push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(IPTablesProxy): Enhanced IPTablesProxy with multi-port and IPv6 support

Browse Source
This commit is contained in:
Philipp Kunz 2025-03-07 14:30:38 +00:00
parent d8585975a8
commit bbdea52677
7 changed files with 1907 additions and 603 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
changelog.md
View File

@ -1,5 +1,14 @@
# Changelog # Changelog
## 2025-03-07 - 3.29.0 - feat(IPTablesProxy)
Enhanced IPTablesProxy with multi-port and IPv6 support
- Added support for specifying multiple ports and port ranges, allowing for more complex network proxy configurations.
- Introduced IPv6 support to allow handling of IPv6 addressed networks.
- Implemented more detailed logging and error handling features to improve debugging capabilities.
- Enhanced integration options with NetworkProxy, allowing for a more seamless routing and termination process.
- Restructured the initialization and validation process to ensure robust handling of configuration settings.
## 2025-03-07 - 3.28.6 - fix(PortProxy) ## 2025-03-07 - 3.28.6 - fix(PortProxy)
Adjust default timeout settings and enhance keep-alive connection handling in PortProxy. Adjust default timeout settings and enhance keep-alive connection handling in PortProxy.

2
package.json
View File

@ -28,7 +28,7 @@
"@push.rocks/smartpromise": "^4.2.3", "@push.rocks/smartpromise": "^4.2.3",
"@push.rocks/smartrequest": "^2.0.23", "@push.rocks/smartrequest": "^2.0.23",
"@push.rocks/smartstring": "^4.0.15", "@push.rocks/smartstring": "^4.0.15",
"@tsclass/tsclass": "^4.4.0", "@tsclass/tsclass": "^4.4.3",
"@types/minimatch": "^5.1.2", "@types/minimatch": "^5.1.2",
"@types/ws": "^8.18.0", "@types/ws": "^8.18.0",
"acme-client": "^5.4.0", "acme-client": "^5.4.0",

38
pnpm-lock.yaml generated
View File

@ -24,8 +24,8 @@ importers:
specifier: ^4.0.15 specifier: ^4.0.15
version: 4.0.15 version: 4.0.15
'@tsclass/tsclass': '@tsclass/tsclass':
specifier: ^4.4.0 specifier: ^4.4.3
version: 4.4.0 version: 4.4.3
'@types/minimatch': '@types/minimatch':
specifier: ^5.1.2 specifier: ^5.1.2
version: 5.1.2 version: 5.1.2
@ -1316,8 +1316,8 @@ packages:
'@tsclass/tsclass@3.0.48': '@tsclass/tsclass@3.0.48':
resolution: {integrity: sha512-hC65UvDlp9qvsl6OcIZXz0JNiWZ0gyzsTzbXpg215sGxopgbkOLCr6E0s4qCTnweYm95gt2AdY95uP7M7kExaQ==} resolution: {integrity: sha512-hC65UvDlp9qvsl6OcIZXz0JNiWZ0gyzsTzbXpg215sGxopgbkOLCr6E0s4qCTnweYm95gt2AdY95uP7M7kExaQ==}
'@tsclass/tsclass@4.4.0': '@tsclass/tsclass@4.4.3':
resolution: {integrity: sha512-/T3qmxj28yRMM+0x9UtyBmrsJ66flviQEDg3M4kwmWuZQgbrDACa6JXdA0ieqfmuPOXDJRRDKcyKaKvKi2EdwA==} resolution: {integrity: sha512-Vhp+B1UsYlwXLhIeds++CXEeCwFgRzpput4YNM7Qyhr+UQgIMFRFAs2HSI3jEE5r9c1hR9G6MkSxi2U/CLyiaA==}
'@types/accepts@1.3.7': '@types/accepts@1.3.7':
resolution: {integrity: sha512-Pay9fq2lM2wXPWbteBsRAGiWH2hig4ZE2asK+mm7kUzlxRTfL961rj89I6zV/E3PcIkDqyuBEcMxFT7rccugeQ==} resolution: {integrity: sha512-Pay9fq2lM2wXPWbteBsRAGiWH2hig4ZE2asK+mm7kUzlxRTfL961rj89I6zV/E3PcIkDqyuBEcMxFT7rccugeQ==}
@ -3979,8 +3979,8 @@ packages:
resolution: {integrity: sha512-RAH822pAdBgcNMAfWnCBU3CFZcfZ/i1eZjwFU/dsLKumyuuP3niueg2UAukXYF0E2AAoc82ZSSf9J0WQBinzHA==} resolution: {integrity: sha512-RAH822pAdBgcNMAfWnCBU3CFZcfZ/i1eZjwFU/dsLKumyuuP3niueg2UAukXYF0E2AAoc82ZSSf9J0WQBinzHA==}
engines: {node: '>=12.20'} engines: {node: '>=12.20'}
type-fest@4.33.0: type-fest@4.37.0:
resolution: {integrity: sha512-s6zVrxuyKbbAsSAD5ZPTB77q4YIdRctkTbJ2/Dqlinwz+8ooH2gd+YA7VA6Pa93KML9GockVvoxjZ2vHP+mu8g==} resolution: {integrity: sha512-S/5/0kFftkq27FPNye0XM1e2NsnoD/3FS+pBmbjmmtLT6I+i344KoOf7pvXreaFsDamWeaJX55nczA1m5PsBDg==}
engines: {node: '>=16'} engines: {node: '>=16'}
type-is@1.6.18: type-is@1.6.18:
@ -4286,7 +4286,7 @@ snapshots:
'@push.rocks/taskbuffer': 3.1.7 '@push.rocks/taskbuffer': 3.1.7
'@push.rocks/webrequest': 3.0.37 '@push.rocks/webrequest': 3.0.37
'@push.rocks/webstore': 2.0.20 '@push.rocks/webstore': 2.0.20
'@tsclass/tsclass': 4.4.0 '@tsclass/tsclass': 4.4.3
'@types/express': 4.17.21 '@types/express': 4.17.21
body-parser: 1.20.3 body-parser: 1.20.3
cors: 2.8.5 cors: 2.8.5
@ -5420,7 +5420,7 @@ snapshots:
'@push.rocks/smartstring': 4.0.15 '@push.rocks/smartstring': 4.0.15
'@push.rocks/smartunique': 3.0.9 '@push.rocks/smartunique': 3.0.9
'@push.rocks/taskbuffer': 3.1.7 '@push.rocks/taskbuffer': 3.1.7
'@tsclass/tsclass': 4.4.0 '@tsclass/tsclass': 4.4.3
transitivePeerDependencies: transitivePeerDependencies:
- aws-crt - aws-crt
@ -5442,7 +5442,7 @@ snapshots:
'@pushrocks/smartjson': 4.0.6 '@pushrocks/smartjson': 4.0.6
'@pushrocks/smartpath': 5.0.5 '@pushrocks/smartpath': 5.0.5
'@pushrocks/smartpromise': 3.1.10 '@pushrocks/smartpromise': 3.1.10
'@tsclass/tsclass': 4.4.0 '@tsclass/tsclass': 4.4.3
mongodb: 4.17.2 mongodb: 4.17.2
transitivePeerDependencies: transitivePeerDependencies:
- aws-crt - aws-crt
@ -5492,7 +5492,7 @@ snapshots:
'@push.rocks/smartstream': 3.2.5 '@push.rocks/smartstream': 3.2.5
'@push.rocks/smartstring': 4.0.15 '@push.rocks/smartstring': 4.0.15
'@push.rocks/smartunique': 3.0.9 '@push.rocks/smartunique': 3.0.9
'@tsclass/tsclass': 4.4.0 '@tsclass/tsclass': 4.4.3
transitivePeerDependencies: transitivePeerDependencies:
- aws-crt - aws-crt
@ -5542,7 +5542,7 @@ snapshots:
'@push.rocks/smarttime': 4.1.1 '@push.rocks/smarttime': 4.1.1
'@push.rocks/smartunique': 3.0.9 '@push.rocks/smartunique': 3.0.9
'@push.rocks/taskbuffer': 3.1.7 '@push.rocks/taskbuffer': 3.1.7
'@tsclass/tsclass': 4.4.0 '@tsclass/tsclass': 4.4.3
mongodb: 6.13.0(@aws-sdk/credential-providers@3.741.0)(socks@2.8.3) mongodb: 6.13.0(@aws-sdk/credential-providers@3.741.0)(socks@2.8.3)
transitivePeerDependencies: transitivePeerDependencies:
- '@aws-sdk/credential-providers' - '@aws-sdk/credential-providers'
@ -5654,7 +5654,7 @@ snapshots:
'@push.rocks/smartlog-interfaces@3.0.2': '@push.rocks/smartlog-interfaces@3.0.2':
dependencies: dependencies:
'@api.global/typedrequest-interfaces': 2.0.2 '@api.global/typedrequest-interfaces': 2.0.2
