push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ConnectionHandler): Refactor ConnectionHandler code formatting for improved readability and consistency in log messages and whitespace handling

Browse Source
This commit is contained in:
Philipp Kunz 2025-03-15 19:10:54 +00:00
parent 794e1292e5
commit cad0e6a2b2
3 changed files with 149 additions and 162 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
changelog.md
View File

@ -1,5 +1,12 @@
# Changelog # Changelog
## 2025-03-15 - 4.1.4 - fix(ConnectionHandler)
Refactor ConnectionHandler code formatting for improved readability and consistency in log messages and whitespace handling
- Standardized indentation and spacing in method signatures and log statements
- Aligned inline comments and string concatenations for clarity
- Minor refactoring of parameter formatting without changing functionality
## 2025-03-15 - 4.1.3 - fix(connectionhandler) ## 2025-03-15 - 4.1.3 - fix(connectionhandler)
Improve handling of TLS ClientHello messages when allowSessionTicket is disabled and no SNI is provided by sending a warning alert (unrecognized_name, code 0x70) with a proper callback and delay to ensure the alert is transmitted before closing the connection. Improve handling of TLS ClientHello messages when allowSessionTicket is disabled and no SNI is provided by sending a warning alert (unrecognized_name, code 0x70) with a proper callback and delay to ensure the alert is transmitted before closing the connection.

2
ts/00_commitinfo_data.ts
View File

@ -3,6 +3,6 @@
*/ */
export const commitinfo = { export const commitinfo = {
name: '@push.rocks/smartproxy', name: '@push.rocks/smartproxy',
version: '4.1.3', version: '4.1.4',
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.' description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
} }

302
ts/classes.pp.connectionhandler.ts
View File

@ -1,5 +1,9 @@
import * as plugins from './plugins.js'; import * as plugins from './plugins.js';
import type { IConnectionRecord, IDomainConfig, IPortProxySettings } from './classes.pp.interfaces.js'; import type {
IConnectionRecord,
IDomainConfig,
IPortProxySettings,
} from './classes.pp.interfaces.js';
import { ConnectionManager } from './classes.pp.connectionmanager.js'; import { ConnectionManager } from './classes.pp.connectionmanager.js';
import { SecurityManager } from './classes.pp.securitymanager.js'; import { SecurityManager } from './classes.pp.securitymanager.js';
import { DomainConfigManager } from './classes.pp.domainconfigmanager.js'; import { DomainConfigManager } from './classes.pp.domainconfigmanager.js';
@ -73,8 +77,8 @@ export class ConnectionHandler {
if (this.settings.enableDetailedLogging) { if (this.settings.enableDetailedLogging) {
console.log( console.log(
`[${connectionId}] New connection from ${remoteIP} on port ${localPort}. ` + `[${connectionId}] New connection from ${remoteIP} on port ${localPort}. ` +
`Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` + `Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` +
`Active connections: ${this.connectionManager.getConnectionCount()}` `Active connections: ${this.connectionManager.getConnectionCount()}`
); );
} else { } else {
console.log( console.log(
@ -94,7 +98,10 @@ export class ConnectionHandler {
/** /**
* Handle a connection that should be forwarded to NetworkProxy * Handle a connection that should be forwarded to NetworkProxy
*/ */
private handleNetworkProxyConnection(socket: plugins.net.Socket, record: IConnectionRecord): void { private handleNetworkProxyConnection(
socket: plugins.net.Socket,
record: IConnectionRecord
): void {
const connectionId = record.id; const connectionId = record.id;
let initialDataReceived = false; let initialDataReceived = false;
@ -104,7 +111,7 @@ export class ConnectionHandler {
console.log( console.log(
`[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}` `[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}`
); );
// Add a grace period instead of immediate termination // Add a grace period instead of immediate termination
setTimeout(() => { setTimeout(() => {
if (!initialDataReceived) { if (!initialDataReceived) {
@ -144,7 +151,7 @@ export class ConnectionHandler {
