push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

better logging

Browse Source
This commit is contained in:
Juergen Kunz
2025-07-03 02:32:17 +00:00
parent 67aff4bb30
commit 5d011ba84c
18 changed files with 1604 additions and 410 deletions
Download Patch File Download Diff File Expand all files Collapse all files

138
ts/proxies/http-proxy/http-proxy.ts
View File

@ -17,6 +17,8 @@ import { WebSocketHandler } from './websocket-handler.js';
import { HttpRouter } from '../../routing/router/index.js';
import { cleanupSocket } from '../../core/utils/socket-utils.js';
import { FunctionCache } from './function-cache.js';
import { SecurityManager } from './security-manager.js';
import { connectionLogDeduplicator } from '../../core/utils/log-deduplicator.js';
/**
* HttpProxy provides a reverse proxy with TLS termination, WebSocket support,
@ -43,6 +45,7 @@ export class HttpProxy implements IMetricsTracker {
private router = new HttpRouter(); // Unified HTTP router
private routeManager: RouteManager;
private functionCache: FunctionCache;
private securityManager: SecurityManager;
// State tracking
public socketMap = new plugins.lik.ObjectMap<plugins.net.Socket>();
@ -113,6 +116,14 @@ export class HttpProxy implements IMetricsTracker {
maxCacheSize: this.options.functionCacheSize || 1000,
defaultTtl: this.options.functionCacheTtl || 5000
});
// Initialize security manager
this.securityManager = new SecurityManager(
this.logger,
[],
this.options.maxConnectionsPerIP || 100,
this.options.connectionRateLimitPerMinute || 300
);
// Initialize other components
this.certificateManager = new CertificateManager(this.options);
@ -269,14 +280,113 @@ export class HttpProxy implements IMetricsTracker {
*/
private setupConnectionTracking(): void {
this.httpsServer.on('connection', (connection: plugins.net.Socket) => {
// Check if max connections reached
let remoteIP = connection.remoteAddress || '';
const connectionId = Math.random().toString(36).substring(2, 15);
const isFromSmartProxy = this.options.portProxyIntegration && connection.remoteAddress?.includes('127.0.0.1');
// For SmartProxy connections, wait for CLIENT_IP header
if (isFromSmartProxy) {
let headerBuffer = Buffer.alloc(0);
let headerParsed = false;
const parseHeader = (data: Buffer) => {
if (headerParsed) return data;
headerBuffer = Buffer.concat([headerBuffer, data]);
const headerStr = headerBuffer.toString();
const headerEnd = headerStr.indexOf('\r\n');
if (headerEnd !== -1) {
const header = headerStr.substring(0, headerEnd);
if (header.startsWith('CLIENT_IP:')) {
remoteIP = header.substring(10); // Extract IP after "CLIENT_IP:"
this.logger.debug(`Extracted client IP from SmartProxy: ${remoteIP}`);
}
headerParsed = true;
// Store the real IP on the connection
(connection as any)._realRemoteIP = remoteIP;
// Validate the real IP
const ipValidation = this.securityManager.validateIP(remoteIP);
if (!ipValidation.allowed) {
connectionLogDeduplicator.log(
'ip-rejected',
'warn',
`HttpProxy connection rejected (via SmartProxy)`,
{ remoteIP, reason: ipValidation.reason, component: 'http-proxy' },
remoteIP
);
connection.destroy();
return null;
}
// Track connection by real IP
this.securityManager.trackConnectionByIP(remoteIP, connectionId);
// Return remaining data after header
return headerBuffer.slice(headerEnd + 2);
}
return null;
};
// Override the first data handler to parse header
const originalEmit = connection.emit;
connection.emit = function(event: string, ...args: any[]) {
if (event === 'data' && !headerParsed) {
const remaining = parseHeader(args[0]);
