- Add RPCD methods to mitmproxy: settings, save_settings, set_mode,
setup_firewall, clear_firewall
- Add apply_now parameter to tor-shield save_settings to restart
service and apply iptables rules immediately
- Update ACL files with new permissions
- Add Save & Apply button to tor-shield settings page
- Update api.js files to use correct RPCD method signatures
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The direct services provider was calling jsonfilter in a loop for each
listening port (~40 ports), causing XHR timeouts in the UI.
Changes:
- Disable direct provider by default (set enabled=0)
- Add limit of 20 services if enabled
- Skip common system ports (22, 53, 67, 68, 123, 547, 953)
- Add note about enabling via UCI if needed
The real services come from HAProxy vhosts and UCI published services.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Run Lyrion as nobody (uid 65534) via LXC init.uid/gid settings
- Use cgroup2 memory limit format (lxc.cgroup2.memory.max)
- Convert memory limit string (1G, 256M) to bytes for cgroup2
- Skip opkg install if LXC binaries already exist
- Set proper file ownership during rootfs creation
- Remove su command from start.sh (handled by LXC config)
Fixes the container crash loop caused by Lyrion refusing to run as root.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Tor Shield:
- Store current_preset in UCI when enabling with preset
- Return current_preset in status response
- Initialize currentPreset from stored UCI value on page load
Security Threats:
- Fix get_security_stats() firewall packet counting
- Use correct nftables chain names (input_wan, handle_reject)
- Fix grep -c exit code issue (returns 1 when no matches)
- Improve numeric validation (use tr -cd to strip non-digits)
- Add fallbacks for HAProxy socket paths
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- refresh_ips now fetches reverse DNS for exit IP
- Status includes exit_hostname from cache
- Dashboard displays hostname below exit IP
- get_exit_ip also returns hostname
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The expect: { success: false } was causing LuCI RPC to return false
instead of the actual response. Changed all expect declarations to
empty objects to get raw API responses.
Also improved error messages to show actual response for debugging.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Clicking a preset card now enables/restarts Tor with that preset
- Previously it only selected the preset for next toggle
- Added better error handling for toggle and preset changes
- Page reloads after successful preset change
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The toggle handler was receiving status captured at render time which
could be stale due to polling. Now fetches fresh status before deciding
to enable or disable, and does a full page reload after action.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The cumulative impact summary was showing zeros because it only checked
the plugins catalog. Now also counts:
- HAProxy vhosts directly from UCI
- Running LXC containers
- Running Docker containers
- Firewall WAN ACCEPT rules with ports
- DNSmasq entries
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix disabled buttons in Network Tweaks using conditional rendering
- Change AdGuard Home ports to avoid conflicts (web: 3003, dns: 5353)
- Add DNS & Proxy link from Tor Shield to Network Tweaks
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add always-visible toggle switch at top of dashboard
- Clear visual indication: green when protected, red when exposed
- Shows protection status text and toggle switch
- Easier one-click enable/disable of Tor protection
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add AdGuard Home status card with enable/disable and Open UI button
- Add setAdGuardEnabled RPCD method for Docker container control
- Rename section to "DNS & Proxy Services"
- Responsive grid layout for 3 service cards
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CDN cache status card with enable/disable and restart buttons
- Add WPAD auto-proxy card with enable/disable toggle
- Add getProxyStatus, getWpadStatus, setWpadEnabled RPCD methods
- Move menu to Services section
- Update ACL for CDN cache and WPAD control
Also fixes:
- security-threats: Fix HAProxy socket path for connection stats
- tor-shield: Add missing ACL methods for excluded destinations
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_excluded_destinations() method to list bypassed destinations
- Add add_excluded_destination() to exclude IPs/CIDRs/domains from Tor
- Add remove_excluded_destination() to remove exclusions
- Add apply_exclusions() to restart tor-shield with new rules
- Domain resolution attempts to get IP for iptables compatibility
- Existing private network CIDRs (192.168/10/172.16/127) are default excluded
Also includes metablogizer fixes:
- reload_haproxy() helper function
- Server address uses 127.0.0.1 for uhttpd backends
- fix_permissions() on file uploads
PKG_RELEASE: tor-shield=3, metablogizer=3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add reload_haproxy() helper function for consistent reloads
- Use 127.0.0.1 for uhttpd backend address instead of 192.168.255.1
- Call fix_permissions() on upload_file to ensure correct file access
- Update delete_site to use reload_haproxy helper
- Bump PKG_RELEASE to 3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BREAKING: Default policy changed from quarantine to open
- Disabled by default (was enabled)
- Default policy: open (was quarantine - blocked new devices!)