if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) { if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) {
console.log( console.log(
`[${connectionId}] Non-TLS connection detected on port 443. ` + `[${connectionId}] Non-TLS connection detected on port 443. ` +
`Terminating connection - only TLS traffic is allowed on standard HTTPS port.` `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
); );
if (record.incomingTerminationReason === null) { if (record.incomingTerminationReason === null) {
record.incomingTerminationReason = 'non_tls_blocked'; record.incomingTerminationReason = 'non_tls_blocked';
@ -159,8 +166,8 @@ export class ConnectionHandler {
if (this.tlsManager.isTlsHandshake(chunk)) { if (this.tlsManager.isTlsHandshake(chunk)) {
record.isTLS = true; record.isTLS = true;
// Check session tickets if they're disabled // Check for ClientHello to extract SNI - but don't enforce it for NetworkProxy
if (this.settings.allowSessionTicket === false && this.tlsManager.isClientHello(chunk)) { if (this.tlsManager.isClientHello(chunk)) {
// Create connection info for SNI extraction // Create connection info for SNI extraction
const connInfo = { const connInfo = {
sourceIp: record.remoteIP, sourceIp: record.remoteIP,
@ -169,83 +176,46 @@ export class ConnectionHandler {
destPort: socket.localPort || 0, destPort: socket.localPort || 0,
}; };
// Extract SNI for domain-specific NetworkProxy handling // Extract SNI for domain-specific NetworkProxy handling if available
const serverName = this.tlsManager.extractSNI(chunk, connInfo); const serverName = this.tlsManager.extractSNI(chunk, connInfo);
// If allowSessionTicket is false and we can't determine SNI, terminate the connection // For NetworkProxy connections, we'll allow session tickets even without SNI
if (!serverName) { // We'll only use the serverName if available to determine the specific NetworkProxy port
// Always block when allowSessionTicket is false and there's no SNI if (serverName) {
console.log( // Save domain config and SNI in connection record
`[${connectionId}] No SNI detected in ClientHello and allowSessionTicket=false. ` + const domainConfig = this.domainConfigManager.findDomainConfig(serverName);
`Terminating connection to force new TLS handshake with SNI.` record.domainConfig = domainConfig;
); record.lockedDomain = serverName;
// Send a proper TLS alert before ending the connection
// Using "unrecognized_name" (112) alert which is a warning level alert (1)
// that encourages clients to retry with proper SNI
const alertData = Buffer.from([
0x15, // Alert record type
0x03, 0x03, // TLS 1.2 version
0x00, 0x02, // Length
0x01, // Warning alert level (not fatal)
0x70 // unrecognized_name alert (code 112)
]);
try {
socket.write(alertData, () => {
// Only close the socket after we're sure the alert was sent
// Give the alert time to be processed by the client
setTimeout(() => {
socket.end();
// Ensure complete cleanup happens a bit later
setTimeout(() => {
if (!socket.destroyed) {
socket.destroy();
}
this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
}, 100);
}, 100);
});
} catch (err) {
// If we can't send the alert, fall back to immediate termination
socket.end();
this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
}
if (record.incomingTerminationReason === null) {
record.incomingTerminationReason = 'session_ticket_blocked_no_sni';
this.connectionManager.incrementTerminationStat('incoming', 'session_ticket_blocked_no_sni');
}
return;
}
// Save domain config and SNI in connection record // Use domain-specific NetworkProxy port if configured
const domainConfig = this.domainConfigManager.findDomainConfig(serverName); if (domainConfig && this.domainConfigManager.shouldUseNetworkProxy(domainConfig)) {
record.domainConfig = domainConfig; const networkProxyPort = this.domainConfigManager.getNetworkProxyPort(domainConfig);
record.lockedDomain = serverName;
// Use domain-specific NetworkProxy port if configured if (this.settings.enableDetailedLogging) {
if (domainConfig && this.domainConfigManager.shouldUseNetworkProxy(domainConfig)) { console.log(
const networkProxyPort = this.domainConfigManager.getNetworkProxyPort(domainConfig); `[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}`
