push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(routing): unify route based architecture

Browse Source
This commit is contained in:
Philipp Kunz
2025-05-13 12:48:41 +00:00
parent fe632bde67
commit fcc8cf9caa
46 changed files with 7943 additions and 1332 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ts/core/models/index.ts
View File

@ -3,3 +3,5 @@
*/
export * from './common-types.js';
export * from './socket-augmentation.js';
export * from './route-context.js';

111
ts/core/models/route-context.ts Normal file
View File

@ -0,0 +1,111 @@
/**
* Shared Route Context Interface
*
* This interface defines the route context object that is used by both
* SmartProxy and NetworkProxy, ensuring consistent context throughout the system.
*/
/**
* Route context for route matching and function-based target resolution
*/
export interface IRouteContext {
// Connection basics
port: number; // The matched incoming port
domain?: string; // The domain from SNI or Host header
clientIp: string; // The client's IP address
serverIp: string; // The server's IP address
// HTTP specifics (NetworkProxy only)
path?: string; // URL path (for HTTP connections)
query?: string; // Query string (for HTTP connections)
headers?: Record<string, string>; // HTTP headers (for HTTP connections)
// TLS information
isTls: boolean; // Whether the connection is TLS
tlsVersion?: string; // TLS version if applicable
// Routing information
routeName?: string; // The name of the matched route
routeId?: string; // The ID of the matched route
// Resolved values
targetHost?: string | string[]; // The resolved target host
targetPort?: number; // The resolved target port
// Request metadata
timestamp: number; // The request timestamp
connectionId: string; // Unique connection identifier
}
/**
* Extended context interface with HTTP-specific objects
* Used only in NetworkProxy for HTTP request handling
*/
export interface IHttpRouteContext extends IRouteContext {
req?: any; // http.IncomingMessage
res?: any; // http.ServerResponse
method?: string; // HTTP method (GET, POST, etc.)
}
/**
* Extended context interface with HTTP/2-specific objects
* Used only in NetworkProxy for HTTP/2 request handling
*/
export interface IHttp2RouteContext extends IHttpRouteContext {
stream?: any; // http2.Http2Stream
headers?: Record<string, string>; // HTTP/2 pseudo-headers like :method, :path
}
/**
* Create a basic route context from connection information
*/
export function createBaseRouteContext(options: {
port: number;
clientIp: string;
serverIp: string;
domain?: string;
isTls: boolean;
tlsVersion?: string;
connectionId: string;
}): IRouteContext {
return {
...options,
timestamp: Date.now(),
};
}
/**
* Convert IHttpRouteContext to IRouteContext
* This is used to ensure type compatibility when passing HTTP-specific context
* to methods that require the base IRouteContext type
*/
export function toBaseContext(httpContext: IHttpRouteContext): IRouteContext {
// Create a new object with only the properties from IRouteContext
const baseContext: IRouteContext = {
port: httpContext.port,
domain: httpContext.domain,
clientIp: httpContext.clientIp,
serverIp: httpContext.serverIp,
path: httpContext.path,
query: httpContext.query,
headers: httpContext.headers,
isTls: httpContext.isTls,
tlsVersion: httpContext.tlsVersion,
routeName: httpContext.routeName,
routeId: httpContext.routeId,
timestamp: httpContext.timestamp,
connectionId: httpContext.connectionId
};
// Only copy targetHost if it's a string
if (httpContext.targetHost) {
baseContext.targetHost = httpContext.targetHost;
}
// Copy targetPort if it exists
if (httpContext.targetPort) {
baseContext.targetPort = httpContext.targetPort;
}
return baseContext;
}

33
ts/core/models/socket-augmentation.ts Normal file
View File

@ -0,0 +1,33 @@
import * as plugins from '../../plugins.js';
// Augment the Node.js Socket type to include TLS-related properties
// This helps TypeScript understand properties that are dynamically added by Node.js
declare module 'net' {
interface Socket {
// TLS-related properties
encrypted?: boolean; // Indicates if the socket is encrypted (TLS/SSL)
authorizationError?: Error; // Authentication error if TLS handshake failed
// TLS-related methods
getTLSVersion?(): string; // Returns the TLS version (e.g., 'TLSv1.2', 'TLSv1.3')
getPeerCertificate?(detailed?: boolean): any; // Returns the peer's certificate
getSession?(): Buffer; // Returns the TLS session data
}
}
// Export a utility function to check if a socket is a TLS socket
export function isTLSSocket(socket: plugins.net.Socket): boolean {
return 'encrypted' in socket && !!socket.encrypted;
}
// Export a utility function to safely get the TLS version
export function getTLSVersion(socket: plugins.net.Socket): string | null {
if (socket.getTLSVersion) {
try {
return socket.getTLSVersion();
} catch (e) {
return null;
}
}
return null;
}

376
ts/core/utils/event-system.ts Normal file
View File

@ -0,0 +1,376 @@
import * as plugins from '../../plugins.js';
import type {
ICertificateData,
ICertificateFailure,
ICertificateExpiring
} from '../models/common-types.js';
import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
import { Port80HandlerEvents } from '../models/common-types.js';
/**
* Standardized event names used throughout the system
*/
export enum ProxyEvents {
// Certificate events
CERTIFICATE_ISSUED = 'certificate:issued',
CERTIFICATE_RENEWED = 'certificate:renewed',
CERTIFICATE_FAILED = 'certificate:failed',
CERTIFICATE_EXPIRING = 'certificate:expiring',
// Component lifecycle events
COMPONENT_STARTED = 'component:started',
COMPONENT_STOPPED = 'component:stopped',
// Connection events
CONNECTION_ESTABLISHED = 'connection:established',
CONNECTION_CLOSED = 'connection:closed',
CONNECTION_ERROR = 'connection:error',
// Request events
REQUEST_RECEIVED = 'request:received',
REQUEST_COMPLETED = 'request:completed',
REQUEST_ERROR = 'request:error',
// Route events
ROUTE_MATCHED = 'route:matched',
ROUTE_UPDATED = 'route:updated',
ROUTE_ERROR = 'route:error',
// Security events
SECURITY_BLOCKED = 'security:blocked',
SECURITY_BREACH_ATTEMPT = 'security:breach-attempt',
// TLS events
TLS_HANDSHAKE_STARTED = 'tls:handshake-started',
TLS_HANDSHAKE_COMPLETED = 'tls:handshake-completed',
TLS_HANDSHAKE_FAILED = 'tls:handshake-failed'
}
/**
* Component types for event metadata
*/
export enum ComponentType {
SMART_PROXY = 'smart-proxy',
NETWORK_PROXY = 'network-proxy',
NFTABLES_PROXY = 'nftables-proxy',
PORT80_HANDLER = 'port80-handler',
CERTIFICATE_MANAGER = 'certificate-manager',
ROUTE_MANAGER = 'route-manager',
CONNECTION_MANAGER = 'connection-manager',
TLS_MANAGER = 'tls-manager',
SECURITY_MANAGER = 'security-manager'
}
/**
* Base event data interface
*/
export interface IEventData {
timestamp: number;
componentType: ComponentType;
componentId?: string;
}
/**
* Certificate event data
*/
export interface ICertificateEventData extends IEventData, ICertificateData {
isRenewal?: boolean;
source?: string;
}
/**
* Certificate failure event data
*/
export interface ICertificateFailureEventData extends IEventData, ICertificateFailure {}
/**
* Certificate expiring event data
*/
export interface ICertificateExpiringEventData extends IEventData, ICertificateExpiring {}
/**
* Component lifecycle event data
*/
export interface IComponentEventData extends IEventData {
name: string;
version?: string;
}
/**
* Connection event data
*/
export interface IConnectionEventData extends IEventData {
connectionId: string;
clientIp: string;
serverIp?: string;
port: number;
isTls?: boolean;
domain?: string;
}
/**
* Request event data
*/
export interface IRequestEventData extends IEventData {
connectionId: string;
requestId: string;
method?: string;
path?: string;
statusCode?: number;
duration?: number;
routeId?: string;
routeName?: string;
}
/**
* Route event data
*/
export interface IRouteEventData extends IEventData {
route: IRouteConfig;
context?: any;
}
/**
* Security event data
*/
export interface ISecurityEventData extends IEventData {
clientIp: string;
reason: string;
routeId?: string;
routeName?: string;
}
/**
* TLS event data
*/
export interface ITlsEventData extends IEventData {
connectionId: string;
domain?: string;
clientIp: string;
tlsVersion?: string;
cipherSuite?: string;
sniHostname?: string;
}
/**
* Logger interface for event system
*/
export interface IEventLogger {
info: (message: string, ...args: any[]) => void;
warn: (message: string, ...args: any[]) => void;
error: (message: string, ...args: any[]) => void;
debug?: (message: string, ...args: any[]) => void;
}
/**
* Event handler type
*/
export type EventHandler<T> = (data: T) => void;
/**
* Helper class to standardize event emission and handling
* across all system components
*/
export class EventSystem {
private emitter: plugins.EventEmitter;
private componentType: ComponentType;
private componentId: string;
private logger?: IEventLogger;
constructor(
componentType: ComponentType,
componentId: string = '',
logger?: IEventLogger
) {
this.emitter = new plugins.EventEmitter();
this.componentType = componentType;
this.componentId = componentId;
this.logger = logger;
}
/**
* Emit a certificate issued event
*/
public emitCertificateIssued(data: Omit<ICertificateEventData, 'timestamp' | 'componentType' | 'componentId'>): void {
const eventData: ICertificateEventData = {
...data,
timestamp: Date.now(),
componentType: this.componentType,
componentId: this.componentId
};
this.logger?.info?.(`Certificate issued for ${data.domain}`);
this.emitter.emit(ProxyEvents.CERTIFICATE_ISSUED, eventData);
}
/**
* Emit a certificate renewed event
*/
public emitCertificateRenewed(data: Omit<ICertificateEventData, 'timestamp' | 'componentType' | 'componentId'>): void {
const eventData: ICertificateEventData = {
...data,
timestamp: Date.now(),
componentType: this.componentType,
componentId: this.componentId
};
this.logger?.info?.(`Certificate renewed for ${data.domain}`);
this.emitter.emit(ProxyEvents.CERTIFICATE_RENEWED, eventData);
}
/**
* Emit a certificate failed event
*/
public emitCertificateFailed(data: Omit<ICertificateFailureEventData, 'timestamp' | 'componentType' | 'componentId'>): void {
const eventData: ICertificateFailureEventData = {
...data,
timestamp: Date.now(),
componentType: this.componentType,
componentId: this.componentId
};
this.logger?.error?.(`Certificate issuance failed for ${data.domain}: ${data.error}`);
this.emitter.emit(ProxyEvents.CERTIFICATE_FAILED, eventData);
}
/**
* Emit a certificate expiring event
*/
public emitCertificateExpiring(data: Omit<ICertificateExpiringEventData, 'timestamp' | 'componentType' | 'componentId'>): void {
const eventData: ICertificateExpiringEventData = {
...data,
timestamp: Date.now(),
componentType: this.componentType,
componentId: this.componentId
};
this.logger?.warn?.(`Certificate expiring for ${data.domain} in ${data.daysRemaining} days`);
this.emitter.emit(ProxyEvents.CERTIFICATE_EXPIRING, eventData);
}
/**
* Emit a component started event
*/
public emitComponentStarted(name: string, version?: string): void {
const eventData: IComponentEventData = {
name,
version,
timestamp: Date.now(),
componentType: this.componentType,
componentId: this.componentId
};
this.logger?.info?.(`Component ${name} started${version ? ` (v${version})` : ''}`);
this.emitter.emit(ProxyEvents.COMPONENT_STARTED, eventData);
}
/**
* Emit a component stopped event
*/
public emitComponentStopped(name: string): void {
const eventData: IComponentEventData = {
name,
timestamp: Date.now(),
componentType: this.componentType,
componentId: this.componentId
};
this.logger?.info?.(`Component ${name} stopped`);
this.emitter.emit(ProxyEvents.COMPONENT_STOPPED, eventData);
}
/**
* Emit a connection established event
*/
public emitConnectionEstablished(data: Omit<IConnectionEventData, 'timestamp' | 'componentType' | 'componentId'>): void {
const eventData: IConnectionEventData = {
...data,
timestamp: Date.now(),
componentType: this.componentType,
componentId: this.componentId
};
this.logger?.debug?.(`Connection ${data.connectionId} established from ${data.clientIp} on port ${data.port}`);
this.emitter.emit(ProxyEvents.CONNECTION_ESTABLISHED, eventData);
}
/**
* Emit a connection closed event
*/
public emitConnectionClosed(data: Omit<IConnectionEventData, 'timestamp' | 'componentType' | 'componentId'>): void {
const eventData: IConnectionEventData = {
...data,
timestamp: Date.now(),
componentType: this.componentType,
componentId: this.componentId
};
this.logger?.debug?.(`Connection ${data.connectionId} closed`);
this.emitter.emit(ProxyEvents.CONNECTION_CLOSED, eventData);
}
/**
* Emit a route matched event
*/
public emitRouteMatched(data: Omit<IRouteEventData, 'timestamp' | 'componentType' | 'componentId'>): void {
const eventData: IRouteEventData = {
...data,
timestamp: Date.now(),
componentType: this.componentType,
componentId: this.componentId
};
this.logger?.debug?.(`Route matched: ${data.route.name || data.route.id || 'unnamed'}`);
this.emitter.emit(ProxyEvents.ROUTE_MATCHED, eventData);
}
/**
* Subscribe to an event
*/
public on<T>(event: ProxyEvents, handler: EventHandler<T>): void {
this.emitter.on(event, handler);
}
/**
* Subscribe to an event once
*/
public once<T>(event: ProxyEvents, handler: EventHandler<T>): void {
this.emitter.once(event, handler);
}
/**
* Unsubscribe from an event
*/
public off<T>(event: ProxyEvents, handler: EventHandler<T>): void {
this.emitter.off(event, handler);
}
/**
* Map Port80Handler events to standard proxy events
*/
public subscribePort80HandlerEvents(handler: any): void {
handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, (data: ICertificateData) => {
this.emitCertificateIssued({
...data,
isRenewal: false,
source: 'port80handler'
});
});
handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, (data: ICertificateData) => {
this.emitCertificateRenewed({
...data,
isRenewal: true,
source: 'port80handler'
});
});
handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, (data: ICertificateFailure) => {
this.emitCertificateFailed(data);
});
handler.on(Port80HandlerEvents.CERTIFICATE_EXPIRING, (data: ICertificateExpiring) => {
this.emitCertificateExpiring(data);
});
}
}

