push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BREAKING CHANGE(forwarding): Refactor unified forwarding API and remove redundant documentation. Removed docs/forwarding-system.md (its content is migrated into readme.md) and updated helper functions (e.g. replacing sniPassthrough with httpsPassthrough) to accept configuration objects. Legacy fields in domain configurations (allowedIPs, blockedIPs, useNetworkProxy, networkProxyPort, connectionTimeout) have been removed in favor of forwarding.security and advanced options. Tests and examples have been updated accordingly.

Browse Source
This commit is contained in:
Philipp Kunz
2025-05-09 15:39:15 +00:00
parent f00bae4631
commit 1a902a04fb
20 changed files with 441 additions and 434 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ts/00_commitinfo_data.ts
View File

@ -3,6 +3,6 @@
*/
export const commitinfo = {
name: '@push.rocks/smartproxy',
version: '10.3.0',
version: '11.0.0',
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
}

18
ts/common/port80-adapter.ts
View File

@ -1,26 +1,26 @@
import * as plugins from '../plugins.js';
import type {
IForwardConfig as ILegacyForwardConfig,
IDomainOptions
import type {
IForwardConfig as ILegacyForwardConfig,
IDomainOptions
} from './types.js';
import type {
IForwardConfig as INewForwardConfig
import type {
IForwardConfig
} from '../smartproxy/types/forwarding.types.js';
/**
* Converts a new forwarding configuration target to the legacy format
* Converts a forwarding configuration target to the legacy format
* for Port80Handler
*/
export function convertToLegacyForwardConfig(
forwardConfig: INewForwardConfig
forwardConfig: IForwardConfig
): ILegacyForwardConfig {
// Determine host from the target configuration
const host = Array.isArray(forwardConfig.target.host)
? forwardConfig.target.host[0] // Use the first host in the array
: forwardConfig.target.host;
return {
ip: host,
port: forwardConfig.target.port
@ -32,7 +32,7 @@ export function convertToLegacyForwardConfig(
*/
export function createPort80HandlerOptions(
domain: string,
forwardConfig: INewForwardConfig
forwardConfig: IForwardConfig
): IDomainOptions {
// Determine if we should redirect HTTP to HTTPS
let sslRedirect = false;

22
ts/examples/forwarding-example.ts
View File

@ -38,22 +38,30 @@ async function main() {
// Example 1: HTTP-only forwarding
await domainManager.addDomainConfig(
createDomainConfig('example.com', helpers.httpOnly('localhost', 3000))
createDomainConfig('example.com', helpers.httpOnly({
target: { host: 'localhost', port: 3000 }
}))
);
// Example 2: HTTPS termination with HTTP backend
await domainManager.addDomainConfig(
createDomainConfig('secure.example.com', helpers.tlsTerminateToHttp('localhost', 3000))
createDomainConfig('secure.example.com', helpers.tlsTerminateToHttp({
target: { host: 'localhost', port: 3000 }
}))
);
// Example 3: HTTPS termination with HTTPS backend
await domainManager.addDomainConfig(
createDomainConfig('api.example.com', helpers.tlsTerminateToHttps('localhost', 8443))
createDomainConfig('api.example.com', helpers.tlsTerminateToHttps({
target: { host: 'localhost', port: 8443 }
}))
);
// Example 4: SNI passthrough
await domainManager.addDomainConfig(
createDomainConfig('passthrough.example.com', helpers.sniPassthrough('10.0.0.5', 443))
createDomainConfig('passthrough.example.com', helpers.sniPassthrough({
target: { host: '10.0.0.5', port: 443 }
}))
);
// Example 5: Custom configuration for a more complex setup

