fix(haproxy): Add waf_bypass option for WebSocket-heavy apps

Streamlit apps require WebSocket connections that mitmproxy WAF
doesn't handle properly. Added waf_bypass UCI option to allow
specific vhosts to route directly to backends while other
services still get WAF protection.

- Add waf_bypass option check in haproxyctl
- Vhosts with waf_bypass=1 skip mitmproxy_inspector
- Fixes blank page issue with Streamlit apps

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CyberMind-FR 2026-02-14 08:03:27 +01:00
parent b62f82b77e
commit 2637fb516b
2 changed files with 33 additions and 2 deletions


@ -1420,3 +1420,32 @@ _Last updated: 2026-02-11_
- **Login Issue Resolution**:
- Form field is `username` not `email` (GoToSocial quirk)
- Admin user: `admin@secubox.in` / `TestAdmin123!`
## 2026-02-14: Fixed Streamlit apps + WAF compatibility
### Problem
- Streamlit apps showing blank page with loading spinner when accessed via public URLs
- Direct access to backends (192.168.255.1:xxxx) worked fine
- Issue was mitmproxy WAF not handling WebSocket connections properly
### Root Cause
- HAProxy `waf_enabled=1` routed ALL vhosts through `mitmproxy_inspector` backend
- mitmproxy's `haproxy_router` addon wasn't properly handling WebSocket upgrade connections
- WebSocket connections disconnected immediately, breaking Streamlit's real-time UI
### Solution
1. Added `waf_bypass` option to `/usr/sbin/haproxyctl`:
- Vhosts with `waf_bypass=1` route directly to their backends
- Other vhosts still go through mitmproxy WAF
2. Set `waf_bypass=1` for Streamlit vhosts (yling, bazi, bweep, bweek, wuyun, pix, hermes, evolution, control)
3. Updated haproxy_router.py addon with WebSocket event handlers (for future improvement)
### Files Modified
- `/usr/sbin/haproxyctl` - Added waf_bypass option check
- `/srv/mitmproxy-in/addons/haproxy_router.py` - Added WebSocket handlers
- `/srv/lxc/mitmproxy-in/config` - Enabled HAPROXY_ROUTER_ENABLED=1
### Result
- Streamlit apps work with full WebSocket support
- Other services still protected by mitmproxy WAF
- Hybrid approach balances security and functionality
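Review bot: the "Files Modified" list in this hunk names three files (`/usr/sbin/haproxyctl`, `/srv/mitmproxy-in/addons/haproxy_router.py`, `/srv/lxc/mitmproxy-in/config`), but the commit touches 2 files and the only code diff here is `haproxyctl`; either the addon and container-config changes live in another commit and the list should say so, or they are missing from this one. The same section should also state the security consequence of the new option plainly: a vhost with `waf_bypass=1` is not inspected by mitmproxy at all, for plain HTTP requests as well as WebSocket frames, so the nine Streamlit vhosts listed under "Solution" step 2 now depend entirely on the backends' own hardening, and the bypass should be recorded as a temporary workaround to revert once the `haproxy_router` WebSocket handling from step 3 actually works. Separately, the unchanged context above the new section keeps a plaintext admin password (`admin@secubox.in` / `TestAdmin123!`) in a tracked notes file; rotate it and keep credentials out of the repository.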


@ -723,7 +723,8 @@ _emit_sorted_path_acls() {
# Generate use_backend rule (use WAF backend if enabled)
local effective_backend="$backend"
[ "$waf_enabled" = "1" ] && effective_backend="$waf_backend"
config_get waf_bypass "$section" waf_bypass "0"
[ "$waf_enabled" = "1" ] && [ "$waf_bypass" != "1" ] && effective_backend="$waf_backend"
if [ -n "$host_acl_name" ]; then
echo " use_backend $effective_backend if host_${host_acl_name} ${acl_name}"
else
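Review bot: `waf_bypass` is filled by `config_get` but never declared `local`, unlike `effective_backend` on the line above, so the value persists in the caller's scope after the function returns; add `local waf_bypass` beside `local effective_backend`. The comment two lines up, `# Generate use_backend rule (use WAF backend if enabled)`, is now incomplete and should mention the per-vhost bypass. Since the same two lines are repeated in `_add_vhost_acl()` below, consider a small helper that resolves the effective backend for a section, and have it emit a marker comment (for example `# waf_bypass=1` immediately before the `use_backend` line) into the generated configuration, so that an audit of the rendered `haproxy.cfg` shows at a glance which vhosts skip inspection.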
@ -788,7 +789,8 @@ _add_vhost_acl() {
esac
# Use WAF backend if enabled, otherwise use original backend
local effective_backend="$backend"
[ "$waf_enabled" = "1" ] && effective_backend="$waf_backend"
config_get waf_bypass "$section" waf_bypass "0"
[ "$waf_enabled" = "1" ] && [ "$waf_bypass" != "1" ] && effective_backend="$waf_backend"
echo " use_backend $effective_backend if host_${acl_name}"
}
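Review bot: the comment `# Use WAF backend if enabled, otherwise use original backend` no longer describes the line below it, which now also honours `waf_bypass`; update it, and declare `waf_bypass` as `local` like `effective_backend`. This is the second copy of the same resolution logic (the first is in `_emit_sorted_path_acls()` above); if both are kept, any future change has to be made in both places, otherwise the path-ACL and host-ACL rules for one vhost will disagree about whether it is inspected and the vhost would be routed through the WAF for some paths and straight to the backend for others.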