aliyun mcp-proxy: local OAuth authentication proxy for Alibaba Cloud OpenAPI MCP servers, with access control and systemd support - OpenAPI Explorer

aliyun mcp-proxy

aliyun mcp-proxy is a CLI tool that proxies requests between AI applications (such as Dify and LangChain) and OpenAPI MCP servers. A one-time OAuth authorization is required on first start; the proxy handles token refreshes automatically.

How it works: The application sends requests to aliyun mcp-proxy, which adds credentials and forwards them to the OpenAPI MCP server.

Warning

After starting aliyun mcp-proxy, any user on the host machine can access MCP servers through the proxy port within the CLI user's permission scope. Run the proxy only in a trusted, single-user environment and never expose the port externally. Use --allowed-servers or --blocked-servers to restrict accessible servers. Security risks and mitigations.

Configure and run the proxy

Step 1: Configure Alibaba Cloud CLI

Install or upgrade Alibaba Cloud CLI to version 3.2.0 or later. Install or update Alibaba Cloud CLI.
Configure the CLI with credentials of an Alibaba Cloud account or RAM user with permissions to create OAuth applications. To use an existing OAuth application, specify --oauth-app-name in a later step.
```
aliyun configure
# Enter your AccessKey ID, AccessKey Secret, and default region as prompted.
```

Step 2: First run and OAuth authorization

On first run, mcp-proxy requires a one-time OAuth authorization to obtain a refresh token.

Start the proxy in the foreground.
- In a GUI environment, the CLI opens a browser for OAuth authorization unless --no-browser is specified. After authorization, skip to step 5.
```
aliyun mcp-proxy --host 127.0.0.1 --port 8088
```
- In a headless environment, add --no-browser. The CLI prompts you to obtain the authorization code manually.
```
aliyun mcp-proxy --host 127.0.0.1 --port 8088 --no-browser
```
Note
To specify a custom OAuth application with --oauth-app-name, the application must meet these requirements:
- OAuth Scope: Must be /acs/mcp-server.
- Redirect URI: Must match the Redirect URI used during the aliyun mcp-proxy authentication.
- Application Type: Must be a Native application.

The terminal displays the authorization URL.

Setting up MCPOAuth profile 'default-mcp'...
Opening browser for OAuth login...
URL: https://signin.aliyun.com/oauth2/v1/auth?client_id=XXX8&response_type=code&scope=%2Facs%2Fmcp-server&redirect_uri=http://0.0.0.0:8088/callback&code_challenge=XXX&code_challenge_method=S256
Please open the authorization URL on a machine with a browser and complete the sign-in.
After authorization, the browser will redirect to a callback URL.
Even if the page fails to load (connection error), the authorization code is in the URL.
Please copy the value of the `code` parameter from the browser's address bar.
Example: If the URL is:
  http://127.0.0.1:8088/callback?code=abc123xyz&state=...
  Then copy only: abc123xyz
Enter authorization code: <YOUR CODE>

Open the URL in a browser, sign in, and complete the authorization.
After authorization, the page redirects to a URL containing a code parameter, or displays the code directly. Copy the code value, paste it into the terminal, and press Enter.

The terminal displays OAuth login successful! when authorization succeeds.

2025/12/04 19:11:49 Oauth authorization successfully, code received: XXXX
2025/12/04 19:11:49 Start to exchange code for token with PKCE
2025/12/04 19:11:49 Exchange code for token with PKCE successfully
OAuth login successful!

The terminal displays MCP Proxy Server Started when the proxy is ready.

MCP Profile 'default-mcp' configured for oauth app 'aliyun-cli-mcp-proxy' successfully!
MCP Proxy Server Started
Listen: 127.0.0.1:8088

Step 3: Configure systemd service (CentOS)

For stable operation, configure the proxy as a systemd service that starts on boot.

Create a systemd service file named aliyun-mcp-proxy.service.

Note:
- Replace your-user with the actual non-root username that runs this service. This user must have configured credentials by using aliyun configure.
- In the ExecStart line, $(which aliyun) automatically finds the path to the aliyun command. If this fails, manually replace it with the output of the which aliyun command (for example, /usr/local/bin/aliyun).
```
sudo tee /etc/systemd/system/aliyun-mcp-proxy.service << 'EOF'
[Unit]
Description=Aliyun CLI MCP Proxy
After=network.target
[Service]
Type=simple
User=your-user
ExecStart=$(which aliyun) mcp-proxy --host 127.0.0.1 --port 8088 --no-browser
Restart=always
RestartSec=10
Environment=HOME=/home/your-user
[Install]
WantedBy=multi-user.target
EOF
```

Reload the systemd configuration and start the service.