'@tsclass/tsclass': 4.4.0 '@tsclass/tsclass': 4.4.3
'@push.rocks/smartlog@3.0.7': '@push.rocks/smartlog@3.0.7':
dependencies: dependencies:
@ -5768,7 +5768,7 @@ snapshots:
'@push.rocks/smartpromise': 4.2.3 '@push.rocks/smartpromise': 4.2.3
'@push.rocks/smartpuppeteer': 2.0.2 '@push.rocks/smartpuppeteer': 2.0.2
'@push.rocks/smartunique': 3.0.9 '@push.rocks/smartunique': 3.0.9
'@tsclass/tsclass': 4.4.0 '@tsclass/tsclass': 4.4.3
'@types/express': 5.0.0 '@types/express': 5.0.0
express: 4.21.2 express: 4.21.2
pdf-lib: 1.17.1 pdf-lib: 1.17.1
@ -5817,7 +5817,7 @@ snapshots:
'@push.rocks/smartbucket': 3.3.7 '@push.rocks/smartbucket': 3.3.7
'@push.rocks/smartfile': 11.2.0 '@push.rocks/smartfile': 11.2.0
'@push.rocks/smartpath': 5.0.18 '@push.rocks/smartpath': 5.0.18
'@tsclass/tsclass': 4.4.0 '@tsclass/tsclass': 4.4.3
'@types/s3rver': 3.7.4 '@types/s3rver': 3.7.4
s3rver: 3.7.1 s3rver: 3.7.1
transitivePeerDependencies: transitivePeerDependencies:
@ -5849,7 +5849,7 @@ snapshots:
'@push.rocks/smartxml': 1.1.1 '@push.rocks/smartxml': 1.1.1
'@push.rocks/smartyaml': 2.0.5 '@push.rocks/smartyaml': 2.0.5
'@push.rocks/webrequest': 3.0.37 '@push.rocks/webrequest': 3.0.37
'@tsclass/tsclass': 4.4.0 '@tsclass/tsclass': 4.4.3
'@push.rocks/smartsocket@2.0.27': '@push.rocks/smartsocket@2.0.27':
dependencies: dependencies:
@ -6008,7 +6008,7 @@ snapshots:
dependencies: dependencies:
'@pushrocks/smartdelay': 3.0.1 '@pushrocks/smartdelay': 3.0.1
'@pushrocks/smartpromise': 4.0.2 '@pushrocks/smartpromise': 4.0.2
'@tsclass/tsclass': 4.4.0 '@tsclass/tsclass': 4.4.3
'@push.rocks/webstore@2.0.20': '@push.rocks/webstore@2.0.20':
dependencies: dependencies:
@ -6572,9 +6572,9 @@ snapshots:
dependencies: dependencies:
type-fest: 2.19.0 type-fest: 2.19.0
'@tsclass/tsclass@4.4.0': '@tsclass/tsclass@4.4.3':
dependencies: dependencies:
type-fest: 4.33.0 type-fest: 4.37.0
'@types/accepts@1.3.7': '@types/accepts@1.3.7':
dependencies: dependencies:
@ -9711,7 +9711,7 @@ snapshots:
type-fest@2.19.0: {} type-fest@2.19.0: {}
type-fest@4.33.0: {} type-fest@4.37.0: {}
type-is@1.6.18: type-is@1.6.18:
dependencies: dependencies:

2
ts/00_commitinfo_data.ts
View File

@ -3,6 +3,6 @@
*/ */
export const commitinfo = { export const commitinfo = {
name: '@push.rocks/smartproxy', name: '@push.rocks/smartproxy',
version: '3.28.6', version: '3.29.0',
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.' description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
} }

848
ts/classes.iptablesproxy.ts
View File

@ -3,43 +3,100 @@ import { promisify } from 'util';
const execAsync = promisify(exec); const execAsync = promisify(exec);
/**
* Represents a port range for forwarding
*/
export interface IPortRange {
from: number;
to: number;
}
/** /**
* Settings for IPTablesProxy. * Settings for IPTablesProxy.
*/ */
export interface IIpTableProxySettings { export interface IIpTableProxySettings {
fromPort: number; // Basic settings
toPort: number; fromPort: number | IPortRange | Array<number | IPortRange>; // Support single port, port range, or multiple ports/ranges
toPort: number | IPortRange | Array<number | IPortRange>;
toHost?: string; // Target host for proxying; defaults to 'localhost' toHost?: string; // Target host for proxying; defaults to 'localhost'
preserveSourceIP?: boolean; // If true, the original source IP is preserved.
deleteOnExit?: boolean; // If true, clean up marked iptables rules before process exit. // Advanced settings
preserveSourceIP?: boolean; // If true, the original source IP is preserved
deleteOnExit?: boolean; // If true, clean up marked iptables rules before process exit
protocol?: 'tcp' | 'udp' | 'all'; // Protocol to forward, defaults to 'tcp'
enableLogging?: boolean; // Enable detailed logging
ipv6Support?: boolean; // Enable IPv6 support (ip6tables)
// Source filtering
allowedSourceIPs?: string[]; // If provided, only these IPs are allowed
bannedSourceIPs?: string[]; // If provided, these IPs are blocked
// Rule management
forceCleanSlate?: boolean; // Clear all IPTablesProxy rules before starting
addJumpRule?: boolean; // Add a custom chain for cleaner rule management
checkExistingRules?: boolean; // Check if rules already exist before adding
// Integration with PortProxy/NetworkProxy
netProxyIntegration?: {
enabled: boolean;
redirectLocalhost?: boolean; // Redirect localhost traffic to NetworkProxy
sslTerminationPort?: number; // Port where NetworkProxy handles SSL termination
};
}
/**
* Represents a rule added to iptables
*/
interface IpTablesRule {
table: string;
chain: string;
command: string;
tag: string;
added: boolean;
} }
/** /**
* IPTablesProxy sets up iptables NAT rules to forward TCP traffic. * IPTablesProxy sets up iptables NAT rules to forward TCP traffic.
* It only supports basic port forwarding and uses iptables comments to tag rules. * Enhanced with multi-port support, IPv6, and integration with PortProxy/NetworkProxy.
*/ */
export class IPTablesProxy { export class IPTablesProxy {
public settings: IIpTableProxySettings; public settings: IIpTableProxySettings;
private rulesInstalled: boolean = false; private rules: IpTablesRule[] = [];
private ruleTag: string; private ruleTag: string;
private customChain: string | null = null;
constructor(settings: IIpTableProxySettings) { constructor(settings: IIpTableProxySettings) {
// Validate inputs to prevent command injection
this.validateSettings(settings);
// Set default settings
this.settings = { this.settings = {
...settings, ...settings,
toHost: settings.toHost || 'localhost', toHost: settings.toHost || 'localhost',
protocol: settings.protocol || 'tcp',
enableLogging: settings.enableLogging !== undefined ? settings.enableLogging : false,
ipv6Support: settings.ipv6Support !== undefined ? settings.ipv6Support : false,
checkExistingRules: settings.checkExistingRules !== undefined ? settings.checkExistingRules : true,
netProxyIntegration: settings.netProxyIntegration || { enabled: false }
}; };
// Generate a unique identifier for the rules added by this instance.