7
ts/core/utils/index.ts
View File

@ -5,3 +5,10 @@
export * from './event-utils.js';
export * from './validation-utils.js';
export * from './ip-utils.js';
export * from './template-utils.js';
export * from './route-manager.js';
export * from './route-utils.js';
export * from './security-utils.js';
export * from './shared-security-manager.js';
export * from './event-system.js';
export * from './websocket-utils.js';

489
ts/core/utils/route-manager.ts Normal file
View File

@ -0,0 +1,489 @@
import * as plugins from '../../plugins.js';
import type {
IRouteConfig,
IRouteMatch,
IRouteAction,
TPortRange,
IRouteContext
} from '../../proxies/smart-proxy/models/route-types.js';
import {
matchDomain,
matchRouteDomain,
matchPath,
matchIpPattern,
matchIpCidr,
ipToNumber,
isIpAuthorized,
calculateRouteSpecificity
} from './route-utils.js';
/**
* Result of route matching
*/
export interface IRouteMatchResult {
route: IRouteConfig;
// Additional match parameters (path, query, etc.)
params?: Record<string, string>;
}
/**
* Logger interface for RouteManager
*/
export interface ILogger {
info: (message: string, ...args: any[]) => void;
warn: (message: string, ...args: any[]) => void;
error: (message: string, ...args: any[]) => void;
debug?: (message: string, ...args: any[]) => void;
}
/**
* Shared RouteManager used by both SmartProxy and NetworkProxy
*
* This provides a unified implementation for route management,
* route matching, and port handling.
*/
export class SharedRouteManager extends plugins.EventEmitter {
private routes: IRouteConfig[] = [];
private portMap: Map<number, IRouteConfig[]> = new Map();
private logger: ILogger;
private enableDetailedLogging: boolean;
/**
* Memoization cache for expanded port ranges
*/
private portRangeCache: Map<string, number[]> = new Map();
constructor(options: {
logger?: ILogger;
enableDetailedLogging?: boolean;
routes?: IRouteConfig[];
}) {
super();
// Set up logger (use console if not provided)
this.logger = options.logger || {
info: console.log,
warn: console.warn,
error: console.error,
debug: options.enableDetailedLogging ? console.log : undefined
};
this.enableDetailedLogging = options.enableDetailedLogging || false;
// Initialize routes if provided
if (options.routes) {
this.updateRoutes(options.routes);
}
}
/**
* Update routes with new configuration
*/
public updateRoutes(routes: IRouteConfig[] = []): void {
// Sort routes by priority (higher first)
this.routes = [...(routes || [])].sort((a, b) => {
const priorityA = a.priority ?? 0;
const priorityB = b.priority ?? 0;
return priorityB - priorityA;
});
// Rebuild port mapping for fast lookups
this.rebuildPortMap();
this.logger.info(`Updated RouteManager with ${this.routes.length} routes`);
}
/**
* Get all routes
*/
public getRoutes(): IRouteConfig[] {
return [...this.routes];
}
/**
* Rebuild the port mapping for fast lookups
* Also logs information about the ports being listened on
*/
private rebuildPortMap(): void {
this.portMap.clear();
this.portRangeCache.clear(); // Clear cache when rebuilding
// Track ports for logging
const portToRoutesMap = new Map<number, string[]>();
for (const route of this.routes) {
const ports = this.expandPortRange(route.match.ports);
// Skip if no ports were found
if (ports.length === 0) {
this.logger.warn(`Route ${route.name || 'unnamed'} has no valid ports to listen on`);
continue;
}
for (const port of ports) {
// Add to portMap for routing
if (!this.portMap.has(port)) {
this.portMap.set(port, []);
}
this.portMap.get(port)!.push(route);
// Add to tracking for logging
if (!portToRoutesMap.has(port)) {
portToRoutesMap.set(port, []);
}
portToRoutesMap.get(port)!.push(route.name || 'unnamed');
}
}
// Log summary of ports and routes
const totalPorts = this.portMap.size;
const totalRoutes = this.routes.length;
this.logger.info(`Route manager configured with ${totalRoutes} routes across ${totalPorts} ports`);
// Log port details if detailed logging is enabled
if (this.enableDetailedLogging) {
for (const [port, routes] of this.portMap.entries()) {
this.logger.info(`Port ${port}: ${routes.length} routes (${portToRoutesMap.get(port)!.join(', ')})`);
}
}
}
/**
* Expand a port range specification into an array of individual ports
* Uses caching to improve performance for frequently used port ranges
*
* @public - Made public to allow external code to interpret port ranges
*/
public expandPortRange(portRange: TPortRange): number[] {
// For simple number, return immediately
if (typeof portRange === 'number') {
return [portRange];
}
// Create a cache key for this port range
const cacheKey = JSON.stringify(portRange);
// Check if we have a cached result
if (this.portRangeCache.has(cacheKey)) {
return this.portRangeCache.get(cacheKey)!;
}
// Process the port range
let result: number[] = [];
if (Array.isArray(portRange)) {
// Handle array of port objects or numbers
result = portRange.flatMap(item => {
if (typeof item === 'number') {
return [item];
} else if (typeof item === 'object' && 'from' in item && 'to' in item) {
// Handle port range object - check valid range
if (item.from > item.to) {
this.logger.warn(`Invalid port range: from (${item.from}) > to (${item.to})`);
return [];
}
// Handle port range object
const ports: number[] = [];
for (let p = item.from; p <= item.to; p++) {
ports.push(p);
}
return ports;
}
return [];
});
}
// Cache the result
this.portRangeCache.set(cacheKey, result);
return result;
}
/**
* Get all ports that should be listened on
* This method automatically infers all required ports from route configurations
*/
public getListeningPorts(): number[] {
// Return the unique set of ports from all routes
return Array.from(this.portMap.keys());
}
/**
* Get all routes for a given port
*/
public getRoutesForPort(port: number): IRouteConfig[] {
return this.portMap.get(port) || [];
}
/**
* Find the matching route for a connection
*/
public findMatchingRoute(context: IRouteContext): IRouteMatchResult | null {
// Get routes for this port if using port-based filtering
const routesToCheck = context.port
? (this.portMap.get(context.port) || [])
: this.routes;
// Find the first matching route based on priority order
for (const route of routesToCheck) {
if (this.matchesRoute(route, context)) {
return { route };
}
}
return null;
}
/**
* Check if a route matches the given context
*/
private matchesRoute(route: IRouteConfig, context: IRouteContext): boolean {
// Skip disabled routes
if (route.enabled === false) {
return false;
}
// Check port match if provided in context
if (context.port !== undefined) {
const ports = this.expandPortRange(route.match.ports);
if (!ports.includes(context.port)) {
return false;
}
}
// Check domain match if specified
if (route.match.domains && context.domain) {
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
if (!domains.some(domainPattern => this.matchDomain(domainPattern, context.domain!))) {
return false;
}
}
// Check path match if specified
if (route.match.path && context.path) {
if (!this.matchPath(route.match.path, context.path)) {
return false;
}
}
// Check client IP match if specified
if (route.match.clientIp && context.clientIp) {
if (!route.match.clientIp.some(ip => this.matchIpPattern(ip, context.clientIp))) {
return false;
}
}
// Check TLS version match if specified
if (route.match.tlsVersion && context.tlsVersion) {
if (!route.match.tlsVersion.includes(context.tlsVersion)) {
return false;
}
}
// Check header match if specified
if (route.match.headers && context.headers) {
for (const [headerName, expectedValue] of Object.entries(route.match.headers)) {
const actualValue = context.headers[headerName.toLowerCase()];
// If header doesn't exist, no match
if (actualValue === undefined) {
return false;
}
// Match against string or regex
if (typeof expectedValue === 'string') {
if (actualValue !== expectedValue) {
return false;
}
} else if (expectedValue instanceof RegExp) {
if (!expectedValue.test(actualValue)) {
return false;
}
}
}
}
// All criteria matched
return true;
}
/**
* Match a domain pattern against a domain
* @deprecated Use the matchDomain function from route-utils.js instead
*/
public matchDomain(pattern: string, domain: string): boolean {
return matchDomain(pattern, domain);
}
/**
* Match a path pattern against a path
* @deprecated Use the matchPath function from route-utils.js instead
*/
public matchPath(pattern: string, path: string): boolean {
return matchPath(pattern, path);
}
/**
* Match an IP pattern against a pattern
* @deprecated Use the matchIpPattern function from route-utils.js instead
*/
public matchIpPattern(pattern: string, ip: string): boolean {
return matchIpPattern(pattern, ip);
}
/**
* Match an IP against a CIDR pattern
* @deprecated Use the matchIpCidr function from route-utils.js instead
*/
public matchIpCidr(cidr: string, ip: string): boolean {
return matchIpCidr(cidr, ip);
}
/**
* Convert an IP address to a numeric value
* @deprecated Use the ipToNumber function from route-utils.js instead
*/
private ipToNumber(ip: string): number {
return ipToNumber(ip);
}
/**
* Validate the route configuration and return any warnings
*/
public validateConfiguration(): string[] {
const warnings: string[] = [];
const duplicatePorts = new Map<number, number>();
// Check for routes with the same exact match criteria
for (let i = 0; i < this.routes.length; i++) {
for (let j = i + 1; j < this.routes.length; j++) {
const route1 = this.routes[i];
const route2 = this.routes[j];
// Check if route match criteria are the same
if (this.areMatchesSimilar(route1.match, route2.match)) {
warnings.push(
`Routes "${route1.name || i}" and "${route2.name || j}" have similar match criteria. ` +
`The route with higher priority (${Math.max(route1.priority || 0, route2.priority || 0)}) will be used.`
);
}
}
}
// Check for routes that may never be matched due to priority
for (let i = 0; i < this.routes.length; i++) {
const route = this.routes[i];
const higherPriorityRoutes = this.routes.filter(r =>
(r.priority || 0) > (route.priority || 0));
for (const higherRoute of higherPriorityRoutes) {
if (this.isRouteShadowed(route, higherRoute)) {
warnings.push(
`Route "${route.name || i}" may never be matched because it is shadowed by ` +
`higher priority route "${higherRoute.name || 'unnamed'}"`
);
break;
}
}
}
return warnings;
}
/**
* Check if two route matches are similar (potential conflict)
*/
private areMatchesSimilar(match1: IRouteMatch, match2: IRouteMatch): boolean {
// Check port overlap
const ports1 = new Set(this.expandPortRange(match1.ports));
const ports2 = new Set(this.expandPortRange(match2.ports));
let havePortOverlap = false;
for (const port of ports1) {
if (ports2.has(port)) {
havePortOverlap = true;
break;
}
}
if (!havePortOverlap) {
return false;
}
// Check domain overlap
if (match1.domains && match2.domains) {
const domains1 = Array.isArray(match1.domains) ? match1.domains : [match1.domains];
const domains2 = Array.isArray(match2.domains) ? match2.domains : [match2.domains];
// Check if any domain pattern from match1 could match any from match2
let haveDomainOverlap = false;
for (const domain1 of domains1) {
for (const domain2 of domains2) {
if (domain1 === domain2 ||
(domain1.includes('*') || domain2.includes('*'))) {
haveDomainOverlap = true;
break;
}
}
if (haveDomainOverlap) break;
}
if (!haveDomainOverlap) {
return false;
}
} else if (match1.domains || match2.domains) {
// One has domains, the other doesn't - they could overlap
// The one with domains is more specific, so it's not exactly a conflict
return false;
}
// Check path overlap
if (match1.path && match2.path) {
// This is a simplified check - in a real implementation,
// you'd need to check if the path patterns could match the same paths
return match1.path === match2.path ||
match1.path.includes('*') ||
match2.path.includes('*');
} else if (match1.path || match2.path) {
// One has a path, the other doesn't
return false;
}
// If we get here, the matches have significant overlap
return true;
}
/**
* Check if a route is completely shadowed by a higher priority route
*/
private isRouteShadowed(route: IRouteConfig, higherPriorityRoute: IRouteConfig): boolean {
// If they don't have similar match criteria, no shadowing occurs
if (!this.areMatchesSimilar(route.match, higherPriorityRoute.match)) {
return false;
}
// If higher priority route has more specific criteria, no shadowing
const routeSpecificity = calculateRouteSpecificity(route.match);
const higherRouteSpecificity = calculateRouteSpecificity(higherPriorityRoute.match);
if (higherRouteSpecificity > routeSpecificity) {
return false;
}
// If higher priority route is equally or less specific but has higher priority,
// it shadows the lower priority route
return true;
}
/**
* Check if route1 is more specific than route2
* @deprecated Use the calculateRouteSpecificity function from route-utils.js instead
*/
private isRouteMoreSpecific(match1: IRouteMatch, match2: IRouteMatch): boolean {
return calculateRouteSpecificity(match1) > calculateRouteSpecificity(match2);
}
}