# Reload the configuration
sudo systemctl daemon-reload
# Start the service
sudo systemctl start aliyun-mcp-proxy
# Enable the service to start on boot
sudo systemctl enable aliyun-mcp-proxy

Step 4: Verify the proxy service

Verify the service is running.

View the service status

Check the service status.
```
sudo systemctl status aliyun-mcp-proxy
```
If the output contains active (running), the service has started successfully.

Request the proxy port

Send a test request to the proxy port.

curl http://127.0.0.1:8088/

A working proxy returns an XML error response from the MCP server, confirming connectivity.

<?xml version='1.0' encoding='UTF-8'?><Error><RequestId>B3311876-XXXXX</RequestId><HostId>openapi-mcp.cn-hangzhou.aliyuncs.com</HostId><Code>InvalidAction.NotFound</Code><Message>Specified api is not found, please check your url and method.</Message><Recommend><![CDATA[https://api.aliyun.com/troubleshoot?q=InvalidAction.NotFound&product=OpenAPIExplorer&requestId=B3311876-XXX]]></Recommend></Error>

Integrate with Dify

This example configures mcp-proxy with Dify deployed via Docker Compose on the same ECS instance.

Step 1: Get host IP and start proxy

The Dify container accesses mcp-proxy through the host machine's Docker bridge IP.

Get the Docker bridge IP address.
```
ip addr show docker0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1
```
This command returns an IP address similar to 172.17.0.1.
Start aliyun mcp-proxy in the foreground, or modify the systemd startup command to run it as a service.
```
aliyun mcp-proxy --host 172.17.0.1 --port 8088 --no-browser
```

Step 2: Configure the MCP server in Dify

In Dify, go to the Tools > MCP configuration page.
ClickAdd MCP Server (HTTP).
In theserver endpoint URL field, enter your MCP proxy address.

Find the Streamable HTTP Endpoint in the OpenAPI MCP Service console and replace the host with your proxy address.

Example conversion:
- Original Endpoint:
  https://openapi-mcp.cn-hangzhou.aliyuncs.com/accounts/1234/custom/cli-proxy-test/id/1234/mcp
- Proxied Endpoint: (assuming the proxy runs on172.17.0.1:8088):
  http://172.17.0.1:8088/accounts/1234/custom/cli-proxy-test/id/1234/mcp
Complete the remaining fields and click Add & Authorize. Dify routes MCP traffic through this proxy.

Security risks and mitigations

After starting mcp-proxy, any host-machine user can access MCP servers through the proxy port within the CLI user's permission scope. Key risks:

Internal privilege abuse: Other users on the same machine can use the proxy port to perform unauthorized actions, leading to privilege abuse or data leakage.
External exposure: If the proxy listens on 0.0.0.0 without a firewall, anyone on the network can access MCP servers through the port.

Note

The proxy uses the logged-in CLI user's Alibaba Cloud identity. Configure access permissions carefully.

Mitigations

Environment isolation: Run the proxy only in a trusted, single-user environment.
Network access control: Bind --host to 127.0.0.1 (default) or a specific internal IP. Use firewall or security group rules to restrict proxy port access. Never expose the port to the public internet.
Server access control: Use --allowed-servers (allowlist) or --blocked-servers (blocklist) to restrict accessible MCP servers. Configure server access control.
Principle of least privilege: Grant the CLI user and MCP server only the minimum required permissions. Prefer read-only access.
Auditing and monitoring: Review proxy access logs regularly. Blocked requests are recorded in the logs.

Configure server access control

aliyun mcp-proxy supports allowlist and blocklist modes to restrict accessible MCP servers.

Priority rules

Access control is evaluated in the following order:

Blocklist first: A request that matches the blocklist is rejected immediately, even if it is also on the allowlist.
Allowlist filtering: If an allowlist is configured, only servers on the allowlist are permitted.
Default allow: If no lists are configured, access to all servers is allowed.

Get server name and ID

After starting aliyun mcp-proxy, the terminal lists available MCP servers:

Available Servers:
  - cloudphone
    MCP: http://127.0.0.1:8088/accounts/0000000000000000/system/eds-aic/cloudphone/id/XSkb9v4dXx000000/mcp
    SSE: http://127.0.0.1:8088/accounts/0000000000000000/system/eds-aic/cloudphone/id/XSkb9v4dXx000000/sse
  - multi_account
    MCP: http://127.0.0.1:8088/accounts/0000000000000000/custom/multi_account/id/OV0Qkpxh0Uodx000/mcp
    SSE: http://127.0.0.1:8088/accounts/0000000000000000/custom/multi_account/id/OV0Qkpxh0Uodx000/sse

In the output, cloudphone and multi_account are the server name values (usually located before the id keyword).
In the output, XSkb9v4dXx000000 and OV0Qkpxh0Uodx000 are the server id values (usually located before the mcp keyword).

