gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(emancipate): Direct mitmproxy route registration on emancipation

Browse Source 
Previously, emancipation relied on secubox-route or mitmproxyctl sync-routes
which didn't reliably add routes to haproxy-routes.json. This caused newly
emancipated services to return 404 from mitmproxy.

Changes:
- streamlitctl: Direct JSON write as primary method for route registration
- metablogizerctl: Direct JSON write as primary method
- peertubectl: Direct JSON write as primary method
- pinaforectl: Direct JSON write + route through mitmproxy_inspector for WAF

All emancipation flows now directly write to /srv/mitmproxy-in/haproxy-routes.json
using Python, with secubox-route and mitmproxyctl as fallbacks.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
CyberMind-FR 2026-03-03 16:38:30 +01:00
parent 8a242cb229
commit 684673d714
4 changed files with 108 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl
View File

@ -865,44 +865,51 @@ _emancipate_mitmproxy() {
local name="$1" local name="$1"
local domain="$2" local domain="$2"
local port=$(uci_get site_${name}.port) local port=$(uci_get site_${name}.port)
log_info "[WAF] Registering route in centralized registry"
# Use centralized secubox-route for route management (preferred)
if command -v secubox-route >/dev/null 2>&1; then
secubox-route add "$domain" "127.0.0.1" "$port" "metablogizer" 2>&1 | while read -r line; do
log_info "[WAF] $line"
done
log_info "[WAF] Route registered in central registry"
return 0
fi
# Fallback: Use mitmproxyctl sync-routes
if command -v mitmproxyctl >/dev/null 2>&1; then
log_warn "[WAF] secubox-route not found, using mitmproxyctl"
mitmproxyctl sync-routes 2>&1 | while read -r line; do
log_info "[WAF] $line"
done
return 0
fi
# Last resort: Direct file manipulation
log_warn "[WAF] No route manager found, directly adding route"
local routes_file="/srv/mitmproxy-in/haproxy-routes.json" local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
if [ -f "$routes_file" ]; then
log_info "[WAF] Adding route: $domain -> 127.0.0.1:$port"
# Direct JSON update - most reliable method
if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then
python3 -c " python3 -c "
import json import json
import sys
try: try:
with open('$routes_file') as f: with open('$routes_file', 'r') as f:
data = json.load(f) routes = json.load(f)
data['$domain'] = ['127.0.0.1', $port] routes['$domain'] = ['127.0.0.1', $port]
with open('$routes_file', 'w') as f: with open('$routes_file', 'w') as f:
json.dump(data, f, indent=2) json.dump(routes, f, indent=2)
print('[WAF] Route added: $domain -> 127.0.0.1:$port') print('Route added successfully')
except Exception as e: except Exception as e:
print(f'[WAF] Error: {e}') print(f'Error: {e}', file=sys.stderr)
" 2>/dev/null sys.exit(1)
" 2>&1 && {
log_info "[WAF] Route registered in $routes_file"
return 0
}
fi fi
# Fallback: Use centralized secubox-route if available
if command -v secubox-route >/dev/null 2>&1; then
if secubox-route add "$domain" "127.0.0.1" "$port" "metablogizer" 2>&1; then
log_info "[WAF] Route registered via secubox-route"
return 0
fi
fi
# Fallback: Sync via mitmproxyctl
if command -v mitmproxyctl >/dev/null 2>&1; then
log_warn "[WAF] Direct update failed, trying mitmproxyctl"
mitmproxyctl sync-routes >/dev/null 2>&1 && {
log_info "[WAF] Routes synced via mitmproxyctl"
return 0
}
fi
log_error "[WAF] Failed to register route - manual intervention required"
log_error "[WAF] Add manually to $routes_file"
return 1
} }
_emancipate_path_acl() { _emancipate_path_acl() {

20
package/secubox/secubox-app-peertube/files/usr/sbin/peertubectl
View File

@ -944,11 +944,25 @@ cmd_emancipate() {
# Configure HAProxy # Configure HAProxy
cmd_configure_haproxy cmd_configure_haproxy
# Register route in centralized registry # Register route in mitmproxy
local port=$(uci_get port server || echo 9000) local port=$(uci_get port server || echo 9000)
if command -v secubox-route >/dev/null 2>&1; then local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
# Direct JSON update - most reliable method
if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then
python3 -c "
import json
try:
with open('$routes_file', 'r') as f:
routes = json.load(f)
routes['$domain'] = ['192.168.255.1', $port]
with open('$routes_file', 'w') as f:
json.dump(routes, f, indent=2)
except: pass
" 2>/dev/null && log_info "Route registered: $domain -> 192.168.255.1:$port"
elif command -v secubox-route >/dev/null 2>&1; then
secubox-route add "$domain" "192.168.255.1" "$port" "peertube" 2>/dev/null secubox-route add "$domain" "192.168.255.1" "$port" "peertube" 2>/dev/null
log_info "Route registered: $domain -> 192.168.255.1:$port" log_info "Route registered via secubox-route"
elif command -v mitmproxyctl >/dev/null 2>&1; then elif command -v mitmproxyctl >/dev/null 2>&1; then
mitmproxyctl sync-routes 2>/dev/null mitmproxyctl sync-routes 2>/dev/null
fi fi

