- secubox-app-hexojs: LXC-containerized Hexo service with Node.js
- hexoctl control script for container/site management
- Bundled CyberMind theme with dark/light mode
- Theme presets (minimal, tech, portfolio)
- Post/page scaffolds
- luci-app-hexojs: Full CMS dashboard
- Overview with stats and quick actions
- Post editor with Markdown toolbar and preview
- Media library browser
- Categories and tags management
- Apps portfolio for CyberMind theme
- Build and deploy to GitHub Pages
- GitHub Sync wizard (clone, pull, push)
- Theme configuration and presets
- Site settings
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add secubox-app-tor (backend) and luci-app-tor-shield (frontend) packages
for Tor anonymization on OpenWrt.
Backend features:
- UCI configuration with presets (anonymous, selective, censored)
- procd init script with iptables transparent proxy
- torctl CLI tool for status, enable/disable, circuits, leak-test
- DNS over Tor and kill switch support
- Hidden services and bridge management
Frontend features:
- Modern purple/onion themed dashboard
- One-click master toggle with visual status
- Real-time circuit visualization (Guard -> Middle -> Exit)
- Hidden services (.onion) management with copy/QR
- Bridge configuration (obfs4, snowflake, meek-azure)
- Leak detection tests
- Advanced settings for ports and exit node restrictions
Note: LuCI package renamed to luci-app-tor-shield to avoid conflict
with existing luci-app-tor package in OpenWrt LuCI feeds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Flask 1.1.2 requires specific old versions of dependencies:
- Jinja2==2.11.3 (escape moved in 3.1)
- markupsafe==1.1.1
- itsdangerous==1.1.0 (json removed in 2.x)
- Werkzeug==1.0.1
- click==7.1.2
- pybeerxml<2.0.0 (Parser import changed in 2.x)
- marshmallow<4.0.0
Also:
- Use pip-installed package instead of git repo mount
- Simplify LXC mounts to just data directories
Tested and working on OpenWrt 24.10.5.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add two new packages for self-hosted brewing controller support:
secubox-app-picobrew:
- LXC container-based PicoBrew Server installation
- Alpine Linux rootfs with Python/Flask environment
- UCI configuration for port, memory, brewing defaults
- procd service management with respawn
- Commands: install, uninstall, update, status, logs, shell
luci-app-picobrew:
- Modern dashboard UI with SecuBox styling
- Service controls (start/stop/restart/install/update)
- Real-time status monitoring and logs
- Settings page for server and brewing configuration
- RPCD backend with full API coverage
Supports PicoBrew Zymatic, Z, Pico C, and Pico Pro devices.
Repository: https://github.com/CyberMind-FR/picobrew-server
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The wizard.js was looking for a global QRCode object that doesn't exist.
Updated to import and use our qrcode module like other views do.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed from baseclass.extend() to simple object return pattern
to match other libraries (chart.js). The baseclass dependency
was causing the module to fail loading.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The JavaScript QR code fallback was limited to Version 5 (106 bytes max),
but WireGuard configs are typically 200-250 bytes. This caused QR code
generation to fail when the backend qrencode binary is not installed.
Changes:
- Auto-select optimal QR version (1-20) based on data length
- Support up to 858 bytes (Version 20)
- Proper Reed-Solomon error correction with dynamic generator polynomials
- Data interleaving for multiple EC blocks
- Alignment patterns for all versions
- Version info encoding for version 7+
- Quiet zone in SVG output
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Refactor CROWDSEC object to use luci.crowdsec-dashboard RPC instead of file.exec
- Add getNftablesStats() for accurate blocked IPs count from firewall bouncer
- Update updateDiskUsage() to use luci.system-hub.get_system_status RPC
- Update loadSystemLogs() to use luci.system-hub.get_logs RPC
- Add proper ACL permissions for luci.crowdsec-dashboard and luci.system-hub
- Bump version to 1.5.0-r3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Downgrade golang.org/x/net from v0.44.0 to v0.33.0 (Go 1.23 compatible)
- Patch out http.Protocols usage (Go 1.24+ feature) from:
- pkg/acquisition/modules/http/run.go
- pkg/acquisition/modules/appsec/config.go
- pkg/acquisition/modules/kubernetesaudit/config.go
- pkg/apiserver/apiserver.go
- Patch strings.SplitSeq to strings.Split (Go 1.24+ iterator feature) in:
- cmd/crowdsec-cli/clisetup/acquisition.go
- cmd/crowdsec/flags.go
This fixes the build failure caused by CrowdSec 1.7.4 using Go 1.24+
features while OpenWrt SDK ships Go 1.23.x.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The -x flag requires exact process name match which doesn't work
reliably on OpenWrt/BusyBox. Removed -x from all pgrep calls in:
- luci-app-bandwidth-manager
- luci-app-secubox-security-threats
- luci-app-auth-guardian
- luci-app-media-flow
- luci-app-vhost-manager
- luci-app-network-modes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add RPC call to fetch CrowdSec nftables statistics
- Replace Security Modules widget with IPs Blocked widget
- Show active/inactive status based on firewall bouncer health
- Add detailed breakdown in System Overview (IPv4/IPv6, CAPI/local)
- Gracefully handle missing CrowdSec dashboard package
