- Use separate -B and -p args for bind address and port
- Add hostname resolution by populating /etc/hosts dynamically
- Add --disable-autodiscover and --disable-check-update flags
- Fixes DNS resolution errors causing immediate container exit
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add secubox-app-glances and luci-app-glances packages:
secubox-app-glances:
- LXC container with nicolargo/glances:latest-full Docker image
- Web UI on port 61208, API on port 61209
- UCI configuration for monitoring options and alert thresholds
- glancesctl management script
luci-app-glances:
- Dashboard view with service status and quick actions
- Embedded Web UI view with iframe
- Settings view for configuration
- RPCD backend with proper ACL permissions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_web_token to RPCD ACL permissions (was missing, causing 403)
- Add fallback token retrieval from container via lxc-attach
- Improve token capture regex to support alphanumeric tokens
- Fix startup script with background process + tee for reliable capture
- Add IP forwarding enablement for transparent proxy mode
- Fix bypass rule for traffic destined to router itself
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Consider sync OK when CAPI blocklists are active (capi_elements > 0)
even if local decisions = 0
- Add capi_elements_count to health response
- Fixes false "Out of sync" warning when using community blocklists
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- install_module now uses mmpmctl if available (has module registry)
- Fallback to manual git clone only with explicit URLs
- Add proper Node.js PATH for npm commands
- update_module also uses mmpmctl when available
- Fix npm PATH in both install and update functions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use `mmpm ui --start/--stop/--status` instead of `mmpm ui --port --host`
- MMPM v4 manages GUI via pm2, not direct execution
- Update status command to check pm2 status and get URL from mmpm
- Auto-install UI if not present when starting service
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add NODE_PATH variable for container npm/pm2 access
- Add run_mmpm helper function with proper PATH export
- Fix module install/remove/upgrade/search/list commands
- Fix MMPM GUI service start with proper PATH
- Fix list command to use --installed flag
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update module list to match portal.js apps
- Add MagicMirror2 and MMPM to modules
- Add changelog entries for v0.15.0-alpha1 to alpha3
- Update roadmap with Certification CE/FCC and Phase 2 funding (2027)
- Update version badge to v0.15.0-alpha3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix pip install with --break-system-packages for Debian Trixie PEP 668
- Fix MMPM binary path detection (/usr/local/bin/mmpm)
- Fix RPCD backend to detect MMPM UI status with correct PATH
- Add Services section to portal navigation
- Update MMPM commands to use full path in container
- Configure MMPM environment for /opt/magic_mirror
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add symlink from modules/default to __modules/default (Docker entrypoint logic)
- Copy CSS files from __css to css directory on startup
- Fix shebang escaping issue by using printf instead of heredoc for #!/bin/sh
- Bump release to 0.4.0-r7
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-app-magicmirror2 (0.4.0): MagicMirror² smart display platform
- LXC container with Docker image extraction
- mm2ctl CLI for management
- Support for gzip/zstd compressed layers
- Default port 8082
- luci-app-magicmirror2 (0.4.0): LuCI web interface
- Dashboard, modules, webui, settings views
- RPCD backend for service control
- Module management integration
- secubox-app-mmpm (0.2.0): MMPM package manager
- Installs MMPM in MagicMirror2 container
- mmpmctl CLI for module management
- Web GUI on port 7891
- luci-app-mmpm (0.2.0): LuCI interface for MMPM
- Dashboard with install/update controls
- Module search and management
- Embedded web GUI view
Portal integration:
- Added MagicMirror² and MMPM to Services section
- Portal version bumped to 0.6.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add PYTHONUNBUFFERED=1 to ensure mitmweb output is not buffered
- Use inline while loop to capture authentication token from startup output
- Fix RPCD backend to read token from correct path ($DATA_DIR/.mitmproxy_token)
- Add proper shell detection and symlink creation in Docker rootfs extraction
- Remove unnecessary exec in pipeline that prevented output capture
The mitmweb authentication token is now properly captured and available
to the LuCI Web UI view for iframe embedding.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The previous pipe approach didn't work because the while loop
runs in a subshell. Now using a background job to poll the log
file for the token while tee outputs to both console and log.
