feat(IPTablesProxy): Enhanced IPTablesProxy with multi-port and IPv6 support
This commit is contained in:
parent
d8585975a8
commit
bbdea52677
@ -1,5 +1,14 @@
|
|||||||
# Changelog
|
# Changelog
|
||||||
|
|
||||||
|
## 2025-03-07 - 3.29.0 - feat(IPTablesProxy)
|
||||||
|
Enhanced IPTablesProxy with multi-port and IPv6 support
|
||||||
|
|
||||||
|
- Added support for specifying multiple ports and port ranges, allowing for more complex network proxy configurations.
|
||||||
|
- Introduced IPv6 support to allow handling of IPv6 addressed networks.
|
||||||
|
- Implemented more detailed logging and error handling features to improve debugging capabilities.
|
||||||
|
- Enhanced integration options with NetworkProxy, allowing for a more seamless routing and termination process.
|
||||||
|
- Restructured the initialization and validation process to ensure robust handling of configuration settings.
|
||||||
|
|
||||||
## 2025-03-07 - 3.28.6 - fix(PortProxy)
|
## 2025-03-07 - 3.28.6 - fix(PortProxy)
|
||||||
Adjust default timeout settings and enhance keep-alive connection handling in PortProxy.
|
Adjust default timeout settings and enhance keep-alive connection handling in PortProxy.
|
||||||
|
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
"@push.rocks/smartpromise": "^4.2.3",
|
"@push.rocks/smartpromise": "^4.2.3",
|
||||||
"@push.rocks/smartrequest": "^2.0.23",
|
"@push.rocks/smartrequest": "^2.0.23",
|
||||||
"@push.rocks/smartstring": "^4.0.15",
|
"@push.rocks/smartstring": "^4.0.15",
|
||||||
"@tsclass/tsclass": "^4.4.0",
|
"@tsclass/tsclass": "^4.4.3",
|
||||||
"@types/minimatch": "^5.1.2",
|
"@types/minimatch": "^5.1.2",
|
||||||
"@types/ws": "^8.18.0",
|
"@types/ws": "^8.18.0",
|
||||||
"acme-client": "^5.4.0",
|
"acme-client": "^5.4.0",
|
||||||
|
38
pnpm-lock.yaml
generated
38
pnpm-lock.yaml
generated
@ -24,8 +24,8 @@ importers:
|
|||||||
specifier: ^4.0.15
|
specifier: ^4.0.15
|
||||||
version: 4.0.15
|
version: 4.0.15
|
||||||
'@tsclass/tsclass':
|
'@tsclass/tsclass':
|
||||||
specifier: ^4.4.0
|
specifier: ^4.4.3
|
||||||
version: 4.4.0
|
version: 4.4.3
|
||||||
'@types/minimatch':
|
'@types/minimatch':
|
||||||
specifier: ^5.1.2
|
specifier: ^5.1.2
|
||||||
version: 5.1.2
|
version: 5.1.2
|
||||||
@ -1316,8 +1316,8 @@ packages:
|
|||||||
'@tsclass/tsclass@3.0.48':
|
'@tsclass/tsclass@3.0.48':
|
||||||
resolution: {integrity: sha512-hC65UvDlp9qvsl6OcIZXz0JNiWZ0gyzsTzbXpg215sGxopgbkOLCr6E0s4qCTnweYm95gt2AdY95uP7M7kExaQ==}
|
resolution: {integrity: sha512-hC65UvDlp9qvsl6OcIZXz0JNiWZ0gyzsTzbXpg215sGxopgbkOLCr6E0s4qCTnweYm95gt2AdY95uP7M7kExaQ==}
|
||||||
|
|
||||||
'@tsclass/tsclass@4.4.0':
|
'@tsclass/tsclass@4.4.3':
|
||||||
resolution: {integrity: sha512-/T3qmxj28yRMM+0x9UtyBmrsJ66flviQEDg3M4kwmWuZQgbrDACa6JXdA0ieqfmuPOXDJRRDKcyKaKvKi2EdwA==}
|
resolution: {integrity: sha512-Vhp+B1UsYlwXLhIeds++CXEeCwFgRzpput4YNM7Qyhr+UQgIMFRFAs2HSI3jEE5r9c1hR9G6MkSxi2U/CLyiaA==}
|
||||||
|
|
||||||
'@types/accepts@1.3.7':
|
'@types/accepts@1.3.7':
|
||||||
resolution: {integrity: sha512-Pay9fq2lM2wXPWbteBsRAGiWH2hig4ZE2asK+mm7kUzlxRTfL961rj89I6zV/E3PcIkDqyuBEcMxFT7rccugeQ==}
|
resolution: {integrity: sha512-Pay9fq2lM2wXPWbteBsRAGiWH2hig4ZE2asK+mm7kUzlxRTfL961rj89I6zV/E3PcIkDqyuBEcMxFT7rccugeQ==}
|
||||||
@ -3979,8 +3979,8 @@ packages:
|
|||||||
resolution: {integrity: sha512-RAH822pAdBgcNMAfWnCBU3CFZcfZ/i1eZjwFU/dsLKumyuuP3niueg2UAukXYF0E2AAoc82ZSSf9J0WQBinzHA==}
|
resolution: {integrity: sha512-RAH822pAdBgcNMAfWnCBU3CFZcfZ/i1eZjwFU/dsLKumyuuP3niueg2UAukXYF0E2AAoc82ZSSf9J0WQBinzHA==}
|
||||||
engines: {node: '>=12.20'}
|
engines: {node: '>=12.20'}
|
||||||
|
|
||||||
type-fest@4.33.0:
|
type-fest@4.37.0:
|
||||||
resolution: {integrity: sha512-s6zVrxuyKbbAsSAD5ZPTB77q4YIdRctkTbJ2/Dqlinwz+8ooH2gd+YA7VA6Pa93KML9GockVvoxjZ2vHP+mu8g==}
|
resolution: {integrity: sha512-S/5/0kFftkq27FPNye0XM1e2NsnoD/3FS+pBmbjmmtLT6I+i344KoOf7pvXreaFsDamWeaJX55nczA1m5PsBDg==}
|
||||||
engines: {node: '>=16'}
|
engines: {node: '>=16'}
|
||||||
|
|
||||||
type-is@1.6.18:
|
type-is@1.6.18:
|
||||||
@ -4286,7 +4286,7 @@ snapshots:
|
|||||||
'@push.rocks/taskbuffer': 3.1.7
|
'@push.rocks/taskbuffer': 3.1.7
|
||||||
'@push.rocks/webrequest': 3.0.37
|
'@push.rocks/webrequest': 3.0.37
|
||||||
'@push.rocks/webstore': 2.0.20
|
'@push.rocks/webstore': 2.0.20
|
||||||
'@tsclass/tsclass': 4.4.0
|
'@tsclass/tsclass': 4.4.3
|
||||||
'@types/express': 4.17.21
|
'@types/express': 4.17.21
|
||||||
body-parser: 1.20.3
|
body-parser: 1.20.3
|
||||||
cors: 2.8.5
|
cors: 2.8.5
|
||||||
@ -5420,7 +5420,7 @@ snapshots:
|
|||||||
'@push.rocks/smartstring': 4.0.15
|
'@push.rocks/smartstring': 4.0.15
|
||||||
'@push.rocks/smartunique': 3.0.9
|
'@push.rocks/smartunique': 3.0.9
|
||||||
'@push.rocks/taskbuffer': 3.1.7
|
'@push.rocks/taskbuffer': 3.1.7
|
||||||
'@tsclass/tsclass': 4.4.0
|
'@tsclass/tsclass': 4.4.3
|
||||||
transitivePeerDependencies:
|
transitivePeerDependencies:
|
||||||
- aws-crt
|
- aws-crt
|
||||||
|
|
||||||
@ -5442,7 +5442,7 @@ snapshots:
|
|||||||
'@pushrocks/smartjson': 4.0.6
|
'@pushrocks/smartjson': 4.0.6
|
||||||
'@pushrocks/smartpath': 5.0.5
|
'@pushrocks/smartpath': 5.0.5
|
||||||
'@pushrocks/smartpromise': 3.1.10
|
'@pushrocks/smartpromise': 3.1.10
|
||||||
'@tsclass/tsclass': 4.4.0
|
'@tsclass/tsclass': 4.4.3
|
||||||
mongodb: 4.17.2
|
mongodb: 4.17.2
|
||||||
transitivePeerDependencies:
|
transitivePeerDependencies:
|
||||||
- aws-crt
|
- aws-crt
|
||||||
@ -5492,7 +5492,7 @@ snapshots:
|
|||||||
'@push.rocks/smartstream': 3.2.5
|
'@push.rocks/smartstream': 3.2.5
|
||||||
'@push.rocks/smartstring': 4.0.15
|
'@push.rocks/smartstring': 4.0.15
|
||||||
'@push.rocks/smartunique': 3.0.9
|
'@push.rocks/smartunique': 3.0.9
|
||||||
'@tsclass/tsclass': 4.4.0
|
'@tsclass/tsclass': 4.4.3
|
||||||
transitivePeerDependencies:
|
transitivePeerDependencies:
|
||||||
- aws-crt
|
- aws-crt
|
||||||
|
|
||||||
@ -5542,7 +5542,7 @@ snapshots:
|
|||||||
'@push.rocks/smarttime': 4.1.1
|
'@push.rocks/smarttime': 4.1.1
|
||||||
'@push.rocks/smartunique': 3.0.9
|
'@push.rocks/smartunique': 3.0.9
|
||||||
'@push.rocks/taskbuffer': 3.1.7
|
'@push.rocks/taskbuffer': 3.1.7
|
||||||
'@tsclass/tsclass': 4.4.0
|
'@tsclass/tsclass': 4.4.3
|
||||||
mongodb: 6.13.0(@aws-sdk/credential-providers@3.741.0)(socks@2.8.3)
|
mongodb: 6.13.0(@aws-sdk/credential-providers@3.741.0)(socks@2.8.3)
|
||||||
transitivePeerDependencies:
|
transitivePeerDependencies:
|
||||||
- '@aws-sdk/credential-providers'
|
- '@aws-sdk/credential-providers'
|
||||||
@ -5654,7 +5654,7 @@ snapshots:
|
|||||||
'@push.rocks/smartlog-interfaces@3.0.2':
|
'@push.rocks/smartlog-interfaces@3.0.2':
|
||||||
dependencies:
|
dependencies:
|
||||||
'@api.global/typedrequest-interfaces': 2.0.2
|
'@api.global/typedrequest-interfaces': 2.0.2
|
||||||
'@tsclass/tsclass': 4.4.0
|
'@tsclass/tsclass': 4.4.3
|
||||||
|
|
||||||
'@push.rocks/smartlog@3.0.7':
|
'@push.rocks/smartlog@3.0.7':
|
||||||
dependencies:
|
dependencies:
|
||||||
@ -5768,7 +5768,7 @@ snapshots:
|
|||||||
'@push.rocks/smartpromise': 4.2.3
|
'@push.rocks/smartpromise': 4.2.3
|
||||||
'@push.rocks/smartpuppeteer': 2.0.2
|
'@push.rocks/smartpuppeteer': 2.0.2
|
||||||
'@push.rocks/smartunique': 3.0.9
|
'@push.rocks/smartunique': 3.0.9
|
||||||
'@tsclass/tsclass': 4.4.0
|
'@tsclass/tsclass': 4.4.3
|
||||||
'@types/express': 5.0.0
|
'@types/express': 5.0.0
|
||||||
express: 4.21.2
|
express: 4.21.2
|
||||||
pdf-lib: 1.17.1
|
pdf-lib: 1.17.1
|
||||||
@ -5817,7 +5817,7 @@ snapshots:
|
|||||||
'@push.rocks/smartbucket': 3.3.7
|
'@push.rocks/smartbucket': 3.3.7
|
||||||
'@push.rocks/smartfile': 11.2.0
|
'@push.rocks/smartfile': 11.2.0
|
||||||
'@push.rocks/smartpath': 5.0.18
|
'@push.rocks/smartpath': 5.0.18
|
||||||
'@tsclass/tsclass': 4.4.0
|
'@tsclass/tsclass': 4.4.3
|
||||||
