push.rocks/smartproxy
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(rustproxy): introduce a Rust-powered proxy engine and workspace with core crates for proxy functionality, ACME/TLS support, passthrough and HTTP proxies, metrics, nftables integration, routing/security, management IPC, tests, and README updates

Browse Source
This commit is contained in:
Jürgen Kunz
2026-02-09 10:55:46 +00:00
parent a31fee41df
commit 1df3b7af4a
151 changed files with 16927 additions and 19432 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
ts/proxies/smart-proxy/acme-state-manager.ts
View File

@@ -1,112 +0,0 @@
import type { IRouteConfig } from './models/route-types.js';
/**
* Global state store for ACME operations
* Tracks active challenge routes and port allocations
*/
export class AcmeStateManager {
private activeChallengeRoutes: Map<string, IRouteConfig> = new Map();
private acmePortAllocations: Set<number> = new Set();
private primaryChallengeRoute: IRouteConfig | null = null;
/**
* Check if a challenge route is active
*/
public isChallengeRouteActive(): boolean {
return this.activeChallengeRoutes.size > 0;
}
/**
* Register a challenge route as active
*/
public addChallengeRoute(route: IRouteConfig): void {
this.activeChallengeRoutes.set(route.name, route);
// Track the primary challenge route
if (!this.primaryChallengeRoute || route.priority > (this.primaryChallengeRoute.priority || 0)) {
this.primaryChallengeRoute = route;
}
// Track port allocations
const ports = Array.isArray(route.match.ports) ? route.match.ports : [route.match.ports];
ports.forEach(port => this.acmePortAllocations.add(port));
}
/**
* Remove a challenge route
*/
public removeChallengeRoute(routeName: string): void {
const route = this.activeChallengeRoutes.get(routeName);
if (!route) return;
this.activeChallengeRoutes.delete(routeName);
// Update primary challenge route if needed
if (this.primaryChallengeRoute?.name === routeName) {
this.primaryChallengeRoute = null;
// Find new primary route with highest priority
let highestPriority = -1;
for (const [_, activeRoute] of this.activeChallengeRoutes) {
const priority = activeRoute.priority || 0;
if (priority > highestPriority) {
highestPriority = priority;
this.primaryChallengeRoute = activeRoute;
}
}
}
// Update port allocations - only remove if no other routes use this port
const ports = Array.isArray(route.match.ports) ? route.match.ports : [route.match.ports];
ports.forEach(port => {
let portStillUsed = false;
for (const [_, activeRoute] of this.activeChallengeRoutes) {
const activePorts = Array.isArray(activeRoute.match.ports) ?
activeRoute.match.ports : [activeRoute.match.ports];
if (activePorts.includes(port)) {
portStillUsed = true;
break;
}
}
if (!portStillUsed) {
this.acmePortAllocations.delete(port);
}
});
}
/**
* Get all active challenge routes
*/
public getActiveChallengeRoutes(): IRouteConfig[] {
return Array.from(this.activeChallengeRoutes.values());
}
/**
* Get the primary challenge route
*/
public getPrimaryChallengeRoute(): IRouteConfig | null {
return this.primaryChallengeRoute;
}
/**
* Check if a port is allocated for ACME
*/
public isPortAllocatedForAcme(port: number): boolean {
return this.acmePortAllocations.has(port);
}
/**
* Get all ACME ports
*/
public getAcmePorts(): number[] {
return Array.from(this.acmePortAllocations);
}
/**
* Clear all state (for shutdown or reset)
*/
public clear(): void {
this.activeChallengeRoutes.clear();
this.acmePortAllocations.clear();
this.primaryChallengeRoute = null;
}
}

92
ts/proxies/smart-proxy/cert-store.ts
View File

@@ -1,92 +0,0 @@
import * as plugins from '../../plugins.js';
import { AsyncFileSystem } from '../../core/utils/fs-utils.js';
import type { ICertificateData } from './certificate-manager.js';
export class CertStore {
constructor(private certDir: string) {}
public async initialize(): Promise<void> {
await AsyncFileSystem.ensureDir(this.certDir);
}
public async getCertificate(routeName: string): Promise<ICertificateData | null> {
const certPath = this.getCertPath(routeName);
const metaPath = `${certPath}/meta.json`;
if (!await AsyncFileSystem.exists(metaPath)) {
return null;
}
try {
const meta = await AsyncFileSystem.readJSON(metaPath);
const [cert, key] = await Promise.all([
AsyncFileSystem.readFile(`${certPath}/cert.pem`),
AsyncFileSystem.readFile(`${certPath}/key.pem`)
]);
let ca: string | undefined;
const caPath = `${certPath}/ca.pem`;
if (await AsyncFileSystem.exists(caPath)) {
ca = await AsyncFileSystem.readFile(caPath);
}
return {
cert,
key,
ca,
expiryDate: new Date(meta.expiryDate),
issueDate: new Date(meta.issueDate)
};
} catch (error) {
console.error(`Failed to load certificate for ${routeName}: ${error}`);
return null;
}
}
public async saveCertificate(
routeName: string,
certData: ICertificateData
): Promise<void> {
const certPath = this.getCertPath(routeName);
await AsyncFileSystem.ensureDir(certPath);
// Save certificate files in parallel
const savePromises = [
AsyncFileSystem.writeFile(`${certPath}/cert.pem`, certData.cert),
AsyncFileSystem.writeFile(`${certPath}/key.pem`, certData.key)
];
if (certData.ca) {
savePromises.push(
AsyncFileSystem.writeFile(`${certPath}/ca.pem`, certData.ca)
);
}
// Save metadata
const meta = {
expiryDate: certData.expiryDate.toISOString(),
issueDate: certData.issueDate.toISOString(),
savedAt: new Date().toISOString()
};
savePromises.push(
AsyncFileSystem.writeJSON(`${certPath}/meta.json`, meta)
);
await Promise.all(savePromises);
}
public async deleteCertificate(routeName: string): Promise<void> {
const certPath = this.getCertPath(routeName);
if (await AsyncFileSystem.isDirectory(certPath)) {
await AsyncFileSystem.removeDir(certPath);
}
}
private getCertPath(routeName: string): string {
// Sanitize route name for filesystem
const safeName = routeName.replace(/[^a-zA-Z0-9-_]/g, '_');
return `${this.certDir}/${safeName}`;
}
}