Bump release to r13.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_web_token RPCD method to retrieve auth token
- Create webui.js view that embeds mitmweb in an iframe
- Capture auth token at startup and save to file
- Add Web UI navigation to all mitmproxy views
- Fix PATH for /usr/local/bin in Docker image
- Change default port from 8080 to 8888 (avoid CrowdSec conflict)
secubox-app-mitmproxy: bump to r12
luci-app-mitmproxy: bump to r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Recent mitmproxy versions require web authentication by default.
Disable it with --set web_password= for easier LAN access.
Bump release to r11.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Port 8080 conflicts with CrowdSec API. Using 8888 as default.
Also removes --flow-detail option not available in latest mitmproxy.
Bump release to r10.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Extract rootfs directly from mitmproxy/mitmproxy Docker image.
This provides the latest mitmproxy with all Rust components pre-compiled.
No more version compatibility issues - uses whatever version is in
the official Docker image.
Bump release to r8.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 7.0.4 doesn't support the --flow-detail option which was
causing the startup script to fail.
Bump release to r7.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 8.x has dataclass compatibility issues with Python 3.11
in the grpc contentviews module.
Bump release to r6.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
werkzeug 3.0+ removed url_quote from werkzeug.urls which breaks
Flask imports in mitmproxy 8.1.1.
Bump release to r5.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
zstandard requires gcc to compile. Added build-base and dev packages
for compilation, then remove them after pip install to save space.
Bump release to r4.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- mitmproxy 9.x requires mitmproxy-wireguard (Rust)
- mitmproxy 10.x requires mitmproxy_rs (Rust)
- mitmproxy 8.1.1 is the last version without any Rust dependencies
Bump release to r3.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.x requires mitmproxy_rs which needs Rust compilation.
mitmproxy 9.0.1 is the last pure-Python version that works in Alpine
chroot without /proc mounted.
Bump release to r2.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.2+ requires mitmproxy_rs which needs Rust 1.80+, but
Alpine 3.19 only has Rust 1.76. Using mitmproxy 10.1.6 which is the
last pure-Python version without Rust requirements.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.2+ requires mitmproxy_rs which needs Rust.
Install rust and cargo from Alpine packages, compile mitmproxy,
then remove build deps to save space.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy_rs now requires Rust compilation which fails in chroot
environment without /proc mounted. Switch to Alpine's pre-built
mitmproxy package from the community repository.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add nftables transparent mode support with automatic REDIRECT rules
- Create SecuBox Python filter addon for CDN/Media/Ad tracking
- Add whitelist/bypass configuration for IPs and domains
- Expand UCI config with transparent, whitelist, filtering sections
- Update RPCD backend with new config methods and firewall control
- Update LuCI settings view with all new configuration options
- Add new API methods: firewall_setup, firewall_clear, list management
Features:
- Transparent proxy with nftables integration
- CDN tracking (Cloudflare, Akamai, Fastly, etc.)
- Media streaming tracking (YouTube, Netflix, Spotify)
- Ad/tracker blocking
- IP and domain whitelist bypass
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move UCI defaults script for auto-registration to cs-firewall-bouncer
- Remove redundant secubox-app-crowdsec-bouncer wrapper package
- Update luci-app-crowdsec-dashboard reference to new package name
- Increment PKG_RELEASE to 3
The defaults script handles:
- Automatic bouncer registration with CrowdSec LAPI
- Interface detection for LAN/WAN
- API key generation and UCI config update
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
luci-app-crowdsec-dashboard is more complete with:
- Overview, Setup Wizard, WAF/AppSec, Metrics views
- Proper location in SecuBox > Security menu
- Bouncers management
luci-app-secubox-crowdsec was a simpler duplicate in Services menu.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create mitmproxyctl script with LXC container management
- Alpine Linux rootfs with Python and mitmproxy via pip
- Support for regular, transparent, upstream, and reverse proxy modes
- UCI configuration for proxy_port, web_port, memory_limit, etc.