'@types/s3rver': 3.7.4
|
'@types/s3rver': 3.7.4
|
||||||
s3rver: 3.7.1
|
s3rver: 3.7.1
|
||||||
transitivePeerDependencies:
|
transitivePeerDependencies:
|
||||||
@ -5849,7 +5849,7 @@ snapshots:
|
|||||||
'@push.rocks/smartxml': 1.1.1
|
'@push.rocks/smartxml': 1.1.1
|
||||||
'@push.rocks/smartyaml': 2.0.5
|
'@push.rocks/smartyaml': 2.0.5
|
||||||
'@push.rocks/webrequest': 3.0.37
|
'@push.rocks/webrequest': 3.0.37
|
||||||
'@tsclass/tsclass': 4.4.0
|
'@tsclass/tsclass': 4.4.3
|
||||||
|
|
||||||
'@push.rocks/smartsocket@2.0.27':
|
'@push.rocks/smartsocket@2.0.27':
|
||||||
dependencies:
|
dependencies:
|
||||||
@ -6008,7 +6008,7 @@ snapshots:
|
|||||||
dependencies:
|
dependencies:
|
||||||
'@pushrocks/smartdelay': 3.0.1
|
'@pushrocks/smartdelay': 3.0.1
|
||||||
'@pushrocks/smartpromise': 4.0.2
|
'@pushrocks/smartpromise': 4.0.2
|
||||||
'@tsclass/tsclass': 4.4.0
|
'@tsclass/tsclass': 4.4.3
|
||||||
|
|
||||||
'@push.rocks/webstore@2.0.20':
|
'@push.rocks/webstore@2.0.20':
|
||||||
dependencies:
|
dependencies:
|
||||||
@ -6572,9 +6572,9 @@ snapshots:
|
|||||||
dependencies:
|
dependencies:
|
||||||
type-fest: 2.19.0
|
type-fest: 2.19.0
|
||||||
|
|
||||||
'@tsclass/tsclass@4.4.0':
|
'@tsclass/tsclass@4.4.3':
|
||||||
dependencies:
|
dependencies:
|
||||||
type-fest: 4.33.0
|
type-fest: 4.37.0
|
||||||
|
|
||||||
'@types/accepts@1.3.7':
|
'@types/accepts@1.3.7':
|
||||||
dependencies:
|
dependencies:
|
||||||
@ -9711,7 +9711,7 @@ snapshots:
|
|||||||
|
|
||||||
type-fest@2.19.0: {}
|
type-fest@2.19.0: {}
|
||||||
|
|
||||||
type-fest@4.33.0: {}
|
type-fest@4.37.0: {}
|
||||||
|
|
||||||
type-is@1.6.18:
|
type-is@1.6.18:
|
||||||
dependencies:
|
dependencies:
|
||||||
|
@ -3,6 +3,6 @@
|
|||||||
*/
|
*/
|
||||||
export const commitinfo = {
|
export const commitinfo = {
|
||||||
name: '@push.rocks/smartproxy',
|
name: '@push.rocks/smartproxy',
|
||||||
version: '3.28.6',
|
version: '3.29.0',
|
||||||
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
|
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
|
||||||
}
|
}
|
||||||
|
@ -3,43 +3,100 @@ import { promisify } from 'util';
|
|||||||
|
|
||||||
const execAsync = promisify(exec);
|
const execAsync = promisify(exec);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Represents a port range for forwarding
|
||||||
|
*/
|
||||||
|
export interface IPortRange {
|
||||||
|
from: number;
|
||||||
|
to: number;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Settings for IPTablesProxy.
|
* Settings for IPTablesProxy.
|
||||||
*/
|
*/
|
||||||
export interface IIpTableProxySettings {
|
export interface IIpTableProxySettings {
|
||||||
fromPort: number;
|
// Basic settings
|
||||||
toPort: number;
|
fromPort: number | IPortRange | Array<number | IPortRange>; // Support single port, port range, or multiple ports/ranges
|
||||||
|
toPort: number | IPortRange | Array<number | IPortRange>;
|
||||||
toHost?: string; // Target host for proxying; defaults to 'localhost'
|
toHost?: string; // Target host for proxying; defaults to 'localhost'
|
||||||
preserveSourceIP?: boolean; // If true, the original source IP is preserved.
|
|
||||||
deleteOnExit?: boolean; // If true, clean up marked iptables rules before process exit.
|
// Advanced settings
|
||||||
|
preserveSourceIP?: boolean; // If true, the original source IP is preserved
|
||||||
|
deleteOnExit?: boolean; // If true, clean up marked iptables rules before process exit
|
||||||
|
protocol?: 'tcp' | 'udp' | 'all'; // Protocol to forward, defaults to 'tcp'
|
||||||
|
enableLogging?: boolean; // Enable detailed logging
|
||||||
|
ipv6Support?: boolean; // Enable IPv6 support (ip6tables)
|
||||||
|
|
||||||
|
// Source filtering
|
||||||
|
allowedSourceIPs?: string[]; // If provided, only these IPs are allowed
|
||||||
|
bannedSourceIPs?: string[]; // If provided, these IPs are blocked
|
||||||
|
|
||||||
|
// Rule management
|
||||||
|
forceCleanSlate?: boolean; // Clear all IPTablesProxy rules before starting
|
||||||
|
addJumpRule?: boolean; // Add a custom chain for cleaner rule management
|
||||||
|
checkExistingRules?: boolean; // Check if rules already exist before adding
|
||||||
|
|
||||||
|
// Integration with PortProxy/NetworkProxy
|
||||||
|
netProxyIntegration?: {
|
||||||
|
enabled: boolean;
|
||||||
|
redirectLocalhost?: boolean; // Redirect localhost traffic to NetworkProxy
|
||||||
|
sslTerminationPort?: number; // Port where NetworkProxy handles SSL termination
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Represents a rule added to iptables
|
||||||
|
*/
|
||||||
|
interface IpTablesRule {
|
||||||
|
table: string;
|
||||||
|
chain: string;
|
||||||
|
command: string;
|
||||||
|
tag: string;
|
||||||
|
added: boolean;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* IPTablesProxy sets up iptables NAT rules to forward TCP traffic.
|
* IPTablesProxy sets up iptables NAT rules to forward TCP traffic.
|
||||||
* It only supports basic port forwarding and uses iptables comments to tag rules.
|
* Enhanced with multi-port support, IPv6, and integration with PortProxy/NetworkProxy.
|
||||||
*/
|
*/
|
||||||
export class IPTablesProxy {
|
export class IPTablesProxy {
|
||||||
public settings: IIpTableProxySettings;
|
public settings: IIpTableProxySettings;
|
||||||
private rulesInstalled: boolean = false;
|
private rules: IpTablesRule[] = [];
|
||||||
private ruleTag: string;
|
private ruleTag: string;
|
||||||
|
private customChain: string | null = null;
|
||||||
|
|
||||||
constructor(settings: IIpTableProxySettings) {
|
constructor(settings: IIpTableProxySettings) {
|
||||||
|
// Validate inputs to prevent command injection
|
||||||
|
this.validateSettings(settings);
|
||||||
|
|
||||||
|
// Set default settings
|
||||||
this.settings = {
|
this.settings = {
|
||||||
...settings,
|
...settings,
|
||||||
toHost: settings.toHost || 'localhost',
|
toHost: settings.toHost || 'localhost',
|
||||||
|
protocol: settings.protocol || 'tcp',
|
||||||
|
enableLogging: settings.enableLogging !== undefined ? settings.enableLogging : false,
|
||||||
|
ipv6Support: settings.ipv6Support !== undefined ? settings.ipv6Support : false,
|
||||||
|
checkExistingRules: settings.checkExistingRules !== undefined ? settings.checkExistingRules : true,
|
||||||
|
netProxyIntegration: settings.netProxyIntegration || { enabled: false }
|
||||||
};
|
};
|
||||||
// Generate a unique identifier for the rules added by this instance.
|
|
||||||
|
// Generate a unique identifier for the rules added by this instance
|
||||||
this.ruleTag = `IPTablesProxy:${Date.now()}:${Math.random().toString(36).substr(2, 5)}`;
|
this.ruleTag = `IPTablesProxy:${Date.now()}:${Math.random().toString(36).substr(2, 5)}`;
|
||||||
|
|
||||||
// If deleteOnExit is true, register cleanup handlers.
|
if (this.settings.addJumpRule) {
|
||||||
|
this.customChain = `IPTablesProxy_${Math.random().toString(36).substr(2, 5)}`;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Register cleanup handlers if deleteOnExit is true
|
||||||
if (this.settings.deleteOnExit) {
|
if (this.settings.deleteOnExit) {
|
||||||
const cleanup = () => {
|
const cleanup = () => {
|
||||||
try {
|
try {
|
||||||
IPTablesProxy.cleanSlateSync();
|
this.stopSync();
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
console.error('Error cleaning iptables rules on exit:', err);
|
console.error('Error cleaning iptables rules on exit:', err);
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
process.on('exit', cleanup);
|
process.on('exit', cleanup);
|
||||||
process.on('SIGINT', () => {
|
process.on('SIGINT', () => {
|
||||||
cleanup();
|
cleanup();
|
||||||
@ -53,76 +110,591 @@ export class IPTablesProxy {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets up iptables rules for port forwarding.
