From 32d875aed955f55b924e77fdbe6d256df070fbbe Mon Sep 17 00:00:00 2001
From: Philipp Kunz
Date: Fri, 21 Feb 2025 18:54:40 +0000
Subject: [PATCH] fix(PortProxy): Fixed handling of SNI domain connections and IP allowance checks

---
 changelog.md | 7 +++++++
 ts/00_commitinfo_data.ts | 2 +-
 ts/smartproxy.portproxy.ts | 42 +++++++++++++++++++-------------------
 3 files changed, 29 insertions(+), 22 deletions(-)

diff --git a/changelog.md b/changelog.md
index 7b9e26c..4fe34d3 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## 2025-02-21 - 3.4.4 - fix(PortProxy)
+Fixed handling of SNI domain connections and IP allowance checks
+
+- Improved logic for handling SNI domain checks, ensuring IPs are correctly verified.
+- Fixed issue where default allowed IPs were not being checked correctly for non-SNI connections.
+- Revised the SNICallback behavior to handle connections more gracefully when domain configurations are unavailable.
+
 ## 2025-02-21 - 3.4.3 - fix(PortProxy)
 Fixed indentation issue and ensured proper cleanup of sockets in PortProxy
 
diff --git a/ts/00_commitinfo_data.ts b/ts/00_commitinfo_data.ts
index 5fe371f..3c40f55 100644
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
 name: '@push.rocks/smartproxy',
- version: '3.4.3',
+ version: '3.4.4',
 description: 'a proxy for handling high workloads of proxying'
 }
diff --git a/ts/smartproxy.portproxy.ts b/ts/smartproxy.portproxy.ts
index 1469b03..214a508 100644
--- a/ts/smartproxy.portproxy.ts
+++ b/ts/smartproxy.portproxy.ts
@@ -73,9 +73,8 @@ export class PortProxy {
 console.log(`SNI request for domain: ${serverName}`);
 const domainConfig = findMatchingDomain(serverName);
 if (!domainConfig) {
- console.log(`SNI rejected: No matching domain config for ${serverName}`);
- cb(new Error(`No configuration for domain: ${serverName}`));
- return;
+ // Always allow SNI for default IPs, even if domain doesn't match
+ console.log(`SNI domain ${serverName} not found, will check IP during connection`);
 }
 // Create context with the provided TLS settings
 const ctx = plugins.tls.createSecureContext(this.settings);
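Review bot: The new comment `// Always allow SNI for default IPs, even if domain doesn't match` describes a check this callback does not perform — no remote IP is consulted here; the callback simply no longer returns early, so every server name proceeds to `createSecureContext(this.settings)` and the accept/reject decision is deferred to the connection handler. Suggest `// No domain config for this name: do not reject here; the 'connection' handler checks defaultAllowedIPs and per-domain allowedIPs after the handshake`. A consequence worth stating in that comment is that the context is built from `this.settings` regardless of `serverName`, so a client presenting an unmatched name presumably completes a full handshake against the default certificate before being rejected; the rejection log line in the connection handler is therefore the signal to watch for unexpected names. The enclosing SNICallback continues outside the hunk.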
@@ -88,31 +87,32 @@ export class PortProxy {
 const remoteIP = from.remoteAddress || '';
 let serverName = '';
 
+ // First check if this IP is in the default allowed list
+ const isDefaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
+
 if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
 serverName = (from as any).servername || '';
 console.log(`TLS Connection from ${remoteIP} for domain: ${serverName}`);
 }
 
- // For TLS connections, we've already validated the domain in SNICallback
- if (!this.settings.sniEnabled || from instanceof plugins.tls.TLSSocket) {
- const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
-
+ // If IP is in defaultAllowedIPs, allow the connection regardless of SNI
+ if (isDefaultAllowed) {
+ console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
+ } else if (this.settings.sniEnabled && serverName) {
+ // For SNI connections that aren't in default list, check domain-specific rules
+ const domainConfig = findMatchingDomain(serverName);
 if (!domainConfig) {
- // If no matching domain config found, check default IPs if available
- if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
- console.log(`Connection rejected: No matching domain config for ${serverName || 'non-SNI'} from IP ${remoteIP}`);
- from.end();
- return;
- }
- } else {
- // Check if IP is allowed for this domain
- if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
- console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
- from.end();
- return;
- }
+ console.log(`Connection rejected: No matching domain config for ${serverName} from IP ${remoteIP}`);
+ from.end();
+ return;
 }
- } else if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+ if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
+ console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
+ from.end();
+ return;
+ }
+ } else {
+ // Non-SNI connection and not in default list
 console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
 from.end();
 return;
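Review bot: The `if (isDefaultAllowed)` branch is evaluated before the per-domain check, so an address in `defaultAllowedIPs` now reaches every SNI domain, including one whose own `allowedIPs` would have excluded it — the removed code only consulted `defaultAllowedIPs` when no domain config matched, so this is a widening of policy rather than just a fix for the non-SNI case. If that is intended (the changelog says "regardless of SNI"), it should be stated on the settings type, e.g. `/** IPs allowed to connect to any domain; takes precedence over each domain's allowedIPs. */`; if not, evaluate `findMatchingDomain(serverName)` first and fall back to `defaultAllowedIPs` only when no domain matches. As a point of style, `isDefaultAllowed` is `undefined` rather than `false` when the list is unset; `const isDefaultAllowed = this.settings.defaultAllowedIPs ? isAllowed(remoteIP, this.settings.defaultAllowedIPs) : false;` keeps it a boolean. The connection handler starts and ends outside the hunk.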