push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(strcuture): refactor responsibilities

Browse Source
This commit is contained in:
Philipp Kunz
2025-05-19 17:28:05 +00:00
parent 8fb67922a5
commit 465148d553
62 changed files with 1414 additions and 2066 deletions
Download Patch File Download Diff File Expand all files Collapse all files

193
ts/proxies/http-proxy/certificate-manager.ts Normal file
View File

@ -0,0 +1,193 @@
import * as plugins from '../../plugins.js';
import * as fs from 'fs';
import * as path from 'path';
import { fileURLToPath } from 'url';
import { type IHttpProxyOptions, type ICertificateEntry, type ILogger, createLogger } from './models/types.js';
import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
/**
* @deprecated This class is deprecated. Use SmartCertManager instead.
*
* This is a stub implementation that maintains backward compatibility
* while the functionality has been moved to SmartCertManager.
*/
export class CertificateManager {
private defaultCertificates: { key: string; cert: string };
private certificateCache: Map<string, ICertificateEntry> = new Map();
private certificateStoreDir: string;
private logger: ILogger;
private httpsServer: plugins.https.Server | null = null;
constructor(private options: IHttpProxyOptions) {
this.certificateStoreDir = path.resolve(options.acme?.certificateStore || './certs');
this.logger = createLogger(options.logLevel || 'info');
this.logger.warn('CertificateManager is deprecated - use SmartCertManager instead');
// Ensure certificate store directory exists
try {
if (!fs.existsSync(this.certificateStoreDir)) {
fs.mkdirSync(this.certificateStoreDir, { recursive: true });
this.logger.info(`Created certificate store directory: ${this.certificateStoreDir}`);
}
} catch (error) {
this.logger.warn(`Failed to create certificate store directory: ${error}`);
}
this.loadDefaultCertificates();
}
/**
* Loads default certificates from the filesystem
*/
public loadDefaultCertificates(): void {
const __dirname = path.dirname(fileURLToPath(import.meta.url));
const certPath = path.join(__dirname, '..', '..', '..', 'assets', 'certs');
try {
this.defaultCertificates = {
key: fs.readFileSync(path.join(certPath, 'key.pem'), 'utf8'),
cert: fs.readFileSync(path.join(certPath, 'cert.pem'), 'utf8')
};
this.logger.info('Loaded default certificates from filesystem');
} catch (error) {
this.logger.error(`Failed to load default certificates: ${error}`);
this.generateSelfSignedCertificate();
}
}
/**
* Generates self-signed certificates as fallback
*/
private generateSelfSignedCertificate(): void {
// Generate a self-signed certificate using forge or similar
// For now, just use a placeholder
const selfSignedCert = `-----BEGIN CERTIFICATE-----
MIIBkTCB+wIJAKHHIgIIA0/cMA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNVBAYTAlVT
MB4XDTE0MDEwMTAwMDAwMFoXDTI0MDEwMTAwMDAwMFowDTELMAkGA1UEBhMCVVMw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMRiH0VwnOH3jCV7c6JFZWYrvuqy
-----END CERTIFICATE-----`;
const selfSignedKey = `-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMRiH0VwnOH3jCV7
c6JFZWYrvuqyALCLXj0pcr1iqNdHjegNXnkl5zjdaUjq4edNOKl7M1AlFiYjG2xk
-----END PRIVATE KEY-----`;
this.defaultCertificates = {
key: selfSignedKey,
cert: selfSignedCert
};
this.logger.warn('Using self-signed certificate as fallback');
}
/**
* Gets the default certificates
*/
public getDefaultCertificates(): { key: string; cert: string } {
return this.defaultCertificates;
}
/**
* @deprecated Use SmartCertManager instead
*/
public setExternalPort80Handler(handler: any): void {
this.logger.warn('setExternalPort80Handler is deprecated - use SmartCertManager instead');
}
/**
* @deprecated Use SmartCertManager instead
*/
public async updateRoutes(routes: IRouteConfig[]): Promise<void> {
this.logger.warn('updateRoutes is deprecated - use SmartCertManager instead');
}
/**
* Handles SNI callback to provide appropriate certificate
*/
public handleSNI(domain: string, cb: (err: Error | null, ctx: plugins.tls.SecureContext) => void): void {
const certificate = this.getCachedCertificate(domain);
if (certificate) {
const context = plugins.tls.createSecureContext({
key: certificate.key,
cert: certificate.cert
});
cb(null, context);
return;
}
// Use default certificate if no domain-specific certificate found
const defaultContext = plugins.tls.createSecureContext({
key: this.defaultCertificates.key,
cert: this.defaultCertificates.cert
});
cb(null, defaultContext);
}
/**
* Updates a certificate in the cache
*/
public updateCertificate(domain: string, cert: string, key: string): void {
this.certificateCache.set(domain, {
cert,
key,
expires: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days
});
this.logger.info(`Certificate updated for ${domain}`);
}
/**
* Gets a cached certificate
*/
private getCachedCertificate(domain: string): ICertificateEntry | null {
return this.certificateCache.get(domain) || null;
}
/**
* @deprecated Use SmartCertManager instead
*/
public async initializePort80Handler(): Promise<any> {
this.logger.warn('initializePort80Handler is deprecated - use SmartCertManager instead');
return null;
}
/**
* @deprecated Use SmartCertManager instead
*/
public async stopPort80Handler(): Promise<void> {
this.logger.warn('stopPort80Handler is deprecated - use SmartCertManager instead');
}
/**
* @deprecated Use SmartCertManager instead
*/
public registerDomainsWithPort80Handler(domains: string[]): void {
this.logger.warn('registerDomainsWithPort80Handler is deprecated - use SmartCertManager instead');
}
/**
* @deprecated Use SmartCertManager instead
*/
public registerRoutesWithPort80Handler(routes: IRouteConfig[]): void {
this.logger.warn('registerRoutesWithPort80Handler is deprecated - use SmartCertManager instead');
}
/**
* Sets the HTTPS server for certificate updates
*/
public setHttpsServer(server: plugins.https.Server): void {
this.httpsServer = server;
}
/**
* Gets statistics for metrics
*/
public getStats() {
return {
cachedCertificates: this.certificateCache.size,
defaultCertEnabled: true
};
}
}

241
ts/proxies/http-proxy/connection-pool.ts Normal file
View File

@ -0,0 +1,241 @@
import * as plugins from '../../plugins.js';
import { type IHttpProxyOptions, type IConnectionEntry, type ILogger, createLogger } from './models/types.js';
/**
* Manages a pool of backend connections for efficient reuse
*/
export class ConnectionPool {
private connectionPool: Map<string, Array<IConnectionEntry>> = new Map();
private roundRobinPositions: Map<string, number> = new Map();
private logger: ILogger;
constructor(private options: IHttpProxyOptions) {
this.logger = createLogger(options.logLevel || 'info');
}
/**
* Get a connection from the pool or create a new one
*/
public getConnection(host: string, port: number): Promise<plugins.net.Socket> {
return new Promise((resolve, reject) => {
const poolKey = `${host}:${port}`;
const connectionList = this.connectionPool.get(poolKey) || [];
// Look for an idle connection
const idleConnectionIndex = connectionList.findIndex(c => c.isIdle);
if (idleConnectionIndex >= 0) {
// Get existing connection from pool
const connection = connectionList[idleConnectionIndex];
connection.isIdle = false;
connection.lastUsed = Date.now();
this.logger.debug(`Reusing connection from pool for ${poolKey}`);
// Update the pool
this.connectionPool.set(poolKey, connectionList);
resolve(connection.socket);
return;
}
// No idle connection available, create a new one if pool isn't full
const poolSize = this.options.connectionPoolSize || 50;
if (connectionList.length < poolSize) {
this.logger.debug(`Creating new connection to ${host}:${port}`);
try {
const socket = plugins.net.connect({
host,
port,
keepAlive: true,
keepAliveInitialDelay: 30000 // 30 seconds
});
socket.once('connect', () => {
// Add to connection pool
const connection = {
socket,
lastUsed: Date.now(),
isIdle: false
};
connectionList.push(connection);
this.connectionPool.set(poolKey, connectionList);
// Setup cleanup when the connection is closed
socket.once('close', () => {
const idx = connectionList.findIndex(c => c.socket === socket);
if (idx >= 0) {
connectionList.splice(idx, 1);
this.connectionPool.set(poolKey, connectionList);
this.logger.debug(`Removed closed connection from pool for ${poolKey}`);
}
});
resolve(socket);
});
socket.once('error', (err) => {
this.logger.error(`Error creating connection to ${host}:${port}`, err);
reject(err);
});
} catch (err) {
this.logger.error(`Failed to create connection to ${host}:${port}`, err);
reject(err);
}
} else {
// Pool is full, wait for an idle connection or reject
this.logger.warn(`Connection pool for ${poolKey} is full (${connectionList.length})`);
reject(new Error(`Connection pool for ${poolKey} is full`));
}
});
}
/**
* Return a connection to the pool for reuse
*/
public returnConnection(socket: plugins.net.Socket, host: string, port: number): void {
const poolKey = `${host}:${port}`;
const connectionList = this.connectionPool.get(poolKey) || [];
// Find this connection in the pool
const connectionIndex = connectionList.findIndex(c => c.socket === socket);
if (connectionIndex >= 0) {
// Mark as idle and update last used time
connectionList[connectionIndex].isIdle = true;
connectionList[connectionIndex].lastUsed = Date.now();
this.logger.debug(`Returned connection to pool for ${poolKey}`);
} else {
this.logger.warn(`Attempted to return unknown connection to pool for ${poolKey}`);
}
}
/**
* Cleanup the connection pool by removing idle connections
* or reducing pool size if it exceeds the configured maximum
*/
public cleanupConnectionPool(): void {
const now = Date.now();
const idleTimeout = this.options.keepAliveTimeout || 120000; // 2 minutes default
for (const [host, connections] of this.connectionPool.entries()) {
// Sort by last used time (oldest first)
connections.sort((a, b) => a.lastUsed - b.lastUsed);
// Remove idle connections older than the idle timeout
let removed = 0;
while (connections.length > 0) {
const connection = connections[0];
// Remove if idle and exceeds timeout, or if pool is too large
if ((connection.isIdle && now - connection.lastUsed > idleTimeout) ||
connections.length > (this.options.connectionPoolSize || 50)) {
try {
if (!connection.socket.destroyed) {
connection.socket.end();
connection.socket.destroy();
}
} catch (err) {
this.logger.error(`Error destroying pooled connection to ${host}`, err);
}
connections.shift(); // Remove from pool
removed++;
} else {
break; // Stop removing if we've reached active or recent connections
}
}
if (removed > 0) {
this.logger.debug(`Removed ${removed} idle connections from pool for ${host}, ${connections.length} remaining`);
}
// Update the pool with the remaining connections
if (connections.length === 0) {
this.connectionPool.delete(host);
} else {
this.connectionPool.set(host, connections);
}
}
}
/**
* Close all connections in the pool
*/
public closeAllConnections(): void {
for (const [host, connections] of this.connectionPool.entries()) {
this.logger.debug(`Closing ${connections.length} connections to ${host}`);
for (const connection of connections) {
try {
if (!connection.socket.destroyed) {
connection.socket.end();
connection.socket.destroy();
}
} catch (error) {
this.logger.error(`Error closing connection to ${host}:`, error);
}
}
}
this.connectionPool.clear();
this.roundRobinPositions.clear();
}
/**
* Get load balancing target using round-robin
*/
public getNextTarget(targets: string[], port: number): { host: string, port: number } {
const targetKey = targets.join(',');
// Initialize position if not exists
if (!this.roundRobinPositions.has(targetKey)) {
this.roundRobinPositions.set(targetKey, 0);
}
// Get current position and increment for next time
const currentPosition = this.roundRobinPositions.get(targetKey)!;
const nextPosition = (currentPosition + 1) % targets.length;
this.roundRobinPositions.set(targetKey, nextPosition);
// Return the selected target
return {
host: targets[currentPosition],
port
};
}
/**
* Gets the connection pool status
*/
public getPoolStatus(): Record<string, { total: number, idle: number }> {
return Object.fromEntries(
Array.from(this.connectionPool.entries()).map(([host, connections]) => [
host,
{
total: connections.length,
idle: connections.filter(c => c.isIdle).length
}
])
);
}
/**
* Setup a periodic cleanup task
*/
public setupPeriodicCleanup(interval: number = 60000): NodeJS.Timeout {
const timer = setInterval(() => {
this.cleanupConnectionPool();
}, interval);
// Don't prevent process exit
if (timer.unref) {
timer.unref();
}
return timer;
}
}

145
ts/proxies/http-proxy/context-creator.ts Normal file
View File

@ -0,0 +1,145 @@
import * as plugins from '../../plugins.js';
import '../../core/models/socket-augmentation.js';
import type { IRouteContext, IHttpRouteContext, IHttp2RouteContext } from '../../core/models/route-context.js';
/**
* Context creator for NetworkProxy
* Creates route contexts for matching and function evaluation
*/
export class ContextCreator {
/**
* Create a route context from HTTP request information
*/
public createHttpRouteContext(req: any, options: {
tlsVersion?: string;
connectionId: string;
clientIp: string;
serverIp: string;
}): IHttpRouteContext {
// Parse headers
const headers: Record<string, string> = {};
for (const [key, value] of Object.entries(req.headers)) {
if (typeof value === 'string') {
headers[key.toLowerCase()] = value;
} else if (Array.isArray(value) && value.length > 0) {
headers[key.toLowerCase()] = value[0];
}
}
// Parse domain from Host header
const domain = headers['host']?.split(':')[0] || '';
// Parse URL
const url = new URL(`http://${domain}${req.url || '/'}`);
return {
// Connection basics
port: req.socket.localPort || 0,
domain,
clientIp: options.clientIp,
serverIp: options.serverIp,
// HTTP specifics
path: url.pathname,
query: url.search ? url.search.substring(1) : '',
headers,
// TLS information
isTls: !!req.socket.encrypted,
tlsVersion: options.tlsVersion,
// Request objects
req,
// Metadata
timestamp: Date.now(),
connectionId: options.connectionId
};
}
/**
* Create a route context from HTTP/2 stream and headers
*/
public createHttp2RouteContext(
stream: plugins.http2.ServerHttp2Stream,
headers: plugins.http2.IncomingHttpHeaders,
options: {
connectionId: string;
clientIp: string;
serverIp: string;
}
): IHttp2RouteContext {
// Parse headers, excluding HTTP/2 pseudo-headers
const processedHeaders: Record<string, string> = {};
for (const [key, value] of Object.entries(headers)) {
if (!key.startsWith(':') && typeof value === 'string') {
processedHeaders[key.toLowerCase()] = value;
}
}
// Get domain from :authority pseudo-header
const authority = headers[':authority'] as string || '';
const domain = authority.split(':')[0];
// Get path from :path pseudo-header
const path = headers[':path'] as string || '/';
// Parse the path to extract query string
const pathParts = path.split('?');
const pathname = pathParts[0];
const query = pathParts.length > 1 ? pathParts[1] : '';
// Get the socket from the session
const socket = (stream.session as any)?.socket;
return {
// Connection basics
port: socket?.localPort || 0,
domain,
clientIp: options.clientIp,
serverIp: options.serverIp,
// HTTP specifics
path: pathname,
query,
headers: processedHeaders,
// HTTP/2 specific properties
method: headers[':method'] as string,
stream,
// TLS information - HTTP/2 is always on TLS in browsers
isTls: true,
tlsVersion: socket?.getTLSVersion?.() || 'TLSv1.3',
// Metadata
timestamp: Date.now(),
connectionId: options.connectionId
};
}
/**
* Create a basic route context from socket information
*/
public createSocketRouteContext(socket: plugins.net.Socket, options: {
domain?: string;
tlsVersion?: string;
connectionId: string;
}): IRouteContext {
return {
// Connection basics
port: socket.localPort || 0,
domain: options.domain,
clientIp: socket.remoteAddress?.replace('::ffff:', '') || '0.0.0.0',
serverIp: socket.localAddress?.replace('::ffff:', '') || '0.0.0.0',
// TLS information
isTls: options.tlsVersion !== undefined,
tlsVersion: options.tlsVersion,
// Metadata
timestamp: Date.now(),
connectionId: options.connectionId
};
}
}