|
* Validates settings to prevent command injection and ensure valid values
|
||||||
* The rules are tagged with a unique comment so that they can be identified later.
|
|
||||||
*/
|
*/
|
||||||
public async start(): Promise<void> {
|
private validateSettings(settings: IIpTableProxySettings): void {
|
||||||
const dnatCmd = `iptables -t nat -A PREROUTING -p tcp --dport ${this.settings.fromPort} ` +
|
// Validate port numbers
|
||||||
`-j DNAT --to-destination ${this.settings.toHost}:${this.settings.toPort} ` +
|
const validatePorts = (port: number | IPortRange | Array<number | IPortRange>) => {
|
||||||
`-m comment --comment "${this.ruleTag}:DNAT"`;
|
if (Array.isArray(port)) {
|
||||||
try {
|
port.forEach(p => validatePorts(p));
|
||||||
await execAsync(dnatCmd);
|
return;
|
||||||
console.log(`Added iptables rule: ${dnatCmd}`);
|
|
||||||
this.rulesInstalled = true;
|
|
||||||
} catch (err) {
|
|
||||||
console.error(`Failed to add iptables DNAT rule: ${err}`);
|
|
||||||
throw err;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// If preserveSourceIP is false, add a MASQUERADE rule.
|
if (typeof port === 'number') {
|
||||||
if (!this.settings.preserveSourceIP) {
|
if (port < 1 || port > 65535) {
|
||||||
const masqueradeCmd = `iptables -t nat -A POSTROUTING -p tcp -d ${this.settings.toHost} ` +
|
throw new Error(`Invalid port number: ${port}`);
|
||||||
`--dport ${this.settings.toPort} -j MASQUERADE ` +
|
|
||||||
`-m comment --comment "${this.ruleTag}:MASQ"`;
|
|
||||||
try {
|
|
||||||
await execAsync(masqueradeCmd);
|
|
||||||
console.log(`Added iptables rule: ${masqueradeCmd}`);
|
|
||||||
} catch (err) {
|
|
||||||
console.error(`Failed to add iptables MASQUERADE rule: ${err}`);
|
|
||||||
// Roll back the DNAT rule if MASQUERADE fails.
|
|
||||||
try {
|
|
||||||
const rollbackCmd = `iptables -t nat -D PREROUTING -p tcp --dport ${this.settings.fromPort} ` +
|
|
||||||
`-j DNAT --to-destination ${this.settings.toHost}:${this.settings.toPort} ` +
|
|
||||||
`-m comment --comment "${this.ruleTag}:DNAT"`;
|
|
||||||
await execAsync(rollbackCmd);
|
|
||||||
this.rulesInstalled = false;
|
|
||||||
} catch (rollbackErr) {
|
|
||||||
console.error(`Rollback failed: ${rollbackErr}`);
|
|
||||||
}
|
}
|
||||||
throw err;
|
} else if (typeof port === 'object') {
|
||||||
|
if (port.from < 1 || port.from > 65535 || port.to < 1 || port.to > 65535 || port.from > port.to) {
|
||||||
|
throw new Error(`Invalid port range: ${port.from}-${port.to}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
validatePorts(settings.fromPort);
|
||||||
|
validatePorts(settings.toPort);
|
||||||
|
|
||||||
|
// Define regex patterns at the method level so they're available throughout
|
||||||
|
const ipRegex = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/;
|
||||||
|
const ipv6Regex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/;
|
||||||
|
|
||||||
|
// Validate IP addresses
|
||||||
|
const validateIPs = (ips?: string[]) => {
|
||||||
|
if (!ips) return;
|
||||||
|
|
||||||
|
for (const ip of ips) {
|
||||||
|
if (!ipRegex.test(ip) && !ipv6Regex.test(ip)) {
|
||||||
|
throw new Error(`Invalid IP address format: ${ip}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
validateIPs(settings.allowedSourceIPs);
|
||||||
|
validateIPs(settings.bannedSourceIPs);
|
||||||
|
|
||||||
|
// Validate toHost - only allow hostnames or IPs
|
||||||
|
if (settings.toHost) {
|
||||||
|
const hostRegex = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/;
|
||||||
|
if (!hostRegex.test(settings.toHost) && !ipRegex.test(settings.toHost) && !ipv6Regex.test(settings.toHost)) {
|
||||||
|
throw new Error(`Invalid host format: ${settings.toHost}`);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Removes the iptables rules that were added in start(), by matching the unique comment.
|
* Normalizes port specifications into an array of port ranges
|
||||||
|
*/
|
||||||
|
private normalizePortSpec(portSpec: number | IPortRange | Array<number | IPortRange>): IPortRange[] {
|
||||||
|
const result: IPortRange[] = [];
|
||||||
|
|
||||||
|
if (Array.isArray(portSpec)) {
|
||||||
|
// If it's an array, process each element
|
||||||
|
for (const spec of portSpec) {
|
||||||
|
result.push(...this.normalizePortSpec(spec));
|
||||||
|
}
|
||||||
|
} else if (typeof portSpec === 'number') {
|
||||||
|
// Single port becomes a range with the same start and end
|
||||||
|
result.push({ from: portSpec, to: portSpec });
|
||||||
|
} else {
|
||||||
|
// Already a range
|
||||||
|
result.push(portSpec);
|
||||||
|
}
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets the appropriate iptables command based on settings
|
||||||
|
*/
|
||||||
|
private getIptablesCommand(isIpv6: boolean = false): string {
|
||||||
|
return isIpv6 ? 'ip6tables' : 'iptables';
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks if a rule already exists in iptables
|
||||||
|
*/
|
||||||
|
private async ruleExists(table: string, command: string, isIpv6: boolean = false): Promise<boolean> {
|
||||||
|
try {
|
||||||
|
const iptablesCmd = this.getIptablesCommand(isIpv6);
|
||||||
|
const { stdout } = await execAsync(`${iptablesCmd}-save -t ${table}`);
|
||||||
|
// Convert the command to the format found in iptables-save output
|
||||||
|
// (This is a simplification - in reality, you'd need more parsing)
|
||||||
|
const rulePattern = command.replace(`${iptablesCmd} -t ${table} -A `, '-A ');
|
||||||
|
return stdout.split('\n').some(line => line.trim() === rulePattern);
|
||||||
|
} catch (err) {
|
||||||
|
this.log('error', `Failed to check if rule exists: ${err}`);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets up a custom chain for better rule management
|
||||||
|
*/
|
||||||
|
private async setupCustomChain(isIpv6: boolean = false): Promise<boolean> {
|
||||||
|
if (!this.customChain) return true;
|
||||||
|
|
||||||
|
const iptablesCmd = this.getIptablesCommand(isIpv6);
|
||||||
|
const table = 'nat';
|
||||||
|
|
||||||
|
try {
|
||||||
|
// Create the chain
|
||||||
|
await execAsync(`${iptablesCmd} -t ${table} -N ${this.customChain}`);
|
||||||
|
this.log('info', `Created custom chain: ${this.customChain}`);
|
||||||
|
|
||||||
|
// Add jump rule to PREROUTING chain
|
||||||
|
const jumpCommand = `${iptablesCmd} -t ${table} -A PREROUTING -j ${this.customChain} -m comment --comment "${this.ruleTag}:JUMP"`;
|
||||||
|
await execAsync(jumpCommand);
|
||||||
|
this.log('info', `Added jump rule to ${this.customChain}`);
|
||||||
|
|
||||||
|
// Store the jump rule
|
||||||
|
this.rules.push({
|
||||||
|
table,
|
||||||
|
chain: 'PREROUTING',
|
||||||
|
command: jumpCommand,
|
||||||
|
tag: `${this.ruleTag}:JUMP`,
|
||||||
|
added: true
|
||||||
|
});
|
||||||
|
|
||||||
|
return true;
|
||||||
|
} catch (err) {
|
||||||
|
this.log('error', `Failed to set up custom chain: ${err}`);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Add a source IP filter rule
|
||||||
|
*/
|
||||||
|
private async addSourceIPFilter(isIpv6: boolean = false): Promise<boolean> {
|
||||||
|
if (!this.settings.allowedSourceIPs && !this.settings.bannedSourceIPs) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
const iptablesCmd = this.getIptablesCommand(isIpv6);
|
||||||
|
const table = 'nat';
|
||||||
|
const chain = this.customChain || 'PREROUTING';
|
||||||
|
|
||||||
|
try {
|
||||||
|
// Add banned IPs first (explicit deny)
|
||||||
|
if (this.settings.bannedSourceIPs && this.settings.bannedSourceIPs.length > 0) {
|
||||||
|
for (const ip of this.settings.bannedSourceIPs) {
|
||||||
|
const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -j DROP -m comment --comment "${this.ruleTag}:BANNED"`;
|
||||||
|
|
||||||
|
// Check if rule already exists
|
||||||
|
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
|
||||||
|
this.log('info', `Rule already exists, skipping: ${command}`);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
await execAsync(command);
|
||||||
|
this.log('info', `Added banned IP rule: ${command}`);
|
||||||
|
|
||||||
|
this.rules.push({
|
||||||
|
table,
|
||||||
|
chain,
|
||||||
|
command,
|
||||||
|
tag: `${this.ruleTag}:BANNED`,
|
||||||
|
added: true
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Add allowed IPs (explicit allow)
|
||||||
|
if (this.settings.allowedSourceIPs && this.settings.allowedSourceIPs.length > 0) {
|
||||||
|
// First add a default deny for all
|
||||||
|
const denyAllCommand = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} -j DROP -m comment --comment "${this.ruleTag}:DENY_ALL"`;
|
||||||
|
|
||||||
|
// Add allow rules for specific IPs
|
||||||
|
for (const ip of this.settings.allowedSourceIPs) {
|
||||||
|
const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -p ${this.settings.protocol} -j ACCEPT -m comment --comment "${this.ruleTag}:ALLOWED"`;
|
||||||
|
|
||||||
|
// Check if rule already exists
|
||||||
|
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
|
||||||
|
this.log('info', `Rule already exists, skipping: ${command}`);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
await execAsync(command);
|
||||||
|
this.log('info', `Added allowed IP rule: ${command}`);
|
||||||
|
|
||||||
|
this.rules.push({
|
||||||
|
table,
|
||||||
|
chain,
|
||||||
|
command,
|
||||||
|
tag: `${this.ruleTag}:ALLOWED`,
|
||||||
|
added: true
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
// Now add the default deny after all allows
|
||||||
|
if (this.settings.checkExistingRules && await this.ruleExists(table, denyAllCommand, isIpv6)) {
|
||||||
|
this.log('info', `Rule already exists, skipping: ${denyAllCommand}`);
|
||||||
|
} else {
|
||||||
|
await execAsync(denyAllCommand);
|
||||||
|