293
ts/core/utils/route-utils.ts Normal file
View File

@ -0,0 +1,293 @@
/**
* Route matching utilities for SmartProxy components
*
* Contains shared logic for domain matching, path matching, and IP matching
* to be used by different proxy components throughout the system.
*/
/**
* Match a domain pattern against a domain
*
* @param pattern Domain pattern with optional wildcards (e.g., "*.example.com")
* @param domain Domain to match against the pattern
* @returns Whether the domain matches the pattern
*/
export function matchDomain(pattern: string, domain: string): boolean {
// Handle exact match
if (pattern === domain) {
return true;
}
// Handle wildcard pattern
if (pattern.includes('*')) {
const regexPattern = pattern
.replace(/\./g, '\\.') // Escape dots
.replace(/\*/g, '.*'); // Convert * to .*
const regex = new RegExp(`^${regexPattern}$`, 'i');
return regex.test(domain);
}
return false;
}
/**
* Match domains from a route against a given domain
*
* @param domains Array or single domain pattern to match against
* @param domain Domain to match
* @returns Whether the domain matches any of the patterns
*/
export function matchRouteDomain(domains: string | string[] | undefined, domain: string | undefined): boolean {
// If no domains specified in the route, match all domains
if (!domains) {
return true;
}
// If no domain in the request, can't match domain-specific routes
if (!domain) {
return false;
}
const patterns = Array.isArray(domains) ? domains : [domains];
return patterns.some(pattern => matchDomain(pattern, domain));
}
/**
* Match a path pattern against a path
*
* @param pattern Path pattern with optional wildcards
* @param path Path to match against the pattern
* @returns Whether the path matches the pattern
*/
export function matchPath(pattern: string, path: string): boolean {
// Handle exact match
if (pattern === path) {
return true;
}
// Handle simple wildcard at the end (like /api/*)
if (pattern.endsWith('*')) {
const prefix = pattern.slice(0, -1);
return path.startsWith(prefix);
}
// Handle more complex wildcard patterns
if (pattern.includes('*')) {
const regexPattern = pattern
.replace(/\./g, '\\.') // Escape dots
.replace(/\*/g, '.*') // Convert * to .*
.replace(/\//g, '\\/'); // Escape slashes
const regex = new RegExp(`^${regexPattern}$`);
return regex.test(path);
}
return false;
}
/**
* Parse CIDR notation into subnet and mask bits
*
* @param cidr CIDR string (e.g., "192.168.1.0/24")
* @returns Object with subnet and bits, or null if invalid
*/
export function parseCidr(cidr: string): { subnet: string; bits: number } | null {
try {
const [subnet, bitsStr] = cidr.split('/');
const bits = parseInt(bitsStr, 10);
if (isNaN(bits) || bits < 0 || bits > 32) {
return null;
}
return { subnet, bits };
} catch (e) {
return null;
}
}
/**
* Convert an IP address to a numeric value
*
* @param ip IPv4 address string (e.g., "192.168.1.1")
* @returns Numeric representation of the IP
*/
export function ipToNumber(ip: string): number {
// Handle IPv6-mapped IPv4 addresses (::ffff:192.168.1.1)
if (ip.startsWith('::ffff:')) {
ip = ip.slice(7);
}
const parts = ip.split('.').map(part => parseInt(part, 10));
return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
}
/**
* Match an IP against a CIDR pattern
*
* @param cidr CIDR pattern (e.g., "192.168.1.0/24")
* @param ip IP to match against the pattern
* @returns Whether the IP is in the CIDR range
*/
export function matchIpCidr(cidr: string, ip: string): boolean {
const parsed = parseCidr(cidr);
if (!parsed) {
return false;
}
try {
const { subnet, bits } = parsed;
// Convert IP addresses to numeric values
const ipNum = ipToNumber(ip);
const subnetNum = ipToNumber(subnet);
// Calculate subnet mask
const maskNum = ~(2 ** (32 - bits) - 1);
// Check if IP is in subnet
return (ipNum & maskNum) === (subnetNum & maskNum);
} catch (e) {
return false;
}
}
/**
* Match an IP pattern against an IP
*
* @param pattern IP pattern (exact, CIDR, or with wildcards)
* @param ip IP to match against the pattern
* @returns Whether the IP matches the pattern
*/
export function matchIpPattern(pattern: string, ip: string): boolean {
// Handle exact match
if (pattern === ip) {
return true;
}
// Handle "all" wildcard
if (pattern === '*') {
return true;
}
// Handle CIDR notation (e.g., 192.168.1.0/24)
if (pattern.includes('/')) {
return matchIpCidr(pattern, ip);
}
// Handle glob pattern (e.g., 192.168.1.*)
if (pattern.includes('*')) {
const regexPattern = pattern.replace(/\./g, '\\.').replace(/\*/g, '.*');
const regex = new RegExp(`^${regexPattern}$`);
return regex.test(ip);
}
return false;
}
/**
* Match an IP against allowed and blocked IP patterns
*
* @param ip IP to check
* @param allowedIps Array of allowed IP patterns
* @param blockedIps Array of blocked IP patterns
* @returns Whether the IP is allowed
*/
export function isIpAuthorized(
ip: string,
allowedIps: string[] = ['*'],
blockedIps: string[] = []
): boolean {
// Check blocked IPs first
if (blockedIps.length > 0) {
for (const pattern of blockedIps) {
if (matchIpPattern(pattern, ip)) {
return false; // IP is blocked
}
}
}
// If there are allowed IPs, check them
if (allowedIps.length > 0) {
// Special case: if '*' is in allowed IPs, all non-blocked IPs are allowed
if (allowedIps.includes('*')) {
return true;
}
for (const pattern of allowedIps) {
if (matchIpPattern(pattern, ip)) {
return true; // IP is allowed
}
}
return false; // IP not in allowed list
}
// No allowed IPs specified, so IP is allowed by default
return true;
}
/**
* Match an HTTP header pattern against a header value
*
* @param pattern Expected header value (string or RegExp)
* @param value Actual header value
* @returns Whether the header matches the pattern
*/
export function matchHeader(pattern: string | RegExp, value: string): boolean {
if (typeof pattern === 'string') {
return pattern === value;
} else if (pattern instanceof RegExp) {
return pattern.test(value);
}
return false;
}
/**
* Calculate route specificity score
* Higher score means more specific matching criteria
*
* @param match Match criteria to evaluate
* @returns Numeric specificity score
*/
export function calculateRouteSpecificity(match: {
domains?: string | string[];
path?: string;
clientIp?: string[];
tlsVersion?: string[];
headers?: Record<string, string | RegExp>;
}): number {
let score = 0;
// Path is very specific
if (match.path) {
// More specific if it doesn't use wildcards
score += match.path.includes('*') ? 3 : 4;
}
// Domain is next most specific
if (match.domains) {
const domains = Array.isArray(match.domains) ? match.domains : [match.domains];
// More domains or more specific domains (without wildcards) increase specificity
score += domains.length;
// Add bonus for exact domains (without wildcards)
score += domains.some(d => !d.includes('*')) ? 1 : 0;
}
// Headers are quite specific
if (match.headers) {
score += Object.keys(match.headers).length * 2;
}
// Client IP adds some specificity
if (match.clientIp && match.clientIp.length > 0) {
score += 1;
}
// TLS version adds minimal specificity
if (match.tlsVersion && match.tlsVersion.length > 0) {
score += 1;
}
return score;
}