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove -q (quiet) flag from wget to show download errors
- Use architecture-specific tarball (60MB) instead of multi-arch (126MB)
- Add fallback to multi-arch tarball if ARM download fails
- Add explicit error messages for download and extraction failures
- Verify download file exists and is non-empty before extraction
The previous -q flag was hiding the actual wget error, making it
difficult to diagnose download failures in the chroot environment.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- lxc_create_rootfs now checks for Lyrion installation (slimserver.pl)
instead of just Alpine (alpine-release) to detect complete installs
- Auto-cleanup incomplete installations where Alpine downloaded but
Lyrion failed to install (e.g., network issues during chroot)
- Add verification after installation to confirm Lyrion was installed
- Add 'destroy' command to manually clean up failed installations
- Bump version to 2.0.1
This fixes the issue where 'lyrionctl install' would report success
when Alpine was downloaded but the chroot setup script failed silently.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use L.url() for proper ubus endpoint URL
- Pass messages as array instead of JSON string
- Add credentials and better error handling
- Fix AbortController error handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change default API port from 8080 to 8081
- Increase chat API timeout to 120 seconds (LLMs can be slow on ARM)
- Use custom fetch-based chat call with AbortController for timeout control
- Fix wget/curl timeout for RPCD backend
Resolves "XHR request timed out" errors when using chat with TinyLlama.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace Docker/LXC-based approach with direct binary download
- Download LocalAI v2.25.0 binary from GitHub releases
- Add localaictl CLI for install, model management, and service control
- Change default port to 8081 (avoid CrowdSec conflict on 8080)
- Remove secubox-app-localai-wb (merged into secubox-app-localai)
- Add model presets: tinyllama, phi2, mistral
Usage:
localaictl install
localaictl model-install tinyllama
/etc/init.d/localai enable && /etc/init.d/localai start
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New package for building LocalAI from source with llama-cpp backend:
- localai-wb-ctl: On-device build management
- check: Verify build prerequisites
- install-deps: Install build dependencies
- build: Compile LocalAI with llama-cpp
- Model management, service control
- build-sdk.sh: Cross-compile script for SDK
- Uses OpenWrt toolchain for ARM64
- Produces optimized binary with llama-cpp
Alternative to Docker-based secubox-app-localai for native builds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New LuCI application for Ollama management:
- Dashboard with service status and controls
- Model management (pull, remove, list)
- Chat interface with model selection
- Settings page for configuration
Files:
- RPCD backend (luci.ollama)
- Dashboard, Models, Chat, Settings views
- ACL and menu definitions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Download Docker image layers directly via Registry API
- No dockerd or podman daemon required anymore
- Same approach as mitmproxy and magicmirror2 packages
- All backends included (llama-cpp, whisper, etc.)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated default version from v2.25.0 to v3.10.0
- Fixed binary URL format: local-ai-v3.10.0-linux-arm64
- Updated Docker image tag to v3.10.0-ffmpeg
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add runtime_is_working() to verify daemon connectivity
- Falls back to standalone binary with helpful message if daemon not running
- Provides hint: /etc/init.d/dockerd start
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When using `localaictl install --lxc`:
1. If podman/docker available: extracts rootfs from Docker image
- Includes ALL backends (llama-cpp, whisper, etc.)
- Creates LXC container with full LocalAI capabilities
2. If no docker/podman: falls back to standalone binary
- Limited backend support
This gives the best of both worlds:
- LXC lightweight container management
- Full Docker image backends
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- is_running() now checks LXC with lxc-info before Docker/Podman
- get_status() calculates uptime from LXC container PID
- Order: LXC -> Podman -> Docker -> native process
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update is_running() to detect Docker/Podman containers
- Fix get_status() uptime calculation for containers
- Improve do_chat() with better error messages and logging
- Use curl if available for API calls (more reliable than wget POST)
- Add debug logging to syslog (logger -t localai-chat)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
LocalAI changes:
- Rewrite localaictl to use Docker/Podman instead of standalone binary
- Use localai/localai:v2.25.0-ffmpeg image with all backends included
- Fix llama-cpp backend not found issue
- Auto-detect podman or docker runtime
- Update UCI config with Docker settings
New Ollama package:
- Add secubox-app-ollama as lighter alternative to LocalAI
- Native ARM64 support with backends included
- Simple CLI: ollamactl pull/run/list
- Docker image ~1GB vs 2-4GB for LocalAI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The LuCI rpc.declare with expect: { models: [] } returns the array
directly, not wrapped in {models: [...]}. Fixed all views to handle
this correctly.
