2025-05-09 21:21:28 +00:00
|
|
|
import * as plugins from '../../plugins.js';
|
2025-05-09 22:46:53 +00:00
|
|
|
import type { ISmartProxyOptions } from './models/interfaces.js';
|
2025-03-14 09:53:25 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Handles security aspects like IP tracking, rate limiting, and authorization
|
|
|
|
|
*/
|
|
|
|
|
export class SecurityManager {
|
|
|
|
|
private connectionsByIP: Map<string, Set<string>> = new Map();
|
|
|
|
|
private connectionRateByIP: Map<string, number[]> = new Map();
|
2025-05-09 21:21:28 +00:00
|
|
|
|
2025-05-09 22:46:53 +00:00
|
|
|
constructor(private settings: ISmartProxyOptions) {}
|
2025-03-14 09:53:25 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Get connections count by IP
|
|
|
|
|
*/
|
|
|
|
|
public getConnectionCountByIP(ip: string): number {
|
|
|
|
|
return this.connectionsByIP.get(ip)?.size || 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Check and update connection rate for an IP
|
|
|
|
|
* @returns true if within rate limit, false if exceeding limit
|
|
|
|
|
*/
|
|
|
|
|
public checkConnectionRate(ip: string): boolean {
|
|
|
|
|
const now = Date.now();
|
|
|
|
|
const minute = 60 * 1000;
|
|
|
|
|
|
|
|
|
|
if (!this.connectionRateByIP.has(ip)) {
|
|
|
|
|
this.connectionRateByIP.set(ip, [now]);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get timestamps and filter out entries older than 1 minute
|
|
|
|
|
const timestamps = this.connectionRateByIP.get(ip)!.filter((time) => now - time < minute);
|
|
|
|
|
timestamps.push(now);
|
|
|
|
|
this.connectionRateByIP.set(ip, timestamps);
|
|
|
|
|
|
|
|
|
|
// Check if rate exceeds limit
|
|
|
|
|
return timestamps.length <= this.settings.connectionRateLimitPerMinute!;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Track connection by IP
|
|
|
|
|
*/
|
|
|
|
|
public trackConnectionByIP(ip: string, connectionId: string): void {
|
|
|
|
|
if (!this.connectionsByIP.has(ip)) {
|
|
|
|
|
this.connectionsByIP.set(ip, new Set());
|
|
|
|
|
}
|
|
|
|
|
this.connectionsByIP.get(ip)!.add(connectionId);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Remove connection tracking for an IP
|
|
|
|
|
*/
|
|
|
|
|
public removeConnectionByIP(ip: string, connectionId: string): void {
|
|
|
|
|
if (this.connectionsByIP.has(ip)) {
|
|
|
|
|
const connections = this.connectionsByIP.get(ip)!;
|
|
|
|
|
connections.delete(connectionId);
|
|
|
|
|
if (connections.size === 0) {
|
|
|
|
|
this.connectionsByIP.delete(ip);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2025-05-09 15:39:15 +00:00
|
|
|
* Check if an IP is authorized using forwarding security rules
|
|
|
|
|
*
|
|
|
|
|
* This method is used to determine if an IP is allowed to connect, based on security
|
|
|
|
|
* rules configured in the forwarding configuration. The allowed and blocked IPs are
|
|
|
|
|
* typically derived from domain.forwarding.security.allowedIps and blockedIps through
|
|
|
|
|
* DomainConfigManager.getEffectiveIPRules().
|
|
|
|
|
*
|
|
|
|
|
* @param ip - The IP address to check
|
|
|
|
|
* @param allowedIPs - Array of allowed IP patterns from forwarding.security.allowedIps
|
|
|
|
|
* @param blockedIPs - Array of blocked IP patterns from forwarding.security.blockedIps
|
|
|
|
|
* @returns true if IP is authorized, false if blocked
|
2025-03-14 09:53:25 +00:00
|
|
|
*/
|
|
|
|
|
public isIPAuthorized(ip: string, allowedIPs: string[], blockedIPs: string[] = []): boolean {
|
|
|
|
|
// Skip IP validation if allowedIPs is empty
|
|
|
|
|
if (!ip || (allowedIPs.length === 0 && blockedIPs.length === 0)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
2025-05-09 15:39:15 +00:00
|
|
|
|
|
|
|
|
// First check if IP is blocked - blocked IPs take precedence
|
2025-03-14 09:53:25 +00:00
|
|
|
if (blockedIPs.length > 0 && this.isGlobIPMatch(ip, blockedIPs)) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2025-05-09 15:39:15 +00:00
|
|
|
|
2025-03-14 09:53:25 +00:00
|
|
|
// Then check if IP is allowed
|
|
|
|
|
return this.isGlobIPMatch(ip, allowedIPs);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2025-05-09 15:39:15 +00:00
|
|
|
* Check if the IP matches any of the glob patterns from security configuration
|
|
|
|
|
*
|
|
|
|
|
* This method checks IP addresses against glob patterns and handles IPv4/IPv6 normalization.