309
ts/core/utils/security-utils.ts Normal file
View File

@ -0,0 +1,309 @@
import * as plugins from '../../plugins.js';
import {
matchIpPattern,
ipToNumber,
matchIpCidr
} from './route-utils.js';
/**
* Security utilities for IP validation, rate limiting,
* authentication, and other security features
*/
/**
* Result of IP validation
*/
export interface IIpValidationResult {
allowed: boolean;
reason?: string;
}
/**
* IP connection tracking information
*/
export interface IIpConnectionInfo {
connections: Set<string>; // ConnectionIDs
timestamps: number[]; // Connection timestamps
ipVariants: string[]; // Normalized IP variants (e.g., ::ffff:127.0.0.1 and 127.0.0.1)
}
/**
* Rate limit tracking
*/
export interface IRateLimitInfo {
count: number;
expiry: number;
}
/**
* Logger interface for security utilities
*/
export interface ISecurityLogger {
info: (message: string, ...args: any[]) => void;
warn: (message: string, ...args: any[]) => void;
error: (message: string, ...args: any[]) => void;
debug?: (message: string, ...args: any[]) => void;
}
/**
* Normalize IP addresses for comparison
* Handles IPv4-mapped IPv6 addresses (::ffff:127.0.0.1)
*
* @param ip IP address to normalize
* @returns Array of equivalent IP representations
*/
export function normalizeIP(ip: string): string[] {
if (!ip) return [];
// Handle IPv4-mapped IPv6 addresses (::ffff:127.0.0.1)
if (ip.startsWith('::ffff:')) {
const ipv4 = ip.slice(7);
return [ip, ipv4];
}
// Handle IPv4 addresses by also checking IPv4-mapped form
if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
return [ip, `::ffff:${ip}`];
}
return [ip];
}
/**
* Check if an IP is authorized based on allow and block lists
*
* @param ip - The IP address to check
* @param allowedIPs - Array of allowed IP patterns
* @param blockedIPs - Array of blocked IP patterns
* @returns Whether the IP is authorized
*/
export function isIPAuthorized(
ip: string,
allowedIPs: string[] = ['*'],
blockedIPs: string[] = []
): boolean {
// Skip IP validation if no rules
if (!ip || (allowedIPs.length === 0 && blockedIPs.length === 0)) {
return true;
}
// First check if IP is blocked - blocked IPs take precedence
if (blockedIPs.length > 0) {
for (const pattern of blockedIPs) {
if (matchIpPattern(pattern, ip)) {
return false;
}
}
}
// If allowed IPs list has wildcard, all non-blocked IPs are allowed
if (allowedIPs.includes('*')) {
return true;
}
// Then check if IP is allowed in the explicit allow list
if (allowedIPs.length > 0) {
for (const pattern of allowedIPs) {
if (matchIpPattern(pattern, ip)) {
return true;
}
}
// If allowedIPs is specified but no match, deny access
return false;
}
// Default allow if no explicit allow list
return true;
}
/**
* Check if an IP exceeds maximum connections
*
* @param ip - The IP address to check
* @param ipConnectionsMap - Map of IPs to connection info
* @param maxConnectionsPerIP - Maximum allowed connections per IP
* @returns Result with allowed status and reason if blocked
*/
export function checkMaxConnections(
ip: string,
ipConnectionsMap: Map<string, IIpConnectionInfo>,
maxConnectionsPerIP: number
): IIpValidationResult {
if (!ipConnectionsMap.has(ip)) {
return { allowed: true };
}
const connectionCount = ipConnectionsMap.get(ip)!.connections.size;
if (connectionCount >= maxConnectionsPerIP) {
return {
allowed: false,
reason: `Maximum connections per IP (${maxConnectionsPerIP}) exceeded`
};
}
return { allowed: true };
}
/**
* Check if an IP exceeds connection rate limit
*
* @param ip - The IP address to check
* @param ipConnectionsMap - Map of IPs to connection info
* @param rateLimit - Maximum connections per minute
* @returns Result with allowed status and reason if blocked
*/
export function checkConnectionRate(
ip: string,
ipConnectionsMap: Map<string, IIpConnectionInfo>,
rateLimit: number
): IIpValidationResult {
const now = Date.now();
const minute = 60 * 1000;
// Get or create connection info
if (!ipConnectionsMap.has(ip)) {
const info: IIpConnectionInfo = {
connections: new Set(),
timestamps: [now],
ipVariants: normalizeIP(ip)
};
ipConnectionsMap.set(ip, info);
return { allowed: true };
}
// Get timestamps and filter out entries older than 1 minute
const info = ipConnectionsMap.get(ip)!;
const timestamps = info.timestamps.filter(time => now - time < minute);
timestamps.push(now);
info.timestamps = timestamps;
// Check if rate exceeds limit
if (timestamps.length > rateLimit) {
return {
allowed: false,
reason: `Connection rate limit (${rateLimit}/min) exceeded`
};
}
return { allowed: true };
}
/**
* Track a connection for an IP
*
* @param ip - The IP address
* @param connectionId - The connection ID to track
* @param ipConnectionsMap - Map of IPs to connection info
*/
export function trackConnection(
ip: string,
connectionId: string,
ipConnectionsMap: Map<string, IIpConnectionInfo>
): void {
if (!ipConnectionsMap.has(ip)) {
ipConnectionsMap.set(ip, {
connections: new Set([connectionId]),
timestamps: [Date.now()],
ipVariants: normalizeIP(ip)
});
return;
}
const info = ipConnectionsMap.get(ip)!;
info.connections.add(connectionId);
}
/**
* Remove connection tracking for an IP
*
* @param ip - The IP address
* @param connectionId - The connection ID to remove
* @param ipConnectionsMap - Map of IPs to connection info
*/
export function removeConnection(
ip: string,
connectionId: string,
ipConnectionsMap: Map<string, IIpConnectionInfo>
): void {
if (!ipConnectionsMap.has(ip)) return;
const info = ipConnectionsMap.get(ip)!;
info.connections.delete(connectionId);
if (info.connections.size === 0) {
ipConnectionsMap.delete(ip);
}
}
/**
* Clean up expired rate limits
*
* @param rateLimits - Map of rate limits to clean up
* @param logger - Logger for debug messages
*/
export function cleanupExpiredRateLimits(
rateLimits: Map<string, Map<string, IRateLimitInfo>>,
logger?: ISecurityLogger
): void {
const now = Date.now();
let totalRemoved = 0;
for (const [routeId, routeLimits] of rateLimits.entries()) {
let removed = 0;
for (const [key, limit] of routeLimits.entries()) {
if (limit.expiry < now) {
routeLimits.delete(key);
removed++;
totalRemoved++;
}
}
if (removed > 0 && logger?.debug) {
logger.debug(`Cleaned up ${removed} expired rate limits for route ${routeId}`);
}
}
if (totalRemoved > 0 && logger?.info) {
logger.info(`Cleaned up ${totalRemoved} expired rate limits total`);
}
}
/**
* Generate basic auth header value from username and password
*
* @param username - The username
* @param password - The password
* @returns Base64 encoded basic auth string
*/
export function generateBasicAuthHeader(username: string, password: string): string {
return `Basic ${Buffer.from(`${username}:${password}`).toString('base64')}`;
}
/**
* Parse basic auth header
*
* @param authHeader - The Authorization header value
* @returns Username and password, or null if invalid
*/
export function parseBasicAuthHeader(
authHeader: string
): { username: string; password: string } | null {
if (!authHeader || !authHeader.startsWith('Basic ')) {
return null;
}
try {
const base64 = authHeader.slice(6); // Remove 'Basic '
const decoded = Buffer.from(base64, 'base64').toString();
const [username, password] = decoded.split(':');
if (!username || !password) {
return null;
}
return { username, password };
} catch (err) {
return null;
}
}