if (remaining && remaining.length > 0) {
// Call original emit with remaining data
return originalEmit.apply(connection, ['data', remaining]);
} else if (headerParsed) {
// Header parsed but no remaining data
return true;
}
// Header not complete yet, suppress this data event
return true;
}
return originalEmit.apply(connection, [event, ...args]);
} as any;
} else {
// Direct connection - validate immediately
const ipValidation = this.securityManager.validateIP(remoteIP);
if (!ipValidation.allowed) {
connectionLogDeduplicator.log(
'ip-rejected',
'warn',
`HttpProxy connection rejected`,
{ remoteIP, reason: ipValidation.reason, component: 'http-proxy' },
remoteIP
);
connection.destroy();
return;
}
// Track connection by IP
this.securityManager.trackConnectionByIP(remoteIP, connectionId);
}
// Then check global max connections
if (this.socketMap.getArray().length >= this.options.maxConnections) {
this.logger.warn(`Max connections (${this.options.maxConnections}) reached, rejecting new connection`);
connectionLogDeduplicator.log(
'connection-rejected',
'warn',
'HttpProxy max connections reached',
{
reason: 'global-limit',
currentConnections: this.socketMap.getArray().length,
maxConnections: this.options.maxConnections,
component: 'http-proxy'
},
'http-proxy-global-limit'
);
connection.destroy();
return;
}
// Add connection to tracking
// Add connection to tracking with metadata
(connection as any)._connectionId = connectionId;
(connection as any)._remoteIP = remoteIP;
this.socketMap.add(connection);
this.connectedClients = this.socketMap.getArray().length;
@ -284,12 +394,12 @@ export class HttpProxy implements IMetricsTracker {
const localPort = connection.localPort || 0;
const remotePort = connection.remotePort || 0;
// If this connection is from a SmartProxy (usually indicated by it coming from localhost)
if (this.options.portProxyIntegration && connection.remoteAddress?.includes('127.0.0.1')) {
// If this connection is from a SmartProxy
if (isFromSmartProxy) {
this.portProxyConnections++;
this.logger.debug(`New connection from SmartProxy (local: ${localPort}, remote: ${remotePort})`);
this.logger.debug(`New connection from SmartProxy for client ${remoteIP} (local: ${localPort}, remote: ${remotePort})`);
} else {
this.logger.debug(`New direct connection (local: ${localPort}, remote: ${remotePort})`);
this.logger.debug(`New direct connection from ${remoteIP} (local: ${localPort}, remote: ${remotePort})`);
}
// Setup connection cleanup handlers
@ -298,12 +408,19 @@ export class HttpProxy implements IMetricsTracker {
this.socketMap.remove(connection);
this.connectedClients = this.socketMap.getArray().length;
// Remove IP tracking
const connId = (connection as any)._connectionId;
const connIP = (connection as any)._realRemoteIP || (connection as any)._remoteIP;
if (connId && connIP) {
this.securityManager.removeConnectionByIP(connIP, connId);
}
// If this was a SmartProxy connection, decrement the counter
if (this.options.portProxyIntegration && connection.remoteAddress?.includes('127.0.0.1')) {
this.portProxyConnections--;
}
this.logger.debug(`Connection closed. ${this.connectedClients} connections remaining`);
this.logger.debug(`Connection closed from ${connIP || 'unknown'}. ${this.connectedClients} connections remaining`);
}
};
@ -480,6 +597,9 @@ export class HttpProxy implements IMetricsTracker {
// Certificate management cleanup is handled by SmartCertManager
// Flush any pending deduplicated logs
connectionLogDeduplicator.flushAll();
// Close the HTTPS server
return new Promise((resolve) => {
this.httpsServer.close(() => {

