push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(CertificateManager): Implement on-demand certificate retrieval for missing SNI certificates. When no certificate is found for a TLS ClientHello, the system now automatically registers the domain with the Port80Handler to trigger ACME issuance and immediately falls back to using the default certificate to complete the handshake. Additionally, HTTP requests on port 80 for unrecognized domains now return a 503 indicating that certificate issuance is in progress.

Browse Source
This commit is contained in:
Philipp Kunz
2025-05-05 17:03:22 +00:00
parent 036d522048
commit 0f356c9bbf
7 changed files with 83 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ts/00_commitinfo_data.ts
View File

@ -3,6 +3,6 @@
*/
export const commitinfo = {
name: '@push.rocks/smartproxy',
version: '10.1.0',
version: '10.2.0',
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
}

15
ts/networkproxy/classes.np.certificatemanager.ts
View File

@ -183,7 +183,6 @@ export class CertificateManager {
// Check if we have a certificate for this domain
const certs = this.certificateCache.get(domain);
if (certs) {
try {
// Create TLS context with the cached certificate
@ -191,7 +190,6 @@ export class CertificateManager {
key: certs.key,
cert: certs.cert
});
this.logger.debug(`Using cached certificate for ${domain}`);
cb(null, context);
return;
@ -199,6 +197,19 @@ export class CertificateManager {
this.logger.error(`Error creating secure context for ${domain}:`, err);
}
}
// No existing certificate: trigger dynamic provisioning via Port80Handler
if (this.port80Handler) {
try {
this.logger.info(`Triggering on-demand certificate retrieval for ${domain}`);
this.port80Handler.addDomain({
domainName: domain,
sslRedirect: false,
acmeMaintenance: true
});
} catch (err) {
this.logger.error(`Error registering domain for on-demand certificate: ${domain}`, err);
}
}
// Check if we should trigger certificate issuance
if (this.options.acme?.enabled && this.port80Handler && !domain.includes('*')) {

102
ts/port80handler/classes.port80handler.ts
View File

@ -247,66 +247,6 @@ export class Port80Handler extends plugins.EventEmitter {
}
}
/**
* Sets a certificate for a domain directly (for externally obtained certificates)
* @param domain The domain for the certificate
* @param certificate The certificate (PEM format)
* @param privateKey The private key (PEM format)
* @param expiryDate Optional expiry date
*/
public setCertificate(domain: string, certificate: string, privateKey: string, expiryDate?: Date): void {
if (!domain || !certificate || !privateKey) {
throw new Port80HandlerError('Domain, certificate and privateKey are required');
}
// Don't allow setting certificates for glob patterns
if (this.isGlobPattern(domain)) {
throw new Port80HandlerError('Cannot set certificate for glob pattern domains');
}
let domainInfo = this.domainCertificates.get(domain);
if (!domainInfo) {
// Create default domain options if not already configured
const defaultOptions: IDomainOptions = {
domainName: domain,
sslRedirect: true,
acmeMaintenance: true
};
domainInfo = {
options: defaultOptions,
certObtained: false,
obtainingInProgress: false
};
this.domainCertificates.set(domain, domainInfo);
}
domainInfo.certificate = certificate;
domainInfo.privateKey = privateKey;
domainInfo.certObtained = true;
domainInfo.obtainingInProgress = false;
if (expiryDate) {
domainInfo.expiryDate = expiryDate;
} else {
// Extract expiry date from certificate
domainInfo.expiryDate = this.extractExpiryDateFromCertificate(certificate, domain);
}
console.log(`Certificate set for ${domain}`);
// (Persistence of certificates moved to CertProvisioner)
// Emit certificate event
this.emitCertificateEvent(Port80HandlerEvents.CERTIFICATE_ISSUED, {
domain,
certificate,
privateKey,
expiryDate: domainInfo.expiryDate || this.getDefaultExpiryDate()
});
}
/**
* Gets the certificate for a domain if it exists
* @param domain The domain to get the certificate for
@ -409,9 +349,19 @@ export class Port80Handler extends plugins.EventEmitter {
// Extract domain (ignoring any port in the Host header)
const domain = hostHeader.split(':')[0];
// Dynamic provisioning: if domain not yet managed, register for ACME and return 503
if (!this.domainCertificates.has(domain)) {
try {
this.addDomain({ domainName: domain, sslRedirect: false, acmeMaintenance: true });
} catch (err) {
console.error(`Error registering domain for on-demand provisioning: ${err}`);
}
res.statusCode = 503;
res.end('Certificate issuance in progress');
return;
}
// Get domain config, using glob pattern matching if needed
const domainMatch = this.getDomainInfoForRequest(domain);
if (!domainMatch) {
res.statusCode = 404;
res.end('Domain not configured');
@ -715,36 +665,6 @@ export class Port80Handler extends plugins.EventEmitter {
return result;
}
/**
* Gets information about managed domains
* @returns Array of domain information
*/
public getManagedDomains(): Array<{
domain: string;
isGlobPattern: boolean;
hasCertificate: boolean;
hasForwarding: boolean;
sslRedirect: boolean;
acmeMaintenance: boolean;
}> {
return Array.from(this.domainCertificates.entries()).map(([domain, info]) => ({
domain,
isGlobPattern: this.isGlobPattern(domain),
hasCertificate: info.certObtained,
hasForwarding: !!info.options.forward,
sslRedirect: info.options.sslRedirect,
acmeMaintenance: info.options.acmeMaintenance
}));
}
/**
* Gets configuration details
* @returns Current configuration
*/
public getConfig(): Required<IAcmeOptions> {
return { ...this.options };
}
/**
* Request a certificate renewal for a specific domain.
* @param domain The domain to renew.