push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(acme): Fix port 80 ACME management and challenge route concurrency issues by deduplicating port listeners, preserving challenge route state across certificate manager recreations, and adding mutex locks to route updates.

Browse Source
This commit is contained in:
Philipp Kunz
2025-05-19 03:40:58 +00:00
parent 0bd35c4fb3
commit 3fcdce611c
13 changed files with 1494 additions and 351 deletions
Download Patch File Download Diff File Expand all files Collapse all files

144
test/test.acme-configuration.node.ts
View File

@ -1,144 +0,0 @@
import { expect, tap } from '@push.rocks/tapbundle';
import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
let smartProxy: SmartProxy;
tap.test('should create SmartProxy with top-level ACME configuration', async () => {
smartProxy = new SmartProxy({
// Top-level ACME configuration
acme: {
email: 'test@example.com',
useProduction: false,
port: 80,
renewThresholdDays: 30
},
routes: [{
name: 'example.com',
match: { domains: 'example.com', ports: 443 },
action: {
type: 'forward',
target: { host: 'localhost', port: 8080 },
tls: {
mode: 'terminate',
certificate: 'auto' // Uses top-level ACME config
}
}
}]
});
expect(smartProxy).toBeInstanceOf(SmartProxy);
expect(smartProxy.settings.acme?.email).toEqual('test@example.com');
expect(smartProxy.settings.acme?.useProduction).toEqual(false);
});
tap.test('should support route-level ACME configuration', async () => {
const proxy = new SmartProxy({
routes: [{
name: 'custom.com',
match: { domains: 'custom.com', ports: 443 },
action: {
type: 'forward',
target: { host: 'localhost', port: 8080 },
tls: {
mode: 'terminate',
certificate: 'auto',
acme: { // Route-specific ACME config
email: 'custom@example.com',
useProduction: true
}
}
}
}]
});
expect(proxy).toBeInstanceOf(SmartProxy);
});
tap.test('should use top-level ACME as defaults and allow route overrides', async () => {
const proxy = new SmartProxy({
acme: {
email: 'default@example.com',
useProduction: false
},
routes: [{
name: 'default-route',
match: { domains: 'default.com', ports: 443 },
action: {
type: 'forward',
target: { host: 'localhost', port: 8080 },
tls: {
mode: 'terminate',
certificate: 'auto' // Uses top-level defaults
}
}
}, {
name: 'custom-route',
match: { domains: 'custom.com', ports: 443 },
action: {
type: 'forward',
target: { host: 'localhost', port: 8081 },
tls: {
mode: 'terminate',
certificate: 'auto',
acme: { // Override for this route
email: 'special@example.com',
useProduction: true
}
}
}
}]
});
expect(proxy.settings.acme?.email).toEqual('default@example.com');
});
tap.test('should validate ACME configuration warnings', async () => {
// Test missing email
let errorThrown = false;
try {
const proxy = new SmartProxy({
routes: [{
name: 'no-email',
match: { domains: 'test.com', ports: 443 },
action: {
type: 'forward',
target: { host: 'localhost', port: 8080 },
tls: {
mode: 'terminate',
certificate: 'auto' // No ACME email configured
}
}
}]
});
await proxy.start();
} catch (error) {
errorThrown = true;
expect(error.message).toInclude('ACME email is required');
}
expect(errorThrown).toBeTrue();
});
tap.test('should support accountEmail alias', async () => {
const proxy = new SmartProxy({
acme: {
accountEmail: 'account@example.com', // Using alias
useProduction: false
},
routes: [{
name: 'alias-test',
match: { domains: 'alias.com', ports: 443 },
action: {
type: 'forward',
target: { host: 'localhost', port: 8080 },
tls: {
mode: 'terminate',
certificate: 'auto'
}
}
}]
});
expect(proxy.settings.acme?.email).toEqual('account@example.com');
});
tap.start();

185
test/test.acme-state-manager.node.ts Normal file
