
fn-knock MCP Server

Manage fn-knock gateway via its admin API — reverse proxy, DDNS, SSL/ACME, tunnels (FRP/Cloudflared), scanner, whitelist, and more. Requires fn-knock running...
kci-lnk (source)
Uncategorized clawhub v1.0.1 1 version 100000 Key: required

Overview

What is fn-knock?

fn-knock is a self-hosted gateway/reverse proxy solution for NAS and home lab environments.

This MCP Server exposes its admin API (100+ endpoints) as structured tools for AI assistants.

Installation

1. Install the MCP package

pip install mcp requests
# or with uv
uv tool install fn-knock-mcp  # (if published to PyPI)

If installing from source:

cd fn_knock_mcp
pip install -e .

2. Configure HMAC Secret (3 ways, pick one)

fn-knock's admin API requires HMAC authentication. The MCP auto-resolves the secret using this priority:

Option A — Environment variable (recommended)

export FN_KNOCK_HMAC_SECRET="your-secret-here"

Option B — Credentials file

mkdir -p ~/.config/fn-knock
echo "HMAC_SECRET=your-secret-here" > ~/.config/fn-knock/credentials
chmod 600 ~/.config/fn-knock/credentials

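Option C — Auto-detection (only when fn-knock runs locally)

If fn-knock is running on this machine (http://localhost:7998), the MCP automatically extracts the secret from the page HTML; no additional configuration is needed.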
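The lookup order for options A and B, written out as an added example (not the fn-knock MCP's own code). The refusal of group- or world-readable credentials files and the 64-hex format check (the format this page gives for the secret) are assumptions of this sketch; option C is left out because it needs a running gateway.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

HEX64 = re.compile(r"[0-9a-fA-F]{64}")
DEFAULT_CREDENTIALS = Path.home() / ".config" / "fn-knock" / "credentials"


def read_credentials_file(path):
    """Return HMAC_SECRET from a KEY=value file, refusing lax permissions."""
    path = Path(path)
    if not path.is_file():
        return None
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:  # any access for group or others
        raise PermissionError(f"{path} has mode {mode:o}; run chmod 600")
    for line in path.read_text().splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "HMAC_SECRET":
            return value.strip().strip('"')
    return None


def resolve_secret(env=None, credentials_path=DEFAULT_CREDENTIALS):
    """Return (secret, source), trying option A (env) before option B (file)."""
    env = os.environ if env is None else env
    candidates = (
        ("env", lambda: env.get("FN_KNOCK_HMAC_SECRET")),
        ("file", lambda: read_credentials_file(credentials_path)),
    )
    for source, getter in candidates:
        secret = getter()
        if secret:
            if not HEX64.fullmatch(secret):
                raise ValueError(f"secret from {source} is not 64 hex chars")
            return secret, source
    raise LookupError("no HMAC secret found in env or credentials file")


if __name__ == "__main__":
    # Constructed sample secret, not a real credential.
    sample = "ab" * 32
    with tempfile.TemporaryDirectory() as tmp:
        cred = Path(tmp) / "credentials"
        cred.write_text(f"HMAC_SECRET={sample}\n")
        cred.chmod(0o600)
        print(resolve_secret(env={}, credentials_path=cred)[1])
```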

3. Add to OpenClaw MCP Settings

Edit your ~/.openclaw/openclaw.json (or use the OpenClaw web UI):

{
  "mcpServers": {
    "fn-knock": {
      "command": "python",
      "args": ["-m", "fn_knock_mcp.server"],
      "env": {
        "FN_KNOCK_BASE_URL": "http://localhost:7998/api/admin"
      }
    }
  }
}

Or reference the provided mcp.json:

{
  "mcpServers": {
    "fn-knock": {
      "command": "python",
      "args": ["-m", "fn_knock_mcp.server"]
    }
  }
}

> Note: The HMAC secret is resolved at startup from the environment variable, the credentials file, or auto-detection — do NOT put it in mcp.json.
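A check for the rule in the note above, as an added example (not part of the fn-knock MCP): it walks the mcpServers entries of an OpenClaw-style config and reports where a secret has been embedded, without echoing the value. The function name and the sample configs are constructed for illustration.

```python
import json
import re

HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")
SECRET_KEYS = {"FN_KNOCK_HMAC_SECRET", "HMAC_SECRET"}


def find_embedded_secrets(config_text):
    """Return locations (never values) where an HMAC secret sits in the config."""
    config = json.loads(config_text)
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        for key, value in server.get("env", {}).items():
            # Flag by key name, or by a value shaped like the 64-hex secret.
            if key in SECRET_KEYS or HEX64.search(str(value)):
                findings.append(f"{name}: env.{key}")
        for i, arg in enumerate(server.get("args", [])):
            if HEX64.search(str(arg)):
                findings.append(f"{name}: args[{i}]")
    return findings


# Constructed sample: the configuration shown on this page.
CLEAN = json.dumps({"mcpServers": {"fn-knock": {
    "command": "python",
    "args": ["-m", "fn_knock_mcp.server"],
    "env": {"FN_KNOCK_BASE_URL": "http://localhost:7998/api/admin"},
}}})

# Constructed sample: the same config with a made-up secret placed in env.
LEAKY = json.dumps({"mcpServers": {"fn-knock": {
    "command": "python",
    "args": ["-m", "fn_knock_mcp.server"],
    "env": {"FN_KNOCK_BASE_URL": "http://localhost:7998/api/admin",
            "FN_KNOCK_HMAC_SECRET": "ab" * 32},
}}})

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("leaky", LEAKY)):
        print(label, find_embedded_secrets(text))
```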

4. (Optional) Configure HTTP Proxy

If fn-knock needs to reach external services (GitHub API, DNS providers, etc.) and you're behind a proxy:

export HTTP_PROXY=http://192.168.31.21:7890
export HTTPS_PROXY=http://192.168.31.21:7890

Available Tools (58 total)

Dashboard

  • fnknock_dashboard_stats — Traffic/auth/threat stats (configurable time range)
  • fnknock_realtime_traffic — Current real-time bytes in/out

Config & Run Mode

  • fnknock_get_config — Full gateway config
  • fnknock_update_run_type — Switch mode: direct / reverse_proxy / subdomain_proxy / tunnel
  • fnknock_sync_routes — Trigger immediate route reload

Reverse Proxy (Host Mappings)

  • fnknock_get_host_mappings — List all host → target rules
  • fnknock_add_host_mapping — Add a reverse proxy rule
  • fnknock_delete_host_mapping — Remove a rule by host

Stream / Tunnel

  • fnknock_get_stream_mappings — List port mappings
  • fnknock_update_stream_mappings — Replace all stream mappings
  • fnknock_frp_status / frp_start / frp_stop — FRP tunnel control
  • fnknock_cloudflared_status / cloudflared_start / cloudflared_stop

SSL / ACME

  • fnknock_ssl_status — Certificate library status
  • fnknock_acme_overview — ACME jobs & applications
  • fnknock_acme_dns_providers — Supported DNS providers
  • fnknock_acme_create_application — Create and submit a cert request

DDNS

  • fnknock_ddns_status — Current DDNS state and last IP
  • fnknock_ddns_toggle — Enable/disable DDNS
  • fnknock_ddns_save_config — Save provider config
  • fnknock_ddns_test — Test connectivity and detect public IP

Auth & Security

  • fnknock_get_auth_settings — Auth settings (session timeout, 2FA)
  • fnknock_get_totp_status — TOTP 2FA status
  • fnknock_totp_setup — Initiate TOTP enrollment
  • fnknock_totp_bind — Complete TOTP binding
  • fnknock_passkey_list — List registered passkeys

IP Management

  • fnknock_whitelist_list / whitelist_add / whitelist_delete
  • fnknock_ip_lookup — Batch IP geolocation lookup (up to 20 IPs)

Scanner / Security

  • fnknock_scanner_settings — Path scanner config
  • fnknock_scanner_blacklist — Blocked suspicious IPs
  • fnknock_scanner_toggle — Enable/disable scanner protection

Logs & Events

  • fnknock_get_events — System event log (filterable)
  • fnknock_delete_events — Delete events by ID
  • fnknock_gateway_logs_dates — Dates with gateway logs
  • fnknock_gateway_logs_entries — Access logs for a date

Notifications

  • fnknock_notifications_providers — Notification channels
  • fnknock_notifications_rules — Notification rules
  • fnknock_notifications_triggers — Historical notification trigger records (filterable by status/rule_id)
  • fnknock_notifications_deliveries — Historical delivery records (filterable by status/provider_id/rule_id/trigger_id)
  • fnknock_notifications_deliveries_clear — Clear delivery records (clears all records if no parameters are passed)

Gateway & Network

  • fnknock_gateway_settings / gateway_update
  • fnknock_gateway_visibility — Regional visibility config
  • fnknock_system_reset_firewall — Reset firewall for a run type
  • fnknock_system_dnsmasq_status — DNS proxy status

Sessions & Terminal

  • fnknock_sessions_list — Active user sessions
  • fnknock_session_kick — Kick a session
  • fnknock_terminal_status / terminal_sessions — tmux management
  • fnknock_backoff_list / backoff_reset — Rate limit state

Maintenance

  • fnknock_backup_export / backup_import
  • fnknock_update_check — Check for fn-knock updates
  • fnknock_traffic_stats — Traffic statistics

Finding Your HMAC Secret

If fn-knock is running, open its web UI at http://localhost:7998 and check:

  • Browser DevTools → Network tab → any API request → look for x-timestamp, x-nonce, x-signature headers
  • Or search the page source for __FN_KNOCK_HMAC_SECRET__

The secret is a 64-char hex string. Create the credentials file with it:

mkdir -p ~/.config/fn-knock
echo "HMAC_SECRET=42e0a9e578284ad8313752293a3079680b377c249e0e3306527442b363a4cd78" \
  > ~/.config/fn-knock/credentials
# Restrict the file to your own user, as in step 2
chmod 600 ~/.config/fn-knock/credentials

Troubleshooting

"Missing Required Security Headers"

→ HMAC secret is wrong or not resolved. Check env var or credentials file.

"Request Expired or Time Desynced"

→ System clock is out of sync. Run timedatectl set-ntp true on Linux.

MCP not loading in OpenClaw

→ Verify Python path: which python and confirm mcp package is installed there.

→ Check OpenClaw logs: openclaw logs for MCP initialization errors.

Port 7998 unreachable

→ fn-knock may be bound to a different interface. Check its listen address in the config.

Version history

1 version in total

  • v1.0.1 (current)
    2026-05-07 17:01 Safe Safe

Security checks

Tencent Cloud Security (Keen)

Safe, no risk

Tencent Cloud Security (Sanbu)

Safe, no risk