895
ts/proxies/smart-proxy/certificate-manager.ts
View File

@@ -1,895 +0,0 @@
import * as plugins from '../../plugins.js';
import { HttpProxy } from '../http-proxy/index.js';
import type { IRouteConfig, IRouteTls } from './models/route-types.js';
import type { IAcmeOptions } from './models/interfaces.js';
import { CertStore } from './cert-store.js';
import type { AcmeStateManager } from './acme-state-manager.js';
import { logger } from '../../core/utils/logger.js';
import { SocketHandlers } from './utils/route-helpers.js';
export interface ICertStatus {
domain: string;
status: 'valid' | 'pending' | 'expired' | 'error';
expiryDate?: Date;
issueDate?: Date;
source: 'static' | 'acme' | 'custom';
error?: string;
}
export interface ICertificateData {
cert: string;
key: string;
ca?: string;
expiryDate: Date;
issueDate: Date;
source?: 'static' | 'acme' | 'custom';
}
export class SmartCertManager {
private certStore: CertStore;
private smartAcme: plugins.smartacme.SmartAcme | null = null;
private httpProxy: HttpProxy | null = null;
private renewalTimer: NodeJS.Timeout | null = null;
private pendingChallenges: Map<string, string> = new Map();
private challengeRoute: IRouteConfig | null = null;
// Track certificate status by route name
private certStatus: Map<string, ICertStatus> = new Map();
// Global ACME defaults from top-level configuration
private globalAcmeDefaults: IAcmeOptions | null = null;
// Callback to update SmartProxy routes for challenges
private updateRoutesCallback?: (routes: IRouteConfig[]) => Promise<void>;
// Flag to track if challenge route is currently active
private challengeRouteActive: boolean = false;
// Flag to track if provisioning is in progress
private isProvisioning: boolean = false;
// ACME state manager reference
private acmeStateManager: AcmeStateManager | null = null;
// Custom certificate provision function
private certProvisionFunction?: (domain: string) => Promise<plugins.tsclass.network.ICert | 'http01'>;
// Whether to fallback to ACME if custom provision fails
private certProvisionFallbackToAcme: boolean = true;
constructor(
private routes: IRouteConfig[],
private certDir: string = './certs',
private acmeOptions?: {
email?: string;
useProduction?: boolean;
port?: number;
},
private initialState?: {
challengeRouteActive?: boolean;
}
) {
this.certStore = new CertStore(certDir);
// Apply initial state if provided
if (initialState) {
this.challengeRouteActive = initialState.challengeRouteActive || false;
}
}
public setHttpProxy(httpProxy: HttpProxy): void {
this.httpProxy = httpProxy;
}
/**
* Set the ACME state manager
*/
public setAcmeStateManager(stateManager: AcmeStateManager): void {
this.acmeStateManager = stateManager;
}
/**
* Set global ACME defaults from top-level configuration
*/
public setGlobalAcmeDefaults(defaults: IAcmeOptions): void {
this.globalAcmeDefaults = defaults;
}
/**
* Set custom certificate provision function
*/
public setCertProvisionFunction(fn: (domain: string) => Promise<plugins.tsclass.network.ICert | 'http01'>): void {
this.certProvisionFunction = fn;
}
/**
* Set whether to fallback to ACME if custom provision fails
*/
public setCertProvisionFallbackToAcme(fallback: boolean): void {
this.certProvisionFallbackToAcme = fallback;
}
/**
* Update the routes array to keep it in sync with SmartProxy
* This prevents stale route data when adding/removing challenge routes
*/
public setRoutes(routes: IRouteConfig[]): void {
this.routes = routes;
}
/**
* Set callback for updating routes (used for challenge routes)
*/
public setUpdateRoutesCallback(callback: (routes: IRouteConfig[]) => Promise<void>): void {
this.updateRoutesCallback = callback;
try {
logger.log('debug', 'Route update callback set successfully', { component: 'certificate-manager' });
} catch (error) {
// Silently handle logging errors
console.log('[DEBUG] Route update callback set successfully');
}
}
/**
* Initialize certificate manager and provision certificates for all routes
*/
public async initialize(): Promise<void> {
// Create certificate directory if it doesn't exist
await this.certStore.initialize();
// Initialize SmartAcme if we have any ACME routes
const hasAcmeRoutes = this.routes.some(r =>
r.action.tls?.certificate === 'auto'
);
if (hasAcmeRoutes && this.acmeOptions?.email) {
// Create HTTP-01 challenge handler
const http01Handler = new plugins.smartacme.handlers.Http01MemoryHandler();
// Set up challenge handler integration with our routing
this.setupChallengeHandler(http01Handler);
// Create SmartAcme instance with built-in MemoryCertManager and HTTP-01 handler
this.smartAcme = new plugins.smartacme.SmartAcme({
accountEmail: this.acmeOptions.email,
environment: this.acmeOptions.useProduction ? 'production' : 'integration',
certManager: new plugins.smartacme.certmanagers.MemoryCertManager(),
challengeHandlers: [http01Handler]
});
await this.smartAcme.start();
// Add challenge route once at initialization if not already active
if (!this.challengeRouteActive) {
logger.log('info', 'Adding ACME challenge route during initialization', { component: 'certificate-manager' });
await this.addChallengeRoute();
} else {
logger.log('info', 'Challenge route already active from previous instance', { component: 'certificate-manager' });
}
}
// Skip automatic certificate provisioning during initialization
// This will be called later after ports are listening
logger.log('info', 'Certificate manager initialized. Deferring certificate provisioning until after ports are listening.', { component: 'certificate-manager' });
// Start renewal timer
this.startRenewalTimer();
}
/**
* Provision certificates for all routes that need them
*/
public async provisionAllCertificates(): Promise<void> {
const certRoutes = this.routes.filter(r =>
r.action.tls?.mode === 'terminate' ||
r.action.tls?.mode === 'terminate-and-reencrypt'
);
// Set provisioning flag to prevent concurrent operations
this.isProvisioning = true;
try {
for (const route of certRoutes) {
try {
await this.provisionCertificate(route, true); // Allow concurrent since we're managing it here
} catch (error) {
logger.log('error', `Failed to provision certificate for route ${route.name}`, { routeName: route.name, error, component: 'certificate-manager' });
}
}
} finally {
this.isProvisioning = false;
}
}
/**
* Provision certificate for a single route
*/
public async provisionCertificate(route: IRouteConfig, allowConcurrent: boolean = false): Promise<void> {
const tls = route.action.tls;
if (!tls || (tls.mode !== 'terminate' && tls.mode !== 'terminate-and-reencrypt')) {
return;
}
// Check if provisioning is already in progress (prevent concurrent provisioning)
if (!allowConcurrent && this.isProvisioning) {
logger.log('info', `Certificate provisioning already in progress, skipping ${route.name}`, { routeName: route.name, component: 'certificate-manager' });
return;
}
const domains = this.extractDomainsFromRoute(route);
if (domains.length === 0) {
logger.log('warn', `Route ${route.name} has TLS termination but no domains`, { routeName: route.name, component: 'certificate-manager' });
return;
}
const primaryDomain = domains[0];
if (tls.certificate === 'auto') {
// ACME certificate
await this.provisionAcmeCertificate(route, domains);
} else if (typeof tls.certificate === 'object') {
// Static certificate
await this.provisionStaticCertificate(route, primaryDomain, tls.certificate);
}
}
/**
* Provision ACME certificate
*/
private async provisionAcmeCertificate(
route: IRouteConfig,
domains: string[]
): Promise<void> {
const primaryDomain = domains[0];
const routeName = route.name || primaryDomain;
// Check if we already have a valid certificate
const existingCert = await this.certStore.getCertificate(routeName);
if (existingCert && this.isCertificateValid(existingCert)) {
logger.log('info', `Using existing valid certificate for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
await this.applyCertificate(primaryDomain, existingCert);
this.updateCertStatus(routeName, 'valid', existingCert.source || 'acme', existingCert);
return;
}
// Check for custom provision function first
if (this.certProvisionFunction) {
try {
logger.log('info', `Attempting custom certificate provision for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
const result = await this.certProvisionFunction(primaryDomain);
if (result === 'http01') {
logger.log('info', `Custom function returned 'http01', falling back to Let's Encrypt for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
// Continue with existing ACME logic below
} else {
// Use custom certificate
const customCert = result as plugins.tsclass.network.ICert;
// Convert to internal certificate format
const certData: ICertificateData = {
cert: customCert.publicKey,
key: customCert.privateKey,
ca: '',
issueDate: new Date(),
expiryDate: this.extractExpiryDate(customCert.publicKey),
source: 'custom'
};
// Store and apply certificate
await this.certStore.saveCertificate(routeName, certData);
await this.applyCertificate(primaryDomain, certData);
this.updateCertStatus(routeName, 'valid', 'custom', certData);
logger.log('info', `Custom certificate applied for ${primaryDomain}`, {
domain: primaryDomain,
expiryDate: certData.expiryDate,
component: 'certificate-manager'
});
return;
}
} catch (error) {
logger.log('error', `Custom cert provision failed for ${primaryDomain}: ${error.message}`, {
domain: primaryDomain,
error: error.message,
component: 'certificate-manager'
});
// Check if we should fallback to ACME
if (!this.certProvisionFallbackToAcme) {
throw error;
}
logger.log('info', `Falling back to Let's Encrypt for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
}
}
if (!this.smartAcme) {
throw new Error(
'SmartAcme not initialized. This usually means no ACME email was provided. ' +
'Please ensure you have configured ACME with an email address either:\n' +
'1. In the top-level "acme" configuration\n' +
'2. In the route\'s "tls.acme" configuration'
);
}
// Apply renewal threshold from global defaults or route config
const renewThreshold = route.action.tls?.acme?.renewBeforeDays ||
this.globalAcmeDefaults?.renewThresholdDays ||
30;
logger.log('info', `Requesting ACME certificate for ${domains.join(', ')} (renew ${renewThreshold} days before expiry)`, { domains: domains.join(', '), renewThreshold, component: 'certificate-manager' });
this.updateCertStatus(routeName, 'pending', 'acme');
try {
// Challenge route should already be active from initialization
// No need to add it for each certificate
// Determine if we should request a wildcard certificate
// Only request wildcards if:
// 1. The primary domain is not already a wildcard
// 2. The domain has multiple parts (can have subdomains)
// 3. We have DNS-01 challenge support (required for wildcards)
const hasDnsChallenge = (this.smartAcme as any).challengeHandlers?.some((handler: any) =>
handler.getSupportedTypes && handler.getSupportedTypes().includes('dns-01')
);
const shouldIncludeWildcard = !primaryDomain.startsWith('*.') &&
primaryDomain.includes('.') &&
primaryDomain.split('.').length >= 2 &&
hasDnsChallenge;
if (shouldIncludeWildcard) {
logger.log('info', `Requesting wildcard certificate for ${primaryDomain} (DNS-01 available)`, { domain: primaryDomain, challengeType: 'DNS-01', component: 'certificate-manager' });
}
// Use smartacme to get certificate with optional wildcard
const cert = await this.smartAcme.getCertificateForDomain(
primaryDomain,
shouldIncludeWildcard ? { includeWildcard: true } : undefined
);
// SmartAcme's Cert object has these properties:
// - publicKey: The certificate PEM string
// - privateKey: The private key PEM string
// - csr: Certificate signing request
// - validUntil: Timestamp in milliseconds
// - domainName: The domain name
const certData: ICertificateData = {
cert: cert.publicKey,
key: cert.privateKey,
ca: cert.publicKey, // Use same as cert for now
expiryDate: new Date(cert.validUntil),
issueDate: new Date(cert.created),
source: 'acme'
};
await this.certStore.saveCertificate(routeName, certData);
await this.applyCertificate(primaryDomain, certData);
this.updateCertStatus(routeName, 'valid', 'acme', certData);
logger.log('info', `Successfully provisioned ACME certificate for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
} catch (error) {
logger.log('error', `Failed to provision ACME certificate for ${primaryDomain}: ${error.message}`, { domain: primaryDomain, error: error.message, component: 'certificate-manager' });
this.updateCertStatus(routeName, 'error', 'acme', undefined, error.message);
throw error;
}
}
/**
* Provision static certificate
*/
private async provisionStaticCertificate(
route: IRouteConfig,
domain: string,
certConfig: { key: string; cert: string; keyFile?: string; certFile?: string }
): Promise<void> {
const routeName = route.name || domain;
try {
let key: string = certConfig.key;
let cert: string = certConfig.cert;
// Load from files if paths are provided
const smartFileFactory = plugins.smartfile.SmartFileFactory.nodeFs();
if (certConfig.keyFile) {
const keyFile = await smartFileFactory.fromFilePath(certConfig.keyFile);
key = keyFile.contents.toString();
}
if (certConfig.certFile) {
const certFile = await smartFileFactory.fromFilePath(certConfig.certFile);
cert = certFile.contents.toString();
}
// Parse certificate to get dates
const expiryDate = this.extractExpiryDate(cert);
const issueDate = new Date(); // Current date as issue date
const certData: ICertificateData = {
cert,
key,
expiryDate,
issueDate,
source: 'static'
};
// Save to store for consistency
await this.certStore.saveCertificate(routeName, certData);
await this.applyCertificate(domain, certData);
this.updateCertStatus(routeName, 'valid', 'static', certData);
logger.log('info', `Successfully loaded static certificate for ${domain}`, { domain, component: 'certificate-manager' });
} catch (error) {
logger.log('error', `Failed to provision static certificate for ${domain}: ${error.message}`, { domain, error: error.message, component: 'certificate-manager' });
this.updateCertStatus(routeName, 'error', 'static', undefined, error.message);
throw error;
}
}
/**
* Apply certificate to HttpProxy
*/
private async applyCertificate(domain: string, certData: ICertificateData): Promise<void> {
if (!this.httpProxy) {
logger.log('warn', `HttpProxy not set, cannot apply certificate for domain ${domain}`, { domain, component: 'certificate-manager' });
return;
}
// Apply certificate to HttpProxy
this.httpProxy.updateCertificate(domain, certData.cert, certData.key);
// Also apply for wildcard if it's a subdomain
if (domain.includes('.') && !domain.startsWith('*.')) {
const parts = domain.split('.');
if (parts.length >= 2) {
const wildcardDomain = `*.${parts.slice(-2).join('.')}`;
this.httpProxy.updateCertificate(wildcardDomain, certData.cert, certData.key);
}
}
}
/**
* Extract domains from route configuration
*/
private extractDomainsFromRoute(route: IRouteConfig): string[] {
if (!route.match.domains) {
return [];
}
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
// Filter out wildcards and patterns
return domains.filter(d =>
!d.includes('*') &&
!d.includes('{') &&
d.includes('.')
);
}
/**
* Check if certificate is valid
*/
private isCertificateValid(cert: ICertificateData): boolean {
const now = new Date();
// Use renewal threshold from global defaults or fallback to 30 days
const renewThresholdDays = this.globalAcmeDefaults?.renewThresholdDays || 30;
const expiryThreshold = new Date(now.getTime() + renewThresholdDays * 24 * 60 * 60 * 1000);
return cert.expiryDate > expiryThreshold;
}
/**
* Extract expiry date from a PEM certificate
*/
private extractExpiryDate(_certPem: string): Date {
// For now, we'll default to 90 days for custom certificates
// In production, you might want to use a proper X.509 parser
// or require the custom cert provider to include expiry info
logger.log('info', 'Using default 90-day expiry for custom certificate', {
component: 'certificate-manager'
});
return new Date(Date.now() + 90 * 24 * 60 * 60 * 1000);
}
/**
* Add challenge route to SmartProxy
*
* This method adds a special route for ACME HTTP-01 challenges, which typically uses port 80.
* Since we may already be listening on port 80 for regular routes, we need to be
* careful about how we add this route to avoid binding conflicts.
*/
private async addChallengeRoute(): Promise<void> {
// Check with state manager first - avoid duplication
if (this.acmeStateManager && this.acmeStateManager.isChallengeRouteActive()) {
try {
logger.log('info', 'Challenge route already active in global state, skipping', { component: 'certificate-manager' });
} catch (error) {
// Silently handle logging errors
console.log('[INFO] Challenge route already active in global state, skipping');
}
this.challengeRouteActive = true;
return;
}
if (this.challengeRouteActive) {
try {
logger.log('info', 'Challenge route already active locally, skipping', { component: 'certificate-manager' });
} catch (error) {
// Silently handle logging errors
console.log('[INFO] Challenge route already active locally, skipping');
}
return;
}
if (!this.updateRoutesCallback) {
throw new Error('No route update callback set');
}
if (!this.challengeRoute) {
throw new Error('Challenge route not initialized');
}
// Get the challenge port
const challengePort = this.globalAcmeDefaults?.port || 80;
// Check if any existing routes are already using this port
// This helps us determine if we need to create a new binding or can reuse existing one
const portInUseByRoutes = this.routes.some(route => {
const routePorts = Array.isArray(route.match.ports) ? route.match.ports : [route.match.ports];
return routePorts.some(p => {
// Handle both number and port range objects
if (typeof p === 'number') {
return p === challengePort;
} else if (typeof p === 'object' && 'from' in p && 'to' in p) {
// Port range case - check if challengePort is in range
return challengePort >= p.from && challengePort <= p.to;
}
return false;
});
});
try {
// Log whether port is already in use by other routes
if (portInUseByRoutes) {
try {
logger.log('info', `Port ${challengePort} is already used by another route, merging ACME challenge route`, {
port: challengePort,
component: 'certificate-manager'
});
} catch (error) {
// Silently handle logging errors
console.log(`[INFO] Port ${challengePort} is already used by another route, merging ACME challenge route`);
}
} else {
try {
logger.log('info', `Adding new ACME challenge route on port ${challengePort}`, {
port: challengePort,
component: 'certificate-manager'
});
} catch (error) {
// Silently handle logging errors
console.log(`[INFO] Adding new ACME challenge route on port ${challengePort}`);
}
}
// Add the challenge route to the existing routes
const challengeRoute = this.challengeRoute;
const updatedRoutes = [...this.routes, challengeRoute];
// With the re-ordering of start(), port binding should already be done
// This updateRoutes call should just add the route without binding again
await this.updateRoutesCallback(updatedRoutes);
// Keep local routes in sync after updating
this.routes = updatedRoutes;
this.challengeRouteActive = true;
// Register with state manager
if (this.acmeStateManager) {
this.acmeStateManager.addChallengeRoute(challengeRoute);
}
try {
logger.log('info', 'ACME challenge route successfully added', { component: 'certificate-manager' });
} catch (error) {
// Silently handle logging errors
console.log('[INFO] ACME challenge route successfully added');
}
} catch (error) {
// Enhanced error handling based on error type
if ((error as any).code === 'EADDRINUSE') {
try {
logger.log('warn', `Challenge port ${challengePort} is unavailable - it's already in use by another process. Consider configuring a different ACME port.`, {
port: challengePort,
error: (error as Error).message,
component: 'certificate-manager'
});
} catch (logError) {
// Silently handle logging errors
console.log(`[WARN] Challenge port ${challengePort} is unavailable - it's already in use by another process. Consider configuring a different ACME port.`);
}
// Provide a more informative and actionable error message
throw new Error(
`ACME HTTP-01 challenge port ${challengePort} is already in use by another process. ` +
`Please configure a different port using the acme.port setting (e.g., 8080).`
);
} else if (error.message && error.message.includes('EADDRINUSE')) {
// Some Node.js versions embed the error code in the message rather than the code property
try {
logger.log('warn', `Port ${challengePort} conflict detected: ${error.message}`, {
port: challengePort,
component: 'certificate-manager'
});
} catch (logError) {
// Silently handle logging errors
console.log(`[WARN] Port ${challengePort} conflict detected: ${error.message}`);
}
// More detailed error message with suggestions
throw new Error(
`ACME HTTP challenge port ${challengePort} conflict detected. ` +
`To resolve this issue, try one of these approaches:\n` +
`1. Configure a different port in ACME settings (acme.port)\n` +
`2. Add a regular route that uses port ${challengePort} before initializing the certificate manager\n` +
`3. Stop any other services that might be using port ${challengePort}`
);
}
// Log and rethrow other types of errors
try {
logger.log('error', `Failed to add challenge route: ${(error as Error).message}`, {
error: (error as Error).message,
component: 'certificate-manager'
});
} catch (logError) {
// Silently handle logging errors
console.log(`[ERROR] Failed to add challenge route: ${(error as Error).message}`);
}
throw error;
}
}
/**
* Remove challenge route from SmartProxy
*/
private async removeChallengeRoute(): Promise<void> {
if (!this.challengeRouteActive) {
try {
logger.log('info', 'Challenge route not active, skipping removal', { component: 'certificate-manager' });
} catch (error) {
// Silently handle logging errors
console.log('[INFO] Challenge route not active, skipping removal');
}
return;
}
if (!this.updateRoutesCallback) {
return;
}
try {
const filteredRoutes = this.routes.filter(r => r.name !== 'acme-challenge');
await this.updateRoutesCallback(filteredRoutes);
// Keep local routes in sync after updating
this.routes = filteredRoutes;
this.challengeRouteActive = false;
// Remove from state manager
if (this.acmeStateManager) {
this.acmeStateManager.removeChallengeRoute('acme-challenge');
}
try {
logger.log('info', 'ACME challenge route successfully removed', { component: 'certificate-manager' });
} catch (error) {
// Silently handle logging errors
console.log('[INFO] ACME challenge route successfully removed');
}
} catch (error) {
try {
logger.log('error', `Failed to remove challenge route: ${error.message}`, { error: error.message, component: 'certificate-manager' });
} catch (logError) {
// Silently handle logging errors
console.log(`[ERROR] Failed to remove challenge route: ${error.message}`);
}
// Reset the flag even on error to avoid getting stuck
this.challengeRouteActive = false;
throw error;
}
}
/**
* Start renewal timer
*/
private startRenewalTimer(): void {
// Check for renewals every 12 hours
this.renewalTimer = setInterval(() => {
this.checkAndRenewCertificates();
}, 12 * 60 * 60 * 1000);
// Unref the timer so it doesn't keep the process alive
if (this.renewalTimer.unref) {
this.renewalTimer.unref();
}
// Also do an immediate check
this.checkAndRenewCertificates();
}
/**
* Check and renew certificates that are expiring
*/
private async checkAndRenewCertificates(): Promise<void> {
for (const route of this.routes) {
if (route.action.tls?.certificate === 'auto') {
const routeName = route.name || this.extractDomainsFromRoute(route)[0];
const cert = await this.certStore.getCertificate(routeName);
if (cert && !this.isCertificateValid(cert)) {
logger.log('info', `Certificate for ${routeName} needs renewal`, { routeName, component: 'certificate-manager' });
try {
await this.provisionCertificate(route);
} catch (error) {
logger.log('error', `Failed to renew certificate for ${routeName}: ${error.message}`, { routeName, error: error.message, component: 'certificate-manager' });
}
}
}
}
}
/**
* Update certificate status
*/
private updateCertStatus(
routeName: string,
status: ICertStatus['status'],
source: ICertStatus['source'],
certData?: ICertificateData,
error?: string
): void {
this.certStatus.set(routeName, {
domain: routeName,
status,
source,
expiryDate: certData?.expiryDate,
issueDate: certData?.issueDate,
error
});
}
/**
* Get certificate status for a route
*/
public getCertificateStatus(routeName: string): ICertStatus | undefined {
return this.certStatus.get(routeName);
}
/**
* Force renewal of a certificate
*/
public async renewCertificate(routeName: string): Promise<void> {
const route = this.routes.find(r => r.name === routeName);
if (!route) {
throw new Error(`Route ${routeName} not found`);
}
// Remove existing certificate to force renewal
await this.certStore.deleteCertificate(routeName);
await this.provisionCertificate(route);
}
/**
* Setup challenge handler integration with SmartProxy routing
*/
private setupChallengeHandler(http01Handler: plugins.smartacme.handlers.Http01MemoryHandler): void {
// Use challenge port from global config or default to 80
const challengePort = this.globalAcmeDefaults?.port || 80;
// Create a challenge route that delegates to SmartAcme's HTTP-01 handler
const challengeRoute: IRouteConfig = {
name: 'acme-challenge',
priority: 1000, // High priority
match: {
ports: challengePort,
path: '/.well-known/acme-challenge/*'
},
action: {
type: 'socket-handler',
socketHandler: SocketHandlers.httpServer((req, res) => {
// Extract the token from the path
const token = req.url?.split('/').pop();
if (!token) {
res.status(404);
res.send('Not found');
return;
}
// Create mock request/response objects for SmartAcme
let responseData: any = null;
const mockReq = {
url: req.url,
method: req.method,
headers: req.headers
};
const mockRes = {
statusCode: 200,
setHeader: (name: string, value: string) => {},
end: (data: any) => {
responseData = data;
}
};
// Use SmartAcme's handler
const handleAcme = () => {
http01Handler.handleRequest(mockReq as any, mockRes as any, () => {
// Not handled by ACME
res.status(404);
res.send('Not found');
});
// Give it a moment to process, then send response
setTimeout(() => {
if (responseData) {
res.header('Content-Type', 'text/plain');
res.send(String(responseData));
} else {
res.status(404);
res.send('Not found');
}
}, 100);
};
handleAcme();
})
}
};
// Store the challenge route to add it when needed
this.challengeRoute = challengeRoute;
}
/**
* Stop certificate manager
*/
public async stop(): Promise<void> {
if (this.renewalTimer) {
clearInterval(this.renewalTimer);
this.renewalTimer = null;
}
// Always remove challenge route on shutdown
if (this.challengeRoute) {
logger.log('info', 'Removing ACME challenge route during shutdown', { component: 'certificate-manager' });
await this.removeChallengeRoute();
}
if (this.smartAcme) {
await this.smartAcme.stop();
}
// Clear any pending challenges
if (this.pendingChallenges.size > 0) {
this.pendingChallenges.clear();
}
}
/**
* Get ACME options (for recreating after route updates)
*/
public getAcmeOptions(): { email?: string; useProduction?: boolean; port?: number } | undefined {
return this.acmeOptions;
}
/**
* Get certificate manager state
*/
public getState(): { challengeRouteActive: boolean } {
return {
challengeRouteActive: this.challengeRouteActive
};
}
}

