docs: Update FAQ with HAProxy SNI/certs.list troubleshooting

- Add HAProxy multi-domain SSL certificate matching issue
- Document crt-list solution for SNI issues
- Minor updates to settings and streamlit readme

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.claude/FAQ-TROUBLESHOOTING.md

@@ -174,6 +174,42 @@ uci commit firewall
 
 ## HAProxy Issues
 
+### Issue: Multi-domain SSL certificates not matching correctly (SNI issues)
+
+**Symptoms:**
+- Wrong certificate served for some domains
+- SSL handshake failures for specific domains
+- Browser shows certificate name mismatch warnings
+
+**Root Cause:**
+HAProxy directory mode (`crt /path/to/certs/`) uses certificate filenames for SNI matching, which can be unreliable with multiple certificates. The certificate CN/SAN extraction is automatic but may not match the expected domain.
+
+**Solution:**
+Use `crt-list` instead of directory mode for explicit domain-to-certificate mapping.
+
+1. Generate `certs.list` file that maps each certificate to its domains:
+```bash
+haproxyctl generate
+# or manually regenerate:
+haproxy-sync-certs
+```
+
+2. The certs.list format is:
+```
+/opt/haproxy/certs/example.com.pem example.com
+/opt/haproxy/certs/example.com.pem www.example.com
+/opt/haproxy/certs/api.example.com.pem api.example.com
+```
+
+3. HAProxy config uses:
+```
+bind *:443 ssl crt-list /opt/haproxy/certs/certs.list alpn h2,http/1.1
+```
+
+This was fixed in haproxyctl (2026-02-07) to automatically generate certs.list from certificate SANs.
+
+---
+
 ### Issue: HAProxy fails with "unable to find required use_backend"
 
 **Symptoms:**

.claude/settings.local.json

@@ -293,7 +293,40 @@
       "WebFetch(domain:evolution.gk2.secubox.in)",
       "WebFetch(domain:console.gk2.secubox.in)",
       "Bash(SCRIPT)",
-      "Bash(tcpdump:*)"
+      "Bash(tcpdump:*)",
+      "Bash(resolvectl query:*)",
+      "Bash(systemctl restart:*)",
+      "Bash(getent:*)",
+      "Bash(unzip:*)",
+      "Bash(__NEW_LINE_86d4afe3b9fa8d1c__ echo \"\")",
+      "Bash(__NEW_LINE_9ed23c10c78c59e7__ echo \"\")",
+      "Bash(__NEW_LINE_eb3bd3ef6592bca8__ echo \"\")",
+      "Bash(__NEW_LINE_7eaa189e50a78a6c__ echo \"\")",
+      "WebFetch(domain:oracle.ganimed.fr)",
+      "Bash(')",
+      "WebFetch(domain:gk2.secubox.in)",
+      "WebFetch(domain:press.cybermood.eu)",
+      "Bash(command -v:*)",
+      "Bash(# Configure serial port stty -F /dev/ttyUSB0 115200 cs8 -cstopb -parenb raw -echo # Send a newline and try to read response \\(echo \"\"\"\"; sleep 0.5; echo \"\"\"\"; sleep 0.5\\) & timeout 3 cat /dev/ttyUSB0)",
+      "Bash(do if sh -n \"$f\")",
+      "Bash(then echo \"OK: $f\")",
+      "Bash(else echo \"FAIL: $f\")",
+      "Bash(do echo \"Resolver $resolver:\" nslookup -type=NS secubox.in $resolver)",
+      "Bash(do echo \"Resolver $resolver:\" nslookup secubox.in $resolver)",
+      "Bash(do echo \"Resolver $resolver:\" nslookup gk2.secubox.in $resolver)",
+      "Bash(do echo \"Resolver $resolver:\" nslookup evolution.gk2.secubox.in $resolver)",
+      "Bash(stty:*)",
+      "Bash(sudo stty:*)",
+      "Bash(./secubox-clone-station.sh:*)",
+      "Bash(sudo apt install:*)",
+      "Bash(dmesg:*)",
+      "Bash(lsusb:*)",
+      "Bash(ss:*)",
+      "Bash(netstat:*)",
+      "Bash(fuser:*)",
+      "Bash(lsof:*)",
+      "Bash(arp:*)",
+      "Bash(ip link:*)"
     ]
   }
 }

package/secubox/secubox-app-streamlit/README.md

@@ -212,7 +212,7 @@ To expose Streamlit apps via HAProxy vhost:
 uci add haproxy backend
 uci set haproxy.@backend[-1].name='streamlit_myapp'
 uci set haproxy.@backend[-1].mode='http'
-uci add_list haproxy.@backend[-1].server='myapp 127.0.0.1:8502'
+uci add_list haproxy.@backend[-1].server='myapp 192.168.255.1:8502'
 uci commit haproxy
 
 # Add vhost