From a0ac5e1a162e822ef9bafd4fe10ab933c558d06b Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Sun, 22 Feb 2026 00:07:27 +0100 Subject: [PATCH] fix(metablogizer): Add vhost creation for chunked upload methods Both create_site_from_upload and upload_and_create_site were missing HAProxy vhost creation step (step 8 from create_site method). Changes: - Add vhost creation with backend=mitmproxy_inspector for WAF routing - Add mitmproxy route to /srv/mitmproxy-in/haproxy-routes.json - Apply same fix to original create_site method for consistency This ensures all MetaBlogizer uploaded sites are immediately accessible via HTTPS and all traffic passes through WAF inspection. Co-Authored-By: Claude Opus 4.5
---
 .claude/HISTORY.md | 9 +++
 .../root/usr/libexec/rpcd/luci.metablogizer | 68 ++++++++++++++++++-
 2 files changed, 75 insertions(+), 2 deletions(-)
diff --git a/.claude/HISTORY.md b/.claude/HISTORY.md
index 65a40e72..735a9d18 100644
--- a/.claude/HISTORY.md
+++ b/.claude/HISTORY.md
@@ -3088,3 +3088,12 @@ git checkout HEAD -- index.html
 - Installed Node.js (20.20.0) for yt-dlp JavaScript runtime support
 - Verified end-to-end import flow: YouTube → download → subtitles → PeerTube upload
+
+32. **MetaBlogizer Vhost Auto-Creation Fix (2026-02-22)**
+ - Fixed `create_site_from_upload` and `upload_and_create_site` methods missing HAProxy vhost creation.
+ - All three site creation methods now:
+ - Create HAProxy backend + server (direct to uhttpd port)
+ - Create HAProxy vhost pointing to `mitmproxy_inspector` (WAF routing)
+ - Add mitmproxy route in `/srv/mitmproxy-in/haproxy-routes.json`
+ - Ensures all MetaBlogizer sites go through WAF inspection (security policy compliance).
+ - Uploaded sites now immediately accessible via HTTPS domain.
diff --git a/package/secubox/luci-app-metablogizer/root/usr/libexec/rpcd/luci.metablogizer b/package/secubox/luci-app-metablogizer/root/usr/libexec/rpcd/luci.metablogizer
index 8a5dfb5b..1d677c78 100755
--- a/package/secubox/luci-app-metablogizer/root/usr/libexec/rpcd/luci.metablogizer
+++ b/package/secubox/luci-app-metablogizer/root/usr/libexec/rpcd/luci.metablogizer
@@ -423,20 +423,34 @@ EOF
 uci set "haproxy.$server_name.check=1"
 uci set "haproxy.$server_name.enabled=1"
- # 8. Create HAProxy vhost
+ # 8. Create HAProxy vhost (route through mitmproxy WAF)
 local vhost_name=$(echo "$domain" | sed 's/[^a-zA-Z0-9]/_/g')
 local acme_val="0"
 [ "$ssl" = "1" ] && acme_val="1"
 uci set "haproxy.$vhost_name=vhost"
 uci set "haproxy.$vhost_name.domain=$domain"
- uci set "haproxy.$vhost_name.backend=$backend_name"
+ uci set "haproxy.$vhost_name.backend=mitmproxy_inspector"
 uci set "haproxy.$vhost_name.ssl=$ssl"
 uci set "haproxy.$vhost_name.ssl_redirect=$ssl"
 uci set "haproxy.$vhost_name.acme=$acme_val"
 uci set "haproxy.$vhost_name.enabled=1"
 uci commit haproxy
+ # Add mitmproxy route for WAF inspection
+ local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
+ if [ -f "$routes_file" ]; then
+ # Add route: domain -> [server_address, server_port]
+ local tmp_routes="/tmp/routes_update_$$.json"
+ jsonfilter -i "$routes_file" -e '@' 2>/dev/null | \
+ sed "s/}$/,\"$domain\":[\"$server_address\",$server_port]}/" > "$tmp_routes" 2>/dev/null
+ if [ -s "$tmp_routes" ]; then
+ mv "$tmp_routes" "$routes_file"
+ else
+ rm -f "$tmp_routes"
+ fi
+ fi
+
 # Regenerate HAProxy config and reload
 reload_haproxy &
 haproxy_configured=1
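Review bot: `$domain` is pasted unescaped into both the sed replacement and the JSON text of the route update, so a value containing `/`, `&`, `"` or a backslash changes the expression or the resulting document; whether `domain` is validated earlier is not visible in this hunk, and the same lines are repeated in the hunks at -1094 and -1866. The temp name `/tmp/routes_update_$$.json` is predictable, and the `-s` test accepts any non-empty output, including the leading-comma object sed produces when the routes file holds an empty object. I would gate the update on a hostname-only `case` pattern, create the temp file with `mktemp` next to the routes file, and replace the live file only when the rewritten document still parses. That last check assumes jsonfilter exits non-zero on a parse error, and the mktemp file's mode has to be set to whatever the mitmproxy side can read. The enclosing function starts and ends outside the hunk.

```shell
# … unchanged: vhost creation and uci commit haproxy …
# Add mitmproxy route for WAF inspection
local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
local tmp_routes
case "$domain" in
	""|*[!A-Za-z0-9.-]*)
		# not a plain hostname: keep it out of the sed expression and the JSON
		;;
	*)
		if [ -f "$routes_file" ] && tmp_routes=$(mktemp "$routes_file.XXXXXX"); then
			jsonfilter -i "$routes_file" -e '@' 2>/dev/null | \
				sed "s/}$/,\"$domain\":[\"$server_address\",$server_port]}/" > "$tmp_routes"
			# swap the file in only if the rewritten document still parses
			if jsonfilter -i "$tmp_routes" -e '@' >/dev/null 2>&1; then
				mv "$tmp_routes" "$routes_file"
			else
				rm -f "$tmp_routes"
			fi
		fi
		;;
esac
# … unchanged: reload_haproxy and haproxy_configured=1 …
```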
@@ -1094,7 +1108,32 @@ EOF
 uci set "haproxy.$server_name.check=1"
 uci set "haproxy.$server_name.enabled=1"
+ # Create HAProxy vhost (route through mitmproxy WAF)
+ local vhost_name=$(echo "$domain" | sed 's/[^a-zA-Z0-9]/_/g')
+ uci set "haproxy.$vhost_name=vhost"
+ uci set "haproxy.$vhost_name.domain=$domain"
+ uci set "haproxy.$vhost_name.backend=mitmproxy_inspector"
+ uci set "haproxy.$vhost_name.ssl=1"
+ uci set "haproxy.$vhost_name.ssl_redirect=1"
+ uci set "haproxy.$vhost_name.acme=1"
+ uci set "haproxy.$vhost_name.enabled=1"
+ uci commit haproxy
+
+ # Add mitmproxy route for WAF inspection
+ local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
+ if [ -f "$routes_file" ]; then
+ # Add route: domain -> [server_address, port]
+ local tmp_routes="/tmp/routes_update_$$.json"
+ jsonfilter -i "$routes_file" -e '@' 2>/dev/null | \
+ sed "s/}$/,\"$domain\":[\"$server_address\",$port]}/" > "$tmp_routes" 2>/dev/null
+ if [ -s "$tmp_routes" ]; then
+ mv "$tmp_routes" "$routes_file"
+ else
+ rm -f "$tmp_routes"
+ fi
+ fi
+
 reload_haproxy &
 fi
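Review bot: The route entry is built from `$server_address` and `$port`, neither of which is assigned inside this hunk, while the create_site hunk at -423 writes `$server_port` in the same position; the same pair appears in the hunk at -1866. If either variable is empty in this function, sed emits an entry like `["",]`, which is still non-empty, so the `-s` test passes and the routes file is replaced with a document mitmproxy presumably cannot parse. That affects every routed site, not only the new one. Tightening the condition covers it: `if [ -f "$routes_file" ] && [ -n "$server_address" ] && [ -n "$port" ]; then`. The function's start and end are outside the hunk, so confirm there which names hold the backend address and port.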
@@ -1866,7 +1905,32 @@ EOF
 uci set "haproxy.$server_name.check=1"
 uci set "haproxy.$server_name.enabled=1"
+ # Create HAProxy vhost (route through mitmproxy WAF)
+ local vhost_name=$(echo "$domain" | sed 's/[^a-zA-Z0-9]/_/g')
+ uci set "haproxy.$vhost_name=vhost"
+ uci set "haproxy.$vhost_name.domain=$domain"
+ uci set "haproxy.$vhost_name.backend=mitmproxy_inspector"
+ uci set "haproxy.$vhost_name.ssl=1"
+ uci set "haproxy.$vhost_name.ssl_redirect=1"
+ uci set "haproxy.$vhost_name.acme=1"
+ uci set "haproxy.$vhost_name.enabled=1"
+ uci commit haproxy
+
+ # Add mitmproxy route for WAF inspection
+ local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
+ if [ -f "$routes_file" ]; then
+ # Add route: domain -> [server_address, port]
+ local tmp_routes="/tmp/routes_update_$$.json"
+ jsonfilter -i "$routes_file" -e '@' 2>/dev/null | \
+ sed "s/}$/,\"$domain\":[\"$server_address\",$port]}/" > "$tmp_routes" 2>/dev/null
+ if [ -s "$tmp_routes" ]; then
+ mv "$tmp_routes" "$routes_file"
+ else
+ rm -f "$tmp_routes"
+ fi
+ fi
+
 reload_haproxy &
 fi
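Review bot: `vhost_name` is derived by mapping every non-alphanumeric character of `$domain` to `_`, so distinct domains such as `a-b.example` and `a.b.example` (constructed examples) resolve to the same UCI section, and the following `uci set "haproxy.$vhost_name=vhost"` silently rewrites an existing vhost; the hunk at -1094 has the same lines. Before the first `uci set`, I would read the current value with `uci -q get "haproxy.$vhost_name.domain"` and stop when it is non-empty and differs from `$domain`. Separately, this is the third copy of the vhost-plus-route block in the file, and the copies already differ (the first uses `$ssl` and `$server_port` where these two hard-code `1` and use `$port`). A shared helper taking domain, address and port would keep the call sites from drifting further. The enclosing function is only partly visible in the hunk.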