);
}
if (this.settings.enableDetailedLogging) { // Forward to NetworkProxy with domain-specific port
console.log( this.networkProxyBridge.forwardToNetworkProxy(
`[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}` connectionId,
socket,
record,
chunk,
networkProxyPort,
(reason) => this.connectionManager.initiateCleanupOnce(record, reason)
); );
return;
} }
} else if (
// Forward to NetworkProxy with domain-specific port this.settings.allowSessionTicket === false &&
this.networkProxyBridge.forwardToNetworkProxy( this.settings.enableDetailedLogging
connectionId, ) {
socket, // Log that we're allowing a session resumption without SNI for NetworkProxy
record, console.log(
chunk, `[${connectionId}] Allowing session resumption without SNI for NetworkProxy forwarding`
networkProxyPort,
(reason) => this.connectionManager.initiateCleanupOnce(record, reason)
); );
return;
} }
} }
@ -260,14 +230,10 @@ export class ConnectionHandler {
); );
} else { } else {
// If not TLS, use normal direct connection // If not TLS, use normal direct connection
console.log(`[${connectionId}] Non-TLS connection on NetworkProxy port ${record.localPort}`); console.log(
this.setupDirectConnection( `[${connectionId}] Non-TLS connection on NetworkProxy port ${record.localPort}`
socket,
record,
undefined,
undefined,
chunk
); );
this.setupDirectConnection(socket, record, undefined, undefined, chunk);
} }
}); });
} }
@ -300,7 +266,7 @@ export class ConnectionHandler {
console.log( console.log(
`[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}` `[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}`
); );
// Add a grace period instead of immediate termination // Add a grace period instead of immediate termination
setTimeout(() => { setTimeout(() => {
if (!initialDataReceived) { if (!initialDataReceived) {
@ -385,14 +351,13 @@ export class ConnectionHandler {
record.domainConfig = domainConfig; record.domainConfig = domainConfig;
// Check if this domain should use NetworkProxy (domain-specific setting) // Check if this domain should use NetworkProxy (domain-specific setting)
if (domainConfig && if (
this.domainConfigManager.shouldUseNetworkProxy(domainConfig) && domainConfig &&
this.networkProxyBridge.getNetworkProxy()) { this.domainConfigManager.shouldUseNetworkProxy(domainConfig) &&
this.networkProxyBridge.getNetworkProxy()
) {
if (this.settings.enableDetailedLogging) { if (this.settings.enableDetailedLogging) {
console.log( console.log(`[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`);
`[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`
);
} }
const networkProxyPort = this.domainConfigManager.getNetworkProxyPort(domainConfig); const networkProxyPort = this.domainConfigManager.getNetworkProxyPort(domainConfig);
@ -414,23 +379,24 @@ export class ConnectionHandler {
// IP validation // IP validation
if (domainConfig) { if (domainConfig) {
const ipRules = this.domainConfigManager.getEffectiveIPRules(domainConfig); const ipRules = this.domainConfigManager.getEffectiveIPRules(domainConfig);
// Skip IP validation if allowedIPs is empty // Skip IP validation if allowedIPs is empty
if ( if (
domainConfig.allowedIPs.length > 0 && domainConfig.allowedIPs.length > 0 &&
!this.securityManager.isIPAuthorized(record.remoteIP, ipRules.allowedIPs, ipRules.blockedIPs) !this.securityManager.isIPAuthorized(
record.remoteIP,
ipRules.allowedIPs,
ipRules.blockedIPs
)
) { ) {
return rejectIncomingConnection( return rejectIncomingConnection(
'rejected', 'rejected',
`Connection rejected: IP ${record.remoteIP} not allowed for domain ${domainConfig.domains.join( `Connection rejected: IP ${
', ' record.remoteIP
)}` } not allowed for domain ${domainConfig.domains.join(', ')}`
); );
} }
} else if ( } else if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
this.settings.defaultAllowedIPs &&
this.settings.defaultAllowedIPs.length > 0
) {
if ( if (
!this.securityManager.isIPAuthorized( !this.securityManager.isIPAuthorized(
record.remoteIP, record.remoteIP,
@ -497,28 +463,36 @@ export class ConnectionHandler {
} else { } else {
// Attempt to find a matching forced domain config based on the local port. // Attempt to find a matching forced domain config based on the local port.
