# UCI configuration for the mitmproxy service: proxy instances, WAN
# protection / auto-ban, traffic redirection, bypass lists, addons and
# WAF rule categories. Each section is read by the service's init/control
# scripts (not shown here); comments below describe what each knob
# exposes or protects, and flag where two sections need to agree.

# Legacy single-instance section. Disabled ('0'); kept for compatibility.
# NOTE(review): if this is re-enabled while 'out' is running, both sections
# claim proxy_port 8888 -- whether that clashes depends on the containers
# sharing the host network namespace; confirm before enabling.
config mitmproxy 'main'
	option enabled '0'
	option runtime 'lxc'
	# Legacy single-instance settings (deprecated, use instances below)
	option proxy_port '8888'
	option web_port '8081'
	# Binds the mitmweb UI to every interface. The UI shows captured flows
	# (headers, cookies, bodies if captured) and accepts commands, so unless
	# the firewall restricts web_port to LAN, this is reachable from any
	# interface the host has, WAN included. Prefer a LAN address or
	# '127.0.0.1' when remote access to the UI is not needed.
	option web_host '0.0.0.0'
	option data_path '/srv/mitmproxy'
	option memory_limit '256M'
	option mode 'regular'
	# '1' makes mitmproxy skip verification of upstream TLS certificates,
	# silently accepting any cert; keep '0' outside deliberate test setups.
	option ssl_insecure '0'
	option anticache '0'
	option anticomp '0'
	option flow_detail '1'

# OUT Instance - LAN to Internet (transparent/forward proxy)
config instance 'out'
	option enabled '1'
	option description 'LAN->Internet Proxy'
	option container_name 'mitmproxy-out'
	option proxy_port '8888'
	option web_port '8089'
	# Same exposure caveat as web_host in 'main' above: the mitmweb UI for
	# this instance is bound on all interfaces.
	option web_host '0.0.0.0'
	option data_path '/srv/mitmproxy-out'
	option memory_limit '256M'
	# Transparent mode needs the OS to redirect port 80/443 traffic to
	# proxy_port; the 'transparent' section below is presumably what
	# installs that redirect, and it is currently '0' -- confirm which
	# section the init script consults, or this instance receives nothing.
	option mode 'transparent'
	# See 'main': '1' disables upstream certificate verification.
	option ssl_insecure '0'
	option anticache '0'
	option anticomp '0'

# IN Instance - WAN to Services (WAF/reverse proxy)
config instance 'in'
	option enabled '1'
	option description 'WAF/Reverse Proxy'
	option container_name 'mitmproxy-in'
	# Matches listen_port in the 'haproxy_router' section below.
	option proxy_port '8889'
	option web_port '8090'
	# Same exposure caveat as web_host in 'main' above; for the WAN-facing
	# instance this UI also reveals inbound requests to protected services.
	option web_host '0.0.0.0'
	option data_path '/srv/mitmproxy-in'
	option memory_limit '256M'
	option mode 'upstream'
	# See 'main': '1' disables upstream certificate verification.
	option ssl_insecure '0'
	option anticache '0'
	option anticomp '0'
	# HAProxy sends traffic here
	# NOTE(review): 'haproxy_router' below is enabled '0' while this flag is
	# '1'; verify which of the two the init script treats as authoritative.
	option haproxy_backend '1'

# WAN Protection Mode - protect services exposed to internet
# Acts as WAF/reverse proxy for incoming WAN traffic
# Disabled ('0') as shipped: the 'in' instance above is enabled, but the
# WAF behaviour described here is not active until this flag is '1'.
config wan_protection 'wan_protection'
	# Enable WAN protection mode (acts as WAF for incoming traffic)
	option enabled '0'
	# WAN interface name (incoming traffic interface)
	option wan_interface 'wan'
	# Ports to intercept on WAN (HTTP)
	option wan_http_port '80'
	# Ports to intercept on WAN (HTTPS)
	option wan_https_port '443'
	# Feed detected threats to CrowdSec for automatic blocking
	option crowdsec_feed '1'
	# Block requests from known bot scanners immediately
	option block_bots '0'
	# Rate limiting: max requests per IP per minute (0=disabled)
	# With this '0' and ban_rate_limit '0' below, volumetric abuse is not
	# caught at all here; only the signature-based detectors fire.
	option rate_limit '0'

# Auto-ban configuration - automatically ban IPs via CrowdSec
config autoban 'autoban'
	# Enable automatic banning of detected threats
	option enabled '1'
	# Ban duration (e.g., 1h, 4h, 24h, 7d)
	option ban_duration '4h'
	# Minimum severity to trigger auto-ban: critical, high, medium
	# At 'high', medium-severity detections are reported but not banned.
	option min_severity 'high'
	# Auto-ban on CVE exploit attempts
	option ban_cve_exploits '1'
	# Auto-ban SQL injection attempts
	option ban_sqli '1'
	# Auto-ban command injection attempts
	option ban_cmdi '1'
	# Auto-ban path traversal attempts
	option ban_traversal '1'
	# Auto-ban known vulnerability scanners
	option ban_scanners '1'
	# Auto-ban on rate limit exceeded
	option ban_rate_limit '0'
	# Auto-ban VoIP/SIP attacks
	option ban_voip '1'
	# Auto-ban XMPP/Jabber attacks
	option ban_xmpp '1'
	# Whitelist IPs from auto-ban (comma-separated)
	# Default: localhost, router IP, common admin IPs
	# Addresses listed here are never banned, so an entry effectively
	# exempts that source from every detector above; keep it to hosts you
	# control and review it whenever the LAN addressing changes.
	option whitelist '127.0.0.1,192.168.255.1,192.168.1.1'
	#
	# Sensitivity level: aggressive, moderate, permissive
	# - aggressive: Ban immediately on first detection (critical threats only)
	# - moderate: Ban after repeated attempts within minutes (default)
	# - permissive: Ban after persistent attempts over longer period
	option sensitivity 'moderate'
	#
	# Aggressive level: Immediate ban on first critical threat
	# (CVE exploits, SQL injection, command injection always trigger immediately)
	#
	# Moderate level thresholds
	# Ban after N attempts within the time window (window in seconds, presumably)
	option moderate_threshold '3'
	option moderate_window '300'
	#
	# Permissive level thresholds
	# Ban after N attempts within the time window (window in seconds, presumably)
	option permissive_threshold '5'
	option permissive_window '3600'