// Generate a unique identifier for the rules added by this instance
this.ruleTag = `IPTablesProxy:${Date.now()}:${Math.random().toString(36).substr(2, 5)}`; this.ruleTag = `IPTablesProxy:${Date.now()}:${Math.random().toString(36).substr(2, 5)}`;
// If deleteOnExit is true, register cleanup handlers. if (this.settings.addJumpRule) {
this.customChain = `IPTablesProxy_${Math.random().toString(36).substr(2, 5)}`;
}
// Register cleanup handlers if deleteOnExit is true
if (this.settings.deleteOnExit) { if (this.settings.deleteOnExit) {
const cleanup = () => { const cleanup = () => {
try { try {
IPTablesProxy.cleanSlateSync(); this.stopSync();
} catch (err) { } catch (err) {
console.error('Error cleaning iptables rules on exit:', err); console.error('Error cleaning iptables rules on exit:', err);
} }
}; };
process.on('exit', cleanup); process.on('exit', cleanup);
process.on('SIGINT', () => { process.on('SIGINT', () => {
cleanup(); cleanup();
@ -53,76 +110,591 @@ export class IPTablesProxy {
} }
/** /**
* Sets up iptables rules for port forwarding. * Validates settings to prevent command injection and ensure valid values
* The rules are tagged with a unique comment so that they can be identified later.
*/ */
public async start(): Promise<void> { private validateSettings(settings: IIpTableProxySettings): void {
const dnatCmd = `iptables -t nat -A PREROUTING -p tcp --dport ${this.settings.fromPort} ` + // Validate port numbers
`-j DNAT --to-destination ${this.settings.toHost}:${this.settings.toPort} ` + const validatePorts = (port: number | IPortRange | Array<number | IPortRange>) => {
`-m comment --comment "${this.ruleTag}:DNAT"`; if (Array.isArray(port)) {
try { port.forEach(p => validatePorts(p));
await execAsync(dnatCmd); return;
console.log(`Added iptables rule: ${dnatCmd}`);
this.rulesInstalled = true;
} catch (err) {
console.error(`Failed to add iptables DNAT rule: ${err}`);
throw err;
} }
// If preserveSourceIP is false, add a MASQUERADE rule. if (typeof port === 'number') {
if (!this.settings.preserveSourceIP) { if (port < 1 || port > 65535) {
const masqueradeCmd = `iptables -t nat -A POSTROUTING -p tcp -d ${this.settings.toHost} ` + throw new Error(`Invalid port number: ${port}`);
`--dport ${this.settings.toPort} -j MASQUERADE ` +
`-m comment --comment "${this.ruleTag}:MASQ"`;
try {
await execAsync(masqueradeCmd);
console.log(`Added iptables rule: ${masqueradeCmd}`);
} catch (err) {
console.error(`Failed to add iptables MASQUERADE rule: ${err}`);
// Roll back the DNAT rule if MASQUERADE fails.
try {
const rollbackCmd = `iptables -t nat -D PREROUTING -p tcp --dport ${this.settings.fromPort} ` +
`-j DNAT --to-destination ${this.settings.toHost}:${this.settings.toPort} ` +
`-m comment --comment "${this.ruleTag}:DNAT"`;
await execAsync(rollbackCmd);
this.rulesInstalled = false;
} catch (rollbackErr) {
console.error(`Rollback failed: ${rollbackErr}`);
} }
throw err; } else if (typeof port === 'object') {
if (port.from < 1 || port.from > 65535 || port.to < 1 || port.to > 65535 || port.from > port.to) {
throw new Error(`Invalid port range: ${port.from}-${port.to}`);
}
}
};
validatePorts(settings.fromPort);
validatePorts(settings.toPort);
// Define regex patterns at the method level so they're available throughout
const ipRegex = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/;
const ipv6Regex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/;
// Validate IP addresses
const validateIPs = (ips?: string[]) => {
if (!ips) return;
for (const ip of ips) {
if (!ipRegex.test(ip) && !ipv6Regex.test(ip)) {
throw new Error(`Invalid IP address format: ${ip}`);
}
}
};
validateIPs(settings.allowedSourceIPs);
validateIPs(settings.bannedSourceIPs);
// Validate toHost - only allow hostnames or IPs
if (settings.toHost) {
const hostRegex = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/;
if (!hostRegex.test(settings.toHost) && !ipRegex.test(settings.toHost) && !ipv6Regex.test(settings.toHost)) {
throw new Error(`Invalid host format: ${settings.toHost}`);
} }
} }
} }
/** /**
* Removes the iptables rules that were added in start(), by matching the unique comment. * Normalizes port specifications into an array of port ranges
*/
private normalizePortSpec(portSpec: number | IPortRange | Array<number | IPortRange>): IPortRange[] {
const result: IPortRange[] = [];
if (Array.isArray(portSpec)) {
// If it's an array, process each element
for (const spec of portSpec) {
result.push(...this.normalizePortSpec(spec));
}
} else if (typeof portSpec === 'number') {
// Single port becomes a range with the same start and end
result.push({ from: portSpec, to: portSpec });
} else {
// Already a range
result.push(portSpec);
}
return result;
}
/**
* Gets the appropriate iptables command based on settings
*/
private getIptablesCommand(isIpv6: boolean = false): string {
return isIpv6 ? 'ip6tables' : 'iptables';
}
/**
* Checks if a rule already exists in iptables
*/
private async ruleExists(table: string, command: string, isIpv6: boolean = false): Promise<boolean> {
try {
const iptablesCmd = this.getIptablesCommand(isIpv6);
const { stdout } = await execAsync(`${iptablesCmd}-save -t ${table}`);
// Convert the command to the format found in iptables-save output
// (This is a simplification - in reality, you'd need more parsing)
const rulePattern = command.replace(`${iptablesCmd} -t ${table} -A `, '-A ');
return stdout.split('\n').some(line => line.trim() === rulePattern);
} catch (err) {
this.log('error', `Failed to check if rule exists: ${err}`);
return false;
}
}
/**
* Sets up a custom chain for better rule management
*/
private async setupCustomChain(isIpv6: boolean = false): Promise<boolean> {
if (!this.customChain) return true;
const iptablesCmd = this.getIptablesCommand(isIpv6);
const table = 'nat';
try {
// Create the chain
await execAsync(`${iptablesCmd} -t ${table} -N ${this.customChain}`);
this.log('info', `Created custom chain: ${this.customChain}`);
// Add jump rule to PREROUTING chain
const jumpCommand = `${iptablesCmd} -t ${table} -A PREROUTING -j ${this.customChain} -m comment --comment "${this.ruleTag}:JUMP"`;
await execAsync(jumpCommand);
this.log('info', `Added jump rule to ${this.customChain}`);
// Store the jump rule
this.rules.push({
table,
chain: 'PREROUTING',
command: jumpCommand,
tag: `${this.ruleTag}:JUMP`,
added: true
});
return true;
} catch (err) {
this.log('error', `Failed to set up custom chain: ${err}`);
return false;
}
}
/**
* Add a source IP filter rule
*/
private async addSourceIPFilter(isIpv6: boolean = false): Promise<boolean> {
if (!this.settings.allowedSourceIPs && !this.settings.bannedSourceIPs) {
return true;
}
const iptablesCmd = this.getIptablesCommand(isIpv6);
const table = 'nat';
const chain = this.customChain || 'PREROUTING';
try {
// Add banned IPs first (explicit deny)
if (this.settings.bannedSourceIPs && this.settings.bannedSourceIPs.length > 0) {
for (const ip of this.settings.bannedSourceIPs) {
const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -j DROP -m comment --comment "${this.ruleTag}:BANNED"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${command}`);
continue;
}
await execAsync(command);
this.log('info', `Added banned IP rule: ${command}`);
this.rules.push({
table,
chain,
command,
tag: `${this.ruleTag}:BANNED`,
added: true
});
}
}
// Add allowed IPs (explicit allow)
if (this.settings.allowedSourceIPs && this.settings.allowedSourceIPs.length > 0) {
// First add a default deny for all
