History

CyberMind-FR 7889cbb7bc fix(mitmproxy): Check route file changes on every request Changed _check_interval from 10 to 1 to ensure new routes are picked up immediately when the haproxy-routes.json file is updated. This fixes the quick publish flow where new sites weren't accessible immediately because mitmproxy only checked for route changes every 10 requests. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>		2026-02-24 14:01:56 +01:00
..
files	feat(waf): Add CVE-2025-14528 router botnet detection	2026-02-24 11:04:05 +01:00
root	fix(mitmproxy): Check route file changes on every request	2026-02-24 14:01:56 +01:00
Makefile	feat(waf): Add comprehensive CVE detection patterns	2026-02-02 11:27:31 +01:00
README.md	feat(waf): Update WAF scenarios with 2024-2025 CVEs and OWASP threats	2026-02-12 05:02:57 +01:00

README.md

SecuBox mitmproxy App

LXC container with mitmproxy for HTTPS traffic inspection and threat detection.

Multi-Instance Support

SecuBox supports multiple mitmproxy instances for different traffic flows:

Instance	Purpose	Proxy Port	Web Port	Mode
out	LAN → Internet (outbound proxy)	8888	8089	transparent
in	WAN → Services (WAF/reverse)	8889	8090	upstream

Instance Commands

# List all instances
mitmproxyctl list-instances

# Status of specific instance
mitmproxyctl status out
mitmproxyctl status in

# Shell into instance
mitmproxyctl shell in

# Start/stop instances (via init.d)
/etc/init.d/mitmproxy start
/etc/init.d/mitmproxy stop

UCI Configuration

Instances are configured in /etc/config/mitmproxy:

config instance 'out'
    option enabled '1'
    option description 'LAN->Internet Proxy'
    option container_name 'mitmproxy-out'
    option proxy_port '8888'
    option web_port '8089'
    option mode 'transparent'

config instance 'in'
    option enabled '1'
    option description 'WAF/Reverse Proxy'
    option container_name 'mitmproxy-in'
    option proxy_port '8889'
    option web_port '8090'
    option mode 'upstream'
    option haproxy_backend '1'

Components

Component	Description
LXC Containers	Debian-based containers with mitmproxy (one per instance)
secubox_analytics.py	Threat detection addon for mitmproxy
haproxy_router.py	HAProxy backend routing addon
CrowdSec Integration	Threat logging for automatic IP banning

Threat Detection Patterns

Attack Types Detected

Category	Patterns
SQL Injection	UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()
XSS	`<script>`, event handlers, javascript: URLs
Command Injection	; cat, \| ls, backticks, $()
Path Traversal	../, %2e%2e/, file://
SSRF	Internal IPs, metadata endpoints
XXE	<!ENTITY, SYSTEM, file://
LDAP Injection	)(
Log4Shell	${jndi:, ${env:, ldap://
SSTI	{{...}}, ${...}, <%...%>
Prototype Pollution	proto, constructor[
GraphQL Abuse	Deep nesting, introspection
JWT Attacks	alg:none, exposed tokens

CVE Detection

CVE	Description
CVE-2021-44228	Log4Shell (Log4j RCE)
CVE-2021-41773	Apache path traversal
CVE-2022-22965	Spring4Shell
CVE-2023-34362	MOVEit SQL injection
CVE-2024-3400	PAN-OS command injection
CVE-2024-21887	Ivanti Connect Secure
CVE-2024-1709	ScreenConnect auth bypass
CVE-2024-27198	TeamCity auth bypass

Scanner Detection

Detects security scanners: sqlmap, nikto, nuclei, burpsuite, nmap, dirb, gobuster, ffuf, etc.

CrowdSec Integration

Threats are logged to /data/threats.log (mounted as /srv/mitmproxy/threats.log on host).

CrowdSec scenarios:

secubox/mitmproxy-attack - Bans after 3 high/critical attacks
secubox/mitmproxy-scanner - Bans aggressive scanners
secubox/mitmproxy-ssrf - Bans external SSRF attempts
secubox/mitmproxy-cve - Immediate ban for CVE exploits

GeoIP

Install GeoLite2-Country.mmdb to /srv/mitmproxy/ for country detection:

curl -sL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
  -o /srv/mitmproxy/GeoLite2-Country.mmdb

File Paths

Path	Description
`/srv/mitmproxy/`	Host bind mount directory
`/srv/mitmproxy/threats.log`	CrowdSec threat log
`/srv/mitmproxy/addons/`	mitmproxy addon scripts
`/srv/mitmproxy/GeoLite2-Country.mmdb`	GeoIP database

HAProxy Integration & Routing

Traffic Flow Architecture

┌─────────────────────────────────────────────────────────────────┐
│                      INTERNET                                   │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│  HAProxy (ports 80/443)                                         │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ Frontend: Receives HTTPS requests                        │   │
│  │ ACL: Route by Host header to vhosts                      │   │
│  └─────────────────────────────────────────────────────────┘   │
│                              │                                  │
│                              ▼                                  │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ Backend: mitmproxy_inspector (127.0.0.1:8889)            │   │
│  └─────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│  mitmproxy LXC Container (port 8889)                            │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ haproxy_router.py: Routes by Host header                 │   │
│  │ secubox_analytics.py: Threat detection                   │   │
│  └─────────────────────────────────────────────────────────┘   │
│                              │                                  │
│           Logs threats to /data/threats.log                     │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│  Backend Services                                               │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐        │
│  │  Gitea   │  │ Streamlit│  │ Glances  │  │  LuCI    │        │
│  │  :3000   │  │  :8501   │  │  :61208  │  │  :8081   │        │
│  └──────────┘  └──────────┘  └──────────┘  └──────────┘        │
└─────────────────────────────────────────────────────────────────┘

Sync Routes Command

Syncs HAProxy vhost configurations to mitmproxy routing table:

mitmproxyctl sync-routes

This generates /srv/mitmproxy/haproxy-routes.json:

{
  "devel.cybermind.fr": ["192.168.255.1", 3000],
  "play.cybermind.fr": ["192.168.255.1", 8501],
  "glances.maegia.tv": ["192.168.255.1", 61208],
  "factory.maegia.tv": ["192.168.255.1", 7331]
}

HAProxy Integration Commands

Command	Description
`mitmproxyctl haproxy-enable`	Enable threat inspection for all vhosts
`mitmproxyctl haproxy-disable`	Disable inspection, restore direct backends
`mitmproxyctl sync-routes`	Regenerate routes from current HAProxy config

Enabling HAProxy Inspection

# Enable inspection mode
mitmproxyctl haproxy-enable

# This will:
# 1. Create mitmproxy_inspector backend (127.0.0.1:8889)
# 2. Store original backends in UCI (haproxy.$vhost.original_backend)
# 3. Redirect all vhosts through mitmproxy
# 4. Sync route mappings
# 5. Restart services

Ports

Port	Instance	Service
8888	out	Proxy port (LAN outbound)
8889	in	Proxy port (HAProxy/WAF)
8089	out	mitmweb UI (outbound)
8090	in	mitmweb UI (WAF)

haproxy_router.py Addon

The router addon:

Loads routes from /data/haproxy-routes.json
Routes requests by Host header to real backends
Stores original host in flow.metadata['original_host']
Falls back to LuCI (127.0.0.1:8081) for unknown hosts

Route File Format

{
  "hostname": ["ip", port],
  "*.wildcard.domain": ["ip", port]
}

Supports wildcard matching with *.domain.tld patterns.

Dependencies

lxc - Container runtime
crowdsec - Threat intelligence (optional)
geoip2 - Python GeoIP library (optional)