push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(performance): start with planning performance optimizations

Browse Source
This commit is contained in:
Philipp Kunz 2025-05-31 17:14:15 +00:00
parent af753ba1a8
commit 02603c3b07
6 changed files with 1397 additions and 1139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
package.json
View File

@ -18,7 +18,7 @@
"@git.zone/tsbuild": "^2.6.4",
"@git.zone/tsrun": "^1.2.44",
"@git.zone/tstest": "^2.3.1",
"@types/node": "^22.15.24",
"@types/node": "^22.15.29",
"typescript": "^5.8.3"
},
"dependencies": {

69
pnpm-lock.yaml generated
View File

@ -70,8 +70,8 @@ importers:
specifier: ^2.3.1
version: 2.3.1(@aws-sdk/credential-providers@3.798.0)(socks@2.8.4)(typescript@5.8.3)
'@types/node':
specifier: ^22.15.24
version: 22.15.24
specifier: ^22.15.29
version: 22.15.29
typescript:
specifier: ^5.8.3
version: 5.8.3
@ -1635,11 +1635,11 @@ packages:
'@types/node-forge@1.3.11':
resolution: {integrity: sha512-FQx220y22OKNTqaByeBGqHWYz4cl94tpcxeFdvBo3wjG6XPBuZ0BNgNZRV5J5TFmmcsJ4IzsLkmGRiQbnYsBEQ==}
'@types/node@18.19.105':
resolution: {integrity: sha512-a+DrwD2VyzqQR2W0EVF8EaCh6Em4ilQAYLEPZnMNkQHXR7ziWW7RUhZMWZAgRpkDDAdUIcJOXSPJT/zBEwz3sA==}
'@types/node@18.19.110':
resolution: {integrity: sha512-WW2o4gTmREtSnqKty9nhqF/vA0GKd0V/rbC0OyjSk9Bz6bzlsXKT+i7WDdS/a0z74rfT2PO4dArVCSnapNLA5Q==}
'@types/node@22.15.24':
resolution: {integrity: sha512-w9CZGm9RDjzTh/D+hFwlBJ3ziUaVw7oufKA3vOFSOZlzmW9AkZnfjPb+DLnrV6qtgL/LNmP0/2zBNCFHL3F0ng==}
'@types/node@22.15.29':
resolution: {integrity: sha512-LNdjOkUDlU1RZb8e1kOIUpN1qQUlzGkEtbVNo53vbrwDg5om6oduhm4SiUaPW5ASTXhAiP0jInWG8Qx9fVlOeQ==}
'@types/ping@0.4.4':
resolution: {integrity: sha512-ifvo6w2f5eJYlXm+HiVx67iJe8WZp87sfa683nlqED5Vnt9Z93onkokNoWqOG21EaE8fMxyKPobE+mkPEyxsdw==}
@ -5708,6 +5708,7 @@ snapshots:
- '@aws-sdk/credential-providers'
- '@mongodb-js/zstd'
- '@nuxt/kit'
- aws-crt
- encoding
- gcp-metadata
- kerberos
@ -7097,27 +7098,27 @@ snapshots:
'@types/bn.js@5.1.6':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/body-parser@1.19.5':
dependencies:
'@types/connect': 3.4.38
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/buffer-json@2.0.3': {}
'@types/clean-css@4.2.11':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
source-map: 0.6.1
'@types/connect@3.4.38':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/cors@2.8.18':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/debug@4.1.12':
dependencies:
@ -7129,7 +7130,7 @@ snapshots:
'@types/dns-packet@5.6.5':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/elliptic@6.4.18':
dependencies:
@ -7137,7 +7138,7 @@ snapshots:
'@types/express-serve-static-core@5.0.6':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/qs': 6.9.18
'@types/range-parser': 1.2.7
'@types/send': 0.17.4
@ -7154,30 +7155,30 @@ snapshots:
'@types/from2@2.3.5':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/fs-extra@11.0.4':
dependencies:
'@types/jsonfile': 6.1.4
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/fs-extra@9.0.13':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/glob@7.2.0':
dependencies:
'@types/minimatch': 5.1.2
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/glob@8.1.0':
dependencies:
'@types/minimatch': 5.1.2
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/gunzip-maybe@1.4.2':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/hast@3.0.4':
dependencies:
@ -7199,7 +7200,7 @@ snapshots:
'@types/jsonfile@6.1.4':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/mdast@4.0.4':
dependencies:
@ -7217,18 +7218,18 @@ snapshots:
'@types/node-fetch@2.6.12':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
form-data: 4.0.2
'@types/node-forge@1.3.11':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/node@18.19.105':
'@types/node@18.19.110':
dependencies:
undici-types: 5.26.5
'@types/node@22.15.24':
'@types/node@22.15.29':
dependencies:
undici-types: 6.21.0
@ -7244,30 +7245,30 @@ snapshots:
'@types/s3rver@3.7.4':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/semver@7.7.0': {}
'@types/send@0.17.4':
dependencies:
'@types/mime': 1.3.5
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/serve-static@1.15.7':
dependencies:
'@types/http-errors': 2.0.4
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/send': 0.17.4
'@types/symbol-tree@3.2.5': {}
'@types/tar-stream@2.2.3':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/through2@2.0.41':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/triple-beam@1.3.5': {}
@ -7291,18 +7292,18 @@ snapshots:
'@types/whatwg-url@8.2.2':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/webidl-conversions': 7.0.3
'@types/which@3.0.4': {}
'@types/ws@8.18.1':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
'@types/yauzl@2.10.3':
dependencies:
'@types/node': 22.15.24
'@types/node': 22.15.29
optional: true
'@ungap/structured-clone@1.3.0': {}
@ -7582,7 +7583,7 @@ snapshots:
cloudflare@4.2.0:
dependencies:
'@types/node': 18.19.105
'@types/node': 18.19.110
'@types/node-fetch': 2.6.12
abort-controller: 3.0.0
agentkeepalive: 4.6.0
@ -7835,7 +7836,7 @@ snapshots:
engine.io@6.6.4:
dependencies:
'@types/cors': 2.8.18
'@types/node': 22.15.24
'@types/node': 22.15.29
accepts: 1.3.8
base64id: 2.0.0
cookie: 0.7.2

26
readme.hints.md
View File

@ -318,4 +318,28 @@ const routes: IRouteConfig[] = [{
