feat(classes.portproxy): Enhanced PortProxy to support initial data timeout and improved IP handling

2025-03-03 01:50:30 +00:00 · 2025-03-03 01:50:30 +00:00 · 191c8ac0e6
commit 191c8ac0e6
parent 3ab483d164
3 changed files with 113 additions and 31 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,13 @@
 # Changelog

+## 2025-03-03 - 3.22.0 - feat(classes.portproxy)
+Enhanced PortProxy to support initial data timeout and improved IP handling
+
+- Added `initialDataTimeout` to PortProxy settings for handling data flow in chained proxies.
+- Improved IP validation by allowing relaxed checks in chained proxy setups.
+- Introduced dynamic logging for connection lifecycle and proxy configurations.
+- Enhanced timeout handling for better proxy resilience.
+
 ## 2025-03-03 - 3.21.0 - feat(PortProxy)
 Enhancements to connection management in PortProxy

--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '3.21.0',
+  version: '3.22.0',
  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
 }
--- a/ts/classes.portproxy.ts
+++ b/ts/classes.portproxy.ts
@ -23,6 +23,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
  globalPortRanges: Array<{ from: number; to: number }>; // Global allowed port ranges
  forwardAllGlobalRanges?: boolean; // When true, forwards all connections on global port ranges to the global targetIP
  gracefulShutdownTimeout?: number; // (ms) maximum time to wait for connections to close during shutdown
+  initialDataTimeout?: number; // (ms) timeout for receiving initial data, useful for chained proxies
 }

 /**
@ -163,6 +164,9 @@ export class PortProxy {
      maxConnectionLifetime: settingsArg.maxConnectionLifetime || 600000,
      gracefulShutdownTimeout: settingsArg.gracefulShutdownTimeout || 30000,
    };
+    
+    // Debug logging for constructor settings
+    console.log(`PortProxy initialized with targetIP: ${this.settings.targetIP}, toPort: ${this.settings.toPort}, fromPort: ${this.settings.fromPort}, sniEnabled: ${this.settings.sniEnabled}`);
  }

  private incrementTerminationStat(side: 'incoming' | 'outgoing', reason: string): void {
@ -320,17 +324,30 @@ export class PortProxy {
        initiateCleanupOnce(reason);
      };

-      // Set an initial timeout immediately
-      const initialTimeout = setTimeout(() => {
-        if (!initialDataReceived) {
-          console.log(`Initial connection timeout for ${remoteIP} (no data received)`);
-          if (incomingTerminationReason === null) {
-            incomingTerminationReason = 'initial_timeout';
-            this.incrementTerminationStat('incoming', 'initial_timeout');
+      // Set an initial timeout only if SNI is enabled or this is not a chained proxy
+      // For chained proxies, we need to allow more time for data to flow through
+      const initialTimeoutMs = this.settings.initialDataTimeout || 
+                             (this.settings.sniEnabled ? 15000 : 0); // Increased timeout for SNI, disabled for non-SNI by default
+      
+      let initialTimeout: NodeJS.Timeout | null = null;
+      
+      if (initialTimeoutMs > 0) {
+        console.log(`Setting initial data timeout of ${initialTimeoutMs}ms for connection from ${remoteIP}`);
+        initialTimeout = setTimeout(() => {
+          if (!initialDataReceived) {
+            console.log(`Initial connection timeout for ${remoteIP} (no data received after ${initialTimeoutMs}ms)`);
+            if (incomingTerminationReason === null) {
+              incomingTerminationReason = 'initial_timeout';
+              this.incrementTerminationStat('incoming', 'initial_timeout');
+            }
+            initiateCleanupOnce('initial_timeout');
          }
-          initiateCleanupOnce('initial_timeout');
-        }
-      }, 5000);
+        }, initialTimeoutMs);
+      } else {
+        console.log(`No initial timeout set for connection from ${remoteIP} (likely chained proxy)`);
+        // Mark as received immediately if we're not waiting for data
+        initialDataReceived = true;
+      }

      socket.on('error', (err: Error) => {
        const errorMessage = initialDataReceived
@ -341,6 +358,17 @@ export class PortProxy {
        // Clear the initial timeout if it exists
        if (initialTimeout) {
          clearTimeout(initialTimeout);
+          initialTimeout = null;
+        }
+        
+        // For premature errors, we need to handle them explicitly 
+        // since the standard error handlers might not be set up yet
+        if (!initialDataReceived) {
+          if (incomingTerminationReason === null) {
+            incomingTerminationReason = 'premature_error';
+            this.incrementTerminationStat('incoming', 'premature_error');
+          }
+          initiateCleanupOnce('premature_error');
        }
      });

@ -420,25 +448,34 @@ export class PortProxy {
            ) : undefined);

