Adding Auth Basic header to mcp client for server to site in front of… #137

Open
jrespeto wants to merge 3 commits into 0x4m4:master from jrespeto:master
@jrespeto jrespeto commented Jan 23, 2026

Update to hexstrike_mcp.py

Adding Auth Basic `--auth-basic` and TLS `--disable-ssl-verify` flags to the mcp client for servers behind a reverse proxy with auth.

Edit: Added `--auth-token` to the client, and code to the mcp server to check the token header.

Users can set up a reverse proxy with an nginx container.

```bash
# Run everything from the project directory; all generated files live under ./nginx
mkdir -p nginx/auth nginx/certs nginx/logs

# Create the htpasswd file for user "hexmin" (prompts for a password)
podman run -it --rm -v "./nginx/auth:/auth" docker.io/httpd bash -c "htpasswd -c /auth/users hexmin"

# Quoted 'EOF' delimiters stop the shell from expanding $variables inside the files
cat <<'EOF' > container-compose.yml
services:

  nginx:
    hostname: nginx
    container_name: nginx
    image: docker.io/nginx
    pull_policy: always
    # Host networking: nginx listens on host port 8080 directly, so no port mapping is needed
    network_mode: host
    restart: always
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/auth/users:/etc/nginx/auth/users:ro
      - ./nginx/certs:/etc/nginx/ssl:ro
      - ./nginx/logs:/var/log/nginx
EOF

cat <<'EOF' > nginx/nginx.conf
events {
    worker_connections 2048;
}


http {

    # Needed for the $connection_upgrade variable
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    upstream hexstrike {
        server               127.0.0.1:8888;
    }

    keepalive_timeout 300s;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log info;

    server {
        listen              8080 ssl;
        http2 on;
        server_name example.local;

        ssl_certificate     /etc/nginx/ssl/selfsigned.crt;
        ssl_certificate_key /etc/nginx/ssl/selfsigned.key;

        # Reasonable TLS settings (works broadly)
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        # Basic authentication at the proxy
        # If using the app-level token, keep these lines commented out
        #auth_basic "Restricted Area";
        #auth_basic_user_file /etc/nginx/auth/users;

        location / {
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header  Host "localhost";
            proxy_set_header  X-Real-IP "127.0.0.1";
            proxy_set_header  X-Forwarded-For "127.0.0.1";
            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_set_header  Connection "";
            proxy_read_timeout 300;
            proxy_connect_timeout 300;
            proxy_send_timeout 300;
            proxy_pass        http://hexstrike;  # Forward request to the actual web service
        }
    }
}
EOF

# Self-signed certificate for the proxy (no trailing spaces after the backslashes)
openssl req -x509 -nodes -newkey rsa:2048 \
  -keyout nginx/certs/selfsigned.key \
  -out nginx/certs/selfsigned.crt \
  -days 365 \
  -subj "/C=US/ST=NY/L=NewYork/O=LocalDev/OU=IT/CN=example.local" \
  -addext "subjectAltName=DNS:example.local,DNS:localhost,IP:127.0.0.1"

podman-compose up -d


hexstrike_server.py # should be on localhost:8888

hexstrike_mcp.py --server https://x.x.x.x:8080 --auth-basic hexmin:asdfasdf --disable-ssl-verify
```

Update to hexstrike_server.py

Update host to use the API_HOST variable, with localhost as the default.

If users want the mcp server to bind to all IPs on the host:

```bash
export HEXSTRIKE_HOST=0.0.0.0
```

#122
#124

@jrespeto
Author

Added Auth Bearer token check with `@app.before_request`.

Before running the server, use `export HEXSTRIKE_API_TOKEN=secret`; otherwise the default is to allow all requests.

Tested on my system with opencode / mcp client to connect to a remote mcp server on Kali.

```json
{
  "mcp": {
    "HexStrike1": {
      "type": "local",
      "command": ["~/hexstrike-ai/hexstrike_env/bin/python", "~/hexstrike-ai/hexstrike_mcp.py", "--server", "https://x.x.x.x:8080", "--auth-basic", "hexmin:asdfasdf", "--disable-ssl-verify"],
      "enabled": false
    },
    "HexStrike2": {
      "type": "local",
      "command": ["~/hexstrike-ai/hexstrike_env/bin/python", "~/hexstrike-ai/hexstrike_mcp.py", "--server", "https://x.x.x.x:8080", "--auth-basic", "hexmin:asdfasdf", "--auth-token", "asdf", "--disable-ssl-verify"],
      "enabled": false
    }
  }
}
```
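The Bearer check described in the comment above, sketched as an added example that is not the PR's code: it validates an `Authorization` header against the configured token with a constant-time comparison and keeps the described default of allowing every request when no token is set. The function names and the assumption that the token travels as `Authorization: Bearer <token>` are illustrative; the page does not show which header the PR uses.

```python
import base64
import hmac


def parse_authorization(header_value):
    """Split an Authorization header into (scheme, credentials); (None, None) if malformed."""
    if not header_value:
        return None, None
    scheme, _, credentials = header_value.strip().partition(" ")
    credentials = credentials.strip()
    if not credentials:
        return None, None
    return scheme.lower(), credentials  # auth schemes are case-insensitive


def check_bearer(header_value, expected_token):
    """Return (allowed, reason) for one request.

    expected_token stands for the value of HEXSTRIKE_API_TOKEN. Unset or empty
    disables the check, matching the default described in the comment above.
    """
    if not expected_token:
        return True, "no token configured: check disabled"
    scheme, credentials = parse_authorization(header_value)
    if scheme != "bearer":
        return False, "missing or non-Bearer Authorization header"
    # compare_digest takes the same time wherever the two values first differ
    if hmac.compare_digest(credentials.encode(), expected_token.encode()):
        return True, "token accepted"
    return False, "token mismatch"


def basic_header(user, password):
    """Authorization value for HTTP Basic credentials such as --auth-basic user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample requests (header value, configured token); not captured traffic
SAMPLES = [
    ("Bearer secret", "secret"),
    ("Bearer wrong", "secret"),
    (basic_header("hexmin", "asdfasdf"), "secret"),  # Basic occupies the same header
    (None, "secret"),
    (None, ""),  # token unset: every request passes
]

if __name__ == "__main__":
    for header, token in SAMPLES:
        print(repr(header), repr(token), check_bearer(header, token))
```

With the token unset the check passes every request, so the variable has to be exported before the server is bound to anything other than localhost (for example with `HEXSTRIKE_HOST=0.0.0.0`). Under the stated assumption, a request carrying Basic credentials in `Authorization` cannot carry the Bearer token in that same header.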
