docs(mitmproxy): Update README and fix Makefile for HAProxy router addon

- Add haproxy_router.py to package install targets - Document HAProxy backend inspection feature - Document threat detection patterns - Document Web UI token authentication - Update RPCD API documentation - Bump secubox-app-mitmproxy to r18 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 15:58:11 +01:00 · 2026-01-31 15:58:11 +01:00 · 2b8d786a72
commit 2b8d786a72
parent 92f73fc3d2
2 changed files with 165 additions and 51 deletions
--- a/package/secubox/luci-app-mitmproxy/README.md
+++ b/package/secubox/luci-app-mitmproxy/README.md
@ -7,11 +7,12 @@ Interactive HTTPS proxy for debugging, testing, and security analysis with trans
 | Feature | Description |
 |---------|-------------|
 | 🔍 **Traffic Inspection** | View and analyze HTTP/HTTPS requests in real-time |
-| 🖥️ **Web UI** | Built-in mitmweb interface for visual traffic analysis |
+| 🖥️ **Web UI** | Built-in mitmweb interface with auto-auth token |
 | 🎭 **Transparent Mode** | Intercept traffic automatically via nftables |
 | 🛡️ **Threat Detection** | Detect SQL injection, XSS, command injection, Log4Shell |
 | 🔗 **HAProxy Integration** | Inspect all vhost backends with threat detection |
 | 📜 **CA Certificate** | Generate and manage SSL interception certificates |
-| 📊 **Statistics** | Track requests, unique hosts, and flow data |
+| 📊 **CrowdSec Logging** | Log threats to CrowdSec for automatic blocking |
 | 🔄 **Request Replay** | Replay captured requests for testing |
 | ⚙️ **Filtering** | Filter and track CDN, media, ads, and trackers |
 | 🛡️ **Whitelist** | Bypass interception for specific IPs/domains |
@ -126,6 +127,83 @@ nft add rule inet fw4 prerouting tcp dport 80 redirect to :8080
 nft add rule inet fw4 prerouting tcp dport 443 redirect to :8080
 ```
 ## 🔗 HAProxy Backend Inspection
 Route all HAProxy vhost traffic through mitmproxy for threat detection.
 ### Architecture
 ```
 Internet → HAProxy (SSL termination) → mitmproxy :8889 → Actual Backends
                                           ↓
                                    Threat Detection
                                           ↓
                                    CrowdSec Logging
 ```
 ### Enable HAProxy Inspection
 ```bash
 # Via CLI
 mitmproxyctl haproxy-enable
 # What it does:
 # 1. Syncs HAProxy backends to mitmproxy routes
 # 2. Updates all vhosts to route through mitmproxy
 # 3. Restarts both services
 ```
 ### Disable HAProxy Inspection
 ```bash
 # Restore original backends
 mitmproxyctl haproxy-disable
 ```
 ### Manual Route Sync
 ```bash
 # Sync routes from HAProxy UCI without enabling inspection
 mitmproxyctl sync-routes
 ```
 ### HAProxy Inspector Commands
 | Command | Description |
 |---------|-------------|
 | `mitmproxyctl haproxy-enable` | Enable backend inspection |
 | `mitmproxyctl haproxy-disable` | Restore original backends |
 | `mitmproxyctl sync-routes` | Sync routes from HAProxy UCI |
 ## 🛡️ Threat Detection
 The analytics addon detects 90+ attack patterns including:
 | Category | Examples |
 |----------|----------|
 | **SQL Injection** | UNION SELECT, OR 1=1, time-based blind |
 | **XSS** | script tags, event handlers, javascript: |
 | **Command Injection** | shell commands, pipe injection |
 | **Path Traversal** | ../../../etc/passwd |
 | **SSRF** | internal IP access, metadata endpoints |
 | **Log4Shell** | ${jndi:ldap://...} |
 | **Admin Scanners** | /wp-admin, /phpmyadmin, /.env |
 ### View Threats
 Threats are displayed in the LuCI dashboard with:
 - Severity level (critical/high/medium/low)
 - Attack pattern type
 - Source IP and country
 - Request path and method
 ### CrowdSec Integration
 Detected threats are logged to `/var/log/crowdsec/mitmproxy-threats.log` for:
 - Automatic IP blocking via CrowdSec bouncer
 - Threat intelligence sharing
 - Security analytics
 ## ⚙️ Configuration
 ### UCI Settings
@ -160,11 +238,18 @@ config whitelist 'whitelist'
    list bypass_domain 'banking.com'
 config filtering 'filtering'
-    option enabled '0'
+    option enabled '1'
    option log_requests '1'
    option filter_cdn '0'
    option filter_media '0'
    option block_ads '0'
    option addon_script '/data/addons/secubox_analytics.py'
 config haproxy_router 'haproxy_router'
    option enabled '0'
    option listen_port '8889'
    option threat_detection '1'
    option routes_file '/srv/mitmproxy/haproxy-routes.json'
 config capture 'capture'
    option save_flows '0'
@ -180,81 +265,109 @@ config capture 'capture'
 | Method | Description |
 |--------|-------------|
-| `get_status` | Get service status |
+| `status` | Get service status (includes auth token) |
-| `service_start` | Start mitmproxy |
+| `start` | Start mitmproxy |
-| `service_stop` | Stop mitmproxy |
+| `stop` | Stop mitmproxy |
