# Deployment — Cloudflare Tunnel
The MCP server listens on port 8001 inside the Compass host
(13.59.75.103). Public traffic reaches it through the existing
Cloudflare Tunnel
that already fronts the rest of the Compass domain — we just add a new
ingress rule for mcp.chordia.ai rather than spinning up a new tunnel
or opening a port in the EC2 security group.
## 1. Add an ingress rule
On the Compass host, edit the cloudflared config (typically
/etc/cloudflared/config.yml, sometimes ~/.cloudflared/config.yml):
```yaml
tunnel: <existing-tunnel-id>
credentials-file: /etc/cloudflared/<existing-tunnel-id>.json
ingress:
  - hostname: mcp.chordia.ai
    service: http://localhost:8001
  # ... existing rules for compass.chordia.ai etc. above the catch-all ...
  - service: http_status:404
```
The new rule must appear before the catch-all `http_status:404`
entry — cloudflared evaluates rules in order and the first match wins.
## 2. Create the DNS route
This tells Cloudflare to publish a CNAME for mcp.chordia.ai pointing
at the tunnel:
```bash
cloudflared tunnel route dns <tunnel-name> mcp.chordia.ai
```
You only run this once per hostname. After it succeeds, the DNS record
appears in the Cloudflare dashboard under the chordia.ai zone.
## 3. Restart the tunnel

```bash
sudo systemctl restart cloudflared
sudo systemctl status cloudflared   # confirm "active (running)"
```
The restart loads the updated config; the new rule is live as soon as the service reports "active (running)".
## 4. Boot the MCP process
`start.sh` runs both the main API and the MCP server in the same
container, but the MCP server only starts when `MCP_SERVER_ENABLED=1`
is set:
```bash
# In the host's .env (or .env.production):
MCP_SERVER_ENABLED=1
MCP_SERVER_PORT=8001   # optional — defaults to 8001
```
Redeploy via CI/CD (or `deploy_production_compass.sh` if running
manually). On boot you should see:

```text
Starting MCP server on port 8001...
Starting main API server...
```
## 5. Smoke test

From any machine:

```bash
curl -sf https://mcp.chordia.ai/health
# → {"status":"ok"}
```
If you get a Cloudflare 530 / 502, the tunnel is up but `localhost:8001`
isn't responding inside the host — check container logs and confirm
`MCP_SERVER_ENABLED=1` is actually in the env file.

If you get a 404 from cloudflared (not the MCP server), the ingress
rule is wrong — verify the hostname spelling and that the rule sits
above the catch-all.
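The ordering rule from step 1 and the cloudflared-404 symptom above are easy to check before restarting the service. The following is an added illustration, not code from the Compass project or from cloudflared: it models cloudflared's first-match evaluation over a parsed `ingress:` list (the shape `yaml.safe_load` returns) and flags a missing catch-all, a missing or mistargeted `mcp.chordia.ai` rule, and a rule that is shadowed because it sits below the catch-all. The two rule lists and the main API port are constructed for the example.

```python
# Illustrative check, not part of cloudflared: the first matching rule wins,
# so anything placed after the http_status:404 catch-all is never reached.
from fnmatch import fnmatchcase

MCP_HOST = "mcp.chordia.ai"
MCP_SERVICE = "http://localhost:8001"

def resolve(rules, hostname):
    """Service cloudflared would pick for hostname (first match wins).
    A rule with no hostname matches everything; '*' acts as a wildcard."""
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern is None or fnmatchcase(hostname, pattern):
            return rule["service"]
    return None  # only reachable without a catch-all, which cloudflared rejects

def check_ingress(rules, hostname=MCP_HOST, service=MCP_SERVICE):
    """Return a list of problems with the ingress list for the MCP hostname."""
    problems = []
    if not rules or "hostname" in rules[-1]:
        problems.append("last rule must be a catch-all (no hostname), e.g. http_status:404")
    idx = next((i for i, r in enumerate(rules) if r.get("hostname") == hostname), None)
    if idx is None:
        problems.append(f"no ingress rule for {hostname}")
    elif rules[idx]["service"] != service:
        problems.append(f"{hostname} points at {rules[idx]['service']}, expected {service}")
    got = resolve(rules, hostname)
    if got != service:
        problems.append(f"{hostname} would be served by {got!r}: rule is shadowed by an earlier match")
    return problems

# Constructed inputs: the layout from step 1, and the misordered one that
# yields cloudflared's own 404 in the smoke test. Port 8000 is a placeholder.
GOOD = [
    {"hostname": "compass.chordia.ai", "service": "http://localhost:8000"},
    {"hostname": MCP_HOST, "service": MCP_SERVICE},
    {"service": "http_status:404"},
]
BAD = [
    {"hostname": "compass.chordia.ai", "service": "http://localhost:8000"},
    {"service": "http_status:404"},
    {"hostname": MCP_HOST, "service": MCP_SERVICE},
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD), ("bad", BAD)):
        print(name, "->", resolve(rules, MCP_HOST), check_ingress(rules) or "ok")
```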
## Notes

- Port 8001 is never exposed via the EC2 security group. Cloudflare
  Tunnel maintains an outbound connection from the host, so the public
  endpoint is `mcp.chordia.ai` only — direct connections to
  `13.59.75.103:8001` are blocked.
- The `/docs` static MkDocs site is mounted on the same MCP process at
  `https://mcp.chordia.ai/docs/`, so this single ingress rule covers both
  the protocol endpoint and the documentation site.
- The admin REST API (`/projects/{id}/mcp-keys`) is on the main API
  domain (`https://compass.chordia.ai`), not on the MCP tunnel.