# Core mitmproxy service settings. The mode-specific sections further down
# (wan_protection, transparent, dpi_mirror, ...) only matter once this one
# is enabled.
config mitmproxy 'main'
	# Master switch for the proxy service
	option enabled '0'
	# Runtime backend for the proxy process (presumably an LXC container)
	option runtime 'lxc'
	# Port the proxy listens on
	option proxy_port '8888'
	# Port of the web UI
	option web_port '8081'
	# Bind address of the web UI. '0.0.0.0' listens on every interface, so the
	# UI — and the captured flows shown in it — is reachable from any network
	# this host is attached to. Bind to a LAN or loopback address unless wider
	# access is intended, and keep it away from the WAN interface.
	option web_host '0.0.0.0'
	# Working directory of the proxy. Presumably holds flow dumps and the
	# proxy's CA material — verify; if the CA private key lives here, the
	# directory should be readable by the proxy user only.
	option data_path '/srv/mitmproxy'
	# Memory cap for the proxy runtime
	option memory_limit '256M'
	# Proxy mode; upstream/reverse need the matching target option below
	option mode 'regular'
	# mode: regular, transparent, upstream, reverse
	# option upstream_proxy 'http://proxy:8080'
	# option reverse_target 'http://localhost:80'
	# Presumably maps to mitmproxy's ssl_insecure option, which skips upstream
	# TLS certificate verification. Leave at '0': with '1' the proxy accepts
	# any server certificate, so every client behind it loses protection
	# against spoofed upstream hosts.
	option ssl_insecure '0'
	# Strip client caching headers (anticache) and accepted compression
	# (anticomp) so full response bodies are visible to inspection addons.
	# Both alter traffic and cost bandwidth, hence off by default.
	option anticache '0'
	option anticomp '0'
	# Verbosity of flow logging (higher = more detail, incl. headers/bodies)
	option flow_detail '1'

# WAN Protection Mode - protect services exposed to internet
# Acts as WAF/reverse proxy for incoming WAN traffic
config wan_protection 'wan_protection'
	# Enable WAN protection mode (acts as WAF for incoming traffic)
	option enabled '0'
	# WAN interface name (incoming traffic interface)
	option wan_interface 'wan'
	# Ports to intercept on WAN (HTTP)
	option wan_http_port '80'
	# Ports to intercept on WAN (HTTPS). Intercepting 443 means the proxy
	# terminates TLS for the published services and therefore needs their
	# real certificates and keys — presumably configured elsewhere; confirm
	# before enabling, otherwise external clients get certificate errors.
	option wan_https_port '443'
	# Feed detected threats to CrowdSec for automatic blocking
	option crowdsec_feed '1'
	# Block requests from known bot scanners immediately
	option block_bots '0'
	# Rate limiting: max requests per IP per minute (0=disabled).
	# NOTE(review): ban_rate_limit in the autoban section presumably cannot
	# fire while this stays '0'.
	option rate_limit '0'

# Auto-ban configuration - automatically ban IPs via CrowdSec
config autoban 'autoban'
	# Enable automatic banning of detected threats
	option enabled '0'
	# Ban duration (e.g., 1h, 4h, 24h, 7d)
	option ban_duration '4h'
	# Minimum severity to trigger auto-ban: critical, high, medium
	option min_severity 'critical'
	# Auto-ban on CVE exploit attempts
	option ban_cve_exploits '1'
	# Auto-ban SQL injection attempts
	option ban_sqli '1'
	# Auto-ban command injection attempts
	option ban_cmdi '1'
	# Auto-ban path traversal attempts
	option ban_traversal '1'
	# Auto-ban known vulnerability scanners
	option ban_scanners '1'
	# Auto-ban on rate limit exceeded (needs wan_protection.rate_limit > 0,
	# which is '0' = disabled by default)
	option ban_rate_limit '0'
	# Whitelist IPs from auto-ban (comma-separated). Add the addresses you
	# administer and monitor from, so a false positive cannot lock out
	# management access.
	option whitelist ''
	#
	# Sensitivity level: aggressive, moderate, permissive
	# - aggressive: Ban immediately on first detection (critical threats only)
	# - moderate: Ban after repeated attempts within minutes (default)
	# - permissive: Ban after persistent attempts over longer period
	option sensitivity 'moderate'
	#
	# Aggressive level: Immediate ban on first critical threat
	# (CVE exploits, SQL injection, command injection always trigger immediately)
	#
	# Moderate level thresholds
	# Ban after N attempts within the time window
	# (window presumably in seconds, i.e. 300 = 5 minutes — verify)
	option moderate_threshold '3'
	option moderate_window '300'
	#
	# Permissive level thresholds
	# Ban after N attempts within the time window
	# (window presumably in seconds, i.e. 3600 = 1 hour — verify)
	option permissive_threshold '5'
	option permissive_window '3600'

