gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
418cb2c76e
secubox-openwrt/package/secubox/secubox-app-mitmproxy
History
CyberMind-FR 418cb2c76e fix(mitmproxy): Fix SSRF false positives for internal traffic 
SSRF detection was triggering on any request to internal IPs
(192.168.x.x, 10.x.x.x, etc.) because it was checking the target
URL itself. Now only checks query parameters and request body for
SSRF patterns, which is where actual SSRF attacks occur.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-14 05:38:26 +01:00
..
files fix(mitmproxy): Fix SSRF false positives for internal traffic 2026-02-14 05:38:26 +01:00
root fix(waf): Add LuCI whitelist and moderate sensitivity mode 2026-02-09 16:47:17 +01:00
Makefile feat(waf): Add comprehensive CVE detection patterns 2026-02-02 11:27:31 +01:00
README.md feat(waf): Update WAF scenarios with 2024-2025 CVEs and OWASP threats 2026-02-12 05:02:57 +01:00

README.md

SecuBox mitmproxy App

LXC container with mitmproxy for HTTPS traffic inspection and threat detection.

Multi-Instance Support

SecuBox supports multiple mitmproxy instances for different traffic flows:

Instance Purpose Proxy Port Web Port Mode
out LAN → Internet (outbound proxy) 8888 8089 transparent
in WAN → Services (WAF/reverse) 8889 8090 upstream

Instance Commands

# List all instances
mitmproxyctl list-instances

# Status of specific instance
mitmproxyctl status out
mitmproxyctl status in

# Shell into instance
mitmproxyctl shell in

# Start/stop instances (via init.d)
/etc/init.d/mitmproxy start
/etc/init.d/mitmproxy stop

UCI Configuration

Instances are configured in /etc/config/mitmproxy:

config instance 'out'
    option enabled '1'
    option description 'LAN->Internet Proxy'
    option container_name 'mitmproxy-out'
    option proxy_port '8888'
    option web_port '8089'
    option mode 'transparent'

config instance 'in'
    option enabled '1'
    option description 'WAF/Reverse Proxy'
    option container_name 'mitmproxy-in'
    option proxy_port '8889'
    option web_port '8090'
    option mode 'upstream'
    option haproxy_backend '1'

Components

Component Description
LXC Containers Debian-based containers with mitmproxy (one per instance)
secubox_analytics.py Threat detection addon for mitmproxy
haproxy_router.py HAProxy backend routing addon
CrowdSec Integration Threat logging for automatic IP banning

Threat Detection Patterns

Attack Types Detected

Category Patterns
SQL Injection UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()
XSS <script>, event handlers, javascript: URLs
Command Injection ; cat, | ls, backticks, $()
Path Traversal ../, %2e%2e/, file://
SSRF Internal IPs, metadata endpoints
XXE <!ENTITY, SYSTEM, file://
LDAP Injection )(
Log4Shell ${jndi:, ${env:, ldap://
SSTI {{...}}, ${...}, <%...%>
Prototype Pollution proto, constructor[
GraphQL Abuse Deep nesting, introspection
JWT Attacks alg:none, exposed tokens

CVE Detection

CVE Description
CVE-2021-44228 Log4Shell (Log4j RCE)
CVE-2021-41773 Apache path traversal
CVE-2022-22965 Spring4Shell
CVE-2023-34362 MOVEit SQL injection
CVE-2024-3400 PAN-OS command injection
CVE-2024-21887 Ivanti Connect Secure
CVE-2024-1709 ScreenConnect auth bypass
CVE-2024-27198 TeamCity auth bypass

Scanner Detection

Detects security scanners: sqlmap, nikto, nuclei, burpsuite, nmap, dirb, gobuster, ffuf, etc.

CrowdSec Integration

Threats are logged to /data/threats.log (mounted as /srv/mitmproxy/threats.log on host).