259
ts/proxies/http-proxy/function-cache.ts Normal file
View File

@ -0,0 +1,259 @@
import type { IRouteContext } from '../../core/models/route-context.js';
import type { ILogger } from './models/types.js';
/**
* Interface for cached function result
*/
interface ICachedResult<T> {
value: T;
expiry: number;
hash: string;
}
/**
* Function cache for NetworkProxy function-based targets
*
* This cache improves performance for function-based targets by storing
* the results of function evaluations and reusing them for similar contexts.
*/
export class FunctionCache {
// Cache storage
private hostCache: Map<string, ICachedResult<string | string[]>> = new Map();
private portCache: Map<string, ICachedResult<number>> = new Map();
// Maximum number of entries to store in each cache
private maxCacheSize: number;
// Default TTL for cache entries in milliseconds (default: 5 seconds)
private defaultTtl: number;
// Logger
private logger: ILogger;
/**
* Creates a new function cache
*
* @param logger Logger for debug output
* @param options Cache options
*/
constructor(
logger: ILogger,
options: {
maxCacheSize?: number;
defaultTtl?: number;
} = {}
) {
this.logger = logger;
this.maxCacheSize = options.maxCacheSize || 1000;
this.defaultTtl = options.defaultTtl || 5000; // 5 seconds default
// Start the cache cleanup timer
setInterval(() => this.cleanupCache(), 30000); // Cleanup every 30 seconds
}
/**
* Compute a hash for a context object
* This is used to identify similar contexts for caching
*
* @param context The route context to hash
* @param functionId Identifier for the function (usually route name or ID)
* @returns A string hash
*/
private computeContextHash(context: IRouteContext, functionId: string): string {
// Extract relevant properties for the hash
const hashBase = {
functionId,
port: context.port,
domain: context.domain,
clientIp: context.clientIp,
path: context.path,
query: context.query,
isTls: context.isTls,
tlsVersion: context.tlsVersion
};
// Generate a hash string
return JSON.stringify(hashBase);
}
/**
* Get cached host result for a function and context
*
* @param context Route context
* @param functionId Identifier for the function
* @returns Cached host value or undefined if not found
*/
public getCachedHost(context: IRouteContext, functionId: string): string | string[] | undefined {
const hash = this.computeContextHash(context, functionId);
const cached = this.hostCache.get(hash);
// Return if no cached value or expired
if (!cached || cached.expiry < Date.now()) {
if (cached) {
// If expired, remove from cache
this.hostCache.delete(hash);
this.logger.debug(`Cache miss (expired) for host function: ${functionId}`);
} else {
this.logger.debug(`Cache miss for host function: ${functionId}`);
}
return undefined;
}
this.logger.debug(`Cache hit for host function: ${functionId}`);
return cached.value;
}
/**
* Get cached port result for a function and context
*
* @param context Route context
* @param functionId Identifier for the function
* @returns Cached port value or undefined if not found
*/
public getCachedPort(context: IRouteContext, functionId: string): number | undefined {
const hash = this.computeContextHash(context, functionId);
const cached = this.portCache.get(hash);
// Return if no cached value or expired
if (!cached || cached.expiry < Date.now()) {
if (cached) {
// If expired, remove from cache
this.portCache.delete(hash);
this.logger.debug(`Cache miss (expired) for port function: ${functionId}`);
} else {
this.logger.debug(`Cache miss for port function: ${functionId}`);
}
return undefined;
}
this.logger.debug(`Cache hit for port function: ${functionId}`);
return cached.value;
}
/**
* Store a host function result in the cache
*
* @param context Route context
* @param functionId Identifier for the function
* @param value Host value to cache
* @param ttl Optional TTL in milliseconds
*/
public cacheHost(
context: IRouteContext,
functionId: string,
value: string | string[],
ttl?: number
): void {
const hash = this.computeContextHash(context, functionId);
const expiry = Date.now() + (ttl || this.defaultTtl);
// Check if we need to prune the cache before adding
if (this.hostCache.size >= this.maxCacheSize) {
this.pruneOldestEntries(this.hostCache);
}
// Store the result
this.hostCache.set(hash, { value, expiry, hash });
this.logger.debug(`Cached host function result for: ${functionId}`);
}
/**
* Store a port function result in the cache
*
* @param context Route context
* @param functionId Identifier for the function
* @param value Port value to cache
* @param ttl Optional TTL in milliseconds
*/
public cachePort(
context: IRouteContext,
functionId: string,
value: number,
ttl?: number
): void {
const hash = this.computeContextHash(context, functionId);
const expiry = Date.now() + (ttl || this.defaultTtl);
// Check if we need to prune the cache before adding
if (this.portCache.size >= this.maxCacheSize) {
this.pruneOldestEntries(this.portCache);
}
// Store the result
this.portCache.set(hash, { value, expiry, hash });
this.logger.debug(`Cached port function result for: ${functionId}`);
}
/**
* Remove expired entries from the cache
*/
private cleanupCache(): void {
const now = Date.now();
let expiredCount = 0;
// Clean up host cache
for (const [hash, cached] of this.hostCache.entries()) {
if (cached.expiry < now) {
this.hostCache.delete(hash);
expiredCount++;
}
}
// Clean up port cache
for (const [hash, cached] of this.portCache.entries()) {
if (cached.expiry < now) {
this.portCache.delete(hash);
expiredCount++;
}
}
if (expiredCount > 0) {
this.logger.debug(`Cleaned up ${expiredCount} expired cache entries`);
}
}
/**
* Prune oldest entries from a cache map
* Used when the cache exceeds the maximum size
*
* @param cache The cache map to prune
*/
private pruneOldestEntries<T>(cache: Map<string, ICachedResult<T>>): void {
// Find the oldest entries
const now = Date.now();
const itemsToRemove = Math.floor(this.maxCacheSize * 0.2); // Remove 20% of the cache
// Convert to array for sorting
const entries = Array.from(cache.entries());
// Sort by expiry (oldest first)
entries.sort((a, b) => a[1].expiry - b[1].expiry);
// Remove oldest entries
const toRemove = entries.slice(0, itemsToRemove);
for (const [hash] of toRemove) {
cache.delete(hash);
}
this.logger.debug(`Pruned ${toRemove.length} oldest cache entries`);
}
/**
* Get current cache stats
*/
public getStats(): { hostCacheSize: number; portCacheSize: number } {
return {
hostCacheSize: this.hostCache.size,
portCacheSize: this.portCache.size
};
}
/**
* Clear all cached entries
*/
public clearCache(): void {
this.hostCache.clear();
this.portCache.clear();
this.logger.info('Function cache cleared');
}
}

6
ts/proxies/http-proxy/handlers/index.ts Normal file
View File

@ -0,0 +1,6 @@
/**
* HTTP handlers for various route types
*/
export { RedirectHandler } from './redirect-handler.js';
export { StaticHandler } from './static-handler.js';

105
ts/proxies/http-proxy/handlers/redirect-handler.ts Normal file
View File

@ -0,0 +1,105 @@
import * as plugins from '../../../plugins.js';
import type { IRouteConfig } from '../../smart-proxy/models/route-types.js';
import type { IConnectionRecord } from '../../smart-proxy/models/interfaces.js';
import type { ILogger } from '../models/types.js';
import { createLogger } from '../models/types.js';
import { HttpStatus, getStatusText } from '../models/http-types.js';
export interface IRedirectHandlerContext {
connectionId: string;
connectionManager: any; // Avoid circular deps
settings: any;
logger?: ILogger;
}
/**
* Handles HTTP redirect routes
*/
export class RedirectHandler {
/**
* Handle redirect routes
*/
public static async handleRedirect(
socket: plugins.net.Socket,
route: IRouteConfig,
context: IRedirectHandlerContext
): Promise<void> {
const { connectionId, connectionManager, settings } = context;
const logger = context.logger || createLogger(settings.logLevel || 'info');
const action = route.action;
// We should have a redirect configuration
if (!action.redirect) {
logger.error(`[${connectionId}] Redirect action missing redirect configuration`);
socket.end();
connectionManager.cleanupConnection({ id: connectionId }, 'missing_redirect');
return;
}
// For TLS connections, we can't do redirects at the TCP level
// This check should be done before calling this handler
// Wait for the first HTTP request to perform the redirect
const dataListeners: ((chunk: Buffer) => void)[] = [];
const httpDataHandler = (chunk: Buffer) => {
// Remove all data listeners to avoid duplicated processing
for (const listener of dataListeners) {
socket.removeListener('data', listener);
}
// Parse HTTP request to get path
try {
const headersEnd = chunk.indexOf('\r\n\r\n');
if (headersEnd === -1) {
// Not a complete HTTP request, need more data
socket.once('data', httpDataHandler);
dataListeners.push(httpDataHandler);
return;
}
const httpHeaders = chunk.slice(0, headersEnd).toString();
const requestLine = httpHeaders.split('\r\n')[0];
const [method, path] = requestLine.split(' ');
// Extract Host header
const hostMatch = httpHeaders.match(/Host: (.+?)(\r\n|\r|\n|$)/i);
const host = hostMatch ? hostMatch[1].trim() : '';
// Process the redirect URL with template variables
let redirectUrl = action.redirect.to;
redirectUrl = redirectUrl.replace(/\{domain\}/g, host);
redirectUrl = redirectUrl.replace(/\{path\}/g, path || '');
redirectUrl = redirectUrl.replace(/\{port\}/g, socket.localPort?.toString() || '80');
// Prepare the HTTP redirect response
const redirectResponse = [
`HTTP/1.1 ${action.redirect.status} Moved`,
`Location: ${redirectUrl}`,
'Connection: close',
'Content-Length: 0',
'',
'',
].join('\r\n');
if (settings.enableDetailedLogging) {
logger.info(
`[${connectionId}] Redirecting to ${redirectUrl} with status ${action.redirect.status}`
);
}
// Send the redirect response
socket.end(redirectResponse);
connectionManager.initiateCleanupOnce({ id: connectionId }, 'redirect_complete');
} catch (err) {
logger.error(`[${connectionId}] Error processing HTTP redirect: ${err}`);
socket.end();
connectionManager.initiateCleanupOnce({ id: connectionId }, 'redirect_error');
}
};
// Setup the HTTP data handler
socket.once('data', httpDataHandler);
dataListeners.push(httpDataHandler);
}
}

251
ts/proxies/http-proxy/handlers/static-handler.ts Normal file
View File

@ -0,0 +1,251 @@
import * as plugins from '../../../plugins.js';
import type { IRouteConfig } from '../../smart-proxy/models/route-types.js';
import type { IConnectionRecord } from '../../smart-proxy/models/interfaces.js';
import type { ILogger } from '../models/types.js';
import { createLogger } from '../models/types.js';
import type { IRouteContext } from '../../../core/models/route-context.js';
import { HttpStatus, getStatusText } from '../models/http-types.js';
export interface IStaticHandlerContext {
connectionId: string;
connectionManager: any; // Avoid circular deps
settings: any;
logger?: ILogger;
}
/**
* Handles static routes including ACME challenges
*/
export class StaticHandler {
/**
* Handle static routes
*/
public static async handleStatic(
socket: plugins.net.Socket,
route: IRouteConfig,
context: IStaticHandlerContext,
record: IConnectionRecord
): Promise<void> {
const { connectionId, connectionManager, settings } = context;
const logger = context.logger || createLogger(settings.logLevel || 'info');
if (!route.action.handler) {
logger.error(`[${connectionId}] Static route '${route.name}' has no handler`);
socket.end();
connectionManager.cleanupConnection(record, 'no_handler');
return;
}
let buffer = Buffer.alloc(0);
let processingData = false;
const handleHttpData = async (chunk: Buffer) => {
// Accumulate the data
buffer = Buffer.concat([buffer, chunk]);
// Prevent concurrent processing of the same buffer
if (processingData) return;
processingData = true;
try {
// Process data until we have a complete request or need more data
await processBuffer();
} finally {
processingData = false;
}
};
const processBuffer = async () => {
// Look for end of HTTP headers
const headerEndIndex = buffer.indexOf('\r\n\r\n');
if (headerEndIndex === -1) {
// Need more data
if (buffer.length > 8192) {
// Prevent excessive buffering
logger.error(`[${connectionId}] HTTP headers too large`);
socket.end();
connectionManager.cleanupConnection(record, 'headers_too_large');
}
return; // Wait for more data to arrive
}
// Parse the HTTP request
const headerBuffer = buffer.slice(0, headerEndIndex);
const headers = headerBuffer.toString();
const lines = headers.split('\r\n');
if (lines.length === 0) {
logger.error(`[${connectionId}] Invalid HTTP request`);
socket.end();
connectionManager.cleanupConnection(record, 'invalid_request');
return;
}
// Parse request line
const requestLine = lines[0];
const requestParts = requestLine.split(' ');
if (requestParts.length < 3) {
logger.error(`[${connectionId}] Invalid HTTP request line`);
socket.end();
connectionManager.cleanupConnection(record, 'invalid_request_line');
return;
}
const [method, path, httpVersion] = requestParts;
// Parse headers
const headersMap: Record<string, string> = {};
for (let i = 1; i < lines.length; i++) {
const colonIndex = lines[i].indexOf(':');
if (colonIndex > 0) {
const key = lines[i].slice(0, colonIndex).trim().toLowerCase();
const value = lines[i].slice(colonIndex + 1).trim();
headersMap[key] = value;
}
}
// Check for Content-Length to handle request body
const requestBodyLength = parseInt(headersMap['content-length'] || '0', 10);
const bodyStartIndex = headerEndIndex + 4; // Skip the \r\n\r\n
// If there's a body, ensure we have the full body
if (requestBodyLength > 0) {
const totalExpectedLength = bodyStartIndex + requestBodyLength;
// If we don't have the complete body yet, wait for more data
if (buffer.length < totalExpectedLength) {
// Implement a reasonable body size limit to prevent memory issues
if (requestBodyLength > 1024 * 1024) {
// 1MB limit
logger.error(`[${connectionId}] Request body too large`);
socket.end();
connectionManager.cleanupConnection(record, 'body_too_large');
return;
}
return; // Wait for more data
}
}
// Extract query string if present
let pathname = path;
let query: string | undefined;
const queryIndex = path.indexOf('?');
if (queryIndex !== -1) {
pathname = path.slice(0, queryIndex);
query = path.slice(queryIndex + 1);
}
try {
// Get request body if present
let requestBody: Buffer | undefined;
if (requestBodyLength > 0) {
requestBody = buffer.slice(bodyStartIndex, bodyStartIndex + requestBodyLength);
}
// Pause socket to prevent data loss during async processing
socket.pause();
// Remove the data listener since we're handling the request
socket.removeListener('data', handleHttpData);
// Build route context with parsed HTTP information
const context: IRouteContext = {
port: record.localPort,
domain: record.lockedDomain || headersMap['host']?.split(':')[0],
clientIp: record.remoteIP,
serverIp: socket.localAddress!,
path: pathname,
query: query,
headers: headersMap,
isTls: record.isTLS,
tlsVersion: record.tlsVersion,
routeName: route.name,
routeId: route.id,
timestamp: Date.now(),
connectionId,
};
// Since IRouteContext doesn't have a body property,
// we need an alternative approach to handle the body
let response;
if (requestBody) {
if (settings.enableDetailedLogging) {
logger.info(
`[${connectionId}] Processing request with body (${requestBody.length} bytes)`
);
}
// Pass the body as an additional parameter by extending the context object
// This is not type-safe, but it allows handlers that expect a body to work
const extendedContext = {
...context,
// Provide both raw buffer and string representation
requestBody: requestBody,
requestBodyText: requestBody.toString(),
method: method,
};
// Call the handler with the extended context
// The handler needs to know to look for the non-standard properties
response = await route.action.handler(extendedContext as any);
} else {
// Call the handler with the standard context
const extendedContext = {
...context,
method: method,
};
response = await route.action.handler(extendedContext as any);
}
// Prepare the HTTP response
const responseHeaders = response.headers || {};
const contentLength = Buffer.byteLength(response.body || '');
responseHeaders['Content-Length'] = contentLength.toString();
if (!responseHeaders['Content-Type']) {
responseHeaders['Content-Type'] = 'text/plain';
}
// Build the response
let httpResponse = `HTTP/1.1 ${response.status} ${getStatusText(response.status)}\r\n`;
for (const [key, value] of Object.entries(responseHeaders)) {
httpResponse += `${key}: ${value}\r\n`;
}
httpResponse += '\r\n';
// Send response
socket.write(httpResponse);
if (response.body) {
socket.write(response.body);
}
socket.end();
connectionManager.cleanupConnection(record, 'completed');
} catch (error) {
logger.error(`[${connectionId}] Error in static handler: ${error}`);
// Send error response
const errorResponse =
'HTTP/1.1 500 Internal Server Error\r\n' +
'Content-Type: text/plain\r\n' +
'Content-Length: 21\r\n' +
'\r\n' +
'Internal Server Error';
socket.write(errorResponse);
socket.end();
connectionManager.cleanupConnection(record, 'handler_error');
}
};
// Listen for data
socket.on('data', handleHttpData);
// Ensure cleanup on socket close
socket.once('close', () => {
socket.removeListener('data', handleHttpData);
});
}
}