333
ts/core/utils/shared-security-manager.ts Normal file
View File

@ -0,0 +1,333 @@
import * as plugins from '../../plugins.js';
import type { IRouteConfig, IRouteContext } from '../../proxies/smart-proxy/models/route-types.js';
import type {
IIpValidationResult,
IIpConnectionInfo,
ISecurityLogger,
IRateLimitInfo
} from './security-utils.js';
import {
isIPAuthorized,
checkMaxConnections,
checkConnectionRate,
trackConnection,
removeConnection,
cleanupExpiredRateLimits,
parseBasicAuthHeader
} from './security-utils.js';
/**
* Shared SecurityManager for use across proxy components
* Handles IP tracking, rate limiting, and authentication
*/
export class SharedSecurityManager {
// IP connection tracking
private connectionsByIP: Map<string, IIpConnectionInfo> = new Map();
// Route-specific rate limiting
private rateLimits: Map<string, Map<string, IRateLimitInfo>> = new Map();
// Cache IP filtering results to avoid constant regex matching
private ipFilterCache: Map<string, Map<string, boolean>> = new Map();
// Default limits
private maxConnectionsPerIP: number;
private connectionRateLimitPerMinute: number;
// Cache cleanup interval
private cleanupInterval: NodeJS.Timeout | null = null;
/**
* Create a new SharedSecurityManager
*
* @param options - Configuration options
* @param logger - Logger instance
*/
constructor(options: {
maxConnectionsPerIP?: number;
connectionRateLimitPerMinute?: number;
cleanupIntervalMs?: number;
routes?: IRouteConfig[];
}, private logger?: ISecurityLogger) {
this.maxConnectionsPerIP = options.maxConnectionsPerIP || 100;
this.connectionRateLimitPerMinute = options.connectionRateLimitPerMinute || 300;
// Set up logger with defaults if not provided
this.logger = logger || {
info: console.log,
warn: console.warn,
error: console.error
};
// Set up cache cleanup interval
const cleanupInterval = options.cleanupIntervalMs || 60000; // Default: 1 minute
this.cleanupInterval = setInterval(() => {
this.cleanupCaches();
}, cleanupInterval);
// Don't keep the process alive just for cleanup
if (this.cleanupInterval.unref) {
this.cleanupInterval.unref();
}
}
/**
* Get connections count by IP
*
* @param ip - The IP address to check
* @returns Number of connections from this IP
*/
public getConnectionCountByIP(ip: string): number {
return this.connectionsByIP.get(ip)?.connections.size || 0;
}
/**
* Track connection by IP
*
* @param ip - The IP address to track
* @param connectionId - The connection ID to associate
*/
public trackConnectionByIP(ip: string, connectionId: string): void {
trackConnection(ip, connectionId, this.connectionsByIP);
}
/**
* Remove connection tracking for an IP
*
* @param ip - The IP address to update
* @param connectionId - The connection ID to remove
*/
public removeConnectionByIP(ip: string, connectionId: string): void {
removeConnection(ip, connectionId, this.connectionsByIP);
}
/**
* Check if IP is authorized based on route security settings
*
* @param ip - The IP address to check
* @param allowedIPs - List of allowed IP patterns
* @param blockedIPs - List of blocked IP patterns
* @returns Whether the IP is authorized
*/
public isIPAuthorized(
ip: string,
allowedIPs: string[] = ['*'],
blockedIPs: string[] = []
): boolean {
return isIPAuthorized(ip, allowedIPs, blockedIPs);
}
/**
* Validate IP against rate limits and connection limits
*
* @param ip - The IP address to validate
* @returns Result with allowed status and reason if blocked
*/
public validateIP(ip: string): IIpValidationResult {
// Check connection count limit
const connectionResult = checkMaxConnections(
ip,
this.connectionsByIP,
this.maxConnectionsPerIP
);
if (!connectionResult.allowed) {
return connectionResult;
}
// Check connection rate limit
const rateResult = checkConnectionRate(
ip,
this.connectionsByIP,
this.connectionRateLimitPerMinute
);
if (!rateResult.allowed) {
return rateResult;
}
return { allowed: true };
}
/**
* Check if a client is allowed to access a specific route
*
* @param route - The route to check
* @param context - The request context
* @returns Whether access is allowed
*/
public isAllowed(route: IRouteConfig, context: IRouteContext): boolean {
if (!route.security) {
return true; // No security restrictions
}
// --- IP filtering ---
if (!this.isClientIpAllowed(route, context.clientIp)) {
this.logger?.debug?.(`IP ${context.clientIp} is blocked for route ${route.name || 'unnamed'}`);
return false;
}
// --- Rate limiting ---
if (route.security.rateLimit?.enabled && !this.isWithinRateLimit(route, context)) {
this.logger?.debug?.(`Rate limit exceeded for route ${route.name || 'unnamed'}`);
return false;
}
return true;
}
/**
* Check if a client IP is allowed for a route
*
* @param route - The route to check
* @param clientIp - The client IP
* @returns Whether the IP is allowed
*/
private isClientIpAllowed(route: IRouteConfig, clientIp: string): boolean {
if (!route.security) {
return true; // No security restrictions
}
const routeId = route.id || route.name || 'unnamed';
// Check cache first
if (!this.ipFilterCache.has(routeId)) {
this.ipFilterCache.set(routeId, new Map());
}
const routeCache = this.ipFilterCache.get(routeId)!;
if (routeCache.has(clientIp)) {
return routeCache.get(clientIp)!;
}
// Check IP against route security settings
const ipAllowList = route.security.ipAllowList || route.security.allowedIps;
const ipBlockList = route.security.ipBlockList || route.security.blockedIps;
const allowed = this.isIPAuthorized(clientIp, ipAllowList, ipBlockList);
// Cache the result
routeCache.set(clientIp, allowed);
return allowed;
}
/**
* Check if request is within rate limit
*
* @param route - The route to check
* @param context - The request context
* @returns Whether the request is within rate limit
*/
private isWithinRateLimit(route: IRouteConfig, context: IRouteContext): boolean {
if (!route.security?.rateLimit?.enabled) {
return true;
}
const rateLimit = route.security.rateLimit;
const routeId = route.id || route.name || 'unnamed';
// Determine rate limit key (by IP, path, or header)
let key = context.clientIp; // Default to IP
if (rateLimit.keyBy === 'path' && context.path) {
key = `${context.clientIp}:${context.path}`;
} else if (rateLimit.keyBy === 'header' && rateLimit.headerName && context.headers) {
const headerValue = context.headers[rateLimit.headerName.toLowerCase()];
if (headerValue) {
key = `${context.clientIp}:${headerValue}`;
}
}
// Get or create rate limit tracking for this route
if (!this.rateLimits.has(routeId)) {
this.rateLimits.set(routeId, new Map());
}
const routeLimits = this.rateLimits.get(routeId)!;
const now = Date.now();
// Get or create rate limit tracking for this key
let limit = routeLimits.get(key);
if (!limit || limit.expiry < now) {
// Create new rate limit or reset expired one
limit = {
count: 1,
expiry: now + (rateLimit.window * 1000)
};
routeLimits.set(key, limit);
return true;
}
// Increment the counter
limit.count++;
// Check if rate limit is exceeded
return limit.count <= rateLimit.maxRequests;
}
/**
* Validate HTTP Basic Authentication
*
* @param route - The route to check
* @param authHeader - The Authorization header
* @returns Whether authentication is valid
*/
public validateBasicAuth(route: IRouteConfig, authHeader?: string): boolean {
// Skip if basic auth not enabled for route
if (!route.security?.basicAuth?.enabled) {
return true;
}
// No auth header means auth failed
if (!authHeader) {
return false;
}
// Parse auth header
const credentials = parseBasicAuthHeader(authHeader);
if (!credentials) {
return false;
}
// Check credentials against configured users
const { username, password } = credentials;
const users = route.security.basicAuth.users;
return users.some(user =>
user.username === username && user.password === password
);
}
/**
* Clean up caches to prevent memory leaks
*/
private cleanupCaches(): void {
// Clean up rate limits
cleanupExpiredRateLimits(this.rateLimits, this.logger);
// IP filter cache doesn't need cleanup (tied to routes)
}
/**
* Clear all IP tracking data (for shutdown)
*/
public clearIPTracking(): void {
this.connectionsByIP.clear();
this.rateLimits.clear();
this.ipFilterCache.clear();
if (this.cleanupInterval) {
clearInterval(this.cleanupInterval);
this.cleanupInterval = null;
}
}
/**
* Update routes for security checking
*
* @param routes - New routes to use
*/
public setRoutes(routes: IRouteConfig[]): void {
// Only clear the IP filter cache - route-specific
this.ipFilterCache.clear();
}
}

124
ts/core/utils/template-utils.ts Normal file
View File

@ -0,0 +1,124 @@
import type { IRouteContext } from '../models/route-context.js';
/**
* Utility class for resolving template variables in strings
*/
export class TemplateUtils {
/**
* Resolve template variables in a string using the route context
* Supports variables like {domain}, {path}, {clientIp}, etc.
*
* @param template The template string with {variables}
* @param context The route context with values
* @returns The resolved string
*/
public static resolveTemplateVariables(template: string, context: IRouteContext): string {
if (!template) {
return template;
}
// Replace variables with values from context
return template.replace(/\{([a-zA-Z0-9_\.]+)\}/g, (match, varName) => {
// Handle nested properties with dot notation (e.g., {headers.host})
if (varName.includes('.')) {
const parts = varName.split('.');
let current: any = context;
// Traverse nested object structure
for (const part of parts) {
if (current === undefined || current === null) {
return match; // Return original if path doesn't exist
}
current = current[part];
}
// Return the resolved value if it exists
if (current !== undefined && current !== null) {
return TemplateUtils.convertToString(current);
}
return match;
}
// Direct property access
const value = context[varName as keyof IRouteContext];
if (value === undefined) {
return match; // Keep the original {variable} if not found
}
// Convert value to string
return TemplateUtils.convertToString(value);
});
}
/**
* Safely convert a value to a string
*
* @param value Any value to convert to string
* @returns String representation or original match for complex objects
*/
private static convertToString(value: any): string {
if (value === null || value === undefined) {
return '';
}
if (typeof value === 'string') {
return value;
}
if (typeof value === 'number' || typeof value === 'boolean') {
return value.toString();
}
if (Array.isArray(value)) {
return value.join(',');
}
if (typeof value === 'object') {
try {
return JSON.stringify(value);
} catch (e) {
return '[Object]';
}
}
return String(value);
}
/**
* Resolve template variables in header values
*
* @param headers Header object with potential template variables
* @param context Route context for variable resolution
* @returns New header object with resolved values
*/
public static resolveHeaderTemplates(
headers: Record<string, string>,
context: IRouteContext
): Record<string, string> {
const result: Record<string, string> = {};
for (const [key, value] of Object.entries(headers)) {
// Skip special directive headers (starting with !)
if (value.startsWith('!')) {
result[key] = value;
continue;
}
// Resolve template variables in the header value
result[key] = TemplateUtils.resolveTemplateVariables(value, context);
}
return result;
}
/**
* Check if a string contains template variables
*
* @param str String to check for template variables
* @returns True if string contains template variables
*/
public static containsTemplateVariables(str: string): boolean {
return !!str && /\{([a-zA-Z0-9_\.]+)\}/g.test(str);
}
}