View File

@ -0,0 +1,185 @@
import { expect, tap } from '@push.rocks/tapbundle';
import { AcmeStateManager } from '../ts/proxies/smart-proxy/acme-state-manager.js';
import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
tap.test('AcmeStateManager should track challenge routes correctly', async (tools) => {
const stateManager = new AcmeStateManager();
const challengeRoute: IRouteConfig = {
name: 'acme-challenge',
priority: 1000,
match: {
ports: 80,
path: '/.well-known/acme-challenge/*'
},
action: {
type: 'static',
handler: async () => ({ status: 200, body: 'challenge' })
}
};
// Initially no challenge routes
tools.expect(stateManager.isChallengeRouteActive()).toBeFalse();
tools.expect(stateManager.getActiveChallengeRoutes()).toHaveLength(0);
// Add challenge route
stateManager.addChallengeRoute(challengeRoute);
tools.expect(stateManager.isChallengeRouteActive()).toBeTrue();
tools.expect(stateManager.getActiveChallengeRoutes()).toHaveLength(1);
tools.expect(stateManager.getPrimaryChallengeRoute()).toEqual(challengeRoute);
// Remove challenge route
stateManager.removeChallengeRoute('acme-challenge');
tools.expect(stateManager.isChallengeRouteActive()).toBeFalse();
tools.expect(stateManager.getActiveChallengeRoutes()).toHaveLength(0);
tools.expect(stateManager.getPrimaryChallengeRoute()).toBeNull();
});
tap.test('AcmeStateManager should track port allocations', async (tools) => {
const stateManager = new AcmeStateManager();
const challengeRoute1: IRouteConfig = {
name: 'acme-challenge-1',
priority: 1000,
match: {
ports: 80,
path: '/.well-known/acme-challenge/*'
},
action: {
type: 'static'
}
};
const challengeRoute2: IRouteConfig = {
name: 'acme-challenge-2',
priority: 900,
match: {
ports: [80, 8080],
path: '/.well-known/acme-challenge/*'
},
action: {
type: 'static'
}
};
// Add first route
stateManager.addChallengeRoute(challengeRoute1);
tools.expect(stateManager.isPortAllocatedForAcme(80)).toBeTrue();
tools.expect(stateManager.isPortAllocatedForAcme(8080)).toBeFalse();
tools.expect(stateManager.getAcmePorts()).toEqual([80]);
// Add second route
stateManager.addChallengeRoute(challengeRoute2);
tools.expect(stateManager.isPortAllocatedForAcme(80)).toBeTrue();
tools.expect(stateManager.isPortAllocatedForAcme(8080)).toBeTrue();
tools.expect(stateManager.getAcmePorts()).toContain(80);
tools.expect(stateManager.getAcmePorts()).toContain(8080);
// Remove first route - port 80 should still be allocated
stateManager.removeChallengeRoute('acme-challenge-1');
tools.expect(stateManager.isPortAllocatedForAcme(80)).toBeTrue();
tools.expect(stateManager.isPortAllocatedForAcme(8080)).toBeTrue();
// Remove second route - all ports should be deallocated
stateManager.removeChallengeRoute('acme-challenge-2');
tools.expect(stateManager.isPortAllocatedForAcme(80)).toBeFalse();
tools.expect(stateManager.isPortAllocatedForAcme(8080)).toBeFalse();
tools.expect(stateManager.getAcmePorts()).toHaveLength(0);
});
tap.test('AcmeStateManager should select primary route by priority', async (tools) => {
const stateManager = new AcmeStateManager();
const lowPriorityRoute: IRouteConfig = {
name: 'low-priority',
priority: 100,
match: {
ports: 80
},
action: {
type: 'static'
}
};
const highPriorityRoute: IRouteConfig = {
name: 'high-priority',
priority: 2000,
match: {
ports: 80
},
action: {
type: 'static'
}
};
const defaultPriorityRoute: IRouteConfig = {
name: 'default-priority',
// No priority specified - should default to 0
match: {
ports: 80
},
action: {
type: 'static'
}
};
// Add low priority first
stateManager.addChallengeRoute(lowPriorityRoute);
tools.expect(stateManager.getPrimaryChallengeRoute()?.name).toEqual('low-priority');
