diff --git a/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl b/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl
index 987a21ee..efb9cd43 100755
--- a/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl
+++ b/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl
@@ -75,7 +75,7 @@ EOF
require_root() { [ "$(id -u)" -eq 0 ] || { echo "Root required" >&2; exit 1; }; }
-log_info() { echo "[INFO] $*"; }
+log_info() { echo "[INFO] $*" >&2; }
log_warn() { echo "[WARN] $*" >&2; }
log_error() { echo "[ERROR] $*" >&2; }
@@ -1594,6 +1594,15 @@ cmd_sync_routes() {
local domain=$(uci -q get haproxy.$vhost.domain)
local backend=$(uci -q get haproxy.$vhost.backend)
+ # Skip wildcard domains (starting with '.') - they should fall through
+ # to the "WAF SAYS NO" 404 page for unknown subdomains, not route to a fallback
+ case "$domain" in
+ .*)
+ log_info " Skipping wildcard domain: $domain (no route = 404 error page)"
+ continue
+ ;;
+ esac
+
# If currently using mitmproxy_inspector, use the stored original backend
if [ "$backend" = "mitmproxy_inspector" ]; then
backend=$(uci -q get haproxy.$vhost.original_backend)
diff --git a/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/haproxy_router.py b/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/haproxy_router.py
index b930db36..1408afce 100644
--- a/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/haproxy_router.py
+++ b/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/haproxy_router.py
@@ -17,6 +17,7 @@ ROUTES_FILE = "/data/haproxy-routes.json"
# 404 page HTML - shown when no route is found
# NEVER fallback to LuCI - return proper 404 instead
+# Note: CSS curly braces must be doubled for Python .format() compatibility
NOT_FOUND_HTML = """
@@ -24,8 +25,8 @@ NOT_FOUND_HTML = """
WAF Says NO - SecuBox