From 684673d71424a7f3248324525b2e16356cde1fc6 Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Tue, 3 Mar 2026 16:38:30 +0100 Subject: [PATCH] fix(emancipate): Direct mitmproxy route registration on emancipation Previously, emancipation relied on secubox-route or mitmproxyctl sync-routes which didn't reliably add routes to haproxy-routes.json. This caused newly emancipated services to return 404 from mitmproxy. Changes: - streamlitctl: Direct JSON write as primary method for route registration - metablogizerctl: Direct JSON write as primary method - peertubectl: Direct JSON write as primary method - pinaforectl: Direct JSON write + route through mitmproxy_inspector for WAF All emancipation flows now directly write to /srv/mitmproxy-in/haproxy-routes.json using Python, with secubox-route and mitmproxyctl as fallbacks. Co-Authored-By: Claude Opus 4.5 --- .../files/usr/sbin/metablogizerctl | 69 ++++++++++--------- .../files/usr/sbin/peertubectl | 20 +++++- .../files/usr/sbin/pinaforectl | 24 +++++-- .../files/usr/sbin/streamlitctl | 49 +++++++++---- 4 files changed, 108 insertions(+), 54 deletions(-) diff --git a/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl b/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl index d94f5dd5..801d4d25 100644 --- a/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl +++ b/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl 
@@ -865,44 +865,51 @@ _emancipate_mitmproxy() { local name="$1" local domain="$2" local port=$(uci_get site_${name}.port) - - log_info "[WAF] Registering route in centralized registry" - - # Use centralized secubox-route for route management (preferred) - if command -v secubox-route >/dev/null 2>&1; then - secubox-route add "$domain" "127.0.0.1" "$port" "metablogizer" 2>&1 | while read -r line; do - log_info "[WAF] $line" - done - log_info "[WAF] Route registered in central registry" - return 0 - fi - - # Fallback: Use mitmproxyctl sync-routes - if command -v mitmproxyctl >/dev/null 2>&1; then - log_warn "[WAF] secubox-route not found, using mitmproxyctl" - mitmproxyctl sync-routes 2>&1 | while read -r line; do - log_info "[WAF] $line" - done - return 0 - fi - - # Last resort: Direct file manipulation - log_warn "[WAF] No route manager found, directly adding route" local routes_file="/srv/mitmproxy-in/haproxy-routes.json" - if [ -f "$routes_file" ]; then + + log_info "[WAF] Adding route: $domain -> 127.0.0.1:$port" + + # Direct JSON update - most reliable method + if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then python3 -c " import json +import sys try: - with open('$routes_file') as f: - data = json.load(f) - data['$domain'] = ['127.0.0.1', $port] + with open('$routes_file', 'r') as f: + routes = json.load(f) + routes['$domain'] = ['127.0.0.1', $port] with open('$routes_file', 'w') as f: - json.dump(data, f, indent=2) - print('[WAF] Route added: $domain -> 127.0.0.1:$port') + json.dump(routes, f, indent=2) + print('Route added successfully') except Exception as e: - print(f'[WAF] Error: {e}') -" 2>/dev/null + print(f'Error: {e}', file=sys.stderr) + sys.exit(1) +" 2>&1 && { + log_info "[WAF] Route registered in $routes_file" + return 0 + } fi + + # Fallback: Use centralized secubox-route if available + if command -v secubox-route >/dev/null 2>&1; then + if secubox-route add "$domain" "127.0.0.1" "$port" "metablogizer" 2>&1; then + log_info 
"[WAF] Route registered via secubox-route" + return 0 + fi + fi + + # Fallback: Sync via mitmproxyctl + if command -v mitmproxyctl >/dev/null 2>&1; then + log_warn "[WAF] Direct update failed, trying mitmproxyctl" + mitmproxyctl sync-routes >/dev/null 2>&1 && { + log_info "[WAF] Routes synced via mitmproxyctl" + return 0 + } + fi + + log_error "[WAF] Failed to register route - manual intervention required" + log_error "[WAF] Add manually to $routes_file" + return 1 } _emancipate_path_acl() { diff --git a/package/secubox/secubox-app-peertube/files/usr/sbin/peertubectl b/package/secubox/secubox-app-peertube/files/usr/sbin/peertubectl index 9ddc2f9c..cd97c5f0 100644 --- a/package/secubox/secubox-app-peertube/files/usr/sbin/peertubectl +++ b/package/secubox/secubox-app-peertube/files/usr/sbin/peertubectl @@ -944,11 +944,25 @@ cmd_emancipate() { # Configure HAProxy cmd_configure_haproxy - # Register route in centralized registry + # Register route in mitmproxy local port=$(uci_get port server || echo 9000) - if command -v secubox-route >/dev/null 2>&1; then + local routes_file="/srv/mitmproxy-in/haproxy-routes.json" + + # Direct JSON update - most reliable method + if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then + python3 -c " +import json +try: + with open('$routes_file', 'r') as f: + routes = json.load(f) + routes['$domain'] = ['192.168.255.1', $port] + with open('$routes_file', 'w') as f: + json.dump(routes, f, indent=2) +except: pass +" 2>/dev/null && log_info "Route registered: $domain -> 192.168.255.1:$port" + elif command -v secubox-route >/dev/null 2>&1; then secubox-route add "$domain" "192.168.255.1" "$port" "peertube" 2>/dev/null - log_info "Route registered: $domain -> 192.168.255.1:$port" + log_info "Route registered via secubox-route" elif command -v mitmproxyctl >/dev/null 2>&1; then mitmproxyctl sync-routes 2>/dev/null fi 
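Review bot: The bare `except: pass` in the new peertube direct-write block makes the Python exit 0 on every failure (unreadable or invalid JSON, permission denied on write), so `log_info "Route registered: ..."` is printed even when nothing was written, and because the write sits in the first arm of an `if/elif` chain the `secubox-route` and `mitmproxyctl` fallbacks are never reached — this is the same silent 404 the commit sets out to fix, now without any log trace. Replace it with `except Exception as e: sys.exit(f'Error: {e}')` (adding `import sys`), drop the `2>/dev/null` so the message is visible, and log a warning on the failing path. Separately, `$domain` and `$port` are interpolated into Python source text rather than passed as arguments, so a domain containing a single quote becomes code; passing them via `python3 - "$routes_file" "$domain" "$port" <<'EOF'` and reading `sys.argv` removes that. `cmd_emancipate` begins before this hunk.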
diff --git a/package/secubox/secubox-app-pinafore/files/usr/sbin/pinaforectl b/package/secubox/secubox-app-pinafore/files/usr/sbin/pinaforectl index 6704efbb..e1754acd 100755 --- a/package/secubox/secubox-app-pinafore/files/usr/sbin/pinaforectl +++ b/package/secubox/secubox-app-pinafore/files/usr/sbin/pinaforectl @@ -259,10 +259,10 @@ cmd_emancipate() { uci set haproxy.${backend_name}_srv.port="$PORT" fi - # Add vhost + # Add vhost - route through mitmproxy for WAF protection uci set haproxy.$vhost_name=vhost uci set haproxy.$vhost_name.domain="$domain" - uci set haproxy.$vhost_name.backend='pinafore' + uci set haproxy.$vhost_name.backend='mitmproxy_inspector' uci set haproxy.$vhost_name.ssl='1' uci set haproxy.$vhost_name.ssl_redirect='1' uci set haproxy.$vhost_name.acme='1' @@ -271,12 +271,26 @@ cmd_emancipate() { uci commit haproxy + # Register route in mitmproxy + local routes_file="/srv/mitmproxy-in/haproxy-routes.json" + if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then + python3 -c " +import json +try: + with open('$routes_file', 'r') as f: + routes = json.load(f) + routes['$domain'] = ['192.168.255.1', $PORT] + with open('$routes_file', 'w') as f: + json.dump(routes, f, indent=2) +except: pass +" 2>/dev/null && log_info "Route registered: $domain -> 192.168.255.1:$PORT" + elif command -v mitmproxyctl >/dev/null 2>&1; then + mitmproxyctl sync-routes 2>/dev/null + fi + # Reload HAProxy haproxyctl reload 2>/dev/null || /etc/init.d/haproxy reload 2>/dev/null - # Sync mitmproxy routes - mitmproxyctl sync-routes 2>/dev/null - log_info "Pinafore exposed at https://$domain" } diff --git a/package/secubox/secubox-app-streamlit/files/usr/sbin/streamlitctl b/package/secubox/secubox-app-streamlit/files/usr/sbin/streamlitctl index dcf5b8fb..d796f3f5 100644 --- a/package/secubox/secubox-app-streamlit/files/usr/sbin/streamlitctl +++ b/package/secubox/secubox-app-streamlit/files/usr/sbin/streamlitctl 
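Review bot: The second hunk's route write fails silently (`except: pass` plus `2>/dev/null`, and no `else` branch), yet the first hunk has just made the vhost depend on it by switching the backend to `mitmproxy_inspector`: if the JSON update does not land, HAProxy forwards to mitmproxy, which has no route and answers 404, while the script still ends with `log_info "Pinafore exposed at https://$domain"`. Replace the swallow with `except Exception as e: sys.exit(f'Error: {e}')` (with `import sys`) and follow the call with `|| log_warn "Route registration failed; $domain will 404 at mitmproxy until added to $routes_file"`. `$domain` and `$PORT` are also pasted into Python source in the `python3 -c` string, so a domain containing a single quote is executed as code; pass them as arguments (`python3 - "$routes_file" "$domain" "$PORT" <<'EOF'` and `sys.argv`) instead. `cmd_emancipate` starts outside this hunk.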
@@ -1349,32 +1349,51 @@ _emancipate_ssl() { _emancipate_mitmproxy() { local domain="$1" local port="$2" + local routes_file="/srv/mitmproxy-in/haproxy-routes.json" - log_info "[MITMPROXY] Registering route in centralized registry" + log_info "[MITMPROXY] Adding route: $domain -> 192.168.255.1:$port" - # Use centralized secubox-route for route management (preferred) + # Direct JSON update - most reliable method + if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then + python3 -c " +import json +import sys +try: + with open('$routes_file', 'r') as f: + routes = json.load(f) + routes['$domain'] = ['192.168.255.1', $port] + with open('$routes_file', 'w') as f: + json.dump(routes, f, indent=2) + print('Route added successfully') +except Exception as e: + print(f'Error: {e}', file=sys.stderr) + sys.exit(1) +" 2>&1 && { + log_info "[MITMPROXY] Route registered in $routes_file" + return 0 + } + fi + + # Fallback: Use centralized secubox-route if available if command -v secubox-route >/dev/null 2>&1; then if secubox-route add "$domain" "192.168.255.1" "$port" "streamlit" 2>&1; then - log_info "[MITMPROXY] Route registered: $domain -> 192.168.255.1:$port" - else - log_warn "[MITMPROXY] Failed to register route" + log_info "[MITMPROXY] Route registered via secubox-route" + return 0 fi - return 0 fi # Fallback: Sync via mitmproxyctl if command -v mitmproxyctl >/dev/null 2>&1; then - log_warn "[MITMPROXY] secubox-route not found, using mitmproxyctl" - if mitmproxyctl sync-routes >/dev/null 2>&1; then - log_info "[MITMPROXY] Routes synced successfully" - else - log_warn "[MITMPROXY] Route sync failed - manual sync may be required" - log_warn "[MITMPROXY] Run: mitmproxyctl sync-routes" - fi - return 0 + log_warn "[MITMPROXY] Direct update failed, trying mitmproxyctl" + mitmproxyctl sync-routes >/dev/null 2>&1 && { + log_info "[MITMPROXY] Routes synced via mitmproxyctl" + return 0 + } fi - log_warn "[MITMPROXY] No route manager found - routes not synced" + log_error 
"[MITMPROXY] Failed to register route - manual intervention required" + log_error "[MITMPROXY] Add manually: echo '{\"$domain\": [\"192.168.255.1\", $port]}' to $routes_file" + return 1 } _emancipate_reload() {
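Review bot: The manual-recovery hint in the final `log_error` tells the operator to `echo '{"$domain": [...]}' to $routes_file`, which with `>` replaces the whole registry with a single route and with `>>` produces invalid JSON that breaks every route; reword it to say the key must be added inside the existing JSON object, e.g. `log_error "[MITMPROXY] Add the key \"$domain\": [\"192.168.255.1\", $port] to the existing object in $routes_file"`. In the direct-write branch, `$domain` and `$port` are interpolated into Python source inside `python3 -c "..."`, so a domain containing a single quote breaks out of the string literal and runs as Python, and an empty `$port` is a syntax error; pass both via `python3 - "$routes_file" "$domain" "$port" <<'EOF'` and read `sys.argv`, validating the port as an integer in range. The write also truncates the file in place (`open(..., 'w')`) rather than writing a temp file and `os.replace`-ing it, so a reader racing the update can observe an empty or partial file. The function's closing brace is within the hunk; `_emancipate_reload` begins at its end.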