New methods for threats monitor dashboard:
- bans: Get CrowdSec decisions with counts by source
Returns total, mitmproxy_autoban, crowdsec counts + full bans array
- unban: Remove ban by IP address
Updates ACL to include new methods for LuCI access.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Track requests, threats, protocols per subdomain
- Record HTTP methods, status codes, top URIs, countries
- New RPCD method: subdomain_metrics
- Metrics auto-saved to /tmp/secubox-subdomain-metrics.json
- Add wan_setup/wan_clear to ACL write permissions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
grep -c returns exit code 1 when no matches found (even though it
outputs 0), causing `|| echo 0` to append an extra 0 and corrupt
the JSON response. This broke ubus calls and LuCI status display.
Use `: ${var:=0}` pattern instead to provide defaults.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add WAF-like functionality to mitmproxy for protecting services exposed
to the internet. Incoming WAN traffic is redirected through mitmproxy
for threat detection before reaching backend services.
Features:
- WAN protection mode with nftables rules for incoming traffic
- Enhanced bot scanner detection with 50+ scanner signatures
- Behavioral detection for config/admin/backup/shell hunting
- CrowdSec integration with new scenarios for bot scanners
- LuCI interface for WAN protection configuration
- DPI mirror mode support (secondary feature)
New CrowdSec scenarios:
- secubox/mitmproxy-botscan: Detect automated reconnaissance
- secubox/mitmproxy-shell-hunter: Detect shell/backdoor hunting
- secubox/mitmproxy-config-hunter: Detect credential file hunting
- secubox/mitmproxy-suspicious-ua: Detect suspicious user agents
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change analytics addon to write threats to /data/threats.log (bind-mounted to host)
- Add CrowdSec acquisition config to read from /srv/mitmproxy/threats.log
- Add parser for mitmproxy JSON threat logs with source_ip in Meta
- Add scenarios for web attacks, scanners, SSRF, and CVE exploits
- Update RPCD to read alerts from host-visible path without lxc-attach
This enables automatic IP banning when mitmproxy detects:
- SQL injection, XSS, command injection (capacity: 3, ban: 15m)
- Path traversal, XXE, LDAP injection, Log4Shell
- Aggressive web scanning (capacity: 10, ban: 10m)
- SSRF attempts from external IPs (capacity: 5, ban: 10m)
- Known CVE exploits (immediate trigger, ban: 30m)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPCD was looking for alerts in /tmp/secubox-mitm-alerts.json but
the analytics addon writes to /var/log/crowdsec/secubox-mitm.log in
JSONL format (one JSON object per line).
Changes:
- RPCD: Read from container's /var/log/crowdsec/secubox-mitm.log
- RPCD: Convert JSONL to JSON array using awk
- JS: Handle new field names (source_ip, timestamp, request)
Alerts now display correctly in LuCI dashboard.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HAProxy → mitmproxy → Backend inspection chain for filtering
all vhost traffic through mitmproxy with threat detection
- Add haproxy_router.py addon for Host-based request routing
- Add mitmproxyctl commands: sync-routes, haproxy-enable, haproxy-disable
- Add auth token to status response for Web UI auto-authentication
- Add HAProxy Backend Inspection section to LuCI status page with
enable/disable/sync controls
- Add HAProxy Router settings section to LuCI settings page
- LXC container now supports dual-port mode (8888 + 8889 for HAProxy)
- Token displayed with copy button in dashboard
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add RPCD methods to mitmproxy: settings, save_settings, set_mode,
setup_firewall, clear_firewall
- Add apply_now parameter to tor-shield save_settings to restart
service and apply iptables rules immediately
- Update ACL files with new permissions
- Add Save & Apply button to tor-shield settings page
- Update api.js files to use correct RPCD method signatures
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_web_token to RPCD ACL permissions (was missing, causing 403)
- Add fallback token retrieval from container via lxc-attach
- Improve token capture regex to support alphanumeric tokens
- Fix startup script with background process + tee for reliable capture
- Add IP forwarding enablement for transparent proxy mode
- Fix bypass rule for traffic destined to router itself
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add PYTHONUNBUFFERED=1 to ensure mitmweb output is not buffered
- Use inline while loop to capture authentication token from startup output
- Fix RPCD backend to read token from correct path ($DATA_DIR/.mitmproxy_token)
- Add proper shell detection and symlink creation in Docker rootfs extraction
- Remove unnecessary exec in pipeline that prevented output capture
The mitmweb authentication token is now properly captured and available
to the LuCI Web UI view for iframe embedding.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_web_token RPCD method to retrieve auth token
- Create webui.js view that embeds mitmweb in an iframe
- Capture auth token at startup and save to file
- Add Web UI navigation to all mitmproxy views
- Fix PATH for /usr/local/bin in Docker image
- Change default port from 8080 to 8888 (avoid CrowdSec conflict)
secubox-app-mitmproxy: bump to r12
luci-app-mitmproxy: bump to r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add nftables transparent mode support with automatic REDIRECT rules
- Create SecuBox Python filter addon for CDN/Media/Ad tracking
- Add whitelist/bypass configuration for IPs and domains
- Expand UCI config with transparent, whitelist, filtering sections
- Update RPCD backend with new config methods and firewall control
- Update LuCI settings view with all new configuration options
- Add new API methods: firewall_setup, firewall_clear, list management
Features:
- Transparent proxy with nftables integration
- CDN tracking (Cloudflare, Akamai, Fastly, etc.)
- Media streaming tracking (YouTube, Netflix, Spotify)
- Ad/tracker blocking
- IP and domain whitelist bypass
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create mitmproxyctl script with LXC container management
- Alpine Linux rootfs with Python and mitmproxy via pip
- Support for regular, transparent, upstream, and reverse proxy modes
- UCI configuration for proxy_port, web_port, memory_limit, etc.
- procd init script for service management
- Update luci-app-mitmproxy RPCD backend for LXC container status
Ports:
- 8080: Proxy port
- 8081: Web interface (mitmweb)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Portal Integration:
- Add mitmproxy to Security section with service status tracking
- Add vhost-manager to new Services section
- Add Services section to portal navigation header
- Update path detection for security/mitmproxy and services/vhosts
mitmproxy Changes:
- Move menu from admin/secubox/mitmproxy to admin/secubox/security/mitmproxy
- Update view navigation links to use new path structure
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages for full URL/cookie/header capture via MITM proxy:
secubox-app-mitmproxy:
- Downloads mitmproxy v11.1.2 binary for aarch64
- Transparent proxy mode with iptables integration
- mitmweb UI on port 8081
- Auto CA certificate generation
- mitmproxyctl CLI management tool
luci-app-mitmproxy:
- SecuBox themed dashboard with red color scheme
- Real-time request capture view
- Top hosts statistics
- CA certificate management
- Full UCI settings interface
- RPCD backend for ubus API
This enables full HTTP/HTTPS inspection including:
- Complete URLs (not just hostnames like nDPId)
- Cookies and headers
- Request/response bodies
- Flow recording for replay
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