81
ts/core/utils/websocket-utils.ts Normal file
View File

@ -0,0 +1,81 @@
/**
* WebSocket utility functions
*/
/**
* Type for WebSocket RawData that can be different types in different environments
* This matches the ws library's type definition
*/
export type RawData = Buffer | ArrayBuffer | Buffer[] | any;
/**
* Get the length of a WebSocket message regardless of its type
* (handles all possible WebSocket message data types)
*
* @param data - The data message from WebSocket (could be any RawData type)
* @returns The length of the data in bytes
*/
export function getMessageSize(data: RawData): number {
if (typeof data === 'string') {
// For string data, get the byte length
return Buffer.from(data, 'utf8').length;
} else if (data instanceof Buffer) {
// For Node.js Buffer
return data.length;
} else if (data instanceof ArrayBuffer) {
// For ArrayBuffer
return data.byteLength;
} else if (Array.isArray(data)) {
// For array of buffers, sum their lengths
return data.reduce((sum, chunk) => {
if (chunk instanceof Buffer) {
return sum + chunk.length;
} else if (chunk instanceof ArrayBuffer) {
return sum + chunk.byteLength;
}
return sum;
}, 0);
} else {
// For other types, try to determine the size or return 0
try {
return Buffer.from(data).length;
} catch (e) {
console.warn('Could not determine message size', e);
return 0;
}
}
}
/**
* Convert any raw WebSocket data to Buffer for consistent handling
*
* @param data - The data message from WebSocket (could be any RawData type)
* @returns A Buffer containing the data
*/
export function toBuffer(data: RawData): Buffer {
if (typeof data === 'string') {
return Buffer.from(data, 'utf8');
} else if (data instanceof Buffer) {
return data;
} else if (data instanceof ArrayBuffer) {
return Buffer.from(data);
} else if (Array.isArray(data)) {
// For array of buffers, concatenate them
return Buffer.concat(data.map(chunk => {
if (chunk instanceof Buffer) {
return chunk;
} else if (chunk instanceof ArrayBuffer) {
return Buffer.from(chunk);
}
return Buffer.from(chunk);
}));
} else {
// For other types, try to convert to Buffer or return empty Buffer
try {
return Buffer.from(data);
} catch (e) {
console.warn('Could not convert message to Buffer', e);
return Buffer.alloc(0);
}
}
}

9
ts/http/router/index.ts
View File

@ -2,4 +2,11 @@
* HTTP routing
*/
export * from './proxy-router.js';
// Export selectively to avoid ambiguity between duplicate type names
export { ProxyRouter } from './proxy-router.js';
export type { IPathPatternConfig } from './proxy-router.js';
// Re-export the RouterResult and PathPatternConfig from proxy-router.js (legacy names maintained for compatibility)
export type { PathPatternConfig as ProxyPathPatternConfig, RouterResult as ProxyRouterResult } from './proxy-router.js';
export { RouteRouter } from './route-router.js';
export type { PathPatternConfig as RoutePathPatternConfig, RouterResult as RouteRouterResult } from './route-router.js';

482
ts/http/router/route-router.ts Normal file
View File

@ -0,0 +1,482 @@
import * as plugins from '../../plugins.js';
import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
import type { ILogger } from '../../proxies/network-proxy/models/types.js';
/**
* Optional path pattern configuration that can be added to proxy configs
*/
export interface PathPatternConfig {
pathPattern?: string;
}
/**
* Interface for router result with additional metadata
*/
export interface RouterResult {
route: IRouteConfig;
pathMatch?: string;
pathParams?: Record<string, string>;
pathRemainder?: string;
}
/**
* Router for HTTP reverse proxy requests based on route configurations
*
* Supports the following domain matching patterns:
* - Exact matches: "example.com"
* - Wildcard subdomains: "*.example.com" (matches any subdomain of example.com)
* - TLD wildcards: "example.*" (matches example.com, example.org, etc.)
* - Complex wildcards: "*.lossless*" (matches any subdomain of any lossless domain)
* - Default fallback: "*" (matches any unmatched domain)
*
* Also supports path pattern matching for each domain:
* - Exact path: "/api/users"
* - Wildcard paths: "/api/*"
* - Path parameters: "/users/:id/profile"
*/
export class RouteRouter {
// Store original routes for reference
private routes: IRouteConfig[] = [];
// Default route to use when no match is found (optional)
private defaultRoute?: IRouteConfig;
// Store path patterns separately since they're not in the original interface
private pathPatterns: Map<IRouteConfig, string> = new Map();
// Logger interface
private logger: ILogger;
constructor(
routes?: IRouteConfig[],
logger?: ILogger
) {
this.logger = logger || {
error: console.error,
warn: console.warn,
info: console.info,
debug: console.debug
};
if (routes) {
this.setRoutes(routes);
}
}
/**
* Sets a new set of routes to be routed to
* @param routes Array of route configurations
*/
public setRoutes(routes: IRouteConfig[]): void {
this.routes = [...routes];
// Sort routes by priority
this.routes.sort((a, b) => {
const priorityA = a.priority ?? 0;
const priorityB = b.priority ?? 0;
return priorityB - priorityA;
});
// Find default route if any (route with "*" as domain)
this.defaultRoute = this.routes.find(route => {
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
return domains.includes('*');
});
// Extract path patterns from route match.path
for (const route of this.routes) {
if (route.match.path) {
this.pathPatterns.set(route, route.match.path);
}
}
const uniqueDomains = this.getHostnames();
this.logger.info(`Router initialized with ${this.routes.length} routes (${uniqueDomains.length} unique hosts)`);
}
/**
* Routes a request based on hostname and path
* @param req The incoming HTTP request
* @returns The matching route or undefined if no match found
*/
public routeReq(req: plugins.http.IncomingMessage): IRouteConfig | undefined {
const result = this.routeReqWithDetails(req);
return result ? result.route : undefined;
}
/**
* Routes a request with detailed matching information
* @param req The incoming HTTP request
* @returns Detailed routing result including matched route and path information
*/
public routeReqWithDetails(req: plugins.http.IncomingMessage): RouterResult | undefined {
// Extract and validate host header
const originalHost = req.headers.host;
if (!originalHost) {
this.logger.error('No host header found in request');
return this.defaultRoute ? { route: this.defaultRoute } : undefined;
}
// Parse URL for path matching
const parsedUrl = plugins.url.parse(req.url || '/');
const urlPath = parsedUrl.pathname || '/';
// Extract hostname without port
const hostWithoutPort = originalHost.split(':')[0].toLowerCase();
// First try exact hostname match
const exactRoute = this.findRouteForHost(hostWithoutPort, urlPath);
if (exactRoute) {
return exactRoute;
}
// Try various wildcard patterns
if (hostWithoutPort.includes('.')) {
const domainParts = hostWithoutPort.split('.');
// Try wildcard subdomain (*.example.com)
if (domainParts.length > 2) {
const wildcardDomain = `*.${domainParts.slice(1).join('.')}`;
const wildcardRoute = this.findRouteForHost(wildcardDomain, urlPath);
if (wildcardRoute) {
return wildcardRoute;
}
}
// Try TLD wildcard (example.*)
const baseDomain = domainParts.slice(0, -1).join('.');
const tldWildcardDomain = `${baseDomain}.*`;
const tldWildcardRoute = this.findRouteForHost(tldWildcardDomain, urlPath);
if (tldWildcardRoute) {
return tldWildcardRoute;
}
// Try complex wildcard patterns
const wildcardPatterns = this.findWildcardMatches(hostWithoutPort);
for (const pattern of wildcardPatterns) {
const wildcardRoute = this.findRouteForHost(pattern, urlPath);
if (wildcardRoute) {
return wildcardRoute;
}
}
}
// Fall back to default route if available
if (this.defaultRoute) {
this.logger.warn(`No specific route found for host: ${hostWithoutPort}, using default`);
return { route: this.defaultRoute };
}
this.logger.error(`No route found for host: ${hostWithoutPort}`);
return undefined;
}
/**
* Find potential wildcard patterns that could match a given hostname
* Handles complex patterns like "*.lossless*" or other partial matches
* @param hostname The hostname to find wildcard matches for
* @returns Array of potential wildcard patterns that could match
*/
private findWildcardMatches(hostname: string): string[] {
const patterns: string[] = [];
// Find all routes with wildcard domains
for (const route of this.routes) {
if (!route.match.domains) continue;
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
// Filter to only wildcard domains
const wildcardDomains = domains.filter(domain => domain.includes('*'));
// Convert each wildcard domain to a regex pattern and check if it matches
for (const domain of wildcardDomains) {
// Skip the default wildcard '*'
if (domain === '*') continue;
// Skip already checked patterns (*.domain.com and domain.*)
if (domain.startsWith('*.') && domain.indexOf('*', 2) === -1) continue;
if (domain.endsWith('.*') && domain.indexOf('*') === domain.length - 1) continue;
// Convert wildcard pattern to regex
const regexPattern = domain
.replace(/\./g, '\\.') // Escape dots
.replace(/\*/g, '.*'); // Convert * to .* for regex
// Create regex object with case insensitive flag
const regex = new RegExp(`^${regexPattern}$`, 'i');
// If hostname matches this complex pattern, add it to the list
if (regex.test(hostname)) {
patterns.push(domain);
}
}
}
return patterns;
}
/**
* Find a route for a specific host and path
*/
private findRouteForHost(hostname: string, path: string): RouterResult | undefined {
// Find all routes for this hostname
const matchingRoutes = this.routes.filter(route => {
if (!route.match.domains) return false;
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
return domains.some(domain => domain.toLowerCase() === hostname.toLowerCase());
});
if (matchingRoutes.length === 0) {
return undefined;
}
// First try routes with path patterns
const routesWithPaths = matchingRoutes.filter(route => this.pathPatterns.has(route));
// Already sorted by priority during setRoutes
// Check each route with path pattern
for (const route of routesWithPaths) {
const pathPattern = this.pathPatterns.get(route);
if (pathPattern) {
const pathMatch = this.matchPath(path, pathPattern);
if (pathMatch) {
return {
route,
pathMatch: pathMatch.matched,
pathParams: pathMatch.params,
pathRemainder: pathMatch.remainder
};
}
}
}
// If no path pattern matched, use the first route without a path pattern
const routeWithoutPath = matchingRoutes.find(route => !this.pathPatterns.has(route));
if (routeWithoutPath) {
return { route: routeWithoutPath };
}
return undefined;
}
/**
* Matches a URL path against a pattern
* Supports:
* - Exact matches: /users/profile
* - Wildcards: /api/* (matches any path starting with /api/)
* - Path parameters: /users/:id (captures id as a parameter)
*
* @param path The URL path to match
* @param pattern The pattern to match against
* @returns Match result with params and remainder, or null if no match
*/
private matchPath(path: string, pattern: string): {
matched: string;
params: Record<string, string>;
remainder: string;
} | null {
// Handle exact match
if (path === pattern) {
return {
matched: pattern,
params: {},
remainder: ''
};
}
// Handle wildcard match
if (pattern.endsWith('/*')) {
const prefix = pattern.slice(0, -2);
if (path === prefix || path.startsWith(`${prefix}/`)) {
return {
matched: prefix,
params: {},
remainder: path.slice(prefix.length)
};
}
return null;
}
// Handle path parameters
const patternParts = pattern.split('/').filter(p => p);
const pathParts = path.split('/').filter(p => p);
// Too few path parts to match
if (pathParts.length < patternParts.length) {
return null;
}
const params: Record<string, string> = {};
// Compare each part
for (let i = 0; i < patternParts.length; i++) {
const patternPart = patternParts[i];
const pathPart = pathParts[i];
// Handle parameter
if (patternPart.startsWith(':')) {
const paramName = patternPart.slice(1);
params[paramName] = pathPart;
continue;
}
// Handle wildcard at the end
if (patternPart === '*' && i === patternParts.length - 1) {
break;
}
// Handle exact match for this part
if (patternPart !== pathPart) {
return null;
}
}
// Calculate the remainder - the unmatched path parts
const remainderParts = pathParts.slice(patternParts.length);
const remainder = remainderParts.length ? '/' + remainderParts.join('/') : '';
// Calculate the matched path
const matchedParts = patternParts.map((part, i) => {
return part.startsWith(':') ? pathParts[i] : part;
});
const matched = '/' + matchedParts.join('/');
return {
matched,
params,
remainder
};
}
/**
* Gets all currently active route configurations
* @returns Array of all active routes
*/
public getRoutes(): IRouteConfig[] {
return [...this.routes];
}
/**
* Gets all hostnames that this router is configured to handle
* @returns Array of hostnames
*/
public getHostnames(): string[] {
const hostnames = new Set<string>();
for (const route of this.routes) {
if (!route.match.domains) continue;
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
for (const domain of domains) {
if (domain !== '*') {
hostnames.add(domain.toLowerCase());
}
}
}
return Array.from(hostnames);
}
/**
* Adds a single new route configuration
* @param route The route configuration to add
*/
public addRoute(route: IRouteConfig): void {
this.routes.push(route);
// Store path pattern if present
if (route.match.path) {
this.pathPatterns.set(route, route.match.path);
}
// Re-sort routes by priority
this.routes.sort((a, b) => {
const priorityA = a.priority ?? 0;
const priorityB = b.priority ?? 0;
return priorityB - priorityA;
});
}
/**
* Removes routes by domain pattern
* @param domain The domain pattern to remove routes for
* @returns Boolean indicating whether any routes were removed
*/
public removeRoutesByDomain(domain: string): boolean {
const initialCount = this.routes.length;
// Find routes to remove
const routesToRemove = this.routes.filter(route => {
if (!route.match.domains) return false;
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
return domains.includes(domain);
});
// Remove them from the patterns map
for (const route of routesToRemove) {
this.pathPatterns.delete(route);
}
// Filter them out of the routes array
this.routes = this.routes.filter(route => {
if (!route.match.domains) return true;
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
return !domains.includes(domain);
});
return this.routes.length !== initialCount;
}
/**
* Legacy method for compatibility with ProxyRouter
* Converts IReverseProxyConfig to IRouteConfig and calls setRoutes
*
* @param configs Array of legacy proxy configurations
*/
public setNewProxyConfigs(configs: any[]): void {
// Convert legacy configs to routes and add them
const routes: IRouteConfig[] = configs.map(config => {
// Create a basic route configuration from the legacy config
return {
match: {
ports: config.destinationPorts[0], // Just use the first port
domains: config.hostName
},
action: {
type: 'forward',
target: {
host: config.destinationIps,
port: config.destinationPorts[0]
},
tls: {
mode: 'terminate',
certificate: {
key: config.privateKey,
cert: config.publicKey
}
}
},
name: `Legacy Config - ${config.hostName}`,
enabled: true
};
});
this.setRoutes(routes);
}
}