- Auto-zoning: disabled by default
- Auto-parking zone: lan_private (was guest)
- Night block schedule: disabled by default
- Threat auto-ban: disabled by default
Safety mechanisms added:
- MAX_BLOCKED_DEVICES limit (10) prevents mass blocking
- check_safety_limit() function validates before blocking
- clear_all_cg_rules() emergency function via RPCD
- safety_status RPCD method to check current state
UI improvements:
- Added warnings for restrictive policies
- Reordered options (safe options first)
- Clearer descriptions of consequences
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move 9 service apps from admin/secubox/services/ to admin/services/:
- localai, lyrion, magicmirror2, mailinabox, mmpm
- nextcloud, ollama, vhost-manager, mitmproxy
Services now appear under standard LuCI Services menu for consistency.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix LAPI status check to dynamically read port from config
- Previously hardcoded wrong port (8080 vs 8180)
- Add comprehensive SecuBox feed documentation to README
- Document opkg configuration, HAProxy publishing, troubleshooting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_network_info RPCD method:
- Public IPv4/IPv6 detection via external services
- Reverse DNS hostname lookup
- External port accessibility test (upstream router/ISP check)
- Enhance check_service_health:
- Compare DNS resolution against actual public IP
- Detect private IP misconfiguration (192.168.x.x pointing)
- Test external port reachability
- Add Network Connectivity panel to dashboard:
- Shows public IPs with hostnames
- External port 80/443 accessibility status
- Local firewall and HAProxy status
- Improve URL Readiness Checker:
- Display public IP info
- Show specific recommendations with IP addresses
- Detect and explain DNS pointing to private IP
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Document all features including:
- Health monitoring and URL readiness checker
- Service publishing workflow
- Health check API usage
- Troubleshooting guide for common issues
- UCI configuration reference
- RPCD methods reference
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add health check RPCD methods:
- check_service_health: Check DNS, cert, firewall for single domain
- check_all_health: Batch check all published services
- Add URL Readiness Checker wizard card to dashboard:
- Check if domain DNS resolves correctly
- Verify firewall ports 80/443 are open
- Check SSL certificate status
- Show actionable recommendations
- Display inline health status badges on service rows:
- DNS resolution status (ok/failed)
- Certificate expiry (ok/warning/critical/expired)
- Add health summary bar showing overall system status
- Add per-service health check button
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Automatically creates firewall rules for HAProxy when:
- Requesting a certificate (haproxyctl cert add)
- Publishing a service with a domain (service-registry)
Added firewall rules:
- HAProxy-HTTP: Allow port 80 from WAN (ACME challenges)
- HAProxy-HTTPS: Allow port 443 from WAN (HTTPS traffic)
Rules are only created if they don't exist, preventing duplicates.