582
ts/proxies/http-proxy/http-proxy.ts Normal file
View File

@ -0,0 +1,582 @@
import * as plugins from '../../plugins.js';
import {
createLogger,
RouteManager,
convertLegacyConfigToRouteConfig
} from './models/types.js';
import type {
IHttpProxyOptions,
ILogger,
IReverseProxyConfig
} from './models/types.js';
import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
import type { IRouteContext, IHttpRouteContext } from '../../core/models/route-context.js';
import { createBaseRouteContext } from '../../core/models/route-context.js';
import { CertificateManager } from './certificate-manager.js';
import { ConnectionPool } from './connection-pool.js';
import { RequestHandler, type IMetricsTracker } from './request-handler.js';
import { WebSocketHandler } from './websocket-handler.js';
import { ProxyRouter } from '../../routing/router/index.js';
import { RouteRouter } from '../../routing/router/route-router.js';
import { FunctionCache } from './function-cache.js';
/**
* HttpProxy provides a reverse proxy with TLS termination, WebSocket support,
* automatic certificate management, and high-performance connection pooling.
* Handles all HTTP/HTTPS traffic including redirects, ACME challenges, and static routes.
*/
export class HttpProxy implements IMetricsTracker {
// Provide a minimal JSON representation to avoid circular references during deep equality checks
public toJSON(): any {
return {};
}
// Configuration
public options: IHttpProxyOptions;
public routes: IRouteConfig[] = [];
// Server instances (HTTP/2 with HTTP/1 fallback)
public httpsServer: any;
// Core components
private certificateManager: CertificateManager;
private connectionPool: ConnectionPool;
private requestHandler: RequestHandler;
private webSocketHandler: WebSocketHandler;
private legacyRouter = new ProxyRouter(); // Legacy router for backward compatibility
private router = new RouteRouter(); // New modern router
private routeManager: RouteManager;
private functionCache: FunctionCache;
// State tracking
public socketMap = new plugins.lik.ObjectMap<plugins.net.Socket>();
public activeContexts: Set<string> = new Set();
public connectedClients: number = 0;
public startTime: number = 0;
public requestsServed: number = 0;
public failedRequests: number = 0;
// Tracking for SmartProxy integration
private portProxyConnections: number = 0;
private tlsTerminatedConnections: number = 0;
// Timers
private metricsInterval: NodeJS.Timeout;
private connectionPoolCleanupInterval: NodeJS.Timeout;
// Logger
private logger: ILogger;
/**
* Creates a new HttpProxy instance
*/
constructor(optionsArg: IHttpProxyOptions) {
// Set default options
this.options = {
port: optionsArg.port,
maxConnections: optionsArg.maxConnections || 10000,
keepAliveTimeout: optionsArg.keepAliveTimeout || 120000, // 2 minutes
headersTimeout: optionsArg.headersTimeout || 60000, // 1 minute
logLevel: optionsArg.logLevel || 'info',
cors: optionsArg.cors || {
allowOrigin: '*',
allowMethods: 'GET, POST, PUT, DELETE, OPTIONS',
allowHeaders: 'Content-Type, Authorization',
maxAge: 86400
},
// Defaults for SmartProxy integration
connectionPoolSize: optionsArg.connectionPoolSize || 50,
portProxyIntegration: optionsArg.portProxyIntegration || false,
useExternalPort80Handler: optionsArg.useExternalPort80Handler || false,
// Backend protocol (http1 or http2)
backendProtocol: optionsArg.backendProtocol || 'http1',
// Default ACME options
acme: {
enabled: optionsArg.acme?.enabled || false,
port: optionsArg.acme?.port || 80,
accountEmail: optionsArg.acme?.accountEmail || 'admin@example.com',
useProduction: optionsArg.acme?.useProduction || false, // Default to staging for safety
renewThresholdDays: optionsArg.acme?.renewThresholdDays || 30,
autoRenew: optionsArg.acme?.autoRenew !== false, // Default to true
certificateStore: optionsArg.acme?.certificateStore || './certs',
skipConfiguredCerts: optionsArg.acme?.skipConfiguredCerts || false
}
};
// Initialize logger
this.logger = createLogger(this.options.logLevel);
// Initialize route manager
this.routeManager = new RouteManager(this.logger);
// Initialize function cache
this.functionCache = new FunctionCache(this.logger, {
maxCacheSize: this.options.functionCacheSize || 1000,
defaultTtl: this.options.functionCacheTtl || 5000
});
// Initialize other components
this.certificateManager = new CertificateManager(this.options);
this.connectionPool = new ConnectionPool(this.options);
this.requestHandler = new RequestHandler(
this.options,
this.connectionPool,
this.legacyRouter, // Still use legacy router for backward compatibility
this.routeManager,
this.functionCache,
this.router // Pass the new modern router as well
);
this.webSocketHandler = new WebSocketHandler(
this.options,
this.connectionPool,
this.legacyRouter,
this.routes // Pass current routes to WebSocketHandler
);
// Connect request handler to this metrics tracker
this.requestHandler.setMetricsTracker(this);
// Initialize with any provided routes
if (this.options.routes && this.options.routes.length > 0) {
this.updateRouteConfigs(this.options.routes);
}
}
/**
* Implements IMetricsTracker interface to increment request counters
*/
public incrementRequestsServed(): void {
this.requestsServed++;
}
/**
* Implements IMetricsTracker interface to increment failed request counters
*/
public incrementFailedRequests(): void {
this.failedRequests++;
}
/**
* Returns the port number this HttpProxy is listening on
* Useful for SmartProxy to determine where to forward connections
*/
public getListeningPort(): number {
// If the server is running, get the actual listening port
if (this.httpsServer && this.httpsServer.address()) {
const address = this.httpsServer.address();
if (address && typeof address === 'object' && 'port' in address) {
return address.port;
}
}
// Fallback to configured port
return this.options.port;
}
/**
* Updates the server capacity settings
* @param maxConnections Maximum number of simultaneous connections
* @param keepAliveTimeout Keep-alive timeout in milliseconds
* @param connectionPoolSize Size of the connection pool per backend
*/
public updateCapacity(maxConnections?: number, keepAliveTimeout?: number, connectionPoolSize?: number): void {
if (maxConnections !== undefined) {
this.options.maxConnections = maxConnections;
this.logger.info(`Updated max connections to ${maxConnections}`);
}
if (keepAliveTimeout !== undefined) {
this.options.keepAliveTimeout = keepAliveTimeout;
if (this.httpsServer) {
this.httpsServer.keepAliveTimeout = keepAliveTimeout;
this.logger.info(`Updated keep-alive timeout to ${keepAliveTimeout}ms`);
}
}
if (connectionPoolSize !== undefined) {
this.options.connectionPoolSize = connectionPoolSize;
this.logger.info(`Updated connection pool size to ${connectionPoolSize}`);
// Clean up excess connections in the pool
this.connectionPool.cleanupConnectionPool();
}
}
/**
* Returns current server metrics
* Useful for SmartProxy to determine which HttpProxy to use for load balancing
*/
public getMetrics(): any {
return {
activeConnections: this.connectedClients,
totalRequests: this.requestsServed,
failedRequests: this.failedRequests,
portProxyConnections: this.portProxyConnections,
tlsTerminatedConnections: this.tlsTerminatedConnections,
connectionPoolSize: this.connectionPool.getPoolStatus(),
uptime: Math.floor((Date.now() - this.startTime) / 1000),
memoryUsage: process.memoryUsage(),
activeWebSockets: this.webSocketHandler.getConnectionInfo().activeConnections,
functionCache: this.functionCache.getStats()
};
}
/**
* Starts the proxy server
*/
public async start(): Promise<void> {
this.startTime = Date.now();
// Create HTTP/2 server with HTTP/1 fallback
this.httpsServer = plugins.http2.createSecureServer(
{
key: this.certificateManager.getDefaultCertificates().key,
cert: this.certificateManager.getDefaultCertificates().cert,
allowHTTP1: true,
ALPNProtocols: ['h2', 'http/1.1']
}
);
// Track raw TCP connections for metrics and limits
this.setupConnectionTracking();
// Handle incoming HTTP/2 streams
this.httpsServer.on('stream', (stream: any, headers: any) => {
this.requestHandler.handleHttp2(stream, headers);
});
// Handle HTTP/1.x fallback requests
this.httpsServer.on('request', (req: any, res: any) => {
this.requestHandler.handleRequest(req, res);
});
// Share server with certificate manager for dynamic contexts
this.certificateManager.setHttpsServer(this.httpsServer);
// Setup WebSocket support on HTTP/1 fallback
this.webSocketHandler.initialize(this.httpsServer);
// Start metrics logging
this.setupMetricsCollection();
// Start periodic connection pool cleanup
this.connectionPoolCleanupInterval = this.connectionPool.setupPeriodicCleanup();
// Start the server
return new Promise((resolve) => {
this.httpsServer.listen(this.options.port, () => {
this.logger.info(`HttpProxy started on port ${this.options.port}`);
resolve();
});
});
}
/**
* Sets up tracking of TCP connections
*/
private setupConnectionTracking(): void {
this.httpsServer.on('connection', (connection: plugins.net.Socket) => {
// Check if max connections reached
if (this.socketMap.getArray().length >= this.options.maxConnections) {
this.logger.warn(`Max connections (${this.options.maxConnections}) reached, rejecting new connection`);
connection.destroy();
return;
}
// Add connection to tracking
this.socketMap.add(connection);
this.connectedClients = this.socketMap.getArray().length;
// Check for connection from SmartProxy by inspecting the source port
const localPort = connection.localPort || 0;
const remotePort = connection.remotePort || 0;
// If this connection is from a SmartProxy (usually indicated by it coming from localhost)
if (this.options.portProxyIntegration && connection.remoteAddress?.includes('127.0.0.1')) {
this.portProxyConnections++;
this.logger.debug(`New connection from SmartProxy (local: ${localPort}, remote: ${remotePort})`);
} else {
this.logger.debug(`New direct connection (local: ${localPort}, remote: ${remotePort})`);
}
// Setup connection cleanup handlers
const cleanupConnection = () => {
if (this.socketMap.checkForObject(connection)) {
this.socketMap.remove(connection);
this.connectedClients = this.socketMap.getArray().length;
// If this was a SmartProxy connection, decrement the counter
if (this.options.portProxyIntegration && connection.remoteAddress?.includes('127.0.0.1')) {
this.portProxyConnections--;
}
this.logger.debug(`Connection closed. ${this.connectedClients} connections remaining`);
}
};
connection.on('close', cleanupConnection);
connection.on('error', (err) => {
this.logger.debug('Connection error', err);
cleanupConnection();
});
connection.on('end', cleanupConnection);
});
// Track TLS handshake completions
this.httpsServer.on('secureConnection', (tlsSocket) => {
this.tlsTerminatedConnections++;
this.logger.debug('TLS handshake completed, connection secured');
});
}
/**
* Sets up metrics collection
*/
private setupMetricsCollection(): void {
this.metricsInterval = setInterval(() => {
const uptime = Math.floor((Date.now() - this.startTime) / 1000);
const metrics = {
uptime,
activeConnections: this.connectedClients,
totalRequests: this.requestsServed,
failedRequests: this.failedRequests,
portProxyConnections: this.portProxyConnections,
tlsTerminatedConnections: this.tlsTerminatedConnections,
activeWebSockets: this.webSocketHandler.getConnectionInfo().activeConnections,
memoryUsage: process.memoryUsage(),
activeContexts: Array.from(this.activeContexts),
connectionPool: this.connectionPool.getPoolStatus()
};
this.logger.debug('Proxy metrics', metrics);
}, 60000); // Log metrics every minute
// Don't keep process alive just for metrics
if (this.metricsInterval.unref) {
this.metricsInterval.unref();
}
}
/**
* Updates the route configurations - this is the primary method for configuring HttpProxy
* @param routes The new route configurations to use
*/
public async updateRouteConfigs(routes: IRouteConfig[]): Promise<void> {
this.logger.info(`Updating route configurations (${routes.length} routes)`);
// Update routes in RouteManager, modern router, WebSocketHandler, and SecurityManager
this.routeManager.updateRoutes(routes);
this.router.setRoutes(routes);
this.webSocketHandler.setRoutes(routes);
this.requestHandler.securityManager.setRoutes(routes);
this.routes = routes;
// Directly update the certificate manager with the new routes
// This will extract domains and handle certificate provisioning
this.certificateManager.updateRoutes(routes);
// Collect all domains and certificates for configuration
const currentHostnames = new Set<string>();
const certificateUpdates = new Map<string, { cert: string, key: string }>();
// Process each route to extract domain and certificate information
for (const route of routes) {
// Skip non-forward routes or routes without domains
if (route.action.type !== 'forward' || !route.match.domains) {
continue;
}
// Get domains from route
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
// Process each domain
for (const domain of domains) {
// Skip wildcard domains for direct host configuration
if (domain.includes('*')) {
continue;
}
currentHostnames.add(domain);
// Check if we have a static certificate for this domain
if (route.action.tls?.certificate && route.action.tls.certificate !== 'auto') {
certificateUpdates.set(domain, {
cert: route.action.tls.certificate.cert,
key: route.action.tls.certificate.key
});
}
}
}
// Update certificate cache with any static certificates
for (const [domain, certData] of certificateUpdates.entries()) {
try {
this.certificateManager.updateCertificate(
domain,
certData.cert,
certData.key
);
this.activeContexts.add(domain);
} catch (error) {
this.logger.error(`Failed to add SSL context for ${domain}`, error);
}
}
// Clean up removed contexts
for (const hostname of this.activeContexts) {
if (!currentHostnames.has(hostname)) {
this.logger.info(`Hostname ${hostname} removed from configuration`);
this.activeContexts.delete(hostname);
}
}
// Create legacy proxy configs for the router
// This is only needed for backward compatibility with ProxyRouter
const defaultPort = 443; // Default port for HTTPS when using 'preserve'
// and will be removed in the future
const legacyConfigs: IReverseProxyConfig[] = [];
for (const domain of currentHostnames) {
// Find route for this domain
const route = routes.find(r => {
const domains = Array.isArray(r.match.domains) ? r.match.domains : [r.match.domains];
return domains.includes(domain);
});
if (!route || route.action.type !== 'forward' || !route.action.target) {
continue;
}
// Skip routes with function-based targets - we'll handle them during request processing
if (typeof route.action.target.host === 'function' || typeof route.action.target.port === 'function') {
this.logger.info(`Domain ${domain} uses function-based targets - will be handled at request time`);
continue;
}
// Extract static target information
const targetHosts = Array.isArray(route.action.target.host)
? route.action.target.host
: [route.action.target.host];
// Handle 'preserve' port value
const targetPort = route.action.target.port === 'preserve' ? defaultPort : route.action.target.port;
// Get certificate information
const certData = certificateUpdates.get(domain);
const defaultCerts = this.certificateManager.getDefaultCertificates();
legacyConfigs.push({
hostName: domain,
destinationIps: targetHosts,
destinationPorts: [targetPort],
privateKey: certData?.key || defaultCerts.key,
publicKey: certData?.cert || defaultCerts.cert
});
}
// Update the router with legacy configs
// Handle both old and new router interfaces
if (typeof this.router.setRoutes === 'function') {
this.router.setRoutes(routes);
} else if (typeof this.router.setNewProxyConfigs === 'function') {
this.router.setNewProxyConfigs(legacyConfigs);
} else {
this.logger.warn('Router has no recognized configuration method');
}
// Update WebSocket handler with new routes
this.webSocketHandler.setRoutes(routes);
this.logger.info(`Route configuration updated with ${routes.length} routes and ${legacyConfigs.length} proxy configs`);
}
// Legacy methods have been removed.
// Please use updateRouteConfigs() directly with modern route-based configuration.
/**
* Adds default headers to be included in all responses
*/
public async addDefaultHeaders(headersArg: { [key: string]: string }): Promise<void> {
this.logger.info('Adding default headers', headersArg);
this.requestHandler.setDefaultHeaders(headersArg);
}
/**
* Stops the proxy server
*/
public async stop(): Promise<void> {
this.logger.info('Stopping HttpProxy server');
// Clear intervals
if (this.metricsInterval) {
clearInterval(this.metricsInterval);
}
if (this.connectionPoolCleanupInterval) {
clearInterval(this.connectionPoolCleanupInterval);
}
// Stop WebSocket handler
this.webSocketHandler.shutdown();
// Close all tracked sockets
for (const socket of this.socketMap.getArray()) {
try {
socket.destroy();
} catch (error) {
this.logger.error('Error destroying socket', error);
}
}
// Close all connection pool connections
this.connectionPool.closeAllConnections();
// Certificate management cleanup is handled by SmartCertManager
// Close the HTTPS server
return new Promise((resolve) => {
this.httpsServer.close(() => {
this.logger.info('HttpProxy server stopped successfully');
resolve();
});
});
}
/**
* Requests a new certificate for a domain
* This can be used to manually trigger certificate issuance
* @param domain The domain to request a certificate for
* @returns A promise that resolves when the request is submitted (not when the certificate is issued)
*/
public async requestCertificate(domain: string): Promise<boolean> {
this.logger.warn('requestCertificate is deprecated - use SmartCertManager instead');
return false;
}
/**
* Update certificate for a domain
*
* This method allows direct updates of certificates from external sources
* like Port80Handler or custom certificate providers.
*
* @param domain The domain to update certificate for
* @param certificate The new certificate (public key)
* @param privateKey The new private key
* @param expiryDate Optional expiry date
*/
public updateCertificate(
domain: string,
certificate: string,
privateKey: string,
expiryDate?: Date
): void {
this.logger.info(`Updating certificate for ${domain}`);
this.certificateManager.updateCertificate(domain, certificate, privateKey);
}
/**
* Gets all route configurations currently in use
*/
public getRouteConfigs(): IRouteConfig[] {
return this.routeManager.getRoutes();
}
}