The URL path typically follows these patterns:

......./system/eds-aic/$server_name/id/$server_id/mcp
......./custom/$server_name/id/$server_id/mcp

Matching patterns

The --allowed-servers and --blocked-servers parameters support three matching patterns, which are automatically identified by the value format:

Matching pattern	Format	Example	Description
Server Name Match	A string that does not start with `/`	`cloudcontrol`	Exactly matches the server's `name` field.
Server ID Match	A string that does not start with `/`	`OV0Qkpxh0Uodx000`	Exactly matches the server's `id` field.
Path Prefix Match	A string that starts with `/`	`/acs/mcp-server/ecs`	Matches the path prefix of the request URL.

Note

Server name and ID matching is an exact match.
Path prefix matching uses prefix comparison. For example, /acs/mcp-server/ecs matches both /acs/mcp-server/ecs/mcp and /acs/mcp-server/ecs/sse.
You can mix all three patterns in the same parameter.

Configuration examples

Allowlist mode: Allow access only to specified servers
```
aliyun mcp-proxy --allowed-servers "ecs,oss"
```
Only ecs and oss are accessible. Requests to other servers return 403 Forbidden.
Blocklist mode: Deny access to specified servers
```
aliyun mcp-proxy --blocked-servers "ram"
```
All servers except ram are accessible.
Use path prefix matching
```
aliyun mcp-proxy --allowed-servers "/acs/mcp-server/ecs,/acs/mcp-server/oss"
```
Same effect as name-based matching, with precise path control.

Verify access control

After starting the proxy, the terminal shows the access control configuration and server status:

MCP Proxy Server Started
Listen: 127.0.0.1:8088
Region: CN
Access Control:
  Blacklist (blocked servers):
    - ram
  Whitelist (allowed servers):
    - ecs
    - oss
Available Servers:
  - ecs
    MCP: http://127.0.0.1:8088/acs/mcp-server/ecs/mcp
  - oss
    MCP: http://127.0.0.1:8088/acs/mcp-server/oss/mcp
  - ram (blocked)

Blocked requests are recorded in the proxy log for troubleshooting.

Security incident response

If you suspect the proxy's authentication token has been leaked or abused:

Stop the MCP Proxy service.
Delete the local configuration file: rm ~/.aliyun/.mcpproxy_config.
Revoke the OAuth authorization in the Alibaba Cloud console.
Check the API call logs to identify any abnormal operations.
Reconfigure the MCP Proxy and generate a new token.

Parameters

The aliyun mcp-proxy command supports these parameters.

Parameter	Description	Default
`--host`	Proxy listen address.	`127.0.0.1`
`--port`	Proxy listen port.	`8088`
`--no-browser`	Disables automatic browser opening for OAuth authorization. In headless environments, the CLI prints the authorization URL to the terminal.	Not enabled
`--oauth-app-name`	Name of a pre-existing OAuth application. Skips automatic application creation.	`aliyun-cli-mcp-proxy`
`--region-type`	Service site for the OpenAPI MCP server. Valid values: `CN` (China site) and `INTL` (international site).	`CN`
`--upstream-url`	Overrides the default upstream OpenAPI MCP server address.	China site: `https://openapi-mcp.cn-hangzhou.aliyuncs.com` International site: `https://openapi-mcp.ap-southeast-1.aliyuncs.com`
`--allowed-servers`	Allowlist of accessible MCP servers (comma-separated). Supports server name, ID, or path prefix. If unspecified, all servers are allowed. Configure server access control.	Not enabled
`--blocked-servers`	Blocklist of inaccessible MCP servers (comma-separated). Supports server name, ID, or path prefix. Takes precedence over the allowlist. Configure server access control.	Not enabled

FAQ

After running `aliyun mcp-proxy` for OAuth authentication, I get the "`ERROR: OAuth flow returned empty RefreshToken`" error and the proxy fails to start. Why does this happen?

This usually indicates an incorrect OAuth application type or identity. Verify:

The OAuth application type used is Native.
You are authenticating with an Alibaba Cloud account or a RAM user. Assuming a RAM role does not support obtaining a refresh token.

Connection Refused or Timeout error in Dify

Check these configurations:

Set --host to the Docker bridge IP or host internal IP so the container can reach the mcp-proxy service.
The ECS security group or host firewall must allow TCP traffic from Docker containers to the proxy port (for example, 8088).

How to view mcp-proxy logs?

For systemd deployments, view real-time logs with:

sudo journalctl -u aliyun-mcp-proxy -f