16
ts/index.ts
View File

@ -5,7 +5,13 @@
// Legacy exports (to maintain backward compatibility)
// Migrated to the new proxies structure
export * from './proxies/nftables-proxy/index.js';
export * from './proxies/network-proxy/index.js';
// Export NetworkProxy elements selectively to avoid RouteManager ambiguity
export { NetworkProxy, CertificateManager, ConnectionPool, RequestHandler, WebSocketHandler } from './proxies/network-proxy/index.js';
export type { IMetricsTracker, MetricsTracker } from './proxies/network-proxy/index.js';
export * from './proxies/network-proxy/models/index.js';
export { RouteManager as NetworkProxyRouteManager } from './proxies/network-proxy/models/types.js';
// Export port80handler elements selectively to avoid conflicts
export {
Port80Handler,
@ -17,7 +23,13 @@ export {
export { Port80HandlerEvents } from './certificate/events/certificate-events.js';
export * from './redirect/classes.redirect.js';
export * from './proxies/smart-proxy/index.js';
// Export SmartProxy elements selectively to avoid RouteManager ambiguity
export { SmartProxy, ConnectionManager, SecurityManager, TimeoutManager, TlsManager, NetworkProxyBridge, RouteConnectionHandler } from './proxies/smart-proxy/index.js';
export { RouteManager } from './proxies/smart-proxy/route-manager.js';
export * from './proxies/smart-proxy/models/index.js';
export * from './proxies/smart-proxy/utils/index.js';
// Original: export * from './smartproxy/classes.pp.snihandler.js'
// Now we export from the new module
export { SniHandler } from './tls/sni/sni-handler.js';

15
ts/proxies/index.ts
View File

@ -2,7 +2,16 @@
* Proxy implementations module
*/
// Export submodules
export * from './smart-proxy/index.js';
export * from './network-proxy/index.js';
// Export NetworkProxy with selective imports to avoid RouteManager ambiguity
export { NetworkProxy, CertificateManager, ConnectionPool, RequestHandler, WebSocketHandler } from './network-proxy/index.js';
export type { IMetricsTracker, MetricsTracker } from './network-proxy/index.js';
export * from './network-proxy/models/index.js';
// Export SmartProxy with selective imports to avoid RouteManager ambiguity
export { SmartProxy, ConnectionManager, SecurityManager, TimeoutManager, TlsManager, NetworkProxyBridge, RouteConnectionHandler } from './smart-proxy/index.js';
export { RouteManager as SmartProxyRouteManager } from './smart-proxy/route-manager.js';
export * from './smart-proxy/utils/index.js';
export * from './smart-proxy/models/index.js';
// Export NFTables proxy (no conflicts)
export * from './nftables-proxy/index.js';

124
ts/proxies/network-proxy/certificate-manager.ts
View File

@ -8,6 +8,7 @@ import { CertificateEvents } from '../../certificate/events/certificate-events.j
import { buildPort80Handler } from '../../certificate/acme/acme-factory.js';
import { subscribeToPort80Handler } from '../../core/utils/event-utils.js';
import type { IDomainOptions } from '../../certificate/models/certificate-types.js';
import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
/**
* Manages SSL certificates for NetworkProxy including ACME integration
@ -91,7 +92,7 @@ export class CertificateManager {
public setExternalPort80Handler(handler: Port80Handler): void {
if (this.port80Handler && !this.externalPort80Handler) {
this.logger.warn('Replacing existing internal Port80Handler with external handler');
// Clean up existing handler if needed
if (this.port80Handler !== handler) {
// Unregister event handlers to avoid memory leaks
@ -101,11 +102,11 @@ export class CertificateManager {
this.port80Handler.removeAllListeners(CertificateEvents.CERTIFICATE_EXPIRING);
}
}
// Set the external handler
this.port80Handler = handler;
this.externalPort80Handler = true;
// Subscribe to Port80Handler events
subscribeToPort80Handler(this.port80Handler, {
onCertificateIssued: this.handleCertificateIssued.bind(this),
@ -115,17 +116,40 @@ export class CertificateManager {
this.logger.info(`Certificate for ${data.domain} expires in ${data.daysRemaining} days`);
}
});
this.logger.info('External Port80Handler connected to CertificateManager');
// Register domains with Port80Handler if we have any certificates cached
if (this.certificateCache.size > 0) {
const domains = Array.from(this.certificateCache.keys())
.filter(domain => !domain.includes('*')); // Skip wildcard domains
this.registerDomainsWithPort80Handler(domains);
}
}
/**
* Update route configurations managed by this certificate manager
* This method is called when route configurations change
*
* @param routes Array of route configurations
*/
public updateRouteConfigs(routes: IRouteConfig[]): void {
if (!this.port80Handler) {
this.logger.warn('Cannot update routes - Port80Handler is not initialized');
return;
}
// Register domains from routes with Port80Handler
this.registerRoutesWithPort80Handler(routes);
// Process individual routes for certificate requirements
for (const route of routes) {
this.processRouteForCertificates(route);
}
this.logger.info(`Updated certificate management for ${routes.length} routes`);
}
/**
* Handle newly issued or renewed certificates from Port80Handler
@ -317,20 +341,21 @@ export class CertificateManager {
/**
* Registers domains with Port80Handler for ACME certificate management
* @param domains String array of domains to register
*/
public registerDomainsWithPort80Handler(domains: string[]): void {
if (!this.port80Handler) {
this.logger.warn('Port80Handler is not initialized');
return;
}
for (const domain of domains) {
// Skip wildcard domains - can't get certs for these with HTTP-01 validation
if (domain.includes('*')) {
this.logger.info(`Skipping wildcard domain for ACME: ${domain}`);
continue;
}
// Skip domains already with certificates if configured to do so
if (this.options.acme?.skipConfiguredCerts) {
const cachedCert = this.certificateCache.get(domain);
@ -339,18 +364,97 @@ export class CertificateManager {
continue;
}
}
// Register the domain for certificate issuance with new domain options format
const domainOptions: IDomainOptions = {
domainName: domain,
sslRedirect: true,
acmeMaintenance: true
};
this.port80Handler.addDomain(domainOptions);
this.logger.info(`Registered domain for ACME certificate issuance: ${domain}`);
}
}
/**
* Extract domains from route configurations and register with Port80Handler
* This method enables direct integration with route-based configuration
*
* @param routes Array of route configurations
*/
public registerRoutesWithPort80Handler(routes: IRouteConfig[]): void {
if (!this.port80Handler) {
this.logger.warn('Port80Handler is not initialized');
return;
}
// Extract domains from route configurations
const domains: Set<string> = new Set();
for (const route of routes) {
// Skip disabled routes
if (route.enabled === false) {
continue;
}
// Skip routes without HTTPS termination
if (route.action.type !== 'forward' || route.action.tls?.mode !== 'terminate') {
continue;
}
// Extract domains from match criteria
if (route.match.domains) {
if (typeof route.match.domains === 'string') {
domains.add(route.match.domains);
} else if (Array.isArray(route.match.domains)) {
for (const domain of route.match.domains) {
domains.add(domain);
}
}
}
}
// Register extracted domains
this.registerDomainsWithPort80Handler(Array.from(domains));
}
/**
* Process a route config to determine if it requires automatic certificate provisioning
* @param route Route configuration to process
*/
public processRouteForCertificates(route: IRouteConfig): void {
// Skip disabled routes
if (route.enabled === false) {
return;
}
// Skip routes without HTTPS termination or auto certificate
if (route.action.type !== 'forward' ||
route.action.tls?.mode !== 'terminate' ||
route.action.tls?.certificate !== 'auto') {
return;
}
// Extract domains from match criteria
const domains: string[] = [];
if (route.match.domains) {
if (typeof route.match.domains === 'string') {
domains.push(route.match.domains);
} else if (Array.isArray(route.match.domains)) {
domains.push(...route.match.domains);
}
}
// Request certificates for the domains
for (const domain of domains) {
if (!domain.includes('*')) { // Skip wildcard domains
this.requestCertificate(domain).catch(err => {
this.logger.error(`Error requesting certificate for domain ${domain}:`, err);
});
}
}
}
/**
* Initialize internal Port80Handler