- models.js: Check Array.isArray(data) first
- dashboard.js: Extract array from results[1] directly
- chat.js: Same array handling fix
Version: 0.1.0-r12
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add secubox-app-localai package with LXC container support for LocalAI service
- Add luci-app-localai with dashboard, chat, models and settings views
- Implement RPCD backend for LocalAI API integration via /v1/models and /v1/chat/completions
- Use direct RPC declarations in LuCI views for reliable frontend communication
- Add LocalAI and Glances to secubox-portal services page
- Move Glances from services to monitoring section
Packages:
- secubox-app-localai: 0.1.0-r1
- luci-app-localai: 0.1.0-r8
- luci-app-secubox-portal: 0.6.0-r5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Improve Services tab with pgrep-based status detection
- Add service enable/disable toggle buttons
- Add port forwards table to Firewall tab
- Add process list to System tab
- Add CrowdSec alerts table
- Reorganize quick actions into grouped layout
- Add Flush DNS, Sync NTP, and LuCI Admin shortcuts
- Change URL path from /secubox-dashboard/ to /secubox/
- Bump version to 1.4.1 (v2.4)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use separate -B and -p args for bind address and port
- Add hostname resolution by populating /etc/hosts dynamically
- Add --disable-autodiscover and --disable-check-update flags
- Fixes DNS resolution errors causing immediate container exit
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add secubox-app-glances and luci-app-glances packages:
secubox-app-glances:
- LXC container with nicolargo/glances:latest-full Docker image
- Web UI on port 61208, API on port 61209
- UCI configuration for monitoring options and alert thresholds
- glancesctl management script
luci-app-glances:
- Dashboard view with service status and quick actions
- Embedded Web UI view with iframe
- Settings view for configuration
- RPCD backend with proper ACL permissions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_web_token to RPCD ACL permissions (was missing, causing 403)
- Add fallback token retrieval from container via lxc-attach
- Improve token capture regex to support alphanumeric tokens
- Fix startup script with background process + tee for reliable capture
- Add IP forwarding enablement for transparent proxy mode
- Fix bypass rule for traffic destined to router itself
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Consider sync OK when CAPI blocklists are active (capi_elements > 0)
even if local decisions = 0
- Add capi_elements_count to health response
- Fixes false "Out of sync" warning when using community blocklists
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- install_module now uses mmpmctl if available (has module registry)
- Fallback to manual git clone only with explicit URLs
- Add proper Node.js PATH for npm commands
- update_module also uses mmpmctl when available
- Fix npm PATH in both install and update functions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use `mmpm ui --start/--stop/--status` instead of `mmpm ui --port --host`
- MMPM v4 manages GUI via pm2, not direct execution
- Update status command to check pm2 status and get URL from mmpm
- Auto-install UI if not present when starting service
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add NODE_PATH variable for container npm/pm2 access
- Add run_mmpm helper function with proper PATH export
- Fix module install/remove/upgrade/search/list commands
- Fix MMPM GUI service start with proper PATH
- Fix list command to use --installed flag
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update module list to match portal.js apps
- Add MagicMirror2 and MMPM to modules
- Add changelog entries for v0.15.0-alpha1 to alpha3
- Update roadmap with Certification CE/FCC and Phase 2 funding (2027)
- Update version badge to v0.15.0-alpha3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix pip install with --break-system-packages for Debian Trixie PEP 668
- Fix MMPM binary path detection (/usr/local/bin/mmpm)
- Fix RPCD backend to detect MMPM UI status with correct PATH
- Add Services section to portal navigation
- Update MMPM commands to use full path in container
- Configure MMPM environment for /opt/magic_mirror
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add symlink from modules/default to __modules/default (Docker entrypoint logic)
- Copy CSS files from __css to css directory on startup
- Fix shebang escaping issue by using printf instead of heredoc for #!/bin/sh
- Bump release to 0.4.0-r7
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-app-magicmirror2 (0.4.0): MagicMirror² smart display platform
- LXC container with Docker image extraction
- mm2ctl CLI for management
- Support for gzip/zstd compressed layers
- Default port 8082
- luci-app-magicmirror2 (0.4.0): LuCI web interface
- Dashboard, modules, webui, settings views
- RPCD backend for service control
- Module management integration
- secubox-app-mmpm (0.2.0): MMPM package manager
- Installs MMPM in MagicMirror2 container
- mmpmctl CLI for module management
- Web GUI on port 7891
- luci-app-mmpm (0.2.0): LuCI interface for MMPM
- Dashboard with install/update controls
- Module search and management
- Embedded web GUI view
Portal integration:
- Added MagicMirror² and MMPM to Services section
- Portal version bumped to 0.6.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add PYTHONUNBUFFERED=1 to ensure mitmweb output is not buffered
- Use inline while loop to capture authentication token from startup output
- Fix RPCD backend to read token from correct path ($DATA_DIR/.mitmproxy_token)
- Add proper shell detection and symlink creation in Docker rootfs extraction
- Remove unnecessary exec in pipeline that prevented output capture
The mitmweb authentication token is now properly captured and available
to the LuCI Web UI view for iframe embedding.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The previous pipe approach didn't work because the while loop
runs in a subshell. Now using a background job to poll the log
file for the token while tee outputs to both console and log.
