feat(haproxy): Add global WAF routing option

Add `waf_enabled` and `waf_backend` options to haproxy.main config.
When waf_enabled=1, all vhost and path-based routing goes through
the WAF backend (default: mitmproxy_inspector) instead of directly
to service backends.

This enables global traffic inspection through mitmproxy WAF while
maintaining proper routing via haproxy_router addon.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl

@@ -123,6 +123,8 @@ load_config() {
 	maxconn="$(uci_get main.maxconn)" || maxconn="4096"
 	log_level="$(uci_get main.log_level)" || log_level="warning"
 	default_backend="$(uci_get main.default_backend)" || default_backend="default_luci"
+	waf_enabled="$(uci_get main.waf_enabled)" || waf_enabled="0"
+	waf_backend="$(uci_get main.waf_backend)" || waf_backend="mitmproxy_inspector"
 
 	CERTS_PATH="$data_path/certs"
 	CONFIG_PATH="$data_path/config"
@@ -719,11 +721,13 @@ _emit_sorted_path_acls() {
 				;;
 		esac
 
-		# Generate use_backend rule
+		# Generate use_backend rule (use WAF backend if enabled)
+		local effective_backend="$backend"
+		[ "$waf_enabled" = "1" ] && effective_backend="$waf_backend"
 		if [ -n "$host_acl_name" ]; then
-			echo "    use_backend $backend if host_${host_acl_name} ${acl_name}"
+			echo "    use_backend $effective_backend if host_${host_acl_name} ${acl_name}"
 		else
-			echo "    use_backend $backend if ${acl_name}"
+			echo "    use_backend $effective_backend if ${acl_name}"
 		fi
 	done
 
@@ -782,7 +786,10 @@ _add_vhost_acl() {
 			echo "    acl host_${acl_name} hdr(host) -i $domain"
 			;;
 	esac
-	echo "    use_backend $backend if host_${acl_name}"
+	# Use WAF backend if enabled, otherwise use original backend
+	local effective_backend="$backend"
+	[ "$waf_enabled" = "1" ] && effective_backend="$waf_backend"
+	echo "    use_backend $effective_backend if host_${acl_name}"
 }
 
 _generate_backends() {