64
ts/smartproxy/classes.pp.connectionhandler.ts
View File

@ -11,7 +11,7 @@ import { TlsManager } from './classes.pp.tlsmanager.js';
import { NetworkProxyBridge } from './classes.pp.networkproxybridge.js';
import { TimeoutManager } from './classes.pp.timeoutmanager.js';
import { PortRangeManager } from './classes.pp.portrangemanager.js';
import type { IForwardingHandler } from './forwarding/forwarding.handler.js';
import type { IForwardingHandler } from './types/forwarding.types.js';
import type { ForwardingType } from './types/forwarding.types.js';
/**
@ -446,9 +446,8 @@ export class ConnectionHandler {
if (domainConfig) {
const ipRules = this.domainConfigManager.getEffectiveIPRules(domainConfig);
// Skip IP validation if allowedIPs is empty
// Perform IP validation using security rules
if (
domainConfig.allowedIPs.length > 0 &&
!this.securityManager.isIPAuthorized(
record.remoteIP,
ipRules.allowedIPs,
@ -497,10 +496,31 @@ export class ConnectionHandler {
// Only apply port-based rules if the incoming port is within one of the global port ranges.
if (this.portRangeManager.isPortInGlobalRanges(localPort)) {
if (this.portRangeManager.shouldUseGlobalForwarding(localPort)) {
// Create a virtual domain config for global forwarding with security settings
const globalDomainConfig = {
domains: ['global'],
forwarding: {
type: 'http-only' as ForwardingType,
target: {
host: this.settings.targetIP!,
port: this.settings.toPort
},
security: {
allowedIps: this.settings.defaultAllowedIPs || [],
blockedIps: this.settings.defaultBlockedIPs || []
}
},
};
// Use the same IP filtering mechanism as domain-specific configs
const ipRules = this.domainConfigManager.getEffectiveIPRules(globalDomainConfig);
if (
this.settings.defaultAllowedIPs &&
this.settings.defaultAllowedIPs.length > 0 &&
!this.securityManager.isIPAuthorized(record.remoteIP, this.settings.defaultAllowedIPs)
!this.securityManager.isIPAuthorized(
record.remoteIP,
ipRules.allowedIPs,
ipRules.blockedIPs
)
) {
console.log(
`[${connectionId}] Connection from ${record.remoteIP} rejected: IP ${record.remoteIP} not allowed in global default allowed list.`
@ -508,29 +528,21 @@ export class ConnectionHandler {
socket.end();
return;
}
if (this.settings.enableDetailedLogging) {
console.log(
`[${connectionId}] Port-based connection from ${record.remoteIP} on port ${localPort} forwarded to global target IP ${this.settings.targetIP}.`
);
}
setupConnection(
'',
undefined,
{
domains: ['global'],
allowedIPs: this.settings.defaultAllowedIPs || [],
blockedIPs: this.settings.defaultBlockedIPs || [],
targetIPs: [this.settings.targetIP!],
portRanges: [],
},
localPort
);
setupConnection('', undefined, globalDomainConfig, localPort);
return;
} else {
// Attempt to find a matching forced domain config based on the local port.
const forcedDomain = this.domainConfigManager.findDomainConfigForPort(localPort);
if (forcedDomain) {
// Get effective IP rules from the domain config's forwarding security settings
const ipRules = this.domainConfigManager.getEffectiveIPRules(forcedDomain);
if (
@ -690,10 +702,18 @@ export class ConnectionHandler {
initialDataReceived = true;
record.hasReceivedInitialData = true;
if (
this.settings.defaultAllowedIPs &&
this.settings.defaultAllowedIPs.length > 0 &&
!this.securityManager.isIPAuthorized(record.remoteIP, this.settings.defaultAllowedIPs)
// Create default security settings for non-SNI connections
const defaultSecurity = {
allowedIPs: this.settings.defaultAllowedIPs || [],
blockedIPs: this.settings.defaultBlockedIPs || []
};
if (defaultSecurity.allowedIPs.length > 0 &&
!this.securityManager.isIPAuthorized(
record.remoteIP,
defaultSecurity.allowedIPs,
defaultSecurity.blockedIPs
)
) {
return rejectIncomingConnection(
'rejected',