# LAN Transparent mode settings (outbound traffic interception)
# Disabled ('0') as shipped even though the 'out' instance runs in
# transparent mode; see the note on that instance's mode option.
config transparent 'transparent'
	option enabled '0'
	# Interface to intercept traffic from (e.g., br-lan)
	option interface 'br-lan'
	# Redirect HTTP traffic (port 80)
	option redirect_http '1'
	# Redirect HTTPS traffic (port 443)
	# Intercepting HTTPS means clients see the proxy's CA certificate; LAN
	# devices that do not trust it will fail TLS rather than be inspected.
	option redirect_https '1'
	# Custom HTTP port (default 80)
	option http_port '80'
	# Custom HTTPS port (default 443)
	option https_port '443'

# DPI Mirror Mode - feed traffic to network inspection engines
config dpi_mirror 'dpi_mirror'
	option enabled '0'
	# Interface for DPI mirroring (netifyd/ndpid listens on this)
	option dpi_interface 'br-lan'
	# Enable DPI for WAN traffic (incoming)
	option mirror_wan '0'
	# Enable DPI for LAN traffic (outgoing)
	option mirror_lan '0'

# Whitelist/bypass - IPs and domains that bypass the proxy
# Bypassed traffic is not inspected by any instance that honours this
# section, so every entry here is also a hole in detection; which
# instances (out, in, or both) consult it is not visible in this file.
config whitelist 'whitelist'
	option enabled '1'
	# Bypass local networks by default
	list bypass_ip '10.0.0.0/8'
	list bypass_ip '172.16.0.0/12'
	list bypass_ip '192.168.0.0/16'
	list bypass_ip '127.0.0.0/8'
	# Bypass sensitive domains (banking, medical, etc.)
	# 'banking' is a bare keyword, not a hostname -- presumably a substring
	# match; confirm how the addon compares bypass_domain entries, since a
	# substring rule bypasses every host containing the word.
	list bypass_domain 'banking'
	list bypass_domain 'paypal.com'
	list bypass_domain 'stripe.com'
	# Add custom bypasses here
	# list bypass_ip 'x.x.x.x'
	# list bypass_domain 'example.com'

# HAProxy backend inspection mode
# Disabled ('0') here while instance 'in' sets haproxy_backend '1'; see
# the note there.
config haproxy_router 'haproxy_router'
	option enabled '0'
	# Port HAProxy sends traffic to (matches proxy_port of instance 'in')
	option listen_port '8889'
	# Enable threat detection on HAProxy traffic
	option threat_detection '1'
	# Routes file (auto-generated from HAProxy UCI)
	# Whatever regenerates this file decides where inspected traffic is
	# forwarded; its write permissions matter as much as this config's.
	option routes_file '/srv/mitmproxy/haproxy-routes.json'

# CDN/MediaFlow filtering addon
config filtering 'filtering'
	option enabled '0'
	# Log all requests to JSON file
	# Request logs can carry URLs with tokens and query parameters; keep the
	# log location's permissions as tight as data_path.
	option log_requests '1'
	# Filter CDN traffic (e.g., cloudflare, akamai, fastly)
	option filter_cdn '0'
	# Filter streaming media
	option filter_media '0'
	# Block ads and trackers
	option block_ads '0'
	# Custom filter script path
	# Addon scripts run inside the mitmproxy process with access to every
	# flow, so whoever can write this file can read or alter all proxied
	# traffic; keep it root-owned and not writable by the container user.
	option addon_script '/data/addons/secubox_analytics.py'

# Capture settings
# Captured headers routinely include Authorization and Cookie values;
# enabling body capture adds form posts and API payloads. Anything saved
# lands under the instances' data_path, which should not be world-readable.
config capture 'capture'
	option save_flows '0'
	option capture_request_headers '1'
	option capture_response_headers '1'
	option capture_request_body '0'
	option capture_response_body '0'

# WAF Rules - enable/disable categories
# Each option toggles a named category; the actual signatures live in the
# detection addon, not in this file.
config waf_rules 'waf_rules'
	option enabled '1'
	# Core attack patterns
	option sqli '1'
	option xss '1'
	option lfi '1'
	option rce '1'
	# CVE exploits
	option cve_2024 '1'
	# Scanner detection
	option scanners '1'
	# Application-specific
	option webmail '1'
	option api_abuse '1'
	# VoIP/XMPP protection
	option voip '1'
	option xmpp '1'
	option cve_voip '1'
	option cve_xmpp '1'
	# Router/IoT botnet protection (CVE-2025-14528, Mirai variants)
	option router_botnet '1'