dotenv from 'dotenv';
import { readFileSync } from 'fs';
import { getStartupBaseUrl, formatEndpointUrls, detectBaseUrl } from './utils/url-detector';
dotenv.config();
@@ -145,6 +146,38 @@ export async function startFixedHTTPServer() {
const mcpServer = new N8NDocumentationMCPServer();
logger.info('Created persistent MCP server instance');
// Root endpoint with API information
app.get('/', (req, res) => {
const port = parseInt(process.env.PORT || '3000');
const host = process.env.HOST || '0.0.0.0';
const baseUrl = detectBaseUrl(req, host, port);
const endpoints = formatEndpointUrls(baseUrl);
res.json({
name: 'n8n Documentation MCP Server',
version: PROJECT_VERSION,
description: 'Model Context Protocol server providing comprehensive n8n node documentation and workflow management',
endpoints: {
health: {
url: endpoints.health,
method: 'GET',
description: 'Health check and status information'
},
mcp: {
url: endpoints.mcp,
method: 'GET/POST',
description: 'MCP endpoint - GET for info, POST for JSON-RPC'
}
},
authentication: {
type: 'Bearer Token',
header: 'Authorization: Bearer <token>',
required_for: ['POST /mcp']
},
documentation: 'https://github.com/czlonkowski/n8n-mcp'
});
});
// Health check endpoint
app.get('/health', (req, res) => {
res.json({
@@ -181,6 +214,35 @@ export async function startFixedHTTPServer() {
}
});
// MCP information endpoint (no auth required for discovery)
app.get('/mcp', (req, res) => {
res.json({
description: 'n8n Documentation MCP Server',
version: PROJECT_VERSION,
endpoints: {
mcp: {
method: 'POST',
path: '/mcp',
description: 'Main MCP JSON-RPC endpoint',
authentication: 'Bearer token required'
},
health: {
method: 'GET',
path: '/health',
description: 'Health check endpoint',
authentication: 'None'
},
root: {
method: 'GET',
path: '/',
description: 'API information',
authentication: 'None'
}
},
documentation: 'https://github.com/czlonkowski/n8n-mcp'
});
});
// Main MCP endpoint - handle each request with custom transport handling
app.post('/mcp', async (req: express.Request, res: express.Response): Promise<void> => {
const startTime = Date.now();
@@ -414,10 +476,21 @@ export async function startFixedHTTPServer() {
expressServer = app.listen(port, host, () => {
logger.info(`n8n MCP Fixed HTTP Server started`, { port, host });
// Detect the base URL using our utility
const baseUrl = getStartupBaseUrl(host, port);
const endpoints = formatEndpointUrls(baseUrl);
console.log(`n8n MCP Fixed HTTP Server running on ${host}:${port}`);
console.log(`Health check: http://localhost:${port}/health`);
console.log(`MCP endpoint: http://localhost:${port}/mcp`);
console.log(`Health check: ${endpoints.health}`);
console.log(`MCP endpoint: ${endpoints.mcp}`);
console.log('\nPress Ctrl+C to stop the server');
if (process.env.BASE_URL || process.env.PUBLIC_URL) {
console.log(`\nPublic URL configured: ${baseUrl}`);
} else if (process.env.TRUST_PROXY && Number(process.env.TRUST_PROXY) > 0) {
console.log(`\nNote: TRUST_PROXY is enabled. URLs will be auto-detected from proxy headers.`);
}
});
// Handle errors

111
src/utils/url-detector.ts Normal file
View File

@@ -0,0 +1,111 @@
import { Request } from 'express';
import { logger } from './logger';
/**
* Validates a hostname to prevent header injection attacks
*/
function isValidHostname(host: string): boolean {
// Allow alphanumeric, dots, hyphens, and optional port
return /^[a-zA-Z0-9.-]+(:[0-9]+)?$/.test(host) && host.length < 256;
}
/**
* Validates a URL string
*/
function isValidUrl(url: string): boolean {
try {
const parsed = new URL(url);
// Only allow http and https protocols
return parsed.protocol === 'http:' || parsed.protocol === 'https:';
} catch {
return false;
}
}
/**
* Detects the base URL for the server, considering:
* 1. Explicitly configured BASE_URL or PUBLIC_URL
* 2. Proxy headers (X-Forwarded-Proto, X-Forwarded-Host)
* 3. Host and port configuration
*/
export function detectBaseUrl(req: Request | null, host: string, port: number): string {
try {
// 1. Check for explicitly configured URL
const configuredUrl = process.env.BASE_URL || process.env.PUBLIC_URL;
if (configuredUrl) {
if (isValidUrl(configuredUrl)) {
logger.debug('Using configured BASE_URL/PUBLIC_URL', { url: configuredUrl });
return configuredUrl.replace(/\/$/, ''); // Remove trailing slash
} else {
logger.warn('Invalid BASE_URL/PUBLIC_URL configured, falling back to auto-detection', { url: configuredUrl });
}
}
// 2. If we have a request, try to detect from proxy headers
if (req && process.env.TRUST_PROXY && Number(process.env.TRUST_PROXY) > 0) {
const proto = req.get('X-Forwarded-Proto') || req.protocol || 'http';
const forwardedHost = req.get('X-Forwarded-Host');
const hostHeader = req.get('Host');
const detectedHost = forwardedHost || hostHeader;
if (detectedHost && isValidHostname(detectedHost)) {
const baseUrl = `${proto}://${detectedHost}`;
logger.debug('Detected URL from proxy headers', {
proto,
forwardedHost,
hostHeader,
baseUrl
});
return baseUrl;
} else if (detectedHost) {
logger.warn('Invalid hostname detected in proxy headers, using fallback', { detectedHost });
}
}
// 3. Fall back to configured host and port
const displayHost = host === '0.0.0.0' ? 'localhost' : host;
const protocol = 'http'; // Default to http for local bindings
// Don't show standard ports (for http only in this fallback case)
const needsPort = port !== 80;
const baseUrl = needsPort ?
`${protocol}://${displayHost}:${port}` :
`${protocol}://${displayHost}`;
logger.debug('Using fallback URL from host/port', {
host,
displayHost,
port,
baseUrl
});
return baseUrl;
} catch (error) {
logger.error('Error detecting base URL, using fallback', error);
// Safe fallback
return `http://localhost:${port}`;
}
}
/**
* Gets the base URL for console display during startup
* This is used when we don't have a request object yet
*/
export function getStartupBaseUrl(host: string, port: number): string {
return detectBaseUrl(null, host, port);
}
/**
* Formats endpoint URLs for display
*/
export function formatEndpointUrls(baseUrl: string): {
health: string;
mcp: string;
root: string;
} {
return {
health: `${baseUrl}/health`,
mcp: `${baseUrl}/mcp`,
root: baseUrl
};
}