24
package/secubox/secubox-app-pinafore/files/usr/sbin/pinaforectl
View File

@ -259,10 +259,10 @@ cmd_emancipate() {
uci set haproxy.${backend_name}_srv.port="$PORT" uci set haproxy.${backend_name}_srv.port="$PORT"
fi fi
# Add vhost # Add vhost - route through mitmproxy for WAF protection
uci set haproxy.$vhost_name=vhost uci set haproxy.$vhost_name=vhost
uci set haproxy.$vhost_name.domain="$domain" uci set haproxy.$vhost_name.domain="$domain"
uci set haproxy.$vhost_name.backend='pinafore' uci set haproxy.$vhost_name.backend='mitmproxy_inspector'
uci set haproxy.$vhost_name.ssl='1' uci set haproxy.$vhost_name.ssl='1'
uci set haproxy.$vhost_name.ssl_redirect='1' uci set haproxy.$vhost_name.ssl_redirect='1'
uci set haproxy.$vhost_name.acme='1' uci set haproxy.$vhost_name.acme='1'
@ -271,12 +271,26 @@ cmd_emancipate() {
uci commit haproxy uci commit haproxy
# Register route in mitmproxy
local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then
python3 -c "
import json
try:
with open('$routes_file', 'r') as f:
routes = json.load(f)
routes['$domain'] = ['192.168.255.1', $PORT]
with open('$routes_file', 'w') as f:
json.dump(routes, f, indent=2)
except: pass
" 2>/dev/null && log_info "Route registered: $domain -> 192.168.255.1:$PORT"
elif command -v mitmproxyctl >/dev/null 2>&1; then
mitmproxyctl sync-routes 2>/dev/null
fi
# Reload HAProxy # Reload HAProxy
haproxyctl reload 2>/dev/null || /etc/init.d/haproxy reload 2>/dev/null haproxyctl reload 2>/dev/null || /etc/init.d/haproxy reload 2>/dev/null
# Sync mitmproxy routes
mitmproxyctl sync-routes 2>/dev/null
log_info "Pinafore exposed at https://$domain" log_info "Pinafore exposed at https://$domain"
} }

49
package/secubox/secubox-app-streamlit/files/usr/sbin/streamlitctl
View File

@ -1349,32 +1349,51 @@ _emancipate_ssl() {
_emancipate_mitmproxy() { _emancipate_mitmproxy() {
local domain="$1" local domain="$1"
local port="$2" local port="$2"
local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
log_info "[MITMPROXY] Registering route in centralized registry" log_info "[MITMPROXY] Adding route: $domain -> 192.168.255.1:$port"
# Use centralized secubox-route for route management (preferred) # Direct JSON update - most reliable method
if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then
python3 -c "
import json
import sys
try:
with open('$routes_file', 'r') as f:
routes = json.load(f)
routes['$domain'] = ['192.168.255.1', $port]
with open('$routes_file', 'w') as f:
json.dump(routes, f, indent=2)
print('Route added successfully')
except Exception as e:
print(f'Error: {e}', file=sys.stderr)
sys.exit(1)
" 2>&1 && {
log_info "[MITMPROXY] Route registered in $routes_file"
return 0
}
fi
# Fallback: Use centralized secubox-route if available
if command -v secubox-route >/dev/null 2>&1; then if command -v secubox-route >/dev/null 2>&1; then
if secubox-route add "$domain" "192.168.255.1" "$port" "streamlit" 2>&1; then if secubox-route add "$domain" "192.168.255.1" "$port" "streamlit" 2>&1; then
log_info "[MITMPROXY] Route registered: $domain -> 192.168.255.1:$port" log_info "[MITMPROXY] Route registered via secubox-route"
else return 0
log_warn "[MITMPROXY] Failed to register route"
fi fi
return 0
fi fi
# Fallback: Sync via mitmproxyctl # Fallback: Sync via mitmproxyctl
if command -v mitmproxyctl >/dev/null 2>&1; then if command -v mitmproxyctl >/dev/null 2>&1; then
log_warn "[MITMPROXY] secubox-route not found, using mitmproxyctl" log_warn "[MITMPROXY] Direct update failed, trying mitmproxyctl"
if mitmproxyctl sync-routes >/dev/null 2>&1; then mitmproxyctl sync-routes >/dev/null 2>&1 && {
log_info "[MITMPROXY] Routes synced successfully" log_info "[MITMPROXY] Routes synced via mitmproxyctl"
else return 0
log_warn "[MITMPROXY] Route sync failed - manual sync may be required" }
log_warn "[MITMPROXY] Run: mitmproxyctl sync-routes"
fi
return 0
fi fi
log_warn "[MITMPROXY] No route manager found - routes not synced" log_error "[MITMPROXY] Failed to register route - manual intervention required"
log_error "[MITMPROXY] Add manually: echo '{\"$domain\": [\"192.168.255.1\", $port]}' to $routes_file"
return 1
} }
_emancipate_reload() { _emancipate_reload() {