gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b1c34021db
secubox-openwrt/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy
CyberMind-FR e58f479cd4 feat(waf): Update WAF scenarios with 2024-2025 CVEs and OWASP threats 
Add detection patterns for latest actively exploited vulnerabilities:
- CVE-2025-55182 (React2Shell, CVSS 10.0)
- CVE-2025-8110 (Gogs RCE), CVE-2025-53770 (SharePoint)
- CVE-2025-52691 (SmarterMail), CVE-2025-40551 (SolarWinds)
- CVE-2024-47575 (FortiManager), CVE-2024-21887 (Ivanti)
- CVE-2024-3400, CVE-2024-0012, CVE-2024-9474 (PAN-OS)

New attack categories based on OWASP Top 10 2025:
- HTTP Request Smuggling (TE.CL/CL.TE conflicts)
- AI/LLM Prompt Injection (ChatML, instruction markers)
- WAF Bypass techniques (Unicode normalization, double encoding)
- Supply Chain attacks (CI/CD poisoning, dependency confusion)
- Extended SSTI (Jinja2, Freemarker, Velocity, Thymeleaf)
- API Abuse (BOLA/IDOR, mass assignment)

CrowdSec scenarios split into 11 separate files for reliability.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-12 05:02:57 +01:00

179 lines
5.6 KiB
Plaintext
Raw Blame History

config mitmproxy 'main'
option enabled '0'
option runtime 'lxc'
# Legacy single-instance settings (deprecated, use instances below)
option proxy_port '8888'
option web_port '8081'
option web_host '0.0.0.0'
option data_path '/srv/mitmproxy'
option memory_limit '256M'
option mode 'regular'
option ssl_insecure '0'
option anticache '0'
option anticomp '0'
option flow_detail '1'
# OUT Instance - LAN to Internet (transparent/forward proxy)
config instance 'out'
option enabled '1'
option description 'LAN->Internet Proxy'
option container_name 'mitmproxy-out'
option proxy_port '8888'
option web_port '8089'
option web_host '0.0.0.0'
option data_path '/srv/mitmproxy-out'
option memory_limit '256M'
option mode 'transparent'
option ssl_insecure '0'
option anticache '0'
option anticomp '0'
# IN Instance - WAN to Services (WAF/reverse proxy)
config instance 'in'
option enabled '1'
option description 'WAF/Reverse Proxy'
option container_name 'mitmproxy-in'
option proxy_port '8889'
option web_port '8090'
option web_host '0.0.0.0'
option data_path '/srv/mitmproxy-in'
option memory_limit '256M'
option mode 'upstream'
option ssl_insecure '0'
option anticache '0'
option anticomp '0'
# HAProxy sends traffic here
option haproxy_backend '1'
# WAN Protection Mode - protect services exposed to internet
# Acts as WAF/reverse proxy for incoming WAN traffic
config wan_protection 'wan_protection'
# Enable WAN protection mode (acts as WAF for incoming traffic)
option enabled '0'
# WAN interface name (incoming traffic interface)
option wan_interface 'wan'
# Ports to intercept on WAN (HTTP)
option wan_http_port '80'
# Ports to intercept on WAN (HTTPS)
option wan_https_port '443'
# Feed detected threats to CrowdSec for automatic blocking
option crowdsec_feed '1'
# Block requests from known bot scanners immediately
option block_bots '0'
# Rate limiting: max requests per IP per minute (0=disabled)
option rate_limit '0'
# Auto-ban configuration - automatically ban IPs via CrowdSec
config autoban 'autoban'
# Enable automatic banning of detected threats
option enabled '0'
# Ban duration (e.g., 1h, 4h, 24h, 7d)
option ban_duration '4h'
# Minimum severity to trigger auto-ban: critical, high, medium
option min_severity 'critical'
# Auto-ban on CVE exploit attempts
option ban_cve_exploits '1'
# Auto-ban SQL injection attempts
option ban_sqli '1'
# Auto-ban command injection attempts
option ban_cmdi '1'
# Auto-ban path traversal attempts
option ban_traversal '1'
# Auto-ban known vulnerability scanners
option ban_scanners '1'
# Auto-ban on rate limit exceeded
option ban_rate_limit '0'
# Whitelist IPs from auto-ban (comma-separated)
option whitelist ''
#
# Sensitivity level: aggressive, moderate, permissive
# - aggressive: Ban immediately on first detection (critical threats only)
# - moderate: Ban after repeated attempts within minutes (default)
# - permissive: Ban after persistent attempts over longer period
option sensitivity 'moderate'
#
# Aggressive level: Immediate ban on first critical threat
# (CVE exploits, SQL injection, command injection always trigger immediately)
#
# Moderate level thresholds
# Ban after N attempts within the time window
option moderate_threshold '3'
option moderate_window '300'
#
# Permissive level thresholds
# Ban after N attempts within the time window
option permissive_threshold '5'
option permissive_window '3600'
# LAN Transparent mode settings (outbound traffic interception)
config transparent 'transparent'
option enabled '0'
# Interface to intercept traffic from (e.g., br-lan)
option interface 'br-lan'
# Redirect HTTP traffic (port 80)
option redirect_http '1'
# Redirect HTTPS traffic (port 443)
option redirect_https '1'
# Custom HTTP port (default 80)
option http_port '80'
# Custom HTTPS port (default 443)
option https_port '443'
# DPI Mirror Mode - feed traffic to network inspection engines
config dpi_mirror 'dpi_mirror'
option enabled '0'
# Interface for DPI mirroring (netifyd/ndpid listens on this)
option dpi_interface 'br-lan'
# Enable DPI for WAN traffic (incoming)
option mirror_wan '0'
# Enable DPI for LAN traffic (outgoing)
option mirror_lan '0'
# Whitelist/bypass - IPs and domains that bypass the proxy
config whitelist 'whitelist'
option enabled '1'
# Bypass local networks by default
list bypass_ip '10.0.0.0/8'
list bypass_ip '172.16.0.0/12'
list bypass_ip '192.168.0.0/16'
list bypass_ip '127.0.0.0/8'
# Bypass sensitive domains (banking, medical, etc.)
list bypass_domain 'banking'
list bypass_domain 'paypal.com'
list bypass_domain 'stripe.com'
# Add custom bypasses here
# list bypass_ip 'x.x.x.x'
# list bypass_domain 'example.com'
# HAProxy backend inspection mode
config haproxy_router 'haproxy_router'
option enabled '0'
# Port HAProxy sends traffic to
option listen_port '8889'
# Enable threat detection on HAProxy traffic
option threat_detection '1'
# Routes file (auto-generated from HAProxy UCI)
option routes_file '/srv/mitmproxy/haproxy-routes.json'
# CDN/MediaFlow filtering addon
config filtering 'filtering'
option enabled '0'
# Log all requests to JSON file
option log_requests '1'
# Filter CDN traffic (e.g., cloudflare, akamai, fastly)
option filter_cdn '0'
# Filter streaming media
option filter_media '0'
# Block ads and trackers
option block_ads '0'
# Custom filter script path
option addon_script '/data/addons/secubox_analytics.py'
# Capture settings
config capture 'capture'
option save_flows '0'
option capture_request_headers '1'
option capture_response_headers '1'
option capture_request_body '0'
option capture_response_body '0'
Reference in New Issue View Git Blame Copy Permalink