331
ts/proxies/http-proxy/http-request-handler.ts Normal file
View File

@ -0,0 +1,331 @@
import * as plugins from '../../plugins.js';
import '../../core/models/socket-augmentation.js';
import type { IHttpRouteContext, IRouteContext } from '../../core/models/route-context.js';
import type { ILogger } from './models/types.js';
import type { IMetricsTracker } from './request-handler.js';
import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
import { TemplateUtils } from '../../core/utils/template-utils.js';
/**
* HTTP Request Handler Helper - handles requests with specific destinations
* This is a helper class for the main RequestHandler
*/
export class HttpRequestHandler {
/**
* Handle HTTP request with a specific destination
*/
public static async handleHttpRequestWithDestination(
req: plugins.http.IncomingMessage,
res: plugins.http.ServerResponse,
destination: { host: string, port: number },
routeContext: IHttpRouteContext,
startTime: number,
logger: ILogger,
metricsTracker?: IMetricsTracker | null,
route?: IRouteConfig
): Promise<void> {
try {
// Apply URL rewriting if route config is provided
if (route) {
HttpRequestHandler.applyUrlRewriting(req, route, routeContext, logger);
HttpRequestHandler.applyRouteHeaderModifications(route, req, res, logger);
}
// Create options for the proxy request
const options: plugins.http.RequestOptions = {
hostname: destination.host,
port: destination.port,
path: req.url,
method: req.method,
headers: { ...req.headers }
};
// Optionally rewrite host header to match target
if (options.headers && 'host' in options.headers) {
// Only apply if host header rewrite is enabled or not explicitly disabled
const shouldRewriteHost = route?.action.options?.rewriteHostHeader !== false;
if (shouldRewriteHost) {
// Safely cast to OutgoingHttpHeaders to access host property
(options.headers as plugins.http.OutgoingHttpHeaders).host = `${destination.host}:${destination.port}`;
}
}
logger.debug(
`Proxying request to ${destination.host}:${destination.port}${req.url}`,
{ method: req.method }
);
// Create proxy request
const proxyReq = plugins.http.request(options, (proxyRes) => {
// Copy status code
res.statusCode = proxyRes.statusCode || 500;
// Copy headers from proxy response to client response
for (const [key, value] of Object.entries(proxyRes.headers)) {
if (value !== undefined) {
res.setHeader(key, value);
}
}
// Apply response header modifications if route config is provided
if (route && route.headers?.response) {
HttpRequestHandler.applyResponseHeaderModifications(route, res, logger, routeContext);
}
// Pipe proxy response to client response
proxyRes.pipe(res);
// Increment served requests counter when the response finishes
res.on('finish', () => {
if (metricsTracker) {
metricsTracker.incrementRequestsServed();
}
// Log the completed request
const duration = Date.now() - startTime;
logger.debug(
`Request completed in ${duration}ms: ${req.method} ${req.url} ${res.statusCode}`,
{ duration, statusCode: res.statusCode }
);
});
});
// Handle proxy request errors
proxyReq.on('error', (error) => {
const duration = Date.now() - startTime;
logger.error(
`Proxy error for ${req.method} ${req.url}: ${error.message}`,
{ duration, error: error.message }
);
// Increment failed requests counter
if (metricsTracker) {
metricsTracker.incrementFailedRequests();
}
// Check if headers have already been sent
if (!res.headersSent) {
res.statusCode = 502;
res.end(`Bad Gateway: ${error.message}`);
} else {
// If headers already sent, just close the connection
res.end();
}
});
// Pipe request body to proxy request and handle client-side errors
req.pipe(proxyReq);
// Handle client disconnection
req.on('error', (error) => {
logger.debug(`Client connection error: ${error.message}`);
proxyReq.destroy();
// Increment failed requests counter on client errors
if (metricsTracker) {
metricsTracker.incrementFailedRequests();
}
});
// Handle response errors
res.on('error', (error) => {
logger.debug(`Response error: ${error.message}`);
proxyReq.destroy();
// Increment failed requests counter on response errors
if (metricsTracker) {
metricsTracker.incrementFailedRequests();
}
});
} catch (error) {
// Handle any unexpected errors
logger.error(
`Unexpected error handling request: ${error.message}`,
{ error: error.stack }
);
// Increment failed requests counter
if (metricsTracker) {
metricsTracker.incrementFailedRequests();
}
if (!res.headersSent) {
res.statusCode = 500;
res.end('Internal Server Error');
} else {
res.end();
}
}
}
/**
* Apply URL rewriting based on route configuration
* Implements Phase 5.2: URL rewriting using route context
*
* @param req The request with the URL to rewrite
* @param route The route configuration containing rewrite rules
* @param routeContext Context for template variable resolution
* @param logger Logger for debugging information
* @returns True if URL was rewritten, false otherwise
*/
private static applyUrlRewriting(
req: plugins.http.IncomingMessage,
route: IRouteConfig,
routeContext: IHttpRouteContext,
logger: ILogger
): boolean {
// Check if route has URL rewriting configuration
if (!route.action.advanced?.urlRewrite) {
return false;
}
const rewriteConfig = route.action.advanced.urlRewrite;
// Store original URL for logging
const originalUrl = req.url;
if (rewriteConfig.pattern && rewriteConfig.target) {
try {
// Create a RegExp from the pattern with optional flags
const regex = new RegExp(rewriteConfig.pattern, rewriteConfig.flags || '');
// Apply rewriting with template variable resolution
let target = rewriteConfig.target;
// Replace template variables in target with values from context
target = TemplateUtils.resolveTemplateVariables(target, routeContext);
// If onlyRewritePath is set, split URL into path and query parts
if (rewriteConfig.onlyRewritePath && req.url) {
const [path, query] = req.url.split('?');
const rewrittenPath = path.replace(regex, target);
req.url = query ? `${rewrittenPath}?${query}` : rewrittenPath;
} else {
// Perform the replacement on the entire URL
req.url = req.url?.replace(regex, target);
}
logger.debug(`URL rewritten: ${originalUrl} -> ${req.url}`);
return true;
} catch (err) {
logger.error(`Error in URL rewriting: ${err}`);
return false;
}
}
return false;
}
/**
* Apply header modifications from route configuration to request headers
* Implements Phase 5.1: Route-based header manipulation for requests
*/
private static applyRouteHeaderModifications(
route: IRouteConfig,
req: plugins.http.IncomingMessage,
res: plugins.http.ServerResponse,
logger: ILogger
): void {
// Check if route has header modifications
if (!route.headers) {
return;
}
// Apply request header modifications (these will be sent to the backend)
if (route.headers.request && req.headers) {
// Create routing context for template resolution
const routeContext: IRouteContext = {
domain: req.headers.host as string || '',
path: req.url || '',
clientIp: req.socket.remoteAddress?.replace('::ffff:', '') || '',
serverIp: req.socket.localAddress?.replace('::ffff:', '') || '',
port: parseInt(req.socket.localPort?.toString() || '0', 10),
isTls: !!req.socket.encrypted,
headers: req.headers as Record<string, string>,
timestamp: Date.now(),
connectionId: `${Date.now()}-${Math.floor(Math.random() * 10000)}`,
};
for (const [key, value] of Object.entries(route.headers.request)) {
// Skip if header already exists and we're not overriding
if (req.headers[key.toLowerCase()] && !value.startsWith('!')) {
continue;
}
// Handle special delete directive (!delete)
if (value === '!delete') {
delete req.headers[key.toLowerCase()];
logger.debug(`Deleted request header: ${key}`);
continue;
}
// Handle forced override (!value)
let finalValue: string;
if (value.startsWith('!')) {
// Keep the ! but resolve any templates in the rest
const templateValue = value.substring(1);
finalValue = '!' + TemplateUtils.resolveTemplateVariables(templateValue, routeContext);
} else {
// Resolve templates in the entire value
finalValue = TemplateUtils.resolveTemplateVariables(value, routeContext);
}
// Set the header
req.headers[key.toLowerCase()] = finalValue;
logger.debug(`Modified request header: ${key}=${finalValue}`);
}
}
}
/**
* Apply header modifications from route configuration to response headers
* Implements Phase 5.1: Route-based header manipulation for responses
*/
private static applyResponseHeaderModifications(
route: IRouteConfig,
res: plugins.http.ServerResponse,
logger: ILogger,
routeContext?: IRouteContext
): void {
// Check if route has response header modifications
if (!route.headers?.response) {
return;
}
// Apply response header modifications
for (const [key, value] of Object.entries(route.headers.response)) {
// Skip if header already exists and we're not overriding
if (res.hasHeader(key) && !value.startsWith('!')) {
continue;
}
// Handle special delete directive (!delete)
if (value === '!delete') {
res.removeHeader(key);
logger.debug(`Deleted response header: ${key}`);
continue;
}
// Handle forced override (!value)
let finalValue: string;
if (value.startsWith('!') && value !== '!delete') {
// Keep the ! but resolve any templates in the rest
const templateValue = value.substring(1);
finalValue = routeContext
? '!' + TemplateUtils.resolveTemplateVariables(templateValue, routeContext)
: '!' + templateValue;
} else {
// Resolve templates in the entire value
finalValue = routeContext
? TemplateUtils.resolveTemplateVariables(value, routeContext)
: value;
}
// Set the header
res.setHeader(key, finalValue);
logger.debug(`Modified response header: ${key}=${finalValue}`);
}
}
// Template resolution is now handled by the TemplateUtils class
}

255
ts/proxies/http-proxy/http2-request-handler.ts Normal file
View File

@ -0,0 +1,255 @@
import * as plugins from '../../plugins.js';
import type { IHttpRouteContext } from '../../core/models/route-context.js';
import type { ILogger } from './models/types.js';
import type { IMetricsTracker } from './request-handler.js';
/**
* HTTP/2 Request Handler Helper - handles HTTP/2 streams with specific destinations
* This is a helper class for the main RequestHandler
*/
export class Http2RequestHandler {
/**
* Handle HTTP/2 stream with direct HTTP/2 backend
*/
public static async handleHttp2WithHttp2Destination(
stream: plugins.http2.ServerHttp2Stream,
headers: plugins.http2.IncomingHttpHeaders,
destination: { host: string, port: number },
routeContext: IHttpRouteContext,
sessions: Map<string, plugins.http2.ClientHttp2Session>,
logger: ILogger,
metricsTracker?: IMetricsTracker | null
): Promise<void> {
const key = `${destination.host}:${destination.port}`;
// Get or create a client HTTP/2 session
let session = sessions.get(key);
if (!session || session.closed || (session as any).destroyed) {
try {
// Connect to the backend HTTP/2 server
session = plugins.http2.connect(`http://${destination.host}:${destination.port}`);
sessions.set(key, session);
// Handle session errors and cleanup
session.on('error', (err) => {
logger.error(`HTTP/2 session error to ${key}: ${err.message}`);
sessions.delete(key);
});
session.on('close', () => {
logger.debug(`HTTP/2 session closed to ${key}`);
sessions.delete(key);
});
} catch (err) {
logger.error(`Failed to establish HTTP/2 session to ${key}: ${err.message}`);
stream.respond({ ':status': 502 });
stream.end('Bad Gateway: Failed to establish connection to backend');
if (metricsTracker) metricsTracker.incrementFailedRequests();
return;
}
}
try {
// Build headers for backend HTTP/2 request
const h2Headers: Record<string, any> = {
':method': headers[':method'],
':path': headers[':path'],
':authority': `${destination.host}:${destination.port}`
};
// Copy other headers, excluding pseudo-headers
for (const [key, value] of Object.entries(headers)) {
if (!key.startsWith(':') && typeof value === 'string') {
h2Headers[key] = value;
}
}
logger.debug(
`Proxying HTTP/2 request to ${destination.host}:${destination.port}${headers[':path']}`,
{ method: headers[':method'] }
);
// Create HTTP/2 request stream to the backend
const h2Stream = session.request(h2Headers);
// Pipe client stream to backend stream
stream.pipe(h2Stream);
// Handle responses from the backend
h2Stream.on('response', (responseHeaders) => {
// Map status and headers to client response
const resp: Record<string, any> = {
':status': responseHeaders[':status'] as number
};
// Copy non-pseudo headers
for (const [key, value] of Object.entries(responseHeaders)) {
if (!key.startsWith(':') && value !== undefined) {
resp[key] = value;
}
}
// Send headers to client
stream.respond(resp);
// Pipe backend response to client
h2Stream.pipe(stream);
// Track successful requests
stream.on('end', () => {
if (metricsTracker) metricsTracker.incrementRequestsServed();
logger.debug(
`HTTP/2 request completed: ${headers[':method']} ${headers[':path']} ${responseHeaders[':status']}`,
{ method: headers[':method'], status: responseHeaders[':status'] }
);
});
});
// Handle backend errors
h2Stream.on('error', (err) => {
logger.error(`HTTP/2 stream error: ${err.message}`);
// Only send error response if headers haven't been sent
if (!stream.headersSent) {
stream.respond({ ':status': 502 });
stream.end(`Bad Gateway: ${err.message}`);
} else {
stream.end();
}
if (metricsTracker) metricsTracker.incrementFailedRequests();
});
// Handle client stream errors
stream.on('error', (err) => {
logger.debug(`Client HTTP/2 stream error: ${err.message}`);
h2Stream.destroy();
if (metricsTracker) metricsTracker.incrementFailedRequests();
});
} catch (err: any) {
logger.error(`Error handling HTTP/2 request: ${err.message}`);
// Only send error response if headers haven't been sent
if (!stream.headersSent) {
stream.respond({ ':status': 500 });
stream.end('Internal Server Error');
} else {
stream.end();
}
if (metricsTracker) metricsTracker.incrementFailedRequests();
}
}
/**
* Handle HTTP/2 stream with HTTP/1 backend
*/
public static async handleHttp2WithHttp1Destination(
stream: plugins.http2.ServerHttp2Stream,
headers: plugins.http2.IncomingHttpHeaders,
destination: { host: string, port: number },
routeContext: IHttpRouteContext,
logger: ILogger,
metricsTracker?: IMetricsTracker | null
): Promise<void> {
try {
// Build headers for HTTP/1 proxy request, excluding HTTP/2 pseudo-headers
const outboundHeaders: Record<string, string> = {};
for (const [key, value] of Object.entries(headers)) {
if (typeof key === 'string' && typeof value === 'string' && !key.startsWith(':')) {
outboundHeaders[key] = value;
}
}
// Always rewrite host header to match target
outboundHeaders.host = `${destination.host}:${destination.port}`;
logger.debug(
`Proxying HTTP/2 request to HTTP/1 backend ${destination.host}:${destination.port}${headers[':path']}`,
{ method: headers[':method'] }
);
// Create HTTP/1 proxy request
const proxyReq = plugins.http.request(
{
hostname: destination.host,
port: destination.port,
path: headers[':path'] as string,
method: headers[':method'] as string,
headers: outboundHeaders
},
(proxyRes) => {
// Map status and headers back to HTTP/2
const responseHeaders: Record<string, number | string | string[]> = {
':status': proxyRes.statusCode || 500
};
// Copy headers from HTTP/1 response to HTTP/2 response
for (const [key, value] of Object.entries(proxyRes.headers)) {
if (value !== undefined) {
responseHeaders[key] = value as string | string[];
}
}
// Send headers to client
stream.respond(responseHeaders);
// Pipe HTTP/1 response to HTTP/2 stream
proxyRes.pipe(stream);
// Clean up when client disconnects
stream.on('close', () => proxyReq.destroy());
stream.on('error', () => proxyReq.destroy());
// Track successful requests
stream.on('end', () => {
if (metricsTracker) metricsTracker.incrementRequestsServed();
logger.debug(
`HTTP/2 to HTTP/1 request completed: ${headers[':method']} ${headers[':path']} ${proxyRes.statusCode}`,
{ method: headers[':method'], status: proxyRes.statusCode }
);
});
}
);
// Handle proxy request errors
proxyReq.on('error', (err) => {
logger.error(`HTTP/1 proxy error: ${err.message}`);
// Only send error response if headers haven't been sent
if (!stream.headersSent) {
stream.respond({ ':status': 502 });
stream.end(`Bad Gateway: ${err.message}`);
} else {
stream.end();
}
if (metricsTracker) metricsTracker.incrementFailedRequests();
});
// Pipe client stream to proxy request
stream.pipe(proxyReq);
// Handle client stream errors
stream.on('error', (err) => {
logger.debug(`Client HTTP/2 stream error: ${err.message}`);
proxyReq.destroy();
if (metricsTracker) metricsTracker.incrementFailedRequests();
});
} catch (err: any) {
logger.error(`Error handling HTTP/2 to HTTP/1 request: ${err.message}`);
// Only send error response if headers haven't been sent
if (!stream.headersSent) {
stream.respond({ ':status': 500 });
stream.end('Internal Server Error');
} else {
stream.end();
}
if (metricsTracker) metricsTracker.incrementFailedRequests();
}
}
}

13
ts/proxies/http-proxy/index.ts Normal file
View File

@ -0,0 +1,13 @@
/**
* HttpProxy implementation
*/
// Re-export models
export * from './models/index.js';
// Export HttpProxy and supporting classes
export { HttpProxy } from './http-proxy.js';
export { CertificateManager } from './certificate-manager.js';
export { ConnectionPool } from './connection-pool.js';
export { RequestHandler } from './request-handler.js';
export type { IMetricsTracker, MetricsTracker } from './request-handler.js';
export { WebSocketHandler } from './websocket-handler.js';

