fix some tests and prepare next step of evolution

2025-12-09 09:19:13 +00:00
parent ad44274075
commit be3ac75422
27 changed files with 3363 additions and 3246 deletions
--- a/ts/proxies/smart-proxy/models/interfaces.ts
+++ b/ts/proxies/smart-proxy/models/interfaces.ts
@@ -89,7 +89,6 @@ export interface ISmartProxyOptions {
  enableDetailedLogging?: boolean; // Enable detailed connection logging
  enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
  enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
-  allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)

  // Rate limiting and security
  maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
--- a/ts/proxies/smart-proxy/route-connection-handler.ts
+++ b/ts/proxies/smart-proxy/route-connection-handler.ts
@@ -184,14 +184,28 @@ export class RouteConnectionHandler {
    const needsTlsHandling = allRoutes.some(route => {
      // Check if route matches this port
      const matchesPort = this.smartProxy.routeManager.getRoutesForPort(localPort).includes(route);
-      
-      return matchesPort && 
-             route.action.type === 'forward' && 
-             route.action.tls && 
-             (route.action.tls.mode === 'terminate' || 
+
+      return matchesPort &&
+             route.action.type === 'forward' &&
+             route.action.tls &&
+             (route.action.tls.mode === 'terminate' ||
              route.action.tls.mode === 'passthrough');
    });

+    // Auto-calculate session ticket handling based on route configuration
+    // If any route on this port terminates TLS, allow session tickets (HttpProxy handles resumption)
+    // Otherwise, block session tickets (need SNI for passthrough routing)
+    const hasTlsTermination = allRoutes.some(route => {
+      const matchesPort = this.smartProxy.routeManager.getRoutesForPort(localPort).includes(route);
+
+      return matchesPort &&
+             route.action.type === 'forward' &&
+             route.action.tls &&
+             (route.action.tls.mode === 'terminate' ||
+              route.action.tls.mode === 'terminate-and-reencrypt');
+    });
+    const allowSessionTicket = hasTlsTermination;
+
    // If no routes require TLS handling and it's not port 443, route immediately
    if (!needsTlsHandling && localPort !== 443) {
      // Extract underlying socket for socket-utils functions
@@ -345,7 +359,7 @@ export class RouteConnectionHandler {
        record.lockedDomain = serverName;

        // Check if we should reject connections without SNI
-        if (!serverName && this.smartProxy.settings.allowSessionTicket === false) {
+        if (!serverName && allowSessionTicket === false) {
          logger.log('warn', `No SNI detected in TLS ClientHello for connection ${record.id}; sending TLS alert`, {
            connectionId: record.id,
            component: 'route-handler'
--- a/ts/proxies/smart-proxy/smart-proxy.ts
+++ b/ts/proxies/smart-proxy/smart-proxy.ts
@@ -137,8 +137,6 @@ export class SmartProxy extends plugins.EventEmitter {
      enableDetailedLogging: settingsArg.enableDetailedLogging || false,
      enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
      enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
-      allowSessionTicket:
-        settingsArg.allowSessionTicket !== undefined ? settingsArg.allowSessionTicket : true,
      maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
      connectionRateLimitPerMinute: settingsArg.connectionRateLimitPerMinute || 300,
      keepAliveTreatment: settingsArg.keepAliveTreatment || 'extended',
--- a/ts/proxies/smart-proxy/tls-manager.ts
+++ b/ts/proxies/smart-proxy/tls-manager.ts
@@ -50,43 +50,7 @@ export class TlsManager {
    );
  }
  
-  /**
-   * Handle session resumption attempts
-   */
-  public handleSessionResumption(
-    chunk: Buffer, 
-    connectionId: string,
-    hasSNI: boolean
-  ): { shouldBlock: boolean; reason?: string } {
-    // Skip if session tickets are allowed
-    if (this.smartProxy.settings.allowSessionTicket !== false) {
-      return { shouldBlock: false };
-    }
-    
-    // Check for session resumption attempt
-    const resumptionInfo = SniHandler.hasSessionResumption(
-      chunk,
-      this.smartProxy.settings.enableTlsDebugLogging || false
-    );
-    
-    // If this is a resumption attempt without SNI, block it
-    if (resumptionInfo.isResumption && !hasSNI && !resumptionInfo.hasSNI) {
-      if (this.smartProxy.settings.enableTlsDebugLogging) {
-        console.log(
-          `[${connectionId}] Session resumption detected without SNI and allowSessionTicket=false. ` +
-          `Terminating connection to force new TLS handshake.`
-        );
-      }
-      return { 
-        shouldBlock: true, 
-        reason: 'session_ticket_blocked' 
-      };
-    }
-    
-    return { shouldBlock: false };
-  }
-  
-  /**
+/**
   * Check for SNI mismatch during renegotiation
   */
  public checkRenegotiationSNI(