docs: Update tracking files for 2026-02-15 work
- HAProxy reload fix (copy config before signal)
- Mitmproxy Host header preservation for OAuth
- WAF global reset (70 vhosts/ACLs)
- PeerTube email configuration with mailserver
- Wazuh agent watchdog implementation
- Streamlit Gitea sync (4 new repos)
- Service fixes (roundcube, evolution, wazuh)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
851910e185
commit
274dbd8add
@ -1773,3 +1773,45 @@ git checkout HEAD -- index.html
|
||||
- PeerTube validates requests against configured webserver.hostname
|
||||
- **Listen hostname**: Set to `0.0.0.0` (not domain name) for proper binding
|
||||
- **Webserver hostname**: Set to `tube.gk2.secubox.in` for OAuth validation
|
||||
|
||||
### 2026-02-15: HAProxy & Mitmproxy WAF Fixes
|
||||
- **HAProxy reload fix** in haproxyctl
|
||||
- HAProxy reads from `/etc/haproxy/haproxy.cfg` inside container
|
||||
- Config was generated at `/opt/haproxy/config/haproxy.cfg` but not copied
|
||||
- Added `lxc_exec cp /opt/haproxy/config/haproxy.cfg /etc/haproxy/haproxy.cfg` before reload signal
|
||||
- **Mitmproxy Host header preservation** in haproxy_router.py
|
||||
- Fixed PeerTube OAuth "Invalid client" error when WAF enabled
|
||||
- Issue: `flow.request.host = backend[0]` was modifying the Host header
|
||||
- Fix: Save original Host header, set backend destination, restore Host header
|
||||
- Backends that validate Host (PeerTube OAuth, etc.) now work through WAF
|
||||
- **WAF global reset**
|
||||
- Removed `waf_bypass=1` from 70 vhosts and path ACLs
|
||||
- All traffic now routes through mitmproxy for inspection
|
||||
- Streamlit apps, infrastructure services all WAF-enabled
|
||||
- **Committed**: f3f6eb4e - fix(haproxy,mitmproxy): Fix config reload and preserve Host header
|
||||
|
||||
### 2026-02-15: PeerTube Email Configuration
|
||||
- **Configured SMTP** for local mailserver (192.168.255.30)
|
||||
- Port 25, no TLS, disable_starttls=true (internal network)
|
||||
- Auth: admin@secubox.in
|
||||
- From: peertube@secubox.in
|
||||
- **Fixed self-signed certificate error**
|
||||
- Mailserver STARTTLS was enabled with self-signed cert
|
||||
- Set `disable_starttls: true` in production.yaml
|
||||
- **Added peertube@secubox.in alias** to mailserver virtual aliases
|
||||
- PeerTube now sends registration confirmations and password resets
|
||||
|
||||
### 2026-02-15: Wazuh Agent Watchdog
|
||||
- **Added watchdog** to wazuh-agent startup script
|
||||
- Checks every 60 seconds if `wazuh-agentd` is running
|
||||
- Automatically restarts Wazuh service if process dies
|
||||
- Logs restart events to `/var/log/wazuh-watchdog.log`
|
||||
- **Root cause**: wazuh-agentd process had stopped, agent showed disconnected
|
||||
- **Committed**: 851910e1 - feat(wazuh): Add watchdog to wazuh-agent startup script
|
||||
|
||||
### 2026-02-15: Service Fixes
|
||||
- **Roundcube webmail**: Container was stopped, started it
|
||||
- **Wazuh dashboard**: Added waf_bypass (HTTPS backend incompatible with HTTP WAF)
|
||||
- **Streamlit evolution**: Instance was not running, added on port 8510
|
||||
- **Streamlit Gitea sync**: Pushed 4 missing apps (cineposter_fixed, pdf_slideshow, pharmacopoeia_secubox, wuyun_liuqi)
|
||||
- **RTMP firewall**: Opened port 1935 for PeerTube live streaming
|
||||
|
||||
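Review bot: the WAF global reset bullets ("Removed `waf_bypass=1` from 70 vhosts and path ACLs", "All traffic now routes through mitmproxy for inspection") are contradicted later in the same hunk, where the Service Fixes entry re-adds `waf_bypass` for the Wazuh dashboard. Qualify the "all traffic" claim and list the Wazuh dashboard as a documented exception with its reason (HTTPS backend incompatible with HTTP WAF) and a follow-up item to remove it, so the bypass does not silently outlive the reset. In the PeerTube Email bullets, authenticating as `admin@secubox.in` on port 25 with STARTTLS disabled means the admin mailbox credential crosses the internal network in cleartext; a dedicated least-privilege mailserver account for PeerTube (the `peertube@secubox.in` alias already exists) would limit the impact if the PeerTube container were compromised, and the entry should record that plaintext SMTP is accepted only because the link is internal.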
@ -1,6 +1,6 @@
|
||||
# Work In Progress (Claude)
|
||||
|
||||
_Last updated: 2026-02-15 (PeerTube + Generative LuCI Tree)_
|
||||
_Last updated: 2026-02-15 (HAProxy/Mitmproxy WAF fixes + Wazuh watchdog)_
|
||||
|
||||
> **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches
|
||||
|
||||
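Review bot: the replaced and replacement `_Last updated_` lines carry the same date (2026-02-15) and differ only in the parenthetical, so two snapshots of this file cannot be ordered from that line alone; appending the short hash of the latest referenced commit, e.g. `_Last updated: 2026-02-15 (f3f6eb4e, HAProxy/Mitmproxy WAF fixes + Wazuh watchdog)_`, would make the ordering unambiguous.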
@ -64,6 +64,29 @@ _Last updated: 2026-02-15 (PeerTube + Generative LuCI Tree)_
|
||||
|
||||
### Just Completed (2026-02-15)
|
||||
|
||||
- **HAProxy & Mitmproxy WAF Fixes** — DONE (2026-02-15)
|
||||
- Fixed HAProxy reload: copy config to `/etc/haproxy/` before signal
|
||||
- Fixed mitmproxy Host header preservation for OAuth compatibility
|
||||
- Reset WAF globally: removed `waf_bypass` from 70 vhosts/ACLs
|
||||
- All traffic now routes through mitmproxy for inspection
|
||||
- Committed: f3f6eb4e
|
||||
|
||||
- **PeerTube Email Configuration** — DONE (2026-02-15)
|
||||
- Configured SMTP with local mailserver (192.168.255.30:25)
|
||||
- Fixed STARTTLS self-signed cert error (disable_starttls: true)
|
||||
- Password resets and notifications working
|
||||
|
||||
- **Wazuh Agent Watchdog** — DONE (2026-02-15)
|
||||
- Added watchdog loop to check wazuh-agentd every 60 seconds
|
||||
- Auto-restarts service if process dies
|
||||
- Logs to `/var/log/wazuh-watchdog.log`
|
||||
- Committed: 851910e1
|
||||
|
||||
- **Streamlit Gitea Integration** — DONE (2026-02-15)
|
||||
- Auto-push on first upload confirmed working
|
||||
- Pushed 4 missing apps to Gitea (cineposter_fixed, pdf_slideshow, pharmacopoeia_secubox, wuyun_liuqi)
|
||||
- 18 apps now have Gitea repos
|
||||
|
||||
- **PeerTube Video Platform Package** — DONE (2026-02-15)
|
||||
- Created `secubox-app-peertube` package for self-hosted video streaming
|
||||
- LXC Debian Bookworm container with PostgreSQL 15, Redis 7, Node.js 18, FFmpeg
|
||||
|
||||
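Review bot: the "Just Completed" summary repeats "All traffic now routes through mitmproxy for inspection" without the Wazuh dashboard `waf_bypass` exception recorded in the other file touched by this commit; since this WIP file is the quick-reference view, the exception belongs here too, preferably as an open item. Separately, the PeerTube package bullet pins Node.js 18, which reached end-of-life in April 2025, so the container runs an unsupported runtime with no further security fixes; add a tracking item to move to a supported LTS line.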