fix(PortProxy): Improve TLS renegotiation SNI handling by first checking if the new SNI is allowed under the existing domain config. If not, attempt to find an alternative domain config and update the locked domain accordingly; otherwise, terminate the connection on SNI mismatch.

changelog.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 2025-03-11 - 3.30.7 - fix(PortProxy)
+Improve TLS renegotiation SNI handling by first checking if the new SNI is allowed under the existing domain config. If not, attempt to find an alternative domain config and update the locked domain accordingly; otherwise, terminate the connection on SNI mismatch.
+
+- Added a preliminary check against the original domain config to allow re-handshakes if the new SNI matches allowed patterns.
+- If the original config does not allow, search for an alternative domain config and validate IP rules.
+- Update the locked domain when allowed, ensuring connection reuse with valid certificate context.
+- Terminate the connection if no suitable domain config is found or IP restrictions are violated.
+
 ## 2025-03-11 - 3.30.6 - fix(PortProxy)
 Improve TLS renegotiation handling in PortProxy by validating the new SNI against allowed domain configurations. If the new SNI is permitted based on existing IP rules, update the locked domain to allow connection reuse; otherwise, terminate the connection to prevent misrouting.
 

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.30.6',
+  version: '3.30.7',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
 }

ts/classes.portproxy.ts

@@ -873,8 +873,25 @@ export class PortProxy {
               
               // Check if the SNI has changed
               if (newSNI && newSNI !== record.lockedDomain) {
-                // Instead of immediately terminating, check if the new SNI would be allowed
-                // by the same ruleset that allowed the initial connection
+                // Always check whether the new SNI would be allowed by the EXISTING domain config first
+                // This ensures we're using the same ruleset that allowed the initial connection
+                let allowed = false;
+                
+                // First check if the exact original domain config would allow this new SNI
+                if (record.domainConfig) {
+                  // Check if the new SNI matches any domain pattern in the original domain config
+                  allowed = record.domainConfig.domains.some(d => plugins.minimatch(newSNI, d));
+                  
+                  if (allowed && this.settings.enableDetailedLogging) {
+                    console.log(
+                      `[${connectionId}] Rehandshake with new SNI: ${newSNI} matched existing domain config ` +
+                      `patterns ${record.domainConfig.domains.join(', ')}. Allowing connection reuse.`
+                    );
+                  }
+                }
+                
+                // If not allowed by the existing domain config, try to find another domain config
+                if (!allowed) {
                   const newDomainConfig = this.settings.domainConfigs.find((config) =>
                     config.domains.some((d) => plugins.minimatch(newSNI, d))
                   );
@@ -891,27 +908,38 @@ export class PortProxy {
                     ];
                     
                     // Check if the IP is allowed for the new domain
-                  if (isGlobIPAllowed(record.remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
-                    // Allow the domain switch - Chrome is reusing the connection for a different domain
-                    if (this.settings.enableDetailedLogging) {
+                    allowed = isGlobIPAllowed(record.remoteIP, effectiveAllowedIPs, effectiveBlockedIPs);
+                    
+                    if (allowed && this.settings.enableDetailedLogging) {
                       console.log(
                         `[${connectionId}] Rehandshake with new SNI: ${newSNI} (previously ${record.lockedDomain}). ` +
-                        `New domain is allowed by rules, permitting connection reuse.`
+                        `New domain is allowed by different domain config rules, permitting connection reuse.`
                       );
                     }
                     
-                    // Update the locked domain to the new domain
-                    record.lockedDomain = newSNI;
-                    return;
+                    // Update the domain config reference to the new one
+                    if (allowed) {
+                      record.domainConfig = newDomainConfig;
+                    }
                   }
                 }
                 
+                if (allowed) {
+                  // Update the locked domain to the new domain
+                  record.lockedDomain = newSNI;
+                  if (this.settings.enableDetailedLogging) {
+                    console.log(
+                      `[${connectionId}] Updated locked domain for connection from ${record.remoteIP} to: ${newSNI}`
+                    );
+                  }
+                } else {
                   // If we get here, either no matching domain config was found or the IP is not allowed
                   console.log(
                     `[${connectionId}] Rehandshake detected with different SNI: ${newSNI} vs locked ${record.lockedDomain}. ` +
-                  `New domain not allowed by rules. Terminating connection.`
+                    `New domain not allowed by any rules. Terminating connection.`
                   );
                   this.initiateCleanupOnce(record, 'sni_mismatch');
+                }
               } else if (newSNI && this.settings.enableDetailedLogging) {
                 console.log(
                   `[${connectionId}] Rehandshake detected with same SNI: ${newSNI}. Allowing.`