165
ts/proxies/http-proxy/models/http-types.ts Normal file
View File

@ -0,0 +1,165 @@
import * as plugins from '../../../plugins.js';
/**
* HTTP-specific event types
*/
export enum HttpEvents {
REQUEST_RECEIVED = 'request-received',
REQUEST_FORWARDED = 'request-forwarded',
REQUEST_HANDLED = 'request-handled',
REQUEST_ERROR = 'request-error',
}
/**
* HTTP status codes as an enum for better type safety
*/
export enum HttpStatus {
OK = 200,
MOVED_PERMANENTLY = 301,
FOUND = 302,
TEMPORARY_REDIRECT = 307,
PERMANENT_REDIRECT = 308,
BAD_REQUEST = 400,
UNAUTHORIZED = 401,
FORBIDDEN = 403,
NOT_FOUND = 404,
METHOD_NOT_ALLOWED = 405,
REQUEST_TIMEOUT = 408,
TOO_MANY_REQUESTS = 429,
INTERNAL_SERVER_ERROR = 500,
NOT_IMPLEMENTED = 501,
BAD_GATEWAY = 502,
SERVICE_UNAVAILABLE = 503,
GATEWAY_TIMEOUT = 504,
}
/**
* Base error class for HTTP-related errors
*/
export class HttpError extends Error {
constructor(message: string, public readonly statusCode: HttpStatus = HttpStatus.INTERNAL_SERVER_ERROR) {
super(message);
this.name = 'HttpError';
}
}
/**
* Error related to certificate operations
*/
export class CertificateError extends HttpError {
constructor(
message: string,
public readonly domain: string,
public readonly isRenewal: boolean = false
) {
super(`${message} for domain ${domain}${isRenewal ? ' (renewal)' : ''}`, HttpStatus.INTERNAL_SERVER_ERROR);
this.name = 'CertificateError';
}
}
/**
* Error related to server operations
*/
export class ServerError extends HttpError {
constructor(message: string, public readonly code?: string, statusCode: HttpStatus = HttpStatus.INTERNAL_SERVER_ERROR) {
super(message, statusCode);
this.name = 'ServerError';
}
}
/**
* Error for bad requests
*/
export class BadRequestError extends HttpError {
constructor(message: string) {
super(message, HttpStatus.BAD_REQUEST);
this.name = 'BadRequestError';
}
}
/**
* Error for not found resources
*/
export class NotFoundError extends HttpError {
constructor(message: string = 'Resource not found') {
super(message, HttpStatus.NOT_FOUND);
this.name = 'NotFoundError';
}
}
/**
* Redirect configuration for HTTP requests
*/
export interface IRedirectConfig {
source: string; // Source path or pattern
destination: string; // Destination URL
type: HttpStatus; // Redirect status code
preserveQuery?: boolean; // Whether to preserve query parameters
}
/**
* HTTP router configuration
*/
export interface IRouterConfig {
routes: Array<{
path: string;
method?: string;
handler: (req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse) => void | Promise<void>;
}>;
notFoundHandler?: (req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse) => void;
errorHandler?: (error: Error, req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse) => void;
}
/**
* HTTP request method types
*/
export type HttpMethod = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS' | 'CONNECT' | 'TRACE';
/**
* Helper function to get HTTP status text
*/
export function getStatusText(status: HttpStatus): string {
const statusTexts: Record<HttpStatus, string> = {
[HttpStatus.OK]: 'OK',
[HttpStatus.MOVED_PERMANENTLY]: 'Moved Permanently',
[HttpStatus.FOUND]: 'Found',
[HttpStatus.TEMPORARY_REDIRECT]: 'Temporary Redirect',
[HttpStatus.PERMANENT_REDIRECT]: 'Permanent Redirect',
[HttpStatus.BAD_REQUEST]: 'Bad Request',
[HttpStatus.UNAUTHORIZED]: 'Unauthorized',
[HttpStatus.FORBIDDEN]: 'Forbidden',
[HttpStatus.NOT_FOUND]: 'Not Found',
[HttpStatus.METHOD_NOT_ALLOWED]: 'Method Not Allowed',
[HttpStatus.REQUEST_TIMEOUT]: 'Request Timeout',
[HttpStatus.TOO_MANY_REQUESTS]: 'Too Many Requests',
[HttpStatus.INTERNAL_SERVER_ERROR]: 'Internal Server Error',
[HttpStatus.NOT_IMPLEMENTED]: 'Not Implemented',
[HttpStatus.BAD_GATEWAY]: 'Bad Gateway',
[HttpStatus.SERVICE_UNAVAILABLE]: 'Service Unavailable',
[HttpStatus.GATEWAY_TIMEOUT]: 'Gateway Timeout',
};
return statusTexts[status] || 'Unknown';
}
// Legacy interfaces for backward compatibility
export interface IDomainOptions {
domainName: string;
sslRedirect: boolean;
acmeMaintenance: boolean;
forward?: { ip: string; port: number };
acmeForward?: { ip: string; port: number };
}
export interface IDomainCertificate {
options: IDomainOptions;
certObtained: boolean;
obtainingInProgress: boolean;
certificate?: string;
privateKey?: string;
expiryDate?: Date;
lastRenewalAttempt?: Date;
}
// Backward compatibility exports
export { HttpError as Port80HandlerError };
export { CertificateError as CertError };

5
ts/proxies/http-proxy/models/index.ts Normal file
View File

@ -0,0 +1,5 @@
/**
* HttpProxy models
*/
export * from './types.js';
export * from './http-types.js';

445
ts/proxies/http-proxy/models/types.ts Normal file
View File

@ -0,0 +1,445 @@
import * as plugins from '../../../plugins.js';
// Certificate types removed - define IAcmeOptions locally
export interface IAcmeOptions {
enabled: boolean;
email?: string;
accountEmail?: string;
port?: number;
certificateStore?: string;
environment?: 'production' | 'staging';
useProduction?: boolean;
renewThresholdDays?: number;
autoRenew?: boolean;
skipConfiguredCerts?: boolean;
}
import type { IRouteConfig } from '../../smart-proxy/models/route-types.js';
import type { IRouteContext } from '../../../core/models/route-context.js';
/**
* Configuration options for HttpProxy
*/
export interface IHttpProxyOptions {
port: number;
maxConnections?: number;
keepAliveTimeout?: number;
headersTimeout?: number;
logLevel?: 'error' | 'warn' | 'info' | 'debug';
cors?: {
allowOrigin?: string;
allowMethods?: string;
allowHeaders?: string;
maxAge?: number;
};
// Settings for SmartProxy integration
connectionPoolSize?: number; // Maximum connections to maintain in the pool to each backend
portProxyIntegration?: boolean; // Flag to indicate this proxy is used by SmartProxy
useExternalPort80Handler?: boolean; // @deprecated - use SmartCertManager instead
// Protocol to use when proxying to backends: HTTP/1.x or HTTP/2
backendProtocol?: 'http1' | 'http2';
// Function cache options
functionCacheSize?: number; // Maximum number of cached function results (default: 1000)
functionCacheTtl?: number; // Time to live for cached function results in ms (default: 5000)
// ACME certificate management options
acme?: IAcmeOptions;
// Direct route configurations
routes?: IRouteConfig[];
}
/**
* Interface for a certificate entry in the cache
*/
export interface ICertificateEntry {
key: string;
cert: string;
expires?: Date;
}
/**
* @deprecated Use IRouteConfig instead. This interface will be removed in a future release.
*
* IMPORTANT: This is a legacy interface maintained only for backward compatibility.
* New code should use IRouteConfig for all configuration purposes.
*
* @see IRouteConfig for the modern, recommended configuration format
*/
export interface IReverseProxyConfig {
/** Target hostnames/IPs to proxy requests to */
destinationIps: string[];
/** Target ports to proxy requests to */
destinationPorts: number[];
/** Hostname to match for routing */
hostName: string;
/** SSL private key for this host (PEM format) */
privateKey: string;
/** SSL public key/certificate for this host (PEM format) */
publicKey: string;
/** Basic authentication configuration */
authentication?: {
type: 'Basic';
user: string;
pass: string;
};
/** Whether to rewrite the Host header to match the target */
rewriteHostHeader?: boolean;
/**
* Protocol to use when proxying to this backend: 'http1' or 'http2'.
* Overrides the global backendProtocol option if set.
*/
backendProtocol?: 'http1' | 'http2';
}
/**
* Convert a legacy IReverseProxyConfig to the modern IRouteConfig format
*
* @deprecated This function is maintained for backward compatibility.
* New code should create IRouteConfig objects directly.
*
* @param legacyConfig The legacy configuration to convert
* @param proxyPort The port the proxy listens on
* @returns A modern route configuration equivalent to the legacy config
*/
export function convertLegacyConfigToRouteConfig(
legacyConfig: IReverseProxyConfig,
proxyPort: number
): IRouteConfig {
// Create basic route configuration
const routeConfig: IRouteConfig = {
// Match properties
match: {
ports: proxyPort,
domains: legacyConfig.hostName
},
// Action properties
action: {
type: 'forward',
target: {
host: legacyConfig.destinationIps,
port: legacyConfig.destinationPorts[0]
},
// TLS mode is always 'terminate' for legacy configs
tls: {
mode: 'terminate',
certificate: {
key: legacyConfig.privateKey,
cert: legacyConfig.publicKey
}
},
// Advanced options
advanced: {
// Rewrite host header if specified
headers: legacyConfig.rewriteHostHeader ? { 'host': '{domain}' } : {}
}
},
// Metadata
name: `Legacy Config - ${legacyConfig.hostName}`,
priority: 0, // Default priority
enabled: true
};
// Add authentication if present
if (legacyConfig.authentication) {
routeConfig.action.security = {
authentication: {
type: 'basic',
credentials: [{
username: legacyConfig.authentication.user,
password: legacyConfig.authentication.pass
}]
}
};
}
// Add backend protocol if specified
if (legacyConfig.backendProtocol) {
if (!routeConfig.action.options) {
routeConfig.action.options = {};
}
routeConfig.action.options.backendProtocol = legacyConfig.backendProtocol;
}
return routeConfig;
}
/**
* Route manager for NetworkProxy
* Handles route matching and configuration
*/
export class RouteManager {
private routes: IRouteConfig[] = [];
private logger: ILogger;
constructor(logger: ILogger) {
this.logger = logger;
}
/**
* Update the routes configuration
*/
public updateRoutes(routes: IRouteConfig[]): void {
// Sort routes by priority (higher first)
this.routes = [...routes].sort((a, b) => {
const priorityA = a.priority ?? 0;
const priorityB = b.priority ?? 0;
return priorityB - priorityA;
});
this.logger.info(`Updated RouteManager with ${this.routes.length} routes`);
}
/**
* Get all routes
*/
public getRoutes(): IRouteConfig[] {
return [...this.routes];
}
/**
* Find the first matching route for a context
*/
public findMatchingRoute(context: IRouteContext): IRouteConfig | null {
for (const route of this.routes) {
if (this.matchesRoute(route, context)) {
return route;
}
}
return null;
}
/**
* Check if a route matches the given context
*/
private matchesRoute(route: IRouteConfig, context: IRouteContext): boolean {
// Skip disabled routes
if (route.enabled === false) {
return false;
}
// Check domain match if specified
if (route.match.domains && context.domain) {
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
if (!domains.some(domainPattern => this.matchDomain(domainPattern, context.domain!))) {
return false;
}
}
// Check path match if specified
if (route.match.path && context.path) {
if (!this.matchPath(route.match.path, context.path)) {
return false;
}
}
// Check client IP match if specified
if (route.match.clientIp && context.clientIp) {
if (!route.match.clientIp.some(ip => this.matchIp(ip, context.clientIp))) {
return false;
}
}
// Check TLS version match if specified
if (route.match.tlsVersion && context.tlsVersion) {
if (!route.match.tlsVersion.includes(context.tlsVersion)) {
return false;
}
}
// All criteria matched
return true;
}
/**
* Match a domain pattern against a domain
*/
private matchDomain(pattern: string, domain: string): boolean {
if (pattern === domain) {
return true;
}
if (pattern.includes('*')) {
const regexPattern = pattern
.replace(/\./g, '\\.')
.replace(/\*/g, '.*');
const regex = new RegExp(`^${regexPattern}$`, 'i');
return regex.test(domain);
}
return false;
}
/**
* Match a path pattern against a path
*/
private matchPath(pattern: string, path: string): boolean {
if (pattern === path) {
return true;
}
if (pattern.endsWith('*')) {
const prefix = pattern.slice(0, -1);
return path.startsWith(prefix);
}
return false;
}
/**
* Match an IP pattern against an IP
* Supports exact matches, wildcard patterns, and CIDR notation
*/
private matchIp(pattern: string, ip: string): boolean {
// Exact match
if (pattern === ip) {
return true;
}
// Wildcard matching (e.g., 192.168.0.*)
if (pattern.includes('*')) {
const regexPattern = pattern
.replace(/\./g, '\\.')
.replace(/\*/g, '.*');
const regex = new RegExp(`^${regexPattern}$`);
return regex.test(ip);
}
// CIDR matching (e.g., 192.168.0.0/24)
if (pattern.includes('/')) {
try {
const [subnet, bits] = pattern.split('/');
// Convert IP addresses to numeric format for comparison
const ipBinary = this.ipToBinary(ip);
const subnetBinary = this.ipToBinary(subnet);
if (!ipBinary || !subnetBinary) {
return false;
}
// Get the subnet mask from CIDR notation
const mask = parseInt(bits, 10);
if (isNaN(mask) || mask < 0 || mask > 32) {
return false;
}
// Check if the first 'mask' bits match between IP and subnet
return ipBinary.slice(0, mask) === subnetBinary.slice(0, mask);
} catch (error) {
// If we encounter any error during CIDR matching, return false
return false;
}
}
return false;
}
/**
* Convert an IP address to its binary representation
* @param ip The IP address to convert
* @returns Binary string representation or null if invalid
*/
private ipToBinary(ip: string): string | null {
// Handle IPv4 addresses only for now
const parts = ip.split('.');
// Validate IP format
if (parts.length !== 4) {
return null;
}
// Convert each octet to 8-bit binary and concatenate
try {
return parts
.map(part => {
const num = parseInt(part, 10);
if (isNaN(num) || num < 0 || num > 255) {
throw new Error('Invalid IP octet');
}
return num.toString(2).padStart(8, '0');
})
.join('');
} catch (error) {
return null;
}
}
}
/**
* Interface for connection tracking in the pool
*/
export interface IConnectionEntry {
socket: plugins.net.Socket;
lastUsed: number;
isIdle: boolean;
}
/**
* WebSocket with heartbeat interface
*/
export interface IWebSocketWithHeartbeat extends plugins.wsDefault {
lastPong: number;
isAlive: boolean;
}
/**
* Logger interface for consistent logging across components
*/
export interface ILogger {
debug(message: string, data?: any): void;
info(message: string, data?: any): void;
warn(message: string, data?: any): void;
error(message: string, data?: any): void;
}
/**
* Creates a logger based on the specified log level
*/
export function createLogger(logLevel: string = 'info'): ILogger {
const logLevels = {
error: 0,
warn: 1,
info: 2,
debug: 3
};
return {
debug: (message: string, data?: any) => {
if (logLevels[logLevel] >= logLevels.debug) {
console.log(`[DEBUG] ${message}`, data || '');
}
},
info: (message: string, data?: any) => {
if (logLevels[logLevel] >= logLevels.info) {
console.log(`[INFO] ${message}`, data || '');
}
},
warn: (message: string, data?: any) => {
if (logLevels[logLevel] >= logLevels.warn) {
console.warn(`[WARN] ${message}`, data || '');
}
},
error: (message: string, data?: any) => {
if (logLevels[logLevel] >= logLevels.error) {
console.error(`[ERROR] ${message}`, data || '');
}
}
};
}