- Authentication requires TLS termination (cannot be enforced on passthrough/direct connections)
- Per-route connection limits are not yet implemented
- Security is defined at the route level (route.security), not in the action
- Route matching is based solely on match criteria; security is enforced after matching
- Route matching is based solely on match criteria; security is enforced after matching
## Performance Issues Investigation (v19.5.3+)
### Critical Blocking Operations Found
1. **Busy Wait Loop** in `ts/proxies/nftables-proxy/nftables-proxy.ts:235-238`
- Blocks entire event loop with `while (Date.now() < waitUntil) {}`
- Should use `await new Promise(resolve => setTimeout(resolve, delay))`
2. **Synchronous Filesystem Operations**
- Certificate management uses `fs.existsSync()`, `fs.mkdirSync()`, `fs.readFileSync()`
- NFTables proxy uses `execSync()` for system commands
- Certificate store uses `ensureDirSync()`, `fileExistsSync()`, `removeManySync()`
3. **Memory Leak Risks**
- Several `setInterval()` calls without storing references for cleanup
- Event listeners added without proper cleanup in error paths
- Missing `removeAllListeners()` calls in some connection cleanup scenarios
### Performance Recommendations
- Replace all sync filesystem operations with async alternatives
- Fix the busy wait loop immediately (critical event loop blocker)
- Add proper cleanup for all timers and event listeners
- Consider worker threads for CPU-intensive operations
- See `readme.problems.md` for detailed analysis and recommendations

1455
readme.plan.md
View File

File diff suppressed because it is too large Load Diff

764
readme.plan2.md
View File

@ -1,764 +0,0 @@
# SmartProxy Simplification Plan: Unify Action Types
## Summary
Complete removal of 'redirect', 'block', and 'static' action types, leaving only 'forward' and 'socket-handler'. All old code will be deleted entirely - no migration paths or backwards compatibility. Socket handlers will be enhanced to receive IRouteContext as a second parameter.
## Goal
Create a dramatically simpler SmartProxy with only two action types, where everything is either proxied (forward) or handled by custom code (socket-handler).
## Current State
```typescript
export type TRouteActionType = 'forward' | 'redirect' | 'block' | 'static' | 'socket-handler';
export type TSocketHandler = (socket: plugins.net.Socket) => void | Promise<void>;
```
## Target State
```typescript
export type TRouteActionType = 'forward' | 'socket-handler';
export type TSocketHandler = (socket: plugins.net.Socket, context: IRouteContext) => void | Promise<void>;
```
## Benefits
1. **Simpler API** - Only two action types to understand
2. **Unified handling** - Everything is either forwarding or custom socket handling
3. **More flexible** - Socket handlers can do anything the old types did and more
4. **Less code** - Remove specialized handlers and their dependencies
5. **Context aware** - Socket handlers get access to route context (domain, port, clientIp, etc.)
6. **Clean codebase** - No legacy code or migration paths
---
## Phase 1: Code to Remove
### 1.1 Action Type Handlers
- `RouteConnectionHandler.handleRedirectAction()`
- `RouteConnectionHandler.handleBlockAction()`
- `RouteConnectionHandler.handleStaticAction()`
### 1.2 Handler Classes
- `RedirectHandler` class (http-proxy/handlers/)
- `StaticHandler` class (http-proxy/handlers/)
### 1.3 Type Definitions
- 'redirect', 'block', 'static' from TRouteActionType
- IRouteRedirect interface
- IRouteStatic interface
- Related properties in IRouteAction
### 1.4 Helper Functions
- `createStaticFileRoute()`
- Any other helpers that create redirect/block/static routes
---
## Phase 2: Create Predefined Socket Handlers
### 2.1 Block Handler
```typescript
export const SocketHandlers = {
// ... existing handlers
/**
* Block connection immediately
*/
block: (message?: string) => (socket: plugins.net.Socket, context: IRouteContext) => {
// Can use context for logging or custom messages
const finalMessage = message || `Connection blocked from ${context.clientIp}`;
if (finalMessage) {
socket.write(finalMessage);
}
socket.end();
},
/**
* HTTP block response
*/
httpBlock: (statusCode: number = 403, message?: string) => (socket: plugins.net.Socket, context: IRouteContext) => {
// Can customize message based on context
const defaultMessage = `Access forbidden for ${context.domain || context.clientIp}`;
const finalMessage = message || defaultMessage;
const response = [
`HTTP/1.1 ${statusCode} ${finalMessage}`,
'Content-Type: text/plain',
`Content-Length: ${finalMessage.length}`,
'Connection: close',
'',
finalMessage
].join('\r\n');
socket.write(response);
socket.end();
}
};
```
### 2.2 Redirect Handler
```typescript
export const SocketHandlers = {
// ... existing handlers
/**
* HTTP redirect handler
*/
httpRedirect: (locationTemplate: string, statusCode: number = 301) => (socket: plugins.net.Socket, context: IRouteContext) => {
let buffer = '';
socket.once('data', (data) => {
buffer += data.toString();
// Parse HTTP request
const lines = buffer.split('\r\n');
const requestLine = lines[0];
const [method, path] = requestLine.split(' ');
// Use domain from context (more reliable than Host header)
const domain = context.domain || 'localhost';
const port = context.port;
// Replace placeholders in location using context
