diff --git a/changelog.md b/changelog.md index 1dbda28..320c928 100644 --- a/changelog.md +++ b/changelog.md @@ -1,5 +1,12 @@ # Changelog +## 2025-03-15 - 4.1.4 - fix(ConnectionHandler) +Refactor ConnectionHandler code formatting for improved readability and consistency in log messages and whitespace handling + +- Standardized indentation and spacing in method signatures and log statements +- Aligned inline comments and string concatenations for clarity +- Minor refactoring of parameter formatting without changing functionality + ## 2025-03-15 - 4.1.3 - fix(connectionhandler) Improve handling of TLS ClientHello messages when allowSessionTicket is disabled and no SNI is provided by sending a warning alert (unrecognized_name, code 0x70) with a proper callback and delay to ensure the alert is transmitted before closing the connection. diff --git a/ts/00_commitinfo_data.ts b/ts/00_commitinfo_data.ts index dea6342..22f953f 100644 --- a/ts/00_commitinfo_data.ts +++ b/ts/00_commitinfo_data.ts @@ -3,6 +3,6 @@ */ export const commitinfo = { name: '@push.rocks/smartproxy', - version: '4.1.3', + version: '4.1.4', description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.' } diff --git a/ts/classes.pp.connectionhandler.ts b/ts/classes.pp.connectionhandler.ts index d5fa620..7065fd5 100644 --- a/ts/classes.pp.connectionhandler.ts +++ b/ts/classes.pp.connectionhandler.ts @@ -1,5 +1,9 @@ import * as plugins from './plugins.js'; -import type { IConnectionRecord, IDomainConfig, IPortProxySettings } from './classes.pp.interfaces.js'; +import type { + IConnectionRecord, + IDomainConfig, + IPortProxySettings, +} from './classes.pp.interfaces.js'; import { ConnectionManager } from './classes.pp.connectionmanager.js'; import { SecurityManager } from './classes.pp.securitymanager.js'; import { DomainConfigManager } from './classes.pp.domainconfigmanager.js'; @@ -73,8 +77,8 @@ export class ConnectionHandler { if (this.settings.enableDetailedLogging) { console.log( `[${connectionId}] New connection from ${remoteIP} on port ${localPort}. ` + - `Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` + - `Active connections: ${this.connectionManager.getConnectionCount()}` + `Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` + + `Active connections: ${this.connectionManager.getConnectionCount()}` ); } else { console.log( @@ -94,7 +98,10 @@ export class ConnectionHandler { /** * Handle a connection that should be forwarded to NetworkProxy */ - private handleNetworkProxyConnection(socket: plugins.net.Socket, record: IConnectionRecord): void { + private handleNetworkProxyConnection( + socket: plugins.net.Socket, + record: IConnectionRecord + ): void { const connectionId = record.id; let initialDataReceived = false; @@ -104,7 +111,7 @@ export class ConnectionHandler { console.log( `[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}` ); - + // Add a grace period instead of immediate termination setTimeout(() => { if (!initialDataReceived) { @@ -144,7 +151,7 @@ export class ConnectionHandler { if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) { console.log( `[${connectionId}] Non-TLS connection detected on port 443. ` + - `Terminating connection - only TLS traffic is allowed on standard HTTPS port.` + `Terminating connection - only TLS traffic is allowed on standard HTTPS port.` ); if (record.incomingTerminationReason === null) { record.incomingTerminationReason = 'non_tls_blocked'; @@ -159,8 +166,8 @@ export class ConnectionHandler { if (this.tlsManager.isTlsHandshake(chunk)) { record.isTLS = true; - // Check session tickets if they're disabled - if (this.settings.allowSessionTicket === false && this.tlsManager.isClientHello(chunk)) { + // Check for ClientHello to extract SNI - but don't enforce it for NetworkProxy + if (this.tlsManager.isClientHello(chunk)) { // Create connection info for SNI extraction const connInfo = { sourceIp: record.remoteIP, @@ -169,83 +176,46 @@ export class ConnectionHandler { destPort: socket.localPort || 0, }; - // Extract SNI for domain-specific NetworkProxy handling + // Extract SNI for domain-specific NetworkProxy handling if available const serverName = this.tlsManager.extractSNI(chunk, connInfo); - // If allowSessionTicket is false and we can't determine SNI, terminate the connection - if (!serverName) { - // Always block when allowSessionTicket is false and there's no SNI - console.log( - `[${connectionId}] No SNI detected in ClientHello and allowSessionTicket=false. ` + - `Terminating connection to force new TLS handshake with SNI.