915
ts/proxies/http-proxy/request-handler.ts Normal file
View File

@ -0,0 +1,915 @@
import * as plugins from '../../plugins.js';
import '../../core/models/socket-augmentation.js';
import {
type IHttpProxyOptions,
type ILogger,
createLogger,
type IReverseProxyConfig,
RouteManager
} from './models/types.js';
import { ConnectionPool } from './connection-pool.js';
import { ProxyRouter } from '../../routing/router/index.js';
import { ContextCreator } from './context-creator.js';
import { HttpRequestHandler } from './http-request-handler.js';
import { Http2RequestHandler } from './http2-request-handler.js';
import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
import type { IRouteContext, IHttpRouteContext } from '../../core/models/route-context.js';
import { toBaseContext } from '../../core/models/route-context.js';
import { TemplateUtils } from '../../core/utils/template-utils.js';
import { SecurityManager } from './security-manager.js';
/**
* Interface for tracking metrics
*/
export interface IMetricsTracker {
incrementRequestsServed(): void;
incrementFailedRequests(): void;
}
// Backward compatibility
export type MetricsTracker = IMetricsTracker;
/**
* Handles HTTP request processing and proxying
*/
export class RequestHandler {
private defaultHeaders: { [key: string]: string } = {};
private logger: ILogger;
private metricsTracker: IMetricsTracker | null = null;
// HTTP/2 client sessions for backend proxying
private h2Sessions: Map<string, plugins.http2.ClientHttp2Session> = new Map();
// Context creator for route contexts
private contextCreator: ContextCreator = new ContextCreator();
// Security manager for IP filtering, rate limiting, etc.
public securityManager: SecurityManager;
constructor(
private options: IHttpProxyOptions,
private connectionPool: ConnectionPool,
private legacyRouter: ProxyRouter, // Legacy router for backward compatibility
private routeManager?: RouteManager,
private functionCache?: any, // FunctionCache - using any to avoid circular dependency
private router?: any // RouteRouter - using any to avoid circular dependency
) {
this.logger = createLogger(options.logLevel || 'info');
this.securityManager = new SecurityManager(this.logger);
// Schedule rate limit cleanup every minute
setInterval(() => {
this.securityManager.cleanupExpiredRateLimits();
}, 60000);
}
/**
* Set the route manager instance
*/
public setRouteManager(routeManager: RouteManager): void {
this.routeManager = routeManager;
}
/**
* Set the metrics tracker instance
*/
public setMetricsTracker(tracker: IMetricsTracker): void {
this.metricsTracker = tracker;
}
/**
* Set default headers to be included in all responses
*/
public setDefaultHeaders(headers: { [key: string]: string }): void {
this.defaultHeaders = {
...this.defaultHeaders,
...headers
};
this.logger.info('Updated default response headers');
}
/**
* Get all default headers
*/
public getDefaultHeaders(): { [key: string]: string } {
return { ...this.defaultHeaders };
}
/**
* Apply CORS headers to response if configured
* Implements Phase 5.5: Context-aware CORS handling
*
* @param res The server response to apply headers to
* @param req The incoming request
* @param route Optional route config with CORS settings
*/
private applyCorsHeaders(
res: plugins.http.ServerResponse,
req: plugins.http.IncomingMessage,
route?: IRouteConfig
): void {
// Use route-specific CORS config if available, otherwise use global config
let corsConfig: any = null;
// Route CORS config takes precedence if enabled
if (route?.headers?.cors?.enabled) {
corsConfig = route.headers.cors;
this.logger.debug(`Using route-specific CORS config for ${route.name || 'unnamed route'}`);
}
// Fall back to global CORS config if available
else if (this.options.cors) {
corsConfig = this.options.cors;
this.logger.debug('Using global CORS config');
}
// If no CORS config available, skip
if (!corsConfig) {
return;
}
// Get origin from request
const origin = req.headers.origin;
// Apply Allow-Origin (with dynamic validation if needed)
if (corsConfig.allowOrigin) {
// Handle multiple origins in array format
if (Array.isArray(corsConfig.allowOrigin)) {
if (origin && corsConfig.allowOrigin.includes(origin)) {
// Match found, set specific origin
res.setHeader('Access-Control-Allow-Origin', origin);
res.setHeader('Vary', 'Origin'); // Important for caching
} else if (corsConfig.allowOrigin.includes('*')) {
// Wildcard match
res.setHeader('Access-Control-Allow-Origin', '*');
}
}
// Handle single origin or wildcard
else if (corsConfig.allowOrigin === '*') {
res.setHeader('Access-Control-Allow-Origin', '*');
}
// Match single origin against request
else if (origin && corsConfig.allowOrigin === origin) {
res.setHeader('Access-Control-Allow-Origin', origin);
res.setHeader('Vary', 'Origin');
}
// Use template variables if present
else if (origin && corsConfig.allowOrigin.includes('{')) {
const resolvedOrigin = TemplateUtils.resolveTemplateVariables(
corsConfig.allowOrigin,
{ domain: req.headers.host } as any
);
if (resolvedOrigin === origin || resolvedOrigin === '*') {
res.setHeader('Access-Control-Allow-Origin', origin);
res.setHeader('Vary', 'Origin');
}
}
}
// Apply other CORS headers
if (corsConfig.allowMethods) {
res.setHeader('Access-Control-Allow-Methods', corsConfig.allowMethods);
}
if (corsConfig.allowHeaders) {
res.setHeader('Access-Control-Allow-Headers', corsConfig.allowHeaders);
}
if (corsConfig.allowCredentials) {
res.setHeader('Access-Control-Allow-Credentials', 'true');
}
if (corsConfig.exposeHeaders) {
res.setHeader('Access-Control-Expose-Headers', corsConfig.exposeHeaders);
}
if (corsConfig.maxAge) {
res.setHeader('Access-Control-Max-Age', corsConfig.maxAge.toString());
}
// Handle CORS preflight requests if enabled (default: true)
if (req.method === 'OPTIONS' && corsConfig.preflight !== false) {
res.statusCode = 204; // No content
res.end();
return;
}
}
// First implementation of applyRouteHeaderModifications moved to the second implementation below
/**
* Apply default headers to response
*/
private applyDefaultHeaders(res: plugins.http.ServerResponse): void {
// Apply default headers
for (const [key, value] of Object.entries(this.defaultHeaders)) {
if (!res.hasHeader(key)) {
res.setHeader(key, value);
}
}
// Add server identifier if not already set
if (!res.hasHeader('Server')) {
res.setHeader('Server', 'NetworkProxy');
}
}
/**
* Apply URL rewriting based on route configuration
* Implements Phase 5.2: URL rewriting using route context
*
* @param req The request with the URL to rewrite
* @param route The route configuration containing rewrite rules
* @param routeContext Context for template variable resolution
* @returns True if URL was rewritten, false otherwise
*/
private applyUrlRewriting(
req: plugins.http.IncomingMessage,
route: IRouteConfig,
routeContext: IHttpRouteContext
): boolean {
// Check if route has URL rewriting configuration
if (!route.action.advanced?.urlRewrite) {
return false;
}
const rewriteConfig = route.action.advanced.urlRewrite;
// Store original URL for logging
const originalUrl = req.url;
if (rewriteConfig.pattern && rewriteConfig.target) {
try {
// Create a RegExp from the pattern
const regex = new RegExp(rewriteConfig.pattern, rewriteConfig.flags || '');
// Apply rewriting with template variable resolution
let target = rewriteConfig.target;
// Replace template variables in target with values from context
target = TemplateUtils.resolveTemplateVariables(target, routeContext);
// If onlyRewritePath is set, split URL into path and query parts
if (rewriteConfig.onlyRewritePath && req.url) {
const [path, query] = req.url.split('?');
const rewrittenPath = path.replace(regex, target);
req.url = query ? `${rewrittenPath}?${query}` : rewrittenPath;
} else {
// Perform the replacement on the entire URL
req.url = req.url?.replace(regex, target);
}
this.logger.debug(`URL rewritten: ${originalUrl} -> ${req.url}`);
return true;
} catch (err) {
this.logger.error(`Error in URL rewriting: ${err}`);
return false;
}
}
return false;
}
/**
* Apply header modifications from route configuration
* Implements Phase 5.1: Route-based header manipulation
*/
private applyRouteHeaderModifications(
route: IRouteConfig,
req: plugins.http.IncomingMessage,
res: plugins.http.ServerResponse
): void {
// Check if route has header modifications
if (!route.headers) {
return;
}
// Apply request header modifications (these will be sent to the backend)
if (route.headers.request && req.headers) {
for (const [key, value] of Object.entries(route.headers.request)) {
// Skip if header already exists and we're not overriding
if (req.headers[key.toLowerCase()] && !value.startsWith('!')) {
continue;
}
// Handle special delete directive (!delete)
if (value === '!delete') {
delete req.headers[key.toLowerCase()];
this.logger.debug(`Deleted request header: ${key}`);
continue;
}
// Handle forced override (!value)
let finalValue: string;
if (value.startsWith('!') && value !== '!delete') {
// Keep the ! but resolve any templates in the rest
const templateValue = value.substring(1);
finalValue = '!' + TemplateUtils.resolveTemplateVariables(templateValue, {} as IRouteContext);
} else {
// Resolve templates in the entire value
finalValue = TemplateUtils.resolveTemplateVariables(value, {} as IRouteContext);
}
// Set the header
req.headers[key.toLowerCase()] = finalValue;
this.logger.debug(`Modified request header: ${key}=${finalValue}`);
}
}
// Apply response header modifications (these will be stored for later use)
if (route.headers.response) {
for (const [key, value] of Object.entries(route.headers.response)) {
// Skip if header already exists and we're not overriding
if (res.hasHeader(key) && !value.startsWith('!')) {
continue;
}
// Handle special delete directive (!delete)
if (value === '!delete') {
res.removeHeader(key);
this.logger.debug(`Deleted response header: ${key}`);
continue;
}
// Handle forced override (!value)
let finalValue: string;
if (value.startsWith('!') && value !== '!delete') {
// Keep the ! but resolve any templates in the rest
const templateValue = value.substring(1);
finalValue = '!' + TemplateUtils.resolveTemplateVariables(templateValue, {} as IRouteContext);
} else {
// Resolve templates in the entire value
finalValue = TemplateUtils.resolveTemplateVariables(value, {} as IRouteContext);
}
// Set the header
res.setHeader(key, finalValue);
this.logger.debug(`Modified response header: ${key}=${finalValue}`);
}
}
}
/**
* Handle an HTTP request
*/
public async handleRequest(
req: plugins.http.IncomingMessage,
res: plugins.http.ServerResponse
): Promise<void> {
// Record start time for logging
const startTime = Date.now();
// Get route before applying CORS (we might need its settings)
// Try to find a matching route using RouteManager
let matchingRoute: IRouteConfig | null = null;
if (this.routeManager) {
try {
// Create a connection ID for this request
const connectionId = `http-${Date.now()}-${Math.floor(Math.random() * 10000)}`;
// Create route context for function-based targets
const routeContext = this.contextCreator.createHttpRouteContext(req, {
connectionId,
clientIp: req.socket.remoteAddress?.replace('::ffff:', '') || '0.0.0.0',
serverIp: req.socket.localAddress?.replace('::ffff:', '') || '0.0.0.0',
tlsVersion: req.socket.getTLSVersion?.() || undefined
});
matchingRoute = this.routeManager.findMatchingRoute(toBaseContext(routeContext));
} catch (err) {
this.logger.error('Error finding matching route', err);
}
}
// Apply CORS headers with route-specific settings if available
this.applyCorsHeaders(res, req, matchingRoute);
// If this is an OPTIONS request, the response has already been ended in applyCorsHeaders
// so we should return early to avoid trying to set more headers
if (req.method === 'OPTIONS') {
// Increment metrics for OPTIONS requests too
if (this.metricsTracker) {
this.metricsTracker.incrementRequestsServed();
}
return;
}
// Apply default headers
this.applyDefaultHeaders(res);
// We already have the connection ID and routeContext from CORS handling
const connectionId = `http-${Date.now()}-${Math.floor(Math.random() * 10000)}`;
// Create route context for function-based targets (if we don't already have one)
const routeContext = this.contextCreator.createHttpRouteContext(req, {
connectionId,
clientIp: req.socket.remoteAddress?.replace('::ffff:', '') || '0.0.0.0',
serverIp: req.socket.localAddress?.replace('::ffff:', '') || '0.0.0.0',
tlsVersion: req.socket.getTLSVersion?.() || undefined
});
// Check security restrictions if we have a matching route
if (matchingRoute) {
// Check IP filtering and rate limiting
if (!this.securityManager.isAllowed(matchingRoute, routeContext)) {
this.logger.warn(`Access denied for ${routeContext.clientIp} to ${matchingRoute.name || 'unnamed'}`);
res.statusCode = 403;
res.end('Forbidden: Access denied by security policy');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
// Check basic auth
if (matchingRoute.security?.basicAuth?.enabled) {
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Basic ')) {
// No auth header provided - send 401 with WWW-Authenticate header
res.statusCode = 401;
const realm = matchingRoute.security.basicAuth.realm || 'Protected Area';
res.setHeader('WWW-Authenticate', `Basic realm="${realm}", charset="UTF-8"`);
res.end('Authentication Required');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
// Verify credentials
try {
const credentials = Buffer.from(authHeader.substring(6), 'base64').toString('utf-8');
const [username, password] = credentials.split(':');
if (!this.securityManager.checkBasicAuth(matchingRoute, username, password)) {
res.statusCode = 401;
const realm = matchingRoute.security.basicAuth.realm || 'Protected Area';
res.setHeader('WWW-Authenticate', `Basic realm="${realm}", charset="UTF-8"`);
res.end('Invalid Credentials');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
} catch (err) {
this.logger.error(`Error verifying basic auth: ${err}`);
res.statusCode = 401;
res.end('Authentication Error');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
}
// Check JWT auth
if (matchingRoute.security?.jwtAuth?.enabled) {
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Bearer ')) {
// No auth header provided - send 401
res.statusCode = 401;
res.end('Authentication Required: JWT token missing');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
// Verify token
const token = authHeader.substring(7);
if (!this.securityManager.verifyJwtToken(matchingRoute, token)) {
res.statusCode = 401;
res.end('Invalid or Expired JWT');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
}
}
// If we found a matching route with function-based targets, use it
if (matchingRoute && matchingRoute.action.type === 'forward' && matchingRoute.action.target) {
this.logger.debug(`Found matching route: ${matchingRoute.name || 'unnamed'}`);
// Extract target information, resolving functions if needed
let targetHost: string | string[];
let targetPort: number;
try {
// Check function cache for host and resolve or use cached value
if (typeof matchingRoute.action.target.host === 'function') {
// Generate a function ID for caching (use route name or ID if available)
const functionId = `host-${matchingRoute.id || matchingRoute.name || 'unnamed'}`;
// Check if we have a cached result
if (this.functionCache) {
const cachedHost = this.functionCache.getCachedHost(routeContext, functionId);
if (cachedHost !== undefined) {
targetHost = cachedHost;
this.logger.debug(`Using cached host value for ${functionId}`);
} else {
// Resolve the function and cache the result
const resolvedHost = matchingRoute.action.target.host(toBaseContext(routeContext));
targetHost = resolvedHost;
// Cache the result
this.functionCache.cacheHost(routeContext, functionId, resolvedHost);
this.logger.debug(`Resolved and cached function-based host to: ${Array.isArray(resolvedHost) ? resolvedHost.join(', ') : resolvedHost}`);
}
} else {
// No cache available, just resolve
const resolvedHost = matchingRoute.action.target.host(routeContext);
targetHost = resolvedHost;
this.logger.debug(`Resolved function-based host to: ${Array.isArray(resolvedHost) ? resolvedHost.join(', ') : resolvedHost}`);
}
} else {
targetHost = matchingRoute.action.target.host;
}
// Check function cache for port and resolve or use cached value
if (typeof matchingRoute.action.target.port === 'function') {
// Generate a function ID for caching
const functionId = `port-${matchingRoute.id || matchingRoute.name || 'unnamed'}`;
// Check if we have a cached result
if (this.functionCache) {
const cachedPort = this.functionCache.getCachedPort(routeContext, functionId);
if (cachedPort !== undefined) {
targetPort = cachedPort;
this.logger.debug(`Using cached port value for ${functionId}`);
} else {
// Resolve the function and cache the result
const resolvedPort = matchingRoute.action.target.port(toBaseContext(routeContext));
targetPort = resolvedPort;
// Cache the result
this.functionCache.cachePort(routeContext, functionId, resolvedPort);
this.logger.debug(`Resolved and cached function-based port to: ${resolvedPort}`);
}
} else {
// No cache available, just resolve
const resolvedPort = matchingRoute.action.target.port(routeContext);
targetPort = resolvedPort;
this.logger.debug(`Resolved function-based port to: ${resolvedPort}`);
}
} else {
targetPort = matchingRoute.action.target.port === 'preserve' ? routeContext.port : matchingRoute.action.target.port as number;
}
// Select a single host if an array was provided
const selectedHost = Array.isArray(targetHost)
? targetHost[Math.floor(Math.random() * targetHost.length)]
: targetHost;
// Create a destination for the connection pool
const destination = {
host: selectedHost,
port: targetPort
};
// Apply URL rewriting if configured
this.applyUrlRewriting(req, matchingRoute, routeContext);
// Apply header modifications if configured
this.applyRouteHeaderModifications(matchingRoute, req, res);
// Continue with handling using the resolved destination
HttpRequestHandler.handleHttpRequestWithDestination(
req,
res,
destination,
routeContext,
startTime,
this.logger,
this.metricsTracker,
matchingRoute // Pass the route config for additional processing
);
return;
} catch (err) {
this.logger.error(`Error evaluating function-based target: ${err}`);
res.statusCode = 500;
res.end('Internal Server Error: Failed to evaluate target functions');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
}
// Try modern router first, then fall back to legacy routing if needed
if (this.router) {
try {
// Try to find a matching route using the modern router
const route = this.router.routeReq(req);
if (route && route.action.type === 'forward' && route.action.target) {
// Handle this route similarly to RouteManager logic
this.logger.debug(`Found matching route via modern router: ${route.name || 'unnamed'}`);
// No need to do anything here, we'll continue with legacy routing
// The routeManager would have already found this route if applicable
}
} catch (err) {
this.logger.error('Error using modern router', err);
// Continue with legacy routing
}
}
// Fall back to legacy routing if no matching route found via RouteManager
let proxyConfig: IReverseProxyConfig | undefined;
try {
proxyConfig = this.legacyRouter.routeReq(req);
} catch (err) {
this.logger.error('Error routing request with legacy router', err);
res.statusCode = 500;
res.end('Internal Server Error');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
if (!proxyConfig) {
this.logger.warn(`No proxy configuration for host: ${req.headers.host}`);
res.statusCode = 404;
res.end('Not Found: No proxy configuration for this host');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
// Determine protocol to backend (per-domain override or global)
const backendProto = proxyConfig.backendProtocol || this.options.backendProtocol;
if (backendProto === 'http2') {
const destination = this.connectionPool.getNextTarget(
proxyConfig.destinationIps,
proxyConfig.destinationPorts[0]
);
const key = `${destination.host}:${destination.port}`;
let session = this.h2Sessions.get(key);
if (!session || session.closed || (session as any).destroyed) {
session = plugins.http2.connect(`http://${destination.host}:${destination.port}`);
this.h2Sessions.set(key, session);
session.on('error', () => this.h2Sessions.delete(key));
session.on('close', () => this.h2Sessions.delete(key));
}
// Build headers for HTTP/2 request
const hdrs: Record<string, any> = {
':method': req.method,
':path': req.url,
':authority': `${destination.host}:${destination.port}`
};
for (const [hk, hv] of Object.entries(req.headers)) {
if (typeof hv === 'string') hdrs[hk] = hv;
}
const h2Stream = session.request(hdrs);
req.pipe(h2Stream);
h2Stream.on('response', (hdrs2: any) => {
const status = (hdrs2[':status'] as number) || 502;
res.statusCode = status;
// Copy headers from HTTP/2 response to HTTP/1 response
for (const [hk, hv] of Object.entries(hdrs2)) {
if (!hk.startsWith(':') && hv != null) {
res.setHeader(hk, hv as string | string[]);
}
}
h2Stream.pipe(res);
});
h2Stream.on('error', (err) => {
res.statusCode = 502;
res.end(`Bad Gateway: ${err.message}`);
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
});
return;
}
}
/**
* Handle HTTP/2 stream requests with function-based target support
*/
public async handleHttp2(stream: plugins.http2.ServerHttp2Stream, headers: plugins.http2.IncomingHttpHeaders): Promise<void> {
const startTime = Date.now();
// Create a connection ID for this HTTP/2 stream
const connectionId = `http2-${Date.now()}-${Math.floor(Math.random() * 10000)}`;
// Get client IP and server IP from the socket
const socket = (stream.session as any)?.socket;
const clientIp = socket?.remoteAddress?.replace('::ffff:', '') || '0.0.0.0';
const serverIp = socket?.localAddress?.replace('::ffff:', '') || '0.0.0.0';
// Create route context for function-based targets
const routeContext = this.contextCreator.createHttp2RouteContext(stream, headers, {
connectionId,
clientIp,
serverIp
});
// Try to find a matching route using RouteManager
let matchingRoute: IRouteConfig | null = null;
if (this.routeManager) {
try {
matchingRoute = this.routeManager.findMatchingRoute(toBaseContext(routeContext));
} catch (err) {
this.logger.error('Error finding matching route for HTTP/2 request', err);
}
}
// If we found a matching route with function-based targets, use it
if (matchingRoute && matchingRoute.action.type === 'forward' && matchingRoute.action.target) {
this.logger.debug(`Found matching route for HTTP/2 request: ${matchingRoute.name || 'unnamed'}`);
// Extract target information, resolving functions if needed
let targetHost: string | string[];
let targetPort: number;
try {
// Check function cache for host and resolve or use cached value
if (typeof matchingRoute.action.target.host === 'function') {
// Generate a function ID for caching (use route name or ID if available)
const functionId = `host-http2-${matchingRoute.id || matchingRoute.name || 'unnamed'}`;
// Check if we have a cached result
if (this.functionCache) {
const cachedHost = this.functionCache.getCachedHost(routeContext, functionId);
if (cachedHost !== undefined) {
targetHost = cachedHost;
this.logger.debug(`Using cached host value for HTTP/2: ${functionId}`);
} else {
// Resolve the function and cache the result
const resolvedHost = matchingRoute.action.target.host(toBaseContext(routeContext));
targetHost = resolvedHost;
// Cache the result
this.functionCache.cacheHost(routeContext, functionId, resolvedHost);
this.logger.debug(`Resolved and cached HTTP/2 function-based host to: ${Array.isArray(resolvedHost) ? resolvedHost.join(', ') : resolvedHost}`);
}
} else {
// No cache available, just resolve
const resolvedHost = matchingRoute.action.target.host(routeContext);
targetHost = resolvedHost;
this.logger.debug(`Resolved HTTP/2 function-based host to: ${Array.isArray(resolvedHost) ? resolvedHost.join(', ') : resolvedHost}`);
}
} else {
targetHost = matchingRoute.action.target.host;
}
// Check function cache for port and resolve or use cached value
if (typeof matchingRoute.action.target.port === 'function') {
// Generate a function ID for caching
const functionId = `port-http2-${matchingRoute.id || matchingRoute.name || 'unnamed'}`;
// Check if we have a cached result
if (this.functionCache) {
const cachedPort = this.functionCache.getCachedPort(routeContext, functionId);
if (cachedPort !== undefined) {
targetPort = cachedPort;
this.logger.debug(`Using cached port value for HTTP/2: ${functionId}`);
} else {
// Resolve the function and cache the result
const resolvedPort = matchingRoute.action.target.port(toBaseContext(routeContext));
targetPort = resolvedPort;
// Cache the result
this.functionCache.cachePort(routeContext, functionId, resolvedPort);
this.logger.debug(`Resolved and cached HTTP/2 function-based port to: ${resolvedPort}`);
}
} else {
// No cache available, just resolve
const resolvedPort = matchingRoute.action.target.port(routeContext);
targetPort = resolvedPort;
this.logger.debug(`Resolved HTTP/2 function-based port to: ${resolvedPort}`);
}
} else {
targetPort = matchingRoute.action.target.port === 'preserve' ? routeContext.port : matchingRoute.action.target.port as number;
}
// Select a single host if an array was provided
const selectedHost = Array.isArray(targetHost)
? targetHost[Math.floor(Math.random() * targetHost.length)]
: targetHost;
// Create a destination for forwarding
const destination = {
host: selectedHost,
port: targetPort
};
// Handle HTTP/2 stream based on backend protocol
const backendProtocol = matchingRoute.action.options?.backendProtocol || this.options.backendProtocol;
if (backendProtocol === 'http2') {
// Forward to HTTP/2 backend
return Http2RequestHandler.handleHttp2WithHttp2Destination(
stream,
headers,
destination,
routeContext,
this.h2Sessions,
this.logger,
this.metricsTracker
);
} else {
// Forward to HTTP/1.1 backend
return Http2RequestHandler.handleHttp2WithHttp1Destination(
stream,
headers,
destination,
routeContext,
this.logger,
this.metricsTracker
);
}
} catch (err) {
this.logger.error(`Error evaluating function-based target for HTTP/2: ${err}`);
stream.respond({ ':status': 500 });
stream.end('Internal Server Error: Failed to evaluate target functions');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
}
// Fall back to legacy routing if no matching route found
const method = headers[':method'] || 'GET';
const path = headers[':path'] || '/';
// If configured to proxy to backends over HTTP/2, use HTTP/2 client sessions
if (this.options.backendProtocol === 'http2') {
const authority = headers[':authority'] as string || '';
const host = authority.split(':')[0];
const fakeReq: any = {
headers: { host },
method: headers[':method'],
url: headers[':path'],
socket: (stream.session as any).socket
};
// Try modern router first if available
let route;
if (this.router) {
try {
route = this.router.routeReq(fakeReq);
if (route && route.action.type === 'forward' && route.action.target) {
this.logger.debug(`Found matching HTTP/2 route via modern router: ${route.name || 'unnamed'}`);
// The routeManager would have already found this route if applicable
}
} catch (err) {
this.logger.error('Error using modern router for HTTP/2', err);
}
}
// Fall back to legacy routing
const proxyConfig = this.legacyRouter.routeReq(fakeReq);
if (!proxyConfig) {
stream.respond({ ':status': 404 });
stream.end('Not Found');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
const destination = this.connectionPool.getNextTarget(proxyConfig.destinationIps, proxyConfig.destinationPorts[0]);
// Use the helper for HTTP/2 to HTTP/2 routing
return Http2RequestHandler.handleHttp2WithHttp2Destination(
stream,
headers,
destination,
routeContext,
this.h2Sessions,
this.logger,
this.metricsTracker
);
}
try {
// Determine host for routing
const authority = headers[':authority'] as string || '';
const host = authority.split(':')[0];
// Fake request object for routing
const fakeReq: any = {
headers: { host },
method,
url: path,
socket: (stream.session as any).socket
};
// Try modern router first if available
if (this.router) {
try {
const route = this.router.routeReq(fakeReq);
if (route && route.action.type === 'forward' && route.action.target) {
this.logger.debug(`Found matching HTTP/2 route via modern router: ${route.name || 'unnamed'}`);
// The routeManager would have already found this route if applicable
}
} catch (err) {
this.logger.error('Error using modern router for HTTP/2', err);
}
}
// Fall back to legacy routing
const proxyConfig = this.legacyRouter.routeReq(fakeReq as any);
if (!proxyConfig) {
stream.respond({ ':status': 404 });
stream.end('Not Found');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
// Select backend target
const destination = this.connectionPool.getNextTarget(
proxyConfig.destinationIps,
proxyConfig.destinationPorts[0]
);
// Use the helper for HTTP/2 to HTTP/1 routing
return Http2RequestHandler.handleHttp2WithHttp1Destination(
stream,
headers,
destination,
routeContext,
this.logger,
this.metricsTracker
);
} catch (err: any) {
stream.respond({ ':status': 500 });
stream.end('Internal Server Error');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
}
}
}