let finalLocation = locationTemplate
.replace('{domain}', domain)
.replace('{port}', String(port))
.replace('{path}', path)
.replace('{clientIp}', context.clientIp);
const message = `Redirecting to ${finalLocation}`;
const response = [
`HTTP/1.1 ${statusCode} ${statusCode === 301 ? 'Moved Permanently' : 'Found'}`,
`Location: ${finalLocation}`,
'Content-Type: text/plain',
`Content-Length: ${message.length}`,
'Connection: close',
'',
message
].join('\r\n');
socket.write(response);
socket.end();
});
}
};
```
### 2.3 Benefits of Context in Socket Handlers
With routeContext as a second parameter, socket handlers can:
- Access client IP for logging or rate limiting
- Use domain information for multi-tenant handling
- Check if connection is TLS and what version
- Access route name/ID for metrics
- Build more intelligent responses based on context
Example advanced handler:
```typescript
const rateLimitHandler = (maxRequests: number) => {
const ipCounts = new Map<string, number>();
return (socket: net.Socket, context: IRouteContext) => {
const count = (ipCounts.get(context.clientIp) || 0) + 1;
ipCounts.set(context.clientIp, count);
if (count > maxRequests) {
socket.write(`Rate limit exceeded for ${context.clientIp}\n`);
socket.end();
return;
}
// Process request...
};
};
```
---
## Phase 3: Update Helper Functions
### 3.1 Update createHttpToHttpsRedirect
```typescript
export function createHttpToHttpsRedirect(
domains: string | string[],
httpsPort: number = 443,
options: Partial<IRouteConfig> = {}
): IRouteConfig {
return {
name: options.name || `HTTP to HTTPS Redirect for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
match: {
ports: options.match?.ports || 80,
domains
},
action: {
type: 'socket-handler',
socketHandler: SocketHandlers.httpRedirect(`https://{domain}:${httpsPort}{path}`, 301)
},
...options
};
}
```
### 3.2 Update createSocketHandlerRoute
```typescript
export function createSocketHandlerRoute(
domains: string | string[],
ports: TPortRange,
handler: TSocketHandler,
options: { name?: string; priority?: number; path?: string } = {}
): IRouteConfig {
return {
name: options.name || 'socket-handler-route',
priority: options.priority !== undefined ? options.priority : 50,
match: {
domains,
ports,
...(options.path && { path: options.path })
},
action: {
type: 'socket-handler',
socketHandler: handler
}
};
}
```
---
## Phase 4: Core Implementation Changes
### 4.1 Update Route Connection Handler
```typescript
// Remove these methods:
// - handleRedirectAction()
// - handleBlockAction()
// - handleStaticAction()
// Update switch statement to only have:
switch (route.action.type) {
case 'forward':
return this.handleForwardAction(socket, record, route, initialChunk);
case 'socket-handler':
this.handleSocketHandlerAction(socket, record, route, initialChunk);
return;
default:
logger.log('error', `Unknown action type '${(route.action as any).type}'`);
socket.end();
this.connectionManager.cleanupConnection(record, 'unknown_action');
}
```
### 4.2 Update Socket Handler to Pass Context
```typescript
private async handleSocketHandlerAction(
socket: plugins.net.Socket,
record: IConnectionRecord,
route: IRouteConfig,
initialChunk?: Buffer
): Promise<void> {
const connectionId = record.id;
// Create route context for the handler
const routeContext = this.createRouteContext({
connectionId: record.id,
port: record.localPort,
domain: record.lockedDomain,
clientIp: record.remoteIP,
serverIp: socket.localAddress || '',
isTls: record.isTLS || false,
tlsVersion: record.tlsVersion,
routeName: route.name,
routeId: route.id,
});
try {
// Call the handler with socket AND context
const result = route.action.socketHandler(socket, routeContext);
// Rest of implementation stays the same...
} catch (error) {
// Error handling...
}
}
```
### 4.3 Clean Up Imports and Exports
- Remove imports of deleted handler classes
- Update index.ts files to remove exports
- Clean up any unused imports
---
## Phase 5: Test Updates
### 5.1 Remove Old Tests
- Delete tests for redirect action type
- Delete tests for block action type
- Delete tests for static action type
### 5.2 Add New Socket Handler Tests
- Test block socket handler with context
- Test HTTP redirect socket handler with context
- Test that context is properly passed to all handlers
---
## Phase 6: Documentation Updates
### 6.1 Update README.md
- Remove documentation for redirect, block, static action types
- Document the two remaining action types: forward and socket-handler
- Add examples using socket handlers with context
### 6.2 Update Type Documentation
```typescript
/**
* Route action types
* - 'forward': Proxy the connection to a target host:port
* - 'socket-handler': Pass the socket to a custom handler function
*/
export type TRouteActionType = 'forward' | 'socket-handler';
/**
* Socket handler function
* @param socket - The incoming socket connection
* @param context - Route context with connection information
*/
export type TSocketHandler = (socket: net.Socket, context: IRouteContext) => void | Promise<void>;
```
### 6.3 Example Documentation
```typescript
// Example: Block connections from specific IPs
const ipBlocker = (socket: net.Socket, context: IRouteContext) => {
if (context.clientIp.startsWith('192.168.')) {
socket.write('Internal IPs not allowed\n');
socket.end();
return;
}
// Forward to backend...
