gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
74825b4373
secubox-openwrt/.claude/WIP.md
CyberMind-FR 74825b4373 docs(WIP): Add HAProxy mitmproxy_inspector backend fix 
- Fixed missing server section in mitmproxy_inspector backend
- Fixed lyrion vhost routing through WAF instead of direct backend
- Fixed jellyfin route IP to container's veth address

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-07 16:08:05 +01:00

7.6 KiB
Raw Blame History

Work In Progress (Claude)

Last updated: 2026-03-07 (HAProxy mitmproxy_inspector Fix)

Architecture Reference: SecuBox Fanzine v3 — Les 4 Couches

Recently Completed

2026-03-07

  • HAProxy mitmproxy_inspector Backend Fix

    • mitmproxy_inspector backend had NO server section (causing 503 for all WAF vhosts)
    • Added UCI server section: mitmproxy_inspector_srv pointing to 192.168.255.1:8890
    • Fixed haproxyctl duplicate userlist warning and _emit_sorted_path_acls indentation
    • All vhosts now correctly routing through WAF

  • Lyrion Routing Fix

    • Changed lyrion vhost backend from lyrion_web to mitmproxy_inspector
    • Was bypassing WAF, now properly routed through mitmproxy-in

  • Jellyfin Route IP Fix

    • Fixed mitmproxy route: 192.168.255.1 → 192.168.255.31 (container's actual IP)
    • Jellyfin container has dedicated veth interface on br-lan

  • lldh360.maegia.tv Routing Fix

    • Fixed mitmproxy routes: 127.0.0.1 → 192.168.255.1 (all 187 routes updated)
    • Disabled SSL redirect (DNS record doesn't exist yet for ACME)
    • Restored HAProxy config from backup (haproxyctl generate was corrupted)
    • Site now accessible via HTTP on port 9003

  • cybaxe.gk2.secubox.in Port Conflict Fix

    • Changed port from 9000 to 9004 (9000 reserved for Lyrion Music Server)
    • Updated metablogizer, HAProxy backend, and mitmproxy routes
    • Created placeholder index.html (site content needs gitea sync)
    • Site now accessible via HTTPS

  • Mitmproxy-in Port Conflict Fix

    • Changed mitmproxy-in WAF port from 8889 to 8890
    • Port 8889 conflicted with avatar-tap Streamlit service
    • Updated HAProxy mitmproxy_inspector backend configuration
    • Fixed HAProxy runtime state caching via socket command

  • Vhosts Recovery

    • Started stopped LXC containers: jellyfin, jitsi, peertube, gotosocial, glances
    • Fixed glances container cgroup v2 config (cgroup.memory.limit_in_bytes → cgroup2.memory.max)
    • Fixed mitmproxy route IPs: 127.0.0.1 → 192.168.255.1 (LXC can't reach host localhost)
    • All 11 key vhosts now operational (jellyfin, social, glances, tube, meet, zoo, portal, cloud, photos, lyrion, streamlit)

  • Vhosts-Checker RPCD Fix

    • Fixed XHR timeout issue in LuCI dashboard
    • Root cause: jshn overhead for 226 vhosts + subshell issues with pipes
    • Solution: Direct JSON output with printf, temp file instead of pipes
    • Deployed ACL file for authentication

  • ROADMAP.md Generation

    • Created comprehensive roadmap from WIP and HISTORY analysis
    • Version milestones: v0.19 → v0.20 → v0.21 → v0.22 → v1.0
    • Critical path analysis and dependency graph
    • Resource requirements and risk register

  • Avatar-Tap Session Capture & Replay

    • Backend: secubox-avatar-tap - passive network tap via mitmproxy
    • CLI: avatar-tapctl with start/stop/list/replay/label/delete commands
    • LuCI: luci-app-avatar-tap KISS dashboard with session table
    • Features: Cookie/auth header capture, session replay, SQLite storage
    • Runs in Streamlit LXC container on port 8889 (mitmproxy-in moved to 8890)
    • Future: Nitrokey/GPG integration for secure replay authorization

  • PhotoPrism Photo Gallery Deployment

    • Linked /mnt/PHOTO (673GB, 391k photos) to PhotoPrism originals
    • Fixed HFS+ read-only mount issue (sidecar writes to storage/)
    • Indexing in progress: HEIC conversion, thumbnail generation, AI labels
    • HAProxy vhost + SSL cert for photos.gk2.secubox.in

  • Service Fixes & HAProxy Vhosts

    • Fixed Lyrion music mount: /mnt/MUSIC (1.6TB) now accessible
    • Fixed Portal routing (was 503, now working)
    • Added missing vhosts: lyrion.gk2.secubox.in, streamlit.gk2.secubox.in
    • Requested and installed SSL certs for all 3 new domains
    • Fixed ACME webroot configuration (uhttpd home path)