298
ts/proxies/http-proxy/security-manager.ts Normal file
View File

@ -0,0 +1,298 @@
import * as plugins from '../../plugins.js';
import type { ILogger } from './models/types.js';
import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
import type { IRouteContext } from '../../core/models/route-context.js';
/**
* Manages security features for the NetworkProxy
* Implements Phase 5.4: Security features like IP filtering and rate limiting
*/
export class SecurityManager {
// Cache IP filtering results to avoid constant regex matching
private ipFilterCache: Map<string, Map<string, boolean>> = new Map();
// Store rate limits per route and key
private rateLimits: Map<string, Map<string, { count: number, expiry: number }>> = new Map();
constructor(private logger: ILogger, private routes: IRouteConfig[] = []) {}
/**
* Update the routes configuration
*/
public setRoutes(routes: IRouteConfig[]): void {
this.routes = routes;
// Reset caches when routes change
this.ipFilterCache.clear();
}
/**
* Check if a client is allowed to access a specific route
*
* @param route The route to check access for
* @param context The route context with client information
* @returns True if access is allowed, false otherwise
*/
public isAllowed(route: IRouteConfig, context: IRouteContext): boolean {
if (!route.security) {
return true; // No security restrictions
}
// --- IP filtering ---
if (!this.isIpAllowed(route, context.clientIp)) {
this.logger.debug(`IP ${context.clientIp} is blocked for route ${route.name || route.id || 'unnamed'}`);
return false;
}
// --- Rate limiting ---
if (route.security.rateLimit?.enabled && !this.isWithinRateLimit(route, context)) {
this.logger.debug(`Rate limit exceeded for route ${route.name || route.id || 'unnamed'}`);
return false;
}
// --- Basic Auth (handled at HTTP level) ---
// Basic auth is not checked here as it requires HTTP headers
// and is handled in the RequestHandler
return true;
}
/**
* Check if an IP is allowed based on route security settings
*/
private isIpAllowed(route: IRouteConfig, clientIp: string): boolean {
if (!route.security) {
return true; // No security restrictions
}
const routeId = route.id || route.name || 'unnamed';
// Check cache first
if (!this.ipFilterCache.has(routeId)) {
this.ipFilterCache.set(routeId, new Map());
}
const routeCache = this.ipFilterCache.get(routeId)!;
if (routeCache.has(clientIp)) {
return routeCache.get(clientIp)!;
}
let allowed = true;
// Check block list first (deny has priority over allow)
if (route.security.ipBlockList && route.security.ipBlockList.length > 0) {
if (this.ipMatchesPattern(clientIp, route.security.ipBlockList)) {
allowed = false;
}
}
// Then check allow list (overrides block list if specified)
if (route.security.ipAllowList && route.security.ipAllowList.length > 0) {
// If allow list is specified, IP must match an entry to be allowed
allowed = this.ipMatchesPattern(clientIp, route.security.ipAllowList);
}
// Cache the result
routeCache.set(clientIp, allowed);
return allowed;
}
/**
* Check if IP matches any pattern in the list
*/
private ipMatchesPattern(ip: string, patterns: string[]): boolean {
for (const pattern of patterns) {
// CIDR notation
if (pattern.includes('/')) {
if (this.ipMatchesCidr(ip, pattern)) {
return true;
}
}
// Wildcard notation
else if (pattern.includes('*')) {
const regex = new RegExp('^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '.*') + '$');
if (regex.test(ip)) {
return true;
}
}
// Exact match
else if (pattern === ip) {
return true;
}
}
return false;
}
/**
* Check if IP matches CIDR notation
* Very basic implementation - for production use, consider a dedicated IP library
*/
private ipMatchesCidr(ip: string, cidr: string): boolean {
try {
const [subnet, bits] = cidr.split('/');
const mask = parseInt(bits, 10);
// Convert IP to numeric format
const ipParts = ip.split('.').map(part => parseInt(part, 10));
const subnetParts = subnet.split('.').map(part => parseInt(part, 10));
// Calculate the numeric IP and subnet
const ipNum = (ipParts[0] << 24) | (ipParts[1] << 16) | (ipParts[2] << 8) | ipParts[3];
const subnetNum = (subnetParts[0] << 24) | (subnetParts[1] << 16) | (subnetParts[2] << 8) | subnetParts[3];
// Calculate the mask
const maskNum = ~((1 << (32 - mask)) - 1);
// Check if IP is in subnet
return (ipNum & maskNum) === (subnetNum & maskNum);
} catch (e) {
this.logger.error(`Invalid CIDR notation: ${cidr}`);
return false;
}
}
/**
* Check if request is within rate limit
*/
private isWithinRateLimit(route: IRouteConfig, context: IRouteContext): boolean {
if (!route.security?.rateLimit?.enabled) {
return true;
}
const rateLimit = route.security.rateLimit;
const routeId = route.id || route.name || 'unnamed';
// Determine rate limit key (by IP, path, or header)
let key = context.clientIp; // Default to IP
if (rateLimit.keyBy === 'path' && context.path) {
key = `${context.clientIp}:${context.path}`;
} else if (rateLimit.keyBy === 'header' && rateLimit.headerName && context.headers) {
const headerValue = context.headers[rateLimit.headerName.toLowerCase()];
if (headerValue) {
key = `${context.clientIp}:${headerValue}`;
}
}
// Get or create rate limit tracking for this route
if (!this.rateLimits.has(routeId)) {
this.rateLimits.set(routeId, new Map());
}
const routeLimits = this.rateLimits.get(routeId)!;
const now = Date.now();
// Get or create rate limit tracking for this key
let limit = routeLimits.get(key);
if (!limit || limit.expiry < now) {
// Create new rate limit or reset expired one
limit = {
count: 1,
expiry: now + (rateLimit.window * 1000)
};
routeLimits.set(key, limit);
return true;
}
// Increment the counter
limit.count++;
// Check if rate limit is exceeded
return limit.count <= rateLimit.maxRequests;
}
/**
* Clean up expired rate limits
* Should be called periodically to prevent memory leaks
*/
public cleanupExpiredRateLimits(): void {
const now = Date.now();
for (const [routeId, routeLimits] of this.rateLimits.entries()) {
let removed = 0;
for (const [key, limit] of routeLimits.entries()) {
if (limit.expiry < now) {
routeLimits.delete(key);
removed++;
}
}
if (removed > 0) {
this.logger.debug(`Cleaned up ${removed} expired rate limits for route ${routeId}`);
}
}
}
/**
* Check basic auth credentials
*
* @param route The route to check auth for
* @param username The provided username
* @param password The provided password
* @returns True if credentials are valid, false otherwise
*/
public checkBasicAuth(route: IRouteConfig, username: string, password: string): boolean {
if (!route.security?.basicAuth?.enabled) {
return true;
}
const basicAuth = route.security.basicAuth;
// Check credentials against configured users
for (const user of basicAuth.users) {
if (user.username === username && user.password === password) {
return true;
}
}
return false;
}
/**
* Verify a JWT token
*
* @param route The route to verify the token for
* @param token The JWT token to verify
* @returns True if the token is valid, false otherwise
*/
public verifyJwtToken(route: IRouteConfig, token: string): boolean {
if (!route.security?.jwtAuth?.enabled) {
return true;
}
try {
// This is a simplified version - in production you'd use a proper JWT library
const jwtAuth = route.security.jwtAuth;
// Verify structure
const parts = token.split('.');
if (parts.length !== 3) {
return false;
}
// Decode payload
const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
// Check expiration
if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
return false;
}
// Check issuer
if (jwtAuth.issuer && payload.iss !== jwtAuth.issuer) {
return false;
}
// Check audience
if (jwtAuth.audience && payload.aud !== jwtAuth.audience) {
return false;
}
// In a real implementation, you'd also verify the signature
// using the secret and algorithm specified in jwtAuth
return true;
} catch (err) {
this.logger.error(`Error verifying JWT: ${err}`);
return false;
}
}
}