        // Effective IP check: merge allowed IPs with default allowed, and remove blocked IPs.
+        // In a chained proxy, relax IP validation unless explicitly configured
+        // If this is the first proxy in the chain, normal validation applies
        if (domainConfig) {
-          const effectiveAllowedIPs: string[] = [
-            ...domainConfig.allowedIPs,
-            ...(this.settings.defaultAllowedIPs || [])
-          ];
-          const effectiveBlockedIPs: string[] = [
-            ...(domainConfig.blockedIPs || []),
-            ...(this.settings.defaultBlockedIPs || [])
-          ];
-          if (!isGlobIPAllowed(remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
-            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${domainConfig.domains.join(', ')}`);
+          // Has specific domain config - check IP restrictions only if allowedIPs is non-empty
+          if (domainConfig.allowedIPs.length > 0) {
+            const effectiveAllowedIPs: string[] = [
+              ...domainConfig.allowedIPs,
+              ...(this.settings.defaultAllowedIPs || [])
+            ];
+            const effectiveBlockedIPs: string[] = [
+              ...(domainConfig.blockedIPs || []),
+              ...(this.settings.defaultBlockedIPs || [])
+            ];
+            if (!isGlobIPAllowed(remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
+              return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${domainConfig.domains.join(', ')}`);
+            }
+          } else {
+            console.log(`Domain config for ${domainConfig.domains.join(', ')} has empty allowedIPs, skipping IP validation`);
          }
        } else if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
+          // No domain config but has default IP restrictions
          if (!isGlobIPAllowed(remoteIP, this.settings.defaultAllowedIPs, this.settings.defaultBlockedIPs || [])) {
            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed by default allowed list`);
          }
        } else {
-          // No domain config and no default allowed IPs - reject the connection
-          return rejectIncomingConnection('no_config', `Connection rejected: No matching domain configuration or default allowed IPs for ${remoteIP}`);
+          // No domain config and no default allowed IPs
+          // In a chained proxy setup, we'll allow this connection 
+          console.log(`No specific IP restrictions found for ${remoteIP}. Allowing connection in potential chained proxy setup.`);
        }

        const targetHost = domainConfig ? this.getTargetIP(domainConfig) : this.settings.targetIP!;
@ -454,7 +491,7 @@ export class PortProxy {
        let connectionTimeout: NodeJS.Timeout | null = null;
        let connectionSucceeded = false;
        
-        // Set connection timeout
+        // Set connection timeout - longer for chained proxies
        connectionTimeout = setTimeout(() => {
          if (!connectionSucceeded) {
            console.log(`Connection timeout connecting to ${targetHost}:${connectionOptions.port} for ${remoteIP}`);
@ -464,7 +501,7 @@ export class PortProxy {
            }
            initiateCleanupOnce('connection_timeout');
          }
-        }, 5000);
+        }, 10000); // Increased from 5s to 10s to accommodate chained proxies

        console.log(`Attempting to connect to ${targetHost}:${connectionOptions.port} for client ${remoteIP}...`);
        
@ -620,14 +657,38 @@ export class PortProxy {

      // --- FALLBACK: SNI-BASED HANDLING (or default when SNI is disabled) ---
      if (this.settings.sniEnabled) {
+        // If using SNI, we need to wait for data to establish the connection
+        if (initialDataReceived) {
+          console.log(`Initial data already marked as received for ${remoteIP}, but SNI is enabled. This is unexpected.`);
+        }
+        
        initialDataReceived = false;
-
+        
+        console.log(`Waiting for TLS ClientHello from ${remoteIP} to extract SNI...`);
        socket.once('data', (chunk: Buffer) => {
+          if (initialTimeout) {
+            clearTimeout(initialTimeout);
+            initialTimeout = null;
+          }
+          
          initialDataReceived = true;
-          const serverName = extractSNI(chunk) || '';
+          console.log(`Received initial data from ${remoteIP}, length: ${chunk.length} bytes`);
+          
+          let serverName = '';
+          try {
+            // Only try to extract SNI if the chunk looks like a TLS ClientHello
+            if (chunk.length > 5 && chunk.readUInt8(0) === 22) {
+              serverName = extractSNI(chunk) || '';
+              console.log(`Extracted SNI: "${serverName}" from connection ${remoteIP}`);
+            } else {
+              console.log(`Data from ${remoteIP} doesn't appear to be a TLS ClientHello. First byte: ${chunk.length > 0 ? chunk.readUInt8(0) : 'N/A'}`);
+            }
+          } catch (err) {
+            console.log(`Error extracting SNI from chunk: ${err}. Proceeding without SNI.`);
+          }
+          
          // Lock the connection to the negotiated SNI.
          connectionRecord.lockedDomain = serverName;
-          console.log(`Received connection from ${remoteIP} with SNI: ${serverName}`);
          
          // Delay adding the renegotiation listener until the next tick,
          // so the initial ClientHello is not reprocessed.
@ -653,10 +714,23 @@ export class PortProxy {
          setupConnection(serverName, chunk);
        });
      } else {
-        initialDataReceived = true;
-        if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-          return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
+        // Non-SNI mode: we can proceed immediately without waiting for data
+        if (initialTimeout) {
+          clearTimeout(initialTimeout);
+          initialTimeout = null;
        }
+        
+        initialDataReceived = true;
+        console.log(`SNI disabled for connection from ${remoteIP}, proceeding directly to connection setup`);
+        
+        // Check IP restrictions only if explicitly configured
+        if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
+          if (!isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
+          }
+        }
+        
+        // Proceed with connection setup
        setupConnection('');
      }
    };