const denyAllCommand = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} -j DROP -m comment --comment "${this.ruleTag}:DENY_ALL"`;
// Add allow rules for specific IPs
for (const ip of this.settings.allowedSourceIPs) {
const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -p ${this.settings.protocol} -j ACCEPT -m comment --comment "${this.ruleTag}:ALLOWED"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${command}`);
continue;
}
await execAsync(command);
this.log('info', `Added allowed IP rule: ${command}`);
this.rules.push({
table,
chain,
command,
tag: `${this.ruleTag}:ALLOWED`,
added: true
});
}
// Now add the default deny after all allows
if (this.settings.checkExistingRules && await this.ruleExists(table, denyAllCommand, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${denyAllCommand}`);
} else {
await execAsync(denyAllCommand);
this.log('info', `Added default deny rule: ${denyAllCommand}`);
this.rules.push({
table,
chain,
command: denyAllCommand,
tag: `${this.ruleTag}:DENY_ALL`,
added: true
});
}
}
return true;
} catch (err) {
this.log('error', `Failed to add source IP filter rules: ${err}`);
return false;
}
}
/**
* Adds a port forwarding rule
*/
private async addPortForwardingRule(
fromPortRange: IPortRange,
toPortRange: IPortRange,
isIpv6: boolean = false
): Promise<boolean> {
const iptablesCmd = this.getIptablesCommand(isIpv6);
const table = 'nat';
const chain = this.customChain || 'PREROUTING';
try {
// Handle single port case
if (fromPortRange.from === fromPortRange.to && toPortRange.from === toPortRange.to) {
// Single port forward
const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from} ` +
`-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from} ` +
`-m comment --comment "${this.ruleTag}:DNAT"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${command}`);
} else {
await execAsync(command);
this.log('info', `Added port forwarding rule: ${command}`);
this.rules.push({
table,
chain,
command,
tag: `${this.ruleTag}:DNAT`,
added: true
});
}
} else if (fromPortRange.to - fromPortRange.from === toPortRange.to - toPortRange.from) {
// Port range forward with equal ranges
const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from}:${fromPortRange.to} ` +
`-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from}-${toPortRange.to} ` +
`-m comment --comment "${this.ruleTag}:DNAT_RANGE"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${command}`);
} else {
await execAsync(command);
this.log('info', `Added port range forwarding rule: ${command}`);
this.rules.push({
table,
chain,
command,
tag: `${this.ruleTag}:DNAT_RANGE`,
added: true
});
}
} else {
// Unequal port ranges need individual rules
for (let i = 0; i <= fromPortRange.to - fromPortRange.from; i++) {
const fromPort = fromPortRange.from + i;
const toPort = toPortRange.from + i % (toPortRange.to - toPortRange.from + 1);
const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPort} ` +
`-j DNAT --to-destination ${this.settings.toHost}:${toPort} ` +
`-m comment --comment "${this.ruleTag}:DNAT_INDIVIDUAL"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${command}`);
continue;
}
await execAsync(command);
this.log('info', `Added individual port forwarding rule: ${command}`);
this.rules.push({
table,
chain,
command,
tag: `${this.ruleTag}:DNAT_INDIVIDUAL`,
added: true
});
}
}
// If preserveSourceIP is false, add a MASQUERADE rule
if (!this.settings.preserveSourceIP) {
// For port range
const masqCommand = `${iptablesCmd} -t nat -A POSTROUTING -p ${this.settings.protocol} -d ${this.settings.toHost} ` +
`--dport ${toPortRange.from}:${toPortRange.to} -j MASQUERADE ` +
`-m comment --comment "${this.ruleTag}:MASQ"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists('nat', masqCommand, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${masqCommand}`);
} else {
await execAsync(masqCommand);
this.log('info', `Added MASQUERADE rule: ${masqCommand}`);
this.rules.push({
table: 'nat',
chain: 'POSTROUTING',
command: masqCommand,
tag: `${this.ruleTag}:MASQ`,
added: true
});
}
}
return true;
} catch (err) {
this.log('error', `Failed to add port forwarding rule: ${err}`);
// Try to roll back any rules that were already added
await this.rollbackRules();
return false;
}
}
/**
* Special handling for NetworkProxy integration
*/
private async setupNetworkProxyIntegration(isIpv6: boolean = false): Promise<boolean> {
if (!this.settings.netProxyIntegration?.enabled) {
return true;
}
const netProxyConfig = this.settings.netProxyIntegration;
const iptablesCmd = this.getIptablesCommand(isIpv6);
const table = 'nat';
const chain = this.customChain || 'PREROUTING';
try {
// If redirectLocalhost is true, set up special rule to redirect localhost traffic to NetworkProxy
if (netProxyConfig.redirectLocalhost && netProxyConfig.sslTerminationPort) {
const redirectCommand = `${iptablesCmd} -t ${table} -A OUTPUT -p tcp -d 127.0.0.1 -j REDIRECT ` +
`--to-port ${netProxyConfig.sslTerminationPort} ` +
`-m comment --comment "${this.ruleTag}:NETPROXY_REDIRECT"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists(table, redirectCommand, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${redirectCommand}`);
} else {
await execAsync(redirectCommand);
this.log('info', `Added NetworkProxy redirection rule: ${redirectCommand}`);
this.rules.push({
table,
chain: 'OUTPUT',
command: redirectCommand,
tag: `${this.ruleTag}:NETPROXY_REDIRECT`,
added: true
});
}
}
return true;
} catch (err) {
this.log('error', `Failed to set up NetworkProxy integration: ${err}`);
return false;
}
}
/**
* Rolls back rules that were added in case of error
*/
private async rollbackRules(): Promise<void> {
// Process rules in reverse order (LIFO)
for (let i = this.rules.length - 1; i >= 0; i--) {
const rule = this.rules[i];
if (rule.added) {
try {
// Convert -A (add) to -D (delete)
const deleteCommand = rule.command.replace('-A', '-D');
await execAsync(deleteCommand);
this.log('info', `Rolled back rule: ${deleteCommand}`);
rule.added = false;
} catch (err) {
this.log('error', `Failed to roll back rule: ${err}`);
}
}
}
}
/**
* Sets up iptables rules for port forwarding with enhanced features
*/
public async start(): Promise<void> {
// Optionally clean the slate first
if (this.settings.forceCleanSlate) {
await IPTablesProxy.cleanSlate();
}
// First set up any custom chains
if (this.settings.addJumpRule) {
const chainSetupSuccess = await this.setupCustomChain();
if (!chainSetupSuccess) {
throw new Error('Failed to set up custom chain');
}
// For IPv6 if enabled
if (this.settings.ipv6Support) {
const chainSetupSuccessIpv6 = await this.setupCustomChain(true);
if (!chainSetupSuccessIpv6) {
this.log('warn', 'Failed to set up IPv6 custom chain, continuing with IPv4 only');
}
}
}
// Add source IP filters
await this.addSourceIPFilter();
if (this.settings.ipv6Support) {
await this.addSourceIPFilter(true);
}
// Set up NetworkProxy integration if enabled
if (this.settings.netProxyIntegration?.enabled) {
const netProxySetupSuccess = await this.setupNetworkProxyIntegration();
if (!netProxySetupSuccess) {
this.log('warn', 'Failed to set up NetworkProxy integration');
}
if (this.settings.ipv6Support) {
await this.setupNetworkProxyIntegration(true);
}
}
// Normalize port specifications
const fromPortRanges = this.normalizePortSpec(this.settings.fromPort);
const toPortRanges = this.normalizePortSpec(this.settings.toPort);
// Handle the case where fromPort and toPort counts don't match
if (fromPortRanges.length !== toPortRanges.length) {
if (toPortRanges.length === 1) {
// If there's only one toPort, use it for all fromPorts