};
// Example: Domain-based routing
const domainRouter = (socket: net.Socket, context: IRouteContext) => {
const backend = context.domain === 'api.example.com' ? 'api-server' : 'web-server';
// Forward to appropriate backend...
};
```
---
## Implementation Steps
1. **Update TSocketHandler type** (15 minutes)
- Add IRouteContext as second parameter
- Update type definition in route-types.ts
2. **Update socket handler implementation** (30 minutes)
- Create routeContext in handleSocketHandlerAction
- Pass context to socket handler function
- Update all existing socket handlers in route-helpers.ts
3. **Remove old action types** (30 minutes)
- Remove 'redirect', 'block', 'static' from TRouteActionType
- Remove IRouteRedirect, IRouteStatic interfaces
- Clean up IRouteAction interface
4. **Delete old handlers** (45 minutes)
- Delete handleRedirectAction, handleBlockAction, handleStaticAction methods
- Delete RedirectHandler and StaticHandler classes
- Remove imports and exports
5. **Update route connection handler** (30 minutes)
- Simplify switch statement to only handle 'forward' and 'socket-handler'
- Remove all references to deleted action types
6. **Create new socket handlers** (30 minutes)
- Implement SocketHandlers.block() with context
- Implement SocketHandlers.httpBlock() with context
- Implement SocketHandlers.httpRedirect() with context
7. **Update helper functions** (30 minutes)
- Update createHttpToHttpsRedirect to use socket handler
- Delete createStaticFileRoute entirely
- Update any other affected helpers
8. **Clean up tests** (1.5 hours)
- Delete all tests for removed action types
- Update socket handler tests to verify context parameter
- Add new tests for block/redirect socket handlers
9. **Update documentation** (30 minutes)
- Update README.md
- Update type documentation
- Add examples of context usage
**Total estimated time: ~5 hours**
---
## Considerations
### Benefits
- **Dramatically simpler API** - Only 2 action types instead of 5
- **Consistent handling model** - Everything is either forwarding or custom handling
- **More powerful** - Socket handlers with context can do much more than old static types
- **Less code to maintain** - Removing hundreds of lines of specialized handler code
- **Better extensibility** - Easy to add new socket handlers for any use case
- **Context awareness** - All handlers get full connection context
### Trade-offs
- Static file serving removed (users should use nginx/apache behind proxy)
- HTTP-specific logic (redirects) now in socket handlers (but more flexible)
- Slightly more verbose configuration for simple blocks/redirects
### Why This Approach
1. **Simplicity wins** - Two concepts are easier to understand than five
2. **Power through context** - Socket handlers with context are more capable
3. **Clean break** - No migration paths means cleaner code
4. **Future proof** - Easy to add new handlers without changing core
---
## Code Examples: Before and After
### Block Action
```typescript
// BEFORE
{
action: { type: 'block' }
}
// AFTER
{
action: {
type: 'socket-handler',
socketHandler: SocketHandlers.block()
}
}
```
### HTTP Redirect
```typescript
// BEFORE
{
action: {
type: 'redirect',
redirect: {
to: 'https://{domain}:443{path}',
status: 301
}
}
}
// AFTER
{
action: {
type: 'socket-handler',
socketHandler: SocketHandlers.httpRedirect('https://{domain}:443{path}', 301)
}
}
```
### Custom Handler with Context
```typescript
// NEW CAPABILITY - Access to full context
{
action: {
type: 'socket-handler',
socketHandler: (socket, context) => {
console.log(`Connection from ${context.clientIp} to ${context.domain}:${context.port}`);
// Custom handling based on context...
}
}
}
```
---
## Detailed Implementation Tasks
### Step 1: Update TSocketHandler Type (15 minutes)
- [x] Open `ts/proxies/smart-proxy/models/route-types.ts`
- [x] Find line 14: `export type TSocketHandler = (socket: plugins.net.Socket) => void | Promise<void>;`
- [x] Import IRouteContext at top of file: `import type { IRouteContext } from '../../../core/models/route-context.js';`
- [x] Update TSocketHandler to: `export type TSocketHandler = (socket: plugins.net.Socket, context: IRouteContext) => void | Promise<void>;`
- [x] Save file
### Step 2: Update Socket Handler Implementation (30 minutes)
- [x] Open `ts/proxies/smart-proxy/route-connection-handler.ts`
- [x] Find `handleSocketHandlerAction` method (around line 790)
- [x] Add route context creation after line 809:
```typescript
// Create route context for the handler
const routeContext = this.createRouteContext({
connectionId: record.id,
port: record.localPort,
domain: record.lockedDomain,
clientIp: record.remoteIP,
serverIp: socket.localAddress || '',
isTls: record.isTLS || false,
tlsVersion: record.tlsVersion,
routeName: route.name,
routeId: route.id,
});
```
- [x] Update line 812 from `const result = route.action.socketHandler(socket);`
- [x] To: `const result = route.action.socketHandler(socket, routeContext);`
- [x] Save file
### Step 3: Update Existing Socket Handlers in route-helpers.ts (20 minutes)
- [x] Open `ts/proxies/smart-proxy/utils/route-helpers.ts`