Bump release to r13.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_web_token RPCD method to retrieve auth token
- Create webui.js view that embeds mitmweb in an iframe
- Capture auth token at startup and save to file
- Add Web UI navigation to all mitmproxy views
- Fix PATH for /usr/local/bin in Docker image
- Change default port from 8080 to 8888 (avoid CrowdSec conflict)
secubox-app-mitmproxy: bump to r12
luci-app-mitmproxy: bump to r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Recent mitmproxy versions require web authentication by default.
Disable it with --set web_password= for easier LAN access.
Bump release to r11.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Port 8080 conflicts with CrowdSec API. Using 8888 as default.
Also removes --flow-detail option not available in latest mitmproxy.
Bump release to r10.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Extract rootfs directly from mitmproxy/mitmproxy Docker image.
This provides the latest mitmproxy with all Rust components pre-compiled.
No more version compatibility issues - uses whatever version is in
the official Docker image.
Bump release to r8.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 7.0.4 doesn't support the --flow-detail option which was
causing the startup script to fail.
Bump release to r7.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 8.x has dataclass compatibility issues with Python 3.11
in the grpc contentviews module.
Bump release to r6.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
werkzeug 3.0+ removed url_quote from werkzeug.urls which breaks
Flask imports in mitmproxy 8.1.1.
Bump release to r5.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
zstandard requires gcc to compile. Added build-base and dev packages
for compilation, then remove them after pip install to save space.
Bump release to r4.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- mitmproxy 9.x requires mitmproxy-wireguard (Rust)
- mitmproxy 10.x requires mitmproxy_rs (Rust)
- mitmproxy 8.1.1 is the last version without any Rust dependencies
Bump release to r3.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.x requires mitmproxy_rs which needs Rust compilation.
mitmproxy 9.0.1 is the last pure-Python version that works in Alpine
chroot without /proc mounted.
Bump release to r2.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.2+ requires mitmproxy_rs which needs Rust 1.80+, but
Alpine 3.19 only has Rust 1.76. Using mitmproxy 10.1.6 which is the
last pure-Python version without Rust requirements.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.2+ requires mitmproxy_rs which needs Rust.
Install rust and cargo from Alpine packages, compile mitmproxy,
then remove build deps to save space.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy_rs now requires Rust compilation which fails in chroot
environment without /proc mounted. Switch to Alpine's pre-built
mitmproxy package from the community repository.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add nftables transparent mode support with automatic REDIRECT rules
- Create SecuBox Python filter addon for CDN/Media/Ad tracking
- Add whitelist/bypass configuration for IPs and domains
- Expand UCI config with transparent, whitelist, filtering sections
- Update RPCD backend with new config methods and firewall control
- Update LuCI settings view with all new configuration options
- Add new API methods: firewall_setup, firewall_clear, list management
Features:
- Transparent proxy with nftables integration
- CDN tracking (Cloudflare, Akamai, Fastly, etc.)
- Media streaming tracking (YouTube, Netflix, Spotify)
- Ad/tracker blocking
- IP and domain whitelist bypass
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move UCI defaults script for auto-registration to cs-firewall-bouncer
- Remove redundant secubox-app-crowdsec-bouncer wrapper package
- Update luci-app-crowdsec-dashboard reference to new package name
- Increment PKG_RELEASE to 3
The defaults script handles:
- Automatic bouncer registration with CrowdSec LAPI
- Interface detection for LAN/WAN
- API key generation and UCI config update
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
luci-app-crowdsec-dashboard is more complete with:
- Overview, Setup Wizard, WAF/AppSec, Metrics views
- Proper location in SecuBox > Security menu
- Bouncers management
luci-app-secubox-crowdsec was a simpler duplicate in Services menu.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create mitmproxyctl script with LXC container management
- Alpine Linux rootfs with Python and mitmproxy via pip
- Support for regular, transparent, upstream, and reverse proxy modes
- UCI configuration for proxy_port, web_port, memory_limit, etc.