for (const fromRange of fromPortRanges) {
await this.addPortForwardingRule(fromRange, toPortRanges[0]);
if (this.settings.ipv6Support) {
await this.addPortForwardingRule(fromRange, toPortRanges[0], true);
}
}
} else {
throw new Error('Mismatched port counts: fromPort and toPort arrays must have equal length or toPort must be a single value');
}
} else {
// Add port forwarding rules for each port specification
for (let i = 0; i < fromPortRanges.length; i++) {
await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i]);
if (this.settings.ipv6Support) {
await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i], true);
}
}
}
// Final check - ensure we have at least one rule added
if (this.rules.filter(r => r.added).length === 0) {
throw new Error('No rules were added');
}
}
/**
* Removes all added iptables rules
*/ */
public async stop(): Promise<void> { public async stop(): Promise<void> {
if (!this.rulesInstalled) return; // Process rules in reverse order (LIFO)
for (let i = this.rules.length - 1; i >= 0; i--) {
const rule = this.rules[i];
const dnatDelCmd = `iptables -t nat -D PREROUTING -p tcp --dport ${this.settings.fromPort} ` + if (rule.added) {
`-j DNAT --to-destination ${this.settings.toHost}:${this.settings.toPort} ` +
`-m comment --comment "${this.ruleTag}:DNAT"`;
try { try {
await execAsync(dnatDelCmd); // Convert -A (add) to -D (delete)
console.log(`Removed iptables rule: ${dnatDelCmd}`); const deleteCommand = rule.command.replace('-A', '-D');
await execAsync(deleteCommand);
this.log('info', `Removed rule: ${deleteCommand}`);
rule.added = false;
} catch (err) { } catch (err) {
console.error(`Failed to remove iptables DNAT rule: ${err}`); this.log('error', `Failed to remove rule: ${err}`);
}
}
} }
if (!this.settings.preserveSourceIP) { // If we created a custom chain, we need to clean it up
const masqueradeDelCmd = `iptables -t nat -D POSTROUTING -p tcp -d ${this.settings.toHost} ` + if (this.customChain) {
`--dport ${this.settings.toPort} -j MASQUERADE ` +
`-m comment --comment "${this.ruleTag}:MASQ"`;
try { try {
await execAsync(masqueradeDelCmd); // First flush the chain
console.log(`Removed iptables rule: ${masqueradeDelCmd}`); await execAsync(`iptables -t nat -F ${this.customChain}`);
this.log('info', `Flushed custom chain: ${this.customChain}`);
// Then delete it
await execAsync(`iptables -t nat -X ${this.customChain}`);
this.log('info', `Deleted custom chain: ${this.customChain}`);
// Same for IPv6 if enabled
if (this.settings.ipv6Support) {
try {
await execAsync(`ip6tables -t nat -F ${this.customChain}`);
await execAsync(`ip6tables -t nat -X ${this.customChain}`);
this.log('info', `Deleted IPv6 custom chain: ${this.customChain}`);
} catch (err) { } catch (err) {
console.error(`Failed to remove iptables MASQUERADE rule: ${err}`); this.log('error', `Failed to delete IPv6 custom chain: ${err}`);
}
}
} catch (err) {
this.log('error', `Failed to delete custom chain: ${err}`);
} }
} }
this.rulesInstalled = false; // Clear rules array
this.rules = [];
}
/**
* Synchronous version of stop, for use in exit handlers
*/
public stopSync(): void {
// Process rules in reverse order (LIFO)
for (let i = this.rules.length - 1; i >= 0; i--) {
const rule = this.rules[i];
if (rule.added) {
try {
// Convert -A (add) to -D (delete)
const deleteCommand = rule.command.replace('-A', '-D');
execSync(deleteCommand);
this.log('info', `Removed rule: ${deleteCommand}`);
rule.added = false;
} catch (err) {
this.log('error', `Failed to remove rule: ${err}`);
}
}
}
// If we created a custom chain, we need to clean it up
if (this.customChain) {
try {
// First flush the chain
execSync(`iptables -t nat -F ${this.customChain}`);
// Then delete it
execSync(`iptables -t nat -X ${this.customChain}`);
this.log('info', `Deleted custom chain: ${this.customChain}`);
// Same for IPv6 if enabled
if (this.settings.ipv6Support) {
try {
execSync(`ip6tables -t nat -F ${this.customChain}`);
execSync(`ip6tables -t nat -X ${this.customChain}`);
} catch (err) {
// IPv6 failures are non-critical
}
}
} catch (err) {
this.log('error', `Failed to delete custom chain: ${err}`);
}
}
// Clear rules array
this.rules = [];
} }
/** /**
@ -130,16 +702,62 @@ export class IPTablesProxy {
* It looks for rules with comments containing "IPTablesProxy:". * It looks for rules with comments containing "IPTablesProxy:".
*/ */
public static async cleanSlate(): Promise<void> { public static async cleanSlate(): Promise<void> {
await IPTablesProxy.cleanSlateInternal();
// Also clean IPv6 rules
await IPTablesProxy.cleanSlateInternal(true);
}
/**
* Internal implementation of cleanSlate with IPv6 support
*/
private static async cleanSlateInternal(isIpv6: boolean = false): Promise<void> {
const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables';
try { try {
const { stdout } = await execAsync('iptables-save -t nat'); const { stdout } = await execAsync(`${iptablesCmd}-save -t nat`);
const lines = stdout.split('\n'); const lines = stdout.split('\n');
const proxyLines = lines.filter(line => line.includes('IPTablesProxy:')); const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
// First, find and remove any custom chains
const customChains = new Set<string>();
const jumpRules: string[] = [];
for (const line of proxyLines) { for (const line of proxyLines) {
if (line.includes('IPTablesProxy:JUMP')) {
// Extract chain name from jump rule
const match = line.match(/\s+-j\s+(\S+)\s+/);
if (match && match[1].startsWith('IPTablesProxy_')) {
customChains.add(match[1]);
jumpRules.push(line);
}
}
}
// Remove jump rules first
for (const line of jumpRules) {
const trimmedLine = line.trim(); const trimmedLine = line.trim();
if (trimmedLine.startsWith('-A')) { if (trimmedLine.startsWith('-A')) {
// Replace the "-A" with "-D" to form a deletion command. // Replace the "-A" with "-D" to form a deletion command
const deleteRule = trimmedLine.replace('-A', '-D'); const deleteRule = trimmedLine.replace('-A', '-D');
const cmd = `iptables -t nat ${deleteRule}`; const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
try {
await execAsync(cmd);
console.log(`Cleaned up iptables jump rule: ${cmd}`);
} catch (err) {
console.error(`Failed to remove iptables jump rule: ${cmd}`, err);
}
}
}
// Then remove all other rules
for (const line of proxyLines) {
if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled
const trimmedLine = line.trim();
if (trimmedLine.startsWith('-A')) {
// Replace the "-A" with "-D" to form a deletion command
const deleteRule = trimmedLine.replace('-A', '-D');
const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
try { try {
await execAsync(cmd); await execAsync(cmd);
console.log(`Cleaned up iptables rule: ${cmd}`); console.log(`Cleaned up iptables rule: ${cmd}`);
@ -148,8 +766,24 @@ export class IPTablesProxy {
} }
} }
} }
}
// Finally clean up custom chains
for (const chain of customChains) {
try {
// Flush the chain
await execAsync(`${iptablesCmd} -t nat -F ${chain}`);
console.log(`Flushed custom chain: ${chain}`);
// Delete the chain
await execAsync(`${iptablesCmd} -t nat -X ${chain}`);
console.log(`Deleted custom chain: ${chain}`);
} catch (err) { } catch (err) {
console.error(`Failed to run iptables-save: ${err}`); console.error(`Failed to delete custom chain ${chain}:`, err);
}
}
} catch (err) {
console.error(`Failed to run ${iptablesCmd}-save: ${err}`);
} }
} }
@ -159,15 +793,61 @@ export class IPTablesProxy {
* This method is intended for use in process exit handlers. * This method is intended for use in process exit handlers.
