push.rocks/smartproxy
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): critical security and stability fixes
Some checks failed
Default (tags) / security (push) Successful in 1m2s
Details
Default (tags) / test (push) Failing after 46m14s
Details
Default (tags) / release (push) Has been skipped
Details
Default (tags) / metadata (push) Has been skipped
Details

Browse Source
This commit is contained in:
Jürgen Kunz
2025-08-14 14:30:54 +00:00
parent 6eac957baf
commit 5fbcf81c2c
19 changed files with 1647 additions and 1301 deletions
Download Patch File Download Diff File Expand all files Collapse all files

336
ts/proxies/smart-proxy/smart-proxy.ts
View File

@@ -25,6 +25,12 @@ import type { IRouteConfig } from './models/route-types.js';
// Import mutex for route update synchronization
import { Mutex } from './utils/mutex.js';
// Import route validator
import { RouteValidator } from './utils/route-validator.js';
// Import route orchestrator for route management
import { RouteOrchestrator } from './route-orchestrator.js';
// Import ACME state manager
import { AcmeStateManager } from './acme-state-manager.js';
@@ -66,12 +72,15 @@ export class SmartProxy extends plugins.EventEmitter {
// Global challenge route tracking
private globalChallengeRouteActive: boolean = false;
private routeUpdateLock: any = null; // Will be initialized as AsyncMutex
private routeUpdateLock: Mutex;
public acmeStateManager: AcmeStateManager;
// Metrics collector
public metricsCollector: MetricsCollector;
// Route orchestrator for managing route updates
private routeOrchestrator: RouteOrchestrator;
// Track port usage across route updates
private portUsageMap: Map<number, Set<string>> = new Map();
@@ -175,6 +184,15 @@ export class SmartProxy extends plugins.EventEmitter {
error: (message: string, data?: any) => logger.log('error', message, data)
};
// Validate initial routes
if (this.settings.routes && this.settings.routes.length > 0) {
const validation = RouteValidator.validateRoutes(this.settings.routes);
if (!validation.valid) {
RouteValidator.logValidationErrors(validation.errors);
throw new Error(`Initial route validation failed: ${validation.errors.size} route(s) have errors`);
}
}
this.routeManager = new RouteManager({
logger: loggerAdapter,
enableDetailedLogging: this.settings.enableDetailedLogging,
@@ -206,6 +224,16 @@ export class SmartProxy extends plugins.EventEmitter {
sampleIntervalMs: this.settings.metrics?.sampleIntervalMs,
retentionSeconds: this.settings.metrics?.retentionSeconds
});
// Initialize route orchestrator for managing route updates
this.routeOrchestrator = new RouteOrchestrator(
this.portManager,
this.routeManager,
this.httpProxyBridge,
this.nftablesManager,
null, // certManager will be set later
loggerAdapter
);
}
/**
@@ -354,8 +382,8 @@ export class SmartProxy extends plugins.EventEmitter {
// Get listening ports from RouteManager
const listeningPorts = this.routeManager.getListeningPorts();
// Initialize port usage tracking
this.portUsageMap = this.updatePortUsageMap(this.settings.routes);
// Initialize port usage tracking using RouteOrchestrator
this.portUsageMap = this.routeOrchestrator.updatePortUsageMap(this.settings.routes);
// Log port usage for startup
logger.log('info', `SmartProxy starting with ${listeningPorts.length} ports: ${listeningPorts.join(', ')}`, {
@@ -516,7 +544,7 @@ export class SmartProxy extends plugins.EventEmitter {
logger.log('info', 'All servers closed. Cleaning up active connections...');
// Clean up all active connections
this.connectionManager.clearConnections();
await this.connectionManager.clearConnections();
// Stop HttpProxy
await this.httpProxyBridge.stop();
@@ -527,6 +555,10 @@ export class SmartProxy extends plugins.EventEmitter {
// Stop metrics collector
this.metricsCollector.stop();
// Clean up ProtocolDetector singleton
const detection = await import('../../detection/index.js');
detection.ProtocolDetector.destroy();
// Flush any pending deduplicated logs
connectionLogDeduplicator.flushAll();
@@ -606,202 +638,46 @@ export class SmartProxy extends plugins.EventEmitter {
try {
logger.log('info', `Updating routes (${newRoutes.length} routes)`, {
routeCount: newRoutes.length,
component: 'route-manager'
component: 'smart-proxy'
});
} catch (error) {
// Silently handle logging errors
console.log(`[INFO] Updating routes (${newRoutes.length} routes)`);
}
// Track port usage before and after updates
const oldPortUsage = this.updatePortUsageMap(this.settings.routes);
const newPortUsage = this.updatePortUsageMap(newRoutes);
// Get the lists of currently listening ports and new ports needed
const currentPorts = new Set(this.portManager.getListeningPorts());
const newPortsSet = new Set(newPortUsage.keys());
// Log the port usage for debugging
try {
logger.log('debug', `Current listening ports: ${Array.from(currentPorts).join(', ')}`, {