- procd init script for service management
- Update luci-app-mitmproxy RPCD backend for LXC container status
Ports:
- 8080: Proxy port
- 8081: Web interface (mitmweb)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add perl-template-toolkit and perl-file-slurp dependencies
- Remove bundled Template.pm (conflicts with system version 3.101)
- Add Devel::Peek stub module for runtime inspection
- Fix lxc_logs() to read logs from container via lxc-attach
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update Lyrion download URLs to downloads.lms-community.org
- Switch from noCPAN to full tarball (noCPAN missing modules)
- Replace perl-image-scale with perl-gd + imagemagick (Alpine)
- Remove conflicting bundled CPAN modules (DBD::SQLite, XML::Parser, YAML, DBI)
- Add Image::Scale stub module for artwork resizing
- Fix permissions for nobody user on /config and /var/log/lyrion
- Add missing perl-digest-sha1 and perl-sub-name dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Removed unrealistic items (AI Threat Detection, Mobile App, Cloud) and
replaced with practical goals based on current module progress:
- Network Modes 1.0 (currently at 35%)
- SecuBox Hub 1.0 (currently at 31%)
- Multi-WAN Failover
- Documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed incorrect year (2025 -> 2026) in changelog dates
- Added v0.15.0-rc2 changelog entry for CrowdSec firewall bouncer fix
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The init script created nftables sets and chains but never added the
actual DROP rules to block traffic from blacklisted IPs. This caused
the bouncer to populate sets correctly but traffic was never blocked.
Added DROP rules for:
- IPv4 input chain (crowdsec-blacklists)
- IPv4 forward chain (crowdsec-blacklists)
- IPv6 input chain (crowdsec6-blacklists)
- IPv6 forward chain (crowdsec6-blacklists)
Each rule respects the deny_log and deny_action configuration options.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename crowdsec-firewall-bouncer to secubox-app-cs-firewall-bouncer
- Rename secubox-auth-logger to secubox-app-auth-logger
- Delete secubox-crowdsec-setup (merged into other packages)
- Fix circular dependencies in luci-app-secubox-crowdsec
- Fix dependency chain in secubox-app-crowdsec-bouncer
- Add consolidated get_overview API to crowdsec-dashboard
- Improve crowdsec-dashboard overview performance
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The new get_overview RPC method was missing from the ACL file,
causing "Access denied" errors in the frontend.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Consolidate multiple dashboard API calls into a single get_overview RPC
method to reduce network overhead and improve page load performance.
The frontend now transforms the consolidated response to maintain
compatibility with existing view logic. Also increases poll interval
from 30s to 60s.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix typo seccubox_logs -> secubox_logs
- Get country data from alerts (source.cn) instead of decisions
- Display CrowdSec logs instead of non-existent secubox.log
- Rename "SecuBox Log Tail" to "CrowdSec Logs"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CrowdSec decisions don't contain country data. GeoIP enricher adds
country info to alerts (source.cn or source.country field).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds "Connexion" link at the end of the public menu to redirect
to the admin authentication page.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace github.com/gkerma/secubox-openwrt with
github.com/CyberMind-FR/secubox-openwrt across all files.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add devstatus.js with modules list, roadmap, and changelog
- Reorder public pages: Crowdfunding (10), Bug Bounty (20), Dev Status (30)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The 403 error was caused by missing ACL file. Added
luci-app-secubox-portal.json with read permissions for
luci.secubox and luci.system-hub ubus methods.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move Debug Console from Client Guardian to System Hub
- Add Auto-Zoning Rules dedicated view in Client Guardian
- Add public pages for Bug Bounty and Crowdfunding (no ACL)
- Fix auth-logger to only detect real login attempts
- Add private IP whitelist for CrowdSec (RFC1918 ranges)
- Update navigation menus across all apps
- Bump secubox-auth-logger to v1.2.2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- v2.0.0: Multi-runtime support with auto-detection
- LXC preferred when available (150MB RAM vs 300MB for Docker)
- New lyrionctl commands: runtime, shell
- Alpine Linux rootfs creation for LXC
- UCI config: runtime option (auto/docker/lxc)
- Memory limit configuration via cgroups
- Updated plugin manifest with runtime info
Runtime selection:
option runtime 'auto' - Auto-detect (LXC preferred)
option runtime 'docker' - Force Docker
option runtime 'lxc' - Force LXC
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add explicit 644 permissions for overview.js and dashboard.css
- Fixes HTTP 403 error when accessing the view
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add sync command to synchronize packages from package/secubox to local-feed
- Add local-feed deletion to clean-all command
- Add missing packages to package/secubox:
- luci-app-secubox-crowdsec
- secubox-crowdsec-setup
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- v1.2.1: Remove timestamp generation (ucode time functions unavailable)
- Use simple format: secubox-auth[1]: authentication failure for...