*/ */
public static cleanSlateSync(): void { public static cleanSlateSync(): void {
IPTablesProxy.cleanSlateSyncInternal();
// Also clean IPv6 rules
IPTablesProxy.cleanSlateSyncInternal(true);
}
/**
* Internal implementation of cleanSlateSync with IPv6 support
*/
private static cleanSlateSyncInternal(isIpv6: boolean = false): void {
const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables';
try { try {
const stdout = execSync('iptables-save -t nat').toString(); const stdout = execSync(`${iptablesCmd}-save -t nat`).toString();
const lines = stdout.split('\n'); const lines = stdout.split('\n');
const proxyLines = lines.filter(line => line.includes('IPTablesProxy:')); const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
// First, find and remove any custom chains
const customChains = new Set<string>();
const jumpRules: string[] = [];
for (const line of proxyLines) { for (const line of proxyLines) {
if (line.includes('IPTablesProxy:JUMP')) {
// Extract chain name from jump rule
const match = line.match(/\s+-j\s+(\S+)\s+/);
if (match && match[1].startsWith('IPTablesProxy_')) {
customChains.add(match[1]);
jumpRules.push(line);
}
}
}
// Remove jump rules first
for (const line of jumpRules) {
const trimmedLine = line.trim();
if (trimmedLine.startsWith('-A')) {
// Replace the "-A" with "-D" to form a deletion command
const deleteRule = trimmedLine.replace('-A', '-D');
const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
try {
execSync(cmd);
console.log(`Cleaned up iptables jump rule: ${cmd}`);
} catch (err) {
console.error(`Failed to remove iptables jump rule: ${cmd}`, err);
}
}
}
// Then remove all other rules
for (const line of proxyLines) {
if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled
const trimmedLine = line.trim(); const trimmedLine = line.trim();
if (trimmedLine.startsWith('-A')) { if (trimmedLine.startsWith('-A')) {
const deleteRule = trimmedLine.replace('-A', '-D'); const deleteRule = trimmedLine.replace('-A', '-D');
const cmd = `iptables -t nat ${deleteRule}`; const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
try { try {
execSync(cmd); execSync(cmd);
console.log(`Cleaned up iptables rule: ${cmd}`); console.log(`Cleaned up iptables rule: ${cmd}`);
@ -176,8 +856,46 @@ export class IPTablesProxy {
} }
} }
} }
}
// Finally clean up custom chains
for (const chain of customChains) {
try {
// Flush the chain
execSync(`${iptablesCmd} -t nat -F ${chain}`);
// Delete the chain
execSync(`${iptablesCmd} -t nat -X ${chain}`);
console.log(`Deleted custom chain: ${chain}`);
} catch (err) { } catch (err) {
console.error(`Failed to run iptables-save: ${err}`); console.error(`Failed to delete custom chain ${chain}:`, err);
}
}
} catch (err) {
console.error(`Failed to run ${iptablesCmd}-save: ${err}`);
}
}
/**
* Logging utility that respects the enableLogging setting
*/
private log(level: 'info' | 'warn' | 'error', message: string): void {
if (!this.settings.enableLogging && level === 'info') {
return;
}
const timestamp = new Date().toISOString();
switch (level) {
case 'info':
console.log(`[${timestamp}] [INFO] ${message}`);
break;
case 'warn':
console.warn(`[${timestamp}] [WARN] ${message}`);
break;
case 'error':
console.error(`[${timestamp}] [ERROR] ${message}`);
break;
} }
} }
} }

422
ts/classes.networkproxy.ts
View File

@ -16,6 +16,10 @@ export interface INetworkProxyOptions {
allowHeaders?: string; allowHeaders?: string;
maxAge?: number; maxAge?: number;
}; };
// New settings for PortProxy integration
connectionPoolSize?: number; // Maximum connections to maintain in the pool to each backend
portProxyIntegration?: boolean; // Flag to indicate this proxy is used by PortProxy
} }
interface IWebSocketWithHeartbeat extends plugins.wsDefault { interface IWebSocketWithHeartbeat extends plugins.wsDefault {
@ -42,14 +46,26 @@ export class NetworkProxy {
public requestsServed: number = 0; public requestsServed: number = 0;
public failedRequests: number = 0; public failedRequests: number = 0;
// New tracking for PortProxy integration
private portProxyConnections: number = 0;
private tlsTerminatedConnections: number = 0;
// Timers and intervals // Timers and intervals
private heartbeatInterval: NodeJS.Timeout; private heartbeatInterval: NodeJS.Timeout;
private metricsInterval: NodeJS.Timeout; private metricsInterval: NodeJS.Timeout;
private connectionPoolCleanupInterval: NodeJS.Timeout;
// Certificates // Certificates
private defaultCertificates: { key: string; cert: string }; private defaultCertificates: { key: string; cert: string };
private certificateCache: Map<string, { key: string; cert: string; expires?: Date }> = new Map(); private certificateCache: Map<string, { key: string; cert: string; expires?: Date }> = new Map();
// New connection pool for backend connections
private connectionPool: Map<string, Array<{
socket: plugins.net.Socket;
lastUsed: number;
isIdle: boolean;
}>> = new Map();
/** /**
* Creates a new NetworkProxy instance * Creates a new NetworkProxy instance
*/ */
@ -66,7 +82,10 @@ export class NetworkProxy {
allowMethods: 'GET, POST, PUT, DELETE, OPTIONS', allowMethods: 'GET, POST, PUT, DELETE, OPTIONS',
allowHeaders: 'Content-Type, Authorization', allowHeaders: 'Content-Type, Authorization',
maxAge: 86400 maxAge: 86400
} },
// New defaults for PortProxy integration
connectionPoolSize: optionsArg.connectionPoolSize || 50,
portProxyIntegration: optionsArg.portProxyIntegration || false
}; };
this.loadDefaultCertificates(); this.loadDefaultCertificates();
@ -104,6 +123,213 @@ export class NetworkProxy {
} }
} }
/**
* Returns the port number this NetworkProxy is listening on
* Useful for PortProxy to determine where to forward connections
*/
public getListeningPort(): number {
return this.options.port;
}
/**
* Updates the server capacity settings
* @param maxConnections Maximum number of simultaneous connections
* @param keepAliveTimeout Keep-alive timeout in milliseconds
* @param connectionPoolSize Size of the connection pool per backend
*/
public updateCapacity(maxConnections?: number, keepAliveTimeout?: number, connectionPoolSize?: number): void {
if (maxConnections !== undefined) {
this.options.maxConnections = maxConnections;
this.log('info', `Updated max connections to ${maxConnections}`);
}
if (keepAliveTimeout !== undefined) {
this.options.keepAliveTimeout = keepAliveTimeout;
if (this.httpsServer) {
this.httpsServer.keepAliveTimeout = keepAliveTimeout;
this.log('info', `Updated keep-alive timeout to ${keepAliveTimeout}ms`);
}
}
if (connectionPoolSize !== undefined) {
this.options.connectionPoolSize = connectionPoolSize;
this.log('info', `Updated connection pool size to ${connectionPoolSize}`);
// Cleanup excess connections in the pool if the size was reduced
this.cleanupConnectionPool();
}
}
/**
* Returns current server metrics
* Useful for PortProxy to determine which NetworkProxy to use for load balancing
*/
public getMetrics(): any {
return {
activeConnections: this.connectedClients,
totalRequests: this.requestsServed,
failedRequests: this.failedRequests,
portProxyConnections: this.portProxyConnections,
tlsTerminatedConnections: this.tlsTerminatedConnections,
connectionPoolSize: Array.from(this.connectionPool.entries()).reduce((acc, [host, connections]) => {
