From 447e4ab2be582cbe210156151c2b212770743274 Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Sat, 17 Jan 2026 09:24:45 +0100 Subject: [PATCH] fix(secubox-app-mitmproxy): Fix Docker image token capture for LuCI integration - Add PYTHONUNBUFFERED=1 to ensure mitmweb output is not buffered - Use inline while loop to capture authentication token from startup output - Fix RPCD backend to read token from correct path ($DATA_DIR/.mitmproxy_token) - Add proper shell detection and symlink creation in Docker rootfs extraction - Remove unnecessary exec in pipeline that prevented output capture The mitmweb authentication token is now properly captured and available to the LuCI Web UI view for iframe embedding. Co-Authored-By: Claude Opus 4.5 --- package/secubox/luci-app-mitmproxy/Makefile | 2 +- .../root/usr/libexec/rpcd/luci.mitmproxy | 6 +- .../secubox/secubox-app-mitmproxy/Makefile | 2 +- .../files/usr/sbin/mitmproxyctl | 96 +++++++++++-------- 4 files changed, 63 insertions(+), 43 deletions(-) diff --git a/package/secubox/luci-app-mitmproxy/Makefile b/package/secubox/luci-app-mitmproxy/Makefile index 5126c585..be4da3f2 100644 --- a/package/secubox/luci-app-mitmproxy/Makefile +++ b/package/secubox/luci-app-mitmproxy/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-mitmproxy PKG_VERSION:=0.4.0 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_ARCH:=all PKG_LICENSE:=Apache-2.0 diff --git a/package/secubox/luci-app-mitmproxy/root/usr/libexec/rpcd/luci.mitmproxy b/package/secubox/luci-app-mitmproxy/root/usr/libexec/rpcd/luci.mitmproxy index 198dee66..0016c6bc 100755 --- a/package/secubox/luci-app-mitmproxy/root/usr/libexec/rpcd/luci.mitmproxy +++ b/package/secubox/luci-app-mitmproxy/root/usr/libexec/rpcd/luci.mitmproxy 
@@ -401,13 +401,15 @@ EOF } get_web_token() { - local token_file="$LXC_ROOTFS/data/.mitmproxy_token" + # Token is written to /data/.mitmproxy_token inside container + # /data is bind-mounted to DATA_DIR on host + local token_file="$DATA_DIR/.mitmproxy_token" local router_ip=$(uci -q get network.lan.ipaddr || echo "192.168.1.1") local web_port=$(uci -q get mitmproxy.main.web_port || echo "8081") local token="" if [ -f "$token_file" ]; then - token=$(cat "$token_file" 2>/dev/null) + token=$(cat "$token_file" 2>/dev/null | tr -d '\n\r') fi cat < diff --git a/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl b/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl index ddd7efff..e6903bb4 100755 --- a/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl +++ b/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl 
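Review bot: The token read in `get_web_token` is only stripped of `\n` and `\r`, although the file lives in `$DATA_DIR`, which the new comment describes as bind-mounted into the container and therefore writable from inside it. The writer in mitmproxyctl only ever stores what matches `token=[a-f0-9]*`, so the reader can enforce the same alphabet and drop the extra `cat`: `token=$(tr -cd 'a-f0-9' < "$token_file")`. The heredoc that consumes `$token` is cut off in this view; if it interpolates the value into JSON or an iframe URL, that filter is what keeps a quote or other stray byte from altering the response. The function body continues outside the hunk.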
@@ -307,20 +307,53 @@ lxc_create_docker_rootfs() { log_info " Layer: ${layer_digest:7:12}..." wget -q -O - --header="Authorization: Bearer $token" \ "https://$registry/v2/$image/blobs/$layer_digest" | \ - tar xz -C "$rootfs" 2>/dev/null || true + tar xzf - -C "$rootfs" 2>&1 | grep -v "Cannot change ownership" || true done # Configure container echo "nameserver 8.8.8.8" > "$rootfs/etc/resolv.conf" - mkdir -p "$rootfs/data" "$rootfs/var/log/mitmproxy" "$rootfs/etc/mitmproxy/addons" + mkdir -p "$rootfs/data" "$rootfs/var/log/mitmproxy" "$rootfs/etc/mitmproxy/addons" "$rootfs/tmp" - # Create startup script for mitmweb + # Ensure proper shell setup - Docker image is Python slim (Debian-based) + # python:slim uses dash as /bin/sh but symlinks may not extract properly + log_info "Checking shell availability..." + ls -la "$rootfs/bin/" 2>/dev/null | head -20 || true + + # Ensure /bin/sh exists - critical for script execution + if [ ! -x "$rootfs/bin/sh" ]; then + log_warn "/bin/sh not found or not executable, attempting to fix..." + # Check for available shells + if [ -x "$rootfs/bin/dash" ]; then + ln -sf dash "$rootfs/bin/sh" + log_info "Created /bin/sh -> dash" + elif [ -x "$rootfs/bin/bash" ]; then + ln -sf bash "$rootfs/bin/sh" + log_info "Created /bin/sh -> bash" + elif [ -x "$rootfs/usr/bin/dash" ]; then + mkdir -p "$rootfs/bin" + ln -sf /usr/bin/dash "$rootfs/bin/sh" + log_info "Created /bin/sh -> /usr/bin/dash" + else + # Last resort: copy busybox sh from host if available + log_error "No shell found in container! Container may not start properly." + fi + fi + + # Verify shell is now available + if [ -x "$rootfs/bin/sh" ]; then + log_info "Shell ready: $(ls -la "$rootfs/bin/sh")" + else + log_error "Shell setup failed!" 
+ fi + + # Create startup script for mitmweb (POSIX-compliant for dash) cat > "$rootfs/opt/start-mitmproxy.sh" << 'START' #!/bin/sh -export PATH="/usr/local/bin:$PATH" +export PATH="/usr/local/bin:/usr/bin:/bin:$PATH" +export PYTHONUNBUFFERED=1 cd /data -# Read environment variables for configuration +# Read environment variables MODE="${MITMPROXY_MODE:-regular}" PROXY_PORT="${MITMPROXY_PROXY_PORT:-8888}" WEB_PORT="${MITMPROXY_WEB_PORT:-8081}" @@ -328,28 +361,19 @@ WEB_HOST="${MITMPROXY_WEB_HOST:-0.0.0.0}" ADDON_SCRIPT="${MITMPROXY_ADDON_SCRIPT:-}" FILTERING_ENABLED="${MITMPROXY_FILTERING_ENABLED:-0}" -# Build command arguments -ARGS="--listen-host 0.0.0.0 --listen-port $PROXY_PORT" -ARGS="$ARGS --set confdir=/data" +# Build args +ARGS="--listen-host 0.0.0.0 --listen-port $PROXY_PORT --set confdir=/data" +ARGS="$ARGS --web-host $WEB_HOST --web-port $WEB_PORT --no-web-open-browser" -# Mode-specific options case "$MODE" in - transparent) - ARGS="$ARGS --mode transparent" - ;; - upstream) - [ -n "$UPSTREAM_PROXY" ] && ARGS="$ARGS --mode upstream:$UPSTREAM_PROXY" - ;; - reverse) - [ -n "$REVERSE_TARGET" ] && ARGS="$ARGS --mode reverse:$REVERSE_TARGET" - ;; + transparent) ARGS="$ARGS --mode transparent" ;; + upstream) [ -n "$UPSTREAM_PROXY" ] && ARGS="$ARGS --mode upstream:$UPSTREAM_PROXY" ;; + reverse) [ -n "$REVERSE_TARGET" ] && ARGS="$ARGS --mode reverse:$REVERSE_TARGET" ;; esac -# Optional flags [ "$SSL_INSECURE" = "1" ] && ARGS="$ARGS --ssl-insecure" [ "$ANTICACHE" = "1" ] && ARGS="$ARGS --anticache" [ "$ANTICOMP" = "1" ] && ARGS="$ARGS --anticomp" -# Note: --flow-detail removed in recent mitmproxy versions # Load addon script if filtering is enabled if [ "$FILTERING_ENABLED" = "1" ] && [ -n "$ADDON_SCRIPT" ] && [ -f "$ADDON_SCRIPT" ]; then 
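Review bot: The new `tar xzf - -C "$rootfs" 2>&1 | grep -v "Cannot change ownership" || true` line takes its status from `grep` and then discards it, so a failed or truncated `wget` still leaves a partly extracted rootfs that the rest of the function goes on to configure. The blob is also never compared with `$layer_digest`, although registry blobs are content-addressed and the expected hash is already in hand. Downloading each layer to a file, checking its SHA-256 and only then extracting covers both; the sketch below assumes `mktemp` and `sha256sum` exist on the host and that a non-zero return is how this function reports failure, neither of which is visible here. Separately, the `# Last resort: copy busybox sh from host if available` comment has no code behind it, and both `log_error` branches fall through instead of stopping. The function starts and ends outside the hunk.

```shell
# … unchanged: log_info " Layer: …" …
local layer_file
layer_file=$(mktemp) || return 1
if ! wget -q -O "$layer_file" --header="Authorization: Bearer $token" \
	"https://$registry/v2/$image/blobs/$layer_digest"; then
	log_error "Layer download failed: $layer_digest"
	rm -f "$layer_file"
	return 1
fi
# Blobs are content-addressed: refuse a layer whose hash differs from its digest.
if [ "$(sha256sum "$layer_file" | cut -d' ' -f1)" != "${layer_digest#sha256:}" ]; then
	log_error "Layer digest mismatch: $layer_digest"
	rm -f "$layer_file"
	return 1
fi
# Ownership warnings are still filtered, but the input is now a verified file.
tar xzf "$layer_file" -C "$rootfs" 2>&1 | grep -v "Cannot change ownership" || true
rm -f "$layer_file"
# … unchanged: done, then container configuration …
```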
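Review bot: `--web-host $WEB_HOST --web-port $WEB_PORT` are now folded into the unquoted `$ARGS` string, whereas the `exec mitmweb` line removed in the last hunk passed both values quoted. After this change, whitespace in `MITMPROXY_WEB_HOST` or `MITMPROXY_WEB_PORT` is word-split into additional mitmweb options, as was already the case for `PROXY_PORT`. POSIX sh has no arrays, so the simplest guard is to validate before building `ARGS`, e.g. `case "$WEB_PORT" in ''|*[!0-9]*) echo "invalid web port" >&2; exit 1 ;; esac`, the same for `PROXY_PORT`, and a comparable character check on `WEB_HOST`. The `WEB_HOST` default of `0.0.0.0` (a context line here) binds the web UI to every container interface, which deserves a comment stating that it is intentional.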
@@ -357,27 +381,21 @@ if [ "$FILTERING_ENABLED" = "1" ] && [ -n "$ADDON_SCRIPT" ] && [ -f "$ADDON_SCRI echo "Loading addon: $ADDON_SCRIPT" fi -# Run mitmweb and capture token -# Use tee to both display output and capture token -LOG_FILE="/tmp/mitmweb.log" -rm -f "$LOG_FILE" /data/.mitmproxy_token +rm -f /data/.mitmproxy_token /tmp/mitmweb.log -# Background job to capture token from log -( - for i in $(seq 1 30); do - if [ -f "$LOG_FILE" ]; then - token=$(grep -o 'token=[a-f0-9]*' "$LOG_FILE" 2>/dev/null | head -1 | cut -d= -f2) - if [ -n "$token" ]; then - echo "$token" > /data/.mitmproxy_token - break - fi - fi - sleep 1 - done -) & +echo "Starting mitmweb..." -# Run mitmweb with output to both console and log file -exec mitmweb $ARGS --web-host "$WEB_HOST" --web-port "$WEB_PORT" --no-web-open-browser 2>&1 | tee "$LOG_FILE" +# Run mitmweb with unbuffered output and inline token capture +/usr/local/bin/mitmweb $ARGS 2>&1 | while IFS= read -r line; do + echo "$line" + echo "$line" >> /tmp/mitmweb.log + case "$line" in + *token=*) + token=$(echo "$line" | grep -o 'token=[a-f0-9]*' | cut -d= -f2) + [ -n "$token" ] && echo "$token" > /data/.mitmproxy_token + ;; + esac +done START chmod +x "$rootfs/opt/start-mitmproxy.sh"
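Review bot: `echo "$token" > /data/.mitmproxy_token` creates the credential file under the default umask, and `/tmp/mitmweb.log` receives every output line, including the one that carries `token=`. The token is what gates the mitmweb UI, so both files should be owner-only; adding `umask 077` near the top of the start script, before the `rm -f` line, would do it (assuming the RPCD reader runs as root on the host). The log is also appended to for the whole lifetime of the process with no size bound. With `exec` gone and mitmweb on the left side of a pipe, the script's exit status is that of the `while` loop, so a mitmweb crash is reported as success; a comment saying so would help whoever supervises the container.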