- Update parser to use raw line parsing with custom label type
- Change acquisition from type:syslog to type:secubox-auth
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-auth-logger v1.2.0: Patch LuCI ucode dispatcher.uc to log
authentication failures server-side instead of relying on JS hooks
- crowdsec-firewall-bouncer: Add helper function for UCI list reading
and default to eth1, br-lan, br-wan interfaces to ensure WAN traffic
is checked against the blocklist
- Update postrm to properly restore dispatcher backup on uninstall
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CGI hook to capture client IP during failed auth attempts
- Add JavaScript hook to intercept ubus session.login failures
- Add rpcd plugin for ubus-based auth logging
- Update CrowdSec parser for case-insensitive matching
- Inject JS hook into LuCI theme headers on install
This enables CrowdSec to detect and block brute-force attacks
on the LuCI web interface, which previously only logged
successful authentications.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Local Protection Mode banner when CAPI unavailable (LAPI still works)
- Save enrollment key to UCI config for future repairs
- Improve text contrast in wizard (better readability)
- Simplify LAPI repair function based on official OpenWrt approach
- Never delete CAPI credentials to avoid rate-limiting
- Add get_settings/save_settings RPC methods
- Bump version to 0.7.0-r27
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add automatic restart after successful console enrollment
- Update wizard UI to inform user about validation on app.crowdsec.net
- Service must restart after enrollment is validated on CrowdSec Console
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Service restarts during bouncer registration and service start can
cause XHR connections to abort. Treat these as success since the
operation likely completed.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New wizard approach:
- Automatic health check on load (LAPI, CAPI, Bouncer, nftables, collections)
- Single configuration page with all options visible
- Only repairs what's broken
- No hub update without CAPI connection
- Single "Apply Configuration" button at the end
- Progress bar during apply
- Summary of what was done at completion
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC method was returning "Access denied" because it was missing
from the rpcd ACL configuration.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Large package feed files exceed GitHub's 100MB limit.
These are build artifacts that should be generated locally.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_public_ips method to secubox-core rpcd backend
- Fetch public IPs from multiple services with fallback
- Display in new "Public IP Addresses" panel on dashboard
- Auto-update IPs on poll refresh
- Bump luci-app-secubox to 0.7.1-r2
- Bump secubox-core to 0.10.0-r4
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Treat XHR abort as success when CrowdSec restarts after acquisition config
- Auto-advance to Step 5 after brief delay
- Bump to 0.7.0-r21
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- repair_lapi() now removes stale online_api_credentials.yaml and retries
- New repair_capi() function for dedicated CAPI repair
- console_enroll() handles CAPI credential cleanup before retry
- Added repairCapi API method in frontend
- Bump luci-app-crowdsec-dashboard to 0.7.0-r20
- Add openwrt-luci-bf.yaml scenario for LuCI brute force detection
- Add secubox-auth-acquis.yaml acquisition config
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The serviceWarning variable was null when CrowdSec is running, and
LuCI's E() function rendered it as literal "null" text. Fixed by
using empty fragment when no warning needed.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The refreshView() call was aborting the pending configureAcquisition
XHR request by triggering new API calls. Now only updates the button
state without a full view refresh.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CrowdSec on OpenWrt doesn't support "source: command" acquisition.
Changed to file-based acquisition reading /var/log/messages.
Also configures busybox syslog to write to file automatically.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When SSH logging is enabled in the wizard, automatically:
- Set dropbear.@dropbear[0].verbose=1 to log auth failures
- Restart dropbear to apply changes
This ensures CrowdSec can detect SSH brute force attempts.
Without verbose mode, Dropbear doesn't log failed auth to syslog.
Also enable uhttpd syslog when HTTP logging is enabled.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Parse ndpid-apps.json array format [{name: "TLS.YouTube", ...}]
- Use jq contains() instead of test() regex (ONIGURUMA not available on OpenWrt)
- Filter streaming services: YouTube, Netflix, Spotify, AppleiTunes, etc.