809
ts/proxies/smart-proxy/connection-manager.ts
View File

@@ -1,809 +0,0 @@
import * as plugins from '../../plugins.js';
import type { IConnectionRecord } from './models/interfaces.js';
import { logger } from '../../core/utils/logger.js';
import { connectionLogDeduplicator } from '../../core/utils/log-deduplicator.js';
import { LifecycleComponent } from '../../core/utils/lifecycle-component.js';
import { cleanupSocket } from '../../core/utils/socket-utils.js';
import { WrappedSocket } from '../../core/models/wrapped-socket.js';
import { ProtocolDetector } from '../../detection/index.js';
import type { SmartProxy } from './smart-proxy.js';
/**
* Manages connection lifecycle, tracking, and cleanup with performance optimizations
*/
export class ConnectionManager extends LifecycleComponent {
private connectionRecords: Map<string, IConnectionRecord> = new Map();
private terminationStats: {
incoming: Record<string, number>;
outgoing: Record<string, number>;
} = { incoming: {}, outgoing: {} };
// Performance optimization: Track connections needing inactivity check
private nextInactivityCheck: Map<string, number> = new Map();
// Connection limits
private readonly maxConnections: number;
private readonly cleanupBatchSize: number = 100;
// Cleanup queue for batched processing
private cleanupQueue: Set<string> = new Set();
private cleanupTimer: NodeJS.Timeout | null = null;
private isProcessingCleanup: boolean = false;
// Route-level connection tracking
private connectionsByRoute: Map<string, Set<string>> = new Map();
constructor(
private smartProxy: SmartProxy
) {
super();
// Set reasonable defaults for connection limits
this.maxConnections = smartProxy.settings.defaults?.security?.maxConnections || 10000;
// Start inactivity check timer if not disabled
if (!smartProxy.settings.disableInactivityCheck) {
this.startInactivityCheckTimer();
}
}
/**
* Generate a unique connection ID
*/
public generateConnectionId(): string {
return Math.random().toString(36).substring(2, 15) +
Math.random().toString(36).substring(2, 15);
}
/**
* Create and track a new connection
* Accepts either a regular net.Socket or a WrappedSocket for transparent PROXY protocol support
*
* @param socket - The socket for the connection
* @param options - Optional configuration
* @param options.connectionId - Pre-generated connection ID (for atomic IP tracking)
* @param options.skipIpTracking - Skip IP tracking (if already done atomically)
*/
public createConnection(
socket: plugins.net.Socket | WrappedSocket,
options?: { connectionId?: string; skipIpTracking?: boolean }
): IConnectionRecord | null {
// Enforce connection limit
if (this.connectionRecords.size >= this.maxConnections) {
// Use deduplicated logging for connection limit
connectionLogDeduplicator.log(
'connection-rejected',
'warn',
'Global connection limit reached',
{
reason: 'global-limit',
currentConnections: this.connectionRecords.size,
maxConnections: this.maxConnections,
component: 'connection-manager'
},
'global-limit'
);
socket.destroy();
return null;
}
const connectionId = options?.connectionId || this.generateConnectionId();
const remoteIP = socket.remoteAddress || '';
const remotePort = socket.remotePort || 0;
const localPort = socket.localPort || 0;
const now = Date.now();
const record: IConnectionRecord = {
id: connectionId,
incoming: socket,
outgoing: null,
incomingStartTime: now,
lastActivity: now,
connectionClosed: false,
pendingData: [],
pendingDataSize: 0,
bytesReceived: 0,
bytesSent: 0,
remoteIP,
remotePort,
localPort,
isTLS: false,
tlsHandshakeComplete: false,
hasReceivedInitialData: false,
hasKeepAlive: false,
incomingTerminationReason: null,
outgoingTerminationReason: null,
usingNetworkProxy: false,
isBrowserConnection: false,
domainSwitches: 0
};
this.trackConnection(connectionId, record, options?.skipIpTracking);
return record;
}
/**
* Track an existing connection
* @param connectionId - The connection ID
* @param record - The connection record
* @param skipIpTracking - Skip IP tracking if already done atomically
*/
public trackConnection(connectionId: string, record: IConnectionRecord, skipIpTracking?: boolean): void {
this.connectionRecords.set(connectionId, record);
if (!skipIpTracking) {
this.smartProxy.securityManager.trackConnectionByIP(record.remoteIP, connectionId);
}
// Schedule inactivity check
if (!this.smartProxy.settings.disableInactivityCheck) {
this.scheduleInactivityCheck(connectionId, record);
}
}
/**
* Schedule next inactivity check for a connection
*/
private scheduleInactivityCheck(connectionId: string, record: IConnectionRecord): void {
let timeout = this.smartProxy.settings.inactivityTimeout!;
if (record.hasKeepAlive) {
if (this.smartProxy.settings.keepAliveTreatment === 'immortal') {
// Don't schedule check for immortal connections
return;
} else if (this.smartProxy.settings.keepAliveTreatment === 'extended') {
const multiplier = this.smartProxy.settings.keepAliveInactivityMultiplier || 6;
timeout = timeout * multiplier;
}
}
const checkTime = Date.now() + timeout;
this.nextInactivityCheck.set(connectionId, checkTime);
}
/**
* Start the inactivity check timer
*/
private startInactivityCheckTimer(): void {
// Check more frequently (every 10 seconds) to catch zombies and stuck connections faster
this.setInterval(() => {
this.performOptimizedInactivityCheck();
}, 10000);
// Note: LifecycleComponent's setInterval already calls unref()
}
/**
* Get a connection by ID
*/
public getConnection(connectionId: string): IConnectionRecord | undefined {
return this.connectionRecords.get(connectionId);
}
/**
* Get all active connections
*/
public getConnections(): Map<string, IConnectionRecord> {
return this.connectionRecords;
}
/**
* Get count of active connections
*/
public getConnectionCount(): number {
return this.connectionRecords.size;
}
/**
* Track connection by route
*/
public trackConnectionByRoute(routeId: string, connectionId: string): void {
if (!this.connectionsByRoute.has(routeId)) {
this.connectionsByRoute.set(routeId, new Set());
}
this.connectionsByRoute.get(routeId)!.add(connectionId);
}
/**
* Remove connection tracking for a route
*/
public removeConnectionByRoute(routeId: string, connectionId: string): void {
if (this.connectionsByRoute.has(routeId)) {
const connections = this.connectionsByRoute.get(routeId)!;
connections.delete(connectionId);
if (connections.size === 0) {
this.connectionsByRoute.delete(routeId);
}
}
}
/**
* Get connection count by route
*/
public getConnectionCountByRoute(routeId: string): number {
return this.connectionsByRoute.get(routeId)?.size || 0;
}
/**
* Initiates cleanup once for a connection
*/
public initiateCleanupOnce(record: IConnectionRecord, reason: string = 'normal'): void {
// Use deduplicated logging for cleanup events
connectionLogDeduplicator.log(
'connection-cleanup',
'info',
`Connection cleanup: ${reason}`,
{
connectionId: record.id,
remoteIP: record.remoteIP,
reason,
component: 'connection-manager'
},
reason
);
if (record.incomingTerminationReason == null) {
record.incomingTerminationReason = reason;
this.incrementTerminationStat('incoming', reason);
}
// Add to cleanup queue for batched processing
this.queueCleanup(record.id);
}
/**
* Queue a connection for cleanup
*/
private queueCleanup(connectionId: string): void {
// Check if connection is already being processed
const record = this.connectionRecords.get(connectionId);
if (!record || record.connectionClosed) {
// Already cleaned up or doesn't exist, skip
return;
}
this.cleanupQueue.add(connectionId);
// Process immediately if queue is getting large and not already processing
if (this.cleanupQueue.size >= this.cleanupBatchSize && !this.isProcessingCleanup) {
this.processCleanupQueue();
} else if (!this.cleanupTimer && !this.isProcessingCleanup) {
// Otherwise, schedule batch processing
this.cleanupTimer = this.setTimeout(() => {
this.processCleanupQueue();
}, 100);
}
}
/**
* Process the cleanup queue in batches
*/
private processCleanupQueue(): void {
// Prevent concurrent processing
if (this.isProcessingCleanup) {
return;
}
this.isProcessingCleanup = true;
if (this.cleanupTimer) {
this.clearTimeout(this.cleanupTimer);
this.cleanupTimer = null;
}
try {
// Take a snapshot of items to process
const toCleanup = Array.from(this.cleanupQueue).slice(0, this.cleanupBatchSize);
// Remove only the items we're processing from the queue
for (const connectionId of toCleanup) {
this.cleanupQueue.delete(connectionId);
const record = this.connectionRecords.get(connectionId);
if (record) {
this.cleanupConnection(record, record.incomingTerminationReason || 'normal');
}
}
} finally {
// Always reset the processing flag
this.isProcessingCleanup = false;
// Check if more items were added while we were processing
if (this.cleanupQueue.size > 0) {
this.cleanupTimer = this.setTimeout(() => {
this.processCleanupQueue();
}, 10);
}
}
}
/**
* Clean up a connection record
*/
public cleanupConnection(record: IConnectionRecord, reason: string = 'normal'): void {
if (!record.connectionClosed) {
record.connectionClosed = true;
// Remove from inactivity check
this.nextInactivityCheck.delete(record.id);
// Track connection termination
this.smartProxy.securityManager.removeConnectionByIP(record.remoteIP, record.id);
// Remove from route tracking
if (record.routeId) {
this.removeConnectionByRoute(record.routeId, record.id);
}
// Remove from metrics tracking
if (this.smartProxy.metricsCollector) {
this.smartProxy.metricsCollector.removeConnection(record.id);
}
// Clean up protocol detection fragments
const context = ProtocolDetector.createConnectionContext({
sourceIp: record.remoteIP,
sourcePort: record.incoming?.remotePort || 0,
destIp: record.incoming?.localAddress || '',
destPort: record.localPort,
socketId: record.id
});
// Clean up any pending detection fragments for this connection
ProtocolDetector.cleanupConnection(context);
if (record.cleanupTimer) {
clearTimeout(record.cleanupTimer);
record.cleanupTimer = undefined;
}
// Calculate metrics once
const duration = Date.now() - record.incomingStartTime;
const logData = {
connectionId: record.id,
remoteIP: record.remoteIP,
localPort: record.localPort,
reason,
duration: plugins.prettyMs(duration),
bytes: { in: record.bytesReceived, out: record.bytesSent },
tls: record.isTLS,
keepAlive: record.hasKeepAlive,
usingNetworkProxy: record.usingNetworkProxy,
domainSwitches: record.domainSwitches || 0,
component: 'connection-manager'
};
// Remove all data handlers to make sure we clean up properly
if (record.incoming) {
try {
record.incoming.removeAllListeners('data');
record.renegotiationHandler = undefined;
} catch (err) {
logger.log('error', `Error removing data handlers: ${err}`, {
connectionId: record.id,
error: err,
component: 'connection-manager'
});
}
}
// Handle socket cleanup - check if sockets are still active
const cleanupPromises: Promise<void>[] = [];
if (record.incoming) {
// Extract underlying socket if it's a WrappedSocket
const incomingSocket = record.incoming instanceof WrappedSocket ? record.incoming.socket : record.incoming;
if (!record.incoming.writable || record.incoming.destroyed) {
// Socket is not active, clean up immediately
cleanupPromises.push(cleanupSocket(incomingSocket, `${record.id}-incoming`, { immediate: true }));
} else {
// Socket is still active, allow graceful cleanup
cleanupPromises.push(cleanupSocket(incomingSocket, `${record.id}-incoming`, { allowDrain: true, gracePeriod: 5000 }));
}
}
if (record.outgoing) {
// Extract underlying socket if it's a WrappedSocket
const outgoingSocket = record.outgoing instanceof WrappedSocket ? record.outgoing.socket : record.outgoing;
if (!record.outgoing.writable || record.outgoing.destroyed) {
// Socket is not active, clean up immediately
cleanupPromises.push(cleanupSocket(outgoingSocket, `${record.id}-outgoing`, { immediate: true }));
} else {
// Socket is still active, allow graceful cleanup
cleanupPromises.push(cleanupSocket(outgoingSocket, `${record.id}-outgoing`, { allowDrain: true, gracePeriod: 5000 }));
}
}
// Wait for cleanup to complete
Promise.all(cleanupPromises).catch(err => {
logger.log('error', `Error during socket cleanup: ${err}`, {
connectionId: record.id,
error: err,
component: 'connection-manager'
});
});
// Clear pendingData to avoid memory leaks
record.pendingData = [];
record.pendingDataSize = 0;
// Remove the record from the tracking map
this.connectionRecords.delete(record.id);
// Use deduplicated logging for connection termination
if (this.smartProxy.settings.enableDetailedLogging) {
// For detailed logging, include more info but still deduplicate by IP+reason
connectionLogDeduplicator.log(
'connection-terminated',
'info',
`Connection terminated: ${record.remoteIP}:${record.localPort}`,
{
...logData,
duration_ms: duration,
bytesIn: record.bytesReceived,
bytesOut: record.bytesSent
},
`${record.remoteIP}-${reason}`
);
} else {
// For normal logging, deduplicate by termination reason
connectionLogDeduplicator.log(
'connection-terminated',
'info',
`Connection terminated`,
{
remoteIP: record.remoteIP,
reason,
activeConnections: this.connectionRecords.size,
component: 'connection-manager'
},
reason // Group by termination reason
);
}
}
}
/**
* Creates a generic error handler for incoming or outgoing sockets
*/
public handleError(side: 'incoming' | 'outgoing', record: IConnectionRecord) {
return (err: Error) => {
const code = (err as any).code;
let reason = 'error';
const now = Date.now();
const connectionDuration = now - record.incomingStartTime;
const lastActivityAge = now - record.lastActivity;
// Update activity tracking
if (side === 'incoming') {
record.lastActivity = now;
this.scheduleInactivityCheck(record.id, record);
}
const errorData = {
connectionId: record.id,
side,
remoteIP: record.remoteIP,
error: err.message,
duration: plugins.prettyMs(connectionDuration),
lastActivity: plugins.prettyMs(lastActivityAge),
component: 'connection-manager'
};
switch (code) {
case 'ECONNRESET':
reason = 'econnreset';
logger.log('warn', `ECONNRESET on ${side}: ${record.remoteIP}`, errorData);
break;
case 'ETIMEDOUT':
reason = 'etimedout';
logger.log('warn', `ETIMEDOUT on ${side}: ${record.remoteIP}`, errorData);
break;
default:
logger.log('error', `Error on ${side}: ${record.remoteIP} - ${err.message}`, errorData);
}
if (side === 'incoming' && record.incomingTerminationReason == null) {
record.incomingTerminationReason = reason;
this.incrementTerminationStat('incoming', reason);
} else if (side === 'outgoing' && record.outgoingTerminationReason == null) {
record.outgoingTerminationReason = reason;
this.incrementTerminationStat('outgoing', reason);
}
this.initiateCleanupOnce(record, reason);
};
}
/**
* Creates a generic close handler for incoming or outgoing sockets
*/
public handleClose(side: 'incoming' | 'outgoing', record: IConnectionRecord) {
return () => {
if (this.smartProxy.settings.enableDetailedLogging) {
logger.log('info', `Connection closed on ${side} side`, {
connectionId: record.id,
side,
remoteIP: record.remoteIP,
component: 'connection-manager'
});
}
if (side === 'incoming' && record.incomingTerminationReason == null) {
record.incomingTerminationReason = 'normal';
this.incrementTerminationStat('incoming', 'normal');
} else if (side === 'outgoing' && record.outgoingTerminationReason == null) {
record.outgoingTerminationReason = 'normal';
this.incrementTerminationStat('outgoing', 'normal');
record.outgoingClosedTime = Date.now();
}
this.initiateCleanupOnce(record, 'closed_' + side);
};
}
/**
* Increment termination statistics
*/
public incrementTerminationStat(side: 'incoming' | 'outgoing', reason: string): void {
this.terminationStats[side][reason] = (this.terminationStats[side][reason] || 0) + 1;
}
/**
* Get termination statistics
*/
public getTerminationStats(): { incoming: Record<string, number>; outgoing: Record<string, number> } {
return this.terminationStats;
}
/**
* Optimized inactivity check - only checks connections that are due
*/
private performOptimizedInactivityCheck(): void {
const now = Date.now();
const connectionsToCheck: string[] = [];
// Find connections that need checking
for (const [connectionId, checkTime] of this.nextInactivityCheck) {
if (checkTime <= now) {
connectionsToCheck.push(connectionId);
}
}
// Also check ALL connections for zombie state (destroyed sockets but not cleaned up)
// This is critical for proxy chains where sockets can be destroyed without events
for (const [connectionId, record] of this.connectionRecords) {
if (!record.connectionClosed) {
const incomingDestroyed = record.incoming?.destroyed || false;
const outgoingDestroyed = record.outgoing?.destroyed || false;
// Check for zombie connections: both sockets destroyed but connection not cleaned up
if (incomingDestroyed && outgoingDestroyed) {
logger.log('warn', `Zombie connection detected: ${connectionId} - both sockets destroyed but not cleaned up`, {
connectionId,
remoteIP: record.remoteIP,
age: plugins.prettyMs(now - record.incomingStartTime),
component: 'connection-manager'
});
// Clean up immediately
this.cleanupConnection(record, 'zombie_cleanup');
continue;
}
// Check for half-zombie: one socket destroyed
if (incomingDestroyed || outgoingDestroyed) {
const age = now - record.incomingStartTime;
// Use longer grace period for encrypted connections (5 minutes vs 30 seconds)
const gracePeriod = record.isTLS ? 300000 : 30000;
// Also ensure connection is old enough to avoid premature cleanup
if (age > gracePeriod && age > 10000) {
logger.log('warn', `Half-zombie connection detected: ${connectionId} - ${incomingDestroyed ? 'incoming' : 'outgoing'} destroyed`, {
connectionId,
remoteIP: record.remoteIP,
age: plugins.prettyMs(age),
incomingDestroyed,
outgoingDestroyed,
isTLS: record.isTLS,
gracePeriod: plugins.prettyMs(gracePeriod),
component: 'connection-manager'
});
// Clean up
this.cleanupConnection(record, 'half_zombie_cleanup');
}
}
// Check for stuck connections: no data sent back to client
if (!record.connectionClosed && record.outgoing && record.bytesReceived > 0 && record.bytesSent === 0) {
const age = now - record.incomingStartTime;
// Use longer grace period for encrypted connections (5 minutes vs 60 seconds)
const stuckThreshold = record.isTLS ? 300000 : 60000;
// If connection is older than threshold and no data sent back, likely stuck
if (age > stuckThreshold) {
logger.log('warn', `Stuck connection detected: ${connectionId} - received ${record.bytesReceived} bytes but sent 0 bytes`, {
connectionId,
remoteIP: record.remoteIP,
age: plugins.prettyMs(age),
bytesReceived: record.bytesReceived,
targetHost: record.targetHost,
targetPort: record.targetPort,
isTLS: record.isTLS,
threshold: plugins.prettyMs(stuckThreshold),
component: 'connection-manager'
});
// Set termination reason and increment stats
if (record.incomingTerminationReason == null) {
record.incomingTerminationReason = 'stuck_no_response';
this.incrementTerminationStat('incoming', 'stuck_no_response');
}
// Clean up
this.cleanupConnection(record, 'stuck_no_response');
}
}
}
}
// Process only connections that need checking
for (const connectionId of connectionsToCheck) {
const record = this.connectionRecords.get(connectionId);
if (!record || record.connectionClosed) {
this.nextInactivityCheck.delete(connectionId);
continue;
}
const inactivityTime = now - record.lastActivity;
// Use extended timeout for extended-treatment keep-alive connections
let effectiveTimeout = this.smartProxy.settings.inactivityTimeout!;
if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'extended') {
const multiplier = this.smartProxy.settings.keepAliveInactivityMultiplier || 6;
effectiveTimeout = effectiveTimeout * multiplier;
}
if (inactivityTime > effectiveTimeout) {
// For keep-alive connections, issue a warning first
if (record.hasKeepAlive && !record.inactivityWarningIssued) {
logger.log('warn', `Keep-alive connection inactive: ${record.remoteIP}`, {
connectionId,
remoteIP: record.remoteIP,
inactiveFor: plugins.prettyMs(inactivityTime),
component: 'connection-manager'
});
record.inactivityWarningIssued = true;
// Reschedule check for 10 minutes later
this.nextInactivityCheck.set(connectionId, now + 600000);
// Try to stimulate activity with a probe packet
if (record.outgoing && !record.outgoing.destroyed) {
try {
record.outgoing.write(Buffer.alloc(0));
} catch (err) {
logger.log('error', `Error sending probe packet: ${err}`, {
connectionId,
error: err,
component: 'connection-manager'
});
}
}
} else {
// Close the connection
logger.log('warn', `Closing inactive connection: ${record.remoteIP}`, {
connectionId,
remoteIP: record.remoteIP,
inactiveFor: plugins.prettyMs(inactivityTime),
hasKeepAlive: record.hasKeepAlive,
component: 'connection-manager'
});
this.cleanupConnection(record, 'inactivity');
}
} else {
// Reschedule next check
this.scheduleInactivityCheck(connectionId, record);
}
// Parity check: if outgoing socket closed and incoming remains active
// Increased from 2 minutes to 30 minutes for long-lived connections
if (
record.outgoingClosedTime &&
!record.incoming.destroyed &&
!record.connectionClosed &&
now - record.outgoingClosedTime > 1800000 // 30 minutes
) {
// Only close if no data activity for 10 minutes
if (now - record.lastActivity > 600000) {
logger.log('warn', `Parity check failed after extended timeout: ${record.remoteIP}`, {
connectionId,
remoteIP: record.remoteIP,
timeElapsed: plugins.prettyMs(now - record.outgoingClosedTime),
inactiveFor: plugins.prettyMs(now - record.lastActivity),
component: 'connection-manager'
});
this.cleanupConnection(record, 'parity_check');
}
}
}
}
/**
* Legacy method for backward compatibility
*/
public performInactivityCheck(): void {
this.performOptimizedInactivityCheck();
}
/**
* Clear all connections (for shutdown)
*/
public async clearConnections(): Promise<void> {
// Delegate to LifecycleComponent's cleanup
await this.cleanup();
}
/**
* Override LifecycleComponent's onCleanup method
*/
protected async onCleanup(): Promise<void> {
// Process connections in batches to avoid blocking
const connections = Array.from(this.connectionRecords.values());
const batchSize = 100;
let index = 0;
const processBatch = () => {
const batch = connections.slice(index, index + batchSize);
for (const record of batch) {
try {
if (record.cleanupTimer) {
clearTimeout(record.cleanupTimer);
record.cleanupTimer = undefined;
}
// Immediate destruction using socket-utils
const shutdownPromises: Promise<void>[] = [];
if (record.incoming) {
const incomingSocket = record.incoming instanceof WrappedSocket ? record.incoming.socket : record.incoming;
shutdownPromises.push(cleanupSocket(incomingSocket, `${record.id}-incoming-shutdown`, { immediate: true }));
}
if (record.outgoing) {
const outgoingSocket = record.outgoing instanceof WrappedSocket ? record.outgoing.socket : record.outgoing;
shutdownPromises.push(cleanupSocket(outgoingSocket, `${record.id}-outgoing-shutdown`, { immediate: true }));
}
// Don't wait for shutdown cleanup in this batch processing
Promise.all(shutdownPromises).catch(() => {});
} catch (err) {
logger.log('error', `Error during connection cleanup: ${err}`, {
connectionId: record.id,
error: err,
component: 'connection-manager'
});
}
}
index += batchSize;
// Continue with next batch if needed
if (index < connections.length) {
setImmediate(processBatch);
} else {
// Clear all maps
this.connectionRecords.clear();
this.nextInactivityCheck.clear();
this.cleanupQueue.clear();
this.terminationStats = { incoming: {}, outgoing: {} };
}
};
// Start batch processing
setImmediate(processBatch);
}
}

