fix(emancipate): Direct mitmproxy route registration on emancipation

Previously, emancipation relied on secubox-route or mitmproxyctl sync-routes which didn't reliably add routes to haproxy-routes.json. This caused newly emancipated services to return 404 from mitmproxy. Changes: - streamlitctl: Direct JSON write as primary method for route registration - metablogizerctl: Direct JSON write as primary method - peertubectl: Direct JSON write as primary method - pinaforectl: Direct JSON write + route through mitmproxy_inspector for WAF All emancipation flows now directly write to /srv/mitmproxy-in/haproxy-routes.json using Python, with secubox-route and mitmproxyctl as fallbacks. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-03 16:38:30 +01:00 · 2026-03-03 16:38:30 +01:00 · 684673d714
commit 684673d714
parent 8a242cb229
4 changed files with 108 additions and 54 deletions
--- a/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl
+++ b/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl
@ -865,44 +865,51 @@ _emancipate_mitmproxy() {
 	local name="$1"
 	local domain="$2"
 	local port=$(uci_get site_${name}.port)
-
-	log_info "[WAF] Registering route in centralized registry"
-
-	# Use centralized secubox-route for route management (preferred)
-	if command -v secubox-route >/dev/null 2>&1; then
-		secubox-route add "$domain" "127.0.0.1" "$port" "metablogizer" 2>&1 | while read -r line; do
-			log_info "[WAF] $line"
-		done
-		log_info "[WAF] Route registered in central registry"
-		return 0
-	fi
-
-	# Fallback: Use mitmproxyctl sync-routes
-	if command -v mitmproxyctl >/dev/null 2>&1; then
-		log_warn "[WAF] secubox-route not found, using mitmproxyctl"
-		mitmproxyctl sync-routes 2>&1 | while read -r line; do
-			log_info "[WAF] $line"
-		done
-		return 0
-	fi
-
-	# Last resort: Direct file manipulation
-	log_warn "[WAF] No route manager found, directly adding route"
 	local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
-	if [ -f "$routes_file" ]; then
+
+	log_info "[WAF] Adding route: $domain -> 127.0.0.1:$port"
+
+	# Direct JSON update - most reliable method
+	if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then
 		python3 -c "
 import json
+import sys
 try:
-    with open('$routes_file') as f:
-        data = json.load(f)
-    data['$domain'] = ['127.0.0.1', $port]
+    with open('$routes_file', 'r') as f:
+        routes = json.load(f)
+    routes['$domain'] = ['127.0.0.1', $port]
    with open('$routes_file', 'w') as f:
-        json.dump(data, f, indent=2)
-    print('[WAF] Route added: $domain -> 127.0.0.1:$port')
+        json.dump(routes, f, indent=2)
+    print('Route added successfully')
 except Exception as e:
-    print(f'[WAF] Error: {e}')
-" 2>/dev/null
+    print(f'Error: {e}', file=sys.stderr)
+    sys.exit(1)
+" 2>&1 && {
+			log_info "[WAF] Route registered in $routes_file"
+			return 0
+		}
 	fi
+
+	# Fallback: Use centralized secubox-route if available
+	if command -v secubox-route >/dev/null 2>&1; then
+		if secubox-route add "$domain" "127.0.0.1" "$port" "metablogizer" 2>&1; then
+			log_info "[WAF] Route registered via secubox-route"
+			return 0
+		fi
+	fi
+
+	# Fallback: Sync via mitmproxyctl
+	if command -v mitmproxyctl >/dev/null 2>&1; then
+		log_warn "[WAF] Direct update failed, trying mitmproxyctl"
+		mitmproxyctl sync-routes >/dev/null 2>&1 && {
+			log_info "[WAF] Routes synced via mitmproxyctl"
+			return 0
+		}
+	fi
+
+	log_error "[WAF] Failed to register route - manual intervention required"
+	log_error "[WAF] Add manually to $routes_file"
+	return 1
 }

 _emancipate_path_acl() {
--- a/package/secubox/secubox-app-peertube/files/usr/sbin/peertubectl
+++ b/package/secubox/secubox-app-peertube/files/usr/sbin/peertubectl
@ -944,11 +944,25 @@ cmd_emancipate() {
 	# Configure HAProxy
 	cmd_configure_haproxy

-	# Register route in centralized registry
+	# Register route in mitmproxy
 	local port=$(uci_get port server || echo 9000)
-	if command -v secubox-route >/dev/null 2>&1; then
+	local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
+
+	# Direct JSON update - most reliable method
+	if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then
+		python3 -c "
+import json
+try:
+    with open('$routes_file', 'r') as f:
+        routes = json.load(f)
+    routes['$domain'] = ['192.168.255.1', $port]
+    with open('$routes_file', 'w') as f:
+        json.dump(routes, f, indent=2)
+except: pass
+" 2>/dev/null && log_info "Route registered: $domain -> 192.168.255.1:$port"
+	elif command -v secubox-route >/dev/null 2>&1; then
 		secubox-route add "$domain" "192.168.255.1" "$port" "peertube" 2>/dev/null
-		log_info "Route registered: $domain -> 192.168.255.1:$port"
+		log_info "Route registered via secubox-route"
 	elif command -v mitmproxyctl >/dev/null 2>&1; then
 		mitmproxyctl sync-routes 2>/dev/null
 	fi
--- a/package/secubox/secubox-app-pinafore/files/usr/sbin/pinaforectl
+++ b/package/secubox/secubox-app-pinafore/files/usr/sbin/pinaforectl
@ -259,10 +259,10 @@ cmd_emancipate() {
 		uci set haproxy.${backend_name}_srv.port="$PORT"
 	fi

