fix(metablogizer): Route new sites through mitmproxy for WAF inspection
- Changed vhost backend from direct metablog_* to mitmproxy_inspector - Added original_backend tracking for mitmproxy route resolution - Changed server address from 192.168.255.1 to 127.0.0.1 - Added _add_mitmproxy_route helper for route registration - Fixed both cmd_publish() and _emancipate_haproxy() functions This ensures all newly published sites go through WAF inspection rather than bypassing security checks. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
e1f2a0e885
commit
c8a5e1c19a
@ -442,6 +442,47 @@ EOF
|
|||||||
lxc-attach -n "$NGINX_LXC" -- nginx -s reload 2>/dev/null || true
|
lxc-attach -n "$NGINX_LXC" -- nginx -s reload 2>/dev/null || true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Add mitmproxy route for WAF forwarding
|
||||||
|
_add_mitmproxy_route() {
|
||||||
|
local domain="$1"
|
||||||
|
local port="$2"
|
||||||
|
local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
|
||||||
|
|
||||||
|
# mitmproxy reaches uhttpd on host via 127.0.0.1
|
||||||
|
local host_ip="127.0.0.1"
|
||||||
|
|
||||||
|
# Direct JSON update
|
||||||
|
if [ -f "$routes_file" ] && command -v python3 >/dev/null 2>&1; then
|
||||||
|
python3 -c "
|
||||||
|
import json
|
||||||
|
try:
|
||||||
|
with open('$routes_file', 'r') as f:
|
||||||
|
routes = json.load(f)
|
||||||
|
routes['$domain'] = ['$host_ip', $port]
|
||||||
|
with open('$routes_file', 'w') as f:
|
||||||
|
json.dump(routes, f, indent=2)
|
||||||
|
except Exception as e:
|
||||||
|
pass
|
||||||
|
" 2>/dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Also update the main mitmproxy routes file
|
||||||
|
local main_routes="/srv/mitmproxy/haproxy-routes.json"
|
||||||
|
if [ -f "$main_routes" ] && command -v python3 >/dev/null 2>&1; then
|
||||||
|
python3 -c "
|
||||||
|
import json
|
||||||
|
try:
|
||||||
|
with open('$main_routes', 'r') as f:
|
||||||
|
routes = json.load(f)
|
||||||
|
routes['$domain'] = ['$host_ip', $port]
|
||||||
|
with open('$main_routes', 'w') as f:
|
||||||
|
json.dump(routes, f, indent=2)
|
||||||
|
except Exception as e:
|
||||||
|
pass
|
||||||
|
" 2>/dev/null
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
cmd_publish() {
|
cmd_publish() {
|
||||||
local name="$1"
|
local name="$1"
|
||||||
[ -z "$name" ] && { log_error "Site name required"; return 1; }
|
[ -z "$name" ] && { log_error "Site name required"; return 1; }
|
||||||
@ -484,22 +525,23 @@ cmd_publish() {
|
|||||||
uci set haproxy.${backend_name}.balance="roundrobin"
|
uci set haproxy.${backend_name}.balance="roundrobin"
|
||||||
uci set haproxy.${backend_name}.enabled="1"
|
uci set haproxy.${backend_name}.enabled="1"
|
||||||
|
|
||||||
# Create HAProxy server
|
# Create HAProxy server (use 127.0.0.1 for mitmproxy to reach uhttpd on host)
|
||||||
local server_name="${backend_name}_srv"
|
local server_name="${backend_name}_srv"
|
||||||
uci set haproxy.${server_name}=server
|
uci set haproxy.${server_name}=server
|
||||||
uci set haproxy.${server_name}.backend="$backend_name"
|
uci set haproxy.${server_name}.backend="$backend_name"
|
||||||
uci set haproxy.${server_name}.name="uhttpd"
|
uci set haproxy.${server_name}.name="uhttpd"
|
||||||
uci set haproxy.${server_name}.address="192.168.255.1"
|
uci set haproxy.${server_name}.address="127.0.0.1"
|
||||||
uci set haproxy.${server_name}.port="$port"
|
uci set haproxy.${server_name}.port="$port"
|
||||||
uci set haproxy.${server_name}.weight="100"
|
uci set haproxy.${server_name}.weight="100"
|
||||||
uci set haproxy.${server_name}.check="1"
|
uci set haproxy.${server_name}.check="1"
|
||||||
uci set haproxy.${server_name}.enabled="1"
|
uci set haproxy.${server_name}.enabled="1"
|
||||||
|
|
||||||
# Create HAProxy vhost
|
# Create HAProxy vhost - route through mitmproxy for WAF inspection
|
||||||
local vhost_name=$(echo "$domain" | tr '.-' '_')
|
local vhost_name=$(echo "$domain" | tr '.-' '_')
|
||||||
uci set haproxy.${vhost_name}=vhost
|
uci set haproxy.${vhost_name}=vhost
|
||||||
uci set haproxy.${vhost_name}.domain="$domain"
|
uci set haproxy.${vhost_name}.domain="$domain"
|
||||||
uci set haproxy.${vhost_name}.backend="$backend_name"
|
uci set haproxy.${vhost_name}.backend="mitmproxy_inspector"
|
||||||
|
uci set haproxy.${vhost_name}.original_backend="$backend_name"
|
||||||
uci set haproxy.${vhost_name}.ssl="1"
|
uci set haproxy.${vhost_name}.ssl="1"
|
||||||
uci set haproxy.${vhost_name}.ssl_redirect="1"
|
uci set haproxy.${vhost_name}.ssl_redirect="1"
|
||||||
uci set haproxy.${vhost_name}.acme="1"
|
uci set haproxy.${vhost_name}.acme="1"
|
||||||
@ -507,6 +549,9 @@ cmd_publish() {
|
|||||||
|
|
||||||
uci commit haproxy
|
uci commit haproxy
|
||||||
|
|
||||||
|
# Add mitmproxy route for WAF forwarding
|
||||||
|
_add_mitmproxy_route "$domain" "$port"
|
||||||
|
|
||||||
# Regenerate HAProxy config and reload container (in background - takes ~90s with many vhosts)
|
# Regenerate HAProxy config and reload container (in background - takes ~90s with many vhosts)
|
||||||
(
|
(
|
||||||
/usr/sbin/haproxyctl generate >/dev/null 2>&1
|
/usr/sbin/haproxyctl generate >/dev/null 2>&1
|
||||||
@ -975,22 +1020,23 @@ _emancipate_haproxy() {
|
|||||||
uci set haproxy.${backend_name}.balance="roundrobin"
|
uci set haproxy.${backend_name}.balance="roundrobin"
|
||||||
uci set haproxy.${backend_name}.enabled="1"
|
uci set haproxy.${backend_name}.enabled="1"
|
||||||
|
|
||||||
# Create server
|
# Create server (use 127.0.0.1 for mitmproxy to reach uhttpd on host)
|
||||||
local server_name="${backend_name}_srv"
|
local server_name="${backend_name}_srv"
|
||||||
uci set haproxy.${server_name}=server
|
uci set haproxy.${server_name}=server
|
||||||
uci set haproxy.${server_name}.backend="$backend_name"
|
uci set haproxy.${server_name}.backend="$backend_name"
|
||||||
uci set haproxy.${server_name}.name="uhttpd"
|
uci set haproxy.${server_name}.name="uhttpd"
|
||||||
uci set haproxy.${server_name}.address="192.168.255.1"
|
uci set haproxy.${server_name}.address="127.0.0.1"
|
||||||
uci set haproxy.${server_name}.port="$port"
|
uci set haproxy.${server_name}.port="$port"
|
||||||
uci set haproxy.${server_name}.weight="100"
|
uci set haproxy.${server_name}.weight="100"
|
||||||
uci set haproxy.${server_name}.check="1"
|
uci set haproxy.${server_name}.check="1"
|
||||||
uci set haproxy.${server_name}.enabled="1"
|
uci set haproxy.${server_name}.enabled="1"
|
||||||
|
|
||||||
# Create vhost with SSL
|
# Create vhost with SSL - route through mitmproxy for WAF inspection
|
||||||
local vhost_name=$(echo "$domain" | tr '.-' '_')
|
local vhost_name=$(echo "$domain" | tr '.-' '_')
|
||||||
uci set haproxy.${vhost_name}=vhost
|
uci set haproxy.${vhost_name}=vhost
|
||||||
uci set haproxy.${vhost_name}.domain="$domain"
|
uci set haproxy.${vhost_name}.domain="$domain"
|
||||||
uci set haproxy.${vhost_name}.backend="$backend_name"
|
uci set haproxy.${vhost_name}.backend="mitmproxy_inspector"
|
||||||
|
uci set haproxy.${vhost_name}.original_backend="$backend_name"
|
||||||
uci set haproxy.${vhost_name}.ssl="1"
|
uci set haproxy.${vhost_name}.ssl="1"
|
||||||
uci set haproxy.${vhost_name}.ssl_redirect="1"
|
uci set haproxy.${vhost_name}.ssl_redirect="1"
|
||||||
uci set haproxy.${vhost_name}.acme="1"
|
uci set haproxy.${vhost_name}.acme="1"
|
||||||
|
|||||||
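Review bot: `_add_mitmproxy_route` in the first hunk splices `$routes_file`, `$domain` and `$port` directly into the Python source passed to `python3 -c`, so a domain containing a quote or a port that is not a bare integer alters the program text rather than the data; pass them as `sys.argv` entries to a quoted `<<'PY'` script instead. The `except Exception as e: pass` combined with `2>/dev/null` also means a missing routes file, missing `python3` or unparsable JSON leaves the vhost pointed at `mitmproxy_inspector` with no route registered and nothing logged, and the caller in `cmd_publish` (third hunk) never learns, so log via `log_error` and return non-zero so the publish can be reported as incomplete. The in-place `open(..., 'w')` write is not atomic either; dumping to a sibling temp file and `os.replace` keeps the routes file parseable if the process dies mid-write. Both routes files receive identical logic, so a single loop over the two paths removes the duplicated block. Where `$domain` originates and whether it is validated earlier is outside these hunks and cannot be seen here.
```shell
_add_mitmproxy_route() {
  local domain="$1"
  local port="$2"
  # mitmproxy reaches uhttpd on host via 127.0.0.1
  local host_ip="127.0.0.1"
  local f rc=0
  for f in /srv/mitmproxy-in/haproxy-routes.json /srv/mitmproxy/haproxy-routes.json; do
    [ -f "$f" ] || continue
    # Values travel via argv; the script itself is a quoted heredoc, so nothing is interpolated into Python source
    python3 - "$f" "$domain" "$host_ip" "$port" <<'PY' || rc=1
import json, os, sys
path, domain, host, port = sys.argv[1:5]
with open(path) as fh:
    routes = json.load(fh)
routes[domain] = [host, int(port)]
tmp = path + ".tmp"
with open(tmp, "w") as fh:
    json.dump(routes, fh, indent=2)
os.replace(tmp, path)
PY
  done
  [ "$rc" -eq 0 ] || log_error "mitmproxy route for $domain not registered"
  return "$rc"
}
```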