acc[host] = connections.length;
return acc;
}, {} as Record<string, number>),
uptime: Math.floor((Date.now() - this.startTime) / 1000),
memoryUsage: process.memoryUsage(),
activeWebSockets: this.wsServer?.clients.size || 0
};
}
/**
* Cleanup the connection pool by removing idle connections
* or reducing pool size if it exceeds the configured maximum
*/
private cleanupConnectionPool(): void {
const now = Date.now();
const idleTimeout = this.options.keepAliveTimeout || 120000; // 2 minutes default
for (const [host, connections] of this.connectionPool.entries()) {
// Sort by last used time (oldest first)
connections.sort((a, b) => a.lastUsed - b.lastUsed);
// Remove idle connections older than the idle timeout
let removed = 0;
while (connections.length > 0) {
const connection = connections[0];
// Remove if idle and exceeds timeout, or if pool is too large
if ((connection.isIdle && now - connection.lastUsed > idleTimeout) ||
connections.length > this.options.connectionPoolSize!) {
try {
if (!connection.socket.destroyed) {
connection.socket.end();
connection.socket.destroy();
}
} catch (err) {
this.log('error', `Error destroying pooled connection to ${host}`, err);
}
connections.shift(); // Remove from pool
removed++;
} else {
break; // Stop removing if we've reached active or recent connections
}
}
if (removed > 0) {
this.log('debug', `Removed ${removed} idle connections from pool for ${host}, ${connections.length} remaining`);
}
// Update the pool with the remaining connections
if (connections.length === 0) {
this.connectionPool.delete(host);
} else {
this.connectionPool.set(host, connections);
}
}
}
/**
* Get a connection from the pool or create a new one
*/
private getConnectionFromPool(host: string, port: number): Promise<plugins.net.Socket> {
return new Promise((resolve, reject) => {
const poolKey = `${host}:${port}`;
const connectionList = this.connectionPool.get(poolKey) || [];
// Look for an idle connection
const idleConnectionIndex = connectionList.findIndex(c => c.isIdle);
if (idleConnectionIndex >= 0) {
// Get existing connection from pool
const connection = connectionList[idleConnectionIndex];
connection.isIdle = false;
connection.lastUsed = Date.now();
this.log('debug', `Reusing connection from pool for ${poolKey}`);
// Update the pool
this.connectionPool.set(poolKey, connectionList);
resolve(connection.socket);
return;
}
// No idle connection available, create a new one if pool isn't full
if (connectionList.length < this.options.connectionPoolSize!) {
this.log('debug', `Creating new connection to ${host}:${port}`);
try {
const socket = plugins.net.connect({
host,
port,
keepAlive: true,
keepAliveInitialDelay: 30000 // 30 seconds
});
socket.once('connect', () => {
// Add to connection pool
const connection = {
socket,
lastUsed: Date.now(),
isIdle: false
};
connectionList.push(connection);
this.connectionPool.set(poolKey, connectionList);
// Setup cleanup when the connection is closed
socket.once('close', () => {
const idx = connectionList.findIndex(c => c.socket === socket);
if (idx >= 0) {
connectionList.splice(idx, 1);
this.connectionPool.set(poolKey, connectionList);
this.log('debug', `Removed closed connection from pool for ${poolKey}`);
}
});
resolve(socket);
});
socket.once('error', (err) => {
this.log('error', `Error creating connection to ${host}:${port}`, err);
reject(err);
});
} catch (err) {
this.log('error', `Failed to create connection to ${host}:${port}`, err);
reject(err);
}
} else {
// Pool is full, wait for an idle connection or reject
this.log('warn', `Connection pool for ${poolKey} is full (${connectionList.length})`);
reject(new Error(`Connection pool for ${poolKey} is full`));
}
});
}
/**
* Return a connection to the pool for reuse
*/
private returnConnectionToPool(socket: plugins.net.Socket, host: string, port: number): void {
const poolKey = `${host}:${port}`;
const connectionList = this.connectionPool.get(poolKey) || [];
// Find this connection in the pool
const connectionIndex = connectionList.findIndex(c => c.socket === socket);
if (connectionIndex >= 0) {
// Mark as idle and update last used time
connectionList[connectionIndex].isIdle = true;
connectionList[connectionIndex].lastUsed = Date.now();
this.log('debug', `Returned connection to pool for ${poolKey}`);
} else {
this.log('warn', `Attempted to return unknown connection to pool for ${poolKey}`);
}
}
/** /**
* Starts the proxy server * Starts the proxy server
*/ */
@ -132,6 +358,9 @@ export class NetworkProxy {
// Start metrics collection // Start metrics collection
this.setupMetricsCollection(); this.setupMetricsCollection();
// Setup connection pool cleanup interval
this.setupConnectionPoolCleanup();
// Start the server // Start the server
return new Promise((resolve) => { return new Promise((resolve) => {
this.httpsServer.listen(this.options.port, () => { this.httpsServer.listen(this.options.port, () => {
@ -156,13 +385,31 @@ export class NetworkProxy {
// Add connection to tracking // Add connection to tracking
this.socketMap.add(connection); this.socketMap.add(connection);
this.connectedClients = this.socketMap.getArray().length; this.connectedClients = this.socketMap.getArray().length;
this.log('debug', `New connection. Currently ${this.connectedClients} active connections`);
// Check for connection from PortProxy by inspecting the source port
// This is a heuristic - in a production environment you might use a more robust method
const localPort = connection.localPort;
const remotePort = connection.remotePort;
// If this connection is from a PortProxy (usually indicated by it coming from localhost)
if (this.options.portProxyIntegration && connection.remoteAddress?.includes('127.0.0.1')) {
this.portProxyConnections++;
this.log('debug', `New connection from PortProxy (local: ${localPort}, remote: ${remotePort})`);
} else {
this.log('debug', `New direct connection (local: ${localPort}, remote: ${remotePort})`);
}
// Setup connection cleanup handlers // Setup connection cleanup handlers
const cleanupConnection = () => { const cleanupConnection = () => {
if (this.socketMap.checkForObject(connection)) { if (this.socketMap.checkForObject(connection)) {
this.socketMap.remove(connection); this.socketMap.remove(connection);
this.connectedClients = this.socketMap.getArray().length; this.connectedClients = this.socketMap.getArray().length;
// If this was a PortProxy connection, decrement the counter
if (this.options.portProxyIntegration && connection.remoteAddress?.includes('127.0.0.1')) {
this.portProxyConnections--;
}
this.log('debug', `Connection closed. ${this.connectedClients} connections remaining`); this.log('debug', `Connection closed. ${this.connectedClients} connections remaining`);
} }
}; };
@ -178,6 +425,12 @@ export class NetworkProxy {
cleanupConnection(); cleanupConnection();
}); });
}); });
// Track TLS handshake completions
this.httpsServer.on('secureConnection', (tlsSocket) => {
this.tlsTerminatedConnections++;
this.log('debug', 'TLS handshake completed, connection secured');
});
} }
/** /**
@ -228,15 +481,36 @@ export class NetworkProxy {
activeConnections: this.connectedClients, activeConnections: this.connectedClients,
totalRequests: this.requestsServed, totalRequests: this.requestsServed,