213
ts/proxies/smart-proxy/http-proxy-bridge.ts
View File

@@ -1,213 +0,0 @@
import * as plugins from '../../plugins.js';
import { HttpProxy } from '../http-proxy/index.js';
import { setupBidirectionalForwarding } from '../../core/utils/socket-utils.js';
import type { IConnectionRecord } from './models/interfaces.js';
import type { IRouteConfig } from './models/route-types.js';
import { WrappedSocket } from '../../core/models/wrapped-socket.js';
import type { SmartProxy } from './smart-proxy.js';
export class HttpProxyBridge {
private httpProxy: HttpProxy | null = null;
constructor(private smartProxy: SmartProxy) {}
/**
* Get the HttpProxy instance
*/
public getHttpProxy(): HttpProxy | null {
return this.httpProxy;
}
/**
* Initialize HttpProxy instance
*/
public async initialize(): Promise<void> {
if (!this.httpProxy && this.smartProxy.settings.useHttpProxy && this.smartProxy.settings.useHttpProxy.length > 0) {
const httpProxyOptions: any = {
port: this.smartProxy.settings.httpProxyPort!,
portProxyIntegration: true,
logLevel: this.smartProxy.settings.enableDetailedLogging ? 'debug' : 'info'
};
this.httpProxy = new HttpProxy(httpProxyOptions);
console.log(`Initialized HttpProxy on port ${this.smartProxy.settings.httpProxyPort}`);
// Apply route configurations to HttpProxy
await this.syncRoutesToHttpProxy(this.smartProxy.settings.routes || []);
}
}
/**
* Sync routes to HttpProxy
*/
public async syncRoutesToHttpProxy(routes: IRouteConfig[]): Promise<void> {
if (!this.httpProxy) return;
// Convert routes to HttpProxy format
const httpProxyConfigs = routes
.filter(route => {
// Check if this route matches any of the specified network proxy ports
const routePorts = Array.isArray(route.match.ports)
? route.match.ports
: [route.match.ports];
return routePorts.some(port =>
this.smartProxy.settings.useHttpProxy?.includes(port)
);
})
.map(route => this.routeToHttpProxyConfig(route));
// Apply configurations to HttpProxy
await this.httpProxy.updateRouteConfigs(httpProxyConfigs);
}
/**
* Convert route to HttpProxy configuration
*/
private routeToHttpProxyConfig(route: IRouteConfig): any {
// Convert route to HttpProxy domain config format
let domain = '*';
if (route.match.domains) {
if (Array.isArray(route.match.domains)) {
domain = route.match.domains[0] || '*';
} else {
domain = route.match.domains;
}
}
return {
...route, // Keep the original route structure
match: {
...route.match,
domains: domain // Ensure domains is always set for HttpProxy
}
};
}
/**
* Check if connection should use HttpProxy
*/
public shouldUseHttpProxy(connection: IConnectionRecord, routeMatch: any): boolean {
// Only use HttpProxy for TLS termination
return (
routeMatch.route.action.tls?.mode === 'terminate' ||
routeMatch.route.action.tls?.mode === 'terminate-and-reencrypt'
) && this.httpProxy !== null;
}
/**
* Forward connection to HttpProxy
*/
public async forwardToHttpProxy(
connectionId: string,
socket: plugins.net.Socket | WrappedSocket,
record: IConnectionRecord,
initialChunk: Buffer,
httpProxyPort: number,
cleanupCallback: (reason: string) => void
): Promise<void> {
if (!this.httpProxy) {
throw new Error('HttpProxy not initialized');
}
// Check if client socket is already destroyed before proceeding
const underlyingSocket = socket instanceof WrappedSocket ? socket.socket : socket;
if (underlyingSocket.destroyed) {
console.log(`[${connectionId}] Client socket already destroyed, skipping HttpProxy forwarding`);
cleanupCallback('client_disconnected_before_proxy');
return;
}
const proxySocket = new plugins.net.Socket();
// Handle client disconnect during proxy connection setup
const clientDisconnectHandler = () => {
console.log(`[${connectionId}] Client disconnected during HttpProxy connection setup`);
proxySocket.destroy();
cleanupCallback('client_disconnected_during_setup');
};
underlyingSocket.once('close', clientDisconnectHandler);
try {
await new Promise<void>((resolve, reject) => {
proxySocket.connect(httpProxyPort, 'localhost', () => {
console.log(`[${connectionId}] Connected to HttpProxy for termination`);
resolve();
});
proxySocket.on('error', reject);
});
} finally {
// Remove the disconnect handler after connection attempt
underlyingSocket.removeListener('close', clientDisconnectHandler);
}
// Double-check client socket is still connected after async operation
if (underlyingSocket.destroyed) {
console.log(`[${connectionId}] Client disconnected while connecting to HttpProxy`);
proxySocket.destroy();
cleanupCallback('client_disconnected_after_proxy_connect');
return;
}
// Send client IP information header first (custom protocol)
// Format: "CLIENT_IP:<ip>\r\n"
const clientIPHeader = Buffer.from(`CLIENT_IP:${record.remoteIP}\r\n`);
proxySocket.write(clientIPHeader);
// Send initial chunk if present
if (initialChunk) {
// Count the initial chunk bytes
record.bytesReceived += initialChunk.length;
if (this.smartProxy.metricsCollector) {
this.smartProxy.metricsCollector.recordBytes(record.id, initialChunk.length, 0);
}
proxySocket.write(initialChunk);
}
// Use centralized bidirectional forwarding (underlyingSocket already extracted above)
setupBidirectionalForwarding(underlyingSocket, proxySocket, {
onClientData: (chunk) => {
// Update stats - this is the ONLY place bytes are counted for HttpProxy connections
if (record) {
record.bytesReceived += chunk.length;
if (this.smartProxy.metricsCollector) {
this.smartProxy.metricsCollector.recordBytes(record.id, chunk.length, 0);
}
}
},
onServerData: (chunk) => {
// Update stats - this is the ONLY place bytes are counted for HttpProxy connections
if (record) {
record.bytesSent += chunk.length;
if (this.smartProxy.metricsCollector) {
this.smartProxy.metricsCollector.recordBytes(record.id, 0, chunk.length);
}
}
},
onCleanup: (reason) => {
cleanupCallback(reason);
},
enableHalfOpen: false // Close both when one closes (required for proxy chains)
});
}
/**
* Start HttpProxy
*/
public async start(): Promise<void> {
if (this.httpProxy) {
await this.httpProxy.start();
}
}
/**
* Stop HttpProxy
*/
public async stop(): Promise<void> {
if (this.httpProxy) {
await this.httpProxy.stop();
this.httpProxy = null;
}
}
}

19
ts/proxies/smart-proxy/index.ts
View File

@@ -1,7 +1,7 @@
/**
* SmartProxy implementation
*
* Version 14.0.0: Unified Route-Based Configuration API
* Version 23.0.0: Rust-backed proxy engine
*/
// Re-export models
export * from './models/index.js';
@@ -9,21 +9,14 @@ export * from './models/index.js';
// Export the main SmartProxy class
export { SmartProxy } from './smart-proxy.js';
// Export core supporting classes
export { ConnectionManager } from './connection-manager.js';
export { SecurityManager } from './security-manager.js';
export { TimeoutManager } from './timeout-manager.js';
export { TlsManager } from './tls-manager.js';
export { HttpProxyBridge } from './http-proxy-bridge.js';
// Export Rust bridge and helpers
export { RustProxyBridge } from './rust-proxy-bridge.js';
export { RoutePreprocessor } from './route-preprocessor.js';
export { SocketHandlerServer } from './socket-handler-server.js';
export { RustMetricsAdapter } from './rust-metrics-adapter.js';
// Export route-based components
export { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
export { RouteConnectionHandler } from './route-connection-handler.js';
export { NFTablesManager } from './nftables-manager.js';
export { RouteOrchestrator } from './route-orchestrator.js';
// Export certificate management
export { SmartCertManager } from './certificate-manager.js';
// Export all helper functions from the utils directory
export * from './utils/index.js';

453
ts/proxies/smart-proxy/metrics-collector.ts
View File

@@ -1,453 +0,0 @@
import * as plugins from '../../plugins.js';
import type { SmartProxy } from './smart-proxy.js';
import type {
IMetrics,
IThroughputData,
IThroughputHistoryPoint,
IByteTracker
} from './models/metrics-types.js';
import { ThroughputTracker } from './throughput-tracker.js';
import { logger } from '../../core/utils/logger.js';
/**
* Collects and provides metrics for SmartProxy with clean API
*/
export class MetricsCollector implements IMetrics {
// Throughput tracking
private throughputTracker: ThroughputTracker;
private routeThroughputTrackers = new Map<string, ThroughputTracker>();
private ipThroughputTrackers = new Map<string, ThroughputTracker>();
// Request tracking
private requestTimestamps: number[] = [];
private totalRequests: number = 0;
// Connection byte tracking for per-route/IP metrics
private connectionByteTrackers = new Map<string, IByteTracker>();
// Subscriptions
private samplingInterval?: NodeJS.Timeout;
private connectionSubscription?: plugins.smartrx.rxjs.Subscription;
// Configuration
private readonly sampleIntervalMs: number;
private readonly retentionSeconds: number;
// Track connection durations for percentile calculations
private connectionDurations: number[] = [];
private bytesInArray: number[] = [];
private bytesOutArray: number[] = [];
constructor(
private smartProxy: SmartProxy,
config?: {
sampleIntervalMs?: number;
retentionSeconds?: number;
}
) {
this.sampleIntervalMs = config?.sampleIntervalMs || 1000;
this.retentionSeconds = config?.retentionSeconds || 3600;
this.throughputTracker = new ThroughputTracker(this.retentionSeconds);
}
// Connection metrics implementation
public connections = {
active: (): number => {
return this.smartProxy.connectionManager.getConnectionCount();
},
total: (): number => {
const stats = this.smartProxy.connectionManager.getTerminationStats();
let total = this.smartProxy.connectionManager.getConnectionCount();
for (const reason in stats.incoming) {
total += stats.incoming[reason];
}
return total;
},
byRoute: (): Map<string, number> => {
const routeCounts = new Map<string, number>();
const connections = this.smartProxy.connectionManager.getConnections();
for (const [_, record] of connections) {
const routeName = (record as any).routeName ||
record.routeConfig?.name ||
'unknown';
const current = routeCounts.get(routeName) || 0;
routeCounts.set(routeName, current + 1);
}
return routeCounts;
},
byIP: (): Map<string, number> => {
const ipCounts = new Map<string, number>();
for (const [_, record] of this.smartProxy.connectionManager.getConnections()) {
const ip = record.remoteIP;
const current = ipCounts.get(ip) || 0;
ipCounts.set(ip, current + 1);
}
return ipCounts;
},
topIPs: (limit: number = 10): Array<{ ip: string; count: number }> => {
const ipCounts = this.connections.byIP();
return Array.from(ipCounts.entries())
.sort((a, b) => b[1] - a[1])
.slice(0, limit)
.map(([ip, count]) => ({ ip, count }));
}
};
// Throughput metrics implementation
public throughput = {
instant: (): IThroughputData => {
return this.throughputTracker.getRate(1);
},
recent: (): IThroughputData => {
return this.throughputTracker.getRate(10);
},
average: (): IThroughputData => {
return this.throughputTracker.getRate(60);
},
custom: (seconds: number): IThroughputData => {
return this.throughputTracker.getRate(seconds);
},
history: (seconds: number): Array<IThroughputHistoryPoint> => {
return this.throughputTracker.getHistory(seconds);
},
byRoute: (windowSeconds: number = 1): Map<string, IThroughputData> => {
const routeThroughput = new Map<string, IThroughputData>();
// Get throughput from each route's dedicated tracker
for (const [route, tracker] of this.routeThroughputTrackers) {
const rate = tracker.getRate(windowSeconds);
if (rate.in > 0 || rate.out > 0) {
routeThroughput.set(route, rate);
}
}
return routeThroughput;
},
byIP: (windowSeconds: number = 1): Map<string, IThroughputData> => {
const ipThroughput = new Map<string, IThroughputData>();
// Get throughput from each IP's dedicated tracker
for (const [ip, tracker] of this.ipThroughputTrackers) {
const rate = tracker.getRate(windowSeconds);
if (rate.in > 0 || rate.out > 0) {
ipThroughput.set(ip, rate);
}
}
return ipThroughput;
}
};
// Request metrics implementation
public requests = {
perSecond: (): number => {
const now = Date.now();
const oneSecondAgo = now - 1000;
// Clean old timestamps
this.requestTimestamps = this.requestTimestamps.filter(ts => ts > now - 60000);
// Count requests in last second
const recentRequests = this.requestTimestamps.filter(ts => ts > oneSecondAgo);
return recentRequests.length;
},
perMinute: (): number => {
const now = Date.now();
const oneMinuteAgo = now - 60000;
// Count requests in last minute
const recentRequests = this.requestTimestamps.filter(ts => ts > oneMinuteAgo);
return recentRequests.length;
},
total: (): number => {
return this.totalRequests;
}
};
// Totals implementation
public totals = {
bytesIn: (): number => {
let total = 0;
// Sum from all active connections
for (const [_, record] of this.smartProxy.connectionManager.getConnections()) {
total += record.bytesReceived;
}
// TODO: Add historical data from terminated connections
return total;
},
bytesOut: (): number => {
let total = 0;
// Sum from all active connections
for (const [_, record] of this.smartProxy.connectionManager.getConnections()) {
total += record.bytesSent;
}
// TODO: Add historical data from terminated connections
return total;
},
connections: (): number => {
return this.connections.total();
}
};
// Helper to calculate percentiles from an array
private calculatePercentile(arr: number[], percentile: number): number {
if (arr.length === 0) return 0;
const sorted = [...arr].sort((a, b) => a - b);
const index = Math.floor((sorted.length - 1) * percentile);
return sorted[index];
}
// Percentiles implementation
public percentiles = {
connectionDuration: (): { p50: number; p95: number; p99: number } => {
return {
p50: this.calculatePercentile(this.connectionDurations, 0.5),
p95: this.calculatePercentile(this.connectionDurations, 0.95),
p99: this.calculatePercentile(this.connectionDurations, 0.99)
};
},
bytesTransferred: (): {
in: { p50: number; p95: number; p99: number };
out: { p50: number; p95: number; p99: number };
} => {
return {
in: {
p50: this.calculatePercentile(this.bytesInArray, 0.5),
p95: this.calculatePercentile(this.bytesInArray, 0.95),
p99: this.calculatePercentile(this.bytesInArray, 0.99)
},
out: {
p50: this.calculatePercentile(this.bytesOutArray, 0.5),
p95: this.calculatePercentile(this.bytesOutArray, 0.95),
p99: this.calculatePercentile(this.bytesOutArray, 0.99)
}
};
}
};
/**
* Record a new request
*/
public recordRequest(connectionId: string, routeName: string, remoteIP: string): void {
const now = Date.now();
this.requestTimestamps.push(now);
this.totalRequests++;
// Initialize byte tracker for this connection
this.connectionByteTrackers.set(connectionId, {
connectionId,
routeName,
remoteIP,
bytesIn: 0,
bytesOut: 0,
startTime: now,
lastUpdate: now
});
// Cleanup old request timestamps
if (this.requestTimestamps.length > 5000) {
// First try to clean up old timestamps (older than 1 minute)
const cutoff = now - 60000;
this.requestTimestamps = this.requestTimestamps.filter(ts => ts > cutoff);
// If still too many, enforce hard cap of 5000 most recent
if (this.requestTimestamps.length > 5000) {
this.requestTimestamps = this.requestTimestamps.slice(-5000);
}
}
}
/**
* Record bytes transferred for a connection
*/
public recordBytes(connectionId: string, bytesIn: number, bytesOut: number): void {
// Update global throughput tracker
this.throughputTracker.recordBytes(bytesIn, bytesOut);
// Update connection-specific tracker
const tracker = this.connectionByteTrackers.get(connectionId);
if (tracker) {
tracker.bytesIn += bytesIn;
tracker.bytesOut += bytesOut;
tracker.lastUpdate = Date.now();
// Update per-route throughput tracker
let routeTracker = this.routeThroughputTrackers.get(tracker.routeName);
if (!routeTracker) {
routeTracker = new ThroughputTracker(this.retentionSeconds);
this.routeThroughputTrackers.set(tracker.routeName, routeTracker);
}
routeTracker.recordBytes(bytesIn, bytesOut);
// Update per-IP throughput tracker
let ipTracker = this.ipThroughputTrackers.get(tracker.remoteIP);
if (!ipTracker) {
ipTracker = new ThroughputTracker(this.retentionSeconds);
this.ipThroughputTrackers.set(tracker.remoteIP, ipTracker);
}
ipTracker.recordBytes(bytesIn, bytesOut);
}
}
/**
* Clean up tracking for a closed connection
*/
public removeConnection(connectionId: string): void {
const tracker = this.connectionByteTrackers.get(connectionId);
if (tracker) {
// Calculate connection duration
const duration = Date.now() - tracker.startTime;
// Add to arrays for percentile calculations (bounded to prevent memory growth)
const MAX_SAMPLES = 5000;
this.connectionDurations.push(duration);
if (this.connectionDurations.length > MAX_SAMPLES) {
this.connectionDurations.shift();
}
this.bytesInArray.push(tracker.bytesIn);
if (this.bytesInArray.length > MAX_SAMPLES) {
this.bytesInArray.shift();
}
this.bytesOutArray.push(tracker.bytesOut);
if (this.bytesOutArray.length > MAX_SAMPLES) {
this.bytesOutArray.shift();
}
}
this.connectionByteTrackers.delete(connectionId);
}
/**
* Start the metrics collector
*/
public start(): void {
if (!this.smartProxy.routeConnectionHandler) {
throw new Error('MetricsCollector: RouteConnectionHandler not available');
}
// Start periodic sampling
this.samplingInterval = setInterval(() => {
// Sample global throughput
this.throughputTracker.takeSample();
// Sample per-route throughput
for (const [_, tracker] of this.routeThroughputTrackers) {
tracker.takeSample();
}
// Sample per-IP throughput
for (const [_, tracker] of this.ipThroughputTrackers) {
tracker.takeSample();
}
// Clean up old connection trackers (connections closed more than 5 minutes ago)
const cutoff = Date.now() - 300000;
for (const [id, tracker] of this.connectionByteTrackers) {
if (tracker.lastUpdate < cutoff) {
this.connectionByteTrackers.delete(id);
}
}
// Clean up unused route trackers
const activeRoutes = new Set(Array.from(this.connectionByteTrackers.values()).map(t => t.routeName));
for (const [route, _] of this.routeThroughputTrackers) {
if (!activeRoutes.has(route)) {
this.routeThroughputTrackers.delete(route);
}
}
// Clean up unused IP trackers
const activeIPs = new Set(Array.from(this.connectionByteTrackers.values()).map(t => t.remoteIP));
for (const [ip, _] of this.ipThroughputTrackers) {
if (!activeIPs.has(ip)) {
this.ipThroughputTrackers.delete(ip);
}
}
}, this.sampleIntervalMs);
// Unref the interval so it doesn't keep the process alive
if (this.samplingInterval.unref) {
this.samplingInterval.unref();
}
// Subscribe to new connections
this.connectionSubscription = this.smartProxy.routeConnectionHandler.newConnectionSubject.subscribe({
next: (record) => {
const routeName = record.routeConfig?.name || 'unknown';
this.recordRequest(record.id, routeName, record.remoteIP);
if (this.smartProxy.settings?.enableDetailedLogging) {
logger.log('debug', `MetricsCollector: New connection recorded`, {
connectionId: record.id,
remoteIP: record.remoteIP,
routeName,
component: 'metrics'
});
}
},
error: (err) => {
logger.log('error', `MetricsCollector: Error in connection subscription`, {
error: err.message,
component: 'metrics'
});
}
});
logger.log('debug', 'MetricsCollector started', { component: 'metrics' });
}
/**
* Stop the metrics collector
*/
public stop(): void {
if (this.samplingInterval) {
clearInterval(this.samplingInterval);
this.samplingInterval = undefined;
}
if (this.connectionSubscription) {
this.connectionSubscription.unsubscribe();
this.connectionSubscription = undefined;
}
logger.log('debug', 'MetricsCollector stopped', { component: 'metrics' });
}
/**
* Alias for stop() for compatibility
*/
public destroy(): void {
this.stop();
}
}