504
ts/proxies/http-proxy/websocket-handler.ts Normal file
View File

@ -0,0 +1,504 @@
import * as plugins from '../../plugins.js';
import '../../core/models/socket-augmentation.js';
import { type IHttpProxyOptions, type IWebSocketWithHeartbeat, type ILogger, createLogger, type IReverseProxyConfig } from './models/types.js';
import { ConnectionPool } from './connection-pool.js';
import { ProxyRouter, RouteRouter } from '../../routing/router/index.js';
import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
import type { IRouteContext } from '../../core/models/route-context.js';
import { toBaseContext } from '../../core/models/route-context.js';
import { ContextCreator } from './context-creator.js';
import { SecurityManager } from './security-manager.js';
import { TemplateUtils } from '../../core/utils/template-utils.js';
import { getMessageSize, toBuffer } from '../../core/utils/websocket-utils.js';
/**
* Handles WebSocket connections and proxying
*/
export class WebSocketHandler {
private heartbeatInterval: NodeJS.Timeout | null = null;
private wsServer: plugins.ws.WebSocketServer | null = null;
private logger: ILogger;
private contextCreator: ContextCreator = new ContextCreator();
private routeRouter: RouteRouter | null = null;
private securityManager: SecurityManager;
constructor(
private options: IHttpProxyOptions,
private connectionPool: ConnectionPool,
private legacyRouter: ProxyRouter, // Legacy router for backward compatibility
private routes: IRouteConfig[] = [] // Routes for modern router
) {
this.logger = createLogger(options.logLevel || 'info');
this.securityManager = new SecurityManager(this.logger, routes);
// Initialize modern router if we have routes
if (routes.length > 0) {
this.routeRouter = new RouteRouter(routes, this.logger);
}
}
/**
* Set the route configurations
*/
public setRoutes(routes: IRouteConfig[]): void {
this.routes = routes;
// Initialize or update the route router
if (!this.routeRouter) {
this.routeRouter = new RouteRouter(routes, this.logger);
} else {
this.routeRouter.setRoutes(routes);
}
// Update the security manager
this.securityManager.setRoutes(routes);
}
/**
* Initialize WebSocket server on an existing HTTPS server
*/
public initialize(server: plugins.https.Server): void {
// Create WebSocket server
this.wsServer = new plugins.ws.WebSocketServer({
server: server,
clientTracking: true
});
// Handle WebSocket connections
this.wsServer.on('connection', (wsIncoming: IWebSocketWithHeartbeat, req: plugins.http.IncomingMessage) => {
this.handleWebSocketConnection(wsIncoming, req);
});
// Start the heartbeat interval
this.startHeartbeat();
this.logger.info('WebSocket handler initialized');
}
/**
* Start the heartbeat interval to check for inactive WebSocket connections
*/
private startHeartbeat(): void {
// Clean up existing interval if any
if (this.heartbeatInterval) {
clearInterval(this.heartbeatInterval);
}
// Set up the heartbeat interval (check every 30 seconds)
this.heartbeatInterval = setInterval(() => {
if (!this.wsServer || this.wsServer.clients.size === 0) {
return; // Skip if no active connections
}
this.logger.debug(`WebSocket heartbeat check for ${this.wsServer.clients.size} clients`);
this.wsServer.clients.forEach((ws: plugins.wsDefault) => {
const wsWithHeartbeat = ws as IWebSocketWithHeartbeat;
if (wsWithHeartbeat.isAlive === false) {
this.logger.debug('Terminating inactive WebSocket connection');
return wsWithHeartbeat.terminate();
}
wsWithHeartbeat.isAlive = false;
wsWithHeartbeat.ping();
});
}, 30000);
// Make sure the interval doesn't keep the process alive
if (this.heartbeatInterval.unref) {
this.heartbeatInterval.unref();
}
}
/**
* Handle a new WebSocket connection
*/
private handleWebSocketConnection(wsIncoming: IWebSocketWithHeartbeat, req: plugins.http.IncomingMessage): void {
this.logger.debug(`WebSocket connection initiated from ${req.headers.host}`);
try {
// Initialize heartbeat tracking
wsIncoming.isAlive = true;
wsIncoming.lastPong = Date.now();
// Handle pong messages to track liveness
wsIncoming.on('pong', () => {
wsIncoming.isAlive = true;
wsIncoming.lastPong = Date.now();
});
// Create a context for routing
const connectionId = `ws-${Date.now()}-${Math.floor(Math.random() * 10000)}`;
const routeContext = this.contextCreator.createHttpRouteContext(req, {
connectionId,
clientIp: req.socket.remoteAddress?.replace('::ffff:', '') || '0.0.0.0',
serverIp: req.socket.localAddress?.replace('::ffff:', '') || '0.0.0.0',
tlsVersion: req.socket.getTLSVersion?.() || undefined
});
// Try modern router first if available
let route: IRouteConfig | undefined;
if (this.routeRouter) {
route = this.routeRouter.routeReq(req);
}
// Define destination variables
let destination: { host: string; port: number };
// If we found a route with the modern router, use it
if (route && route.action.type === 'forward' && route.action.target) {
this.logger.debug(`Found matching WebSocket route: ${route.name || 'unnamed'}`);
// Check if WebSockets are enabled for this route
if (route.action.websocket?.enabled === false) {
this.logger.debug(`WebSockets are disabled for route: ${route.name || 'unnamed'}`);
wsIncoming.close(1003, 'WebSockets not supported for this route');
return;
}
// Check security restrictions if configured to authenticate WebSocket requests
if (route.action.websocket?.authenticateRequest !== false && route.security) {
if (!this.securityManager.isAllowed(route, toBaseContext(routeContext))) {
this.logger.warn(`WebSocket connection denied by security policy for ${routeContext.clientIp}`);
wsIncoming.close(1008, 'Access denied by security policy');
return;
}
// Check origin restrictions if configured
const origin = req.headers.origin;
if (origin && route.action.websocket?.allowedOrigins && route.action.websocket.allowedOrigins.length > 0) {
const isAllowed = route.action.websocket.allowedOrigins.some(allowedOrigin => {
// Handle wildcards and template variables
if (allowedOrigin.includes('*') || allowedOrigin.includes('{')) {
const pattern = allowedOrigin.replace(/\*/g, '.*');
const resolvedPattern = TemplateUtils.resolveTemplateVariables(pattern, routeContext);
const regex = new RegExp(`^${resolvedPattern}$`);
return regex.test(origin);
}
return allowedOrigin === origin;
});
if (!isAllowed) {
this.logger.warn(`WebSocket origin ${origin} not allowed for route: ${route.name || 'unnamed'}`);
wsIncoming.close(1008, 'Origin not allowed');
return;
}
}
}
// Extract target information, resolving functions if needed
let targetHost: string | string[];
let targetPort: number;
try {
// Resolve host if it's a function
if (typeof route.action.target.host === 'function') {
const resolvedHost = route.action.target.host(toBaseContext(routeContext));
targetHost = resolvedHost;
this.logger.debug(`Resolved function-based host for WebSocket: ${Array.isArray(resolvedHost) ? resolvedHost.join(', ') : resolvedHost}`);
} else {
targetHost = route.action.target.host;
}
// Resolve port if it's a function
if (typeof route.action.target.port === 'function') {
targetPort = route.action.target.port(toBaseContext(routeContext));
this.logger.debug(`Resolved function-based port for WebSocket: ${targetPort}`);
} else {
targetPort = route.action.target.port === 'preserve' ? routeContext.port : route.action.target.port as number;
}
// Select a single host if an array was provided
const selectedHost = Array.isArray(targetHost)
? targetHost[Math.floor(Math.random() * targetHost.length)]
: targetHost;
// Create a destination for the WebSocket connection
destination = {
host: selectedHost,
port: targetPort
};
this.logger.debug(`WebSocket destination resolved: ${selectedHost}:${targetPort}`);
} catch (err) {
this.logger.error(`Error evaluating function-based target for WebSocket: ${err}`);
wsIncoming.close(1011, 'Internal server error');
return;
}
} else {
// Fall back to legacy routing if no matching route found via modern router
const proxyConfig = this.legacyRouter.routeReq(req);
if (!proxyConfig) {
this.logger.warn(`No proxy configuration for WebSocket host: ${req.headers.host}`);
wsIncoming.close(1008, 'No proxy configuration for this host');
return;
}
// Get destination target using round-robin if multiple targets
destination = this.connectionPool.getNextTarget(
proxyConfig.destinationIps,
proxyConfig.destinationPorts[0]
);
}
// Build target URL with potential path rewriting
// Determine protocol based on the target's configuration
// For WebSocket connections, we use ws for HTTP backends and wss for HTTPS backends
const isTargetSecure = destination.port === 443;
const protocol = isTargetSecure ? 'wss' : 'ws';
let targetPath = req.url || '/';
// Apply path rewriting if configured
if (route?.action.websocket?.rewritePath) {
const originalPath = targetPath;
targetPath = TemplateUtils.resolveTemplateVariables(
route.action.websocket.rewritePath,
{...routeContext, path: targetPath}
);
this.logger.debug(`WebSocket path rewritten: ${originalPath} -> ${targetPath}`);
}
const targetUrl = `${protocol}://${destination.host}:${destination.port}${targetPath}`;
this.logger.debug(`WebSocket connection from ${req.socket.remoteAddress} to ${targetUrl}`);
// Create headers for outgoing WebSocket connection
const headers: { [key: string]: string } = {};
// Copy relevant headers from incoming request
for (const [key, value] of Object.entries(req.headers)) {
if (value && typeof value === 'string' &&
key.toLowerCase() !== 'connection' &&
key.toLowerCase() !== 'upgrade' &&
key.toLowerCase() !== 'sec-websocket-key' &&
key.toLowerCase() !== 'sec-websocket-version') {
headers[key] = value;
}
}
// Always rewrite host header for WebSockets for consistency
headers['host'] = `${destination.host}:${destination.port}`;
// Add custom headers from route configuration
if (route?.action.websocket?.customHeaders) {
for (const [key, value] of Object.entries(route.action.websocket.customHeaders)) {
// Skip if header already exists and we're not overriding
if (headers[key.toLowerCase()] && !value.startsWith('!')) {
continue;
}
// Handle special delete directive (!delete)
if (value === '!delete') {
delete headers[key.toLowerCase()];
continue;
}
// Handle forced override (!value)
let finalValue: string;
if (value.startsWith('!') && value !== '!delete') {
// Keep the ! but resolve any templates in the rest
const templateValue = value.substring(1);
finalValue = '!' + TemplateUtils.resolveTemplateVariables(templateValue, routeContext);
} else {
// Resolve templates in the entire value
finalValue = TemplateUtils.resolveTemplateVariables(value, routeContext);
}
// Set the header
headers[key.toLowerCase()] = finalValue;
}
}
// Create WebSocket connection options
const wsOptions: any = {
headers: headers,
followRedirects: true
};
// Add subprotocols if configured
if (route?.action.websocket?.subprotocols && route.action.websocket.subprotocols.length > 0) {
wsOptions.protocols = route.action.websocket.subprotocols;
} else if (req.headers['sec-websocket-protocol']) {
// Pass through client requested protocols
wsOptions.protocols = req.headers['sec-websocket-protocol'].split(',').map(p => p.trim());
}
// Create outgoing WebSocket connection
this.logger.debug(`Creating WebSocket connection to ${targetUrl} with options:`, {
headers: wsOptions.headers,
protocols: wsOptions.protocols
});
const wsOutgoing = new plugins.wsDefault(targetUrl, wsOptions);
this.logger.debug(`WebSocket instance created, waiting for connection...`);
// Handle connection errors
wsOutgoing.on('error', (err) => {
this.logger.error(`WebSocket target connection error: ${err.message}`);
if (wsIncoming.readyState === wsIncoming.OPEN) {
wsIncoming.close(1011, 'Internal server error');
}
});
// Handle outgoing connection open
wsOutgoing.on('open', () => {
this.logger.debug(`WebSocket target connection opened to ${targetUrl}`);
// Set up custom ping interval if configured
let pingInterval: NodeJS.Timeout | null = null;
if (route?.action.websocket?.pingInterval && route.action.websocket.pingInterval > 0) {
pingInterval = setInterval(() => {
if (wsIncoming.readyState === wsIncoming.OPEN) {
wsIncoming.ping();
this.logger.debug(`Sent WebSocket ping to client for route: ${route.name || 'unnamed'}`);
}
}, route.action.websocket.pingInterval);
// Don't keep process alive just for pings
if (pingInterval.unref) pingInterval.unref();
}
// Set up custom ping timeout if configured
let pingTimeout: NodeJS.Timeout | null = null;
const pingTimeoutMs = route?.action.websocket?.pingTimeout || 60000; // Default 60s
// Define timeout function for cleaner code
const resetPingTimeout = () => {
if (pingTimeout) clearTimeout(pingTimeout);
pingTimeout = setTimeout(() => {
this.logger.debug(`WebSocket ping timeout for client connection on route: ${route?.name || 'unnamed'}`);
wsIncoming.terminate();
}, pingTimeoutMs);
// Don't keep process alive just for timeouts
if (pingTimeout.unref) pingTimeout.unref();
};
// Reset timeout on pong
wsIncoming.on('pong', () => {
wsIncoming.isAlive = true;
wsIncoming.lastPong = Date.now();
resetPingTimeout();
});
// Initial ping timeout
resetPingTimeout();
// Handle potential message size limits
const maxSize = route?.action.websocket?.maxPayloadSize || 0;
// Forward incoming messages to outgoing connection
wsIncoming.on('message', (data, isBinary) => {
this.logger.debug(`WebSocket forwarding message from client to target: ${data.toString()}`);
if (wsOutgoing.readyState === wsOutgoing.OPEN) {
// Check message size if limit is set
const messageSize = getMessageSize(data);
if (maxSize > 0 && messageSize > maxSize) {
this.logger.warn(`WebSocket message exceeds max size (${messageSize} > ${maxSize})`);
wsIncoming.close(1009, 'Message too big');
return;
}
wsOutgoing.send(data, { binary: isBinary });
} else {
this.logger.warn(`WebSocket target connection not open (state: ${wsOutgoing.readyState})`);
}
});
// Forward outgoing messages to incoming connection
wsOutgoing.on('message', (data, isBinary) => {
this.logger.debug(`WebSocket forwarding message from target to client: ${data.toString()}`);
if (wsIncoming.readyState === wsIncoming.OPEN) {
wsIncoming.send(data, { binary: isBinary });
} else {
this.logger.warn(`WebSocket client connection not open (state: ${wsIncoming.readyState})`);
}
});
// Handle closing of connections
wsIncoming.on('close', (code, reason) => {
this.logger.debug(`WebSocket client connection closed: ${code} ${reason}`);
if (wsOutgoing.readyState === wsOutgoing.OPEN) {
// Ensure code is a valid WebSocket close code number
const validCode = typeof code === 'number' && code >= 1000 && code <= 4999 ? code : 1000;
try {
const reasonString = reason ? toBuffer(reason).toString() : '';
wsOutgoing.close(validCode, reasonString);
} catch (err) {
this.logger.error('Error closing wsOutgoing:', err);
wsOutgoing.close(validCode);
}
}
// Clean up timers
if (pingInterval) clearInterval(pingInterval);
if (pingTimeout) clearTimeout(pingTimeout);
});
wsOutgoing.on('close', (code, reason) => {
this.logger.debug(`WebSocket target connection closed: ${code} ${reason}`);
if (wsIncoming.readyState === wsIncoming.OPEN) {
// Ensure code is a valid WebSocket close code number
const validCode = typeof code === 'number' && code >= 1000 && code <= 4999 ? code : 1000;
try {
const reasonString = reason ? toBuffer(reason).toString() : '';
wsIncoming.close(validCode, reasonString);
} catch (err) {
this.logger.error('Error closing wsIncoming:', err);
wsIncoming.close(validCode);
}
}
// Clean up timers
if (pingInterval) clearInterval(pingInterval);
if (pingTimeout) clearTimeout(pingTimeout);
});
this.logger.debug(`WebSocket connection established: ${req.headers.host} -> ${destination.host}:${destination.port}`);
});
} catch (error) {
this.logger.error(`Error handling WebSocket connection: ${error.message}`);
if (wsIncoming.readyState === wsIncoming.OPEN) {
wsIncoming.close(1011, 'Internal server error');
}
}
}
/**
* Get information about active WebSocket connections
*/
public getConnectionInfo(): { activeConnections: number } {
return {
activeConnections: this.wsServer ? this.wsServer.clients.size : 0
};
}
/**
* Shutdown the WebSocket handler
*/
public shutdown(): void {
// Stop heartbeat interval
if (this.heartbeatInterval) {
clearInterval(this.heartbeatInterval);
this.heartbeatInterval = null;
}
// Close all WebSocket connections
if (this.wsServer) {
this.logger.info(`Closing ${this.wsServer.clients.size} WebSocket connections`);
for (const client of this.wsServer.clients) {
try {
client.terminate();
} catch (error) {
this.logger.error('Error terminating WebSocket client', error);
}
}
// Close the server
this.wsServer.close();
this.wsServer = null;
}
}
}