- procd init script for service management
- Update luci-app-mitmproxy RPCD backend for LXC container status
Ports:
- 8080: Proxy port
- 8081: Web interface (mitmweb)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add perl-template-toolkit and perl-file-slurp dependencies
- Remove bundled Template.pm (conflicts with system version 3.101)
- Add Devel::Peek stub module for runtime inspection
- Fix lxc_logs() to read logs from container via lxc-attach
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update Lyrion download URLs to downloads.lms-community.org
- Switch from noCPAN to full tarball (noCPAN missing modules)
- Replace perl-image-scale with perl-gd + imagemagick (Alpine)
- Remove conflicting bundled CPAN modules (DBD::SQLite, XML::Parser, YAML, DBI)
- Add Image::Scale stub module for artwork resizing
- Fix permissions for nobody user on /config and /var/log/lyrion
- Add missing perl-digest-sha1 and perl-sub-name dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Removed unrealistic items (AI Threat Detection, Mobile App, Cloud) and
replaced with practical goals based on current module progress:
- Network Modes 1.0 (currently at 35%)
- SecuBox Hub 1.0 (currently at 31%)
- Multi-WAN Failover
- Documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed incorrect year (2025 -> 2026) in changelog dates
- Added v0.15.0-rc2 changelog entry for CrowdSec firewall bouncer fix
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The init script created nftables sets and chains but never added the
actual DROP rules to block traffic from blacklisted IPs. This caused
the bouncer to populate sets correctly but traffic was never blocked.
Added DROP rules for:
- IPv4 input chain (crowdsec-blacklists)
- IPv4 forward chain (crowdsec-blacklists)
- IPv6 input chain (crowdsec6-blacklists)
- IPv6 forward chain (crowdsec6-blacklists)
Each rule respects the deny_log and deny_action configuration options.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OpenWrt uses a restricted PATH that doesn't include system binaries.
The kernel headers build step requires rsync, which fails with Error 127.
This fix automatically creates a symlink to the system rsync in
staging_dir/host/bin/ at the start of firmware and toolchain builds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add target/compile step to build kernel and prepare target environment
- Add golang/host/compile step to build host Go compiler for Go packages
- Combine tools/install and toolchain/install with target/compile for complete prereq build
- Use print_warning instead of error for non-fatal build issues
This fixes the toolchain build to properly support Go packages
(secubox-app-cs-firewall-bouncer, secubox-app-crowdsec) which require
the host Go compiler.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename crowdsec-firewall-bouncer to secubox-app-cs-firewall-bouncer
- Rename secubox-auth-logger to secubox-app-auth-logger
- Delete secubox-crowdsec-setup (merged into other packages)
- Fix circular dependencies in luci-app-secubox-crowdsec
- Fix dependency chain in secubox-app-crowdsec-bouncer
- Add consolidated get_overview API to crowdsec-dashboard
- Improve crowdsec-dashboard overview performance
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The new get_overview RPC method was missing from the ACL file,
causing "Access denied" errors in the frontend.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Consolidate multiple dashboard API calls into a single get_overview RPC
method to reduce network overhead and improve page load performance.
The frontend now transforms the consolidated response to maintain
compatibility with existing view logic. Also increases poll interval
from 30s to 60s.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix typo seccubox_logs -> secubox_logs
- Get country data from alerts (source.cn) instead of decisions
- Display CrowdSec logs instead of non-existent secubox.log
- Rename "SecuBox Log Tail" to "CrowdSec Logs"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CrowdSec decisions don't contain country data. GeoIP enricher adds
country info to alerts (source.cn or source.country field).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
