turbomcp-proxy 3.0.9

Universal MCP adapter/generator - introspection, proxying, and code generation for any MCP server
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169

//! Configuration types for turbomcp-proxy

use ipnetwork::IpNetwork;
use serde::{Deserialize, Serialize};
use std::time::Duration;

/// Proxy configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ProxyConfig {
    /// Session timeout
    pub session_timeout: Duration,

    /// Maximum concurrent sessions
    pub max_sessions: usize,

    /// Request timeout
    pub request_timeout: Duration,
}

impl Default for ProxyConfig {
    fn default() -> Self {
        Self {
            session_timeout: Duration::from_secs(300),
            max_sessions: 1000,
            request_timeout: Duration::from_secs(30),
        }
    }
}

/// ID mapping strategy
#[derive(Debug, Clone, Copy, Serialize, Deserialize, Default)]
pub enum IdMappingStrategy {
    /// Prefix message IDs with session ID
    #[default]
    Prefix,

    /// Use UUID mapping table
    MappingTable,

    /// Pass through (no mapping)
    PassThrough,
}

/// Backend configuration for runtime proxy
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "type", rename_all = "lowercase")]
pub enum BackendConfig {
    /// Standard I/O backend (subprocess)
    Stdio {
        /// Command to execute (e.g., "python", "node")
        command: String,
        /// Command arguments
        args: Vec<String>,
        /// Optional working directory
        #[serde(skip_serializing_if = "Option::is_none")]
        working_dir: Option<String>,
    },
    /// HTTP backend with Server-Sent Events
    Http {
        /// Base URL of the HTTP server
        url: String,
        /// Optional authentication token
        #[serde(skip_serializing_if = "Option::is_none")]
        auth_token: Option<String>,
    },
    /// TCP backend with bidirectional communication
    Tcp {
        /// Host or IP address
        host: String,
        /// Port number
        port: u16,
    },
    /// Unix domain socket backend
    #[cfg(unix)]
    Unix {
        /// Socket file path
        path: String,
    },
    /// WebSocket backend with bidirectional communication
    WebSocket {
        /// WebSocket URL (ws:// or wss://)
        url: String,
    },
}

/// Frontend type for runtime proxy
#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
#[serde(rename_all = "lowercase")]
pub enum FrontendType {
    /// Standard I/O frontend
    Stdio,
    /// HTTP with Server-Sent Events frontend
    Http,
    /// WebSocket bidirectional frontend
    WebSocket,
}

/// SSRF protection level for backend URL validation
///
/// Controls which IP ranges and endpoints are blocked to prevent
/// Server-Side Request Forgery attacks.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
#[serde(rename_all = "lowercase")]
pub enum SsrfProtection {
    /// Strict: Block all private networks and cloud metadata endpoints
    ///
    /// This is the recommended default for public-facing proxies.
    /// Blocks:
    /// - Private IPv4 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
    /// - Loopback addresses (127.0.0.0/8, `::1`)
    /// - Link-local addresses (169.254.0.0/16, `fe80::/10`)
    /// - Cloud metadata endpoints (169.254.169.254, 168.63.129.16)
    /// - IPv6 unique local addresses (`fc00::/7`)
    #[default]
    Strict,

    /// Balanced: Block cloud metadata, allow specific private networks
    ///
    /// Use this for internal proxies that need to connect to private services.
    /// Configure `allowed_private_networks` to specify which private networks
    /// are permitted.
    Balanced {
        /// List of allowed private IP ranges
        ///
        /// Uses the industry-standard `ipnetwork` crate for CIDR notation.
        /// Create networks using `IpNetwork::from_str("10.0.0.0/8")` or
        /// `Ipv4Network::from_str("192.168.1.0/24")`.
        allowed_private_networks: Vec<IpNetwork>,
    },

    /// Disabled: No SSRF protection (USE ONLY BEHIND FIREWALL)
    ///
    /// Only use this when the proxy is behind a firewall that handles
    /// SSRF protection at the network level.
    Disabled,
}

/// Backend URL validation configuration
///
/// Controls SSRF protection, allowed schemes, and custom blocklists for
/// backend connections.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BackendValidationConfig {
    /// SSRF protection level
    pub ssrf_protection: SsrfProtection,

    /// Allowed URL schemes (default: http, https, ws, wss)
    pub allowed_schemes: Vec<String>,

    /// Additional blocked hostnames (custom blocklist)
    ///
    /// Use this to block specific hostnames beyond the default SSRF protection.
    pub blocked_hosts: Vec<String>,
}

impl Default for BackendValidationConfig {
    fn default() -> Self {
        Self {
            ssrf_protection: SsrfProtection::Strict,
            allowed_schemes: vec![
                "http".to_string(),
                "https".to_string(),
                "ws".to_string(),
                "wss".to_string(),
            ],
            blocked_hosts: vec![],
        }
    }
}