const forcedDomain = this.domainConfigManager.findDomainConfigForPort(localPort); const forcedDomain = this.domainConfigManager.findDomainConfigForPort(localPort);
if (forcedDomain) { if (forcedDomain) {
const ipRules = this.domainConfigManager.getEffectiveIPRules(forcedDomain); const ipRules = this.domainConfigManager.getEffectiveIPRules(forcedDomain);
if (!this.securityManager.isIPAuthorized(record.remoteIP, ipRules.allowedIPs, ipRules.blockedIPs)) { if (
!this.securityManager.isIPAuthorized(
record.remoteIP,
ipRules.allowedIPs,
ipRules.blockedIPs
)
) {
console.log( console.log(
`[${connectionId}] Connection from ${record.remoteIP} rejected: IP not allowed for domain ${forcedDomain.domains.join( `[${connectionId}] Connection from ${
record.remoteIP
} rejected: IP not allowed for domain ${forcedDomain.domains.join(
', ' ', '
)} on port ${localPort}.` )} on port ${localPort}.`
); );
socket.end(); socket.end();
return; return;
} }
if (this.settings.enableDetailedLogging) { if (this.settings.enableDetailedLogging) {
console.log( console.log(
`[${connectionId}] Port-based connection from ${record.remoteIP} on port ${localPort} matched domain ${forcedDomain.domains.join( `[${connectionId}] Port-based connection from ${
', ' record.remoteIP
)}.` } on port ${localPort} matched domain ${forcedDomain.domains.join(', ')}.`
); );
} }
setupConnection('', undefined, forcedDomain, localPort); setupConnection('', undefined, forcedDomain, localPort);
return; return;
} }
@ -536,14 +510,14 @@ export class ConnectionHandler {
clearTimeout(initialTimeout); clearTimeout(initialTimeout);
initialTimeout = null; initialTimeout = null;
} }
initialDataReceived = true; initialDataReceived = true;
// Block non-TLS connections on port 443 // Block non-TLS connections on port 443
if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) { if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) {
console.log( console.log(
`[${connectionId}] Non-TLS connection detected on port 443 in SNI handler. ` + `[${connectionId}] Non-TLS connection detected on port 443 in SNI handler. ` +
`Terminating connection - only TLS traffic is allowed on standard HTTPS port.` `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
); );
if (record.incomingTerminationReason === null) { if (record.incomingTerminationReason === null) {
record.incomingTerminationReason = 'non_tls_blocked'; record.incomingTerminationReason = 'non_tls_blocked';
@ -576,42 +550,48 @@ export class ConnectionHandler {
// Extract SNI // Extract SNI
serverName = this.tlsManager.extractSNI(chunk, connInfo) || ''; serverName = this.tlsManager.extractSNI(chunk, connInfo) || '';
// If allowSessionTicket is false and this is a ClientHello with no SNI, terminate the connection // If allowSessionTicket is false and this is a ClientHello with no SNI, terminate the connection
if (this.settings.allowSessionTicket === false && if (
this.tlsManager.isClientHello(chunk) && this.settings.allowSessionTicket === false &&
!serverName) { this.tlsManager.isClientHello(chunk) &&
!serverName
) {
// Always block ClientHello without SNI when allowSessionTicket is false // Always block ClientHello without SNI when allowSessionTicket is false
console.log( console.log(
`[${connectionId}] No SNI detected in ClientHello and allowSessionTicket=false. ` + `[${connectionId}] No SNI detected in ClientHello and allowSessionTicket=false. ` +
`Terminating connection to force new TLS handshake with SNI.` `Terminating connection to force new TLS handshake with SNI.`
); );
// Send a proper TLS alert before ending the connection // Send a proper TLS alert before ending the connection
// Using "unrecognized_name" (112) alert which is a warning level alert (1) // Using "unrecognized_name" (112) alert which is a warning level alert (1)
// that encourages clients to retry with proper SNI // that encourages clients to retry with proper SNI
const alertData = Buffer.from([ const alertData = Buffer.from([
0x15, // Alert record type 0x15, // Alert record type
0x03, 0x03, // TLS 1.2 version 0x03,
0x00, 0x02, // Length 0x03, // TLS 1.2 version
0x01, // Warning alert level (not fatal) 0x00,
0x70 // unrecognized_name alert (code 112) 0x02, // Length
0x01, // Warning alert level (not fatal)
0x70, // unrecognized_name alert (code 112)
]); ]);
try { try {
socket.write(alertData, () => { socket.write(alertData, () => {
// Only close the socket after we're sure the alert was sent // Only close the socket after we're sure the alert was sent
// Give the alert time to be processed by the client // Give the alert time to be processed by the client
setTimeout(() => { setTimeout(() => {
socket.end(); socket.end();
// Ensure complete cleanup happens a bit later // Ensure complete cleanup happens a bit later
setTimeout(() => { setTimeout(() => {
if (!socket.destroyed) { if (!socket.destroyed) {
socket.destroy(); socket.destroy();
} }
this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni'); this.connectionManager.cleanupConnection(
record,
'session_ticket_blocked_no_sni'
);
}, 100); }, 100);
}, 100); }, 100);
}); });
@ -620,12 +600,15 @@ export class ConnectionHandler {