` - ); - - // Send a proper TLS alert before ending the connection - // Using "unrecognized_name" (112) alert which is a warning level alert (1) - // that encourages clients to retry with proper SNI - const alertData = Buffer.from([ - 0x15, // Alert record type - 0x03, 0x03, // TLS 1.2 version - 0x00, 0x02, // Length - 0x01, // Warning alert level (not fatal) - 0x70 // unrecognized_name alert (code 112) - ]); - - try { - socket.write(alertData, () => { - // Only close the socket after we're sure the alert was sent - // Give the alert time to be processed by the client - setTimeout(() => { - socket.end(); - - // Ensure complete cleanup happens a bit later - setTimeout(() => { - if (!socket.destroyed) { - socket.destroy(); - } - this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni'); - }, 100); - }, 100); - }); - } catch (err) { - // If we can't send the alert, fall back to immediate termination - socket.end(); - this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni'); - } - - if (record.incomingTerminationReason === null) { - record.incomingTerminationReason = 'session_ticket_blocked_no_sni'; - this.connectionManager.incrementTerminationStat('incoming', 'session_ticket_blocked_no_sni'); - } - - return; - } + // For NetworkProxy connections, we'll allow session tickets even without SNI + // We'll only use the serverName if available to determine the specific NetworkProxy port + if (serverName) { + // Save domain config and SNI in connection record + const domainConfig = this.domainConfigManager.findDomainConfig(serverName); + record.domainConfig = domainConfig; + record.lockedDomain = serverName; - // Save domain config and SNI in connection record - const domainConfig = this.domainConfigManager.findDomainConfig(serverName); - record.domainConfig = domainConfig; - record.lockedDomain = serverName; + // Use domain-specific NetworkProxy port if configured + if (domainConfig && this.domainConfigManager.shouldUseNetworkProxy(domainConfig)) { + const networkProxyPort = this.domainConfigManager.getNetworkProxyPort(domainConfig); - // Use domain-specific NetworkProxy port if configured - if (domainConfig && this.domainConfigManager.shouldUseNetworkProxy(domainConfig)) { - const networkProxyPort = this.domainConfigManager.getNetworkProxyPort(domainConfig); + if (this.settings.enableDetailedLogging) { + console.log( + `[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}` + ); + } - if (this.settings.enableDetailedLogging) { - console.log( - `[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}` + // Forward to NetworkProxy with domain-specific port + this.networkProxyBridge.forwardToNetworkProxy( + connectionId, + socket, + record, + chunk, + networkProxyPort, + (reason) => this.connectionManager.initiateCleanupOnce(record, reason) ); + return; } - - // Forward to NetworkProxy with domain-specific port - this.networkProxyBridge.forwardToNetworkProxy( - connectionId, - socket, - record, - chunk, - networkProxyPort, - (reason) => this.connectionManager.initiateCleanupOnce(record, reason) + } else if ( + this.settings.allowSessionTicket === false && + this.settings.enableDetailedLogging + ) { + // Log that we're allowing a session resumption without SNI for NetworkProxy + console.log( + `[${connectionId}] Allowing session resumption without SNI for NetworkProxy forwarding` ); - return; } } @@ -260,14 +230,10 @@ export class ConnectionHandler { ); } else { // If not TLS, use normal direct connection - console.log(`[${connectionId}] Non-TLS connection on NetworkProxy port ${record.localPort}`); - this.setupDirectConnection( - socket, - record, - undefined, - undefined, - chunk + console.log( + `[${connectionId}] Non-TLS connection on NetworkProxy port ${record.localPort}` ); + this.setupDirectConnection(socket, record, undefined, undefined, chunk); } }); } @@ -300,7 +266,7 @@ export class ConnectionHandler { console.log( `[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}` ); - + // Add a grace period instead of immediate termination setTimeout(() => { if (!initialDataReceived) { @@ -385,14 +351,13 @@ export class ConnectionHandler { record.domainConfig = domainConfig; // Check if this domain should use NetworkProxy (domain-specific setting) - if (domainConfig && - this.domainConfigManager.shouldUseNetworkProxy(domainConfig) && - this.networkProxyBridge.getNetworkProxy()) { - + if ( + domainConfig && + this.domainConfigManager.shouldUseNetworkProxy(domainConfig) && + this.networkProxyBridge.getNetworkProxy() + ) { if (this.settings.enableDetailedLogging) { - console.log( - `[${connectionId}] Domain ${serverName} is configured to use NetworkProxy` - ); + console.log(`[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`); } const networkProxyPort = this.domainConfigManager.getNetworkProxyPort(domainConfig); @@ -414,23 +379,24 @@ export class ConnectionHandler { // IP validation if (domainConfig) { const ipRules = this.domainConfigManager.getEffectiveIPRules(domainConfig); - + // Skip IP validation if allowedIPs is empty if ( domainConfig.allowedIPs.length > 0 && - !this.securityManager.isIPAuthorized(record.remoteIP, ipRules.allowedIPs, ipRules.blockedIPs) + !this.securityManager.isIPAuthorized( + record.remoteIP, + ipRules.allowedIPs, + ipRules.blockedIPs + ) ) { return rejectIncomingConnection( 'rejected', - `Connection rejected: IP ${record.remoteIP} not allowed for domain ${domainConfig.domains.join( - ', ' - )}` + `Connection rejected: IP ${ + record.remoteIP + } not allowed for domain ${domainConfig.domains.join(', ')}` ); } - } else if ( - this.settings.defaultAllowedIPs && - this.settings.defaultAllowedIPs.length > 0 - ) { + } else if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) { if ( !this.securityManager.isIPAuthorized( record.remoteIP, @@ -497,28 +463,36 @@ export class ConnectionHandler { } else { // Attempt to find a matching forced domain config based on the local port. const forcedDomain = this.domainConfigManager.findDomainConfigForPort(localPort); - + if (forcedDomain) { const ipRules = this.domainConfigManager.getEffectiveIPRules(forcedDomain); - - if (!this.securityManager.isIPAuthorized(record.remoteIP, ipRules.allowedIPs, ipRules.blockedIPs)) { + + if ( + !this.securityManager.isIPAuthorized( + record.remoteIP, + ipRules.allowedIPs, + ipRules.blockedIPs + ) + ) { console.log( - `[${connectionId}] Connection from ${record.remoteIP} rejected: IP not allowed for domain ${forcedDomain.domains.join( + `[${connectionId}] Connection from ${ + record.remoteIP + } rejected: IP not allowed for domain ${forcedDomain.domains.join( ', ' )} on port ${localPort}.` ); socket.end(); return; } - + if (this.settings.enableDetailedLogging) { console.log( - `[${connectionId}] Port-based connection from ${record.remoteIP} on port ${localPort} matched domain ${forcedDomain.domains.join( - ', ' - )}.` + `[${connectionId}] Port-based connection from ${ + record.remoteIP + } on port ${localPort} matched domain ${forcedDomain.domains.join(', ')}.` ); } - + setupConnection('', undefined, forcedDomain, localPort); return; } @@ -536,14 +510,14 @@ export class ConnectionHandler { clearTimeout(initialTimeout); initialTimeout = null; } - + initialDataReceived = true; - + // Block non-TLS connections on port 443 if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) { console.log( `[${connectionId}] Non-TLS connection detected on port 443 in SNI handler. ` + - `Terminating connection - only TLS traffic is allowed on standard HTTPS port.` + `Terminating connection - only TLS traffic is allowed on standard HTTPS port.` ); if (record.incomingTerminationReason === null) { record.incomingTerminationReason = 'non_tls_blocked'; @@ -576,42 +550,48 @@ export class ConnectionHandler { // Extract SNI serverName = this.tlsManager.extractSNI(chunk, connInfo) || ''; - + // If allowSessionTicket is false and this is a ClientHello with no SNI, terminate the connection - if (this.settings.allowSessionTicket === false && - this.tlsManager.isClientHello(chunk) && - !serverName) { - + if ( + this.settings.allowSessionTicket === false && + this.tlsManager.isClientHello(chunk) && + !serverName + ) { // Always block ClientHello without SNI when allowSessionTicket is false console.log( `[${connectionId}] No SNI detected in ClientHello and allowSessionTicket=false. ` + - `Terminating connection to force new TLS handshake with SNI.` + `Terminating connection to force new TLS handshake with SNI.