From f38df2b319707b615e72d385706a6719bfad9d2d Mon Sep 17 00:00:00 2001
From: CyberMind-FR
Date: Sat, 14 Feb 2026 13:21:27 +0100
Subject: [PATCH] feat(metablogizer): Enhance emancipate with WAF and path ACL integration

- Add _emancipate_mitmproxy() to register domain in WAF routes
- Add _emancipate_path_acl() to create secubox.in/gk2/{name} path routing
- Auto-detect wildcard SSL coverage for *.gk2.secubox.in domains
- Restart mitmproxy-in container after adding routes
- Update help text with 7-step workflow
Emancipate now handles full deployment:
1. DNS A record (Gandi/OVH)
2. Vortex DNS mesh publication
3. HAProxy vhost + backend
4. WAF/mitmproxy integration
5. Path ACL (secubox.in/gk2/{name})
6. SSL certificate (or wildcard)
7. Zero-downtime reload
Co-Authored-By: Claude Opus 4.5
---
 .../files/usr/sbin/metablogizerctl | 85 +++++++++++++++++--
 1 file changed, 80 insertions(+), 5 deletions(-)
diff --git a/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl b/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl
index eca8cd35..bd00a82d 100644
--- a/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl
+++ b/package/secubox/secubox-app-metablogizer/files/usr/sbin/metablogizerctl
@@ -44,8 +44,10 @@ Site Commands:
 1. DNS A record (Gandi/OVH)
 2. Vortex DNS mesh publication
 3. HAProxy vhost with SSL
- 4. ACME certificate
- 5. Zero-downtime reload
+ 4. WAF/mitmproxy integration
+ 5. Path ACL (secubox.in/gk2/{name})
+ 6. SSL certificate (or wildcard)
+ 7. Zero-downtime reload
 Runtime Commands:
 runtime Show current runtime
@@ -838,6 +840,65 @@ _emancipate_haproxy() {
 fi
 }
+_emancipate_mitmproxy() {
+ local name="$1"
+ local domain="$2"
+ local port=$(uci_get site_${name}.port)
+ local routes_file="/srv/mitmproxy-in/haproxy-routes.json"
+
+ log_info "[WAF] Adding $domain to mitmproxy routes"
+
+ # Check if mitmproxy routes file exists
+ if [ ! -f "$routes_file" ]; then
+ log_warn "[WAF] mitmproxy routes file not found, skipping"
+ return 1
+ fi
+
+ # Add domain to mitmproxy routes using Python
+ python3 -c "
+import json
+try:
+ with open('$routes_file') as f:
+ data = json.load(f)
+ data['$domain'] = ['192.168.255.1', $port]
+ with open('$routes_file', 'w') as f:
+ json.dump(data, f, indent=2)
+ print('[WAF] Route added: $domain -> 192.168.255.1:$port')
+except Exception as e:
+ print(f'[WAF] Error: {e}')
+" 2>/dev/null
+
+ # Restart mitmproxy-in container to reload routes
+ if command -v lxc-stop >/dev/null 2>&1; then
+ log_info "[WAF] Restarting mitmproxy-in container..."
+ lxc-stop -n mitmproxy-in 2>/dev/null
+ sleep 1
+ lxc-start -n mitmproxy-in 2>/dev/null
+ sleep 2
+ log_info "[WAF] mitmproxy-in restarted"
+ fi
+}
+
+_emancipate_path_acl() {
+ local name="$1"
+ local backend_name="metablog_${name}"
+
+ log_info "[PATH] Adding /gk2/$name path ACL to secubox.in"
+
+ # Create path ACL for secubox.in/gk2/{name}
+ local acl_name="path_gk2_${name}"
+ uci set haproxy.${acl_name}=acl
+ uci set haproxy.${acl_name}.type="path_beg"
+ uci set haproxy.${acl_name}.pattern="/gk2/${name}"
+ uci set haproxy.${acl_name}.backend="$backend_name"
+ uci set haproxy.${acl_name}.host="secubox.in"
+ uci set haproxy.${acl_name}.enabled="1"
+ uci set haproxy.${acl_name}.waf_bypass="1"
+
+ uci commit haproxy
+ log_info "[PATH] Path ACL created: secubox.in/gk2/$name -> $backend_name"
+}
+
 _emancipate_ssl() {
 local domain="$1"
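Review bot: In `_emancipate_mitmproxy`, `$routes_file`, `$domain` and `$port` are spliced into Python source text inside the `python3 -c "..."` string, so a domain or site value containing a quote or backslash either breaks the script or is executed as Python, and an empty `port` silently produces `['192.168.255.1', ]`, which is a valid one-element Python list written to the routes file without a port. The `2>/dev/null` together with `except Exception: print(...)` hides every failure and leaves the exit status at 0, so the container is restarted even when no route was written. Passing the values as arguments to a quoted heredoc script, refusing an empty port and returning non-zero on failure keeps the function's interface unchanged; the container-restart tail below it can stay as it is. In `_emancipate_path_acl`, `waf_bypass="1"` appears to send `secubox.in/gk2/<name>` around the WAF that the preceding step just registered the domain with; if that is intended, a one-line comment above that `uci set` explaining why this path route is exempt would stop the next reader from treating it as an oversight.
```shell
_emancipate_mitmproxy() {
    local name="$1"
    local domain="$2"
    local port
    port=$(uci_get "site_${name}.port") || port=""
    local routes_file="/srv/mitmproxy-in/haproxy-routes.json"

    # … unchanged: log_info and routes_file existence check …

    if [ -z "$port" ]; then
        log_warn "[WAF] No port configured for site $name, skipping"
        return 1
    fi

    # Values reach Python via argv, never via source interpolation
    if ! python3 - "$routes_file" "$domain" "$port" <<'PYEOF'
import json, sys
routes_file, domain, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
with open(routes_file) as f:
    data = json.load(f)
data[domain] = ['192.168.255.1', port]
with open(routes_file, 'w') as f:
    json.dump(data, f, indent=2)
print(f'[WAF] Route added: {domain} -> 192.168.255.1:{port}')
PYEOF
    then
        log_warn "[WAF] Failed to update $routes_file"
        return 1
    fi

    # … unchanged: mitmproxy-in container restart …
}
```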
@@ -910,10 +971,24 @@ cmd_emancipate() {
 # Step 3: HAProxy vhost + backend
 _emancipate_haproxy "$name" "$domain"
- # Step 4: SSL Certificate
- _emancipate_ssl "$domain"
+ # Step 4: WAF/mitmproxy integration
+ _emancipate_mitmproxy "$name" "$domain"
- # Step 5: Reload HAProxy
+ # Step 5: Path ACL for secubox.in/gk2/{name}
+ _emancipate_path_acl "$name"
+
+ # Step 6: SSL Certificate (wildcard covers *.gk2.secubox.in)
+ # Only request if not covered by wildcard
+ case "$domain" in
+ *.gk2.secubox.in)
+ log_info "[SSL] Using wildcard certificate *.gk2.secubox.in"
+ ;;
+ *)
+ _emancipate_ssl "$domain"
+ ;;
+ esac
+
+ # Step 7: Reload HAProxy
 _emancipate_reload
 # Mark site as emancipated
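Review bot: The `*.gk2.secubox.in` case pattern is a shell glob, so it also matches multi-label names such as `a.b.gk2.secubox.in`, which a single-label wildcard certificate does not cover; such a domain would skip `_emancipate_ssl` and be published with no certificate at all, and nothing in the hunk verifies that the wildcard certificate is actually installed before relying on it. A more specific arm placed before the existing one keeps only single-label names on the wildcard: `*.*.gk2.secubox.in) _emancipate_ssl "$domain" ;;`. The return codes of `_emancipate_mitmproxy` and `_emancipate_path_acl` are ignored here; since `_emancipate_mitmproxy` returns 1 when the routes file is missing, that looks like intended best-effort behaviour, and a comment on Step 4 such as `# best-effort: WAF route is skipped when mitmproxy-in is not deployed` would make it explicit. `cmd_emancipate` starts and ends outside this hunk.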