// Add high priority - should become primary
stateManager.addChallengeRoute(highPriorityRoute);
tools.expect(stateManager.getPrimaryChallengeRoute()?.name).toEqual('high-priority');
// Add default priority - primary should remain high priority
stateManager.addChallengeRoute(defaultPriorityRoute);
tools.expect(stateManager.getPrimaryChallengeRoute()?.name).toEqual('high-priority');
// Remove high priority - primary should fall back to low priority
stateManager.removeChallengeRoute('high-priority');
tools.expect(stateManager.getPrimaryChallengeRoute()?.name).toEqual('low-priority');
});
tap.test('AcmeStateManager should handle clear operation', async (tools) => {
const stateManager = new AcmeStateManager();
const challengeRoute1: IRouteConfig = {
name: 'route-1',
match: {
ports: [80, 443]
},
action: {
type: 'static'
}
};
const challengeRoute2: IRouteConfig = {
name: 'route-2',
match: {
ports: 8080
},
action: {
type: 'static'
}
};
// Add routes
stateManager.addChallengeRoute(challengeRoute1);
stateManager.addChallengeRoute(challengeRoute2);
// Verify state before clear
tools.expect(stateManager.isChallengeRouteActive()).toBeTrue();
tools.expect(stateManager.getActiveChallengeRoutes()).toHaveLength(2);
tools.expect(stateManager.getAcmePorts()).toHaveLength(3);
// Clear all state
stateManager.clear();
// Verify state after clear
tools.expect(stateManager.isChallengeRouteActive()).toBeFalse();
tools.expect(stateManager.getActiveChallengeRoutes()).toHaveLength(0);
tools.expect(stateManager.getAcmePorts()).toHaveLength(0);
tools.expect(stateManager.getPrimaryChallengeRoute()).toBeNull();
});
export default tap;

345
test/test.port80-management.node.ts Normal file
View File

@ -0,0 +1,345 @@
import { expect, tap } from '@push.rocks/tapbundle';
import { SmartProxy } from '../ts/index.js';
tap.test('should not double-register port 80 when user route and ACME use same port', async (tools) => {
tools.timeout(5000);
let port80AddCount = 0;
const activePorts = new Set<number>();
const settings = {
port: 9901,
routes: [
{
name: 'user-route',
match: {
ports: [80]
},
action: {
type: 'forward' as const,
targetUrl: 'http://localhost:3000'
}
},
{
name: 'acme-route',
match: {
ports: [443]
},
action: {
type: 'forward' as const,
targetUrl: 'https://localhost:3001',
tls: {
mode: 'terminate' as const,
certificate: 'auto'
}
}
}
],
acme: {
email: 'test@test.com',
port: 80 // ACME on same port as user route
}
};
const proxy = new SmartProxy(settings);
// Mock the port manager to track port additions
(proxy as any).portManager = {
addPort: async (port: number) => {
if (activePorts.has(port)) {
// This is the deduplication behavior we're testing
return;
}
activePorts.add(port);
if (port === 80) {
port80AddCount++;
}
},
addPorts: async (ports: number[]) => {
for (const port of ports) {
await (proxy as any).portManager.addPort(port);
}
},
removePort: async (port: number) => {
activePorts.delete(port);
},
updatePorts: async (requiredPorts: Set<number>) => {
const portsToRemove = [];
for (const port of activePorts) {
if (!requiredPorts.has(port)) {
portsToRemove.push(port);
}
}
const portsToAdd = [];
for (const port of requiredPorts) {
if (!activePorts.has(port)) {
portsToAdd.push(port);
}
}
for (const port of portsToRemove) {
await (proxy as any).portManager.removePort(port);
}
for (const port of portsToAdd) {
await (proxy as any).portManager.addPort(port);
}
},
setShuttingDown: () => {},
getPortForRoutes: () => new Map(),
closeAll: async () => { activePorts.clear(); },
stop: async () => { await (proxy as any).portManager.closeAll(); }
};
// Mock NFTables
(proxy as any).nftablesManager = {