-	# Add vhost
+	# Add vhost - route through mitmproxy for WAF protection
 	uci set haproxy.$vhost_name=vhost
 	uci set haproxy.$vhost_name.domain="$domain"
-	uci set haproxy.$vhost_name.backend='pinafore'
+	uci set haproxy.$vhost_name.backend='mitmproxy_inspector'
 	uci set haproxy.$vhost_name.ssl='1'
 	uci set haproxy.$vhost_name.ssl_redirect='1'
 	uci set haproxy.$vhost_name.acme='1'
@ -271,12 +271,26 @@ cmd_emancipate() {

 	uci commit haproxy

+	# Register route in mitmproxy
+	local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
+	if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then
+		python3 -c "
+import json
+try:
+    with open('$routes_file', 'r') as f:
+        routes = json.load(f)
+    routes['$domain'] = ['192.168.255.1', $PORT]
+    with open('$routes_file', 'w') as f:
+        json.dump(routes, f, indent=2)
+except: pass
+" 2>/dev/null && log_info "Route registered: $domain -> 192.168.255.1:$PORT"
+	elif command -v mitmproxyctl >/dev/null 2>&1; then
+		mitmproxyctl sync-routes 2>/dev/null
+	fi
+
 	# Reload HAProxy
 	haproxyctl reload 2>/dev/null || /etc/init.d/haproxy reload 2>/dev/null

-	# Sync mitmproxy routes
-	mitmproxyctl sync-routes 2>/dev/null
-
 	log_info "Pinafore exposed at https://$domain"
 }

--- a/package/secubox/secubox-app-streamlit/files/usr/sbin/streamlitctl
+++ b/package/secubox/secubox-app-streamlit/files/usr/sbin/streamlitctl
@ -1349,32 +1349,51 @@ _emancipate_ssl() {
 _emancipate_mitmproxy() {
 	local domain="$1"
 	local port="$2"
+	local routes_file="/srv/mitmproxy-in/haproxy-routes.json"

-	log_info "[MITMPROXY] Registering route in centralized registry"
+	log_info "[MITMPROXY] Adding route: $domain -> 192.168.255.1:$port"

-	# Use centralized secubox-route for route management (preferred)
+	# Direct JSON update - most reliable method
+	if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then
+		python3 -c "
+import json
+import sys
+try:
+    with open('$routes_file', 'r') as f:
+        routes = json.load(f)
+    routes['$domain'] = ['192.168.255.1', $port]
+    with open('$routes_file', 'w') as f:
+        json.dump(routes, f, indent=2)
+    print('Route added successfully')
+except Exception as e:
+    print(f'Error: {e}', file=sys.stderr)
+    sys.exit(1)
+" 2>&1 && {
+			log_info "[MITMPROXY] Route registered in $routes_file"
+			return 0
+		}
+	fi
+
+	# Fallback: Use centralized secubox-route if available
 	if command -v secubox-route >/dev/null 2>&1; then
 		if secubox-route add "$domain" "192.168.255.1" "$port" "streamlit" 2>&1; then
-			log_info "[MITMPROXY] Route registered: $domain -> 192.168.255.1:$port"
-		else
-			log_warn "[MITMPROXY] Failed to register route"
+			log_info "[MITMPROXY] Route registered via secubox-route"
+			return 0
 		fi
-		return 0
 	fi

 	# Fallback: Sync via mitmproxyctl
 	if command -v mitmproxyctl >/dev/null 2>&1; then
-		log_warn "[MITMPROXY] secubox-route not found, using mitmproxyctl"
-		if mitmproxyctl sync-routes >/dev/null 2>&1; then
-			log_info "[MITMPROXY] Routes synced successfully"
-		else
-			log_warn "[MITMPROXY] Route sync failed - manual sync may be required"
-			log_warn "[MITMPROXY] Run: mitmproxyctl sync-routes"
-		fi
-		return 0
+		log_warn "[MITMPROXY] Direct update failed, trying mitmproxyctl"
+		mitmproxyctl sync-routes >/dev/null 2>&1 && {
+			log_info "[MITMPROXY] Routes synced via mitmproxyctl"
+			return 0
+		}
 	fi

-	log_warn "[MITMPROXY] No route manager found - routes not synced"
+	log_error "[MITMPROXY] Failed to register route - manual intervention required"
+	log_error "[MITMPROXY] Add manually: echo '{\"$domain\": [\"192.168.255.1\", $port]}' to $routes_file"
+	return 1
 }

 _emancipate_reload() {