- [x] Update `echo` handler (line 856):
- From: `echo: (socket: plugins.net.Socket) => {`
- To: `echo: (socket: plugins.net.Socket, context: IRouteContext) => {`
- [x] Update `proxy` handler (line 864):
- From: `proxy: (targetHost: string, targetPort: number) => (socket: plugins.net.Socket) => {`
- To: `proxy: (targetHost: string, targetPort: number) => (socket: plugins.net.Socket, context: IRouteContext) => {`
- [x] Update `lineProtocol` handler (line 879):
- From: `lineProtocol: (handler: (line: string, socket: plugins.net.Socket) => void) => (socket: plugins.net.Socket) => {`
- To: `lineProtocol: (handler: (line: string, socket: plugins.net.Socket) => void) => (socket: plugins.net.Socket, context: IRouteContext) => {`
- [ ] Update `httpResponse` handler (line 896):
- From: `httpResponse: (statusCode: number, body: string) => (socket: plugins.net.Socket) => {`
- To: `httpResponse: (statusCode: number, body: string) => (socket: plugins.net.Socket, context: IRouteContext) => {`
- [ ] Save file
### Step 4: Remove Old Action Types from Type Definitions (15 minutes)
- [ ] Open `ts/proxies/smart-proxy/models/route-types.ts`
- [ ] Find line with TRouteActionType (around line 10)
- [ ] Change from: `export type TRouteActionType = 'forward' | 'redirect' | 'block' | 'static' | 'socket-handler';`
- [ ] To: `export type TRouteActionType = 'forward' | 'socket-handler';`
- [ ] Find and delete IRouteRedirect interface (around line 123-126)
- [ ] Find and delete IRouteStatic interface (if exists)
- [ ] Find IRouteAction interface
- [ ] Remove these properties:
- `redirect?: IRouteRedirect;`
- `static?: IRouteStatic;`
- [ ] Save file
### Step 5: Delete Handler Classes (15 minutes)
- [ ] Delete file: `ts/proxies/http-proxy/handlers/redirect-handler.ts`
- [ ] Delete file: `ts/proxies/http-proxy/handlers/static-handler.ts`
- [ ] Open `ts/proxies/http-proxy/handlers/index.ts`
- [ ] Delete all content (the file only exports RedirectHandler and StaticHandler)
- [ ] Save empty file or delete it
### Step 6: Remove Handler Methods from RouteConnectionHandler (30 minutes)
- [ ] Open `ts/proxies/smart-proxy/route-connection-handler.ts`
- [ ] Find and delete entire `handleRedirectAction` method (around line 723)
- [ ] Find and delete entire `handleBlockAction` method (around line 750)
- [ ] Find and delete entire `handleStaticAction` method (around line 773)
- [ ] Remove imports at top:
- `import { RedirectHandler, StaticHandler } from '../http-proxy/handlers/index.js';`
- [ ] Save file
### Step 7: Update Switch Statement (15 minutes)
- [ ] Still in `route-connection-handler.ts`
- [ ] Find switch statement (around line 388)
- [ ] Remove these cases:
- `case 'redirect': return this.handleRedirectAction(...)`
- `case 'block': return this.handleBlockAction(...)`
- `case 'static': this.handleStaticAction(...); return;`
- [ ] Verify only 'forward' and 'socket-handler' cases remain
- [ ] Save file
### Step 8: Add New Socket Handlers to route-helpers.ts (30 minutes)
- [ ] Open `ts/proxies/smart-proxy/utils/route-helpers.ts`
- [ ] Add import at top: `import type { IRouteContext } from '../../../core/models/route-context.js';`
- [ ] Add to SocketHandlers object:
```typescript
/**
* Block connection immediately
*/
block: (message?: string) => (socket: plugins.net.Socket, context: IRouteContext) => {
const finalMessage = message || `Connection blocked from ${context.clientIp}`;
if (finalMessage) {
socket.write(finalMessage);
}
socket.end();
},
/**
* HTTP block response
*/
httpBlock: (statusCode: number = 403, message?: string) => (socket: plugins.net.Socket, context: IRouteContext) => {
const defaultMessage = `Access forbidden for ${context.domain || context.clientIp}`;
const finalMessage = message || defaultMessage;
const response = [
`HTTP/1.1 ${statusCode} ${finalMessage}`,
'Content-Type: text/plain',
`Content-Length: ${finalMessage.length}`,
'Connection: close',
'',
finalMessage
].join('\r\n');
socket.write(response);
socket.end();
},
/**
* HTTP redirect handler
*/
httpRedirect: (locationTemplate: string, statusCode: number = 301) => (socket: plugins.net.Socket, context: IRouteContext) => {
let buffer = '';
socket.once('data', (data) => {
buffer += data.toString();
const lines = buffer.split('\r\n');
const requestLine = lines[0];
const [method, path] = requestLine.split(' ');
const domain = context.domain || 'localhost';
const port = context.port;
let finalLocation = locationTemplate
.replace('{domain}', domain)
.replace('{port}', String(port))
.replace('{path}', path)
.replace('{clientIp}', context.clientIp);
const message = `Redirecting to ${finalLocation}`;
const response = [
`HTTP/1.1 ${statusCode} ${statusCode === 301 ? 'Moved Permanently' : 'Found'}`,
`Location: ${finalLocation}`,
'Content-Type: text/plain',
`Content-Length: ${message.length}`,
'Connection: close',
'',
message
].join('\r\n');
socket.write(response);
socket.end();
});
}
```
- [x] Save file
### Step 9: Update Helper Functions (20 minutes)
- [x] Still in `route-helpers.ts`
- [x] Update `createHttpToHttpsRedirect` function (around line 109):
- Change the action to use socket handler:
```typescript
action: {