ensureNFTablesSetup: async () => {},
stop: async () => {}
};
// Mock certificate manager to prevent ACME
(proxy as any).createCertificateManager = async function(routes: any[], certDir: string, acmeOptions: any) {
const certManager = {
routes: routes,
globalAcmeDefaults: acmeOptions,
updateRoutesCallback: null as any,
challengeRouteActive: false,
setUpdateRoutesCallback: function(callback: any) {
this.updateRoutesCallback = callback;
},
setNetworkProxy: function() {},
setGlobalAcmeDefaults: function(defaults: any) {
this.globalAcmeDefaults = defaults;
},
initialize: async function() {
const hasAcmeRoutes = routes.some((r: any) =>
r.action.tls?.certificate === 'auto'
);
if (hasAcmeRoutes && acmeOptions?.email) {
const challengeRoute = {
name: 'acme-challenge',
priority: 1000,
match: {
ports: acmeOptions.port || 80,
path: '/.well-known/acme-challenge/*'
},
action: {
type: 'static',
handler: async () => ({ status: 200, body: 'challenge' })
}
};
const updatedRoutes = [...routes, challengeRoute];
if (this.updateRoutesCallback) {
await this.updateRoutesCallback(updatedRoutes);
}
this.challengeRouteActive = true;
}
},
getAcmeOptions: function() {
return acmeOptions;
},
stop: async function() {}
};
certManager.setUpdateRoutesCallback(async (routes: any[]) => {
await this.updateRoutes(routes);
});
await certManager.initialize();
return certManager;
};
// Mock admin server to prevent binding
(proxy as any).startAdminServer = async function() {
this.servers.set(this.settings.port, {
port: this.settings.port,
close: async () => {}
});
};
try {
await proxy.start();
// Verify that port 80 was added only once
tools.expect(port80AddCount).toEqual(1);
} finally {
await proxy.stop();
}
});
tap.test('should handle ACME on different port than user routes', async (tools) => {
tools.timeout(5000);
const portAddHistory: number[] = [];
const activePorts = new Set<number>();
const settings = {
port: 9902,
routes: [
{
name: 'user-route',
match: {
ports: [80]
},
action: {
type: 'forward' as const,
targetUrl: 'http://localhost:3000'
}
},
{
name: 'acme-route',
match: {
ports: [443]
},
action: {
type: 'forward' as const,
targetUrl: 'https://localhost:3001',
tls: {
mode: 'terminate' as const,
certificate: 'auto'
}
}
}
],
acme: {
email: 'test@test.com',
port: 8080 // ACME on different port than user routes
}
};
const proxy = new SmartProxy(settings);
// Mock the port manager
(proxy as any).portManager = {
addPort: async (port: number) => {
if (!activePorts.has(port)) {
activePorts.add(port);
portAddHistory.push(port);
}
},
addPorts: async (ports: number[]) => {
for (const port of ports) {
await (proxy as any).portManager.addPort(port);
}
},
removePort: async (port: number) => {
activePorts.delete(port);
},
updatePorts: async (requiredPorts: Set<number>) => {
for (const port of requiredPorts) {
await (proxy as any).portManager.addPort(port);
}
},
setShuttingDown: () => {},
getPortForRoutes: () => new Map(),
closeAll: async () => { activePorts.clear(); },
stop: async () => { await (proxy as any).portManager.closeAll(); }
};
// Mock NFTables
(proxy as any).nftablesManager = {
ensureNFTablesSetup: async () => {},
stop: async () => {}
};
// Mock certificate manager
(proxy as any).createCertificateManager = async function(routes: any[], certDir: string, acmeOptions: any) {
const certManager = {
routes: routes,
globalAcmeDefaults: acmeOptions,
updateRoutesCallback: null as any,
challengeRouteActive: false,
setUpdateRoutesCallback: function(callback: any) {
this.updateRoutesCallback = callback;
},
setNetworkProxy: function() {},
setGlobalAcmeDefaults: function(defaults: any) {
this.globalAcmeDefaults = defaults;