failedRequests: this.failedRequests, failedRequests: this.failedRequests,
portProxyConnections: this.portProxyConnections,
tlsTerminatedConnections: this.tlsTerminatedConnections,
activeWebSockets: this.wsServer?.clients.size || 0, activeWebSockets: this.wsServer?.clients.size || 0,
memoryUsage: process.memoryUsage(), memoryUsage: process.memoryUsage(),
activeContexts: Array.from(this.activeContexts) activeContexts: Array.from(this.activeContexts),
connectionPool: Object.fromEntries(
Array.from(this.connectionPool.entries()).map(([host, connections]) => [
host,
{
total: connections.length,
idle: connections.filter(c => c.isIdle).length
}
])
)
}; };
this.log('debug', 'Proxy metrics', metrics); this.log('debug', 'Proxy metrics', metrics);
}, 60000); // Log metrics every minute }, 60000); // Log metrics every minute
} }
/**
* Sets up connection pool cleanup
*/
private setupConnectionPoolCleanup(): void {
// Clean up idle connections every minute
this.connectionPoolCleanupInterval = setInterval(() => {
this.cleanupConnectionPool();
}, 60000); // 1 minute
}
/** /**
* Handles an incoming WebSocket connection * Handles an incoming WebSocket connection
*/ */
@ -410,12 +684,27 @@ export class NetworkProxy {
} }
} }
// Determine if we should use connection pooling
const useConnectionPool = this.options.portProxyIntegration &&
originRequest.socket.remoteAddress?.includes('127.0.0.1');
// Construct destination URL // Construct destination URL
const destinationUrl = `http://${destinationConfig.destinationIp}:${destinationConfig.destinationPort}${originRequest.url}`; const destinationUrl = `http://${destinationConfig.destinationIp}:${destinationConfig.destinationPort}${originRequest.url}`;
this.log('debug', `[${reqId}] Proxying to ${destinationUrl}`);
// Forward the request if (useConnectionPool) {
this.log('debug', `[${reqId}] Proxying to ${destinationUrl} (using connection pool)`);
await this.forwardRequestUsingConnectionPool(
reqId,
originRequest,
originResponse,
destinationConfig.destinationIp,
destinationConfig.destinationPort,
originRequest.url
);
} else {
this.log('debug', `[${reqId}] Proxying to ${destinationUrl}`);
await this.forwardRequest(reqId, originRequest, originResponse, destinationUrl); await this.forwardRequest(reqId, originRequest, originResponse, destinationUrl);
}
const processingTime = Date.now() - startTime; const processingTime = Date.now() - startTime;
this.log('debug', `[${reqId}] Request completed in ${processingTime}ms`); this.log('debug', `[${reqId}] Request completed in ${processingTime}ms`);
@ -488,7 +777,105 @@ export class NetworkProxy {
} }
/** /**
* Forwards a request to the destination * Forwards a request to the destination using connection pool
* for optimized connection reuse from PortProxy
*/
private async forwardRequestUsingConnectionPool(
reqId: string,
originRequest: plugins.http.IncomingMessage,
originResponse: plugins.http.ServerResponse,
host: string,
port: number,
path: string
): Promise<void> {
try {
// Try to get a connection from the pool
const socket = await this.getConnectionFromPool(host, port);
// Create an HTTP client request using the pooled socket
const reqOptions = {
createConnection: () => socket,
host,
port,
path,
method: originRequest.method,
headers: this.prepareForwardHeaders(originRequest),
timeout: 30000 // 30 second timeout
};
const proxyReq = plugins.http.request(reqOptions);
// Handle timeouts
proxyReq.on('timeout', () => {
this.log('warn', `[${reqId}] Request to ${host}:${port}${path} timed out`);
proxyReq.destroy();
});
// Handle errors
proxyReq.on('error', (err) => {
this.log('error', `[${reqId}] Error in proxy request to ${host}:${port}${path}`, err);
// Check if the client response is still writable
if (!originResponse.writableEnded) {
this.sendErrorResponse(originResponse, 502, 'Bad Gateway: Error communicating with upstream server');
}
// Don't return the socket to the pool on error
try {
if (!socket.destroyed) {
socket.destroy();
}
} catch (socketErr) {
this.log('error', `[${reqId}] Error destroying socket after request error`, socketErr);
}
});
// Forward request body
originRequest.pipe(proxyReq);
// Handle response
proxyReq.on('response', (proxyRes) => {
// Copy status and headers
originResponse.statusCode = proxyRes.statusCode;
for (const [name, value] of Object.entries(proxyRes.headers)) {
if (value !== undefined) {
originResponse.setHeader(name, value);
}
}
// Forward the response body
proxyRes.pipe(originResponse);
// Return connection to pool when the response completes
proxyRes.on('end', () => {
if (!socket.destroyed) {
this.returnConnectionToPool(socket, host, port);
}
});
proxyRes.on('error', (err) => {
this.log('error', `[${reqId}] Error in proxy response from ${host}:${port}${path}`, err);
// Don't return the socket to the pool on error
try {
if (!socket.destroyed) {
socket.destroy();
}
} catch (socketErr) {
this.log('error', `[${reqId}] Error destroying socket after response error`, socketErr);
}
});
});
} catch (error) {
this.log('error', `[${reqId}] Error setting up pooled connection to ${host}:${port}`, error);
this.sendErrorResponse(originResponse, 502, 'Bad Gateway: Unable to reach upstream server');
throw error;
}
}
/**
* Forwards a request to the destination (standard method)
*/ */
private async forwardRequest( private async forwardRequest(
reqId: string, reqId: string,
@ -532,6 +919,11 @@ export class NetworkProxy {
// Add proxy-specific headers // Add proxy-specific headers
safeHeaders['X-Proxy-Id'] = `NetworkProxy-${this.options.port}`; safeHeaders['X-Proxy-Id'] = `NetworkProxy-${this.options.port}`;
// If this is coming from PortProxy, add a header to indicate that
if (this.options.portProxyIntegration && req.socket.remoteAddress?.includes('127.0.0.1')) {
safeHeaders['X-PortProxy-Forwarded'] = 'true';
}
// Remove sensitive headers we don't want to forward // Remove sensitive headers we don't want to forward
const sensitiveHeaders = ['connection', 'upgrade', 'http2-settings']; const sensitiveHeaders = ['connection', 'upgrade', 'http2-settings'];
for (const header of sensitiveHeaders) { for (const header of sensitiveHeaders) {
@ -778,6 +1170,10 @@ export class NetworkProxy {
clearInterval(this.metricsInterval); clearInterval(this.metricsInterval);
} }
if (this.connectionPoolCleanupInterval) {
clearInterval(this.connectionPoolCleanupInterval);
}
// Close WebSocket server if exists // Close WebSocket server if exists
if (this.wsServer) { if (this.wsServer) {
for (const client of this.wsServer.clients) { for (const client of this.wsServer.clients) {
@ -798,6 +1194,20 @@ export class NetworkProxy {
} }
} }
// Close all connection pool connections
for (const [host, connections] of this.connectionPool.entries()) {
for (const connection of connections) {
try {
if (!connection.socket.destroyed) {
connection.socket.destroy();
}
} catch (error) {
this.log('error', `Error destroying pooled connection to ${host}`, error);
}
}
}
this.connectionPool.clear();
// Close the HTTPS server // Close the HTTPS server
return new Promise((resolve) => { return new Promise((resolve) => {
this.httpsServer.close(() => { this.httpsServer.close(() => {

1135
ts/classes.portproxy.ts
View File

File diff suppressed because it is too large Load Diff