` ); - + // Send a proper TLS alert before ending the connection - // Using "unrecognized_name" (112) alert which is a warning level alert (1) + // Using "unrecognized_name" (112) alert which is a warning level alert (1) // that encourages clients to retry with proper SNI const alertData = Buffer.from([ - 0x15, // Alert record type - 0x03, 0x03, // TLS 1.2 version - 0x00, 0x02, // Length - 0x01, // Warning alert level (not fatal) - 0x70 // unrecognized_name alert (code 112) + 0x15, // Alert record type + 0x03, + 0x03, // TLS 1.2 version + 0x00, + 0x02, // Length + 0x01, // Warning alert level (not fatal) + 0x70, // unrecognized_name alert (code 112) ]); - + try { socket.write(alertData, () => { // Only close the socket after we're sure the alert was sent // Give the alert time to be processed by the client setTimeout(() => { socket.end(); - + // Ensure complete cleanup happens a bit later setTimeout(() => { if (!socket.destroyed) { socket.destroy(); } - this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni'); + this.connectionManager.cleanupConnection( + record, + 'session_ticket_blocked_no_sni' + ); }, 100); }, 100); }); @@ -620,12 +600,15 @@ export class ConnectionHandler { socket.end(); this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni'); } - + if (record.incomingTerminationReason === null) { record.incomingTerminationReason = 'session_ticket_blocked_no_sni'; - this.connectionManager.incrementTerminationStat('incoming', 'session_ticket_blocked_no_sni'); + this.connectionManager.incrementTerminationStat( + 'incoming', + 'session_ticket_blocked_no_sni' + ); } - + return; } } @@ -674,23 +657,21 @@ export class ConnectionHandler { overridePort?: number ): void { const connectionId = record.id; - + // Determine target host - const targetHost = domainConfig - ? this.domainConfigManager.getTargetIP(domainConfig) + const targetHost = domainConfig + ? this.domainConfigManager.getTargetIP(domainConfig) : this.settings.targetIP!; - + // Determine target port - const targetPort = overridePort !== undefined - ? overridePort - : this.settings.toPort; - + const targetPort = overridePort !== undefined ? overridePort : this.settings.toPort; + // Setup connection options const connectionOptions: plugins.net.NetConnectOpts = { host: targetHost, port: targetPort, }; - + // Preserve source IP if configured if (this.settings.preserveSourceIP) { connectionOptions.localAddress = record.remoteIP.replace('::ffff:', ''); @@ -947,18 +928,20 @@ export class ConnectionHandler { // Process any remaining data in the queue before switching to piping processDataQueue(); - + // Set up piping immediately pipingEstablished = true; - + // Flush all pending data to target if (record.pendingData.length > 0) { const combinedData = Buffer.concat(record.pendingData); - + if (this.settings.enableDetailedLogging) { - console.log(`[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`); + console.log( + `[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target` + ); } - + // Write pending data immediately targetSocket.write(combinedData, (err) => { if (err) { @@ -966,19 +949,19 @@ export class ConnectionHandler { return this.connectionManager.initiateCleanupOnce(record, 'write_error'); } }); - + // Clear the buffer now that we've processed it record.pendingData = []; record.pendingDataSize = 0; } - + // Setup piping in both directions without any delays socket.pipe(targetSocket); targetSocket.pipe(socket); - + // Resume the socket to ensure data flows socket.resume(); - + // Process any data that might be queued in the interim if (dataQueue.length > 0) { // Write any remaining queued data directly to the target socket @@ -989,7 +972,7 @@ export class ConnectionHandler { dataQueue.length = 0; queueSize = 0; } - + if (this.settings.enableDetailedLogging) { console.log( `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` + @@ -1054,15 +1037,12 @@ export class ConnectionHandler { } // Set connection timeout - record.cleanupTimer = this.timeoutManager.setupConnectionTimeout( - record, - (record, reason) => { - console.log( - `[${connectionId}] Connection from ${record.remoteIP} exceeded max lifetime, forcing cleanup.` - ); - this.connectionManager.initiateCleanupOnce(record, reason); - } - ); + record.cleanupTimer = this.timeoutManager.setupConnectionTimeout(record, (record, reason) => { + console.log( + `[${connectionId}] Connection from ${record.remoteIP} exceeded max lifetime, forcing cleanup.` + ); + this.connectionManager.initiateCleanupOnce(record, reason); + }); // Mark TLS handshake as complete for TLS connections if (record.isTLS) { @@ -1076,4 +1056,4 @@ export class ConnectionHandler { } }); } -} \ No newline at end of file +}