mirror of
https://github.com/CyberMind-FR/secubox-deb.git
synced 2026-07-01 10:47:30 +00:00
Compare commits
No commits in common. "f69384f1e0cb84215540be2326713b76553829c1" and "1139ce103eac73932e158a7febe190b68ab62c24" have entirely different histories.
f69384f1e0
...
1139ce103e
|
|
@ -12,29 +12,4 @@ twimg.com # Twitter / X media
|
||||||
licdn.com # LinkedIn media
|
licdn.com # LinkedIn media
|
||||||
sndcdn.com # SoundCloud audio
|
sndcdn.com # SoundCloud audio
|
||||||
scdn.co # Spotify audio
|
scdn.co # Spotify audio
|
||||||
pscdn.co # Spotify audio/podcast CDN
|
|
||||||
audio-ak-spotify-com.akamaized.net # Spotify audio (akamai shard)
|
|
||||||
mzstatic.com # Apple media / artwork
|
mzstatic.com # Apple media / artwork
|
||||||
# ── #651 broaden : more clearly-media/asset CDNs (video/image/audio only) ──
|
|
||||||
googleusercontent.com # Google user-uploaded media (photos/drive thumbs)
|
|
||||||
gvt1.com # Google video/large-asset delivery
|
|
||||||
ytimg.l.google.com # YouTube image edge
|
|
||||||
pinimg.com # Pinterest images
|
|
||||||
redditstatic.com # Reddit static assets
|
|
||||||
redditmedia.com # Reddit media
|
|
||||||
i.redd.it # Reddit images (NOT bare redd.it — that 301s to HTML pages)
|
|
||||||
v.redd.it # Reddit video
|
|
||||||
i.imgur.com # Imgur images (NOT apex imgur.com — that's a browse site)
|
|
||||||
media.giphy.com # Giphy media (NOT apex giphy.com — that's the site)
|
|
||||||
vimeocdn.com # Vimeo video/thumbnails
|
|
||||||
tiktokcdn.com # TikTok video/media
|
|
||||||
ttwstatic.com # TikTok static media
|
|
||||||
muscdn.com # TikTok (ByteDance) media CDN
|
|
||||||
phinf.pstatic.net # Naver media shard (NOT broad pstatic.net umbrella)
|
|
||||||
twitchcdn.net # Twitch video
|
|
||||||
ttvnw.net # Twitch video/static
|
|
||||||
jtvnw.net # Twitch emotes/static
|
|
||||||
phncdn.com # large video CDN
|
|
||||||
dmcdn.net # Dailymotion video
|
|
||||||
# NOTE: akamaihd.net intentionally NOT seeded — shared multi-tenant edge, not
|
|
||||||
# media-guaranteed; let autolearn promote it only if it proves never-HTML.
|
|
||||||
|
|
|
||||||
|
|
@ -1,17 +1,3 @@
|
||||||
secubox-toolbox (2.6.55-1~bookworm1) bookworm; urgency=medium
|
|
||||||
|
|
||||||
* perf(#651): broaden the media SNI-splice seed (11 → 35 video/image/audio
|
|
||||||
CDNs: reddit/imgur/giphy/vimeo/tiktok/twitch/dailymotion/pornhub/spotify…,
|
|
||||||
still media-only) so more heavy flows splice once armed.
|
|
||||||
* fix(#651): per-worker stats — the 4 mitm-wg workers each write
|
|
||||||
/run/secubox/splice.<port>.json instead of clobbering one shared file
|
|
||||||
(was undercounting); dropped the dead `mitm` counter.
|
|
||||||
* #651: helpful console feedback — one INFO summary line per ~5 s flush
|
|
||||||
(`tls-splice[<port>] mode=… spliced=N would_splice=M`) + a per-splice DEBUG
|
|
||||||
line, visible in journalctl for the mitm-wg workers.
|
|
||||||
|
|
||||||
-- Gerald KERMA <devel@cybermind.fr> Thu, 18 Jun 2026 15:30:00 +0200
|
|
||||||
|
|
||||||
secubox-toolbox (2.6.54-1~bookworm1) bookworm; urgency=medium
|
secubox-toolbox (2.6.54-1~bookworm1) bookworm; urgency=medium
|
||||||
|
|
||||||
* feat(#649): selective SNI-splice (Lever A). New tls_splice addon (first in
|
* feat(#649): selective SNI-splice (Lever A). New tls_splice addon (first in
|
||||||
|
|
|
||||||
|
|
@ -37,14 +37,9 @@ LEARNED_PATH = os.environ.get("SECUBOX_SPLICE_LEARNED",
|
||||||
"/var/lib/secubox/toolbox/splice-learned.txt")
|
"/var/lib/secubox/toolbox/splice-learned.txt")
|
||||||
PURE_PATH = os.environ.get("SECUBOX_PURE_TRACKERS",
|
PURE_PATH = os.environ.get("SECUBOX_PURE_TRACKERS",
|
||||||
"/var/lib/secubox/toolbox/pure-trackers.txt")
|
"/var/lib/secubox/toolbox/pure-trackers.txt")
|
||||||
# #651 — per-worker stats file. The 4 mitm-wg workers are separate processes;
|
STATS = "/run/secubox/splice.json"
|
||||||
# a single shared splice.json was clobbered last-writer-wins (undercount). Key
|
|
||||||
# the file by this worker's listen port so each writes its own, and a reader
|
|
||||||
# sums splice.*.json. Falls back to a plain name for the legacy single process.
|
|
||||||
_PORT = os.environ.get("MITM_WG_LISTEN_PORT", "")
|
|
||||||
STATS = "/run/secubox/splice.%s.json" % _PORT if _PORT else "/run/secubox/splice.json"
|
|
||||||
|
|
||||||
_counts = {"spliced": 0, "would_splice": 0, "since": int(time.time())}
|
_counts = {"spliced": 0, "would_splice": 0, "mitm": 0, "since": int(time.time())}
|
||||||
_last_flush = 0.0
|
_last_flush = 0.0
|
||||||
|
|
||||||
# Learning observations are written off the proxy event loop (mirror
|
# Learning observations are written off the proxy event loop (mirror
|
||||||
|
|
@ -104,7 +99,6 @@ class TlsSplice:
|
||||||
if mode == "on":
|
if mode == "on":
|
||||||
data.ignore_connection = True
|
data.ignore_connection = True
|
||||||
_counts["spliced"] += 1
|
_counts["spliced"] += 1
|
||||||
log.debug("tls-splice spliced %s", sni)
|
|
||||||
else: # observe
|
else: # observe
|
||||||
_counts["would_splice"] += 1
|
_counts["would_splice"] += 1
|
||||||
log.info("tls-splice would-splice %s", sni)
|
log.info("tls-splice would-splice %s", sni)
|
||||||
|
|
@ -149,15 +143,6 @@ class TlsSplice:
|
||||||
json.dump({**_counts, "updated": int(now)}, f)
|
json.dump({**_counts, "updated": int(now)}, f)
|
||||||
except Exception:
|
except Exception:
|
||||||
pass
|
pass
|
||||||
# #651 — helpful, non-spammy console feedback: one INFO line per flush
|
|
||||||
# window (~5 s) showing this worker's running totals + active mode, so
|
|
||||||
# the splice activity is visible in `journalctl -u …mitm-wg-worker@*`.
|
|
||||||
try:
|
|
||||||
log.info("tls-splice[%s] mode=%s spliced=%d would_splice=%d",
|
|
||||||
_PORT or "single", _gf().get("tls_splice", "observe"),
|
|
||||||
_counts["spliced"], _counts["would_splice"])
|
|
||||||
except Exception:
|
|
||||||
pass
|
|
||||||
|
|
||||||
|
|
||||||
addons = [TlsSplice()]
|
addons = [TlsSplice()]
|
||||||
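Review bot: In the `mode == "on"` branch (hunk `-104,7 +99,6`) the right-hand side sets `data.ignore_connection = True` and increments `_counts["spliced"]` without logging the SNI, while the observe branch still logs `would-splice` at INFO. The connections that actually skip inspection are therefore the ones with no per-connection record. Keeping `log.debug("tls-splice spliced %s", sni)` after the counter increment would let an operator see which hosts were passed through. The first hunk of this section also returns to a single `STATS = "/run/secubox/splice.json"`, which the removed comment describes as overwritten last-writer-wins by the four worker processes, so the spliced total would undercount as well. The enclosing method starts outside the hunk, and this assumes the right-hand column is the side that ships, which is hard to confirm for two histories with no common commit.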
|
|
|
||||||
|
|
@ -107,11 +107,3 @@ def test_response_off_mode_skips(monkeypatch, tmp_path):
|
||||||
response=types.SimpleNamespace(headers={"content-type": "text/html"}))
|
response=types.SimpleNamespace(headers={"content-type": "text/html"}))
|
||||||
a.response(f)
|
a.response(f)
|
||||||
assert calls == [] # off → recorder disabled
|
assert calls == [] # off → recorder disabled
|
||||||
|
|
||||||
|
|
||||||
def test_stats_file_is_per_worker_port(monkeypatch):
|
|
||||||
import importlib
|
|
||||||
monkeypatch.setenv("MITM_WG_LISTEN_PORT", "8083")
|
|
||||||
import tls_splice; importlib.reload(tls_splice)
|
|
||||||
assert tls_splice.STATS == "/run/secubox/splice.8083.json"
|
|
||||||
assert "mitm" not in tls_splice._counts # dead counter removed
|
|
||||||
|
|
|
||||||