this.log('info', `Added default deny rule: ${denyAllCommand}`);
|
||||||
|
|
||||||
|
this.rules.push({
|
||||||
|
table,
|
||||||
|
chain,
|
||||||
|
command: denyAllCommand,
|
||||||
|
tag: `${this.ruleTag}:DENY_ALL`,
|
||||||
|
added: true
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
} catch (err) {
|
||||||
|
this.log('error', `Failed to add source IP filter rules: ${err}`);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Adds a port forwarding rule
|
||||||
|
*/
|
||||||
|
private async addPortForwardingRule(
|
||||||
|
fromPortRange: IPortRange,
|
||||||
|
toPortRange: IPortRange,
|
||||||
|
isIpv6: boolean = false
|
||||||
|
): Promise<boolean> {
|
||||||
|
const iptablesCmd = this.getIptablesCommand(isIpv6);
|
||||||
|
const table = 'nat';
|
||||||
|
const chain = this.customChain || 'PREROUTING';
|
||||||
|
|
||||||
|
try {
|
||||||
|
// Handle single port case
|
||||||
|
if (fromPortRange.from === fromPortRange.to && toPortRange.from === toPortRange.to) {
|
||||||
|
// Single port forward
|
||||||
|
const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from} ` +
|
||||||
|
`-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from} ` +
|
||||||
|
`-m comment --comment "${this.ruleTag}:DNAT"`;
|
||||||
|
|
||||||
|
// Check if rule already exists
|
||||||
|
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
|
||||||
|
this.log('info', `Rule already exists, skipping: ${command}`);
|
||||||
|
} else {
|
||||||
|
await execAsync(command);
|
||||||
|
this.log('info', `Added port forwarding rule: ${command}`);
|
||||||
|
|
||||||
|
this.rules.push({
|
||||||
|
table,
|
||||||
|
chain,
|
||||||
|
command,
|
||||||
|
tag: `${this.ruleTag}:DNAT`,
|
||||||
|
added: true
|
||||||
|
});
|
||||||
|
}
|
||||||
|
} else if (fromPortRange.to - fromPortRange.from === toPortRange.to - toPortRange.from) {
|
||||||
|
// Port range forward with equal ranges
|
||||||
|
const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from}:${fromPortRange.to} ` +
|
||||||
|
`-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from}-${toPortRange.to} ` +
|
||||||
|
`-m comment --comment "${this.ruleTag}:DNAT_RANGE"`;
|
||||||
|
|
||||||
|
// Check if rule already exists
|
||||||
|
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
|
||||||
|
this.log('info', `Rule already exists, skipping: ${command}`);
|
||||||
|
} else {
|
||||||
|
await execAsync(command);
|
||||||
|
this.log('info', `Added port range forwarding rule: ${command}`);
|
||||||
|
|
||||||
|
this.rules.push({
|
||||||
|
table,
|
||||||
|
chain,
|
||||||
|
command,
|
||||||
|
tag: `${this.ruleTag}:DNAT_RANGE`,
|
||||||
|
added: true
|
||||||
|
});
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// Unequal port ranges need individual rules
|
||||||
|
for (let i = 0; i <= fromPortRange.to - fromPortRange.from; i++) {
|
||||||
|
const fromPort = fromPortRange.from + i;
|
||||||
|
const toPort = toPortRange.from + i % (toPortRange.to - toPortRange.from + 1);
|
||||||
|
|
||||||
|
const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPort} ` +
|
||||||
|
`-j DNAT --to-destination ${this.settings.toHost}:${toPort} ` +
|
||||||
|
`-m comment --comment "${this.ruleTag}:DNAT_INDIVIDUAL"`;
|
||||||
|
|
||||||
|
// Check if rule already exists
|
||||||
|
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
|
||||||
|
this.log('info', `Rule already exists, skipping: ${command}`);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
await execAsync(command);
|
||||||
|
this.log('info', `Added individual port forwarding rule: ${command}`);
|
||||||
|
|
||||||
|
this.rules.push({
|
||||||
|
table,
|
||||||
|
chain,
|
||||||
|
command,
|
||||||
|
tag: `${this.ruleTag}:DNAT_INDIVIDUAL`,
|
||||||
|
added: true
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// If preserveSourceIP is false, add a MASQUERADE rule
|
||||||
|
if (!this.settings.preserveSourceIP) {
|
||||||
|
// For port range
|
||||||
|
const masqCommand = `${iptablesCmd} -t nat -A POSTROUTING -p ${this.settings.protocol} -d ${this.settings.toHost} ` +
|
||||||
|
`--dport ${toPortRange.from}:${toPortRange.to} -j MASQUERADE ` +
|
||||||
|
`-m comment --comment "${this.ruleTag}:MASQ"`;
|
||||||
|
|
||||||
|
// Check if rule already exists
|
||||||
|
if (this.settings.checkExistingRules && await this.ruleExists('nat', masqCommand, isIpv6)) {
|
||||||
|
this.log('info', `Rule already exists, skipping: ${masqCommand}`);
|
||||||
|
} else {
|
||||||
|
await execAsync(masqCommand);
|
||||||
|
this.log('info', `Added MASQUERADE rule: ${masqCommand}`);
|
||||||
|
|
||||||
|
this.rules.push({
|
||||||
|
table: 'nat',
|
||||||
|
chain: 'POSTROUTING',
|
||||||
|
command: masqCommand,
|
||||||
|
tag: `${this.ruleTag}:MASQ`,
|
||||||
|
added: true
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
} catch (err) {
|
||||||
|
this.log('error', `Failed to add port forwarding rule: ${err}`);
|
||||||
|
|
||||||
|
// Try to roll back any rules that were already added
|
||||||
|
await this.rollbackRules();
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Special handling for NetworkProxy integration
|
||||||
|
*/
|
||||||
|
private async setupNetworkProxyIntegration(isIpv6: boolean = false): Promise<boolean> {
|
||||||
|
if (!this.settings.netProxyIntegration?.enabled) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
const netProxyConfig = this.settings.netProxyIntegration;
|
||||||
|
const iptablesCmd = this.getIptablesCommand(isIpv6);
|
||||||
|
const table = 'nat';
|
||||||
|
const chain = this.customChain || 'PREROUTING';
|
||||||
|
|
||||||
|
try {
|
||||||
|
// If redirectLocalhost is true, set up special rule to redirect localhost traffic to NetworkProxy
|
||||||
|
if (netProxyConfig.redirectLocalhost && netProxyConfig.sslTerminationPort) {
|
||||||
|
const redirectCommand = `${iptablesCmd} -t ${table} -A OUTPUT -p tcp -d 127.0.0.1 -j REDIRECT ` +
|
||||||
|
`--to-port ${netProxyConfig.sslTerminationPort} ` +
|
||||||
|
`-m comment --comment "${this.ruleTag}:NETPROXY_REDIRECT"`;
|
||||||
|
|
||||||
|
// Check if rule already exists
|
||||||
|
if (this.settings.checkExistingRules && await this.ruleExists(table, redirectCommand, isIpv6)) {
|
||||||
|
this.log('info', `Rule already exists, skipping: ${redirectCommand}`);
|
||||||
|
} else {
|
||||||
|
await execAsync(redirectCommand);
|
||||||
|
this.log('info', `Added NetworkProxy redirection rule: ${redirectCommand}`);
|
||||||
|
|
||||||
|
this.rules.push({
|
||||||
|
table,
|
||||||
|
chain: 'OUTPUT',
|
||||||
|
command: redirectCommand,
|
||||||
|
tag: `${this.ruleTag}:NETPROXY_REDIRECT`,
|
||||||
|
added: true
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
} catch (err) {
|
||||||
|
this.log('error', `Failed to set up NetworkProxy integration: ${err}`);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Rolls back rules that were added in case of error
|
||||||
|
*/
|
||||||
|
private async rollbackRules(): Promise<void> {
|
||||||
|
// Process rules in reverse order (LIFO)
|
||||||
|
for (let i = this.rules.length - 1; i >= 0; i--) {
|
||||||
|
const rule = this.rules[i];
|
||||||
|
|
||||||
|
if (rule.added) {
|
||||||
|
try {
|
||||||
|
// Convert -A (add) to -D (delete)
|
||||||
|
const deleteCommand = rule.command.replace('-A', '-D');
|
||||||
|
await execAsync(deleteCommand);
|
||||||
|
this.log('info', `Rolled back rule: ${deleteCommand}`);
|
||||||
|
|
||||||
|
rule.added = false;
|
||||||
|
} catch (err) {
|
||||||
|
this.log('error', `Failed to roll back rule: ${err}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets up iptables rules for port forwarding with enhanced features
|
||||||
|
*/
|
||||||
|
public async start(): Promise<void> {
|
||||||
|
// Optionally clean the slate first
|
||||||
|
if (this.settings.forceCleanSlate) {
|
||||||
|
await IPTablesProxy.cleanSlate();
|
||||||
|
}
|
||||||
|
|
||||||
|
// First set up any custom chains
|
||||||
|
if (this.settings.addJumpRule) {
|
||||||
|
const chainSetupSuccess = await this.setupCustomChain();
|
||||||
|
if (!chainSetupSuccess) {
|
||||||
|
throw new Error('Failed to set up custom chain');
|
||||||
|
}
|
||||||
|
|
||||||
|
// For IPv6 if enabled
|
||||||
|
if (this.settings.ipv6Support) {
|
||||||
|
const chainSetupSuccessIpv6 = await this.setupCustomChain(true);
|
||||||
|
if (!chainSetupSuccessIpv6) {
|
||||||
|
this.log('warn', 'Failed to set up IPv6 custom chain, continuing with IPv4 only');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Add source IP filters
|
||||||
|
await this.addSourceIPFilter();
|
||||||
|
if (this.settings.ipv6Support) {
|
||||||
|
await this.addSourceIPFilter(true);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Set up NetworkProxy integration if enabled
|
||||||
|
if (this.settings.netProxyIntegration?.enabled) {
|
||||||
|
const netProxySetupSuccess = await this.setupNetworkProxyIntegration();
|
||||||
|
if (!netProxySetupSuccess) {
|
||||||
|
this.log('warn', 'Failed to set up NetworkProxy integration');
|
||||||
|
}
|
||||||
|
|
||||||
|
if (this.settings.ipv6Support) {
|
||||||
|
await this.setupNetworkProxyIntegration(true);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Normalize port specifications
|
||||||
|
const fromPortRanges = this.normalizePortSpec(this.settings.fromPort);
|
||||||
|
const toPortRanges = this.normalizePortSpec(this.settings.toPort);
|
||||||
|
|
||||||
|
// Handle the case where fromPort and toPort counts don't match
|
||||||
|
if (fromPortRanges.length !== toPortRanges.length) {
|
||||||
|
if (toPortRanges.length === 1) {
|
||||||
|
// If there's only one toPort, use it for all fromPorts
|
||||||
|
for (const fromRange of fromPortRanges) {
|
||||||
|
await this.addPortForwardingRule(fromRange, toPortRanges[0]);