},
initialize: async function() {
const hasAcmeRoutes = routes.some((r: any) =>
r.action.tls?.certificate === 'auto'
);
if (hasAcmeRoutes && acmeOptions?.email) {
const challengeRoute = {
name: 'acme-challenge',
priority: 1000,
match: {
ports: acmeOptions.port || 80,
path: '/.well-known/acme-challenge/*'
},
action: {
type: 'static',
handler: async () => ({ status: 200, body: 'challenge' })
}
};
const updatedRoutes = [...routes, challengeRoute];
if (this.updateRoutesCallback) {
await this.updateRoutesCallback(updatedRoutes);
}
this.challengeRouteActive = true;
}
},
getAcmeOptions: function() {
return acmeOptions;
},
stop: async function() {}
};
certManager.setUpdateRoutesCallback(async (routes: any[]) => {
await this.updateRoutes(routes);
});
await certManager.initialize();
return certManager;
};
// Mock admin server
(proxy as any).startAdminServer = async function() {
this.servers.set(this.settings.port, {
port: this.settings.port,
close: async () => {}
});
};
try {
await proxy.start();
// Verify that all expected ports were added
tools.expect(portAddHistory).toInclude(80); // User route
tools.expect(portAddHistory).toInclude(443); // TLS route
tools.expect(portAddHistory).toInclude(8080); // ACME challenge
} finally {
await proxy.stop();
}
});
export default tap;

328
test/test.race-conditions.node.ts Normal file
View File

@ -0,0 +1,328 @@
import { expect, tap } from '@push.rocks/tapbundle';
import { SmartProxy } from '../ts/index.js';
tap.test('should handle concurrent route updates without race conditions', async (tools) => {
tools.timeout(10000);
const settings = {
port: 6001,
routes: [
{
name: 'initial-route',
match: {
ports: 80
},
action: {
type: 'forward' as const,
targetUrl: 'http://localhost:3000'
}
}
],
acme: {
email: 'test@test.com',
port: 80
}
};
const proxy = new SmartProxy(settings);
await proxy.start();
// Simulate concurrent route updates
const updates = [];
for (let i = 0; i < 5; i++) {
updates.push(proxy.updateRoutes([
...settings.routes,
{
name: `route-${i}`,
match: {
ports: [443]
},
action: {
type: 'forward' as const,
targetUrl: `https://localhost:${3001 + i}`,
tls: {
mode: 'terminate' as const,
certificate: 'auto'
}
}
}
]));
}
// All updates should complete without errors
await Promise.all(updates);
// Verify final state
const currentRoutes = proxy['settings'].routes;
tools.expect(currentRoutes.length).toBeGreaterThan(1);
await proxy.stop();
});
tap.test('should preserve certificate manager state during rapid updates', async (tools) => {
tools.timeout(10000);
const settings = {
port: 6002,
routes: [
{
name: 'test-route',
match: {
ports: [443]
},
action: {
type: 'forward' as const,
targetUrl: 'https://localhost:3001',
tls: {
mode: 'terminate' as const,
certificate: 'auto'
}
}
}
],
acme: {
email: 'test@test.com',
port: 80
}
};
const proxy = new SmartProxy(settings);
await proxy.start();
// Get initial certificate manager reference
const initialCertManager = proxy['certManager'];
tools.expect(initialCertManager).not.toBeNull();
// Perform rapid route updates
for (let i = 0; i < 3; i++) {
await proxy.updateRoutes([
...settings.routes,
{
name: `extra-route-${i}`,
match: {
ports: [8000 + i]
},
action: {
type: 'forward' as const,
targetUrl: `http://localhost:${4000 + i}`
}
}
]);
}
// Certificate manager should be recreated but state preserved
const finalCertManager = proxy['certManager'];
tools.expect(finalCertManager).not.toBeNull();
tools.expect(finalCertManager).not.toEqual(initialCertManager);
await proxy.stop();
});
tap.test('should handle challenge route state correctly across recreations', async (tools) => {
tools.timeout(10000);
let challengeRouteAddCount = 0;
