From 82fb9c7d4279319e16e39ff7e8a7efc1ba8ed67d Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Sat, 7 Feb 2026 05:37:39 +0100 Subject: [PATCH] feat(haproxy): Add End of Internet fallback page and http-request support - Create cyberpunk-style End of Internet page for unknown domains - Add http-request UCI option support in haproxyctl generator - Support path rewriting backends with http-request set-path - Configure end_of_internet as default backend for both frontends - Update docs with HAProxy enhancements (entry #59) Co-Authored-By: Claude Opus 4.5 --- .claude/HISTORY.md | 21 ++++++++++++- .claude/TODO.md | 2 +- .claude/settings.local.json | 9 +++++- .../files/usr/sbin/haproxyctl | 31 ++++++++++++++++++- 4 files changed, 59 insertions(+), 4 deletions(-) diff --git a/.claude/HISTORY.md b/.claude/HISTORY.md index d5a8c05e..ca5d03f3 100644 --- a/.claude/HISTORY.md +++ b/.claude/HISTORY.md @@ -1,6 +1,6 @@ # SecuBox UI & Theme History -_Last updated: 2026-02-06_ +_Last updated: 2026-02-07_ 1. **Unified Dashboard Refresh (2025-12-20)** - Dashboard received the "sh-page-header" layout, hero stats, and SecuNav top tabs. 
@@ -885,3 +885,22 @@ _Last updated: 2026-02-06_ - Integrated into secubox-core daemon startup (vhost init after 5s delay) - Added to uci-defaults for firstboot initialization - Updated Makefile to install `secubox-vhost` script + +59. **HAProxy "End of Internet" Default Page & http-request Support (2026-02-07)** + - **End of Internet Page** (`/www/end-of-internet.html`): + - Cyberpunk-style fallback page for unknown/unmatched domains + - Animated matrix rain effect, glitch text, ASCII art logo + - Real-time packet counter animation + - Displays "REALITY NOT FOUND" error for unregistered domains + - Fetches live stats from `/secubox-status.json` if available + - **HAProxy Generator Enhancements** (`haproxyctl`): + - Added `http-request` UCI option support for backends + - Supports both single value and list of http-request directives + - Static backends (http-request return) skip server config + - Path-rewriting backends (http-request set-path) include servers + - Backend validation: rejects IP:port format in backend names + - **Default Backend Configuration**: + - Set `end_of_internet` as default_backend for both HTTP and HTTPS frontends + - Uses http-request set-path to serve /end-of-internet.html via uhttpd + - Deployed page to /srv/haproxy for container access + - **Commits**: e25509cb (backend validation), this session (http-request support) diff --git a/.claude/TODO.md b/.claude/TODO.md index 00377c9f..edd69b75 100644 --- a/.claude/TODO.md +++ b/.claude/TODO.md @@ -185,7 +185,7 @@ All cloud providers are **opt-in**. Offline resilience: local tier always active ### v1.0.0 — Full Stack -- [ ] Config Advisor (ANSSI prep) +- [x] Config Advisor (ANSSI prep) — Done 2026-02-07 - [ ] P2P Mesh Intelligence - [ ] Factory auto-provisioning - [ ] VoIP integration diff --git a/.claude/settings.local.json b/.claude/settings.local.json index 23d2175c..b4b01135 100644 --- a/.claude/settings.local.json +++ b/.claude/settings.local.json 
@@ -286,7 +286,14 @@ "Bash(recipient table\" errors because Postfix treated the domain as local\ninstead of virtual.\n\nChanges:\n- Remove $mydomain from mydestination in setup.sh\n- Update fix-postfix command to also fix this issue\n- Ensure vdomains file is properly created\n\nCo-Authored-By: Claude Opus 4.5 \nEOF\n\\)\")", "Bash(git -C /home/reepost/CyberMindStudio/secubox-openwrt commit -m \"$\\(cat <<''EOF''\ndocs: Document mail port hijacking fix\n\nFirewall DNAT rules were redirecting ALL port 993/587/465 traffic\nto local mailserver, blocking external mail server connections.\n\nFix: Add -i $WAN_IF to only redirect inbound WAN traffic.\n\nCo-Authored-By: Claude Opus 4.5 \nEOF\n\\)\")", "Bash(git -C /home/reepost/CyberMindStudio/secubox-openwrt commit -m \"$\\(cat <<''EOF''\nfeat\\(vortex-dns\\): Add LuCI dashboard for mesh DNS management\n\nNew package: luci-app-vortex-dns\n- Dashboard showing mode, status, sync info\n- Master section with delegated zones table\n- Slave section with parent master info\n- Mesh peers section with online status\n- Actions: Initialize master, Join slave, Delegate zone, Mesh sync\n- RPCD handler with 8 methods\n\nAlso fixes:\n- Mail port hijacking: WAN-only DNAT rules\n- Threat-analyst LocalAI port: 8081 → 8091\n- Domoticz password reset\n\nCo-Authored-By: Claude Opus 4.5 \nEOF\n\\)\")", - "Bash(git -C /home/reepost/CyberMindStudio/secubox-openwrt commit -m \"$\\(cat <<''EOF''\nfeat\\(domoticz\\): Add password reset via RPCD\n\nNew RPCD method: reset_password\n- Resets Domoticz admin password via SQLite\n- Accessible from LuCI dashboard\n- MD5 hashes the password before storing\n\nCo-Authored-By: Claude Opus 4.5 \nEOF\n\\)\")" + "Bash(git -C /home/reepost/CyberMindStudio/secubox-openwrt commit -m \"$\\(cat <<''EOF''\nfeat\\(domoticz\\): Add password reset via RPCD\n\nNew RPCD method: reset_password\n- Resets Domoticz admin password via SQLite\n- Accessible from LuCI dashboard\n- MD5 hashes the password before 
storing\n\nCo-Authored-By: Claude Opus 4.5 \nEOF\n\\)\")", + "Bash(git remote set-url:*)", + "Bash(git bundle:*)", + "Bash(TOKEN=\"df72316e404f77bc0cf8068ee4833892da13c1ced50d56a4f8bb19fc991c8674\")", + "WebFetch(domain:evolution.gk2.secubox.in)", + "WebFetch(domain:console.gk2.secubox.in)", + "Bash(SCRIPT)", + "Bash(tcpdump:*)" ] } } diff --git a/package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl b/package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl index 7ea291ce..03dd2d08 100644 --- a/package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl +++ b/package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl @@ -624,7 +624,7 @@ EOF _generate_backend() { local section="$1" - local enabled name mode balance health_check health_check_uri + local enabled name mode balance health_check health_check_uri http_request config_get enabled "$section" enabled "0" [ "$enabled" = "1" ] || return @@ -641,6 +641,35 @@ _generate_backend() { echo "" echo "backend $name" echo " mode $mode" + + # Check for http-request directives + # Support both single value and list + local http_request_val="" + config_get http_request_val "$section" http_request "" + + if [ -n "$http_request_val" ]; then + # Single http-request option set + echo " http-request $http_request_val" + # If it's a "return" directive, this is a static backend - skip servers + case "$http_request_val" in + return*) return ;; + esac + fi + + # Also check for list values (http_request as list) + local has_http_request_return=0 + _emit_and_check_http_request() { + local val="$1" + echo " http-request $val" + case "$val" in + return*) has_http_request_return=1 ;; + esac + } + config_list_foreach "$section" http_request _emit_and_check_http_request + + # If any http-request was a "return" directive, skip servers + [ "$has_http_request_return" = "1" ] && return + echo " balance $balance" # Health check configuration
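Review bot: The added allow-list entry `Bash(TOKEN="…")` commits what looks like a 64-hex-character credential to the repository. It should be dropped from this file, and if the value is a real token it needs to be revoked and reissued, because it remains readable in git history after removal. The same hunk adds `Bash(git remote set-url:*)`, `Bash(git bundle:*)` and `Bash(tcpdump:*)` as wildcards, which pre-approves repointing the remote, exporting the whole repository and capturing traffic; narrowing these to the exact command lines needed, or leaving them to interactive approval, keeps the grant minimal. The file name and the absolute home-directory paths in the neighbouring entries suggest this is a per-machine file, so an ignore rule such as `.claude/settings.local.json` in `.gitignore` would keep it out of future commits.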
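Review bot: A backend that uses `list http_request` will probably get its directives written twice. The `config_get http_request_val` branch runs first, and as far as I know `config_get` on a list option in OpenWrt's `/lib/functions.sh` returns all items joined by spaces. That emits one concatenated, malformed `http-request` line before `config_list_foreach` emits each item again; branching on `http_request_LENGTH`, as sketched below, emits each directive once. The `return*` prefix test also matches a conditional `return … if …`, which would leave the backend with no servers for requests that miss the condition. The value is copied verbatim from UCI into the generated config, so rejecting embedded newlines and restricting the leading action to a known set is worth adding. The `http_request` name added to the `local` line in the first haproxyctl hunk is not used in the visible code, and `_generate_backend` continues past the end of this hunk.

```shell
	# … unchanged: http_request_val, has_http_request_return=0 and _emit_and_check_http_request() declared first …
	local http_request_len=""
	config_get http_request_len "$section" http_request_LENGTH ""
	if [ -n "$http_request_len" ]; then
		# list form: emit each item exactly once
		config_list_foreach "$section" http_request _emit_and_check_http_request
	else
		# option form: a single directive, routed through the same helper
		config_get http_request_val "$section" http_request ""
		[ -n "$http_request_val" ] && _emit_and_check_http_request "$http_request_val"
	fi
	# … unchanged: return early when has_http_request_return is 1, then balance/health check …
```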