|
||||||
|
|
||||||
|
if (this.settings.ipv6Support) {
|
||||||
|
await this.addPortForwardingRule(fromRange, toPortRanges[0], true);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
throw new Error('Mismatched port counts: fromPort and toPort arrays must have equal length or toPort must be a single value');
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// Add port forwarding rules for each port specification
|
||||||
|
for (let i = 0; i < fromPortRanges.length; i++) {
|
||||||
|
await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i]);
|
||||||
|
|
||||||
|
if (this.settings.ipv6Support) {
|
||||||
|
await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i], true);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Final check - ensure we have at least one rule added
|
||||||
|
if (this.rules.filter(r => r.added).length === 0) {
|
||||||
|
throw new Error('No rules were added');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Removes all added iptables rules
|
||||||
*/
|
*/
|
||||||
public async stop(): Promise<void> {
|
public async stop(): Promise<void> {
|
||||||
if (!this.rulesInstalled) return;
|
// Process rules in reverse order (LIFO)
|
||||||
|
for (let i = this.rules.length - 1; i >= 0; i--) {
|
||||||
|
const rule = this.rules[i];
|
||||||
|
|
||||||
const dnatDelCmd = `iptables -t nat -D PREROUTING -p tcp --dport ${this.settings.fromPort} ` +
|
if (rule.added) {
|
||||||
`-j DNAT --to-destination ${this.settings.toHost}:${this.settings.toPort} ` +
|
|
||||||
`-m comment --comment "${this.ruleTag}:DNAT"`;
|
|
||||||
try {
|
try {
|
||||||
await execAsync(dnatDelCmd);
|
// Convert -A (add) to -D (delete)
|
||||||
console.log(`Removed iptables rule: ${dnatDelCmd}`);
|
const deleteCommand = rule.command.replace('-A', '-D');
|
||||||
|
await execAsync(deleteCommand);
|
||||||
|
this.log('info', `Removed rule: ${deleteCommand}`);
|
||||||
|
|
||||||
|
rule.added = false;
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
console.error(`Failed to remove iptables DNAT rule: ${err}`);
|
this.log('error', `Failed to remove rule: ${err}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!this.settings.preserveSourceIP) {
|
// If we created a custom chain, we need to clean it up
|
||||||
const masqueradeDelCmd = `iptables -t nat -D POSTROUTING -p tcp -d ${this.settings.toHost} ` +
|
if (this.customChain) {
|
||||||
`--dport ${this.settings.toPort} -j MASQUERADE ` +
|
|
||||||
`-m comment --comment "${this.ruleTag}:MASQ"`;
|
|
||||||
try {
|
try {
|
||||||
await execAsync(masqueradeDelCmd);
|
// First flush the chain
|
||||||
console.log(`Removed iptables rule: ${masqueradeDelCmd}`);
|
await execAsync(`iptables -t nat -F ${this.customChain}`);
|
||||||
|
this.log('info', `Flushed custom chain: ${this.customChain}`);
|
||||||
|
|
||||||
|
// Then delete it
|
||||||
|
await execAsync(`iptables -t nat -X ${this.customChain}`);
|
||||||
|
this.log('info', `Deleted custom chain: ${this.customChain}`);
|
||||||
|
|
||||||
|
// Same for IPv6 if enabled
|
||||||
|
if (this.settings.ipv6Support) {
|
||||||
|
try {
|
||||||
|
await execAsync(`ip6tables -t nat -F ${this.customChain}`);
|
||||||
|
await execAsync(`ip6tables -t nat -X ${this.customChain}`);
|
||||||
|
this.log('info', `Deleted IPv6 custom chain: ${this.customChain}`);
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
console.error(`Failed to remove iptables MASQUERADE rule: ${err}`);
|
this.log('error', `Failed to delete IPv6 custom chain: ${err}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (err) {
|
||||||
|
this.log('error', `Failed to delete custom chain: ${err}`);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
this.rulesInstalled = false;
|
// Clear rules array
|
||||||
|
this.rules = [];
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Synchronous version of stop, for use in exit handlers
|
||||||
|
*/
|
||||||
|
public stopSync(): void {
|
||||||
|
// Process rules in reverse order (LIFO)
|
||||||
|
for (let i = this.rules.length - 1; i >= 0; i--) {
|
||||||
|
const rule = this.rules[i];
|
||||||
|
|
||||||
|
if (rule.added) {
|
||||||
|
try {
|
||||||
|
// Convert -A (add) to -D (delete)
|
||||||
|
const deleteCommand = rule.command.replace('-A', '-D');
|
||||||
|
execSync(deleteCommand);
|
||||||
|
this.log('info', `Removed rule: ${deleteCommand}`);
|
||||||
|
|
||||||
|
rule.added = false;
|
||||||
|
} catch (err) {
|
||||||
|
this.log('error', `Failed to remove rule: ${err}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// If we created a custom chain, we need to clean it up
|
||||||
|
if (this.customChain) {
|
||||||
|
try {
|
||||||
|
// First flush the chain
|
||||||
|
execSync(`iptables -t nat -F ${this.customChain}`);
|
||||||
|
|
||||||
|
// Then delete it
|
||||||
|
execSync(`iptables -t nat -X ${this.customChain}`);
|
||||||
|
this.log('info', `Deleted custom chain: ${this.customChain}`);
|
||||||
|
|
||||||
|
// Same for IPv6 if enabled
|
||||||
|
if (this.settings.ipv6Support) {
|
||||||
|
try {
|
||||||
|
execSync(`ip6tables -t nat -F ${this.customChain}`);
|
||||||
|
execSync(`ip6tables -t nat -X ${this.customChain}`);
|
||||||
|
} catch (err) {
|
||||||
|
// IPv6 failures are non-critical
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (err) {
|
||||||
|
this.log('error', `Failed to delete custom chain: ${err}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Clear rules array
|
||||||
|
this.rules = [];
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -130,16 +702,62 @@ export class IPTablesProxy {
|
|||||||
* It looks for rules with comments containing "IPTablesProxy:".
|
* It looks for rules with comments containing "IPTablesProxy:".
|
||||||
*/
|
*/
|
||||||
public static async cleanSlate(): Promise<void> {
|
public static async cleanSlate(): Promise<void> {
|
||||||
|
await IPTablesProxy.cleanSlateInternal();
|
||||||
|
|
||||||
|
// Also clean IPv6 rules
|
||||||
|
await IPTablesProxy.cleanSlateInternal(true);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Internal implementation of cleanSlate with IPv6 support
|
||||||
|
*/
|
||||||
|
private static async cleanSlateInternal(isIpv6: boolean = false): Promise<void> {
|
||||||
|
const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables';
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const { stdout } = await execAsync('iptables-save -t nat');
|
const { stdout } = await execAsync(`${iptablesCmd}-save -t nat`);
|
||||||
const lines = stdout.split('\n');
|
const lines = stdout.split('\n');
|
||||||
const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
|
const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
|
||||||
|
|
||||||
|
// First, find and remove any custom chains
|
||||||
|
const customChains = new Set<string>();
|
||||||
|
const jumpRules: string[] = [];
|
||||||
|
|
||||||
for (const line of proxyLines) {
|
for (const line of proxyLines) {
|
||||||
|
if (line.includes('IPTablesProxy:JUMP')) {
|
||||||
|
// Extract chain name from jump rule
|
||||||
|
const match = line.match(/\s+-j\s+(\S+)\s+/);
|
||||||
|
if (match && match[1].startsWith('IPTablesProxy_')) {
|
||||||
|
customChains.add(match[1]);
|
||||||
|
jumpRules.push(line);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Remove jump rules first
|
||||||
|
for (const line of jumpRules) {
|
||||||
const trimmedLine = line.trim();
|
const trimmedLine = line.trim();
|
||||||
if (trimmedLine.startsWith('-A')) {
|
if (trimmedLine.startsWith('-A')) {
|
||||||
// Replace the "-A" with "-D" to form a deletion command.
|
// Replace the "-A" with "-D" to form a deletion command
|
||||||
const deleteRule = trimmedLine.replace('-A', '-D');
|
const deleteRule = trimmedLine.replace('-A', '-D');
|
||||||
const cmd = `iptables -t nat ${deleteRule}`;
|
const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
|
||||||
|
try {
|
||||||
|
await execAsync(cmd);
|
||||||
|
console.log(`Cleaned up iptables jump rule: ${cmd}`);
|
||||||
|
} catch (err) {
|
||||||
|
console.error(`Failed to remove iptables jump rule: ${cmd}`, err);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Then remove all other rules
|
||||||
|
for (const line of proxyLines) {
|
||||||
|
if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled
|
||||||
|
const trimmedLine = line.trim();
|
||||||
|
if (trimmedLine.startsWith('-A')) {
|
||||||
|
// Replace the "-A" with "-D" to form a deletion command
|
||||||
|
const deleteRule = trimmedLine.replace('-A', '-D');
|
||||||
|
const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
|
||||||
try {
|
try {
|
||||||
await execAsync(cmd);
|
await execAsync(cmd);
|
||||||
console.log(`Cleaned up iptables rule: ${cmd}`);
|
console.log(`Cleaned up iptables rule: ${cmd}`);
|
||||||
@ -148,8 +766,24 @@ export class IPTablesProxy {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Finally clean up custom chains
|
||||||
|
for (const chain of customChains) {
|
||||||
|
try {
|
||||||
|
// Flush the chain
|
||||||
|
await execAsync(`${iptablesCmd} -t nat -F ${chain}`);
|
||||||
|
console.log(`Flushed custom chain: ${chain}`);
|
||||||
|
|
||||||
|
// Delete the chain
|
||||||
|
await execAsync(`${iptablesCmd} -t nat -X ${chain}`);
|
||||||
|
console.log(`Deleted custom chain: ${chain}`);
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
console.error(`Failed to run iptables-save: ${err}`);
|
console.error(`Failed to delete custom chain ${chain}:`, err);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (err) {
|
||||||
|
console.error(`Failed to run ${iptablesCmd}-save: ${err}`);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -159,15 +793,61 @@ export class IPTablesProxy {
|
|||||||
* This method is intended for use in process exit handlers.