- Aggregate streams by app name (combine TLS.YouTube + QUIC.YouTube)
- Estimate quality based on data volume (SD/HD/FHD)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add SecuBox dark theme initialization to all views (dashboard, alerts,
clients, services, history)
- Fix flow count detection by using jsonfilter instead of jq (OpenWrt native)
- Prioritize /var/run/netifyd/status.json for ndpid-compat flow data
- Remove filtering expect{} from API.getActiveStreams() RPC declaration
- Update CLAUDE.md with jsonfilter usage guidelines for OpenWrt
The dashboard now correctly displays:
- Total Flows count from nDPId via ndpid-compat
- nDPId/Netifyd status indicators
- SecuBox dark theme with portal header
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change 'config main' to 'config ndpid main' for proper section naming
- Change 'config compat' to 'config ndpid compat'
- Enable ndpid by default (enabled='1')
- Init scripts expect named sections, not typed sections
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Scan ALL nftables sets (CAPI, cscli, etc.) instead of just base set
- Display blocked IPs count by origin (Community vs Local)
- Show sample of blocked IPs with Unban button
- Add ipv4_capi_count, ipv4_cscli_count, ipv4_total_count to API response
- Support for 14,000+ community blocklist IPs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add health_check API with LAPI/CAPI/Console status verification
- Add capi_metrics API for community blocklist statistics
- Add hub_available, install_hub_item, remove_hub_item APIs
- Add System Health panel to overview with visual status indicators
- Add CAPI Blocklist section showing community vs local decisions
- Add Installed Collections card with version display
- Fix settings.js syntax error (missing comma)
- Fix metrics.js null display in acquisition statistics
- Update ACL file with new RPC method permissions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rebuilt all luci-app-* and secubox-app-* packages for aarch64-cortex-a72
- Updated local-build.sh with FORCE=1 to bypass rsync prereq check
- Removed packages that failed SDK build (require full buildroot)
- Updated Packages index and apps-local.json manifest
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Include all built .ipk packages in luci-app-secubox-bonus
- Generate Packages index and apps-local.json manifest
- Remove .gitignore to allow package tracking
- Enables offline package installation via SecuBox > Local Packages
Packages included:
- 27 luci-app-* packages
- 11 secubox-app-* packages
- luci-theme-secubox
- secubox-core
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create /etc/opkg/customfeeds.conf with secubox feed pre-configured
- Install file via Makefile instead of postinst script
- Mark as conffile to preserve user modifications on upgrade
- Add .gitignore to exclude built .ipk files from git tracking
(packages are embedded at build time by embed_local_feed)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add embed_local_feed() to local-build.sh that copies built packages
into bonus app as /www/secubox-feed/ for offline installation
- Generate Packages index and apps-local.json manifest for opkg
- Add RPCD backend (luci.secubox-store) for package install/remove
- Add LuCI view for browsing and managing local packages
- Fix OPENWRT_ONLY_PACKAGES to allow secubox-app-* wrappers in SDK build
- Remove experimental python3-* packages (unfinished mitmproxy native plan)
- Set rootfs partition size to 16GB for larger overlay
- Bump luci-app-secubox-bonus to v0.2.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New package: crowdsec-firewall-bouncer (v0.0.34)
- Based on official OpenWrt package from openwrt/packages
- Full nftables integration with IPv4/IPv6 support
- Timeout-based sets for automatic ban expiration
- Input and forward chain filtering
- Interface-based filtering
- procd service management with ujail support
- UCI configuration
Init script features:
- Creates nftables tables: crowdsec (IPv4), crowdsec6 (IPv6)
- Creates timeout-enabled sets for blocklists
- Generates YAML config from UCI settings
- Automatic cleanup on service stop
Updated secubox-app-crowdsec-bouncer to v0.0.32
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New features:
- New RPCD method: acquisition_metrics for detailed stats
- Realtime metrics display with 10-second polling
- Visual stat cards: lines read, parsed, unparsed, buckets
- Parse rate progress bar with color coding
- Active acquisition sources badges
- Rate calculation (events/sec) between polls
- Live update indicator with timestamp
API changes:
- Added getAcquisitionMetrics() to API layer
- Added acquisition_metrics to ACL permissions
Bumped version to 0.7.0-17
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OpenWrt uses logd by default which doesn't write to files.
CrowdSec file-based acquisition needs /var/log/messages to exist.
Changes:
- Init script: setup_syslog() configures log_file before each start
- Defaults script: setup_syslog_file() configures at install time
- openwrt-syslog.yaml: Remove non-existent /var/log/syslog reference
The init script sets:
uci set system.@system[0].log_file='/var/log/messages'
uci set system.@system[0].log_size='512'
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Native OpenWrt package for zstandard compression library.
Can be used as alternative to pip installation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The zstandard package required by mitmproxy 8.1.1 doesn't have musllinux
wheels in older versions, causing pip to try compiling from source which
fails without gcc on the router.
Fix: Pre-install zstandard 0.23.0 which has musllinux aarch64 wheels
before installing mitmproxy.
