gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: Update tracking files for 2026-02-15 work

Browse Source 
- HAProxy reload fix (copy config before signal)
- Mitmproxy Host header preservation for OAuth
- WAF global reset (70 vhosts/ACLs)
- PeerTube email configuration with mailserver
- Wazuh agent watchdog implementation
- Streamlit Gitea sync (4 new repos)
- Service fixes (roundcube, evolution, wazuh)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
CyberMind-FR 2026-02-15 09:19:30 +01:00
parent 851910e185
commit 274dbd8add
2 changed files with 66 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
.claude/HISTORY.md
View File

@ -1773,3 +1773,45 @@ git checkout HEAD -- index.html
- PeerTube validates requests against configured webserver.hostname - PeerTube validates requests against configured webserver.hostname
- **Listen hostname**: Set to `0.0.0.0` (not domain name) for proper binding - **Listen hostname**: Set to `0.0.0.0` (not domain name) for proper binding
- **Webserver hostname**: Set to `tube.gk2.secubox.in` for OAuth validation - **Webserver hostname**: Set to `tube.gk2.secubox.in` for OAuth validation
### 2026-02-15: HAProxy & Mitmproxy WAF Fixes
- **HAProxy reload fix** in haproxyctl
- HAProxy reads from `/etc/haproxy/haproxy.cfg` inside container
- Config was generated at `/opt/haproxy/config/haproxy.cfg` but not copied
- Added `lxc_exec cp /opt/haproxy/config/haproxy.cfg /etc/haproxy/haproxy.cfg` before reload signal
- **Mitmproxy Host header preservation** in haproxy_router.py
- Fixed PeerTube OAuth "Invalid client" error when WAF enabled
- Issue: `flow.request.host = backend[0]` was modifying the Host header
- Fix: Save original Host header, set backend destination, restore Host header
- Backends that validate Host (PeerTube OAuth, etc.) now work through WAF
- **WAF global reset**
- Removed `waf_bypass=1` from 70 vhosts and path ACLs
- All traffic now routes through mitmproxy for inspection
- Streamlit apps, infrastructure services all WAF-enabled
- **Committed**: f3f6eb4e - fix(haproxy,mitmproxy): Fix config reload and preserve Host header
### 2026-02-15: PeerTube Email Configuration
- **Configured SMTP** for local mailserver (192.168.255.30)
- Port 25, no TLS, disable_starttls=true (internal network)
- Auth: admin@secubox.in
- From: peertube@secubox.in
- **Fixed self-signed certificate error**
- Mailserver STARTTLS was enabled with self-signed cert
- Set `disable_starttls: true` in production.yaml
- **Added peertube@secubox.in alias** to mailserver virtual aliases
- PeerTube now sends registration confirmations and password resets
### 2026-02-15: Wazuh Agent Watchdog
- **Added watchdog** to wazuh-agent startup script
- Checks every 60 seconds if `wazuh-agentd` is running
- Automatically restarts Wazuh service if process dies
- Logs restart events to `/var/log/wazuh-watchdog.log`
- **Root cause**: wazuh-agentd process had stopped, agent showed disconnected
- **Committed**: 851910e1 - feat(wazuh): Add watchdog to wazuh-agent startup script
### 2026-02-15: Service Fixes
- **Roundcube webmail**: Container was stopped, started it
- **Wazuh dashboard**: Added waf_bypass (HTTPS backend incompatible with HTTP WAF)
- **Streamlit evolution**: Instance was not running, added on port 8510
- **Streamlit Gitea sync**: Pushed 4 missing apps (cineposter_fixed, pdf_slideshow, pharmacopoeia_secubox, wuyun_liuqi)
- **RTMP firewall**: Opened port 1935 for PeerTube live streaming

25
.claude/WIP.md
View File

@ -1,6 +1,6 @@
# Work In Progress (Claude) # Work In Progress (Claude)
_Last updated: 2026-02-15 (PeerTube + Generative LuCI Tree)_ _Last updated: 2026-02-15 (HAProxy/Mitmproxy WAF fixes + Wazuh watchdog)_
> **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches > **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches
@ -64,6 +64,29 @@ _Last updated: 2026-02-15 (PeerTube + Generative LuCI Tree)_
### Just Completed (2026-02-15) ### Just Completed (2026-02-15)
- **HAProxy & Mitmproxy WAF Fixes** — DONE (2026-02-15)
- Fixed HAProxy reload: copy config to `/etc/haproxy/` before signal
- Fixed mitmproxy Host header preservation for OAuth compatibility
- Reset WAF globally: removed `waf_bypass` from 70 vhosts/ACLs
- All traffic now routes through mitmproxy for inspection
- Committed: f3f6eb4e
- **PeerTube Email Configuration** — DONE (2026-02-15)
- Configured SMTP with local mailserver (192.168.255.30:25)
- Fixed STARTTLS self-signed cert error (disable_starttls: true)
- Password resets and notifications working
- **Wazuh Agent Watchdog** — DONE (2026-02-15)
- Added watchdog loop to check wazuh-agentd every 60 seconds
- Auto-restarts service if process dies
- Logs to `/var/log/wazuh-watchdog.log`
- Committed: 851910e1
- **Streamlit Gitea Integration** — DONE (2026-02-15)
- Auto-push on first upload confirmed working
- Pushed 4 missing apps to Gitea (cineposter_fixed, pdf_slideshow, pharmacopoeia_secubox, wuyun_liuqi)
- 18 apps now have Gitea repos
- **PeerTube Video Platform Package** — DONE (2026-02-15) - **PeerTube Video Platform Package** — DONE (2026-02-15)
- Created `secubox-app-peertube` package for self-hosted video streaming - Created `secubox-app-peertube` package for self-hosted video streaming
- LXC Debian Bookworm container with PostgreSQL 15, Redis 7, Node.js 18, FFmpeg - LXC Debian Bookworm container with PostgreSQL 15, Redis 7, Node.js 18, FFmpeg