|
* This method is intended for use in process exit handlers.
|
||||||
*/
|
*/
|
||||||
public static cleanSlateSync(): void {
|
public static cleanSlateSync(): void {
|
||||||
|
IPTablesProxy.cleanSlateSyncInternal();
|
||||||
|
|
||||||
|
// Also clean IPv6 rules
|
||||||
|
IPTablesProxy.cleanSlateSyncInternal(true);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Internal implementation of cleanSlateSync with IPv6 support
|
||||||
|
*/
|
||||||
|
private static cleanSlateSyncInternal(isIpv6: boolean = false): void {
|
||||||
|
const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables';
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const stdout = execSync('iptables-save -t nat').toString();
|
const stdout = execSync(`${iptablesCmd}-save -t nat`).toString();
|
||||||
const lines = stdout.split('\n');
|
const lines = stdout.split('\n');
|
||||||
const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
|
const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
|
||||||
|
|
||||||
|
// First, find and remove any custom chains
|
||||||
|
const customChains = new Set<string>();
|
||||||
|
const jumpRules: string[] = [];
|
||||||
|
|
||||||
for (const line of proxyLines) {
|
for (const line of proxyLines) {
|
||||||
|
if (line.includes('IPTablesProxy:JUMP')) {
|
||||||
|
// Extract chain name from jump rule
|
||||||
|
const match = line.match(/\s+-j\s+(\S+)\s+/);
|
||||||
|
if (match && match[1].startsWith('IPTablesProxy_')) {
|
||||||
|
customChains.add(match[1]);
|
||||||
|
jumpRules.push(line);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Remove jump rules first
|
||||||
|
for (const line of jumpRules) {
|
||||||
|
const trimmedLine = line.trim();
|
||||||
|
if (trimmedLine.startsWith('-A')) {
|
||||||
|
// Replace the "-A" with "-D" to form a deletion command
|
||||||
|
const deleteRule = trimmedLine.replace('-A', '-D');
|
||||||
|
const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
|
||||||
|
try {
|
||||||
|
execSync(cmd);
|
||||||
|
console.log(`Cleaned up iptables jump rule: ${cmd}`);
|
||||||
|
} catch (err) {
|
||||||
|
console.error(`Failed to remove iptables jump rule: ${cmd}`, err);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Then remove all other rules
|
||||||
|
for (const line of proxyLines) {
|
||||||
|
if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled
|
||||||
const trimmedLine = line.trim();
|
const trimmedLine = line.trim();
|
||||||
if (trimmedLine.startsWith('-A')) {
|
if (trimmedLine.startsWith('-A')) {
|
||||||
const deleteRule = trimmedLine.replace('-A', '-D');
|
const deleteRule = trimmedLine.replace('-A', '-D');
|
||||||
const cmd = `iptables -t nat ${deleteRule}`;
|
const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
|
||||||
try {
|
try {
|
||||||
execSync(cmd);
|
execSync(cmd);
|
||||||
console.log(`Cleaned up iptables rule: ${cmd}`);
|
console.log(`Cleaned up iptables rule: ${cmd}`);
|
||||||
@ -176,8 +856,46 @@ export class IPTablesProxy {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Finally clean up custom chains
|
||||||
|
for (const chain of customChains) {
|
||||||
|
try {
|
||||||
|
// Flush the chain
|
||||||
|
execSync(`${iptablesCmd} -t nat -F ${chain}`);
|
||||||
|
|
||||||
|
// Delete the chain
|
||||||
|
execSync(`${iptablesCmd} -t nat -X ${chain}`);
|
||||||
|
console.log(`Deleted custom chain: ${chain}`);
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
console.error(`Failed to run iptables-save: ${err}`);
|
console.error(`Failed to delete custom chain ${chain}:`, err);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (err) {
|
||||||
|
console.error(`Failed to run ${iptablesCmd}-save: ${err}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Logging utility that respects the enableLogging setting
|
||||||
|
*/
|
||||||
|
private log(level: 'info' | 'warn' | 'error', message: string): void {
|
||||||
|
if (!this.settings.enableLogging && level === 'info') {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const timestamp = new Date().toISOString();
|
||||||
|
|
||||||
|
switch (level) {
|
||||||
|
case 'info':
|
||||||
|
console.log(`[${timestamp}] [INFO] ${message}`);
|
||||||
|
break;
|
||||||
|
case 'warn':
|
||||||
|
console.warn(`[${timestamp}] [WARN] ${message}`);
|
||||||
|
break;
|
||||||
|
case 'error':
|
||||||
|
console.error(`[${timestamp}] [ERROR] ${message}`);
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -16,6 +16,10 @@ export interface INetworkProxyOptions {
|
|||||||
allowHeaders?: string;
|
allowHeaders?: string;
|
||||||
maxAge?: number;
|
maxAge?: number;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
// New settings for PortProxy integration
|
||||||
|
connectionPoolSize?: number; // Maximum connections to maintain in the pool to each backend
|
||||||
|
portProxyIntegration?: boolean; // Flag to indicate this proxy is used by PortProxy
|
||||||
}
|
}
|
||||||
|
|
||||||
interface IWebSocketWithHeartbeat extends plugins.wsDefault {
|
interface IWebSocketWithHeartbeat extends plugins.wsDefault {
|
||||||
@ -42,14 +46,26 @@ export class NetworkProxy {
|
|||||||
public requestsServed: number = 0;
|
public requestsServed: number = 0;
|
||||||
public failedRequests: number = 0;
|
public failedRequests: number = 0;
|
||||||
|
|
||||||
|
// New tracking for PortProxy integration
|
||||||
|
private portProxyConnections: number = 0;
|
||||||
|
private tlsTerminatedConnections: number = 0;
|
||||||
|
|
||||||
// Timers and intervals
|
// Timers and intervals
|
||||||
private heartbeatInterval: NodeJS.Timeout;
|
private heartbeatInterval: NodeJS.Timeout;
|
||||||
private metricsInterval: NodeJS.Timeout;
|
private metricsInterval: NodeJS.Timeout;
|
||||||
|
private connectionPoolCleanupInterval: NodeJS.Timeout;
|
||||||
|
|
||||||
// Certificates
|
// Certificates
|
||||||
private defaultCertificates: { key: string; cert: string };
|
private defaultCertificates: { key: string; cert: string };
|
||||||
private certificateCache: Map<string, { key: string; cert: string; expires?: Date }> = new Map();
|
private certificateCache: Map<string, { key: string; cert: string; expires?: Date }> = new Map();
|
||||||
|
|
||||||
|
// New connection pool for backend connections
|
||||||
|
private connectionPool: Map<string, Array<{
|
||||||
|
socket: plugins.net.Socket;
|
||||||
|
lastUsed: number;
|
||||||
|
isIdle: boolean;
|
||||||
|
}>> = new Map();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Creates a new NetworkProxy instance
|
* Creates a new NetworkProxy instance
|
||||||
*/
|
*/
|
||||||
@ -66,7 +82,10 @@ export class NetworkProxy {
|
|||||||
allowMethods: 'GET, POST, PUT, DELETE, OPTIONS',
|
allowMethods: 'GET, POST, PUT, DELETE, OPTIONS',
|
||||||
allowHeaders: 'Content-Type, Authorization',
|
allowHeaders: 'Content-Type, Authorization',
|
||||||
maxAge: 86400
|
maxAge: 86400
|
||||||
}
|
},
|
||||||
|
// New defaults for PortProxy integration
|
||||||
|
connectionPoolSize: optionsArg.connectionPoolSize || 50,
|
||||||
|
portProxyIntegration: optionsArg.portProxyIntegration || false
|
||||||
};
|
};
|
||||||
|
|
||||||
this.loadDefaultCertificates();
|
this.loadDefaultCertificates();
|
||||||
@ -104,6 +123,213 @@ export class NetworkProxy {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the port number this NetworkProxy is listening on
|
||||||
|
* Useful for PortProxy to determine where to forward connections
|
||||||
|
*/
|
||||||
|
public getListeningPort(): number {
|
||||||
|
return this.options.port;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Updates the server capacity settings
|
||||||
|
* @param maxConnections Maximum number of simultaneous connections
|
||||||
|
* @param keepAliveTimeout Keep-alive timeout in milliseconds
|
||||||
|
* @param connectionPoolSize Size of the connection pool per backend
|
||||||
|
*/
|
||||||
|
public updateCapacity(maxConnections?: number, keepAliveTimeout?: number, connectionPoolSize?: number): void {
|
||||||
|
if (maxConnections !== undefined) {
|
||||||
|
this.options.maxConnections = maxConnections;
|
||||||
|
this.log('info', `Updated max connections to ${maxConnections}`);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (keepAliveTimeout !== undefined) {
|
||||||
|
this.options.keepAliveTimeout = keepAliveTimeout;
|
||||||
|
|
||||||
|
if (this.httpsServer) {
|
||||||
|
this.httpsServer.keepAliveTimeout = keepAliveTimeout;
|
||||||
|
this.log('info', `Updated keep-alive timeout to ${keepAliveTimeout}ms`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (connectionPoolSize !== undefined) {
|
||||||
|
this.options.connectionPoolSize = connectionPoolSize;
|
||||||
|
this.log('info', `Updated connection pool size to ${connectionPoolSize}`);
|
||||||
|
|
||||||
|
// Cleanup excess connections in the pool if the size was reduced
|
||||||
|
this.cleanupConnectionPool();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns current server metrics
|
||||||
|
* Useful for PortProxy to determine which NetworkProxy to use for load balancing
|
||||||
|
*/
|
||||||
|
public getMetrics(): any {
|
||||||
|
return {
|
||||||
|
activeConnections: this.connectedClients,
|
||||||
|
totalRequests: this.requestsServed,
|
||||||
|
failedRequests: this.failedRequests,
|
||||||
|
portProxyConnections: this.portProxyConnections,
|
||||||
|
tlsTerminatedConnections: this.tlsTerminatedConnections,
|
||||||
|
connectionPoolSize: Array.from(this.connectionPool.entries()).reduce((acc, [host, connections]) => {
|
||||||
|
acc[host] = connections.length;
|
||||||
|
return acc;
|
