fix(PortProxy): Improved IP validation logic in PortProxy to ensure correct domain matching and fallback

changelog.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 2025-02-27 - 3.16.7 - fix(PortProxy)
+Improved IP validation logic in PortProxy to ensure correct domain matching and fallback
+
+- Refactored the setupConnection function inside PortProxy to enhance IP address validation.
+- Domain-specific allowed IP preference is applied before default list lookup.
+- Removed redundant condition checks to streamline connection rejection paths.
+
 ## 2025-02-27 - 3.16.6 - fix(PortProxy)
 Optimize connection cleanup logic in PortProxy by removing unnecessary delays.
 

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.16.6',
+  version: '3.16.7',
   description: 'A robust and versatile proxy package designed to handle high workloads, offering features like SSL redirection, port proxying, WebSocket support, and customizable routing and authentication.'
 }

ts/classes.portproxy.ts

@@ -211,18 +211,20 @@ export class PortProxy {
        */
       const setupConnection = (serverName: string, initialChunk?: Buffer, forcedDomain?: IDomainConfig, overridePort?: number) => {
         // If a forcedDomain is provided (port-based routing), use it; otherwise, use SNI-based lookup.
-        const domainConfig = forcedDomain ? forcedDomain : (serverName ? this.settings.domains.find(config => plugins.minimatch(serverName, config.domain)) : undefined);
-        const defaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
+        const domainConfig = forcedDomain
+          ? forcedDomain
+          : (serverName ? this.settings.domains.find(config => plugins.minimatch(serverName, config.domain)) : undefined);
 
-        if (!defaultAllowed && serverName && !forcedDomain) {
-          if (!domainConfig) {
-            return rejectIncomingConnection('rejected', `Connection rejected: No matching domain config for ${serverName} from ${remoteIP}`);
-          }
+        // New check: if a matching domain config exists, use its allowedIPs in preference.
+        if (domainConfig) {
           if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
-            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
+            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${domainConfig.domain}`);
+          }
+        } else if (this.settings.defaultAllowedIPs) {
+          // Fallback to default allowed IPs if no domain config is found.
+          if (!isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed by default allowed list`);
           }
-        } else if (defaultAllowed && !serverName) {
-          console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
         }
         const targetHost = domainConfig?.targetIP || this.settings.targetIP!;
         const connectionOptions: plugins.net.NetConnectOpts = {
@@ -334,8 +336,7 @@ export class PortProxy {
             domain => domain.portRanges && domain.portRanges.length > 0 && isPortInRanges(localPort, domain.portRanges)
           );
           if (forcedDomain) {
-            const defaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
-            if (!defaultAllowed && !isAllowed(remoteIP, forcedDomain.allowedIPs)) {
+            if (!isAllowed(remoteIP, forcedDomain.allowedIPs)) {
               console.log(`Connection from ${remoteIP} rejected: IP not allowed for domain ${forcedDomain.domain} on port ${localPort}.`);
               socket.end();
               return;