socket.end(); socket.end();
this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni'); this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
} }
if (record.incomingTerminationReason === null) { if (record.incomingTerminationReason === null) {
record.incomingTerminationReason = 'session_ticket_blocked_no_sni'; record.incomingTerminationReason = 'session_ticket_blocked_no_sni';
this.connectionManager.incrementTerminationStat('incoming', 'session_ticket_blocked_no_sni'); this.connectionManager.incrementTerminationStat(
'incoming',
'session_ticket_blocked_no_sni'
);
} }
return; return;
} }
} }
@ -674,23 +657,21 @@ export class ConnectionHandler {
overridePort?: number overridePort?: number
): void { ): void {
const connectionId = record.id; const connectionId = record.id;
// Determine target host // Determine target host
const targetHost = domainConfig const targetHost = domainConfig
? this.domainConfigManager.getTargetIP(domainConfig) ? this.domainConfigManager.getTargetIP(domainConfig)
: this.settings.targetIP!; : this.settings.targetIP!;
// Determine target port // Determine target port
const targetPort = overridePort !== undefined const targetPort = overridePort !== undefined ? overridePort : this.settings.toPort;
? overridePort
: this.settings.toPort;
// Setup connection options // Setup connection options
const connectionOptions: plugins.net.NetConnectOpts = { const connectionOptions: plugins.net.NetConnectOpts = {
host: targetHost, host: targetHost,
port: targetPort, port: targetPort,
}; };
// Preserve source IP if configured // Preserve source IP if configured
if (this.settings.preserveSourceIP) { if (this.settings.preserveSourceIP) {
connectionOptions.localAddress = record.remoteIP.replace('::ffff:', ''); connectionOptions.localAddress = record.remoteIP.replace('::ffff:', '');
@ -947,18 +928,20 @@ export class ConnectionHandler {
// Process any remaining data in the queue before switching to piping // Process any remaining data in the queue before switching to piping
processDataQueue(); processDataQueue();
// Set up piping immediately // Set up piping immediately
pipingEstablished = true; pipingEstablished = true;
// Flush all pending data to target // Flush all pending data to target
if (record.pendingData.length > 0) { if (record.pendingData.length > 0) {
const combinedData = Buffer.concat(record.pendingData); const combinedData = Buffer.concat(record.pendingData);
if (this.settings.enableDetailedLogging) { if (this.settings.enableDetailedLogging) {
console.log(`[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`); console.log(
`[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`
);
} }
// Write pending data immediately // Write pending data immediately
targetSocket.write(combinedData, (err) => { targetSocket.write(combinedData, (err) => {
if (err) { if (err) {
@ -966,19 +949,19 @@ export class ConnectionHandler {
return this.connectionManager.initiateCleanupOnce(record, 'write_error'); return this.connectionManager.initiateCleanupOnce(record, 'write_error');
} }
}); });
// Clear the buffer now that we've processed it // Clear the buffer now that we've processed it
record.pendingData = []; record.pendingData = [];
record.pendingDataSize = 0; record.pendingDataSize = 0;
} }
// Setup piping in both directions without any delays // Setup piping in both directions without any delays
socket.pipe(targetSocket); socket.pipe(targetSocket);
targetSocket.pipe(socket); targetSocket.pipe(socket);
// Resume the socket to ensure data flows // Resume the socket to ensure data flows
socket.resume(); socket.resume();
// Process any data that might be queued in the interim // Process any data that might be queued in the interim
if (dataQueue.length > 0) { if (dataQueue.length > 0) {
// Write any remaining queued data directly to the target socket // Write any remaining queued data directly to the target socket
@ -989,7 +972,7 @@ export class ConnectionHandler {
dataQueue.length = 0; dataQueue.length = 0;
queueSize = 0; queueSize = 0;
} }
if (this.settings.enableDetailedLogging) { if (this.settings.enableDetailedLogging) {
console.log( console.log(
`[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` + `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
@ -1054,15 +1037,12 @@ export class ConnectionHandler {
} }
// Set connection timeout // Set connection timeout
record.cleanupTimer = this.timeoutManager.setupConnectionTimeout( record.cleanupTimer = this.timeoutManager.setupConnectionTimeout(record, (record, reason) => {
record, console.log(
(record, reason) => { `[${connectionId}] Connection from ${record.remoteIP} exceeded max lifetime, forcing cleanup.`
console.log( );
`[${connectionId}] Connection from ${record.remoteIP} exceeded max lifetime, forcing cleanup.` this.connectionManager.initiateCleanupOnce(record, reason);
); });
this.connectionManager.initiateCleanupOnce(record, reason);
}
);
// Mark TLS handshake as complete for TLS connections // Mark TLS handshake as complete for TLS connections
if (record.isTLS) { if (record.isTLS) {
@ -1076,4 +1056,4 @@ export class ConnectionHandler {
} }
}); });
} }
} }