Changes:
- Bump version to 2.1.0
- Revert to pip-based installation (native build requires full toolchain)
- Add zstandard 0.23.0 pre-install step in postinst
- Restore wrapper scripts for mitmproxy/mitmdump/mitmweb
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add OpenWrt .config for mvebu/cortexa72 target
- Update .gitignore
- Update Claude settings
- Minor portal.js update
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 9.x requires mitmproxy-wireguard (Rust).
Version 8.1.1 is pure Python and works on OpenWrt.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.x requires mitmproxy-rs which needs Rust compiler.
Version 9.0.1 is pure Python and works on OpenWrt.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
LuCI requires modules to use baseclass.extend() pattern.
Fixed "factory yields invalid constructor" error.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Portal Integration:
- Add mitmproxy to Security section with service status tracking
- Add vhost-manager to new Services section
- Add Services section to portal navigation header
- Update path detection for security/mitmproxy and services/vhosts
mitmproxy Changes:
- Move menu from admin/secubox/mitmproxy to admin/secubox/security/mitmproxy
- Update view navigation links to use new path structure
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 11.x requires Python 3.12 which is not available on OpenWrt.
Version 10.4.2 is the last stable release supporting Python 3.10+.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Switch to runtime pip installation instead of build-time
- Remove complex build dependencies (python3-package.mk)
- Add wrapper scripts for mitmproxy, mitmdump, mitmweb
- Postinst installs mitmproxy==11.1.3 via pip on device
- Supports all architectures with PKGARCH:=all
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update mitmproxy to v11.1.3
- Build from Python source (no prebuilt arm64 binaries)
- Add Python dependencies
- Add mitmproxy to local-build.sh and sync-openwrt-packages.sh
- Set PKGARCH:=all for Python package
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages for full URL/cookie/header capture via MITM proxy:
secubox-app-mitmproxy:
- Downloads mitmproxy v11.1.2 binary for aarch64
- Transparent proxy mode with iptables integration
- mitmweb UI on port 8081
- Auto CA certificate generation
- mitmproxyctl CLI management tool
luci-app-mitmproxy:
- SecuBox themed dashboard with red color scheme
- Real-time request capture view
- Top hosts statistics
- CA certificate management
- Full UCI settings interface
- RPCD backend for ubus API
This enables full HTTP/HTTPS inspection including:
- Complete URLs (not just hostnames like nDPId)
- Cookies and headers
- Request/response bodies
- Flow recording for replay
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OpenWrt jq is compiled without ONIGURUMA regex library, so test()
function doesn't work. Replace all regex patterns with contains()
for streaming service detection.
- Use ascii_downcase + contains() for pattern matching
- Define is_streaming, get_category, get_quality as jq functions
- Detects: YouTube, Netflix, Spotify, WhatsApp, Discord, Zoom, etc.
- Bump version to 0.6.2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove PKG_FILE_MODES that caused chown build errors
- Add missing $(eval $(call BuildPackage)) macro
- Add explicit install rules for all resources
- Bump version to 0.6.1
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Portal (luci-app-secubox-portal):
- Fix service status showing 0/9 by checking if init scripts exist
- Only count installed services in status display
- Use pgrep fallback when init script status fails
nDPId Dashboard (luci-app-ndpid):
- Add default /etc/config/ndpid configuration
- Add /etc/init.d/ndpid-compat init script
- Enable compat service in postinst for app detection
- Fix Makefile to install init script and config
CrowdSec Dashboard:
- Add CLAUDE.md with OpenWrt-specific guidelines (pgrep without -x)
- CSS fixes for hiding LuCI left menu in all views
- LAPI repair improvements with retry logic
New Packages:
- secubox-app-crowdsec: OpenWrt-native CrowdSec package
- secubox-app-netifyd: Netifyd DPI integration
- luci-app-secubox: Core SecuBox hub
- luci-theme-secubox: Custom theme
Removed:
- luci-app-secubox-crowdsec (replaced by crowdsec-dashboard)
- secubox-crowdsec-setup (functionality moved to dashboard)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Stop CrowdSec before repair for clean state
- Create all required directories with proper permissions
- Regenerate local_api_credentials.yaml if missing
- Wait for LAPI port 8080 with retries before machine registration
- Use 30s timeout for repair operations
- Add retry logic for final LAPI verification
- Better error reporting with detailed steps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Instead of trying to parse opkg output directly, use the same
secubox-appstore list --json command that the modules page uses.
This ensures consistent installation detection across both views.
The get_appstore_apps method now:
1. Gets modules list from secubox-appstore (which properly detects installed packages)
2. Merges installation status into catalog apps
3. Returns apps with correct installed/enabled/status fields
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
