From 4a0792142f78dc68464f30b676d059e77c64795a Mon Sep 17 00:00:00 2001 From: Philipp Kunz Date: Thu, 27 Feb 2025 15:41:03 +0000 Subject: [PATCH] fix(PortProxy): Fix IP filtering for domain and global default allowed lists and improve port-based routing logic. --- changelog.md | 7 +++++++ ts/00_commitinfo_data.ts | 2 +- ts/classes.portproxy.ts | 9 ++++----- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/changelog.md b/changelog.md index 2705905..24f7107 100644 --- a/changelog.md +++ b/changelog.md @@ -1,5 +1,12 @@ # Changelog +## 2025-02-27 - 3.16.8 - fix(PortProxy) +Fix IP filtering for domain and global default allowed lists and improve port-based routing logic. + +- Improved logic to prioritize domain-specific allowed IPs over global defaults. +- Fixed port-based rules application to handle global port ranges more effectively. +- Enhanced rejection handling for unauthorized IP addresses in both domain-specific and default global lists. + ## 2025-02-27 - 3.16.7 - fix(PortProxy) Improved IP validation logic in PortProxy to ensure correct domain matching and fallback diff --git a/ts/00_commitinfo_data.ts b/ts/00_commitinfo_data.ts index 3ace47a..2df5fa3 100644 --- a/ts/00_commitinfo_data.ts +++ b/ts/00_commitinfo_data.ts @@ -3,6 +3,6 @@ */ export const commitinfo = { name: '@push.rocks/smartproxy', - version: '3.16.7', + version: '3.16.8', description: 'A robust and versatile proxy package designed to handle high workloads, offering features like SSL redirection, port proxying, WebSocket support, and customizable routing and authentication.' } diff --git a/ts/classes.portproxy.ts b/ts/classes.portproxy.ts index 0288d0c..33f8031 100644 --- a/ts/classes.portproxy.ts +++ b/ts/classes.portproxy.ts 
@@ -215,13 +215,13 @@ export class PortProxy { ? forcedDomain : (serverName ? this.settings.domains.find(config => plugins.minimatch(serverName, config.domain)) : undefined); - // New check: if a matching domain config exists, use its allowedIPs in preference. + // If a matching domain config exists, check its allowedIPs. if (domainConfig) { if (!isAllowed(remoteIP, domainConfig.allowedIPs)) { return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${domainConfig.domain}`); } } else if (this.settings.defaultAllowedIPs) { - // Fallback to default allowed IPs if no domain config is found. + // Only check default allowed IPs if no domain config matched. if (!isAllowed(remoteIP, this.settings.defaultAllowedIPs)) { return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed by default allowed list`); } @@ -313,9 +313,8 @@ export class PortProxy { }; // --- PORT RANGE-BASED HANDLING --- - // If the local port is one of the globally listened ports, we may have port-based rules. - if (this.settings.globalPortRanges && this.settings.globalPortRanges.length > 0) { - // If forwardAllGlobalRanges is enabled, always forward using the global targetIP. + // Only apply port-based rules if the incoming port is within one of the global port ranges. + if (this.settings.globalPortRanges && isPortInRanges(localPort, this.settings.globalPortRanges)) { if (this.settings.forwardAllGlobalRanges) { if (this.settings.defaultAllowedIPs && !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) { console.log(`Connection from ${remoteIP} rejected: IP ${remoteIP} not allowed in global default allowed list.`);
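Review bot: In the first hunk, `else if (this.settings.defaultAllowedIPs)` leaves a connection with no matching domain config and no default list unfiltered at this point, so the filter allows by default unless code after the hunk rejects it. The second hunk has the same pattern: `this.settings.defaultAllowedIPs && !isAllowed(remoteIP, this.settings.defaultAllowedIPs)` skips the check entirely when the list is unset. If an absent list is meant to allow everything, say so next to the branch, e.g. `// No domain match and no defaultAllowedIPs: this connection is not IP-filtered here.`; otherwise add a final `else` that rejects. The two changed lines in this hunk are comments only, so the filtering logic the commit message describes is unchanged here. The enclosing function starts and ends outside the hunk.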
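Review bot: The second hunk's new guard `isPortInRanges(localPort, this.settings.globalPortRanges)` narrows which connections reach the port-based rules, but the commit removes the only comment that explained the `forwardAllGlobalRanges` branch, which consults only `defaultAllowedIPs`. I would keep a line above the inner `if`, such as `// forwardAllGlobalRanges: forward to the global targetIP; only defaultAllowedIPs is checked on this path.`. The refusal here is reported with `console.log`, while the first hunk uses `rejectIncomingConnection('rejected', ...)`. If that helper is in scope at this point, using it here too would keep refused connections recorded in one place. The block continues past the end of the hunk, so what happens to the socket after the log line is not visible.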