10
ts/proxies/smart-proxy/models/interfaces.ts
View File

@@ -99,10 +99,6 @@ export interface ISmartProxyOptions {
keepAliveInactivityMultiplier?: number; // Multiplier for inactivity timeout for keep-alive connections
extendedKeepAliveLifetime?: number; // Extended lifetime for keep-alive connections (ms)
// HttpProxy integration
useHttpProxy?: number[]; // Array of ports to forward to HttpProxy
httpProxyPort?: number; // Port where HttpProxy is listening (default: 8443)
// Metrics configuration
metrics?: {
enabled?: boolean;
@@ -139,6 +135,12 @@ export interface ISmartProxyOptions {
* Default: true
*/
certProvisionFallbackToAcme?: boolean;
/**
* Path to the RustProxy binary. If not set, the binary is located
* automatically via env var, platform package, local build, or PATH.
*/
rustBinaryPath?: string;
}
/**

271
ts/proxies/smart-proxy/nftables-manager.ts
View File

@@ -1,271 +0,0 @@
import * as plugins from '../../plugins.js';
import { NfTablesProxy } from '../nftables-proxy/nftables-proxy.js';
import type {
NfTableProxyOptions,
PortRange,
NfTablesStatus
} from '../nftables-proxy/models/interfaces.js';
import type {
IRouteConfig,
TPortRange,
INfTablesOptions
} from './models/route-types.js';
import type { SmartProxy } from './smart-proxy.js';
/**
* Manages NFTables rules based on SmartProxy route configurations
*
* This class bridges the gap between SmartProxy routes and the NFTablesProxy,
* allowing high-performance kernel-level packet forwarding for routes that
* specify NFTables as their forwarding engine.
*/
export class NFTablesManager {
private rulesMap: Map<string, NfTablesProxy> = new Map();
/**
* Creates a new NFTablesManager
*
* @param smartProxy The SmartProxy instance
*/
constructor(private smartProxy: SmartProxy) {}
/**
* Provision NFTables rules for a route
*
* @param route The route configuration
* @returns A promise that resolves to true if successful, false otherwise
*/
public async provisionRoute(route: IRouteConfig): Promise<boolean> {
// Generate a unique ID for this route
const routeId = this.generateRouteId(route);
// Skip if route doesn't use NFTables
if (route.action.forwardingEngine !== 'nftables') {
return true;
}
// Create NFTables options from route configuration
const nftOptions = this.createNfTablesOptions(route);
// Create and start an NFTablesProxy instance
const proxy = new NfTablesProxy(nftOptions);
try {
await proxy.start();
this.rulesMap.set(routeId, proxy);
return true;
} catch (err) {
console.error(`Failed to provision NFTables rules for route ${route.name || 'unnamed'}: ${err.message}`);
return false;
}
}
/**
* Remove NFTables rules for a route
*
* @param route The route configuration
* @returns A promise that resolves to true if successful, false otherwise
*/
public async deprovisionRoute(route: IRouteConfig): Promise<boolean> {
const routeId = this.generateRouteId(route);
const proxy = this.rulesMap.get(routeId);
if (!proxy) {
return true; // Nothing to remove
}
try {
await proxy.stop();
this.rulesMap.delete(routeId);
return true;
} catch (err) {
console.error(`Failed to deprovision NFTables rules for route ${route.name || 'unnamed'}: ${err.message}`);
return false;
}
}
/**
* Update NFTables rules when route changes
*
* @param oldRoute The previous route configuration
* @param newRoute The new route configuration
* @returns A promise that resolves to true if successful, false otherwise
*/
public async updateRoute(oldRoute: IRouteConfig, newRoute: IRouteConfig): Promise<boolean> {
// Remove old rules and add new ones
await this.deprovisionRoute(oldRoute);
return this.provisionRoute(newRoute);
}
/**
* Generate a unique ID for a route
*
* @param route The route configuration
* @returns A unique ID string
*/
private generateRouteId(route: IRouteConfig): string {
// Generate a unique ID based on route properties
// Include the route name, match criteria, and a timestamp
const matchStr = JSON.stringify({
ports: route.match.ports,
domains: route.match.domains
});
return `${route.name || 'unnamed'}-${matchStr}-${route.id || Date.now().toString()}`;
}
/**
* Create NFTablesProxy options from a route configuration
*
* @param route The route configuration
* @returns NFTableProxyOptions object
*/
private createNfTablesOptions(route: IRouteConfig): NfTableProxyOptions {
const { action } = route;
// Ensure we have targets
if (!action.targets || action.targets.length === 0) {
throw new Error('Route must have targets to use NFTables forwarding');
}
// NFTables can only handle a single target, so we use the first target without match criteria
// or the first target if all have match criteria
const defaultTarget = action.targets.find(t => !t.match) || action.targets[0];
// Convert port specifications
const fromPorts = this.expandPortRange(route.match.ports);
// Determine target port
let toPorts: number | PortRange | Array<number | PortRange>;
if (defaultTarget.port === 'preserve') {
// 'preserve' means use the same ports as the source
toPorts = fromPorts;
} else if (typeof defaultTarget.port === 'function') {
// For function-based ports, we can't determine at setup time
// Use the "preserve" approach and let NFTables handle it
toPorts = fromPorts;
} else {
toPorts = defaultTarget.port;
}
// Determine target host
let toHost: string;
if (typeof defaultTarget.host === 'function') {
// Can't determine at setup time, use localhost as a placeholder
// and rely on run-time handling
toHost = 'localhost';
} else if (Array.isArray(defaultTarget.host)) {
// Use first host for now - NFTables will do simple round-robin
toHost = defaultTarget.host[0];
} else {
toHost = defaultTarget.host;
}
// Create options
const options: NfTableProxyOptions = {
fromPort: fromPorts,
toPort: toPorts,
toHost: toHost,
protocol: action.nftables?.protocol || 'tcp',
preserveSourceIP: action.nftables?.preserveSourceIP !== undefined ?
action.nftables.preserveSourceIP :
this.smartProxy.settings.preserveSourceIP,
useIPSets: action.nftables?.useIPSets !== false,
useAdvancedNAT: action.nftables?.useAdvancedNAT,
enableLogging: this.smartProxy.settings.enableDetailedLogging,
deleteOnExit: true,
tableName: action.nftables?.tableName || 'smartproxy'
};
// Add security-related options
if (route.security?.ipAllowList?.length) {
options.ipAllowList = route.security.ipAllowList;
}
if (route.security?.ipBlockList?.length) {
options.ipBlockList = route.security.ipBlockList;
}
// Add QoS options
if (action.nftables?.maxRate || action.nftables?.priority) {
options.qos = {
enabled: true,
maxRate: action.nftables.maxRate,
priority: action.nftables.priority
};
}
return options;
}
/**
* Expand port range specifications
*
* @param ports The port range specification
* @returns Expanded port range
*/
private expandPortRange(ports: TPortRange): number | PortRange | Array<number | PortRange> {
// Process different port specifications
if (typeof ports === 'number') {
return ports;
} else if (Array.isArray(ports)) {
const result: Array<number | PortRange> = [];
for (const item of ports) {
if (typeof item === 'number') {
result.push(item);
} else if ('from' in item && 'to' in item) {
result.push({ from: item.from, to: item.to });
}
}
return result;
} else if (typeof ports === 'object' && ports !== null && 'from' in ports && 'to' in ports) {
return { from: (ports as any).from, to: (ports as any).to };
}
// Fallback to port 80 if something went wrong
console.warn('Invalid port range specification, using port 80 as fallback');
return 80;
}
/**
* Get status of all managed rules
*
* @returns A promise that resolves to a record of NFTables status objects
*/
public async getStatus(): Promise<Record<string, NfTablesStatus>> {
const result: Record<string, NfTablesStatus> = {};
for (const [routeId, proxy] of this.rulesMap.entries()) {
result[routeId] = await proxy.getStatus();
}
return result;
}
/**
* Check if a route is currently provisioned
*
* @param route The route configuration
* @returns True if the route is provisioned, false otherwise
*/
public isRouteProvisioned(route: IRouteConfig): boolean {
const routeId = this.generateRouteId(route);
return this.rulesMap.has(routeId);
}
/**
* Stop all NFTables rules
*
* @returns A promise that resolves when all rules have been stopped
*/
public async stop(): Promise<void> {
// Stop all NFTables proxies
const stopPromises = Array.from(this.rulesMap.values()).map(proxy => proxy.stop());
await Promise.all(stopPromises);
this.rulesMap.clear();
}
}

358
ts/proxies/smart-proxy/port-manager.ts
View File

@@ -1,358 +0,0 @@
import * as plugins from '../../plugins.js';
import { logger } from '../../core/utils/logger.js';
import { cleanupSocket } from '../../core/utils/socket-utils.js';
import type { SmartProxy } from './smart-proxy.js';
/**
* PortManager handles the dynamic creation and removal of port listeners
*
* This class provides methods to add and remove listening ports at runtime,
* allowing SmartProxy to adapt to configuration changes without requiring
* a full restart.
*
* It includes a reference counting system to track how many routes are using
* each port, so ports can be automatically released when they are no longer needed.
*/
export class PortManager {
private servers: Map<number, plugins.net.Server> = new Map();
private isShuttingDown: boolean = false;
// Track how many routes are using each port
private portRefCounts: Map<number, number> = new Map();
/**
* Create a new PortManager
*
* @param smartProxy The SmartProxy instance
*/
constructor(
private smartProxy: SmartProxy
) {}
/**
* Start listening on a specific port
*
* @param port The port number to listen on
* @returns Promise that resolves when the server is listening or rejects on error
*/
public async addPort(port: number): Promise<void> {
// Check if we're already listening on this port
if (this.servers.has(port)) {
// Port is already bound, just increment the reference count
this.incrementPortRefCount(port);
try {
logger.log('debug', `PortManager: Port ${port} is already bound by SmartProxy, reusing binding`, {
port,
component: 'port-manager'
});
} catch (e) {
console.log(`[DEBUG] PortManager: Port ${port} is already bound by SmartProxy, reusing binding`);
}
return;
}
// Initialize reference count for new port
this.portRefCounts.set(port, 1);
// Create a server for this port
const server = plugins.net.createServer((socket) => {
// Check if shutting down
if (this.isShuttingDown) {
cleanupSocket(socket, 'port-manager-shutdown', { immediate: true });
return;
}
// Delegate to route connection handler
this.smartProxy.routeConnectionHandler.handleConnection(socket);
}).on('error', (err: Error) => {
try {
logger.log('error', `Server Error on port ${port}: ${err.message}`, {
port,
error: err.message,
component: 'port-manager'
});
} catch (e) {
console.error(`[ERROR] Server Error on port ${port}: ${err.message}`);
}
});
// Start listening on the port
return new Promise<void>((resolve, reject) => {
server.listen(port, () => {
const isHttpProxyPort = this.smartProxy.settings.useHttpProxy?.includes(port);
try {
logger.log('info', `SmartProxy -> OK: Now listening on port ${port}${
isHttpProxyPort ? ' (HttpProxy forwarding enabled)' : ''
}`, {
port,
isHttpProxyPort: !!isHttpProxyPort,
component: 'port-manager'
});
} catch (e) {
console.log(`[INFO] SmartProxy -> OK: Now listening on port ${port}${
isHttpProxyPort ? ' (HttpProxy forwarding enabled)' : ''
}`);
}
// Store the server reference
this.servers.set(port, server);
resolve();
}).on('error', (err) => {
// Check if this is an external conflict
const { isConflict, isExternal } = this.isPortConflict(err);
if (isConflict && !isExternal) {
// This is an internal conflict (port already bound by SmartProxy)
// This shouldn't normally happen because we check servers.has(port) above
logger.log('warn', `Port ${port} binding conflict: already in use by SmartProxy`, {
port,
component: 'port-manager'
});
// Still increment reference count to maintain tracking
this.incrementPortRefCount(port);
resolve();
return;
}
// Log the error and propagate it
logger.log('error', `Failed to listen on port ${port}: ${err.message}`, {
port,
error: err.message,
code: (err as any).code,
component: 'port-manager'
});
// Clean up reference count since binding failed
this.portRefCounts.delete(port);
reject(err);
});
});
}
/**
* Stop listening on a specific port
*
* @param port The port to stop listening on
* @returns Promise that resolves when the server is closed
*/
public async removePort(port: number): Promise<void> {
// Decrement the reference count first
const newRefCount = this.decrementPortRefCount(port);
// If there are still references to this port, keep it open
if (newRefCount > 0) {
logger.log('debug', `PortManager: Port ${port} still has ${newRefCount} references, keeping open`, {
port,
refCount: newRefCount,
component: 'port-manager'
});
return;
}
// Get the server for this port
const server = this.servers.get(port);
if (!server) {
logger.log('warn', `PortManager: Not listening on port ${port}`, {
port,
component: 'port-manager'
});
// Ensure reference count is reset
this.portRefCounts.delete(port);
return;
}
// Close the server
return new Promise<void>((resolve) => {
server.close((err) => {
if (err) {
logger.log('error', `Error closing server on port ${port}: ${err.message}`, {
port,
error: err.message,
component: 'port-manager'
});
} else {
logger.log('info', `SmartProxy -> Stopped listening on port ${port}`, {
port,
component: 'port-manager'
});
}
// Remove the server reference and clean up reference counting
this.servers.delete(port);
this.portRefCounts.delete(port);
resolve();
});
});
}
/**
* Add multiple ports at once
*
* @param ports Array of ports to add
* @returns Promise that resolves when all servers are listening
*/
public async addPorts(ports: number[]): Promise<void> {
const uniquePorts = [...new Set(ports)];
await Promise.all(uniquePorts.map(port => this.addPort(port)));
}
/**
* Remove multiple ports at once
*
* @param ports Array of ports to remove
* @returns Promise that resolves when all servers are closed
*/
public async removePorts(ports: number[]): Promise<void> {
const uniquePorts = [...new Set(ports)];
await Promise.all(uniquePorts.map(port => this.removePort(port)));
}
/**
* Update listening ports to match the provided list
*
* This will add any ports that aren't currently listening,
* and remove any ports that are no longer needed.
*
* @param ports Array of ports that should be listening
* @returns Promise that resolves when all operations are complete
*/
public async updatePorts(ports: number[]): Promise<void> {
const targetPorts = new Set(ports);
const currentPorts = new Set(this.servers.keys());
// Find ports to add and remove
const portsToAdd = ports.filter(port => !currentPorts.has(port));
const portsToRemove = Array.from(currentPorts).filter(port => !targetPorts.has(port));
// Log the changes
if (portsToAdd.length > 0) {
console.log(`PortManager: Adding new listeners for ports: ${portsToAdd.join(', ')}`);
}
if (portsToRemove.length > 0) {
console.log(`PortManager: Removing listeners for ports: ${portsToRemove.join(', ')}`);
}
// Add and remove ports
await this.removePorts(portsToRemove);
await this.addPorts(portsToAdd);
}
/**
* Get all ports that are currently listening
*
* @returns Array of port numbers
*/
public getListeningPorts(): number[] {
return Array.from(this.servers.keys());
}
/**
* Mark the port manager as shutting down
*/
public setShuttingDown(isShuttingDown: boolean): void {
this.isShuttingDown = isShuttingDown;
}
/**
* Close all listening servers
*
* @returns Promise that resolves when all servers are closed
*/
public async closeAll(): Promise<void> {
const allPorts = Array.from(this.servers.keys());
await this.removePorts(allPorts);
}
/**
* Get all server instances (for testing or debugging)
*/
public getServers(): Map<number, plugins.net.Server> {
return new Map(this.servers);
}
/**
* Check if a port is bound by this SmartProxy instance
*
* @param port The port number to check
* @returns True if the port is currently bound by SmartProxy
*/
public isPortBoundBySmartProxy(port: number): boolean {
return this.servers.has(port);
}
/**
* Get the current reference count for a port
*
* @param port The port number to check
* @returns The number of routes using this port, 0 if none
*/
public getPortRefCount(port: number): number {
return this.portRefCounts.get(port) || 0;
}
/**
* Increment the reference count for a port
*
* @param port The port number to increment
* @returns The new reference count
*/
public incrementPortRefCount(port: number): number {
const currentCount = this.portRefCounts.get(port) || 0;
const newCount = currentCount + 1;
this.portRefCounts.set(port, newCount);
logger.log('debug', `Port ${port} reference count increased to ${newCount}`, {
port,
refCount: newCount,
component: 'port-manager'
});
return newCount;
}
/**
* Decrement the reference count for a port
*
* @param port The port number to decrement
* @returns The new reference count
*/
public decrementPortRefCount(port: number): number {
const currentCount = this.portRefCounts.get(port) || 0;
if (currentCount <= 0) {
logger.log('warn', `Attempted to decrement reference count for port ${port} below zero`, {
port,
component: 'port-manager'
});
return 0;
}
const newCount = currentCount - 1;
this.portRefCounts.set(port, newCount);
logger.log('debug', `Port ${port} reference count decreased to ${newCount}`, {
port,
refCount: newCount,
component: 'port-manager'
});
return newCount;
}
/**
* Determine if a port binding error is due to an external or internal conflict
*
* @param error The error object from a failed port binding
* @returns Object indicating if this is a conflict and if it's external
*/
private isPortConflict(error: any): { isConflict: boolean; isExternal: boolean } {
if (error.code !== 'EADDRINUSE') {
return { isConflict: false, isExternal: false };
}
// Check if we already have this port
const isBoundInternally = this.servers.has(Number(error.port));
return { isConflict: true, isExternal: !isBoundInternally };
}
}