4
ts/proxies/http-proxy/models/types.ts
View File

@ -45,6 +45,10 @@ export interface IHttpProxyOptions {
// Direct route configurations
routes?: IRouteConfig[];
// Rate limiting and security
maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
connectionRateLimitPerMinute?: number; // Max new connections per minute from a single IP
}
/**

137
ts/proxies/http-proxy/security-manager.ts
View File

@ -14,7 +14,14 @@ export class SecurityManager {
// Store rate limits per route and key
private rateLimits: Map<string, Map<string, { count: number, expiry: number }>> = new Map();
constructor(private logger: ILogger, private routes: IRouteConfig[] = []) {}
// Connection tracking by IP
private connectionsByIP: Map<string, Set<string>> = new Map();
private connectionRateByIP: Map<string, number[]> = new Map();
constructor(private logger: ILogger, private routes: IRouteConfig[] = [], private maxConnectionsPerIP: number = 100, private connectionRateLimitPerMinute: number = 300) {
// Start periodic cleanup for connection tracking
this.startPeriodicIpCleanup();
}
/**
* Update the routes configuration
@ -295,4 +302,132 @@ export class SecurityManager {
return false;
}
}
/**
* Get connections count by IP
*/
public getConnectionCountByIP(ip: string): number {
return this.connectionsByIP.get(ip)?.size || 0;
}
/**
* Check and update connection rate for an IP
* @returns true if within rate limit, false if exceeding limit
*/
public checkConnectionRate(ip: string): boolean {
const now = Date.now();
const minute = 60 * 1000;
if (!this.connectionRateByIP.has(ip)) {
this.connectionRateByIP.set(ip, [now]);
return true;
}
// Get timestamps and filter out entries older than 1 minute
const timestamps = this.connectionRateByIP.get(ip)!.filter((time) => now - time < minute);
timestamps.push(now);
this.connectionRateByIP.set(ip, timestamps);
// Check if rate exceeds limit
return timestamps.length <= this.connectionRateLimitPerMinute;
}
/**
* Track connection by IP
*/
public trackConnectionByIP(ip: string, connectionId: string): void {
if (!this.connectionsByIP.has(ip)) {
this.connectionsByIP.set(ip, new Set());
}
this.connectionsByIP.get(ip)!.add(connectionId);
}
/**
* Remove connection tracking for an IP
*/
public removeConnectionByIP(ip: string, connectionId: string): void {
if (this.connectionsByIP.has(ip)) {
const connections = this.connectionsByIP.get(ip)!;
connections.delete(connectionId);
if (connections.size === 0) {
this.connectionsByIP.delete(ip);
}
}
}
/**
* Check if IP should be allowed considering connection rate and max connections
* @returns Object with result and reason
*/
public validateIP(ip: string): { allowed: boolean; reason?: string } {
// Check connection count limit
if (this.getConnectionCountByIP(ip) >= this.maxConnectionsPerIP) {
return {
allowed: false,
reason: `Maximum connections per IP (${this.maxConnectionsPerIP}) exceeded`
};
}
// Check connection rate limit
if (!this.checkConnectionRate(ip)) {
return {
allowed: false,
reason: `Connection rate limit (${this.connectionRateLimitPerMinute}/min) exceeded`
};
}
return { allowed: true };
}
/**
* Clears all IP tracking data (for shutdown)
*/
public clearIPTracking(): void {
this.connectionsByIP.clear();
this.connectionRateByIP.clear();
}
/**
* Start periodic cleanup of IP tracking data
*/
private startPeriodicIpCleanup(): void {
// Clean up IP tracking data every minute
setInterval(() => {
this.performIpCleanup();
}, 60000).unref();
}
/**
* Perform cleanup of expired IP data
*/
private performIpCleanup(): void {
const now = Date.now();
const minute = 60 * 1000;
let cleanedRateLimits = 0;
let cleanedIPs = 0;
// Clean up expired rate limit timestamps
for (const [ip, timestamps] of this.connectionRateByIP.entries()) {
const validTimestamps = timestamps.filter(time => now - time < minute);
if (validTimestamps.length === 0) {
this.connectionRateByIP.delete(ip);
cleanedRateLimits++;
} else if (validTimestamps.length < timestamps.length) {
this.connectionRateByIP.set(ip, validTimestamps);
}
}
// Clean up IPs with no active connections
for (const [ip, connections] of this.connectionsByIP.entries()) {
if (connections.size === 0) {
this.connectionsByIP.delete(ip);
cleanedIPs++;
}
}
if (cleanedRateLimits > 0 || cleanedIPs > 0) {
this.logger.debug(`IP cleanup: removed ${cleanedIPs} IPs and ${cleanedRateLimits} rate limits`);
}
}
}