89
ts/smartproxy/classes.pp.domainconfigmanager.ts
View File

@ -1,8 +1,7 @@
import * as plugins from '../plugins.js';
import type { IDomainConfig, ISmartProxyOptions } from './classes.pp.interfaces.js';
import type { ForwardingType, IForwardConfig } from './types/forwarding.types.js';
import type { ForwardingType, IForwardConfig, IForwardingHandler } from './types/forwarding.types.js';
import { ForwardingHandlerFactory } from './forwarding/forwarding.factory.js';
import type { IForwardingHandler } from './forwarding/forwarding.handler.js';
/**
* Manages domain configurations and target selection
@ -79,10 +78,12 @@ export class DomainConfigManager {
*/
public findDomainConfigForPort(port: number): IDomainConfig | undefined {
return this.settings.domainConfigs.find(
(domain) =>
domain.portRanges &&
domain.portRanges.length > 0 &&
this.isPortInRanges(port, domain.portRanges)
(domain) => {
const portRanges = domain.forwarding?.advanced?.portRanges;
return portRanges &&
portRanges.length > 0 &&
this.isPortInRanges(port, portRanges);
}
);
}
@ -111,6 +112,14 @@ export class DomainConfigManager {
return this.settings.targetIP || 'localhost';
}
/**
* Get target host with round-robin support (for tests)
* This is just an alias for getTargetIP for easier test compatibility
*/
public getTargetHost(domainConfig: IDomainConfig): string {
return this.getTargetIP(domainConfig);
}
/**
* Get target port from domain config
*/
@ -122,16 +131,9 @@ export class DomainConfigManager {
* Checks if a domain should use NetworkProxy
*/
public shouldUseNetworkProxy(domainConfig: IDomainConfig): boolean {
// Check forwarding type first
const forwardingType = this.getForwardingType(domainConfig);
if (forwardingType === 'https-terminate-to-http' ||
forwardingType === 'https-terminate-to-https') {
return true;
}
// Fall back to legacy setting
return !!domainConfig.useNetworkProxy;
return forwardingType === 'https-terminate-to-http' ||
forwardingType === 'https-terminate-to-https';
}
/**
@ -143,17 +145,14 @@ export class DomainConfigManager {
return undefined;
}
// Check forwarding config first
if (domainConfig.forwarding?.advanced?.networkProxyPort) {
return domainConfig.forwarding.advanced.networkProxyPort;
}
// Fall back to legacy setting
return domainConfig.networkProxyPort || this.settings.networkProxyPort;
return domainConfig.forwarding.advanced?.networkProxyPort || this.settings.networkProxyPort;
}
/**
* Get effective allowed and blocked IPs for a domain
*
* This method combines domain-specific security rules from the forwarding configuration
* with global security defaults when necessary.
*/
public getEffectiveIPRules(domainConfig: IDomainConfig): {
allowedIPs: string[],
@ -163,31 +162,33 @@ export class DomainConfigManager {
const allowedIPs: string[] = [];
const blockedIPs: string[] = [];
// Add IPs from forwarding security settings
// Add IPs from forwarding security settings if available
if (domainConfig.forwarding?.security?.allowedIps) {
allowedIPs.push(...domainConfig.forwarding.security.allowedIps);
} else {
// If no allowed IPs are specified in forwarding config and global defaults exist, use them
if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
allowedIPs.push(...this.settings.defaultAllowedIPs);
} else {
// Default to allow all if no specific rules
allowedIPs.push('*');
}
}
// Add blocked IPs from forwarding security settings if available
if (domainConfig.forwarding?.security?.blockedIps) {
blockedIPs.push(...domainConfig.forwarding.security.blockedIps);
}
// Add legacy settings
if (domainConfig.allowedIPs.length > 0) {
allowedIPs.push(...domainConfig.allowedIPs);
}
if (domainConfig.blockedIPs && domainConfig.blockedIPs.length > 0) {
blockedIPs.push(...domainConfig.blockedIPs);
}
// Add global defaults
if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
allowedIPs.push(...this.settings.defaultAllowedIPs);
}
// Always add global blocked IPs, even if domain has its own rules
// This ensures that global blocks take precedence
if (this.settings.defaultBlockedIPs && this.settings.defaultBlockedIPs.length > 0) {
blockedIPs.push(...this.settings.defaultBlockedIPs);
// Add only unique IPs that aren't already in the list
for (const ip of this.settings.defaultBlockedIPs) {
if (!blockedIPs.includes(ip)) {
blockedIPs.push(ip);
}
}
}
return {
@ -200,16 +201,10 @@ export class DomainConfigManager {
* Get connection timeout for a domain
*/
public getConnectionTimeout(domainConfig?: IDomainConfig): number {
// First check forwarding configuration for timeout
if (domainConfig?.forwarding?.advanced?.timeout) {
if (domainConfig?.forwarding.advanced?.timeout) {
return domainConfig.forwarding.advanced.timeout;
}
// Fall back to legacy connectionTimeout
if (domainConfig?.connectionTimeout) {
return domainConfig.connectionTimeout;
}
return this.settings.maxConnectionLifetime || 86400000; // 24 hours default
}
@ -217,10 +212,6 @@ export class DomainConfigManager {
* Creates a forwarding handler for a domain configuration
*/
private createForwardingHandler(domainConfig: IDomainConfig): IForwardingHandler {
if (!domainConfig.forwarding) {
throw new Error(`Domain config for ${domainConfig.domains.join(', ')} has no forwarding configuration`);
}
// Create a new handler using the factory
const handler = ForwardingHandlerFactory.createHandler(domainConfig.forwarding);