  • Source Code Updates

    • Updated default paths: Lyrion→/mnt/MUSIC, PhotoPrism→/mnt/PHOTO
    • Committed and pushed to master

2026-03-06

  • PhotoPrism Private Photo Gallery

    • Backend: secubox-app-photoprism with LXC container (Debian Bookworm)
    • CLI: photoprismctl with install/start/stop/index/import/emancipate commands
    • LuCI: luci-app-photoprism KISS dashboard with stats and actions
    • Features: AI face recognition, object detection, places/maps
    • HAProxy integration via mitmproxy (WAF-safe, no bypass)
    • SQLite database (simpler, no external DB), FFmpeg transcoding, HEIC support
    • Dependencies: libvips42 for image processing

  • AI Gateway /login Command

    • CLI: aigatewayctl login [provider] - Interactive or scripted provider authentication
    • Validates credentials against provider API before saving
    • Rollback on validation failure (preserves previous credentials)
    • Format warnings: Claude keys should start with sk-ant-, OpenAI with sk-
    • RPCD: login method for LuCI frontend integration
    • ACL: Added write permission for login method

2026-03-04

  • SBOM Pipeline for CRA Annex I Compliance

    • scripts/check-sbom-prereqs.sh - Prerequisites validation
    • scripts/sbom-generate.sh - Multi-source SBOM generation
    • scripts/sbom-audit-feed.sh - PKG_HASH/PKG_LICENSE feed audit
    • .github/workflows/sbom-release.yml - GitHub Actions with CVE gating
    • SECURITY.md - CRA Art. 13 §6 compliant vulnerability disclosure

  • AI Gateway Full-Stack Implementation

    • 3-tier data classification: LOCAL_ONLY, SANITIZED, CLOUD_DIRECT
    • Provider routing: LocalAI > Mistral EU > Claude > OpenAI > Gemini > xAI
    • aigatewayctl CLI with classify/sanitize/provider/audit commands
    • luci-app-ai-gateway with 4 KISS-themed views

2026-03-03

  • Comprehensive Service Audit

    • WAF Enforcement: Disabled waf_bypass on 21 vhosts
    • Container Autostart: Enabled on 9 essential containers
    • Glances Fix: Resolved cgroup mount issue
    • 18 LXC Containers Running

  • Vortex DNS Firewall Phases 1-4

    • Threat intel aggregator, SQLite blocklist, dnsmasq integration
    • HTTP/HTTPS sinkhole server for infected client detection
    • DNS Guard AI detection integration
    • Mesh threat sharing via secubox-p2p blockchain

  • Image Builder Validation

    • Validated secubox-image.sh, secubox-sysupgrade.sh
    • Fixed curl redirect issue: Added -L flag

2026-03-02

  • Reverse MWAN WireGuard v2 - Phase 2
    • LuCI Dashboard for Mesh Uplinks
    • 9 RPC methods for uplink management
    • 10-second live polling

2026-03-01

  • Reverse MWAN WireGuard v2 - Phase 1

    • WireGuard mesh peers as backup internet uplinks via mwan3 failover
    • wgctl CLI: uplink list/add/remove/status/test/failover
    • UCI config for global and per-uplink settings

  • Nextcloud Integration Enhancements

    • WAF-safe SSL routing, scheduled backups, SMTP integration
    • CalDAV/CardDAV/WebDAV connection info display

In Progress

  • Vortex DNS - Meshed multi-dynamic subdomain delegation (DONE 2026-02-05)
    • secubox-vortex-dns package with vortexctl CLI
    • Master/slave hierarchical DNS delegation
    • Wildcard domain management

Next Up

v1.1+ Extended Mesh

  1. WAF Auto-Ban Tuning (optional, as-needed)
    • Sensitivity threshold adjustment based on production traffic

Backlog

  • SSMTP / mail host / MX record management (v2)

Strategic Documents

  • SecuBox_LocalAI_Strategic_Analysis.html — AI Management Layer roadmap
  • SecuBox_AI_Gateway_Hybrid_Architecture.html — Hybrid Local/Cloud architecture
  • SecuBox_MirrorNetworking_Paradigm_Reversal.html — EnigmaBox autopsy → MirrorNet
  • SecuBox_Fanzine_v3_Feb2026.html — 4-layer architecture overview

Blockers / Risks

  • No automated regression tests for LuCI views; manual verification required after SCP deploy.
  • Guacamole ARM64 pre-built binaries not readily available.