feat(nftables): Add NFTables integration for kernel-level forwarding and update documentation, tests, and helper functions
This commit is contained in:
@ -4,129 +4,122 @@ import { tap, expect } from '@push.rocks/tapbundle';
|
||||
import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
|
||||
import {
|
||||
createHttpRoute,
|
||||
createHttpsRoute,
|
||||
createPassthroughRoute,
|
||||
createRedirectRoute,
|
||||
createHttpsTerminateRoute,
|
||||
createHttpsPassthroughRoute,
|
||||
createHttpToHttpsRedirect,
|
||||
createBlockRoute,
|
||||
createCompleteHttpsServer,
|
||||
createLoadBalancerRoute,
|
||||
createHttpsServer,
|
||||
createPortRange,
|
||||
createSecurityConfig,
|
||||
createStaticFileRoute,
|
||||
createTestRoute
|
||||
} from '../ts/proxies/smart-proxy/route-helpers/index.js';
|
||||
createApiRoute,
|
||||
createWebSocketRoute
|
||||
} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
|
||||
import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
|
||||
|
||||
// Test to demonstrate various route configurations using the new helpers
|
||||
tap.test('Route-based configuration examples', async (tools) => {
|
||||
// Example 1: HTTP-only configuration
|
||||
const httpOnlyRoute = createHttpRoute({
|
||||
domains: 'http.example.com',
|
||||
target: {
|
||||
const httpOnlyRoute = createHttpRoute(
|
||||
'http.example.com',
|
||||
{
|
||||
host: 'localhost',
|
||||
port: 3000
|
||||
},
|
||||
security: {
|
||||
ipAllowList: ['*'] // Allow all
|
||||
},
|
||||
name: 'Basic HTTP Route'
|
||||
});
|
||||
{
|
||||
name: 'Basic HTTP Route'
|
||||
}
|
||||
);
|
||||
|
||||
console.log('HTTP-only route created successfully:', httpOnlyRoute.name);
|
||||
expect(httpOnlyRoute.action.type).toEqual('forward');
|
||||
expect(httpOnlyRoute.match.domains).toEqual('http.example.com');
|
||||
|
||||
// Example 2: HTTPS Passthrough (SNI) configuration
|
||||
const httpsPassthroughRoute = createPassthroughRoute({
|
||||
domains: 'pass.example.com',
|
||||
target: {
|
||||
const httpsPassthroughRoute = createHttpsPassthroughRoute(
|
||||
'pass.example.com',
|
||||
{
|
||||
host: ['10.0.0.1', '10.0.0.2'], // Round-robin target IPs
|
||||
port: 443
|
||||
},
|
||||
security: {
|
||||
ipAllowList: ['*'] // Allow all
|
||||
},
|
||||
name: 'HTTPS Passthrough Route'
|
||||
});
|
||||
{
|
||||
name: 'HTTPS Passthrough Route'
|
||||
}
|
||||
);
|
||||
|
||||
expect(httpsPassthroughRoute).toBeTruthy();
|
||||
expect(httpsPassthroughRoute.action.tls?.mode).toEqual('passthrough');
|
||||
expect(Array.isArray(httpsPassthroughRoute.action.target?.host)).toBeTrue();
|
||||
|
||||
// Example 3: HTTPS Termination to HTTP Backend
|
||||
const terminateToHttpRoute = createHttpsRoute({
|
||||
domains: 'secure.example.com',
|
||||
target: {
|
||||
const terminateToHttpRoute = createHttpsTerminateRoute(
|
||||
'secure.example.com',
|
||||
{
|
||||
host: 'localhost',
|
||||
port: 8080
|
||||
},
|
||||
tlsMode: 'terminate',
|
||||
certificate: 'auto',
|
||||
headers: {
|
||||
'X-Forwarded-Proto': 'https'
|
||||
},
|
||||
security: {
|
||||
ipAllowList: ['*'] // Allow all
|
||||
},
|
||||
name: 'HTTPS Termination to HTTP Backend'
|
||||
});
|
||||
{
|
||||
certificate: 'auto',
|
||||
name: 'HTTPS Termination to HTTP Backend'
|
||||
}
|
||||
);
|
||||
|
||||