# LAN Transparent mode settings (outbound traffic interception)
# Clients on the chosen interface are redirected to the proxy without any
# proxy configuration on their side. For HTTPS this only works cleanly when
# the clients trust the proxy's CA certificate; otherwise they see
# certificate warnings for every intercepted site.
config transparent 'transparent'
	option enabled '0'
	# Interface to intercept traffic from (e.g., br-lan)
	option interface 'br-lan'
	# Redirect HTTP traffic (port 80)
	option redirect_http '1'
	# Redirect HTTPS traffic (port 443)
	option redirect_https '1'
	# Custom HTTP port (default 80)
	option http_port '80'
	# Custom HTTPS port (default 443)
	option https_port '443'

# DPI Mirror Mode - feed traffic to network inspection engines
config dpi_mirror 'dpi_mirror'
	option enabled '0'
	# Interface for DPI mirroring (netifyd/ndpid listens on this)
	option dpi_interface 'br-lan'
	# Enable DPI for WAN traffic (incoming)
	option mirror_wan '0'
	# Enable DPI for LAN traffic (outgoing)
	option mirror_lan '0'

# Whitelist/bypass - IPs and domains that bypass the proxy
# Anything matched here is passed through uninspected, so every entry is a
# blind spot for the threat detection above; keep the list minimal.
config whitelist 'whitelist'
	option enabled '1'
	# Bypass local networks by default (RFC 1918 ranges plus loopback).
	# Whether this matches the source or the destination address is not
	# visible here — confirm against the proxy's bypass rules.
	list bypass_ip '10.0.0.0/8'
	list bypass_ip '172.16.0.0/12'
	list bypass_ip '192.168.0.0/16'
	list bypass_ip '127.0.0.0/8'
	# Bypass sensitive domains (banking, medical, etc.)
	# 'banking' is a keyword, not a hostname; how it is matched (substring,
	# suffix, exact) depends on the proxy implementation, so a broad keyword
	# may bypass more — or fewer — hosts than intended. Prefer full domain
	# names where possible.
	list bypass_domain 'banking'
	list bypass_domain 'paypal.com'
	list bypass_domain 'stripe.com'
	# Add custom bypasses here
	# list bypass_ip 'x.x.x.x'
	# list bypass_domain 'example.com'

# HAProxy backend inspection mode
config haproxy_router 'haproxy_router'
	option enabled '0'
	# Port HAProxy sends traffic to. Presumably plain HTTP from HAProxy to the
	# proxy, so this port should only be reachable from the HAProxy host and
	# not from LAN/WAN (otherwise the inspection stage can be bypassed).
	option listen_port '8889'
	# Enable threat detection on HAProxy traffic
	option threat_detection '1'
	# Routes file (auto-generated from HAProxy UCI; do not edit by hand)
	option routes_file '/srv/mitmproxy/haproxy-routes.json'

# CDN/MediaFlow filtering addon
config filtering 'filtering'
	option enabled '0'
	# Log all requests to JSON file
	option log_requests '1'
	# Filter CDN traffic (e.g., cloudflare, akamai, fastly)
	option filter_cdn '0'
	# Filter streaming media
	option filter_media '0'
	# Block ads and trackers
	option block_ads '0'
	# Custom filter script path. Presumably loaded as a mitmproxy addon and
	# executed in-process, i.e. with the proxy's privileges and full access
	# to intercepted traffic — keep the file writable only by trusted users.
	option addon_script '/data/addons/secubox_analytics.py'

# Capture settings
# Headers and bodies of intercepted traffic routinely contain credentials,
# cookies and session tokens. Body capture is off by default for that reason;
# anything enabled here ends up on disk (presumably under data_path) and
# needs the same access controls as the traffic itself.
config capture 'capture'
	# Persist complete flows to disk
	option save_flows '0'
	option capture_request_headers '1'
	option capture_response_headers '1'
	option capture_request_body '0'
	option capture_response_body '0'