1712
ts/proxies/smart-proxy/route-connection-handler.ts
View File

File diff suppressed because it is too large Load Diff

297
ts/proxies/smart-proxy/route-orchestrator.ts
View File

@@ -1,297 +0,0 @@
import { logger } from '../../core/utils/logger.js';
import type { IRouteConfig } from './models/route-types.js';
import type { ILogger } from '../http-proxy/models/types.js';
import { RouteValidator } from './utils/route-validator.js';
import { Mutex } from './utils/mutex.js';
import type { PortManager } from './port-manager.js';
import type { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
import type { HttpProxyBridge } from './http-proxy-bridge.js';
import type { NFTablesManager } from './nftables-manager.js';
import type { SmartCertManager } from './certificate-manager.js';
/**
* Orchestrates route updates and coordination between components
* Extracted from SmartProxy to reduce class complexity
*/
export class RouteOrchestrator {
private routeUpdateLock: Mutex;
private portManager: PortManager;
private routeManager: RouteManager;
private httpProxyBridge: HttpProxyBridge;
private nftablesManager: NFTablesManager;
private certManager: SmartCertManager | null = null;
private logger: ILogger;
constructor(
portManager: PortManager,
routeManager: RouteManager,
httpProxyBridge: HttpProxyBridge,
nftablesManager: NFTablesManager,
certManager: SmartCertManager | null,
logger: ILogger
) {
this.portManager = portManager;
this.routeManager = routeManager;
this.httpProxyBridge = httpProxyBridge;
this.nftablesManager = nftablesManager;
this.certManager = certManager;
this.logger = logger;
this.routeUpdateLock = new Mutex();
}
/**
* Set or update certificate manager reference
*/
public setCertManager(certManager: SmartCertManager | null): void {
this.certManager = certManager;
}
/**
* Get certificate manager reference
*/
public getCertManager(): SmartCertManager | null {
return this.certManager;
}
/**
* Update routes with validation and coordination
*/
public async updateRoutes(
oldRoutes: IRouteConfig[],
newRoutes: IRouteConfig[],
options: {
acmePort?: number;
acmeOptions?: any;
acmeState?: any;
globalChallengeRouteActive?: boolean;
createCertificateManager?: (
routes: IRouteConfig[],
certStore: string,
acmeOptions?: any,
initialState?: any
) => Promise<SmartCertManager>;
verifyChallengeRouteRemoved?: () => Promise<void>;
} = {}
): Promise<{
portUsageMap: Map<number, Set<string>>;
newChallengeRouteActive: boolean;
newCertManager?: SmartCertManager;
}> {
return this.routeUpdateLock.runExclusive(async () => {
// Validate route configurations
const validation = RouteValidator.validateRoutes(newRoutes);
if (!validation.valid) {
RouteValidator.logValidationErrors(validation.errors);
throw new Error(`Route validation failed: ${validation.errors.size} route(s) have errors`);
}
// Track port usage before and after updates
const oldPortUsage = this.updatePortUsageMap(oldRoutes);
const newPortUsage = this.updatePortUsageMap(newRoutes);
// Get the lists of currently listening ports and new ports needed
const currentPorts = new Set(this.portManager.getListeningPorts());
const newPortsSet = new Set(newPortUsage.keys());
// Log the port usage for debugging
this.logger.debug(`Current listening ports: ${Array.from(currentPorts).join(', ')}`);
this.logger.debug(`Ports needed for new routes: ${Array.from(newPortsSet).join(', ')}`);
// Find orphaned ports - ports that no longer have any routes
const orphanedPorts = this.findOrphanedPorts(oldPortUsage, newPortUsage);
// Find new ports that need binding (only ports that we aren't already listening on)
const newBindingPorts = Array.from(newPortsSet).filter(p => !currentPorts.has(p));
// Check for ACME challenge port to give it special handling
const acmePort = options.acmePort || 80;
const acmePortNeeded = newPortsSet.has(acmePort);
const acmePortListed = newBindingPorts.includes(acmePort);
if (acmePortNeeded && acmePortListed) {
this.logger.info(`Adding ACME challenge port ${acmePort} to routes`);
}
// Update NFTables routes
await this.updateNfTablesRoutes(oldRoutes, newRoutes);
// Update routes in RouteManager
this.routeManager.updateRoutes(newRoutes);
// Release orphaned ports first to free resources
if (orphanedPorts.length > 0) {
this.logger.info(`Releasing ${orphanedPorts.length} orphaned ports: ${orphanedPorts.join(', ')}`);
await this.portManager.removePorts(orphanedPorts);
}
// Add new ports if needed
if (newBindingPorts.length > 0) {
this.logger.info(`Binding to ${newBindingPorts.length} new ports: ${newBindingPorts.join(', ')}`);
// Handle port binding with improved error recovery
try {
await this.portManager.addPorts(newBindingPorts);
} catch (error) {
// Special handling for port binding errors
if ((error as any).code === 'EADDRINUSE') {
const port = (error as any).port || newBindingPorts[0];
const isAcmePort = port === acmePort;
if (isAcmePort) {
this.logger.warn(`Could not bind to ACME challenge port ${port}. It may be in use by another application.`);
// Re-throw with more helpful message
throw new Error(
`ACME challenge port ${port} is already in use by another application. ` +
`Configure a different port in settings.acme.port (e.g., 8080) or free up port ${port}.`
);
}
}
// Re-throw the original error for other cases
throw error;
}
}
// If HttpProxy is initialized, resync the configurations
if (this.httpProxyBridge.getHttpProxy()) {
await this.httpProxyBridge.syncRoutesToHttpProxy(newRoutes);
}
// Update certificate manager if needed
let newCertManager: SmartCertManager | undefined;
let newChallengeRouteActive = options.globalChallengeRouteActive || false;
if (this.certManager && options.createCertificateManager) {
const existingAcmeOptions = this.certManager.getAcmeOptions();
const existingState = this.certManager.getState();
// Store global state before stopping
newChallengeRouteActive = existingState.challengeRouteActive;
// Keep certificate manager routes in sync before stopping
this.certManager.setRoutes(newRoutes);
await this.certManager.stop();
// Verify the challenge route has been properly removed
if (options.verifyChallengeRouteRemoved) {
await options.verifyChallengeRouteRemoved();
}
// Create new certificate manager with preserved state
newCertManager = await options.createCertificateManager(
newRoutes,
'./certs',
existingAcmeOptions,
{ challengeRouteActive: newChallengeRouteActive }
);
this.certManager = newCertManager;
}
return {
portUsageMap: newPortUsage,
newChallengeRouteActive,
newCertManager
};
});
}
/**
* Update port usage map based on the provided routes
*/
public updatePortUsageMap(routes: IRouteConfig[]): Map<number, Set<string>> {
const portUsage = new Map<number, Set<string>>();
for (const route of routes) {
// Get the ports for this route
const portsConfig = Array.isArray(route.match.ports)
? route.match.ports
: [route.match.ports];
// Expand port range objects to individual port numbers
const expandedPorts: number[] = [];
for (const portConfig of portsConfig) {
if (typeof portConfig === 'number') {
expandedPorts.push(portConfig);
} else if (typeof portConfig === 'object' && 'from' in portConfig && 'to' in portConfig) {
// Expand the port range
for (let p = portConfig.from; p <= portConfig.to; p++) {
expandedPorts.push(p);
}
}
}
// Use route name if available, otherwise generate a unique ID
const routeName = route.name || `unnamed_${Math.random().toString(36).substring(2, 9)}`;
// Add each port to the usage map
for (const port of expandedPorts) {
if (!portUsage.has(port)) {
portUsage.set(port, new Set());
}
portUsage.get(port)!.add(routeName);
}
}
// Log port usage for debugging
for (const [port, routes] of portUsage.entries()) {
this.logger.debug(`Port ${port} is used by ${routes.size} routes: ${Array.from(routes).join(', ')}`);
}
return portUsage;
}
/**
* Find ports that have no routes in the new configuration
*/
private findOrphanedPorts(oldUsage: Map<number, Set<string>>, newUsage: Map<number, Set<string>>): number[] {
const orphanedPorts: number[] = [];
for (const [port, routes] of oldUsage.entries()) {
if (!newUsage.has(port) || newUsage.get(port)!.size === 0) {
orphanedPorts.push(port);
}
}
return orphanedPorts;
}
/**
* Update NFTables routes
*/
private async updateNfTablesRoutes(oldRoutes: IRouteConfig[], newRoutes: IRouteConfig[]): Promise<void> {
// Get existing routes that use NFTables and update them
const oldNfTablesRoutes = oldRoutes.filter(
r => r.action.forwardingEngine === 'nftables'
);
const newNfTablesRoutes = newRoutes.filter(
r => r.action.forwardingEngine === 'nftables'
);
// Update existing NFTables routes
for (const oldRoute of oldNfTablesRoutes) {
const newRoute = newNfTablesRoutes.find(r => r.name === oldRoute.name);
if (!newRoute) {
// Route was removed
await this.nftablesManager.deprovisionRoute(oldRoute);
} else {
// Route was updated
await this.nftablesManager.updateRoute(oldRoute, newRoute);
}
}
// Add new NFTables routes
for (const newRoute of newNfTablesRoutes) {
const oldRoute = oldNfTablesRoutes.find(r => r.name === newRoute.name);
if (!oldRoute) {
// New route
await this.nftablesManager.provisionRoute(newRoute);
}
}
}
}

122
ts/proxies/smart-proxy/route-preprocessor.ts Normal file
View File

@@ -0,0 +1,122 @@
import type { IRouteConfig, IRouteAction, IRouteTarget } from './models/route-types.js';
import { logger } from '../../core/utils/logger.js';
/**
* Preprocesses routes before sending them to Rust.
*
* Strips non-serializable fields (functions, callbacks) and classifies
* routes that must be handled by TypeScript (socket-handler, dynamic host/port).
*/
export class RoutePreprocessor {
/**
* Map of route name/id → original route config (with JS functions preserved).
* Used by the socket handler server to look up the original handler.
*/
private originalRoutes = new Map<string, IRouteConfig>();
/**
* Preprocess routes for the Rust binary.
*
* - Routes with `socketHandler` callbacks are marked as socket-handler type
* (Rust will relay these back to TS)
* - Routes with dynamic `host`/`port` functions are converted to socket-handler
* type (Rust relays, TS resolves the function)
* - Non-serializable fields are stripped
* - Original routes are preserved in the local map for handler lookup
*/
public preprocessForRust(routes: IRouteConfig[]): IRouteConfig[] {
this.originalRoutes.clear();
return routes.map((route, index) => this.preprocessRoute(route, index));
}
/**
* Get the original route config (with JS functions) by route name or id.
*/
public getOriginalRoute(routeKey: string): IRouteConfig | undefined {
return this.originalRoutes.get(routeKey);
}
/**
* Get all original routes that have socket handlers or dynamic functions.
*/
public getHandlerRoutes(): Map<string, IRouteConfig> {
return new Map(this.originalRoutes);
}
private preprocessRoute(route: IRouteConfig, index: number): IRouteConfig {
const routeKey = route.name || route.id || `route_${index}`;
// Check if this route needs TS-side handling
const needsTsHandling = this.routeNeedsTsHandling(route);
if (needsTsHandling) {
// Store the original route for handler lookup
this.originalRoutes.set(routeKey, route);
}
// Create a clean copy for Rust
const cleanRoute: IRouteConfig = {
...route,
action: this.cleanAction(route.action, routeKey, needsTsHandling),
};
// Ensure we have a name for handler lookup
if (!cleanRoute.name && !cleanRoute.id) {
cleanRoute.name = routeKey;
}
return cleanRoute;
}
private routeNeedsTsHandling(route: IRouteConfig): boolean {
// Socket handler routes always need TS
if (route.action.type === 'socket-handler' && route.action.socketHandler) {
return true;
}
// Routes with dynamic host/port functions need TS
if (route.action.targets) {
for (const target of route.action.targets) {
if (typeof target.host === 'function' || typeof target.port === 'function') {
return true;
}
}
}
return false;
}
private cleanAction(action: IRouteAction, routeKey: string, needsTsHandling: boolean): IRouteAction {
const cleanAction: IRouteAction = { ...action };
if (needsTsHandling) {
// Convert to socket-handler type for Rust (Rust will relay back to TS)
cleanAction.type = 'socket-handler';
// Remove the JS handler (not serializable)
delete (cleanAction as any).socketHandler;
}
// Clean targets - replace functions with static values
if (cleanAction.targets) {
cleanAction.targets = cleanAction.targets.map(t => this.cleanTarget(t));
}
return cleanAction;
}
private cleanTarget(target: IRouteTarget): IRouteTarget {
const clean: IRouteTarget = { ...target };
// Replace function host with placeholder
if (typeof clean.host === 'function') {
clean.host = 'localhost';
}
// Replace function port with placeholder
if (typeof clean.port === 'function') {
clean.port = 0;
}
return clean;
}
}

112
ts/proxies/smart-proxy/rust-binary-locator.ts Normal file
View File

@@ -0,0 +1,112 @@
import * as plugins from '../../plugins.js';
import { logger } from '../../core/utils/logger.js';
/**
* Locates the RustProxy binary using a priority-ordered search strategy:
* 1. SMARTPROXY_RUST_BINARY environment variable
* 2. Platform-specific optional npm package
* 3. Local development build at ./rust/target/release/rustproxy
* 4. System PATH
*/
export class RustBinaryLocator {
private cachedPath: string | null = null;
/**
* Find the RustProxy binary path.
* Returns null if no binary is available.
*/
public async findBinary(): Promise<string | null> {
if (this.cachedPath !== null) {
return this.cachedPath;
}
const path = await this.searchBinary();
this.cachedPath = path;
return path;
}
/**
* Clear the cached binary path (e.g., after a failed launch).
*/
public clearCache(): void {
this.cachedPath = null;
}
private async searchBinary(): Promise<string | null> {
// 1. Environment variable override
const envPath = process.env.SMARTPROXY_RUST_BINARY;
if (envPath) {
if (await this.isExecutable(envPath)) {
logger.log('info', `RustProxy binary found via SMARTPROXY_RUST_BINARY: ${envPath}`, { component: 'rust-locator' });
return envPath;
}
logger.log('warn', `SMARTPROXY_RUST_BINARY set but not executable: ${envPath}`, { component: 'rust-locator' });
}
// 2. Platform-specific optional npm package
const platformBinary = await this.findPlatformPackageBinary();
if (platformBinary) {
logger.log('info', `RustProxy binary found in platform package: ${platformBinary}`, { component: 'rust-locator' });
return platformBinary;
}
// 3. Local development build
const localPaths = [
plugins.path.resolve(process.cwd(), 'rust/target/release/rustproxy'),
plugins.path.resolve(process.cwd(), 'rust/target/debug/rustproxy'),
];
for (const localPath of localPaths) {
if (await this.isExecutable(localPath)) {
logger.log('info', `RustProxy binary found at local path: ${localPath}`, { component: 'rust-locator' });
return localPath;
}
}
// 4. System PATH
const systemPath = await this.findInPath('rustproxy');
if (systemPath) {
logger.log('info', `RustProxy binary found in system PATH: ${systemPath}`, { component: 'rust-locator' });
return systemPath;
}
logger.log('error', 'No RustProxy binary found. Set SMARTPROXY_RUST_BINARY, install the platform package, or build with: cd rust && cargo build --release', { component: 'rust-locator' });
return null;
}
private async findPlatformPackageBinary(): Promise<string | null> {
const platform = process.platform;
const arch = process.arch;
const packageName = `@push.rocks/smartproxy-${platform}-${arch}`;
try {
// Try to resolve the platform-specific package
const packagePath = require.resolve(`${packageName}/rustproxy`);
if (await this.isExecutable(packagePath)) {
return packagePath;
}
} catch {
// Package not installed - expected for development
}
return null;
}
private async isExecutable(filePath: string): Promise<boolean> {
try {
await plugins.fs.promises.access(filePath, plugins.fs.constants.X_OK);
return true;
} catch {
return false;
}
}
private async findInPath(binaryName: string): Promise<string | null> {
const pathDirs = (process.env.PATH || '').split(plugins.path.delimiter);
for (const dir of pathDirs) {
const fullPath = plugins.path.join(dir, binaryName);
if (await this.isExecutable(fullPath)) {
return fullPath;
}
}
return null;
}
}

