lywsvip/supabase
1
0
Fork 0
mirror of https://github.com/supabase/supabase.git synced 2026-05-06 22:18:00 +08:00
Code Issues Packages Projects Releases Wiki Activity

docs(self-hosted): clarify envoy api gateway setup (#45238)

Browse Source
This commit is contained in:
Luiz Felipe Machado
2026-04-29 06:33:53 -03:00
committed by GitHub
parent d5c0303053
commit 5fa012cfa9
2 changed files with 146 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
apps/docs/content/guides/self-hosting/enable-mcp.mdx
View File

@@ -25,6 +25,15 @@ Do not allow connections to the self-hosted MCP server from the Internet. Only a
When connecting via an SSH tunnel to the Studio Docker container, the source IP will be that of the Docker bridge gateway. You need to allow connections from this IP address.
<Tabs
scrollable
size="small"
type="underlined"
defaultActiveId="kong"
>
<TabPanel id="kong" label="Kong">
Determine the Docker bridge gateway IP on the host running your Supabase containers:
```sh
@@ -32,16 +41,41 @@ docker inspect supabase-kong \
--format '{{range .NetworkSettings.Networks}}{{println .Gateway}}{{end}}'
```
</TabPanel>
<TabPanel id="envoy" label="Envoy">
Determine the Docker bridge gateway IP on the host running your Supabase containers:
```sh
docker inspect supabase-envoy \
--format '{{range .NetworkSettings.Networks}}{{println .Gateway}}{{end}}'
```
</TabPanel>
</Tabs>
This command will output an IP address, e.g., `172.18.0.1`.
### Step 2: Allow connections from the gateway IP
<Tabs
scrollable
size="small"
type="underlined"
defaultActiveId="kong"
>
<TabPanel id="kong" label="Kong">
Add the IP address you discovered to the Kong configuration by editing the following section in `./volumes/api/kong.yml`:
1. Comment out the request-termination section
2. Remove the # symbols from the entire section starting with `- name: cors`, including `deny: []`
3. Add your local IP to the 'allow' list.
4. Your edited configuration should look like the example below.
3. Add your local IP to the 'allow' list
4. **Preserve the existing indentation** - YAML is whitespace-sensitive and the config will fail to load if it changes
5. Your edited configuration should look like the example below:
```yaml name=volumes/api/kong.yml
## MCP endpoint - local access
@@ -75,14 +109,105 @@ Add the IP address you discovered to the Kong configuration by editing the follo
deny: []
```
</TabPanel>
<TabPanel id="envoy" label="Envoy">
Add the IP address you discovered to the Envoy configuration by editing the `/mcp` route in `./volumes/api/envoy/lds.template.yaml`:
1. Find the route with `prefix: /mcp`
2. Comment out the `rbac` block that denies all traffic and uncomment the allow-list policy below
3. Keep loopback entries (`127.0.0.1` and `::1`) and add your Docker bridge gateway IP
4. **Preserve the existing indentation** - YAML is whitespace-sensitive and the config will fail to load if it changes
5. Your edited configuration should look like the example below:
```yaml name=volumes/api/envoy/lds.template.yaml
- match:
prefix: /mcp
route:
cluster: studio
prefix_rewrite: /api/mcp
timeout: 30s
request_headers_to_add:
- header:
key: X-Forwarded-Prefix
value: /mcp
append_action: ADD_IF_ABSENT
typed_per_filter_config:
envoy.filters.http.basic_auth:
'@type': >-
type.googleapis.com/envoy.config.route.v3.FilterConfig
disabled: true
envoy.filters.http.rbac:
'@type': >-
type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
# Block access to /mcp by default
#rbac:
# rules:
# action: DENY
# policies:
# deny_all:
# permissions:
# - any: true
# principals:
# - any: true
# Enable local access (danger zone!)
# 1. Comment out the 'rbac' block above.
# 2. Uncomment and adjust the 'rbac' block below.
# 3. Add or adjust your local IPs in 'principals'.
rbac:
rules:
action: ALLOW
policies:
allow_local:
permissions:
- any: true
principals:
- direct_remote_ip:
address_prefix: 127.0.0.1
prefix_len: 32
- direct_remote_ip:
address_prefix: ::1
prefix_len: 128
- direct_remote_ip:
# Add your Docker bridge gateway IP below
address_prefix: 172.18.0.1
prefix_len: 32
```
</TabPanel>
</Tabs>
### Step 3: Restart API gateway
After you've added the local IP address as above, restart the Kong container:
After you've added the local IP address as above, restart your gateway:
<Tabs
scrollable
size="small"
type="underlined"
defaultActiveId="kong"
>
<TabPanel id="kong" label="Kong">
```sh
docker compose restart kong
```
</TabPanel>
<TabPanel id="envoy" label="Envoy">
```sh
docker compose -f docker-compose.yml -f docker-compose.envoy.yml restart api-gw
```
</TabPanel>
</Tabs>
### Step 4: Create the SSH tunnel
From your local machine, create an SSH tunnel to your Supabase host:

34
docker/volumes/api/envoy/lds.template.yaml
View File

@@ -476,6 +476,7 @@ resources:
envoy.filters.http.rbac:
'@type': >-
type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
# Block access to /mcp by default
rbac:
rules:
action: DENY
@@ -486,22 +487,23 @@ resources:
principals:
- any: true
# Enable local access (danger zone!)
# 1. Replace the `rbac` block above with the one below.
# 2. Adjust the IP ranges in `principals`.
# rbac:
# rules:
# action: ALLOW
# policies:
# allow_local:
# permissions:
# - any: true
# principals:
# - direct_remote_ip:
# address_prefix: 127.0.0.1
# prefix_len: 32
# - direct_remote_ip:
# address_prefix: ::1
# prefix_len: 128
# 1. Comment out the 'rbac' block above.
# 2. Uncomment and adjust the 'rbac' block below.
# 3. Add or adjust your local IPs in 'principals'.
#rbac:
# rules:
# action: ALLOW
# policies:
# allow_local:
# permissions:
# - any: true
# principals:
# - direct_remote_ip:
# address_prefix: 127.0.0.1
# prefix_len: 32
# - direct_remote_ip:
# address_prefix: ::1
# prefix_len: 128
- match:
prefix: /