From 98fb91a0ce2af9a651a99ce5f98d82b5df08aa8a Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Sat, 14 Feb 2026 11:58:19 +0100 Subject: [PATCH] docs: Document WAF architecture configuration - WAF enabled for Streamlit/MetaBlogizer (security filtering) - WAF bypass for infrastructure (Jellyfin, Mail, Glances, etc.) - Path ACLs bypass WAF (mitmproxy routes by host only) - 38 path ACLs configured with waf_bypass Co-Authored-By: Claude Opus 4.5 --- .claude/HISTORY.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/.claude/HISTORY.md b/.claude/HISTORY.md index 05af5d69..91875193 100644 --- a/.claude/HISTORY.md +++ b/.claude/HISTORY.md 
@@ -1609,3 +1609,37 @@ bday, clock, comic, eval, geo, gondwana, lldh, sdlc, wanted, devel, gandalf, gk2 - **SSL Certificates**: 52 active - **LXC Containers**: 5 running (haproxy, mitmproxy-in, jellyfin, gotosocial, domoticz) - **Public IP**: 82.67.100.75 + +## 2026-02-14: WAF Architecture Configuration + +### WAF Routing Strategy +Configured mitmproxy WAF filtering with selective bypass: + +**Through WAF (mitmproxy filtering enabled):** +- All Streamlit apps (20+) - security analysis active +- All MetaBlogizer sites (15+) - security analysis active +- Standard web vhosts for logging and threat detection + +**WAF Bypass (direct HAProxy → backend):** +| Service | Reason | +|---------|--------| +| media.maegia.tv | Jellyfin streaming incompatible | +| localai.secubox.in | AI API performance | +| mail.secubox.in | Mail protocols | +| glances.gk2.secubox.in | Monitoring API | +| social.gk2.secubox.in | ActivityPub federation | +| webmail.gk2.secubox.in | Roundcube webmail | +| client.gk2.secubox.in | Mastodon client | +| All path ACLs (/gk2/*) | mitmproxy routes by host only | + +### Path ACL Fix +- Path-based routing (`secubox.in/gk2/*`) requires `waf_bypass=1` +- mitmproxy haproxy_router.py routes by hostname, not path +- 38 path ACLs configured with waf_bypass for direct routing + +### Architecture +``` +Client → HAProxy → mitmproxy (WAF) → Backend (Streamlit/MetaBlog) +Client → HAProxy → Backend (Infrastructure - bypass WAF) +Client → HAProxy → Backend (Path ACLs - bypass WAF) +```
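Review bot: the "Path ACL Fix" section records a WAF coverage gap as if it were resolved; the three bullets ("requires `waf_bypass=1`", "routes by hostname, not path", "38 path ACLs configured with waf_bypass") together mean every service reachable under `secubox.in/gk2/*` now receives no mitmproxy filtering, and the same table row "All path ACLs (/gk2/*) | mitmproxy routes by host only" is a limitation of haproxy_router.py, not a reason the traffic is safe to leave unfiltered. Suggest stating that explicitly in the "WAF Bypass" list (for example "Path ACLs (/gk2/*) | not filtered: haproxy_router.py has no path-based routing; follow-up needed") and adding a short line on where `waf_bypass=1` is set (HAProxy ACL, map file, or backend option) so the next reader can find and audit the 38 entries rather than reconstruct them from this summary. The "Standard web vhosts for logging and threat detection" bullet would also benefit from naming which vhosts or how they are selected, since the other two bullets give counts and the bypass table gives hostnames.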