|
|
|
|
|
* It's used to implement IP filtering based on the forwarding.security configuration.
|
|
|
|
|
*
|
|
|
|
|
* @param ip - The IP address to check
|
|
|
|
|
* @param patterns - Array of glob patterns from forwarding.security.allowedIps or blockedIps
|
|
|
|
|
* @returns true if IP matches any pattern, false otherwise
|
2025-03-14 09:53:25 +00:00
|
|
|
*/
|
|
|
|
|
private isGlobIPMatch(ip: string, patterns: string[]): boolean {
|
|
|
|
|
if (!ip || !patterns || patterns.length === 0) return false;
|
|
|
|
|
|
2025-05-09 15:39:15 +00:00
|
|
|
// Handle IPv4/IPv6 normalization for proper matching
|
2025-03-14 09:53:25 +00:00
|
|
|
const normalizeIP = (ip: string): string[] => {
|
|
|
|
|
if (!ip) return [];
|
2025-05-09 15:39:15 +00:00
|
|
|
// Handle IPv4-mapped IPv6 addresses (::ffff:127.0.0.1)
|
2025-03-14 09:53:25 +00:00
|
|
|
if (ip.startsWith('::ffff:')) {
|
|
|
|
|
const ipv4 = ip.slice(7);
|
|
|
|
|
return [ip, ipv4];
|
|
|
|
|
}
|
2025-05-09 15:39:15 +00:00
|
|
|
// Handle IPv4 addresses by also checking IPv4-mapped form
|
2025-03-14 09:53:25 +00:00
|
|
|
if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
|
|
|
|
|
return [ip, `::ffff:${ip}`];
|
|
|
|
|
}
|
|
|
|
|
return [ip];
|
|
|
|
|
};
|
|
|
|
|
|
2025-05-09 15:39:15 +00:00
|
|
|
// Normalize the IP being checked
|
2025-03-14 09:53:25 +00:00
|
|
|
const normalizedIPVariants = normalizeIP(ip);
|
|
|
|
|
if (normalizedIPVariants.length === 0) return false;
|
|
|
|
|
|
2025-05-09 15:39:15 +00:00
|
|
|
// Normalize the pattern IPs for consistent comparison
|
2025-03-14 09:53:25 +00:00
|
|
|
const expandedPatterns = patterns.flatMap(normalizeIP);
|
2025-05-09 15:39:15 +00:00
|
|
|
|
|
|
|
|
// Check for any match between normalized IP variants and patterns
|
2025-03-14 09:53:25 +00:00
|
|
|
return normalizedIPVariants.some((ipVariant) =>
|
|
|
|
|
expandedPatterns.some((pattern) => plugins.minimatch(ipVariant, pattern))
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Check if IP should be allowed considering connection rate and max connections
|
|
|
|
|
* @returns Object with result and reason
|
|
|
|
|
*/
|
|
|
|
|
public validateIP(ip: string): { allowed: boolean; reason?: string } {
|
|
|
|
|
// Check connection count limit
|
|
|
|
|
if (
|
|
|
|
|
this.settings.maxConnectionsPerIP &&
|
|
|
|
|
this.getConnectionCountByIP(ip) >= this.settings.maxConnectionsPerIP
|
|
|
|
|
) {
|
|
|
|
|
return {
|
|
|
|
|
allowed: false,
|
|
|
|
|
reason: `Maximum connections per IP (${this.settings.maxConnectionsPerIP}) exceeded`
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check connection rate limit
|
|
|
|
|
if (
|
|
|
|
|
this.settings.connectionRateLimitPerMinute &&
|
|
|
|
|
!this.checkConnectionRate(ip)
|
|
|
|
|
) {
|
|
|
|
|
return {
|
|
|
|
|
allowed: false,
|
|
|
|
|
reason: `Connection rate limit (${this.settings.connectionRateLimitPerMinute}/min) exceeded`
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return { allowed: true };
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Clears all IP tracking data (for shutdown)
|
|
|
|
|
*/
|
|
|
|
|
public clearIPTracking(): void {
|
|
|
|
|
this.connectionsByIP.clear();
|
|
|
|
|
this.connectionRateByIP.clear();
|
|
|
|
|
}
|
|
|
|
|
}
|
