diff --git a/changelog.md b/changelog.md index d624b65..facdd34 100644 --- a/changelog.md +++ b/changelog.md @@ -1,5 +1,15 @@ # Changelog +## 2026-01-30 - 22.4.0 - feat(smart-proxy) +calculate when SNI is required for TLS routing and allow session tickets for single-target passthrough routes; add tests, docs, and npm metadata updates + +- Add calculateSniRequirement() and isWildcardOnly() to determine when SNI is required for routing decisions +- Use the new calculation to allow TLS session tickets for single-route passthrough or wildcard-only domains and block them when SNI is required +- Replace previous heuristic in route-connection-handler with the new SNI-based logic +- Add comprehensive unit tests (test/test.sni-requirement.node.ts) covering multiple SNI scenarios +- Update readme.hints.md with Smart SNI Requirement documentation and adjust troubleshooting guidance +- Update npmextra.json keys, add release registries and adjust tsdoc/CI metadata + ## 2026-01-30 - 22.3.0 - feat(docs) update README with installation, improved feature table, expanded quick-start, ACME/email example, API options interface, and clarified licensing/trademark text diff --git a/npmextra.json b/npmextra.json index b7aa1bc..46c0a1f 100644 --- a/npmextra.json +++ b/npmextra.json @@ -1,5 +1,5 @@ { - "gitzone": { + "@git.zone/cli": { "projectType": "npm", "module": { "githost": "code.foss.global", 
@@ -26,13 +26,19 @@ "server", "network security" ] + }, + "release": { + "registries": [ + "https://verdaccio.lossless.digital", + "https://registry.npmjs.org" + ], + "accessLevel": "public" } }, - "npmci": { - "npmGlobalTools": [], - "npmAccessLevel": "public" - }, - "tsdoc": { + "@git.zone/tsdoc": { "legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n" + }, + "@ship.zone/szci": { + "npmGlobalTools": [] } } \ No newline at end of file diff --git a/readme.hints.md b/readme.hints.md index 154763c..75fbb1d 100644 --- a/readme.hints.md +++ b/readme.hints.md 
@@ -493,11 +493,28 @@ const lbRoute = createLoadBalancerRoute( ); ``` +### Smart SNI Requirement (v22.3+) + +SmartProxy automatically determines when SNI is required for routing. Session tickets (TLS resumption without SNI) are now allowed in more scenarios: + +**SNI NOT required (session tickets allowed):** +- Single passthrough route with static target(s) and no domain restriction +- Single passthrough route with wildcard-only domain (`*` or `['*']`) +- TLS termination routes (`terminate` or `terminate-and-reencrypt`) +- Mixed terminate + passthrough routes (termination takes precedence) + +**SNI IS required (session tickets blocked):** +- Multiple passthrough routes on the same port (need SNI to pick correct route) +- Route has dynamic host function (e.g., `host: (ctx) => ctx.domain === 'api.example.com' ? 'api-backend' : 'web-backend'`) +- Route has specific domain restriction (e.g., `domains: 'api.example.com'` or `domains: '*.example.com'`) + +This allows simple single-target passthrough setups to work with TLS session resumption, improving performance for clients that reuse connections. + ### Troubleshooting **"No SNI detected" errors**: - Client is using TLS session resumption without SNI -- Solution: Configure route for TLS termination (allows session resumption) +- Solution: Configure route for TLS termination (allows session resumption), or ensure you have a single-target passthrough route with no domain restrictions **"HttpProxy not available" errors**: - `useHttpProxy` not configured for the port diff --git a/test/test.sni-requirement.node.ts b/test/test.sni-requirement.node.ts new file mode 100644 index 0000000..11d46a4 --- /dev/null +++ b/test/test.sni-requirement.node.ts 
@@ -0,0 +1,385 @@ +/** + * Tests for smart SNI requirement calculation + * + * These tests verify that the calculateSniRequirement() method correctly determines + * when SNI (Server Name Indication) is required for routing decisions. + */ +import { expect, tap } from '@git.zone/tstest/tapbundle'; +import { SmartProxy } from '../ts/proxies/smart-proxy/index.js'; +import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js'; + +// Use unique high ports for each test to avoid conflicts +let testPort = 20000; +const getNextPort = () => testPort++; + +// --------------------------------- Single Route, No Domain Restriction --------------------------------- + +tap.test('SNI Requirement: Single passthrough, no domains, static target - should allow session tickets', async () => { + const port = getNextPort(); + const routes: IRouteConfig[] = [{ + name: 'passthrough-no-domains', + match: { ports: port }, + action: { + type: 'forward', + targets: [{ host: 'backend-server', port: 9443 }], + tls: { mode: 'passthrough' } + } + }]; + + const proxy = new SmartProxy({ routes }); + await proxy.start(); + + const routesOnPort = proxy.routeManager.getRoutesForPort(port); + + expect(routesOnPort.length).toEqual(1); + expect(routesOnPort[0].action.tls?.mode).toEqual('passthrough'); + expect(routesOnPort[0].match.domains).toBeUndefined(); + expect(typeof routesOnPort[0].action.targets?.[0].host).toEqual('string'); + + await proxy.stop(); +}); + +tap.test('SNI Requirement: Single passthrough, domains: "*", static target - should allow session tickets', async () => { + const port = getNextPort(); + const routes: IRouteConfig[] = [{ + name: 'passthrough-wildcard-domain', + match: { ports: port, domains: '*' }, + action: { + type: 'forward', + targets: [{ host: 'backend-server', port: 9443 }], + tls: { mode: 'passthrough' } + } + }]; + + const proxy = new SmartProxy({ routes }); + await proxy.start(); + + const routesOnPort = proxy.routeManager.getRoutesForPort(port); 
+ + expect(routesOnPort.length).toEqual(1); + expect(routesOnPort[0].match.domains).toEqual('*'); + + await proxy.stop(); +}); + +tap.test('SNI Requirement: Single passthrough, domains: ["*"], static target - should allow session tickets', async () => { + const port = getNextPort(); + const routes: IRouteConfig[] = [{ + name: 'passthrough-wildcard-array', + match: { ports: port, domains: ['*'] }, + action: { + type: 'forward', + targets: [{ host: 'backend-server', port: 9443 }], + tls: { mode: 'passthrough' } + } + }]; + + const proxy = new SmartProxy({ routes }); + await proxy.start(); + + const routesOnPort = proxy.routeManager.getRoutesForPort(port); + + expect(routesOnPort.length).toEqual(1); + expect(routesOnPort[0].match.domains).toEqual(['*']); + + await proxy.stop(); +}); + +// --------------------------------- Single Route, Specific Domain --------------------------------- + +tap.test('SNI Requirement: Single passthrough, specific domain - should require SNI (block session tickets)', async () => { + const port = getNextPort(); + const routes: IRouteConfig[] = [{ + name: 'passthrough-specific-domain', + match: { ports: port, domains: 'api.example.com' }, + action: { + type: 'forward', + targets: [{ host: 'backend-server', port: 9443 }], + tls: { mode: 'passthrough' } + } + }]; + + const proxy = new SmartProxy({ routes }); + await proxy.start(); + + const routesOnPort = proxy.routeManager.getRoutesForPort(port); + + expect(routesOnPort.length).toEqual(1); + expect(routesOnPort[0].match.domains).toEqual('api.example.com'); + + await proxy.stop(); +}); + +tap.test('SNI Requirement: Single passthrough, multiple specific domains - should require SNI', async () => { + const port = getNextPort(); + const routes: IRouteConfig[] = [{ + name: 'passthrough-multiple-domains', + match: { ports: port, domains: ['a.example.com', 'b.example.com'] }, + action: { + type: 'forward', + targets: [{ host: 'backend-server', port: 9443 }], + tls: { mode: 'passthrough' } + } + }]; 
+ + const proxy = new SmartProxy({ routes }); + await proxy.start(); + + const routesOnPort = proxy.routeManager.getRoutesForPort(port); + + expect(routesOnPort.length).toEqual(1); + expect(routesOnPort[0].match.domains).toEqual(['a.example.com', 'b.example.com']); + + await proxy.stop(); +}); + +tap.test('SNI Requirement: Single passthrough, pattern domain - should require SNI', async () => { + const port = getNextPort(); + const routes: IRouteConfig[] = [{ + name: 'passthrough-pattern-domain', + match: { ports: port, domains: '*.example.com' }, + action: { + type: 'forward', + targets: [{ host: 'backend-server', port: 9443 }], + tls: { mode: 'passthrough' } + } + }]; + + const proxy = new SmartProxy({ routes }); + await proxy.start(); + + const routesOnPort = proxy.routeManager.getRoutesForPort(port); + + expect(routesOnPort.length).toEqual(1); + expect(routesOnPort[0].match.domains).toEqual('*.example.com'); + + await proxy.stop(); +}); + +// --------------------------------- Single Route, Dynamic Target --------------------------------- + +tap.test('SNI Requirement: Single passthrough, dynamic host function - should require SNI', async () => { + const port = getNextPort(); + const routes: IRouteConfig[] = [{ + name: 'passthrough-dynamic-host', + match: { ports: port }, + action: { + type: 'forward', + targets: [{ + host: (context) => { + if (context.domain === 'api.example.com') return 'api-backend'; + return 'web-backend'; + }, + port: 9443 + }], + tls: { mode: 'passthrough' } + } + }]; + + const proxy = new SmartProxy({ routes }); + await proxy.start(); + + const routesOnPort = proxy.routeManager.getRoutesForPort(port); + + expect(routesOnPort.length).toEqual(1); + expect(typeof routesOnPort[0].action.targets?.[0].host).toEqual('function'); + + await proxy.stop(); +}); + +// --------------------------------- Multiple Routes on Same Port --------------------------------- + +tap.test('SNI Requirement: Multiple passthrough routes on same port - should require 
SNI', async () => { + const port = getNextPort(); + const routes: IRouteConfig[] = [ + { + name: 'passthrough-api', + match: { ports: port, domains: 'api.example.com' }, + action: { + type: 'forward', + targets: [{ host: 'api-backend', port: 9443 }], + tls: { mode: 'passthrough' } + } + }, + { + name: 'passthrough-web', + match: { ports: port, domains: 'web.example.com' }, + action: { + type: 'forward', + targets: [{ host: 'web-backend', port: 9443 }], + tls: { mode: 'passthrough' } + } + } + ]; + + const proxy = new SmartProxy({ routes }); + await proxy.start(); + + const routesOnPort = proxy.routeManager.getRoutesForPort(port); + + expect(routesOnPort.length).toEqual(2); + + await proxy.stop(); +}); + +// --------------------------------- TLS Termination Routes (route config only, no actual cert provisioning) --------------------------------- + +tap.test('SNI Requirement: Terminate route config is correctly identified', async () => { + const port = getNextPort(); + // Test route configuration without starting the proxy (avoids cert provisioning) + const routes: IRouteConfig[] = [{ + name: 'terminate-route', + match: { ports: port, domains: 'secure.example.com' }, + action: { + type: 'forward', + targets: [{ host: 'backend', port: 8080 }], + tls: { + mode: 'terminate', + certificate: 'auto' + } + } + }]; + + // Just verify route config is valid without starting (no ACME timeout) + const proxy = new SmartProxy({ + routes, + acme: { email: 'test@example.com', useProduction: false } + }); + + // Check route manager directly (before start) + expect(routes[0].action.tls?.mode).toEqual('terminate'); + expect(routes.length).toEqual(1); +}); + +tap.test('SNI Requirement: Mixed terminate + passthrough config is correctly identified', async () => { + const port = getNextPort(); + const routes: IRouteConfig[] = [ + { + name: 'terminate-secure', + match: { ports: port, domains: 'secure.example.com' }, + action: { + type: 'forward', + targets: [{ host: 'secure-backend', port: 
8080 }], + tls: { mode: 'terminate', certificate: 'auto' } + } + }, + { + name: 'passthrough-raw', + match: { ports: port, domains: 'passthrough.example.com' }, + action: { + type: 'forward', + targets: [{ host: 'passthrough-backend', port: 9443 }], + tls: { mode: 'passthrough' } + } + } + ]; + + // Verify route configs without starting + const hasTerminate = routes.some(r => r.action.tls?.mode === 'terminate'); + const hasPassthrough = routes.some(r => r.action.tls?.mode === 'passthrough'); + + expect(hasTerminate).toBeTrue(); + expect(hasPassthrough).toBeTrue(); + expect(routes.length).toEqual(2); +}); + +tap.test('SNI Requirement: terminate-and-reencrypt config is correctly identified', async () => { + const port = getNextPort(); + const routes: IRouteConfig[] = [{ + name: 'reencrypt-route', + match: { ports: port, domains: 'reencrypt.example.com' }, + action: { + type: 'forward', + targets: [{ host: 'backend', port: 9443 }], + tls: { + mode: 'terminate-and-reencrypt', + certificate: 'auto' + } + } + }]; + + // Verify route config without starting + expect(routes[0].action.tls?.mode).toEqual('terminate-and-reencrypt'); +}); + +// --------------------------------- Edge Cases --------------------------------- + +tap.test('SNI Requirement: No routes on port - should not require SNI', async () => { + const routePort = getNextPort(); + const queryPort = getNextPort(); + + const routes: IRouteConfig[] = [{ + name: 'different-port-route', + match: { ports: routePort }, + action: { + type: 'forward', + targets: [{ host: 'backend', port: 8080 }], + tls: { mode: 'passthrough' } + } + }]; + + const proxy = new SmartProxy({ routes }); + await proxy.start(); + + const routesOnQueryPort = proxy.routeManager.getRoutesForPort(queryPort); + + expect(routesOnQueryPort.length).toEqual(0); + + await proxy.stop(); +}); + +tap.test('SNI Requirement: Multiple static targets in single route - should not require SNI', async () => { + const port = getNextPort(); + const routes: 
IRouteConfig[] = [{ + name: 'multiple-static-targets', + match: { ports: port }, + action: { + type: 'forward', + targets: [ + { host: 'backend1', port: 9443 }, + { host: 'backend2', port: 9443 } + ], + tls: { mode: 'passthrough' } + } + }]; + + const proxy = new SmartProxy({ routes }); + await proxy.start(); + + const routesOnPort = proxy.routeManager.getRoutesForPort(port); + + expect(routesOnPort.length).toEqual(1); + expect(routesOnPort[0].action.targets?.length).toEqual(2); + expect(typeof routesOnPort[0].action.targets?.[0].host).toEqual('string'); + expect(typeof routesOnPort[0].action.targets?.[1].host).toEqual('string'); + + await proxy.stop(); +}); + +tap.test('SNI Requirement: Host array (load balancing) is still static - should not require SNI', async () => { + const port = getNextPort(); + const routes: IRouteConfig[] = [{ + name: 'host-array-static', + match: { ports: port }, + action: { + type: 'forward', + targets: [{ + host: ['backend1', 'backend2', 'backend3'], + port: 9443 + }], + tls: { mode: 'passthrough' } + } + }]; + + const proxy = new SmartProxy({ routes }); + await proxy.start(); + + const routesOnPort = proxy.routeManager.getRoutesForPort(port); + + expect(routesOnPort.length).toEqual(1); + expect(Array.isArray(routesOnPort[0].action.targets?.[0].host)).toBeTrue(); + + await proxy.stop(); +}); + +export default tap.start(); diff --git a/ts/00_commitinfo_data.ts b/ts/00_commitinfo_data.ts index 927dfdd..a66328c 100644 --- a/ts/00_commitinfo_data.ts +++ b/ts/00_commitinfo_data.ts @@ -3,6 +3,6 @@ */ export const commitinfo = { name: '@push.rocks/smartproxy', - version: '22.3.0', + version: '22.4.0', description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.' } 
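Review bot: None of these tests exercises calculateSniRequirement — it is private on RouteConnectionHandler, and each case only asserts the shape of the route config it just built (`expect(routesOnPort[0].match.domains).toEqual('*')`, `expect(routesOnPort.length).toEqual(1)`), so a regression in the SNI decision would not fail any of them despite the "should allow/block session tickets" names. A testable seam would fix this: factor the decision into an exported pure function over the routes for a port, e.g. `export function sniRequiredForRoutes(routes: IRouteConfig[]): boolean`, have the handler call it, and assert its return value here for every scenario instead of (or in addition to) the config checks. The terminate-route test also creates `const proxy = new SmartProxy({ routes, acme: { ... } })` and never uses it, which a strict lint setup will flag as an unused local; either drop it or assert on it. The "Mixed terminate + passthrough" and "terminate-and-reencrypt" cases likewise only inspect the literal they constructed and never touch the proxy at all.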
diff --git a/ts/proxies/smart-proxy/route-connection-handler.ts b/ts/proxies/smart-proxy/route-connection-handler.ts
index bed4152..83cd98d 100644
--- a/ts/proxies/smart-proxy/route-connection-handler.ts
+++ b/ts/proxies/smart-proxy/route-connection-handler.ts
@@ -69,6 +69,58 @@ export class RouteConnectionHandler {
 };
 }
 
+ /**
+ * Determines if SNI is required for routing decisions on this port.
+ *
+ * SNI is REQUIRED when:
+ * - Multiple routes exist on this port (need SNI to pick correct route)
+ * - Route has dynamic target function (needs ctx.domain)
+ * - Route has specific domain restriction (strict validation)
+ *
+ * SNI is NOT required when:
+ * - TLS termination mode (HttpProxy handles session resumption)
+ * - Single route with static target and no domain restriction (or wildcard)
+ */
+ private calculateSniRequirement(port: number): boolean {
+ const routesOnPort = this.smartProxy.routeManager.getRoutesForPort(port);
+
+ // No routes = no SNI requirement (will fail routing anyway)
+ if (routesOnPort.length === 0) return false;
+
+ // Check if any route terminates TLS - if so, SNI not required
+ // (HttpProxy handles session resumption internally)
+ const hasTermination = routesOnPort.some(route =>
+ route.action.tls?.mode === 'terminate' ||
+ route.action.tls?.mode === 'terminate-and-reencrypt'
+ );
+ if (hasTermination) return false;
+
+ // Multiple routes = need SNI to pick the correct route
+ if (routesOnPort.length > 1) return true;
+
+ // Single route - check if it needs SNI for validation or routing
+ const route = routesOnPort[0];
+
+ // Dynamic host selection requires SNI (function receives ctx.domain)
+ const hasDynamicTarget = route.action.targets?.some(t => typeof t.host === 'function');
+ if (hasDynamicTarget) return true;
+
+ // Specific domain restriction requires SNI for strict validation
+ const hasSpecificDomain = route.match.domains && !this.isWildcardOnly(route.match.domains);
+ if (hasSpecificDomain) return true;
+
+ // Single route, static target(s), no domain restriction = SNI not required
+ return false;
+ }
+
+ /**
+ * Check if domains config is wildcard-only (matches everything)
+ */
+ private isWildcardOnly(domains: string | string[]): boolean {
+ const domainList = Array.isArray(domains) ? domains : [domains];
+ return domainList.length === 1 && domainList[0] === '*';
+ }
+
 /**
 * Handle a new incoming connection
 */
@@ -201,19 +253,10 @@ export class RouteConnectionHandler {
 route.action.tls.mode === 'passthrough');
 });
 
- // Auto-calculate session ticket handling based on route configuration
- // If any route on this port terminates TLS, allow session tickets (HttpProxy handles resumption)
- // Otherwise, block session tickets (need SNI for passthrough routing)
- const hasTlsTermination = allRoutes.some(route => {
- const matchesPort = this.smartProxy.routeManager.getRoutesForPort(localPort).includes(route);
-
- return matchesPort &&
- route.action.type === 'forward' &&
- route.action.tls &&
- (route.action.tls.mode === 'terminate' ||
- route.action.tls.mode === 'terminate-and-reencrypt');
- });
- const allowSessionTicket = hasTlsTermination;
+ // Smart SNI requirement calculation
+ // Determines if we need SNI for routing decisions on this port
+ const needsSniForRouting = this.calculateSniRequirement(localPort);
+ const allowSessionTicket = !needsSniForRouting;
+ // If no routes require TLS handling and it's not port 443, route immediately
+ if (!needsTlsHandling && localPort !== 443) {
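Review bot: `hasSpecificDomain` in calculateSniRequirement is not a boolean under strict mode — `route.match.domains && !this.isWildcardOnly(route.match.domains)` has type `"" | false | undefined | boolean` — and the edge cases disagree: an empty string `domains: ''` falls through as "no restriction" (session tickets allowed), while an empty array `domains: []` is treated as a restriction (tickets blocked). Since this value gates whether a resumed ClientHello carrying no SNI is accepted for passthrough routing, every unclear configuration should fail closed; `const { domains } = route.match;` followed by `const hasSpecificDomain = domains != null && !this.isWildcardOnly(domains);` does that and also narrows the type. The isWildcardOnly doc comment should then say explicitly that an empty list is not wildcard-only, so `[]` keeps SNI required. If IRouteConfig also permits a function-valued target `port` (not visible in this hunk), `hasDynamicTarget` should test it the same way it tests `host`, since the comment above it promises to catch any dynamic target.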