||||||
|
}, {} as Record<string, number>),
|
||||||
|
uptime: Math.floor((Date.now() - this.startTime) / 1000),
|
||||||
|
memoryUsage: process.memoryUsage(),
|
||||||
|
activeWebSockets: this.wsServer?.clients.size || 0
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Cleanup the connection pool by removing idle connections
|
||||||
|
* or reducing pool size if it exceeds the configured maximum
|
||||||
|
*/
|
||||||
|
private cleanupConnectionPool(): void {
|
||||||
|
const now = Date.now();
|
||||||
|
const idleTimeout = this.options.keepAliveTimeout || 120000; // 2 minutes default
|
||||||
|
|
||||||
|
for (const [host, connections] of this.connectionPool.entries()) {
|
||||||
|
// Sort by last used time (oldest first)
|
||||||
|
connections.sort((a, b) => a.lastUsed - b.lastUsed);
|
||||||
|
|
||||||
|
// Remove idle connections older than the idle timeout
|
||||||
|
let removed = 0;
|
||||||
|
while (connections.length > 0) {
|
||||||
|
const connection = connections[0];
|
||||||
|
|
||||||
|
// Remove if idle and exceeds timeout, or if pool is too large
|
||||||
|
if ((connection.isIdle && now - connection.lastUsed > idleTimeout) ||
|
||||||
|
connections.length > this.options.connectionPoolSize!) {
|
||||||
|
|
||||||
|
try {
|
||||||
|
if (!connection.socket.destroyed) {
|
||||||
|
connection.socket.end();
|
||||||
|
connection.socket.destroy();
|
||||||
|
}
|
||||||
|
} catch (err) {
|
||||||
|
this.log('error', `Error destroying pooled connection to ${host}`, err);
|
||||||
|
}
|
||||||
|
|
||||||
|
connections.shift(); // Remove from pool
|
||||||
|
removed++;
|
||||||
|
} else {
|
||||||
|
break; // Stop removing if we've reached active or recent connections
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (removed > 0) {
|
||||||
|
this.log('debug', `Removed ${removed} idle connections from pool for ${host}, ${connections.length} remaining`);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Update the pool with the remaining connections
|
||||||
|
if (connections.length === 0) {
|
||||||
|
this.connectionPool.delete(host);
|
||||||
|
} else {
|
||||||
|
this.connectionPool.set(host, connections);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get a connection from the pool or create a new one
|
||||||
|
*/
|
||||||
|
private getConnectionFromPool(host: string, port: number): Promise<plugins.net.Socket> {
|
||||||
|
return new Promise((resolve, reject) => {
|
||||||
|
const poolKey = `${host}:${port}`;
|
||||||
|
const connectionList = this.connectionPool.get(poolKey) || [];
|
||||||
|
|
||||||
|
// Look for an idle connection
|
||||||
|
const idleConnectionIndex = connectionList.findIndex(c => c.isIdle);
|
||||||
|
|
||||||
|
if (idleConnectionIndex >= 0) {
|
||||||
|
// Get existing connection from pool
|
||||||
|
const connection = connectionList[idleConnectionIndex];
|
||||||
|
connection.isIdle = false;
|
||||||
|
connection.lastUsed = Date.now();
|
||||||
|
this.log('debug', `Reusing connection from pool for ${poolKey}`);
|
||||||
|
|
||||||
|
// Update the pool
|
||||||
|
this.connectionPool.set(poolKey, connectionList);
|
||||||
|
|
||||||
|
resolve(connection.socket);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// No idle connection available, create a new one if pool isn't full
|
||||||
|
if (connectionList.length < this.options.connectionPoolSize!) {
|
||||||
|
this.log('debug', `Creating new connection to ${host}:${port}`);
|
||||||
|
|
||||||
|
try {
|
||||||
|
const socket = plugins.net.connect({
|
||||||
|
host,
|
||||||
|
port,
|
||||||
|
keepAlive: true,
|
||||||
|
keepAliveInitialDelay: 30000 // 30 seconds
|
||||||
|
});
|
||||||
|
|
||||||
|
socket.once('connect', () => {
|
||||||
|
// Add to connection pool
|
||||||
|
const connection = {
|
||||||
|
socket,
|
||||||
|
lastUsed: Date.now(),
|
||||||
|
isIdle: false
|
||||||
|
};
|
||||||
|
|
||||||
|
connectionList.push(connection);
|
||||||
|
this.connectionPool.set(poolKey, connectionList);
|
||||||
|
|
||||||
|
// Setup cleanup when the connection is closed
|
||||||
|
socket.once('close', () => {
|
||||||
|
const idx = connectionList.findIndex(c => c.socket === socket);
|
||||||
|
if (idx >= 0) {
|
||||||
|
connectionList.splice(idx, 1);
|
||||||
|
this.connectionPool.set(poolKey, connectionList);
|
||||||
|
this.log('debug', `Removed closed connection from pool for ${poolKey}`);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
resolve(socket);
|
||||||
|
});
|
||||||
|
|
||||||
|
socket.once('error', (err) => {
|
||||||
|
this.log('error', `Error creating connection to ${host}:${port}`, err);
|
||||||
|
reject(err);
|
||||||
|
});
|
||||||
|
} catch (err) {
|
||||||
|
this.log('error', `Failed to create connection to ${host}:${port}`, err);
|
||||||
|
reject(err);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// Pool is full, wait for an idle connection or reject
|
||||||
|
this.log('warn', `Connection pool for ${poolKey} is full (${connectionList.length})`);
|
||||||
|
reject(new Error(`Connection pool for ${poolKey} is full`));
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return a connection to the pool for reuse
|
||||||
|
*/
|
||||||
|
private returnConnectionToPool(socket: plugins.net.Socket, host: string, port: number): void {
|
||||||
|
const poolKey = `${host}:${port}`;
|
||||||
|
const connectionList = this.connectionPool.get(poolKey) || [];
|
||||||
|
|
||||||
|
// Find this connection in the pool
|
||||||
|
const connectionIndex = connectionList.findIndex(c => c.socket === socket);
|
||||||
|
|
||||||
|
if (connectionIndex >= 0) {
|
||||||
|
// Mark as idle and update last used time
|
||||||
|
connectionList[connectionIndex].isIdle = true;
|
||||||
|
connectionList[connectionIndex].lastUsed = Date.now();
|
||||||
|
|
||||||
|
this.log('debug', `Returned connection to pool for ${poolKey}`);
|
||||||
|
} else {
|
||||||
|
this.log('warn', `Attempted to return unknown connection to pool for ${poolKey}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Starts the proxy server
|
* Starts the proxy server
|
||||||
*/
|
*/
|
||||||
@ -132,6 +358,9 @@ export class NetworkProxy {
|
|||||||
// Start metrics collection
|
// Start metrics collection
|
||||||
this.setupMetricsCollection();
|
this.setupMetricsCollection();
|
||||||
|
|
||||||
|
// Setup connection pool cleanup interval
|
||||||
|
this.setupConnectionPoolCleanup();
|
||||||
|
|
||||||
// Start the server
|
// Start the server
|
||||||
return new Promise((resolve) => {
|
return new Promise((resolve) => {
|
||||||
this.httpsServer.listen(this.options.port, () => {
|
this.httpsServer.listen(this.options.port, () => {
|
||||||
@ -156,13 +385,31 @@ export class NetworkProxy {
|
|||||||
// Add connection to tracking
|
// Add connection to tracking
|
||||||
this.socketMap.add(connection);
|
this.socketMap.add(connection);
|
||||||
this.connectedClients = this.socketMap.getArray().length;
|
this.connectedClients = this.socketMap.getArray().length;
|
||||||
this.log('debug', `New connection. Currently ${this.connectedClients} active connections`);
|
|
||||||
|
// Check for connection from PortProxy by inspecting the source port
|
||||||
|
// This is a heuristic - in a production environment you might use a more robust method
|
||||||
|
const localPort = connection.localPort;
|
||||||
|
const remotePort = connection.remotePort;
|
||||||
|
|
||||||
|
// If this connection is from a PortProxy (usually indicated by it coming from localhost)
|
||||||
|
if (this.options.portProxyIntegration && connection.remoteAddress?.includes('127.0.0.1')) {
|
||||||
|
this.portProxyConnections++;
|
||||||
|
this.log('debug', `New connection from PortProxy (local: ${localPort}, remote: ${remotePort})`);
|
||||||
|
} else {
|
||||||
|
this.log('debug', `New direct connection (local: ${localPort}, remote: ${remotePort})`);
|
||||||
|
}
|
||||||
|
|
||||||
// Setup connection cleanup handlers
|
// Setup connection cleanup handlers
|
||||||
const cleanupConnection = () => {
|
const cleanupConnection = () => {
|
||||||
if (this.socketMap.checkForObject(connection)) {
|
if (this.socketMap.checkForObject(connection)) {
|
||||||
this.socketMap.remove(connection);
|
this.socketMap.remove(connection);
|
||||||
this.connectedClients = this.socketMap.getArray().length;
|
this.connectedClients = this.socketMap.getArray().length;
|
||||||
|
|
||||||
|
// If this was a PortProxy connection, decrement the counter
|
||||||
|
if (this.options.portProxyIntegration && connection.remoteAddress?.includes('127.0.0.1')) {
|
||||||
|
this.portProxyConnections--;
|
||||||
|
}
|
||||||
|
|
||||||
this.log('debug', `Connection closed. ${this.connectedClients} connections remaining`);
|
this.log('debug', `Connection closed. ${this.connectedClients} connections remaining`);
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
@ -178,6 +425,12 @@ export class NetworkProxy {
|
|||||||
cleanupConnection();
|
cleanupConnection();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
// Track TLS handshake completions
|
||||||
|
this.httpsServer.on('secureConnection', (tlsSocket) => {
|
||||||
|
this.tlsTerminatedConnections++;
|
||||||
|
this.log('debug', 'TLS handshake completed, connection secured');
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -228,15 +481,36 @@ export class NetworkProxy {
|
|||||||
activeConnections: this.connectedClients,
|
activeConnections: this.connectedClients,
|
||||||
totalRequests: this.requestsServed,
|
totalRequests: this.requestsServed,
|
||||||
failedRequests: this.failedRequests,
|
