fix(PortProxy): Improve TLS renegotiation SNI handling by first checking if the new SNI is allowed under the existing domain config. If not, attempt to find an alternative domain config and update the locked domain accordingly; otherwise, terminate the connection on SNI mismatch.

This commit is contained in:
Philipp Kunz 2025-03-11 02:25:58 +00:00
parent 4225abe3c4
commit 788b444fcc
3 changed files with 71 additions and 35 deletions

View File

@ -1,5 +1,13 @@
# Changelog
## 2025-03-11 - 3.30.7 - fix(PortProxy)
Improve TLS renegotiation SNI handling by first checking if the new SNI is allowed under the existing domain config. If not, attempt to find an alternative domain config and update the locked domain accordingly; otherwise, terminate the connection on SNI mismatch.
- Added a preliminary check against the original domain config to allow re-handshakes if the new SNI matches allowed patterns.
- If the original config does not allow, search for an alternative domain config and validate IP rules.
- Update the locked domain when allowed, ensuring connection reuse with valid certificate context.
- Terminate the connection if no suitable domain config is found or IP restrictions are violated.
## 2025-03-11 - 3.30.6 - fix(PortProxy)
Improve TLS renegotiation handling in PortProxy by validating the new SNI against allowed domain configurations. If the new SNI is permitted based on existing IP rules, update the locked domain to allow connection reuse; otherwise, terminate the connection to prevent misrouting.

View File

@ -3,6 +3,6 @@
*/
export const commitinfo = {
name: '@push.rocks/smartproxy',
version: '3.30.6',
version: '3.30.7',
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
}

View File

@ -873,45 +873,73 @@ export class PortProxy {
// Check if the SNI has changed
if (newSNI && newSNI !== record.lockedDomain) {
// Instead of immediately terminating, check if the new SNI would be allowed
// by the same ruleset that allowed the initial connection
const newDomainConfig = this.settings.domainConfigs.find((config) =>
config.domains.some((d) => plugins.minimatch(newSNI, d))
);
// Always check whether the new SNI would be allowed by the EXISTING domain config first
// This ensures we're using the same ruleset that allowed the initial connection
let allowed = false;
// If we found a matching domain config, check IP rules
if (newDomainConfig) {
const effectiveAllowedIPs = [
...newDomainConfig.allowedIPs,
...(this.settings.defaultAllowedIPs || []),
];
const effectiveBlockedIPs = [
...(newDomainConfig.blockedIPs || []),
...(this.settings.defaultBlockedIPs || []),
];
// First check if the exact original domain config would allow this new SNI
if (record.domainConfig) {
// Check if the new SNI matches any domain pattern in the original domain config
allowed = record.domainConfig.domains.some(d => plugins.minimatch(newSNI, d));
// Check if the IP is allowed for the new domain
if (isGlobIPAllowed(record.remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
// Allow the domain switch - Chrome is reusing the connection for a different domain
if (this.settings.enableDetailedLogging) {
console.log(
`[${connectionId}] Rehandshake with new SNI: ${newSNI} (previously ${record.lockedDomain}). ` +
`New domain is allowed by rules, permitting connection reuse.`
);
}
// Update the locked domain to the new domain
record.lockedDomain = newSNI;
return;
if (allowed && this.settings.enableDetailedLogging) {
console.log(
`[${connectionId}] Rehandshake with new SNI: ${newSNI} matched existing domain config ` +
`patterns ${record.domainConfig.domains.join(', ')}. Allowing connection reuse.`
);
}
}
// If we get here, either no matching domain config was found or the IP is not allowed
console.log(
`[${connectionId}] Rehandshake detected with different SNI: ${newSNI} vs locked ${record.lockedDomain}. ` +
`New domain not allowed by rules. Terminating connection.`
);
this.initiateCleanupOnce(record, 'sni_mismatch');
// If not allowed by the existing domain config, try to find another domain config
if (!allowed) {
const newDomainConfig = this.settings.domainConfigs.find((config) =>
config.domains.some((d) => plugins.minimatch(newSNI, d))
);
// If we found a matching domain config, check IP rules
if (newDomainConfig) {
const effectiveAllowedIPs = [
...newDomainConfig.allowedIPs,
...(this.settings.defaultAllowedIPs || []),
];
const effectiveBlockedIPs = [
...(newDomainConfig.blockedIPs || []),
...(this.settings.defaultBlockedIPs || []),
];
// Check if the IP is allowed for the new domain
allowed = isGlobIPAllowed(record.remoteIP, effectiveAllowedIPs, effectiveBlockedIPs);
if (allowed && this.settings.enableDetailedLogging) {
console.log(
`[${connectionId}] Rehandshake with new SNI: ${newSNI} (previously ${record.lockedDomain}). ` +
`New domain is allowed by different domain config rules, permitting connection reuse.`
);
}
// Update the domain config reference to the new one
if (allowed) {
record.domainConfig = newDomainConfig;
}
}
}
if (allowed) {
// Update the locked domain to the new domain
record.lockedDomain = newSNI;
if (this.settings.enableDetailedLogging) {
console.log(
`[${connectionId}] Updated locked domain for connection from ${record.remoteIP} to: ${newSNI}`
);
}
} else {
// If we get here, either no matching domain config was found or the IP is not allowed
console.log(
`[${connectionId}] Rehandshake detected with different SNI: ${newSNI} vs locked ${record.lockedDomain}. ` +
`New domain not allowed by any rules. Terminating connection.`
);
this.initiateCleanupOnce(record, 'sni_mismatch');
}
} else if (newSNI && this.settings.enableDetailedLogging) {
console.log(
`[${connectionId}] Rehandshake detected with same SNI: ${newSNI}. Allowing.`