136
ts/proxies/smart-proxy/rust-metrics-adapter.ts Normal file
View File

@@ -0,0 +1,136 @@
import type { IMetrics, IThroughputData, IThroughputHistoryPoint } from './models/metrics-types.js';
import type { RustProxyBridge } from './rust-proxy-bridge.js';
/**
* Adapts Rust JSON metrics to the IMetrics interface.
*
* Polls the Rust binary periodically via the bridge and caches the result.
* All IMetrics getters read from the cache synchronously.
* Fields not yet in Rust (percentiles, per-IP, history) return zero/empty.
*/
export class RustMetricsAdapter implements IMetrics {
private bridge: RustProxyBridge;
private cache: any = null;
private pollTimer: ReturnType<typeof setInterval> | null = null;
private pollIntervalMs: number;
// Cumulative totals tracked across polls
private cumulativeBytesIn = 0;
private cumulativeBytesOut = 0;
private cumulativeConnections = 0;
constructor(bridge: RustProxyBridge, pollIntervalMs = 1000) {
this.bridge = bridge;
this.pollIntervalMs = pollIntervalMs;
}
public startPolling(): void {
if (this.pollTimer) return;
this.pollTimer = setInterval(async () => {
try {
this.cache = await this.bridge.getMetrics();
// Update cumulative totals
if (this.cache) {
this.cumulativeBytesIn = this.cache.totalBytesIn ?? this.cache.total_bytes_in ?? 0;
this.cumulativeBytesOut = this.cache.totalBytesOut ?? this.cache.total_bytes_out ?? 0;
this.cumulativeConnections = this.cache.totalConnections ?? this.cache.total_connections ?? 0;
}
} catch {
// Ignore poll errors (bridge may be shutting down)
}
}, this.pollIntervalMs);
if (this.pollTimer.unref) {
this.pollTimer.unref();
}
}
public stopPolling(): void {
if (this.pollTimer) {
clearInterval(this.pollTimer);
this.pollTimer = null;
}
}
// --- IMetrics implementation ---
public connections = {
active: (): number => {
return this.cache?.activeConnections ?? this.cache?.active_connections ?? 0;
},
total: (): number => {
return this.cumulativeConnections;
},
byRoute: (): Map<string, number> => {
return new Map();
},
byIP: (): Map<string, number> => {
return new Map();
},
topIPs: (_limit?: number): Array<{ ip: string; count: number }> => {
return [];
},
};
public throughput = {
instant: (): IThroughputData => {
return { in: this.cache?.bytesInPerSecond ?? 0, out: this.cache?.bytesOutPerSecond ?? 0 };
},
recent: (): IThroughputData => {
return this.throughput.instant();
},
average: (): IThroughputData => {
return this.throughput.instant();
},
custom: (_seconds: number): IThroughputData => {
return this.throughput.instant();
},
history: (_seconds: number): Array<IThroughputHistoryPoint> => {
return [];
},
byRoute: (_windowSeconds?: number): Map<string, IThroughputData> => {
return new Map();
},
byIP: (_windowSeconds?: number): Map<string, IThroughputData> => {
return new Map();
},
};
public requests = {
perSecond: (): number => {
return this.cache?.requestsPerSecond ?? 0;
},
perMinute: (): number => {
return (this.cache?.requestsPerSecond ?? 0) * 60;
},
total: (): number => {
return this.cache?.totalRequests ?? this.cache?.total_requests ?? 0;
},
};
public totals = {
bytesIn: (): number => {
return this.cumulativeBytesIn;
},
bytesOut: (): number => {
return this.cumulativeBytesOut;
},
connections: (): number => {
return this.cumulativeConnections;
},
};
public percentiles = {
connectionDuration: (): { p50: number; p95: number; p99: number } => {
return { p50: 0, p95: 0, p99: 0 };
},
bytesTransferred: (): {
in: { p50: number; p95: number; p99: number };
out: { p50: number; p95: number; p99: number };
} => {
return {
in: { p50: 0, p95: 0, p99: 0 },
out: { p50: 0, p95: 0, p99: 0 },
};
},
};
}

278
ts/proxies/smart-proxy/rust-proxy-bridge.ts Normal file
View File

@@ -0,0 +1,278 @@
import * as plugins from '../../plugins.js';
import { logger } from '../../core/utils/logger.js';
import { RustBinaryLocator } from './rust-binary-locator.js';
import type { IRouteConfig } from './models/route-types.js';
import { ChildProcess, spawn } from 'child_process';
import { createInterface, Interface as ReadlineInterface } from 'readline';
/**
* Management request sent to the Rust binary via stdin.
*/
interface IManagementRequest {
id: string;
method: string;
params: Record<string, any>;
}
/**
* Management response received from the Rust binary via stdout.
*/
interface IManagementResponse {
id: string;
success: boolean;
result?: any;
error?: string;
}
/**
* Management event received from the Rust binary (unsolicited).
*/
interface IManagementEvent {
event: string;
data: any;
}
/**
* Bridge between TypeScript SmartProxy and the Rust binary.
* Communicates via JSON-over-stdin/stdout IPC protocol.
*/
export class RustProxyBridge extends plugins.EventEmitter {
private locator = new RustBinaryLocator();
private process: ChildProcess | null = null;
private readline: ReadlineInterface | null = null;
private pendingRequests = new Map<string, {
resolve: (value: any) => void;
reject: (error: Error) => void;
timer: NodeJS.Timeout;
}>();
private requestCounter = 0;
private isRunning = false;
private binaryPath: string | null = null;
private readonly requestTimeoutMs = 30000;
/**
* Spawn the Rust binary in management mode.
* Returns true if the binary was found and spawned successfully.
*/
public async spawn(): Promise<boolean> {
this.binaryPath = await this.locator.findBinary();
if (!this.binaryPath) {
return false;
}
return new Promise<boolean>((resolve) => {
try {
this.process = spawn(this.binaryPath!, ['--management'], {
stdio: ['pipe', 'pipe', 'pipe'],
env: { ...process.env },
});
// Handle stderr (logging from Rust goes here)
this.process.stderr?.on('data', (data: Buffer) => {
const lines = data.toString().split('\n').filter(l => l.trim());
for (const line of lines) {
logger.log('debug', `[rustproxy] ${line}`, { component: 'rust-bridge' });
}
});
// Handle stdout (JSON IPC)
this.readline = createInterface({ input: this.process.stdout! });
this.readline.on('line', (line: string) => {
this.handleLine(line.trim());
});
// Handle process exit
this.process.on('exit', (code, signal) => {
logger.log('info', `RustProxy process exited (code=${code}, signal=${signal})`, { component: 'rust-bridge' });
this.cleanup();
this.emit('exit', code, signal);
});
this.process.on('error', (err) => {
logger.log('error', `RustProxy process error: ${err.message}`, { component: 'rust-bridge' });
this.cleanup();
resolve(false);
});
// Wait for the 'ready' event from Rust
const readyTimeout = setTimeout(() => {
logger.log('error', 'RustProxy did not send ready event within 10s', { component: 'rust-bridge' });
this.kill();
resolve(false);
}, 10000);
this.once('management:ready', () => {
clearTimeout(readyTimeout);
this.isRunning = true;
logger.log('info', 'RustProxy bridge connected', { component: 'rust-bridge' });
resolve(true);
});
} catch (err: any) {
logger.log('error', `Failed to spawn RustProxy: ${err.message}`, { component: 'rust-bridge' });
resolve(false);
}
});
}
/**
* Send a management command to the Rust process and wait for the response.
*/
public async sendCommand(method: string, params: Record<string, any> = {}): Promise<any> {
if (!this.process || !this.isRunning) {
throw new Error('RustProxy bridge is not running');
}
const id = `req_${++this.requestCounter}`;
const request: IManagementRequest = { id, method, params };
return new Promise<any>((resolve, reject) => {
const timer = setTimeout(() => {
this.pendingRequests.delete(id);
reject(new Error(`RustProxy command '${method}' timed out after ${this.requestTimeoutMs}ms`));
}, this.requestTimeoutMs);
this.pendingRequests.set(id, { resolve, reject, timer });
const json = JSON.stringify(request) + '\n';
this.process!.stdin!.write(json, (err) => {
if (err) {
clearTimeout(timer);
this.pendingRequests.delete(id);
reject(new Error(`Failed to write to RustProxy stdin: ${err.message}`));
}
});
});
}
// Convenience methods for each management command
public async startProxy(config: any): Promise<void> {
await this.sendCommand('start', { config });
}
public async stopProxy(): Promise<void> {
await this.sendCommand('stop');
}
public async updateRoutes(routes: IRouteConfig[]): Promise<void> {
await this.sendCommand('updateRoutes', { routes });
}
public async getMetrics(): Promise<any> {
return this.sendCommand('getMetrics');
}
public async getStatistics(): Promise<any> {
return this.sendCommand('getStatistics');
}
public async provisionCertificate(routeName: string): Promise<void> {
await this.sendCommand('provisionCertificate', { routeName });
}
public async renewCertificate(routeName: string): Promise<void> {
await this.sendCommand('renewCertificate', { routeName });
}
public async getCertificateStatus(routeName: string): Promise<any> {
return this.sendCommand('getCertificateStatus', { routeName });
}
public async getListeningPorts(): Promise<number[]> {
const result = await this.sendCommand('getListeningPorts');
return result?.ports ?? [];
}
public async getNftablesStatus(): Promise<any> {
return this.sendCommand('getNftablesStatus');
}
public async setSocketHandlerRelay(socketPath: string): Promise<void> {
await this.sendCommand('setSocketHandlerRelay', { socketPath });
}
public async addListeningPort(port: number): Promise<void> {
await this.sendCommand('addListeningPort', { port });
}
public async removeListeningPort(port: number): Promise<void> {
await this.sendCommand('removeListeningPort', { port });
}
public async loadCertificate(domain: string, cert: string, key: string, ca?: string): Promise<void> {
await this.sendCommand('loadCertificate', { domain, cert, key, ca });
}
/**
* Kill the Rust process.
*/
public kill(): void {
if (this.process) {
this.process.kill('SIGTERM');
// Force kill after 5 seconds
setTimeout(() => {
if (this.process) {
this.process.kill('SIGKILL');
}
}, 5000).unref();
}
}
/**
* Whether the bridge is currently running.
*/
public get running(): boolean {
return this.isRunning;
}
private handleLine(line: string): void {
if (!line) return;
let parsed: any;
try {
parsed = JSON.parse(line);
} catch {
logger.log('warn', `Non-JSON output from RustProxy: ${line}`, { component: 'rust-bridge' });
return;
}
// Check if it's an event (has 'event' field)
if ('event' in parsed) {
const event = parsed as IManagementEvent;
this.emit(`management:${event.event}`, event.data);
return;
}
// Otherwise it's a response (has 'id' field)
if ('id' in parsed) {
const response = parsed as IManagementResponse;
const pending = this.pendingRequests.get(response.id);
if (pending) {
clearTimeout(pending.timer);
this.pendingRequests.delete(response.id);
if (response.success) {
pending.resolve(response.result);
} else {
pending.reject(new Error(response.error || 'Unknown error from RustProxy'));
}
}
}
}
private cleanup(): void {
this.isRunning = false;
this.process = null;
if (this.readline) {
this.readline.close();
this.readline = null;
}
// Reject all pending requests
for (const [id, pending] of this.pendingRequests) {
clearTimeout(pending.timer);
pending.reject(new Error('RustProxy process exited'));
}
this.pendingRequests.clear();
}
}

269
ts/proxies/smart-proxy/security-manager.ts
View File

@@ -1,269 +0,0 @@
import * as plugins from '../../plugins.js';
import type { SmartProxy } from './smart-proxy.js';
import { connectionLogDeduplicator } from '../../core/utils/log-deduplicator.js';
import { isIPAuthorized, normalizeIP } from '../../core/utils/security-utils.js';
/**
* Handles security aspects like IP tracking, rate limiting, and authorization
* for SmartProxy. This is a lightweight wrapper that uses shared utilities.
*/
export class SecurityManager {
private connectionsByIP: Map<string, Set<string>> = new Map();
private connectionRateByIP: Map<string, number[]> = new Map();
private cleanupInterval: NodeJS.Timeout | null = null;
constructor(private smartProxy: SmartProxy) {
// Start periodic cleanup every 60 seconds
this.startPeriodicCleanup();
}
/**
* Get connections count by IP (checks normalized variants)
*/
public getConnectionCountByIP(ip: string): number {
// Check all normalized variants of the IP
const variants = normalizeIP(ip);
for (const variant of variants) {
const connections = this.connectionsByIP.get(variant);
if (connections) {
return connections.size;
}
}
return 0;
}
/**
* Check and update connection rate for an IP
* @returns true if within rate limit, false if exceeding limit
*/
public checkConnectionRate(ip: string): boolean {
const now = Date.now();
const minute = 60 * 1000;
// Find existing rate tracking (check normalized variants)
const variants = normalizeIP(ip);
let existingKey: string | null = null;
for (const variant of variants) {
if (this.connectionRateByIP.has(variant)) {
existingKey = variant;
break;
}
}
const key = existingKey || ip;
if (!this.connectionRateByIP.has(key)) {
this.connectionRateByIP.set(key, [now]);
return true;
}
// Get timestamps and filter out entries older than 1 minute
const timestamps = this.connectionRateByIP.get(key)!.filter((time) => now - time < minute);
timestamps.push(now);
this.connectionRateByIP.set(key, timestamps);
// Check if rate exceeds limit
return timestamps.length <= this.smartProxy.settings.connectionRateLimitPerMinute!;
}
/**
* Track connection by IP
*/
public trackConnectionByIP(ip: string, connectionId: string): void {
// Check if any variant already exists
const variants = normalizeIP(ip);
let existingKey: string | null = null;
for (const variant of variants) {
if (this.connectionsByIP.has(variant)) {
existingKey = variant;
break;
}
}
const key = existingKey || ip;
if (!this.connectionsByIP.has(key)) {
this.connectionsByIP.set(key, new Set());
}
this.connectionsByIP.get(key)!.add(connectionId);
}
/**
* Remove connection tracking for an IP
*/
public removeConnectionByIP(ip: string, connectionId: string): void {
// Check all variants to find where the connection is tracked
const variants = normalizeIP(ip);
for (const variant of variants) {
if (this.connectionsByIP.has(variant)) {
const connections = this.connectionsByIP.get(variant)!;
connections.delete(connectionId);
if (connections.size === 0) {
this.connectionsByIP.delete(variant);
}
break;
}
}
}
/**
* Check if an IP is authorized using security rules
*
* This method is used to determine if an IP is allowed to connect, based on security
* rules configured in the route configuration. The allowed and blocked IPs are
* typically derived from route.security.ipAllowList and ipBlockList.
*
* @param ip - The IP address to check
* @param allowedIPs - Array of allowed IP patterns from security.ipAllowList
* @param blockedIPs - Array of blocked IP patterns from security.ipBlockList
* @returns true if IP is authorized, false if blocked
*/
public isIPAuthorized(ip: string, allowedIPs: string[], blockedIPs: string[] = []): boolean {
return isIPAuthorized(ip, allowedIPs, blockedIPs);
}
/**
* Check if IP should be allowed considering connection rate and max connections
* @returns Object with result and reason
*/
public validateIP(ip: string): { allowed: boolean; reason?: string } {
// Check connection count limit
if (
this.smartProxy.settings.maxConnectionsPerIP &&
this.getConnectionCountByIP(ip) >= this.smartProxy.settings.maxConnectionsPerIP
) {
return {
allowed: false,
reason: `Maximum connections per IP (${this.smartProxy.settings.maxConnectionsPerIP}) exceeded`
};
}
// Check connection rate limit
if (
this.smartProxy.settings.connectionRateLimitPerMinute &&
!this.checkConnectionRate(ip)
) {
return {
allowed: false,
reason: `Connection rate limit (${this.smartProxy.settings.connectionRateLimitPerMinute}/min) exceeded`
};
}
return { allowed: true };
}
/**
* Atomically validate an IP and track the connection if allowed.
* This prevents race conditions where concurrent connections could bypass per-IP limits.
*
* @param ip - The IP address to validate
* @param connectionId - The connection ID to track if validation passes
* @returns Object with validation result and reason
*/
public validateAndTrackIP(ip: string, connectionId: string): { allowed: boolean; reason?: string } {
// Check connection count limit BEFORE tracking
if (
this.smartProxy.settings.maxConnectionsPerIP &&
this.getConnectionCountByIP(ip) >= this.smartProxy.settings.maxConnectionsPerIP
) {
return {
allowed: false,
reason: `Maximum connections per IP (${this.smartProxy.settings.maxConnectionsPerIP}) exceeded`
};
}
// Check connection rate limit
if (
this.smartProxy.settings.connectionRateLimitPerMinute &&
!this.checkConnectionRate(ip)
) {
return {
allowed: false,
reason: `Connection rate limit (${this.smartProxy.settings.connectionRateLimitPerMinute}/min) exceeded`
};
}
// Validation passed - immediately track to prevent race conditions
this.trackConnectionByIP(ip, connectionId);
return { allowed: true };
}
/**
* Clears all IP tracking data (for shutdown)
*/
public clearIPTracking(): void {
if (this.cleanupInterval) {
clearInterval(this.cleanupInterval);
this.cleanupInterval = null;
}
this.connectionsByIP.clear();
this.connectionRateByIP.clear();
}
/**
* Start periodic cleanup of expired data
*/
private startPeriodicCleanup(): void {
this.cleanupInterval = setInterval(() => {
this.performCleanup();
}, 60000); // Run every minute
// Unref the timer so it doesn't keep the process alive
if (this.cleanupInterval.unref) {
this.cleanupInterval.unref();
}
}
/**
* Perform cleanup of expired rate limits and empty IP entries
*/
private performCleanup(): void {
const now = Date.now();
const minute = 60 * 1000;
let cleanedRateLimits = 0;
let cleanedIPs = 0;
// Clean up expired rate limit timestamps
for (const [ip, timestamps] of this.connectionRateByIP.entries()) {
const validTimestamps = timestamps.filter(time => now - time < minute);
if (validTimestamps.length === 0) {
// No valid timestamps, remove the IP entry
this.connectionRateByIP.delete(ip);
cleanedRateLimits++;
} else if (validTimestamps.length < timestamps.length) {
// Some timestamps expired, update with valid ones
this.connectionRateByIP.set(ip, validTimestamps);
}
}
// Clean up IPs with no active connections
for (const [ip, connections] of this.connectionsByIP.entries()) {
if (connections.size === 0) {
this.connectionsByIP.delete(ip);
cleanedIPs++;
}
}
// Log cleanup stats if anything was cleaned
if (cleanedRateLimits > 0 || cleanedIPs > 0) {
if (this.smartProxy.settings.enableDetailedLogging) {
connectionLogDeduplicator.log(
'ip-cleanup',
'debug',
'IP tracking cleanup completed',
{
cleanedRateLimits,
cleanedIPs,
remainingIPs: this.connectionsByIP.size,
remainingRateLimits: this.connectionRateByIP.size,
component: 'security-manager'
},
'periodic-cleanup'
);
}
}
}
}