failedRequests: this.failedRequests,
|
||||||
|
portProxyConnections: this.portProxyConnections,
|
||||||
|
tlsTerminatedConnections: this.tlsTerminatedConnections,
|
||||||
activeWebSockets: this.wsServer?.clients.size || 0,
|
activeWebSockets: this.wsServer?.clients.size || 0,
|
||||||
memoryUsage: process.memoryUsage(),
|
memoryUsage: process.memoryUsage(),
|
||||||
activeContexts: Array.from(this.activeContexts)
|
activeContexts: Array.from(this.activeContexts),
|
||||||
|
connectionPool: Object.fromEntries(
|
||||||
|
Array.from(this.connectionPool.entries()).map(([host, connections]) => [
|
||||||
|
host,
|
||||||
|
{
|
||||||
|
total: connections.length,
|
||||||
|
idle: connections.filter(c => c.isIdle).length
|
||||||
|
}
|
||||||
|
])
|
||||||
|
)
|
||||||
};
|
};
|
||||||
|
|
||||||
this.log('debug', 'Proxy metrics', metrics);
|
this.log('debug', 'Proxy metrics', metrics);
|
||||||
}, 60000); // Log metrics every minute
|
}, 60000); // Log metrics every minute
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets up connection pool cleanup
|
||||||
|
*/
|
||||||
|
private setupConnectionPoolCleanup(): void {
|
||||||
|
// Clean up idle connections every minute
|
||||||
|
this.connectionPoolCleanupInterval = setInterval(() => {
|
||||||
|
this.cleanupConnectionPool();
|
||||||
|
}, 60000); // 1 minute
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Handles an incoming WebSocket connection
|
* Handles an incoming WebSocket connection
|
||||||
*/
|
*/
|
||||||
@ -410,12 +684,27 @@ export class NetworkProxy {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Determine if we should use connection pooling
|
||||||
|
const useConnectionPool = this.options.portProxyIntegration &&
|
||||||
|
originRequest.socket.remoteAddress?.includes('127.0.0.1');
|
||||||
|
|
||||||
// Construct destination URL
|
// Construct destination URL
|
||||||
const destinationUrl = `http://${destinationConfig.destinationIp}:${destinationConfig.destinationPort}${originRequest.url}`;
|
const destinationUrl = `http://${destinationConfig.destinationIp}:${destinationConfig.destinationPort}${originRequest.url}`;
|
||||||
this.log('debug', `[${reqId}] Proxying to ${destinationUrl}`);
|
|
||||||
|
|
||||||
// Forward the request
|
if (useConnectionPool) {
|
||||||
|
this.log('debug', `[${reqId}] Proxying to ${destinationUrl} (using connection pool)`);
|
||||||
|
await this.forwardRequestUsingConnectionPool(
|
||||||
|
reqId,
|
||||||
|
originRequest,
|
||||||
|
originResponse,
|
||||||
|
destinationConfig.destinationIp,
|
||||||
|
destinationConfig.destinationPort,
|
||||||
|
originRequest.url
|
||||||
|
);
|
||||||
|
} else {
|
||||||
|
this.log('debug', `[${reqId}] Proxying to ${destinationUrl}`);
|
||||||
await this.forwardRequest(reqId, originRequest, originResponse, destinationUrl);
|
await this.forwardRequest(reqId, originRequest, originResponse, destinationUrl);
|
||||||
|
}
|
||||||
|
|
||||||
const processingTime = Date.now() - startTime;
|
const processingTime = Date.now() - startTime;
|
||||||
this.log('debug', `[${reqId}] Request completed in ${processingTime}ms`);
|
this.log('debug', `[${reqId}] Request completed in ${processingTime}ms`);
|
||||||
@ -488,7 +777,105 @@ export class NetworkProxy {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Forwards a request to the destination
|
* Forwards a request to the destination using connection pool
|
||||||
|
* for optimized connection reuse from PortProxy
|
||||||
|
*/
|
||||||
|
private async forwardRequestUsingConnectionPool(
|
||||||
|
reqId: string,
|
||||||
|
originRequest: plugins.http.IncomingMessage,
|
||||||
|
originResponse: plugins.http.ServerResponse,
|
||||||
|
host: string,
|
||||||
|
port: number,
|
||||||
|
path: string
|
||||||
|
): Promise<void> {
|
||||||
|
try {
|
||||||
|
// Try to get a connection from the pool
|
||||||
|
const socket = await this.getConnectionFromPool(host, port);
|
||||||
|
|
||||||
|
// Create an HTTP client request using the pooled socket
|
||||||
|
const reqOptions = {
|
||||||
|
createConnection: () => socket,
|
||||||
|
host,
|
||||||
|
port,
|
||||||
|
path,
|
||||||
|
method: originRequest.method,
|
||||||
|
headers: this.prepareForwardHeaders(originRequest),
|
||||||
|
timeout: 30000 // 30 second timeout
|
||||||
|
};
|
||||||
|
|
||||||
|
const proxyReq = plugins.http.request(reqOptions);
|
||||||
|
|
||||||
|
// Handle timeouts
|
||||||
|
proxyReq.on('timeout', () => {
|
||||||
|
this.log('warn', `[${reqId}] Request to ${host}:${port}${path} timed out`);
|
||||||
|
proxyReq.destroy();
|
||||||
|
});
|
||||||
|
|
||||||
|
// Handle errors
|
||||||
|
proxyReq.on('error', (err) => {
|
||||||
|
this.log('error', `[${reqId}] Error in proxy request to ${host}:${port}${path}`, err);
|
||||||
|
|
||||||
|
// Check if the client response is still writable
|
||||||
|
if (!originResponse.writableEnded) {
|
||||||
|
this.sendErrorResponse(originResponse, 502, 'Bad Gateway: Error communicating with upstream server');
|
||||||
|
}
|
||||||
|
|
||||||
|
// Don't return the socket to the pool on error
|
||||||
|
try {
|
||||||
|
if (!socket.destroyed) {
|
||||||
|
socket.destroy();
|
||||||
|
}
|
||||||
|
} catch (socketErr) {
|
||||||
|
this.log('error', `[${reqId}] Error destroying socket after request error`, socketErr);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
// Forward request body
|
||||||
|
originRequest.pipe(proxyReq);
|
||||||
|
|
||||||
|
// Handle response
|
||||||
|
proxyReq.on('response', (proxyRes) => {
|
||||||
|
// Copy status and headers
|
||||||
|
originResponse.statusCode = proxyRes.statusCode;
|
||||||
|
|
||||||
|
for (const [name, value] of Object.entries(proxyRes.headers)) {
|
||||||
|
if (value !== undefined) {
|
||||||
|
originResponse.setHeader(name, value);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Forward the response body
|
||||||
|
proxyRes.pipe(originResponse);
|
||||||
|
|
||||||
|
// Return connection to pool when the response completes
|
||||||
|
proxyRes.on('end', () => {
|
||||||
|
if (!socket.destroyed) {
|
||||||
|
this.returnConnectionToPool(socket, host, port);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
proxyRes.on('error', (err) => {
|
||||||
|
this.log('error', `[${reqId}] Error in proxy response from ${host}:${port}${path}`, err);
|
||||||
|
|
||||||
|
// Don't return the socket to the pool on error
|
||||||
|
try {
|
||||||
|
if (!socket.destroyed) {
|
||||||
|
socket.destroy();
|
||||||
|
}
|
||||||
|
} catch (socketErr) {
|
||||||
|
this.log('error', `[${reqId}] Error destroying socket after response error`, socketErr);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
});
|
||||||
|
} catch (error) {
|
||||||
|
this.log('error', `[${reqId}] Error setting up pooled connection to ${host}:${port}`, error);
|
||||||
|
this.sendErrorResponse(originResponse, 502, 'Bad Gateway: Unable to reach upstream server');
|
||||||
|
throw error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Forwards a request to the destination (standard method)
|
||||||
*/
|
*/
|
||||||
private async forwardRequest(
|
private async forwardRequest(
|
||||||
reqId: string,
|
reqId: string,
|
||||||
@ -532,6 +919,11 @@ export class NetworkProxy {
|
|||||||
// Add proxy-specific headers
|
// Add proxy-specific headers
|
||||||
safeHeaders['X-Proxy-Id'] = `NetworkProxy-${this.options.port}`;
|
safeHeaders['X-Proxy-Id'] = `NetworkProxy-${this.options.port}`;
|
||||||
|
|
||||||
|
// If this is coming from PortProxy, add a header to indicate that
|
||||||
|
if (this.options.portProxyIntegration && req.socket.remoteAddress?.includes('127.0.0.1')) {
|
||||||
|
safeHeaders['X-PortProxy-Forwarded'] = 'true';
|
||||||
|
}
|
||||||
|
|
||||||
// Remove sensitive headers we don't want to forward
|
// Remove sensitive headers we don't want to forward
|
||||||
const sensitiveHeaders = ['connection', 'upgrade', 'http2-settings'];
|
const sensitiveHeaders = ['connection', 'upgrade', 'http2-settings'];
|
||||||
for (const header of sensitiveHeaders) {
|
for (const header of sensitiveHeaders) {
|
||||||
@ -778,6 +1170,10 @@ export class NetworkProxy {
|
|||||||
clearInterval(this.metricsInterval);
|
clearInterval(this.metricsInterval);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (this.connectionPoolCleanupInterval) {
|
||||||
|
clearInterval(this.connectionPoolCleanupInterval);
|
||||||
|
}
|
||||||
|
|
||||||
// Close WebSocket server if exists
|
// Close WebSocket server if exists
|
||||||
if (this.wsServer) {
|
if (this.wsServer) {
|
||||||
for (const client of this.wsServer.clients) {
|
for (const client of this.wsServer.clients) {
|
||||||
@ -798,6 +1194,20 @@ export class NetworkProxy {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Close all connection pool connections
|
||||||
|
for (const [host, connections] of this.connectionPool.entries()) {
|
||||||
|
for (const connection of connections) {
|
||||||
|
try {
|
||||||
|
if (!connection.socket.destroyed) {
|
||||||
|
connection.socket.destroy();
|
||||||
|
}
|
||||||
|
} catch (error) {
|
||||||
|
this.log('error', `Error destroying pooled connection to ${host}`, error);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
this.connectionPool.clear();
|
||||||
|
|
||||||
// Close the HTTPS server
|
// Close the HTTPS server
|
||||||
return new Promise((resolve) => {
|
return new Promise((resolve) => {
|
||||||
this.httpsServer.close(() => {
|
this.httpsServer.close(() => {
|
||||||
|
File diff suppressed because it is too large
Load Diff
Loading…
x
Reference in New Issue
Block a user