27
ts/smartproxy/classes.pp.portrangemanager.ts
View File

@ -84,8 +84,10 @@ export class PortRangeManager {
} | undefined {
for (let i = 0; i < this.settings.domainConfigs.length; i++) {
const domain = this.settings.domainConfigs[i];
if (domain.portRanges) {
for (const range of domain.portRanges) {
// Get port ranges from forwarding.advanced if available
const portRanges = domain.forwarding?.advanced?.portRanges;
if (portRanges && portRanges.length > 0) {
for (const range of portRanges) {
if (port >= range.from && port <= range.to) {
return { domainIndex: i, range };
}
@ -129,17 +131,20 @@ export class PortRangeManager {
// Add domain-specific port ranges
for (const domain of this.settings.domainConfigs) {
if (domain.portRanges) {
for (const range of domain.portRanges) {
// Get port ranges from forwarding.advanced
const portRanges = domain.forwarding?.advanced?.portRanges;
if (portRanges && portRanges.length > 0) {
for (const range of portRanges) {
for (let port = range.from; port <= range.to; port++) {
ports.add(port);
}
}
}
// Add domain-specific NetworkProxy port if configured
if (domain.useNetworkProxy && domain.networkProxyPort) {
ports.add(domain.networkProxyPort);
// Add domain-specific NetworkProxy port if configured in forwarding.advanced
const networkProxyPort = domain.forwarding?.advanced?.networkProxyPort;
if (networkProxyPort) {
ports.add(networkProxyPort);
}
}
@ -170,8 +175,10 @@ export class PortRangeManager {
// Track domain-specific port ranges
for (const domain of this.settings.domainConfigs) {
if (domain.portRanges) {
for (const range of domain.portRanges) {
// Get port ranges from forwarding.advanced
const portRanges = domain.forwarding?.advanced?.portRanges;
if (portRanges && portRanges.length > 0) {
for (const range of portRanges) {
for (let port = range.from; port <= range.to; port++) {
if (!portMappings.has(port)) {
portMappings.set(port, []);