1075
ts/proxies/smart-proxy/smart-proxy.ts
View File

File diff suppressed because it is too large Load Diff

178
ts/proxies/smart-proxy/socket-handler-server.ts Normal file
View File

@@ -0,0 +1,178 @@
import * as plugins from '../../plugins.js';
import { logger } from '../../core/utils/logger.js';
import type { IRouteConfig, IRouteContext } from './models/route-types.js';
import type { RoutePreprocessor } from './route-preprocessor.js';
/**
* Unix domain socket server that receives relayed connections from the Rust proxy.
*
* When Rust encounters a route of type `socket-handler`, it connects to this
* Unix socket, sends a JSON metadata line, then proxies the raw TCP bytes.
* This server reads the metadata, finds the original JS handler, builds an
* IRouteContext, and hands the socket to the handler.
*/
export class SocketHandlerServer {
private server: plugins.net.Server | null = null;
private socketPath: string;
private preprocessor: RoutePreprocessor;
constructor(preprocessor: RoutePreprocessor) {
this.preprocessor = preprocessor;
this.socketPath = `/tmp/smartproxy-relay-${process.pid}.sock`;
}
/**
* The Unix socket path this server listens on.
*/
public getSocketPath(): string {
return this.socketPath;
}
/**
* Start listening for relayed connections from Rust.
*/
public async start(): Promise<void> {
// Clean up stale socket file
try {
await plugins.fs.promises.unlink(this.socketPath);
} catch {
// Ignore if doesn't exist
}
return new Promise<void>((resolve, reject) => {
this.server = plugins.net.createServer((socket) => {
this.handleConnection(socket);
});
this.server.on('error', (err) => {
logger.log('error', `SocketHandlerServer error: ${err.message}`, { component: 'socket-handler-server' });
});
this.server.listen(this.socketPath, () => {
logger.log('info', `SocketHandlerServer listening on ${this.socketPath}`, { component: 'socket-handler-server' });
resolve();
});
this.server.on('error', reject);
});
}
/**
* Stop the server and clean up.
*/
public async stop(): Promise<void> {
if (this.server) {
return new Promise<void>((resolve) => {
this.server!.close(() => {
this.server = null;
// Clean up socket file
plugins.fs.unlink(this.socketPath, () => resolve());
});
});
}
}
/**
* Handle an incoming relayed connection from Rust.
*
* Protocol: Rust sends a single JSON line with metadata, then raw bytes follow.
* JSON format: { "routeKey": "my-route", "remoteIP": "1.2.3.4", "remotePort": 12345,
* "localPort": 443, "isTLS": true, "domain": "example.com" }
*/
private handleConnection(socket: plugins.net.Socket): void {
let metadataBuffer = '';
let metadataParsed = false;
const onData = (chunk: Buffer) => {
if (metadataParsed) return;
metadataBuffer += chunk.toString('utf8');
const newlineIndex = metadataBuffer.indexOf('\n');
if (newlineIndex === -1) {
// Haven't received full metadata line yet
if (metadataBuffer.length > 8192) {
logger.log('error', 'Socket handler metadata too large, closing', { component: 'socket-handler-server' });
socket.destroy();
}
return;
}
metadataParsed = true;
socket.removeListener('data', onData);
const metadataJson = metadataBuffer.slice(0, newlineIndex);
const remainingData = metadataBuffer.slice(newlineIndex + 1);
let metadata: any;
try {
metadata = JSON.parse(metadataJson);
} catch {
logger.log('error', `Invalid socket handler metadata JSON: ${metadataJson.slice(0, 200)}`, { component: 'socket-handler-server' });
socket.destroy();
return;
}
this.dispatchToHandler(socket, metadata, remainingData);
};
socket.on('data', onData);
socket.on('error', (err) => {
logger.log('error', `Socket handler relay error: ${err.message}`, { component: 'socket-handler-server' });
});
}
/**
* Dispatch a relayed connection to the appropriate JS handler.
*/
private dispatchToHandler(socket: plugins.net.Socket, metadata: any, remainingData: string): void {
const routeKey = metadata.routeKey as string;
if (!routeKey) {
logger.log('error', 'Socket handler relay missing routeKey', { component: 'socket-handler-server' });
socket.destroy();
return;
}
const originalRoute = this.preprocessor.getOriginalRoute(routeKey);
if (!originalRoute) {
logger.log('error', `No handler found for route: ${routeKey}`, { component: 'socket-handler-server' });
socket.destroy();
return;
}
const handler = originalRoute.action.socketHandler;
if (!handler) {
logger.log('error', `Route ${routeKey} has no socketHandler`, { component: 'socket-handler-server' });
socket.destroy();
return;
}
// Build route context
const context: IRouteContext = {
port: metadata.localPort || 0,
domain: metadata.domain,
clientIp: metadata.remoteIP || 'unknown',
serverIp: '0.0.0.0',
path: metadata.path,
isTls: metadata.isTLS || false,
tlsVersion: metadata.tlsVersion,
routeName: originalRoute.name,
routeId: originalRoute.id,
timestamp: Date.now(),
connectionId: metadata.connectionId || `relay-${Date.now()}`,
};
// If there was remaining data after the metadata line, push it back
if (remainingData.length > 0) {
socket.unshift(Buffer.from(remainingData, 'utf8'));
}
// Call the handler
try {
handler(socket, context);
} catch (err: any) {
logger.log('error', `Socket handler threw for route ${routeKey}: ${err.message}`, { component: 'socket-handler-server' });
socket.destroy();
}
}
}

138
ts/proxies/smart-proxy/throughput-tracker.ts
View File

@@ -1,138 +0,0 @@
import type { IThroughputSample, IThroughputData, IThroughputHistoryPoint } from './models/metrics-types.js';
/**
* Tracks throughput data using time-series sampling
*/
export class ThroughputTracker {
private samples: IThroughputSample[] = [];
private readonly maxSamples: number;
private accumulatedBytesIn: number = 0;
private accumulatedBytesOut: number = 0;
private lastSampleTime: number = 0;
constructor(retentionSeconds: number = 3600) {
// Keep samples for the retention period at 1 sample per second
this.maxSamples = retentionSeconds;
}
/**
* Record bytes transferred (called on every data transfer)
*/
public recordBytes(bytesIn: number, bytesOut: number): void {
this.accumulatedBytesIn += bytesIn;
this.accumulatedBytesOut += bytesOut;
}
/**
* Take a sample of accumulated bytes (called every second)
*/
public takeSample(): void {
const now = Date.now();
// Record accumulated bytes since last sample
this.samples.push({
timestamp: now,
bytesIn: this.accumulatedBytesIn,
bytesOut: this.accumulatedBytesOut
});
// Reset accumulators
this.accumulatedBytesIn = 0;
this.accumulatedBytesOut = 0;
this.lastSampleTime = now;
// Maintain circular buffer - remove oldest samples
if (this.samples.length > this.maxSamples) {
this.samples.shift();
}
}
/**
* Get throughput rate over specified window (bytes per second)
*/
public getRate(windowSeconds: number): IThroughputData {
if (this.samples.length === 0) {
return { in: 0, out: 0 };
}
const now = Date.now();
const windowStart = now - (windowSeconds * 1000);
// Find samples within the window
const relevantSamples = this.samples.filter(s => s.timestamp > windowStart);
if (relevantSamples.length === 0) {
return { in: 0, out: 0 };
}
// Calculate total bytes in window
const totalBytesIn = relevantSamples.reduce((sum, s) => sum + s.bytesIn, 0);
const totalBytesOut = relevantSamples.reduce((sum, s) => sum + s.bytesOut, 0);
// Use actual number of seconds covered by samples for accurate rate
const oldestSampleTime = relevantSamples[0].timestamp;
const newestSampleTime = relevantSamples[relevantSamples.length - 1].timestamp;
const actualSeconds = Math.max(1, (newestSampleTime - oldestSampleTime) / 1000 + 1);
return {
in: Math.round(totalBytesIn / actualSeconds),
out: Math.round(totalBytesOut / actualSeconds)
};
}
/**
* Get throughput history for specified duration
*/
public getHistory(durationSeconds: number): IThroughputHistoryPoint[] {
const now = Date.now();
const startTime = now - (durationSeconds * 1000);
// Filter samples within duration
const relevantSamples = this.samples.filter(s => s.timestamp > startTime);
// Convert to history points with per-second rates
const history: IThroughputHistoryPoint[] = [];
for (let i = 0; i < relevantSamples.length; i++) {
const sample = relevantSamples[i];
// For the first sample or samples after gaps, we can't calculate rate
if (i === 0 || sample.timestamp - relevantSamples[i - 1].timestamp > 2000) {
history.push({
timestamp: sample.timestamp,
in: sample.bytesIn,
out: sample.bytesOut
});
} else {
// Calculate rate based on time since previous sample
const prevSample = relevantSamples[i - 1];
const timeDelta = (sample.timestamp - prevSample.timestamp) / 1000;
history.push({
timestamp: sample.timestamp,
in: Math.round(sample.bytesIn / timeDelta),
out: Math.round(sample.bytesOut / timeDelta)
});
}
}
return history;
}
/**
* Clear all samples
*/
public clear(): void {
this.samples = [];
this.accumulatedBytesIn = 0;
this.accumulatedBytesOut = 0;
this.lastSampleTime = 0;
}
/**
* Get sample count for debugging
*/
public getSampleCount(): number {
return this.samples.length;
}
}

196
ts/proxies/smart-proxy/timeout-manager.ts
View File

@@ -1,196 +0,0 @@
import type { IConnectionRecord } from './models/interfaces.js';
import type { SmartProxy } from './smart-proxy.js';
/**
* Manages timeouts and inactivity tracking for connections
*/
export class TimeoutManager {
constructor(private smartProxy: SmartProxy) {}
/**
* Ensure timeout values don't exceed Node.js max safe integer
*/
public ensureSafeTimeout(timeout: number): number {
const MAX_SAFE_TIMEOUT = 2147483647; // Maximum safe value (2^31 - 1)
return Math.min(Math.floor(timeout), MAX_SAFE_TIMEOUT);
}
/**
* Generate a slightly randomized timeout to prevent thundering herd
*/
public randomizeTimeout(baseTimeout: number, variationPercent: number = 5): number {
const safeBaseTimeout = this.ensureSafeTimeout(baseTimeout);
const variation = safeBaseTimeout * (variationPercent / 100);
return this.ensureSafeTimeout(
safeBaseTimeout + Math.floor(Math.random() * variation * 2) - variation
);
}
/**
* Update connection activity timestamp
*/
public updateActivity(record: IConnectionRecord): void {
record.lastActivity = Date.now();
// Clear any inactivity warning
if (record.inactivityWarningIssued) {
record.inactivityWarningIssued = false;
}
}
/**
* Calculate effective inactivity timeout based on connection type
*/
public getEffectiveInactivityTimeout(record: IConnectionRecord): number {
let effectiveTimeout = this.smartProxy.settings.inactivityTimeout || 14400000; // 4 hours default
// For immortal keep-alive connections, use an extremely long timeout
if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'immortal') {
return Number.MAX_SAFE_INTEGER;
}
// For extended keep-alive connections, apply multiplier
if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'extended') {
const multiplier = this.smartProxy.settings.keepAliveInactivityMultiplier || 6;
effectiveTimeout = effectiveTimeout * multiplier;
}
return this.ensureSafeTimeout(effectiveTimeout);
}
/**
* Calculate effective max lifetime based on connection type
*/
public getEffectiveMaxLifetime(record: IConnectionRecord): number {
// Use route-specific timeout if available from the routeConfig
const baseTimeout = record.routeConfig?.action.advanced?.timeout ||
this.smartProxy.settings.maxConnectionLifetime ||
86400000; // 24 hours default
// For immortal keep-alive connections, use an extremely long lifetime
if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'immortal') {
return Number.MAX_SAFE_INTEGER;
}
// For extended keep-alive connections, use the extended lifetime setting
if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'extended') {
return this.ensureSafeTimeout(
this.smartProxy.settings.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000 // 7 days default
);
}
// Apply randomization if enabled
if (this.smartProxy.settings.enableRandomizedTimeouts) {
return this.randomizeTimeout(baseTimeout);
}
return this.ensureSafeTimeout(baseTimeout);
}
/**
* Setup connection timeout
* @returns The cleanup timer
*/
public setupConnectionTimeout(
record: IConnectionRecord,
onTimeout: (record: IConnectionRecord, reason: string) => void
): NodeJS.Timeout | null {
// Clear any existing timer
if (record.cleanupTimer) {
clearTimeout(record.cleanupTimer);
}
// Skip timeout for immortal keep-alive connections
if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'immortal') {
return null;
}
// Calculate effective timeout
const effectiveLifetime = this.getEffectiveMaxLifetime(record);
// Set up the timeout
const timer = setTimeout(() => {
// Call the provided callback
onTimeout(record, 'connection_timeout');
}, effectiveLifetime);
// Make sure timeout doesn't keep the process alive
if (timer.unref) {
timer.unref();
}
return timer;
}
/**
* Check for inactivity on a connection
* @returns Object with check results
*/
public checkInactivity(record: IConnectionRecord): {
isInactive: boolean;
shouldWarn: boolean;
inactivityTime: number;
effectiveTimeout: number;
} {
// Skip for connections with inactivity check disabled
if (this.smartProxy.settings.disableInactivityCheck) {
return {
isInactive: false,
shouldWarn: false,
inactivityTime: 0,
effectiveTimeout: 0
};
}
// Skip for immortal keep-alive connections
if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'immortal') {
return {
isInactive: false,
shouldWarn: false,
inactivityTime: 0,
effectiveTimeout: 0
};
}
const now = Date.now();
const inactivityTime = now - record.lastActivity;
const effectiveTimeout = this.getEffectiveInactivityTimeout(record);
// Check if inactive
const isInactive = inactivityTime > effectiveTimeout;
// For keep-alive connections, we should warn first
const shouldWarn = record.hasKeepAlive &&
isInactive &&
!record.inactivityWarningIssued;
return {
isInactive,
shouldWarn,
inactivityTime,
effectiveTimeout
};
}
/**
* Apply socket timeout settings
*/
public applySocketTimeouts(record: IConnectionRecord): void {
// Skip for immortal keep-alive connections
if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'immortal') {
// Disable timeouts completely for immortal connections
record.incoming.setTimeout(0);
if (record.outgoing) {
record.outgoing.setTimeout(0);
}
return;
}
// Apply normal timeouts
const timeout = this.ensureSafeTimeout(this.smartProxy.settings.socketTimeout || 3600000); // 1 hour default
record.incoming.setTimeout(timeout);
if (record.outgoing) {
record.outgoing.setTimeout(timeout);
}
}
}

171
ts/proxies/smart-proxy/tls-manager.ts
View File

@@ -1,171 +0,0 @@
import * as plugins from '../../plugins.js';
import { SniHandler } from '../../tls/sni/sni-handler.js';
import { ProtocolDetector, TlsDetector } from '../../detection/index.js';
import type { SmartProxy } from './smart-proxy.js';
/**
* Interface for connection information used for SNI extraction
*/
interface IConnectionInfo {
sourceIp: string;
sourcePort: number;
destIp: string;
destPort: number;
}
/**
* Manages TLS-related operations including SNI extraction and validation
*/
export class TlsManager {
constructor(private smartProxy: SmartProxy) {}
/**
* Check if a data chunk appears to be a TLS handshake
*/
public isTlsHandshake(chunk: Buffer): boolean {
return SniHandler.isTlsHandshake(chunk);
}
/**
* Check if a data chunk appears to be a TLS ClientHello
*/
public isClientHello(chunk: Buffer): boolean {
return SniHandler.isClientHello(chunk);
}
/**
* Extract Server Name Indication (SNI) from TLS handshake
*/
public extractSNI(
chunk: Buffer,
connInfo: IConnectionInfo,
previousDomain?: string
): string | undefined {
// Use the SniHandler to process the TLS packet
return SniHandler.processTlsPacket(
chunk,
connInfo,
this.smartProxy.settings.enableTlsDebugLogging || false,
previousDomain
);
}
/**
* Check for SNI mismatch during renegotiation
*/
public checkRenegotiationSNI(
chunk: Buffer,
connInfo: IConnectionInfo,
expectedDomain: string,
connectionId: string
): { hasMismatch: boolean; extractedSNI?: string } {
// Only process if this looks like a TLS ClientHello
if (!this.isClientHello(chunk)) {
return { hasMismatch: false };
}
try {
// Extract SNI with renegotiation support
const newSNI = SniHandler.extractSNIWithResumptionSupport(
chunk,
connInfo,
this.smartProxy.settings.enableTlsDebugLogging || false
);
// Skip if no SNI was found
if (!newSNI) return { hasMismatch: false };
// Check for SNI mismatch
if (newSNI !== expectedDomain) {
if (this.smartProxy.settings.enableTlsDebugLogging) {
console.log(
`[${connectionId}] Renegotiation with different SNI: ${expectedDomain} -> ${newSNI}. ` +
`Terminating connection - SNI domain switching is not allowed.`
);
}
return { hasMismatch: true, extractedSNI: newSNI };
} else if (this.smartProxy.settings.enableTlsDebugLogging) {
console.log(
`[${connectionId}] Renegotiation detected with same SNI: ${newSNI}. Allowing.`
);
}
} catch (err) {
console.log(
`[${connectionId}] Error processing ClientHello: ${err}. Allowing connection to continue.`
);
}
return { hasMismatch: false };
}
/**
* Create a renegotiation handler function for a connection
*/
public createRenegotiationHandler(
connectionId: string,
lockedDomain: string,
connInfo: IConnectionInfo,
onMismatch: (connectionId: string, reason: string) => void
): (chunk: Buffer) => void {
return (chunk: Buffer) => {
const result = this.checkRenegotiationSNI(chunk, connInfo, lockedDomain, connectionId);
if (result.hasMismatch) {
onMismatch(connectionId, 'sni_mismatch');
}
};
}
/**
* Analyze TLS connection for browser fingerprinting
* This helps identify browser vs non-browser connections
*/
public analyzeClientHello(chunk: Buffer): {
isBrowserConnection: boolean;
isRenewal: boolean;
hasSNI: boolean;
} {
// Default result
const result = {
isBrowserConnection: false,
isRenewal: false,
hasSNI: false
};
try {
// Check if it's a ClientHello
if (!this.isClientHello(chunk)) {
return result;
}
// Check for session resumption
const resumptionInfo = SniHandler.hasSessionResumption(
chunk,
this.smartProxy.settings.enableTlsDebugLogging || false
);
// Extract SNI
const sni = SniHandler.extractSNI(
chunk,
this.smartProxy.settings.enableTlsDebugLogging || false
);
// Update result
result.isRenewal = resumptionInfo.isResumption;
result.hasSNI = !!sni;
// Browsers typically:
// 1. Send SNI extension
// 2. Have a variety of extensions (ALPN, etc.)
// 3. Use standard cipher suites
// ...more complex heuristics could be implemented here
// Simple heuristic: presence of SNI suggests browser
result.isBrowserConnection = !!sni;
return result;
} catch (err) {
console.log(`Error analyzing ClientHello: ${err}`);
return result;
}
}
}