// Create the HTTP to HTTPS redirect for this domain
|
||||
const httpToHttpsRedirect = createHttpToHttpsRedirect({
|
||||
domains: 'secure.example.com',
|
||||
name: 'HTTP to HTTPS Redirect for secure.example.com'
|
||||
});
|
||||
const httpToHttpsRedirect = createHttpToHttpsRedirect(
|
||||
'secure.example.com',
|
||||
443,
|
||||
{
|
||||
name: 'HTTP to HTTPS Redirect for secure.example.com'
|
||||
}
|
||||
);
|
||||
|
||||
expect(terminateToHttpRoute).toBeTruthy();
|
||||
expect(terminateToHttpRoute.action.tls?.mode).toEqual('terminate');
|
||||
expect(terminateToHttpRoute.action.advanced?.headers?.['X-Forwarded-Proto']).toEqual('https');
|
||||
expect(httpToHttpsRedirect.action.type).toEqual('redirect');
|
||||
|
||||
// Example 4: Load Balancer with HTTPS
|
||||
const loadBalancerRoute = createLoadBalancerRoute({
|
||||
domains: 'proxy.example.com',
|
||||
targets: ['internal-api-1.local', 'internal-api-2.local'],
|
||||
targetPort: 8443,
|
||||
tlsMode: 'terminate-and-reencrypt',
|
||||
certificate: 'auto',
|
||||
headers: {
|
||||
'X-Original-Host': '{domain}'
|
||||
},
|
||||
security: {
|
||||
ipAllowList: ['10.0.0.0/24', '192.168.1.0/24'],
|
||||
maxConnections: 1000
|
||||
},
|
||||
name: 'Load Balanced HTTPS Route'
|
||||
});
|
||||
const loadBalancerRoute = createLoadBalancerRoute(
|
||||
'proxy.example.com',
|
||||
['internal-api-1.local', 'internal-api-2.local'],
|
||||
8443,
|
||||
{
|
||||
tls: {
|
||||
mode: 'terminate-and-reencrypt',
|
||||
certificate: 'auto'
|
||||
},
|
||||
name: 'Load Balanced HTTPS Route'
|
||||
}
|
||||
);
|
||||
|
||||
expect(loadBalancerRoute).toBeTruthy();
|
||||
expect(loadBalancerRoute.action.tls?.mode).toEqual('terminate-and-reencrypt');
|
||||
expect(Array.isArray(loadBalancerRoute.action.target?.host)).toBeTrue();
|
||||
expect(loadBalancerRoute.action.security?.ipAllowList?.length).toEqual(2);
|
||||
|
||||
// Example 5: Block specific IPs
|
||||
const blockRoute = createBlockRoute({
|
||||
ports: [80, 443],
|
||||
clientIp: ['192.168.5.0/24'],
|
||||
name: 'Block Suspicious IPs',
|
||||
priority: 1000 // High priority to ensure it's evaluated first
|
||||
});
|
||||
// Example 5: API Route
|
||||
const apiRoute = createApiRoute(
|
||||
'api.example.com',
|
||||
'/api',
|
||||
{ host: 'localhost', port: 8081 },
|
||||
{
|
||||
name: 'API Route',
|
||||
useTls: true,
|
||||
addCorsHeaders: true
|
||||
}
|
||||
);
|
||||
|
||||
expect(blockRoute.action.type).toEqual('block');
|
||||
expect(blockRoute.match.clientIp?.length).toEqual(1);
|
||||
expect(blockRoute.priority).toEqual(1000);
|
||||
expect(apiRoute.action.type).toEqual('forward');
|
||||
expect(apiRoute.match.path).toBeTruthy();
|
||||
|
||||
// Example 6: Complete HTTPS Server with HTTP Redirect
|
||||
const httpsServerRoutes = createHttpsServer({
|
||||
domains: 'complete.example.com',
|
||||
target: {
|
||||
const httpsServerRoutes = createCompleteHttpsServer(
|
||||
'complete.example.com',
|
||||
{
|
||||
host: 'localhost',
|
||||
port: 8080
|
||||
},
|
||||
certificate: 'auto',
|
||||
name: 'Complete HTTPS Server'
|
||||
});
|
||||
{
|
||||
certificate: 'auto',
|
||||
name: 'Complete HTTPS Server'
|
||||
}
|
||||
);
|
||||
|
||||
expect(Array.isArray(httpsServerRoutes)).toBeTrue();
|
||||
expect(httpsServerRoutes.length).toEqual(2); // HTTPS route and HTTP redirect
