feat(mitmproxy): Disable LAN transparent proxy by default

LAN transparent mode now requires explicit opt-in via transparent.enabled
to prevent HTTPS certificate errors for LAN clients.

Changes:
- mitmproxyctl: Check transparent_enabled before setting up LAN firewall rules
- LuCI settings: Add warning about certificate requirements for LAN mode
- Default config already has transparent.enabled='0'

WAN protection mode remains active for incoming threat detection.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CyberMind-FR 2026-02-02 10:20:59 +01:00
parent f4b9c910c5
commit 4a8975f436
4 changed files with 16 additions and 8 deletions


@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=luci-app-mitmproxy
PKG_VERSION:=0.5.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_ARCH:=all
PKG_LICENSE:=Apache-2.0


@ -109,12 +109,12 @@ return view.extend({
o.depends('enabled', '1');
// LAN Transparent Mode
s = m.section(form.TypedSection, 'transparent', _('LAN Transparent Mode'));
s = m.section(form.TypedSection, 'transparent', _('LAN Transparent Mode (Disabled by Default)'));
s.anonymous = true;
s.description = _('Intercept outbound LAN traffic for inspection. Note: WAN Protection Mode is recommended for most use cases.');
s.description = _('<strong>Warning:</strong> LAN transparent mode intercepts HTTPS traffic which requires all LAN clients to trust the mitmproxy CA certificate. Without this, secured websites will show certificate errors. This mode is disabled by default. Use WAN Protection Mode for threat detection without client-side certificate requirements.');
o = s.option(form.Flag, 'enabled', _('Enable LAN Transparent Redirect'));
o.description = _('Redirect outbound LAN HTTP/HTTPS traffic through proxy');
o.description = _('Redirect outbound LAN HTTP/HTTPS traffic through proxy. Requires mitmproxy CA certificate installed on all clients.');
o = s.option(form.Value, 'interface', _('LAN Interface'));
o.default = 'br-lan';
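Review bot: The section title now bakes a state claim into a fixed label, `_('LAN Transparent Mode (Disabled by Default)')`, which keeps reading "Disabled by Default" in the UI after an administrator has turned the flag on and is also the string translators will have to carry for a heading. The default status is already stated in the new `s.description` text ("This mode is disabled by default"), so keeping the heading as `_('LAN Transparent Mode')` avoids the duplication and the stale-looking label. The `view.extend` body enclosing this hunk starts and ends outside it.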


@ -1,7 +1,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=secubox-app-mitmproxy
PKG_RELEASE:=19
PKG_RELEASE:=20
PKG_VERSION:=0.5.0
PKG_ARCH:=all
PKG_MAINTAINER:=CyberMind Studio <contact@cybermind.fr>


@ -167,7 +167,15 @@ nft_setup() {
return 0
fi
log_info "Setting up nftables for transparent proxy..."
# Check if LAN transparent mode is enabled
if [ "$transparent_enabled" != "1" ]; then
log_warn "LAN transparent mode is disabled. Enable with: uci set mitmproxy.transparent.enabled='1'"
log_warn "Note: HTTPS interception requires clients to trust the mitmproxy CA certificate."
return 0
fi
log_info "Setting up nftables for LAN transparent proxy..."
log_warn "Warning: HTTPS sites may show certificate errors until clients trust the CA."
# Enable IP forwarding (required for transparent proxying)
log_info "Enabling IP forwarding..."
@ -857,8 +865,8 @@ lxc_run() {
ensure_dir "$data_path"
ensure_dir "$ADDON_PATH"
# Setup firewall rules if in transparent mode (LAN)
if [ "$mode" = "transparent" ]; then
# Setup LAN transparent firewall rules if both mode=transparent AND transparent.enabled=1
if [ "$mode" = "transparent" ] && [ "$transparent_enabled" = "1" ]; then
nft_setup
fi
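Review bot: nft_setup now gates on `$transparent_enabled`, but nothing in these hunks shows where that variable is populated; if it is only loaded on the path through lxc_run, invoking nft_setup from another entry point would see it empty and silently skip the rules. An empty value or any spelling other than '1' (uci also accepts forms like 'on' or 'true') falls through to the disabled branch, which is the safe direction, but that should be stated next to the check, e.g. `# transparent_enabled must be loaded from uci (mitmproxy.transparent.enabled) before this runs; unset or any value other than '1' is treated as disabled`. The added `&& [ "$transparent_enabled" = "1" ]` in lxc_run duplicates the guard and means the disabled-mode warning nft_setup would have logged is never emitted from that path; calling nft_setup unconditionally there would keep a single source of truth. Both nft_setup and lxc_run begin outside these hunks.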