34
ts/smartproxy/classes.pp.securitymanager.ts
View File

@ -63,45 +63,69 @@ export class SecurityManager {
}
/**
* Check if an IP is allowed using glob patterns
* Check if an IP is authorized using forwarding security rules
*
* This method is used to determine if an IP is allowed to connect, based on security
* rules configured in the forwarding configuration. The allowed and blocked IPs are
* typically derived from domain.forwarding.security.allowedIps and blockedIps through
* DomainConfigManager.getEffectiveIPRules().
*
* @param ip - The IP address to check
* @param allowedIPs - Array of allowed IP patterns from forwarding.security.allowedIps
* @param blockedIPs - Array of blocked IP patterns from forwarding.security.blockedIps
* @returns true if IP is authorized, false if blocked
*/
public isIPAuthorized(ip: string, allowedIPs: string[], blockedIPs: string[] = []): boolean {
// Skip IP validation if allowedIPs is empty
if (!ip || (allowedIPs.length === 0 && blockedIPs.length === 0)) {
return true;
}
// First check if IP is blocked
// First check if IP is blocked - blocked IPs take precedence
if (blockedIPs.length > 0 && this.isGlobIPMatch(ip, blockedIPs)) {
return false;
}
// Then check if IP is allowed
return this.isGlobIPMatch(ip, allowedIPs);
}
/**
* Check if the IP matches any of the glob patterns
* Check if the IP matches any of the glob patterns from security configuration
*
* This method checks IP addresses against glob patterns and handles IPv4/IPv6 normalization.
* It's used to implement IP filtering based on the forwarding.security configuration.
*
* @param ip - The IP address to check
* @param patterns - Array of glob patterns from forwarding.security.allowedIps or blockedIps
* @returns true if IP matches any pattern, false otherwise
*/
private isGlobIPMatch(ip: string, patterns: string[]): boolean {
if (!ip || !patterns || patterns.length === 0) return false;
// Handle IPv4/IPv6 normalization for proper matching
const normalizeIP = (ip: string): string[] => {
if (!ip) return [];
// Handle IPv4-mapped IPv6 addresses (::ffff:127.0.0.1)
if (ip.startsWith('::ffff:')) {
const ipv4 = ip.slice(7);
return [ip, ipv4];
}
// Handle IPv4 addresses by also checking IPv4-mapped form
if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
return [ip, `::ffff:${ip}`];
}
return [ip];
};
// Normalize the IP being checked
const normalizedIPVariants = normalizeIP(ip);
if (normalizedIPVariants.length === 0) return false;
// Normalize the pattern IPs for consistent comparison
const expandedPatterns = patterns.flatMap(normalizeIP);
// Check for any match between normalized IP variants and patterns
return normalizedIPVariants.some((ipVariant) =>
expandedPatterns.some((pattern) => plugins.minimatch(ipVariant, pattern))
);

6
ts/smartproxy/classes.pp.timeoutmanager.ts
View File

@ -61,9 +61,9 @@ export class TimeoutManager {
* Calculate effective max lifetime based on connection type
*/
public getEffectiveMaxLifetime(record: IConnectionRecord): number {
// Use domain-specific timeout if available
const baseTimeout = record.domainConfig?.connectionTimeout ||
this.settings.maxConnectionLifetime ||
// Use domain-specific timeout from forwarding.advanced if available
const baseTimeout = record.domainConfig?.forwarding?.advanced?.timeout ||
this.settings.maxConnectionLifetime ||
86400000; // 24 hours default
// For immortal keep-alive connections, use an extremely long lifetime