Firewall reloads automatically after rule creation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Certificate issuance now uses webroot mode instead of standalone:
- HAProxy routes /.well-known/acme-challenge/ to local ACME webserver
- Added acme_challenge backend on port 8402
- Uses busybox httpd to serve challenge files
- No HAProxy restart required during certificate requests
- Config auto-regenerates before cert request to ensure ACME backend
This eliminates downtime during certificate issuance and allows
multiple concurrent certificate requests.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
HAProxy Certificates:
- Add async certificate request API (start_cert_request, get_cert_task)
- Non-blocking ACME requests with background processing
- Real-time progress tracking with phases (starting → validating → requesting → verifying → complete)
- Add staging vs production mode toggle for ACME
- New modern UI with visual progress indicators
- Task persistence and polling support
Service Registry:
- Fix QR codes using api.qrserver.com (Google Charts deprecated)
- Fix form prefill with proper _new section selectors
- Add change event dispatch for LuCI form bindings
- Update landing page generator with working QR API
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove expect clause from RPC declarations to get raw response
- Add proper error handling with catch blocks for all RPC calls
- Fix landing page generator to chmod 644 after generation
- Fixes "No Services Found" issue in dashboard
- Fixes "Forbidden" error when accessing landing page
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement Service Registry LuCI app for unified service management:
- RPCD backend aggregating services from HAProxy, Tor, netstat, LXC
- One-click publish to clearnet (HAProxy+ACME) and/or Tor hidden service
- Static landing page generator with QR codes for all URLs
- LuCI dashboard with service grid, quick publish form
- CLI tool (secubox-registry) for command-line management
- Share buttons for X, Telegram, WhatsApp
RPCD methods: list_services, publish_service, unpublish_service,
generate_landing_page, get_qr_data, list_categories
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix tor-shield/api.js: Use baseclass.extend() pattern correctly
- Fix tor-shield ACL: Add missing 'restart' write permission
- Fix secubox-app-tor: Disable conflicting default tor init in postinst
- Move metablogizer menu from secubox/services to admin/services
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC declaration with `expect: { sites: [] }` extracts the array
directly, so data[1] IS the sites array, not an object with .sites property.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add /etc/config/metablogizer with default settings
- Update Makefile to install config as conffile
- Fixes 404 error when accessing MetaBlogizer in LuCI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- CrowdSec Dashboard: Add bouncer_count, geoip_enabled, acquisition_count,
scenario_count fields to get_overview and get_health_check RPCD functions
- MetaBlogizer: Fix menu path to admin/secubox/services/metablogizer
- Portal: Add MetaBlogizer and Gitea to apps registry for services section
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The dashboard was showing 0 decisions because `cscli decisions list`
only returns local decisions, not CAPI blocklist entries.
Fixed by:
- Parsing CAPI decision counts from `cscli metrics` output
- Added separate local_decisions and capi_decisions fields
- Updated overview to show "CAPI Blocklist" and "Local Bans" separately
- Fixed get_capi_metrics to use metrics parsing instead of decisions list
This correctly shows ~15,000 CAPI blocklist IPs instead of 0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change evt.Line contains -> evt.Line.Raw contains in parsers
(pipeline.Line type requires .Raw accessor for string operations)
- Remove invalid filter: field from acquisition configs
(filter belongs in parsers, not acquisition files)
Fixes CrowdSec v1.7.6 startup failures.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New luci-app-metablogizer package replacing metabolizer with simplified
static site publishing:
- RPCD backend with create/delete/sync site methods
- Auto HAProxy vhost creation with SSL/ACME
- Nginx LXC container integration for serving static files
- Git sync from Gitea repositories
- QR code generation for published URLs
- Social share buttons (Twitter, LinkedIn, Facebook, Telegram, WhatsApp, Email)
- Drag-and-drop file upload UI
- SecuBox light theme styling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Bump CrowdSec version from 1.7.4 to 1.7.6
- Add modernc.org/sqlite v1.34.2 vendor module (Go 1.21 compatible)
- Patch strings.SplitSeq in hubtest for Go 1.23 compatibility
- Add replace directive for sqlite to use vendored version
Built and tested: crowdsec_1.7.6-r1_aarch64_cortex-a72.ipk (80MB)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- README.md: Update to v0.16.0 with all 38 modules categorized
- CHANGELOG.md: Create comprehensive changelog (v0.12.0-v0.16.0)
- CLAUDE.md: Add toolchain build rules for Go/CGO packages
- secubox-tools/README.md: Add SDK vs toolchain build guidance
- TODO-ANALYSE.md: Mark completed tasks, update health score
- HISTORY.md: Document ARM64 toolchain discovery, multi-instance
- dev-status-widget.js: Update stats (38 modules, 1500 commits)
SDK builds produce LSE atomics that crash on some ARM64 CPUs.
Go/CGO packages (crowdsec, netifyd) must use full toolchain.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CrowdSec:
- Change LAPI default port from 8080 to 8180 (avoid Docker conflict)
- Update bouncer config, init script, and RPCD dashboard
- Fix port detection hex value (1FF4 for 8180)
Streamlit:
- Complete rewrite with folder-based app structure
- Multi-instance support (multiple apps on different ports)
- Gitea integration (clone, pull, setup commands)
- Auto-install requirements.txt with hash-based caching
HexoJS:
- Multi-instance support with folder structure
- Multiple blog instances on different ports
HAProxy:
- Auto-generate fallback backends (luci, apps, default_luci)
- Add --server letsencrypt to ACME commands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
