push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BREAKING CHANGE(IRouteSecurity): Consolidate duplicated IRouteSecurity interfaces by unifying property names

Browse Source
This commit is contained in:
Philipp Kunz
2025-05-15 09:34:01 +00:00
parent 1067177d82
commit 35d7dfcedf
12 changed files with 206 additions and 238 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ts/proxies/smart-proxy/models/interfaces.ts
View File

@ -27,8 +27,8 @@ export interface ISmartProxyOptions {
port: number; // Default port to use when not specified in routes
};
security?: {
allowedIps?: string[]; // Default allowed IPs
blockedIps?: string[]; // Default blocked IPs
ipAllowList?: string[]; // Default allowed IPs
ipBlockList?: string[]; // Default blocked IPs
maxConnections?: number; // Default max connections
};
preserveSourceIP?: boolean; // Default source IP preservation

58
ts/proxies/smart-proxy/models/route-types.ts
View File

@ -112,13 +112,39 @@ export interface IRouteAuthentication {
}
/**
* Security options for route actions
* Security options for routes
*/
export interface IRouteSecurity {
allowedIps?: string[];
blockedIps?: string[];
maxConnections?: number;
// Access control lists
ipAllowList?: string[]; // IP addresses that are allowed to connect
ipBlockList?: string[]; // IP addresses that are blocked from connecting
// Connection limits
maxConnections?: number; // Maximum concurrent connections
// Authentication
authentication?: IRouteAuthentication;
// Rate limiting
rateLimit?: IRouteRateLimit;
// Authentication methods
basicAuth?: {
enabled: boolean;
users: Array<{ username: string; password: string }>;
realm?: string;
excludePaths?: string[];
};
jwtAuth?: {
enabled: boolean;
secret: string;
algorithm?: string;
issuer?: string;
audience?: string;
expiresIn?: number;
excludePaths?: string[];
};
}
/**
@ -247,29 +273,7 @@ export interface IRouteRateLimit {
errorMessage?: string;
}
/**
* Security features for routes
*/
export interface IRouteSecurity {
rateLimit?: IRouteRateLimit;
basicAuth?: {
enabled: boolean;
users: Array<{ username: string; password: string }>;
realm?: string;
excludePaths?: string[];
};
jwtAuth?: {
enabled: boolean;
secret: string;
algorithm?: string;
issuer?: string;
audience?: string;
expiresIn?: number;
excludePaths?: string[];
};
ipAllowList?: string[];
ipBlockList?: string[];
}
// IRouteSecurity is defined above - unified definition is used for all routes
/**
* CORS configuration for a route

6
ts/proxies/smart-proxy/route-connection-handler.ts
View File

@ -289,11 +289,11 @@ export class RouteConnectionHandler {
// Check default security settings
const defaultSecuritySettings = this.settings.defaults?.security;
if (defaultSecuritySettings) {
if (defaultSecuritySettings.allowedIps && defaultSecuritySettings.allowedIps.length > 0) {
if (defaultSecuritySettings.ipAllowList && defaultSecuritySettings.ipAllowList.length > 0) {
const isAllowed = this.securityManager.isIPAuthorized(
remoteIP,
defaultSecuritySettings.allowedIps,
defaultSecuritySettings.blockedIps || []
defaultSecuritySettings.ipAllowList,
defaultSecuritySettings.ipBlockList || []
);
if (!isAllowed) {

8
ts/proxies/smart-proxy/route-manager.ts
View File

@ -213,8 +213,8 @@ export class RouteManager extends plugins.EventEmitter {
}
// Check blocked IPs first
if (security.blockedIps && security.blockedIps.length > 0) {
for (const pattern of security.blockedIps) {
if (security.ipBlockList && security.ipBlockList.length > 0) {
for (const pattern of security.ipBlockList) {
if (this.matchIpPattern(pattern, clientIp)) {
return false; // IP is blocked
}
@ -222,8 +222,8 @@ export class RouteManager extends plugins.EventEmitter {
}
// If there are allowed IPs, check them
if (security.allowedIps && security.allowedIps.length > 0) {
for (const pattern of security.allowedIps) {
if (security.ipAllowList && security.ipAllowList.length > 0) {
for (const pattern of security.ipAllowList) {
if (this.matchIpPattern(pattern, clientIp)) {
return true; // IP is allowed
}

15
ts/proxies/smart-proxy/security-manager.ts
View File

@ -63,16 +63,15 @@ export class SecurityManager {
}
/**
* Check if an IP is authorized using forwarding security rules
* Check if an IP is authorized using security rules
*
* This method is used to determine if an IP is allowed to connect, based on security
* rules configured in the forwarding configuration. The allowed and blocked IPs are
* typically derived from domain.forwarding.security.allowedIps and blockedIps through
* DomainConfigManager.getEffectiveIPRules().
* rules configured in the route configuration. The allowed and blocked IPs are
* typically derived from route.security.ipAllowList and ipBlockList.
*
* @param ip - The IP address to check
* @param allowedIPs - Array of allowed IP patterns from forwarding.security.allowedIps
* @param blockedIPs - Array of blocked IP patterns from forwarding.security.blockedIps
* @param allowedIPs - Array of allowed IP patterns from security.ipAllowList
* @param blockedIPs - Array of blocked IP patterns from security.ipBlockList
* @returns true if IP is authorized, false if blocked
*/
public isIPAuthorized(ip: string, allowedIPs: string[], blockedIPs: string[] = []): boolean {
@ -94,10 +93,10 @@ export class SecurityManager {
* Check if the IP matches any of the glob patterns from security configuration
*
* This method checks IP addresses against glob patterns and handles IPv4/IPv6 normalization.
* It's used to implement IP filtering based on the forwarding.security configuration.
* It's used to implement IP filtering based on the route.security configuration.
*
* @param ip - The IP address to check
* @param patterns - Array of glob patterns from forwarding.security.allowedIps or blockedIps
* @param patterns - Array of glob patterns from security.ipAllowList or ipBlockList
* @returns true if IP matches any pattern, false otherwise
*/
private isGlobIPMatch(ip: string, patterns: string[]): boolean {