type: 'socket-handler',
socketHandler: SocketHandlers.httpRedirect(`https://{domain}:${httpsPort}{path}`, 301)
}
```
- [x] Delete entire `createStaticFileRoute` function (lines 277-322)
- [x] Save file
### Step 10: Update Test Files (1.5 hours)
#### 10.1 Update Socket Handler Tests
- [x] Open `test/test.socket-handler.ts`
- [x] Update all handler functions to accept context parameter
- [x] Open `test/test.socket-handler.simple.ts`
- [x] Update handler to accept context parameter
- [x] Open `test/test.socket-handler-race.ts`
- [x] Update handler to accept context parameter
#### 10.2 Find and Update/Delete Redirect Tests
- [x] Search for files containing `type: 'redirect'` in test directory
- [x] For each file:
- [x] If it's a redirect-specific test, delete the file
- [x] If it's a mixed test, update redirect actions to use socket handlers
- [x] Files to check:
- [x] `test/test.route-redirects.ts` - deleted entire file
- [x] `test/test.forwarding.ts` - update any redirect tests
- [x] `test/test.forwarding.examples.ts` - update any redirect tests
- [x] `test/test.route-config.ts` - update any redirect tests
#### 10.3 Find and Update/Delete Block Tests
- [x] Search for files containing `type: 'block'` in test directory
- [x] Update or delete as appropriate
#### 10.4 Find and Delete Static Tests
- [x] Search for files containing `type: 'static'` in test directory
- [x] Delete static-specific test files
- [x] Remove static tests from mixed test files
### Step 11: Clean Up Imports and Exports (20 minutes)
- [x] Open `ts/proxies/smart-proxy/utils/index.ts`
- [x] Ensure route-helpers.ts is exported
- [x] Remove any exports of deleted functions
- [x] Open `ts/index.ts`
- [x] Remove any exports of deleted types/interfaces
- [x] Search for any remaining imports of RedirectHandler or StaticHandler
- [x] Remove any found imports
### Step 12: Documentation Updates (30 minutes)
- [x] Update README.md:
- [x] Remove any mention of redirect, block, static action types
- [x] Add examples of socket handlers with context
- [x] Document the two action types: forward and socket-handler
- [x] Update any JSDoc comments in modified files
- [x] Add examples showing context usage
### Step 13: Final Verification (15 minutes)
- [x] Run build: `pnpm build`
- [x] Fix any compilation errors
- [x] Run tests: `pnpm test`
- [x] Fix any failing tests
- [x] Search codebase for any remaining references to:
- [x] 'redirect' action type
- [x] 'block' action type
- [x] 'static' action type
- [x] RedirectHandler
- [x] StaticHandler
- [x] IRouteRedirect
- [x] IRouteStatic
### Step 14: Test New Functionality (30 minutes)
- [x] Create test for block socket handler with context
- [x] Create test for httpBlock socket handler with context
- [x] Create test for httpRedirect socket handler with context
- [x] Verify context is properly passed in all scenarios
---
## Files to be Modified/Deleted
### Files to Modify:
1. `ts/proxies/smart-proxy/models/route-types.ts` - Update types
2. `ts/proxies/smart-proxy/route-connection-handler.ts` - Remove handlers, update switch
3. `ts/proxies/smart-proxy/utils/route-helpers.ts` - Update handlers, add new ones
4. `ts/proxies/http-proxy/handlers/index.ts` - Remove exports
5. Various test files - Update to use socket handlers
### Files to Delete:
1. `ts/proxies/http-proxy/handlers/redirect-handler.ts`
2. `ts/proxies/http-proxy/handlers/static-handler.ts`
3. `test/test.route-redirects.ts` (likely)
4. Any static-specific test files
### Test Files Requiring Updates (15 files found):
- test/test.acme-http01-challenge.ts
- test/test.logger-error-handling.ts
- test/test.port80-management.node.ts
- test/test.route-update-callback.node.ts
- test/test.acme-state-manager.node.ts
- test/test.acme-route-creation.ts
- test/test.forwarding.ts
- test/test.route-redirects.ts
- test/test.forwarding.examples.ts
- test/test.acme-simple.ts
- test/test.acme-http-challenge.ts
- test/test.certificate-provisioning.ts
- test/test.route-config.ts
- test/test.route-utils.ts
- test/test.certificate-simple.ts
---
## Success Criteria
- ✅ Only 'forward' and 'socket-handler' action types remain
- ✅ Socket handlers receive IRouteContext as second parameter
- ✅ All old handler code completely removed
- ✅ Redirect functionality works via context-aware socket handlers
- ✅ Block functionality works via context-aware socket handlers
- ✅ All tests updated and passing
- ✅ Documentation updated with new examples
- ✅ No performance regression
- ✅ Cleaner, simpler codebase

220
readme.problems.md
View File

@ -1,86 +1,170 @@
# SmartProxy Module Problems
# SmartProxy Performance Issues Report
Based on test analysis, the following potential issues have been identified in the SmartProxy module:
## Executive Summary
This report identifies performance issues and blocking operations in the SmartProxy codebase that could impact scalability and responsiveness under high load.
## 1. HttpProxy Route Configuration Issue
**Location**: `ts/proxies/http-proxy/http-proxy.ts:380`
**Problem**: The HttpProxy is trying to read the 'type' property of an undefined object when updating route configurations.