const settings = {
port: 6003,
routes: [
{
name: 'acme-route',
match: {
ports: [443]
},
action: {
type: 'forward' as const,
targetUrl: 'https://localhost:3001',
tls: {
mode: 'terminate' as const,
certificate: 'auto'
}
}
}
],
acme: {
email: 'test@test.com',
port: 80
}
};
const proxy = new SmartProxy(settings);
// Mock the route update to count challenge route additions
const originalUpdateRoutes = proxy['updateRoutes'].bind(proxy);
proxy['updateRoutes'] = async (routes: any[]) => {
if (routes.some(r => r.name === 'acme-challenge')) {
challengeRouteAddCount++;
}
return originalUpdateRoutes(routes);
};
await proxy.start();
// Multiple route updates
for (let i = 0; i < 3; i++) {
await proxy.updateRoutes([
...settings.routes,
{
name: `dynamic-route-${i}`,
match: {
ports: [9000 + i]
},
action: {
type: 'forward' as const,
targetUrl: `http://localhost:${5000 + i}`
}
}
]);
}
// Challenge route should only be added once during initial start
tools.expect(challengeRouteAddCount).toEqual(1);
await proxy.stop();
});
tap.test('should prevent port conflicts during certificate manager recreation', async (tools) => {
tools.timeout(10000);
const settings = {
port: 6004,
routes: [
{
name: 'http-route',
match: {
ports: [80]
},
action: {
type: 'forward' as const,
targetUrl: 'http://localhost:3000'
}
},
{
name: 'https-route',
match: {
ports: [443]
},
action: {
type: 'forward' as const,
targetUrl: 'https://localhost:3001',
tls: {
mode: 'terminate' as const,
certificate: 'auto'
}
}
}
],
acme: {
email: 'test@test.com',
port: 80 // Same as user route
}
};
const proxy = new SmartProxy(settings);
// Track port operations
let port80AddCount = 0;
const originalPortManager = proxy['portManager'];
const originalAddPort = originalPortManager.addPort.bind(originalPortManager);
originalPortManager.addPort = async (port: number) => {
if (port === 80) {
port80AddCount++;
}
return originalAddPort(port);
};
await proxy.start();
// Update routes multiple times
for (let i = 0; i < 3; i++) {
await proxy.updateRoutes([
...settings.routes,
{
name: `temp-route-${i}`,
match: {
ports: [7000 + i]
},
action: {
type: 'forward' as const,
targetUrl: `http://localhost:${6000 + i}`
}
}
]);
}
// Port 80 should be maintained properly without conflicts
tools.expect(port80AddCount).toBeGreaterThan(0);
await proxy.stop();
});
tap.test('should handle mutex locking correctly', async (tools) => {
tools.timeout(10000);
const settings = {
port: 6005,
routes: [
{
name: 'test-route',
match: {
ports: [80]
},
action: {
type: 'forward' as const,
targetUrl: 'http://localhost:3000'
}
}
]
};
const proxy = new SmartProxy(settings);
await proxy.start();
let updateStartCount = 0;
let updateEndCount = 0;
// Wrap updateRoutes to track concurrent execution
const originalUpdateRoutes = proxy['updateRoutes'].bind(proxy);
proxy['updateRoutes'] = async (routes: any[]) => {
updateStartCount++;
const startCount = updateStartCount;
const endCount = updateEndCount;
// If mutex is working, start count should never be more than end count + 1
tools.expect(startCount).toBeLessThanOrEqual(endCount + 1);
const result = await originalUpdateRoutes(routes);
updateEndCount++;
return result;
};
// Trigger multiple concurrent updates
const updates = [];
for (let i = 0; i < 5; i++) {
updates.push(proxy.updateRoutes([
...settings.routes,
{
name: `concurrent-route-${i}`,
match: {
ports: [2000 + i]
},
action: {
type: 'forward' as const,
targetUrl: `http://localhost:${3000 + i}`
}
}
]));
}
await Promise.all(updates);
// All updates should have completed
tools.expect(updateStartCount).toEqual(5);
tools.expect(updateEndCount).toEqual(5);
await proxy.stop();
});
export default tap;