20
ts/smartproxy/classes.smartproxy.ts
View File

@ -12,7 +12,6 @@ import { Port80Handler } from '../port80handler/classes.port80handler.js';
import { CertProvisioner } from './classes.pp.certprovisioner.js';
import type { ICertificateData } from '../common/types.js';
import { buildPort80Handler } from '../common/acmeFactory.js';
import { ensureForwardingConfig } from './forwarding/legacy-converter.js';
import type { ForwardingType } from './types/forwarding.types.js';
import { createPort80HandlerOptions } from '../common/port80-adapter.js';
@ -159,8 +158,8 @@ export class SmartProxy extends plugins.EventEmitter {
return;
}
// Pre-process domain configs to ensure they all have forwarding configurations
this.settings.domainConfigs = this.settings.domainConfigs.map(config => ensureForwardingConfig(config));
// Process domain configs
// Note: ensureForwardingConfig is no longer needed since forwarding is now required
// Initialize domain config manager with the processed configs
this.domainConfigManager.updateDomainConfigs(this.settings.domainConfigs);
@ -412,11 +411,8 @@ export class SmartProxy extends plugins.EventEmitter {
public async updateDomainConfigs(newDomainConfigs: IDomainConfig[]): Promise<void> {
console.log(`Updating domain configurations (${newDomainConfigs.length} configs)`);
// Ensure each domain config has a valid forwarding configuration
const processedConfigs = newDomainConfigs.map(config => ensureForwardingConfig(config));
// Update domain configs in DomainConfigManager
this.domainConfigManager.updateDomainConfigs(processedConfigs);
this.domainConfigManager.updateDomainConfigs(newDomainConfigs);
// If NetworkProxy is initialized, resync the configurations
if (this.networkProxyBridge.getNetworkProxy()) {
@ -425,15 +421,15 @@ export class SmartProxy extends plugins.EventEmitter {
// If Port80Handler is running, provision certificates based on forwarding type
if (this.port80Handler && this.settings.acme?.enabled) {
for (const domainConfig of processedConfigs) {
for (const domainConfig of newDomainConfigs) {
// Skip certificate provisioning for http-only or passthrough configs that don't need certs
const forwardingType = domainConfig.forwarding?.type as ForwardingType;
const forwardingType = domainConfig.forwarding.type;
const needsCertificate =
forwardingType === 'https-terminate-to-http' ||
forwardingType === 'https-terminate-to-https';
// Skip certificate provisioning if ACME is explicitly disabled for this domain
const acmeDisabled = domainConfig.forwarding?.acme?.enabled === false;
const acmeDisabled = domainConfig.forwarding.acme?.enabled === false;
if (!needsCertificate || acmeDisabled) {
if (this.settings.enableDetailedLogging) {
@ -447,7 +443,7 @@ export class SmartProxy extends plugins.EventEmitter {
let provision: string | plugins.tsclass.network.ICert = 'http01';
// Check for ACME forwarding configuration in the domain
const forwardAcmeChallenges = domainConfig.forwarding?.acme?.forwardChallenges;
const forwardAcmeChallenges = domainConfig.forwarding.acme?.forwardChallenges;
if (this.settings.certProvisionFunction) {
try {
@ -467,7 +463,7 @@ export class SmartProxy extends plugins.EventEmitter {
}
// Create Port80Handler options from the forwarding configuration
const port80Config = createPort80HandlerOptions(domain, domainConfig.forwarding!);
const port80Config = createPort80HandlerOptions(domain, domainConfig.forwarding);
this.port80Handler.addDomain(port80Config);
console.log(`Registered domain ${domain} with Port80Handler for HTTP-01`);

27
ts/smartproxy/forwarding/domain-config.ts
View File

@ -1,25 +1,14 @@
import type { IForwardConfig } from '../types/forwarding.types.js';
/**
* Updated domain configuration with unified forwarding configuration
* Domain configuration with unified forwarding configuration
*/
export interface IDomainConfig {
// Core properties - domain patterns
domains: string[];
// Unified forwarding configuration
forwarding: IForwardConfig;
// Legacy security properties that will be migrated to forwarding.security
allowedIPs?: string[];
blockedIPs?: string[];
// Legacy NetworkProxy properties
useNetworkProxy?: boolean;
networkProxyPort?: number;
// Legacy timeout property
connectionTimeout?: number;
}
/**
@ -27,19 +16,13 @@ export interface IDomainConfig {
*/
export function createDomainConfig(
domains: string | string[],
forwarding: IForwardConfig,
security?: {
allowedIPs?: string[];
blockedIPs?: string[];
}
forwarding: IForwardConfig
): IDomainConfig {
// Normalize domains to an array
const domainArray = Array.isArray(domains) ? domains : [domains];
return {
domains: domainArray,
forwarding,
allowedIPs: security?.allowedIPs || ['*'],
blockedIPs: security?.blockedIPs
forwarding
};
}

6
ts/smartproxy/forwarding/index.ts
View File

@ -17,7 +17,7 @@ export {
httpOnly,
tlsTerminateToHttp,
tlsTerminateToHttps,
sniPassthrough
httpsPassthrough
} from '../types/forwarding.types.js';
// Export domain configuration
@ -41,12 +41,12 @@ import {
httpOnly,
tlsTerminateToHttp,
tlsTerminateToHttps,
sniPassthrough
httpsPassthrough
} from '../types/forwarding.types.js';
export const helpers = {
httpOnly,
tlsTerminateToHttp,
tlsTerminateToHttps,
sniPassthrough
sniPassthrough: httpsPassthrough // Alias for backward compatibility
};