**Evidence**: `test.http-forwarding-fix.ts` fails with:
```
TypeError: Cannot read properties of undefined (reading 'type')
at HttpProxy.updateRouteConfigs (/mnt/data/lossless/push.rocks/smartproxy/ts/proxies/http-proxy/http-proxy.ts:380:24)
```
**Impact**: Routes with `useHttpProxy` configuration may not work properly.
## Critical Issues
## 2. Connection Forwarding Issues
**Problem**: Basic TCP forwarding appears to not be working correctly after the simplification to just 'forward' and 'socket-handler' action types.
**Evidence**: Multiple forwarding tests timeout waiting for data to be forwarded:
- `test.forwarding-fix-verification.ts` - times out waiting for forwarded data
- `test.connection-forwarding.ts` - times out on SNI-based forwarding
**Impact**: The 'forward' action type may not be properly forwarding connections to target servers.
### 1. **Synchronous Filesystem Operations**
These operations block the event loop and should be replaced with async alternatives:
## 3. Missing Certificate Manager Methods
**Problem**: Tests expect `provisionAllCertificates` method on certificate manager but it may not exist or may not be properly initialized.
**Evidence**: Multiple tests fail with "this.certManager.provisionAllCertificates is not a function"
**Impact**: Certificate provisioning may not work as expected.
#### Certificate Management
- `ts/proxies/http-proxy/certificate-manager.ts:29`: `fs.existsSync()`
- `ts/proxies/http-proxy/certificate-manager.ts:30`: `fs.mkdirSync()`
- `ts/proxies/http-proxy/certificate-manager.ts:49-50`: `fs.readFileSync()` for loading certificates
## 4. Route Update Mechanism
**Problem**: The route update mechanism may have issues preserving certificate manager callbacks and other state.
**Evidence**: Tests specifically designed to verify callback preservation after route updates.
**Impact**: Dynamic route updates might break certificate management functionality.
#### NFTables Proxy
- `ts/proxies/nftables-proxy/nftables-proxy.ts`: Multiple uses of `execSync()` for system commands
- `ts/proxies/nftables-proxy/nftables-proxy.ts`: Multiple `fs.writeFileSync()` and `fs.unlinkSync()` operations
## 5. Route-Specific Security Not Fully Implemented
**Problem**: While the route definitions support security configurations (ipAllowList, ipBlockList, authentication), these are not being enforced at the route level.
**Evidence**:
- SecurityManager has methods like `isIPAuthorized` for route-specific security
- Route connection handler only checks global IP validation, not route-specific security rules
- No evidence of route.action.security being checked when handling connections
**Impact**: Route-specific security rules defined in configuration are not enforced, potentially allowing unauthorized access.
**Status**: ✅ FIXED - Route-specific IP allow/block lists are now enforced when a route is matched. Authentication is logged as not enforceable for non-terminated connections.
**Additional Fix**: Removed security checks from route matching logic - security is now properly enforced AFTER a route is matched, not during matching.
#### Certificate Store
- `ts/proxies/smart-proxy/cert-store.ts:8`: `ensureDirSync()`
- `ts/proxies/smart-proxy/cert-store.ts:15,31,76`: `fileExistsSync()`
- `ts/proxies/smart-proxy/cert-store.ts:77`: `removeManySync()`
## 6. Security Property Location Consolidation
**Problem**: Security was defined in two places - route.security and route.action.security - causing confusion.
**Status**: ✅ FIXED - Consolidated to only route.security. Removed action.security from types and updated all references.
### 2. **Event Loop Blocking Operations**
#### Busy Wait Loop
- `ts/proxies/nftables-proxy/nftables-proxy.ts:235-238`:
```typescript
const waitUntil = Date.now() + retryDelayMs;
while (Date.now() < waitUntil) {
// busy wait - blocks event loop completely
}
```
This is extremely problematic as it blocks the entire Node.js event loop.
### 3. **Potential Memory Leaks**
#### Timer Management Issues
Several timers are created without proper cleanup:
- `ts/proxies/http-proxy/function-cache.ts`: `setInterval()` without storing reference for cleanup
- `ts/proxies/http-proxy/request-handler.ts`: `setInterval()` for rate limit cleanup without cleanup
- `ts/core/utils/shared-security-manager.ts`: `cleanupInterval` stored but no cleanup method
#### Event Listener Accumulation
- Multiple instances of event listeners being added without corresponding cleanup
- Connection handlers add listeners without always removing them on connection close
### 4. **Connection Pool Management**
#### ConnectionPool (ts/proxies/http-proxy/connection-pool.ts)
**Good practices observed:**
- Proper connection lifecycle management
- Periodic cleanup of idle connections
- Connection limits enforcement
**Potential issues:**
- No backpressure mechanism when pool is full
- Synchronous sorting operation in `cleanupConnectionPool()` could be slow with many connections
### 5. **Resource Management Issues**
#### Socket Cleanup
- Some error paths don't properly clean up sockets
- Missing `removeAllListeners()` in some error scenarios could lead to memory leaks
#### Timeout Management
- Inconsistent timeout handling across different components
- Some sockets created without timeout settings
### 6. **JSON Operations on Large Objects**
- `ts/proxies/smart-proxy/cert-store.ts:21`: `JSON.parse()` on certificate metadata
- `ts/proxies/smart-proxy/cert-store.ts:71`: `JSON.stringify()` with pretty printing
- `ts/proxies/http-proxy/function-cache.ts:76`: `JSON.stringify()` for cache keys (called frequently)
## Recommendations
1. **Verify Forward Action Implementation**: Check that the 'forward' action type properly establishes bidirectional data flow between client and target server. ✅ FIXED - Basic forwarding now works correctly.