CrowdSec scenarios:

  • secubox/mitmproxy-attack - Bans after 3 high/critical attacks
  • secubox/mitmproxy-scanner - Bans aggressive scanners
  • secubox/mitmproxy-ssrf - Bans external SSRF attempts
  • secubox/mitmproxy-cve - Immediate ban for CVE exploits

GeoIP

Install GeoLite2-Country.mmdb to /srv/mitmproxy/ for country detection:

curl -sL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
  -o /srv/mitmproxy/GeoLite2-Country.mmdb

File Paths

Path Description
/srv/mitmproxy/ Host bind mount directory
/srv/mitmproxy/threats.log CrowdSec threat log
/srv/mitmproxy/addons/ mitmproxy addon scripts
/srv/mitmproxy/GeoLite2-Country.mmdb GeoIP database

HAProxy Integration & Routing

Traffic Flow Architecture

┌─────────────────────────────────────────────────────────────────┐
│                      INTERNET                                   │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│  HAProxy (ports 80/443)                                         │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ Frontend: Receives HTTPS requests                        │   │
│  │ ACL: Route by Host header to vhosts                      │   │
│  └─────────────────────────────────────────────────────────┘   │
│                              │                                  │
│                              ▼                                  │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ Backend: mitmproxy_inspector (127.0.0.1:8889)            │   │
│  └─────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│  mitmproxy LXC Container (port 8889)                            │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ haproxy_router.py: Routes by Host header                 │   │
│  │ secubox_analytics.py: Threat detection                   │   │
│  └─────────────────────────────────────────────────────────┘   │
│                              │                                  │
│           Logs threats to /data/threats.log                     │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│  Backend Services                                               │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐        │
│  │  Gitea   │  │ Streamlit│  │ Glances  │  │  LuCI    │        │
│  │  :3000   │  │  :8501   │  │  :61208  │  │  :8081   │        │
│  └──────────┘  └──────────┘  └──────────┘  └──────────┘        │
└─────────────────────────────────────────────────────────────────┘

Sync Routes Command

Syncs HAProxy vhost configurations to mitmproxy routing table:

mitmproxyctl sync-routes

This generates /srv/mitmproxy/haproxy-routes.json:

{
  "devel.cybermind.fr": ["192.168.255.1", 3000],
  "play.cybermind.fr": ["192.168.255.1", 8501],
  "glances.maegia.tv": ["192.168.255.1", 61208],
  "factory.maegia.tv": ["192.168.255.1", 7331]
}

HAProxy Integration Commands

Command Description
mitmproxyctl haproxy-enable Enable threat inspection for all vhosts
mitmproxyctl haproxy-disable Disable inspection, restore direct backends
mitmproxyctl sync-routes Regenerate routes from current HAProxy config

Enabling HAProxy Inspection

# Enable inspection mode
mitmproxyctl haproxy-enable

# This will:
# 1. Create mitmproxy_inspector backend (127.0.0.1:8889)
# 2. Store original backends in UCI (haproxy.$vhost.original_backend)
# 3. Redirect all vhosts through mitmproxy
# 4. Sync route mappings
# 5. Restart services

Ports

Port Instance Service
8888 out Proxy port (LAN outbound)
8889 in Proxy port (HAProxy/WAF)
8089 out mitmweb UI (outbound)
8090 in mitmweb UI (WAF)

haproxy_router.py Addon

The router addon:

  • Loads routes from /data/haproxy-routes.json
  • Routes requests by Host header to real backends
  • Stores original host in flow.metadata['original_host']
  • Falls back to LuCI (127.0.0.1:8081) for unknown hosts

Route File Format

{
  "hostname": ["ip", port],
  "*.wildcard.domain": ["ip", port]
}

Supports wildcard matching with *.domain.tld patterns.

Dependencies

  • lxc - Container runtime
  • crowdsec - Threat intelligence (optional)
  • geoip2 - Python GeoIP library (optional)