From c8a5e1c19ac38f3f497ae2235284fe700db45336 Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Tue, 17 Mar 2026 10:35:26 +0100 Subject: [PATCH] fix(metablogizer): Route new sites through mitmproxy for WAF inspection - Changed vhost backend from direct metablog_* to mitmproxy_inspector - Added original_backend tracking for mitmproxy route resolution - Changed server address from 192.168.255.1 to 127.0.0.1 - Added _add_mitmproxy_route helper for route registration - Fixed both cmd_publish() and _emancipate_haproxy() functions This ensures all newly published sites go through WAF inspection rather than bypassing security checks. Co-Authored-By: Claude Opus 4.5 --- .../files/usr/sbin/metablogizerctl | 62 ++++++++++++++++--- 1 file changed, 54 insertions(+), 8 deletions(-) diff --git a/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl b/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl index 44830f20..42d85be0 100644 --- a/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl +++ b/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl @@ -442,6 +442,47 @@ EOF lxc-attach -n "$NGINX_LXC" -- nginx -s reload 2>/dev/null || true } +# Add mitmproxy route for WAF forwarding +_add_mitmproxy_route() { + local domain="$1" + local port="$2" + local routes_file="/srv/mitmproxy-in/haproxy-routes.json" + + # mitmproxy reaches uhttpd on host via 127.0.0.1 + local host_ip="127.0.0.1" + + # Direct JSON update + if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then + python3 -c " +import json +try: + with open('$routes_file', 'r') as f: + routes = json.load(f) + routes['$domain'] = ['$host_ip', $port] + with open('$routes_file', 'w') as f: + json.dump(routes, f, indent=2) +except Exception as e: + pass +" 2>/dev/null + fi + + # Also update the main mitmproxy routes file + local main_routes="/srv/mitmproxy/haproxy-routes.json" + if [ -f "$main_routes" ] && command -v python3 >/dev/null 2>&1; then + python3 -c " +import json +try: + with open('$main_routes', 'r') as f: + routes = json.load(f) + routes['$domain'] = ['$host_ip', $port] + with open('$main_routes', 'w') as f: + json.dump(routes, f, indent=2) +except Exception as e: + pass +" 2>/dev/null + fi +} + cmd_publish() { local name="$1" [ -z "$name" ] && { log_error "Site name required"; return 1; } @@ -484,22 +525,23 @@ cmd_publish() { uci set haproxy.${backend_name}.balance="roundrobin" uci set haproxy.${backend_name}.enabled="1" - # Create HAProxy server + # Create HAProxy server (use 127.0.0.1 for mitmproxy to reach uhttpd on host) local server_name="${backend_name}_srv" uci set haproxy.${server_name}=server uci set haproxy.${server_name}.backend="$backend_name" uci set haproxy.${server_name}.name="uhttpd" - uci set haproxy.${server_name}.address="192.168.255.1" + uci set haproxy.${server_name}.address="127.0.0.1" uci set haproxy.${server_name}.port="$port" uci set haproxy.${server_name}.weight="100" uci set haproxy.${server_name}.check="1" uci set haproxy.${server_name}.enabled="1" - # Create HAProxy vhost + # Create HAProxy vhost - route through mitmproxy for WAF inspection local vhost_name=$(echo "$domain" | tr '.-' '_') uci set haproxy.${vhost_name}=vhost uci set haproxy.${vhost_name}.domain="$domain" - uci set haproxy.${vhost_name}.backend="$backend_name" + uci set haproxy.${vhost_name}.backend="mitmproxy_inspector" + uci set haproxy.${vhost_name}.original_backend="$backend_name" uci set haproxy.${vhost_name}.ssl="1" uci set haproxy.${vhost_name}.ssl_redirect="1" uci set haproxy.${vhost_name}.acme="1" @@ -507,6 +549,9 @@ cmd_publish() { uci commit haproxy + # Add mitmproxy route for WAF forwarding + _add_mitmproxy_route "$domain" "$port" + # Regenerate HAProxy config and reload container (in background - takes ~90s with many vhosts) ( /usr/sbin/haproxyctl generate >/dev/null 2>&1 @@ -975,22 +1020,23 @@ _emancipate_haproxy() { uci set haproxy.${backend_name}.balance="roundrobin" uci set haproxy.${backend_name}.enabled="1" - # Create server + # Create server (use 127.0.0.1 for mitmproxy to reach uhttpd on host) local server_name="${backend_name}_srv" uci set haproxy.${server_name}=server uci set haproxy.${server_name}.backend="$backend_name" uci set haproxy.${server_name}.name="uhttpd" - uci set haproxy.${server_name}.address="192.168.255.1" + uci set haproxy.${server_name}.address="127.0.0.1" uci set haproxy.${server_name}.port="$port" uci set haproxy.${server_name}.weight="100" uci set haproxy.${server_name}.check="1" uci set haproxy.${server_name}.enabled="1" - # Create vhost with SSL + # Create vhost with SSL - route through mitmproxy for WAF inspection local vhost_name=$(echo "$domain" | tr '.-' '_') uci set haproxy.${vhost_name}=vhost uci set haproxy.${vhost_name}.domain="$domain" - uci set haproxy.${vhost_name}.backend="$backend_name" + uci set haproxy.${vhost_name}.backend="mitmproxy_inspector" + uci set haproxy.${vhost_name}.original_backend="$backend_name" uci set haproxy.${vhost_name}.ssl="1" uci set haproxy.${vhost_name}.ssl_redirect="1" uci set haproxy.${vhost_name}.acme="1"