### Immediate Actions (High Priority)
2. **Fix HttpProxy Route Handling**: Ensure that route objects passed to HttpProxy.updateRouteConfigs have the expected structure with all required properties. ✅ FIXED - Routes now preserve their structure.
1. **Replace Synchronous Operations**
```typescript
// Instead of:
if (fs.existsSync(path)) { ... }
// Use:
try {
await fs.promises.access(path);
// file exists
} catch {
// file doesn't exist
}
```
3. **Review Certificate Manager API**: Ensure all expected methods exist and are properly documented.
2. **Fix Busy Wait Loop**
```typescript
// Instead of:
while (Date.now() < waitUntil) { }
// Use:
await new Promise(resolve => setTimeout(resolve, retryDelayMs));
```
4. **Add Integration Tests**: Many unit tests are testing internal implementation details. Consider adding more integration tests that test the public API.
3. **Add Timer Cleanup**
```typescript
class Component {
private cleanupTimer?: NodeJS.Timeout;
start() {
this.cleanupTimer = setInterval(() => { ... }, 60000);
}
stop() {
if (this.cleanupTimer) {
clearInterval(this.cleanupTimer);
this.cleanupTimer = undefined;
}
}
}
```
5. **Implement Route-Specific Security**: Add security checks when a route is matched to enforce route-specific IP allow/block lists and authentication rules. ✅ FIXED - IP allow/block lists are now enforced at the route level.
### Medium Priority
6. **Fix TLS Detection Logic**: The connection handler was treating all connections as TLS. This has been partially fixed but needs proper testing for all TLS modes.
1. **Optimize JSON Operations**
- Cache JSON.stringify results for frequently used objects
- Consider using faster hashing for cache keys (e.g., crypto.createHash)
- Use streaming JSON parsers for large objects
## 7. HTTP Domain Matching Issue
**Problem**: Routes with domain restrictions fail to match HTTP connections because domain information is only available after HTTP headers are received, but route matching happens immediately upon connection.
**Evidence**:
- `test.http-port8080-forwarding.ts` - "No route found for connection on port 8080" despite having a matching route
- HTTP connections provide domain info via the Host header, which arrives after the initial TCP connection
- Route matching in `handleInitialData` happens before HTTP headers are parsed
**Impact**: HTTP routes with domain restrictions cannot be matched, forcing users to remove domain restrictions for HTTP routes.
**Root Cause**: For non-TLS connections, SmartProxy attempts to match routes immediately, but the domain information needed for matching is only available after parsing HTTP headers.
**Status**: ✅ FIXED - Added skipDomainCheck parameter to route matching for HTTP proxy ports. When a port is configured with useHttpProxy and the connection is not TLS, domain validation is skipped at the initial route matching stage, allowing the HttpProxy to handle domain-based routing after headers are received.
2. **Improve Connection Pool**
- Implement backpressure/queueing when pool is full
- Use a heap or priority queue for connection management instead of sorting
## 8. HttpProxy Plain HTTP Forwarding Issue
**Problem**: HttpProxy is an HTTPS server but SmartProxy forwards plain HTTP connections to it via `useHttpProxy` configuration.
**Evidence**:
- `test.http-port8080-forwarding.ts` - Connection immediately closed after forwarding to HttpProxy
- HttpProxy is created with `http2.createSecureServer` expecting TLS connections
- SmartProxy forwards raw HTTP data to HttpProxy's HTTPS port
**Impact**: Plain HTTP connections cannot be handled by HttpProxy, despite `useHttpProxy` configuration suggesting this should work.
**Root Cause**: Design mismatch - HttpProxy is designed for HTTPS/TLS termination, not plain HTTP forwarding.
**Status**: Documented. The `useHttpProxy` configuration should only be used for ports that receive TLS connections requiring termination. For plain HTTP forwarding, use direct forwarding without HttpProxy.
3. **Standardize Resource Cleanup**
- Create a base class for components with lifecycle management
- Ensure all event listeners are removed on cleanup
- Add abort controllers for better cancellation support
## 9. Route Security Configuration Location Issue
**Problem**: Tests were placing security configuration in `route.action.security` instead of `route.security`.
**Evidence**:
- `test.route-security.ts` - IP block list test failing because security was in wrong location
- IRouteConfig interface defines security at route level, not inside action
**Impact**: Security rules defined in action.security were ignored, causing tests to fail.
**Status**: ✅ FIXED - Updated tests to place security configuration at the correct location (route.security).
### Long-term Improvements
1. **Worker Threads**
- Move CPU-intensive operations to worker threads
- Consider using worker pools for NFTables operations
2. **Monitoring and Metrics**
- Add performance monitoring for event loop lag
- Track connection pool utilization
- Monitor memory usage patterns
3. **Graceful Degradation**
- Implement circuit breakers for backend connections
- Add request queuing with overflow protection
- Implement adaptive timeout strategies
## Impact Assessment
These issues primarily affect:
- **Scalability**: Blocking operations limit concurrent connection handling
- **Responsiveness**: Event loop blocking causes latency spikes
- **Stability**: Memory leaks could cause crashes under sustained load
- **Resource Usage**: Inefficient resource management increases memory/CPU usage
## Testing Recommendations
1. Load test with high connection counts (10k+ concurrent)
2. Monitor event loop lag under stress
3. Test long-running scenarios to detect memory leaks
4. Benchmark with async vs sync operations to measure improvement
## Conclusion
While SmartProxy has good architectural design and many best practices, the identified blocking operations and resource management issues could significantly impact performance under high load. The most critical issues (busy wait loop and synchronous filesystem operations) should be addressed immediately.