packages/secubox-toolbox-ng/cmd/sbxmitm/main.go

@@ -336,16 +336,7 @@ func (px *Proxy) mitmPipeline(tconn *tls.Conn, rawClient net.Conn, host, verdict
 	req.Header.Set("Accept-Encoding", "gzip")
 
 	// proxy upstream, inject into HTML bodies.
-	//
+	up := &http.Client{Timeout: 30 * time.Second}
-	// CheckRedirect: a MITM proxy must NOT follow 3xx itself — it relays the
-	// redirect to the client so the BROWSER follows it (correct URL bar, origin,
-	// cookie scope, method semantics). Go's http.Client follows by default, which
-	// would collapse a 301/302 into the final 200 under the original URL (wrong).
-	// Mirror mitmproxy's pass-through behaviour.
-	up := &http.Client{
-		Timeout:       30 * time.Second,
-		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
-	}
 	if dialHost != "" {
 		// Transparent: pin the TCP dial to the captured original-dst, do TLS with
 		// ServerName=host, verify the cert against host (verification stays ON).

packages/secubox-toolbox-ng/debian/changelog

@@ -1,12 +1,3 @@
-secubox-toolbox-ng (0.1.4-1~bookworm1) bookworm; urgency=medium
-
-  * proxy: do NOT follow upstream redirects — relay 3xx to the client so the
-    browser follows it (correct URL/origin/cookies). Go's default http.Client
-    followed them, collapsing 301/302 into a final 200 under the original URL.
-    (ref #662)
-
- -- Gerald KERMA <devel@cybermind.fr>  Wed, 18 Jun 2026 20:10:00 +0000
-
 secubox-toolbox-ng (0.1.3-1~bookworm1) bookworm; urgency=medium
 
   * banner: inject into COMPRESSED HTML too. Pin upstream Accept-Encoding to gzip

packages/secubox-toolbox/nftables.d/secubox-toolbox-wg-fanout.nft

@@ -3,12 +3,7 @@
 #
 # REPLACES the prerouting rules from secubox-toolbox-wg.nft :
 #   iif wg-toolbox tcp dport 443 dnat ip to 10.99.1.1:8081  (single port)
-# with a round-robin numgen mapping to ports 8091..8094.
+# with a round-robin numgen mapping to ports 8081..8084.
-#
-# #662 CUTOVER (2026-06-18): the fanout now targets the Go MITM engine
-# (secubox-toolbox-ng-worker@{1..4}, transparent on 10.99.1.1:809%i) instead
-# of the Python mitmproxy workers (808%i). Rollback = change 809x → 808x below
-# and `nft -f` this file (the Python workers are kept warm for that).
 #
 # Why numgen inc and not jhash : nftables 1.0.6 (Debian bookworm) doesn't
 # support `jhash` in numgen yet (lands in 1.0.7+).  `inc` is round-robin
@@ -30,20 +25,19 @@ table inet wg-toolbox {
         # Phase 9 (#501) — 4-worker round-robin DNAT.  numgen returns
         # 0..3 ; the map sends each to one of the 4 worker ports on
         # 10.99.1.1.  Conntrack pins the choice for the whole flow.
-        # #662: ports are 809x (Go engine), was 808x (Python).
         iif "wg-toolbox" tcp dport 443 dnat ip to 10.99.1.1 \
             : numgen inc mod 4 map {
-                0 : 8091,
+                0 : 8081,
-                1 : 8092,
+                1 : 8082,
-                2 : 8093,
+                2 : 8083,
-                3 : 8094
+                3 : 8084
             }
         iif "wg-toolbox" tcp dport 80 dnat ip to 10.99.1.1 \
             : numgen inc mod 4 map {
-                0 : 8091,
+                0 : 8081,
-                1 : 8092,
+                1 : 8082,
-                2 : 8093,
+                2 : 8083,
-                3 : 8094
+                3 : 8084
             }
 
         # Phase 7 (#498) — DNS DNAT for legacy peer configs that hand out