fix(metablogizer): Add wildcard SSL cert mapping on site creation

Sites on *.gk2.secubox.in were failing because HAProxy couldn't match
the SNI to the correct certificate. New add_haproxy_cert() helper:
- Extracts base domain from subdomain
- Creates UCI cert entry mapping domain to wildcard cert file
- Applied to all vhost creation paths (create, upload, republish)

Sites now work immediately after one-click deploy without manual
certificate configuration.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CyberMind-FR 2026-02-23 08:45:50 +01:00
parent 2b7850379d
commit 5bf6d0d84c


@ -121,6 +121,23 @@ PYEOF
done
}
# Add HAProxy cert entry for wildcard SSL mapping
add_haproxy_cert() {
local domain="$1"
# Extract base domain for wildcard cert (e.g., gk2.secubox.in from sub.gk2.secubox.in)
local base_domain=$(echo "$domain" | sed 's/^[^.]*\.//')
local cert_name=$(echo "$domain" | sed 's/[^a-zA-Z0-9]/_/g')
# Check if wildcard cert exists
local wildcard_cert="/opt/haproxy/certs/*.${base_domain}.pem"
if lxc-attach -n haproxy -- ls "$wildcard_cert" >/dev/null 2>&1; then
uci set "haproxy.cert_${cert_name}=cert"
uci set "haproxy.cert_${cert_name}.domain=$domain"
uci set "haproxy.cert_${cert_name}.cert_file=$wildcard_cert"
fi
}
# Get .onion address for a site if Tor hidden service exists
get_onion_address() {
local site_name="$1"
@ -460,6 +477,9 @@ EOF
uci set "haproxy.$vhost_name.acme=$acme_val"
uci set "haproxy.$vhost_name.enabled=1"
uci set "haproxy.$vhost_name.priority=50"
# Add cert entry for wildcard SSL
add_haproxy_cert "$domain"
uci commit haproxy
# Add mitmproxy route for WAF inspection
@ -838,6 +858,9 @@ method_update_site() {
uci set "haproxy.$vhost_name.ssl_redirect=1"
uci set "haproxy.$vhost_name.acme=1"
uci set "haproxy.$vhost_name.enabled=1"
# Add cert entry for wildcard SSL
add_haproxy_cert "$domain"
uci commit haproxy
# Regenerate and reload HAProxy
@ -1173,6 +1196,8 @@ EOF
uci set "haproxy.$vhost_name.enabled=1"
uci set "haproxy.$vhost_name.priority=50"
# Add cert entry for wildcard SSL
add_haproxy_cert "$domain"
uci commit haproxy
# Add mitmproxy route for WAF inspection
@ -1960,6 +1985,8 @@ EOF
uci set "haproxy.$vhost_name.enabled=1"
uci set "haproxy.$vhost_name.priority=50"
# Add cert entry for wildcard SSL
add_haproxy_cert "$domain"
uci commit haproxy
# Add mitmproxy route for WAF inspection
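Review bot: add_haproxy_cert() in the first hunk builds a filesystem path and a UCI `cert_file` value directly from `$domain` without checking that it has the shape of a hostname; whether the callers validate it earlier is not visible in these hunks. A guard at the top of the function, such as `case "$domain" in ''|.*|*..*|*[!a-zA-Z0-9.-]*) return 1 ;; esac`, would keep `/` and `..` out of `$wildcard_cert`. The `cert_name` substitution maps both `.` and `-` to `_`, so two names like `a-b.example.com` and `a.b.example.com` (constructed example) would share one UCI section and the later one would overwrite the earlier mapping. The `lxc-attach ... >/dev/null 2>&1` test also skips the mapping silently when the container cannot be reached, which looks the same as a missing certificate; an `else` branch with a `logger` line would make that state visible. The helper is called from the four later hunks as well, so a guard inside it covers every creation path.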