ports: Array.from(currentPorts),
component: 'smart-proxy'
});
logger.log('debug', `Ports needed for new routes: ${Array.from(newPortsSet).join(', ')}`, {
ports: Array.from(newPortsSet),
component: 'smart-proxy'
});
} catch (error) {
// Silently handle logging errors
console.log(`[DEBUG] Current listening ports: ${Array.from(currentPorts).join(', ')}`);
console.log(`[DEBUG] Ports needed for new routes: ${Array.from(newPortsSet).join(', ')}`);
// Update route orchestrator dependencies if cert manager changed
if (this.certManager && !this.routeOrchestrator.getCertManager()) {
this.routeOrchestrator.setCertManager(this.certManager);
}
// Find orphaned ports - ports that no longer have any routes
const orphanedPorts = this.findOrphanedPorts(oldPortUsage, newPortUsage);
// Find new ports that need binding (only ports that we aren't already listening on)
const newBindingPorts = Array.from(newPortsSet).filter(p => !currentPorts.has(p));
// Check for ACME challenge port to give it special handling
const acmePort = this.settings.acme?.port || 80;
const acmePortNeeded = newPortsSet.has(acmePort);
const acmePortListed = newBindingPorts.includes(acmePort);
if (acmePortNeeded && acmePortListed) {
try {
logger.log('info', `Adding ACME challenge port ${acmePort} to routes`, {
port: acmePort,
component: 'smart-proxy'
});
} catch (error) {
// Silently handle logging errors
console.log(`[INFO] Adding ACME challenge port ${acmePort} to routes`);
// Delegate the complex route update logic to RouteOrchestrator
const updateResult = await this.routeOrchestrator.updateRoutes(
this.settings.routes,
newRoutes,
{
acmePort: this.settings.acme?.port || 80,
acmeOptions: this.certManager?.getAcmeOptions(),
acmeState: this.certManager?.getState(),
globalChallengeRouteActive: this.globalChallengeRouteActive,
createCertificateManager: this.createCertificateManager.bind(this),
verifyChallengeRouteRemoved: this.verifyChallengeRouteRemoved.bind(this)
}
}
// Get existing routes that use NFTables and update them
const oldNfTablesRoutes = this.settings.routes.filter(
r => r.action.forwardingEngine === 'nftables'
);
const newNfTablesRoutes = newRoutes.filter(
r => r.action.forwardingEngine === 'nftables'
);
// Update existing NFTables routes
for (const oldRoute of oldNfTablesRoutes) {
const newRoute = newNfTablesRoutes.find(r => r.name === oldRoute.name);
if (!newRoute) {
// Route was removed
await this.nftablesManager.deprovisionRoute(oldRoute);
} else {
// Route was updated
await this.nftablesManager.updateRoute(oldRoute, newRoute);
}
}
// Add new NFTables routes
for (const newRoute of newNfTablesRoutes) {
const oldRoute = oldNfTablesRoutes.find(r => r.name === newRoute.name);
if (!oldRoute) {
// New route
await this.nftablesManager.provisionRoute(newRoute);
}
}
// Update routes in RouteManager
this.routeManager.updateRoutes(newRoutes);
// Release orphaned ports first to free resources
if (orphanedPorts.length > 0) {
try {
logger.log('info', `Releasing ${orphanedPorts.length} orphaned ports: ${orphanedPorts.join(', ')}`, {
ports: orphanedPorts,
component: 'smart-proxy'
});
} catch (error) {
// Silently handle logging errors
console.log(`[INFO] Releasing ${orphanedPorts.length} orphaned ports: ${orphanedPorts.join(', ')}`);
}
await this.portManager.removePorts(orphanedPorts);
}
// Add new ports if needed
if (newBindingPorts.length > 0) {
try {
logger.log('info', `Binding to ${newBindingPorts.length} new ports: ${newBindingPorts.join(', ')}`, {
ports: newBindingPorts,
component: 'smart-proxy'
});
} catch (error) {
// Silently handle logging errors
console.log(`[INFO] Binding to ${newBindingPorts.length} new ports: ${newBindingPorts.join(', ')}`);
}
// Handle port binding with improved error recovery
try {
await this.portManager.addPorts(newBindingPorts);
} catch (error) {
// Special handling for port binding errors
// This provides better diagnostics for ACME challenge port conflicts
if ((error as any).code === 'EADDRINUSE') {
const port = (error as any).port || newBindingPorts[0];
const isAcmePort = port === acmePort;
if (isAcmePort) {
try {
logger.log('warn', `Could not bind to ACME challenge port ${port}. It may be in use by another application.`, {
port,
component: 'smart-proxy'
});
} catch (logError) {
console.log(`[WARN] Could not bind to ACME challenge port ${port}. It may be in use by another application.`);
}
// Re-throw with more helpful message
throw new Error(
`ACME challenge port ${port} is already in use by another application. ` +
`Configure a different port in settings.acme.port (e.g., 8080) or free up port ${port}.`
);
}
}
// Re-throw the original error for other cases
throw error;
}
}
// Update settings with the new routes
this.settings.routes = newRoutes;
// Save the new port usage map for future reference
this.portUsageMap = newPortUsage;
// If HttpProxy is initialized, resync the configurations