-| `service_restart` | Restart service |
+| `restart` | Restart service |
 | `install` | Install mitmproxy container |
 ### Configuration
 | Method | Description |
 |--------|-------------|
-| `get_config` | Get main configuration |
+| `settings` | Get all settings |
-| `get_all_config` | Get all configuration sections |
+| `save_settings` | Save configuration |
-| `get_transparent_config` | Get transparent mode settings |
+| `set_mode` | Set proxy mode |
 | `get_whitelist_config` | Get whitelist settings |
 | `get_filtering_config` | Get filtering settings |
 | `set_config` | Set configuration value |
-### Statistics & Data
+### Threat Detection
 | Method | Description |
 |--------|-------------|
-| `get_stats` | Get traffic statistics |
+| `alerts` | Get detected threats |
-| `get_requests` | Get captured requests |
+| `threat_stats` | Get threat statistics |
-| `get_top_hosts` | Get most requested hosts |
+| `clear_alerts` | Clear all alerts |
-| `get_ca_info` | Get CA certificate info |
+
-| `clear_data` | Clear captured data |
+### HAProxy Integration
 | Method | Description |
 |--------|-------------|
 | `haproxy_enable` | Enable backend inspection |
 | `haproxy_disable` | Restore original backends |
 | `sync_routes` | Sync routes from HAProxy |
 ### Firewall
 | Method | Description |
 |--------|-------------|
-| `firewall_setup` | Setup transparent mode rules |
+| `setup_firewall` | Setup transparent mode rules |
-| `firewall_clear` | Remove firewall rules |
+| `clear_firewall` | Remove firewall rules |
 ### Example Usage
 ```bash
-# Get status
+# Get status (includes auth token for Web UI)
-ubus call luci.mitmproxy get_status
+ubus call luci.mitmproxy status
 # Response:
 {
  "enabled": true,
  "running": true,
  "installed": true,
  "docker_available": true,
  "web_port": 8081,
-  "proxy_port": 8080,
+  "proxy_port": 8888,
-  "listen_port": 8080,
+  "mode": "regular",
-  "web_url": "http://192.168.255.1:8081"
+  "token": "abc123xyz...",
  "haproxy_router_enabled": false,
  "haproxy_listen_port": 8889
 }
-# Get statistics
+# Get detected threats
-ubus call luci.mitmproxy get_stats
+ubus call luci.mitmproxy alerts
 # Response:
 {
-  "total_requests": 12500,
+  "success": true,
-  "unique_hosts": 245,
+  "alerts": [
-  "flow_file_size": 47185920,
+    {
-  "cdn_requests": 3200,
+      "time": "2026-01-31T12:00:00",
-  "media_requests": 890,
+      "severity": "high",
-  "blocked_ads": 156
+      "pattern": "sql_injection",
-}
+      "method": "GET",
-
+      "path": "/api?id=1' OR 1=1--",
-# Get top hosts
+      "ip": "192.168.1.100"
-ubus call luci.mitmproxy get_top_hosts '{"limit":10}'
+    }
 # Response:
 {
  "hosts": [
    { "host": "api.example.com", "count": 1234 },
    { "host": "cdn.cloudflare.com", "count": 890 }
  ]
 }
 # Enable HAProxy backend inspection
 ubus call luci.mitmproxy haproxy_enable
 # Response:
 {
  "success": true,
  "message": "HAProxy backend inspection enabled"
 }
 ```
 ## 🖥️ Web UI Access
 The mitmweb UI requires authentication via token.
 ### Auto-Auth via LuCI
 The LuCI dashboard shows the Web UI link with the token included:
 ```
 http://192.168.255.1:8081/?token=abc123xyz
 ```
 ### Manual Token Access
 ```bash
 # Token is stored in data directory
 cat /srv/mitmproxy/.mitmproxy_token
 # Or via RPCD
 ubus call luci.mitmproxy status | jsonfilter -e '@.token'
 ```
 ## 🔒 CA Certificate
@ -263,12 +376,12 @@ ubus call luci.mitmproxy get_top_hosts '{"limit":10}'
 ```bash
 # Certificate is auto-generated on first start
-# Located at: /srv/mitmproxy/certs/mitmproxy-ca-cert.pem
+# Located at: /srv/mitmproxy/mitmproxy-ca-cert.pem
 ```
 ### Download Certificate
-1. Access mitmweb UI at `http://192.168.255.1:8081`
+1. Access mitmweb UI (use token from LuCI dashboard)
 2. Or navigate to `http://mitm.it` from a proxied device
 3. Download certificate for your platform
@ -374,4 +487,4 @@ uci commit mitmproxy
 ## 📜 License
-MIT License - Copyright (C) 2025 CyberMind.fr
+MIT License - Copyright (C) 2025-2026 CyberMind.fr
--- a/package/secubox/secubox-app-mitmproxy/Makefile
+++ b/package/secubox/secubox-app-mitmproxy/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=secubox-app-mitmproxy
-PKG_RELEASE:=17
+PKG_RELEASE:=18
 PKG_VERSION:=0.5.0
 PKG_ARCH:=all
 PKG_MAINTAINER:=CyberMind Studio <contact@cybermind.fr>
@ -54,9 +54,10 @@ define Package/secubox-app-mitmproxy/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) ./files/usr/sbin/mitmproxyctl $(1)/usr/sbin/mitmproxyctl
-	# Analytics addon for threat detection
+	# Analytics and HAProxy router addons
 	$(INSTALL_DIR) $(1)/srv/mitmproxy/addons
 	$(INSTALL_DATA) ./root/srv/mitmproxy/addons/secubox_analytics.py $(1)/srv/mitmproxy/addons/
 	$(INSTALL_DATA) ./root/srv/mitmproxy/addons/haproxy_router.py $(1)/srv/mitmproxy/addons/
 endef
 define Package/secubox-app-mitmproxy/postinst