|
||||
@ -134,35 +127,32 @@ tap.test('Route-based configuration examples', async (tools) => {
|
||||
expect(httpsServerRoutes[1].action.type).toEqual('redirect');
|
||||
|
||||
// Example 7: Static File Server
|
||||
const staticFileRoute = createStaticFileRoute({
|
||||
domains: 'static.example.com',
|
||||
targetDirectory: '/var/www/static',
|
||||
tlsMode: 'terminate',
|
||||
certificate: 'auto',
|
||||
headers: {
|
||||
'Cache-Control': 'public, max-age=86400'
|
||||
},
|
||||
name: 'Static File Server'
|
||||
});
|
||||
|
||||
expect(staticFileRoute.action.advanced?.staticFiles?.directory).toEqual('/var/www/static');
|
||||
expect(staticFileRoute.action.advanced?.headers?.['Cache-Control']).toEqual('public, max-age=86400');
|
||||
|
||||
// Example 8: Test Route for Debugging
|
||||
const testRoute = createTestRoute({
|
||||
ports: 8000,
|
||||
domains: 'test.example.com',
|
||||
response: {
|
||||
status: 200,
|
||||
headers: {
|
||||
'Content-Type': 'application/json'
|
||||
},
|
||||
body: JSON.stringify({ status: 'ok', message: 'API is working!' })
|
||||
const staticFileRoute = createStaticFileRoute(
|
||||
'static.example.com',
|
||||
'/var/www/static',
|
||||
{
|
||||
serveOnHttps: true,
|
||||
certificate: 'auto',
|
||||
name: 'Static File Server'
|
||||
}
|
||||
});
|
||||
);
|
||||
|
||||
expect(testRoute.match.ports).toEqual(8000);
|
||||
expect(testRoute.action.advanced?.testResponse?.status).toEqual(200);
|
||||
expect(staticFileRoute.action.type).toEqual('static');
|
||||
expect(staticFileRoute.action.static?.root).toEqual('/var/www/static');
|
||||
|
||||
// Example 8: WebSocket Route
|
||||
const webSocketRoute = createWebSocketRoute(
|
||||
'ws.example.com',
|
||||
'/ws',
|
||||
{ host: 'localhost', port: 8082 },
|
||||
{
|
||||
useTls: true,
|
||||
name: 'WebSocket Route'
|
||||
}
|
||||
);
|
||||
|
||||
expect(webSocketRoute.action.type).toEqual('forward');
|
||||
expect(webSocketRoute.action.websocket?.enabled).toBeTrue();
|
||||
|
||||
// Create a SmartProxy instance with all routes
|
||||
const allRoutes: IRouteConfig[] = [
|
||||
@ -171,27 +161,21 @@ tap.test('Route-based configuration examples', async (tools) => {
|
||||
terminateToHttpRoute,
|
||||
httpToHttpsRedirect,
|
||||
loadBalancerRoute,
|
||||
blockRoute,
|
||||
apiRoute,
|
||||
...httpsServerRoutes,
|
||||
staticFileRoute,
|
||||
testRoute
|
||||
webSocketRoute
|
||||
];
|
||||
|
||||
// We're not actually starting the SmartProxy in this test,
|
||||
// just verifying that the configuration is valid
|
||||
const smartProxy = new SmartProxy({
|
||||
routes: allRoutes,
|
||||
acme: {
|
||||
email: 'admin@example.com',
|
||||
termsOfServiceAgreed: true,
|
||||
directoryUrl: 'https://acme-staging-v02.api.letsencrypt.org/directory'
|
||||
}
|
||||
routes: allRoutes
|
||||
});
|
||||
|
||||
console.log(`Smart Proxy configured with ${allRoutes.length} routes`);
|
||||
|
||||
// Verify our example proxy was created correctly
|
||||
expect(smartProxy).toBeTruthy();
|
||||
// Just verify that all routes are configured correctly
|
||||
console.log(`Created ${allRoutes.length} example routes`);
|
||||
expect(allRoutes.length).toEqual(8);
|
||||
});
|
||||
|
||||
export default tap.start();
|
||||
Reference in New Issue
Block a user