if (this.httpProxyBridge.getHttpProxy()) {
await this.httpProxyBridge.syncRoutesToHttpProxy(newRoutes);
}
// Update certificate manager with new routes
if (this.certManager) {
const existingAcmeOptions = this.certManager.getAcmeOptions();
const existingState = this.certManager.getState();
// Store global state before stopping
this.globalChallengeRouteActive = existingState.challengeRouteActive;
// Only stop the cert manager if absolutely necessary
// First check if there's an ACME route on the same port already
const acmePort = existingAcmeOptions?.port || 80;
const acmePortInUse = newPortUsage.has(acmePort) && newPortUsage.get(acmePort)!.size > 0;
try {
logger.log('debug', `ACME port ${acmePort} ${acmePortInUse ? 'is' : 'is not'} already in use by other routes`, {
port: acmePort,
inUse: acmePortInUse,
component: 'smart-proxy'
});
} catch (error) {
// Silently handle logging errors
console.log(`[DEBUG] ACME port ${acmePort} ${acmePortInUse ? 'is' : 'is not'} already in use by other routes`);
}
await this.certManager.stop();
// Verify the challenge route has been properly removed
await this.verifyChallengeRouteRemoved();
// Create new certificate manager with preserved state
this.certManager = await this.createCertificateManager(
newRoutes,
'./certs',
existingAcmeOptions,
{ challengeRouteActive: this.globalChallengeRouteActive }
);
// Update global state from orchestrator results
this.globalChallengeRouteActive = updateResult.newChallengeRouteActive;
// Update port usage map from orchestrator
this.portUsageMap = updateResult.portUsageMap;
// If certificate manager was recreated, update our reference
if (updateResult.newCertManager) {
this.certManager = updateResult.newCertManager;
// Update the orchestrator's reference too
this.routeOrchestrator.setCertManager(this.certManager);
}
});
}
@@ -822,87 +698,7 @@ export class SmartProxy extends plugins.EventEmitter {
await this.certManager.provisionCertificate(route);
}
/**
* Update the port usage map based on the provided routes
*
* This tracks which ports are used by which routes, allowing us to
* detect when a port is no longer needed and can be released.
*/
private updatePortUsageMap(routes: IRouteConfig[]): Map<number, Set<string>> {
// Reset the usage map
const portUsage = new Map<number, Set<string>>();
for (const route of routes) {
// Get the ports for this route
const portsConfig = Array.isArray(route.match.ports)
? route.match.ports
: [route.match.ports];
// Expand port range objects to individual port numbers
const expandedPorts: number[] = [];
for (const portConfig of portsConfig) {
if (typeof portConfig === 'number') {
expandedPorts.push(portConfig);
} else if (typeof portConfig === 'object' && 'from' in portConfig && 'to' in portConfig) {
// Expand the port range
for (let p = portConfig.from; p <= portConfig.to; p++) {
expandedPorts.push(p);
}
}
}
// Use route name if available, otherwise generate a unique ID
const routeName = route.name || `unnamed_${Math.random().toString(36).substring(2, 9)}`;
// Add each port to the usage map
for (const port of expandedPorts) {
if (!portUsage.has(port)) {
portUsage.set(port, new Set());
}
portUsage.get(port)!.add(routeName);
}
}
// Log port usage for debugging
for (const [port, routes] of portUsage.entries()) {
try {
logger.log('debug', `Port ${port} is used by ${routes.size} routes: ${Array.from(routes).join(', ')}`, {
port,
routeCount: routes.size,
component: 'smart-proxy'
});
} catch (error) {
// Silently handle logging errors
console.log(`[DEBUG] Port ${port} is used by ${routes.size} routes: ${Array.from(routes).join(', ')}`);
}
}
return portUsage;
}
/**
* Find ports that have no routes in the new configuration
*/
private findOrphanedPorts(oldUsage: Map<number, Set<string>>, newUsage: Map<number, Set<string>>): number[] {
const orphanedPorts: number[] = [];
for (const [port, routes] of oldUsage.entries()) {
if (!newUsage.has(port) || newUsage.get(port)!.size === 0) {
orphanedPorts.push(port);
try {
logger.log('info', `Port ${port} no longer has any associated routes, will be released`, {
port,
component: 'smart-proxy'
});
} catch (error) {
// Silently handle logging errors
console.log(`[INFO] Port ${port} no longer has any associated routes, will be released`);
}
}
}
return orphanedPorts;
}
// Port usage tracking methods moved to RouteOrchestrator
/**
* Force renewal of a certificate
@@ -1024,9 +820,9 @@ export class SmartProxy extends plugins.EventEmitter {
terminationStats,
acmeEnabled: !!this.certManager,
port80HandlerPort: this.certManager ? 80 : null,
routes: this.routeManager.getListeningPorts().length,
listeningPorts: this.portManager.getListeningPorts(),
activePorts: this.portManager.getListeningPorts().length
routeCount: this.settings.routes.length,
activePorts: this.portManager.getListeningPorts().length,
listeningPorts: this.portManager.getListeningPorts()
};
}