From 640ceafa434c52a761f2a981cd18e8cbae6801f5 Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Sat, 7 Mar 2026 11:13:42 +0100 Subject: [PATCH] fix(mitmproxy): Change WAF proxy port from 8889 to 8890 Port 8889 conflicts with avatar-tap Streamlit service. Updated mitmproxy-in instance to use port 8890 for HAProxy WAF routing. Changes: - UCI config: proxy_port and listen_port now default to 8890 - mitmproxyctl: Updated fallback defaults and documentation - README: Updated architecture diagrams with correct port Co-Authored-By: Claude Opus 4.5 --- package/secubox/luci-app-mitmproxy/README.md | 2 +- package/secubox/secubox-app-mitmproxy/README.md | 6 +++--- .../secubox-app-mitmproxy/files/etc/config/mitmproxy | 4 ++-- .../secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl | 6 +++--- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/package/secubox/luci-app-mitmproxy/README.md b/package/secubox/luci-app-mitmproxy/README.md index e46f3f3f..79836d93 100644 --- a/package/secubox/luci-app-mitmproxy/README.md +++ b/package/secubox/luci-app-mitmproxy/README.md @@ -134,7 +134,7 @@ Route all HAProxy vhost traffic through mitmproxy for threat detection. ### Architecture ``` -Internet → HAProxy (SSL termination) → mitmproxy :8889 → Actual Backends +Internet → HAProxy (SSL termination) → mitmproxy :8890 → Actual Backends ↓ Threat Detection ↓ diff --git a/package/secubox/secubox-app-mitmproxy/README.md b/package/secubox/secubox-app-mitmproxy/README.md index a2847072..ed1be2a5 100644 --- a/package/secubox/secubox-app-mitmproxy/README.md +++ b/package/secubox/secubox-app-mitmproxy/README.md 
@@ -143,13 +143,13 @@ curl -sL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.m │ │ │ │ ▼ │ │ ┌─────────────────────────────────────────────────────────┐ │ -│ │ Backend: mitmproxy_inspector (127.0.0.1:8889) │ │ +│ │ Backend: mitmproxy_inspector (127.0.0.1:8890) │ │ │ └─────────────────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────────────────────┐ -│ mitmproxy LXC Container (port 8889) │ +│ mitmproxy LXC Container (port 8890) │ │ ┌─────────────────────────────────────────────────────────┐ │ │ │ haproxy_router.py: Routes by Host header │ │ │ │ secubox_analytics.py: Threat detection │ │ @@ -202,7 +202,7 @@ This generates `/srv/mitmproxy/haproxy-routes.json`: mitmproxyctl haproxy-enable # This will: -# 1. Create mitmproxy_inspector backend (127.0.0.1:8889) +# 1. Create mitmproxy_inspector backend (127.0.0.1:8890) # 2. Store original backends in UCI (haproxy.$vhost.original_backend) # 3. Redirect all vhosts through mitmproxy # 4. Sync route mappings diff --git a/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy b/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy index 36500a88..b0797f0f 100644 --- a/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy +++ b/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy @@ -33,7 +33,7 @@ config instance 'in' option enabled '1' option description 'WAF/Reverse Proxy' option container_name 'mitmproxy-in' - option proxy_port '8889' + option proxy_port '8890' option web_port '8090' option web_host '0.0.0.0' option data_path '/srv/mitmproxy-in' 
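Review bot: Changing the shipped default of `proxy_port` here (and of `listen_port` in the `haproxy_router` section, next hunk) does not move systems that are already configured: a stored `/etc/config/mitmproxy` and any `mitmproxy_inspector` backend already written by `mitmproxyctl haproxy-enable` presumably still point at 8889. Per the commit message that port now belongs to another service, so on such a system HAProxy could hand vhost traffic to that service instead of the WAF, with no threat detection in the path. Consider shipping a one-time migration (for example a uci-defaults script that rewrites the two options only when they still hold `8889` and then re-runs the HAProxy sync), or at least state the manual step in the README. A comment above the option such as `# Must match haproxy_router.listen_port and the HAProxy mitmproxy_inspector backend` would document the coupling.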
@@ -154,7 +154,7 @@ config whitelist 'whitelist' config haproxy_router 'haproxy_router' option enabled '0' # Port HAProxy sends traffic to - option listen_port '8889' + option listen_port '8890' # Enable threat detection on HAProxy traffic option threat_detection '1' # Routes file (auto-generated from HAProxy UCI) diff --git a/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl b/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl index cda2606a..4ca183c8 100755 --- a/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl +++ b/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxyctl @@ -64,7 +64,7 @@ Modes (configure per-instance): Instance Ports (default): out: proxy=8888, web=8089 (LAN->Internet) - in: proxy=8889, web=8090 (WAF/HAProxy backend) + in: proxy=8890, web=8090 (WAF/HAProxy backend) Examples: mitmproxyctl status out # Status of 'out' instance @@ -247,7 +247,7 @@ load_config() { else haproxy_router_enabled="$(uci_get haproxy_router.enabled || echo 0)" fi - haproxy_listen_port="$(uci_get haproxy_router.listen_port || echo 8889)" + haproxy_listen_port="$(uci_get haproxy_router.listen_port || echo 8890)" haproxy_threat_detection="$(uci_get haproxy_router.threat_detection || echo 1)" haproxy_routes_file="$(uci_get haproxy_router.routes_file || echo /srv/mitmproxy/haproxy-routes.json)" } @@ -669,7 +669,7 @@ FILTERING_ENABLED="${MITMPROXY_FILTERING_ENABLED:-0}" # HAProxy router mode HAPROXY_ROUTER_ENABLED="${MITMPROXY_HAPROXY_ROUTER_ENABLED:-0}" -HAPROXY_LISTEN_PORT="${MITMPROXY_HAPROXY_LISTEN_PORT:-8889}" +HAPROXY_LISTEN_PORT="${MITMPROXY_HAPROXY_LISTEN_PORT:-8890}" HAPROXY_ROUTES_FILE="${MITMPROXY_HAPROXY_ROUTES_FILE:-/data/haproxy-routes.json}" # Build args
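Review bot: The fallback in `load_config` repeats the literal `8890` that also appears in the usage text and in the `HAPROXY_LISTEN_PORT` default of the last hunk, so the next port change again has to touch every copy, and a missed one leaves HAProxy and mitmproxy on different ports. Define it once, e.g. `DEFAULT_WAF_PORT=8890` near the top of the script, and use `haproxy_listen_port="$(uci_get haproxy_router.listen_port || echo "$DEFAULT_WAF_PORT")"`; whether the last hunk can reference the same variable depends on how that section is emitted, which is not visible here. It would also help to log a warning when `haproxy_router.listen_port` differs from the `in` instance's `proxy_port`, since a mismatch sends traffic meant for inspection to a port the WAF is not listening on. `load_config` begins above this hunk, so the rest of its body is not reviewed.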