145
ts/proxies/network-proxy/context-creator.ts Normal file
View File

@ -0,0 +1,145 @@
import * as plugins from '../../plugins.js';
import '../../core/models/socket-augmentation.js';
import type { IRouteContext, IHttpRouteContext, IHttp2RouteContext } from '../../core/models/route-context.js';
/**
* Context creator for NetworkProxy
* Creates route contexts for matching and function evaluation
*/
export class ContextCreator {
/**
* Create a route context from HTTP request information
*/
public createHttpRouteContext(req: any, options: {
tlsVersion?: string;
connectionId: string;
clientIp: string;
serverIp: string;
}): IHttpRouteContext {
// Parse headers
const headers: Record<string, string> = {};
for (const [key, value] of Object.entries(req.headers)) {
if (typeof value === 'string') {
headers[key.toLowerCase()] = value;
} else if (Array.isArray(value) && value.length > 0) {
headers[key.toLowerCase()] = value[0];
}
}
// Parse domain from Host header
const domain = headers['host']?.split(':')[0] || '';
// Parse URL
const url = new URL(`http://${domain}${req.url || '/'}`);
return {
// Connection basics
port: req.socket.localPort || 0,
domain,
clientIp: options.clientIp,
serverIp: options.serverIp,
// HTTP specifics
path: url.pathname,
query: url.search ? url.search.substring(1) : '',
headers,
// TLS information
isTls: !!req.socket.encrypted,
tlsVersion: options.tlsVersion,
// Request objects
req,
// Metadata
timestamp: Date.now(),
connectionId: options.connectionId
};
}
/**
* Create a route context from HTTP/2 stream and headers
*/
public createHttp2RouteContext(
stream: plugins.http2.ServerHttp2Stream,
headers: plugins.http2.IncomingHttpHeaders,
options: {
connectionId: string;
clientIp: string;
serverIp: string;
}
): IHttp2RouteContext {
// Parse headers, excluding HTTP/2 pseudo-headers
const processedHeaders: Record<string, string> = {};
for (const [key, value] of Object.entries(headers)) {
if (!key.startsWith(':') && typeof value === 'string') {
processedHeaders[key.toLowerCase()] = value;
}
}
// Get domain from :authority pseudo-header
const authority = headers[':authority'] as string || '';
const domain = authority.split(':')[0];
// Get path from :path pseudo-header
const path = headers[':path'] as string || '/';
// Parse the path to extract query string
const pathParts = path.split('?');
const pathname = pathParts[0];
const query = pathParts.length > 1 ? pathParts[1] : '';
// Get the socket from the session
const socket = (stream.session as any)?.socket;
return {
// Connection basics
port: socket?.localPort || 0,
domain,
clientIp: options.clientIp,
serverIp: options.serverIp,
// HTTP specifics
path: pathname,
query,
headers: processedHeaders,
// HTTP/2 specific properties
method: headers[':method'] as string,
stream,
// TLS information - HTTP/2 is always on TLS in browsers
isTls: true,
tlsVersion: socket?.getTLSVersion?.() || 'TLSv1.3',
// Metadata
timestamp: Date.now(),
connectionId: options.connectionId
};
}
/**
* Create a basic route context from socket information
*/
public createSocketRouteContext(socket: plugins.net.Socket, options: {
domain?: string;
tlsVersion?: string;
connectionId: string;
}): IRouteContext {
return {
// Connection basics
port: socket.localPort || 0,
domain: options.domain,
clientIp: socket.remoteAddress?.replace('::ffff:', '') || '0.0.0.0',
serverIp: socket.localAddress?.replace('::ffff:', '') || '0.0.0.0',
// TLS information
isTls: options.tlsVersion !== undefined,
tlsVersion: options.tlsVersion,
// Metadata
timestamp: Date.now(),
connectionId: options.connectionId
};
}
}

259
ts/proxies/network-proxy/function-cache.ts Normal file
View File

@ -0,0 +1,259 @@
import type { IRouteContext } from '../../core/models/route-context.js';
import type { ILogger } from './models/types.js';
/**
* Interface for cached function result
*/
interface ICachedResult<T> {
value: T;
expiry: number;
hash: string;
}
/**
* Function cache for NetworkProxy function-based targets
*
* This cache improves performance for function-based targets by storing
* the results of function evaluations and reusing them for similar contexts.
*/
export class FunctionCache {
// Cache storage
private hostCache: Map<string, ICachedResult<string | string[]>> = new Map();
private portCache: Map<string, ICachedResult<number>> = new Map();
// Maximum number of entries to store in each cache
private maxCacheSize: number;
// Default TTL for cache entries in milliseconds (default: 5 seconds)
private defaultTtl: number;
// Logger
private logger: ILogger;
/**
* Creates a new function cache
*
* @param logger Logger for debug output
* @param options Cache options
*/
constructor(
logger: ILogger,
options: {
maxCacheSize?: number;
defaultTtl?: number;
} = {}
) {
this.logger = logger;
this.maxCacheSize = options.maxCacheSize || 1000;
this.defaultTtl = options.defaultTtl || 5000; // 5 seconds default
// Start the cache cleanup timer
setInterval(() => this.cleanupCache(), 30000); // Cleanup every 30 seconds
}
/**
* Compute a hash for a context object
* This is used to identify similar contexts for caching
*
* @param context The route context to hash
* @param functionId Identifier for the function (usually route name or ID)
* @returns A string hash
*/
private computeContextHash(context: IRouteContext, functionId: string): string {
// Extract relevant properties for the hash
const hashBase = {
functionId,
port: context.port,
domain: context.domain,
clientIp: context.clientIp,
path: context.path,
query: context.query,
isTls: context.isTls,
tlsVersion: context.tlsVersion
};
// Generate a hash string
return JSON.stringify(hashBase);
}
/**
* Get cached host result for a function and context
*
* @param context Route context
* @param functionId Identifier for the function
* @returns Cached host value or undefined if not found
*/
public getCachedHost(context: IRouteContext, functionId: string): string | string[] | undefined {
const hash = this.computeContextHash(context, functionId);
const cached = this.hostCache.get(hash);
// Return if no cached value or expired
if (!cached || cached.expiry < Date.now()) {
if (cached) {
// If expired, remove from cache
this.hostCache.delete(hash);
this.logger.debug(`Cache miss (expired) for host function: ${functionId}`);
} else {
this.logger.debug(`Cache miss for host function: ${functionId}`);
}
return undefined;
}
this.logger.debug(`Cache hit for host function: ${functionId}`);
return cached.value;
}
/**
* Get cached port result for a function and context
*
* @param context Route context
* @param functionId Identifier for the function
* @returns Cached port value or undefined if not found
*/
public getCachedPort(context: IRouteContext, functionId: string): number | undefined {
const hash = this.computeContextHash(context, functionId);
const cached = this.portCache.get(hash);
// Return if no cached value or expired
if (!cached || cached.expiry < Date.now()) {
if (cached) {
// If expired, remove from cache
this.portCache.delete(hash);
this.logger.debug(`Cache miss (expired) for port function: ${functionId}`);
} else {
this.logger.debug(`Cache miss for port function: ${functionId}`);
}
return undefined;
}
this.logger.debug(`Cache hit for port function: ${functionId}`);
return cached.value;
}
/**
* Store a host function result in the cache
*
* @param context Route context
* @param functionId Identifier for the function
* @param value Host value to cache
* @param ttl Optional TTL in milliseconds
*/
public cacheHost(
context: IRouteContext,
functionId: string,
value: string | string[],
ttl?: number
): void {
const hash = this.computeContextHash(context, functionId);
const expiry = Date.now() + (ttl || this.defaultTtl);
// Check if we need to prune the cache before adding
if (this.hostCache.size >= this.maxCacheSize) {
this.pruneOldestEntries(this.hostCache);
}
// Store the result
this.hostCache.set(hash, { value, expiry, hash });
this.logger.debug(`Cached host function result for: ${functionId}`);
}
/**
* Store a port function result in the cache
*
* @param context Route context
* @param functionId Identifier for the function
* @param value Port value to cache
* @param ttl Optional TTL in milliseconds
*/
public cachePort(
context: IRouteContext,
functionId: string,
value: number,
ttl?: number
): void {
const hash = this.computeContextHash(context, functionId);
const expiry = Date.now() + (ttl || this.defaultTtl);
// Check if we need to prune the cache before adding
if (this.portCache.size >= this.maxCacheSize) {
this.pruneOldestEntries(this.portCache);
}
// Store the result
this.portCache.set(hash, { value, expiry, hash });
this.logger.debug(`Cached port function result for: ${functionId}`);
}
/**
* Remove expired entries from the cache
*/
private cleanupCache(): void {
const now = Date.now();
let expiredCount = 0;
// Clean up host cache
for (const [hash, cached] of this.hostCache.entries()) {
if (cached.expiry < now) {
this.hostCache.delete(hash);
expiredCount++;
}
}
// Clean up port cache
for (const [hash, cached] of this.portCache.entries()) {
if (cached.expiry < now) {
this.portCache.delete(hash);
expiredCount++;
}
}
if (expiredCount > 0) {
this.logger.debug(`Cleaned up ${expiredCount} expired cache entries`);
}
}
/**
* Prune oldest entries from a cache map
* Used when the cache exceeds the maximum size
*
* @param cache The cache map to prune
*/
private pruneOldestEntries<T>(cache: Map<string, ICachedResult<T>>): void {
// Find the oldest entries
const now = Date.now();
const itemsToRemove = Math.floor(this.maxCacheSize * 0.2); // Remove 20% of the cache
// Convert to array for sorting
const entries = Array.from(cache.entries());
// Sort by expiry (oldest first)
entries.sort((a, b) => a[1].expiry - b[1].expiry);
// Remove oldest entries
const toRemove = entries.slice(0, itemsToRemove);
for (const [hash] of toRemove) {
cache.delete(hash);
}
this.logger.debug(`Pruned ${toRemove.length} oldest cache entries`);
}
/**
* Get current cache stats
*/
public getStats(): { hostCacheSize: number; portCacheSize: number } {
return {
hostCacheSize: this.hostCache.size,
portCacheSize: this.portCache.size
};
}
/**
* Clear all cached entries
*/
public clearCache(): void {
this.hostCache.clear();
this.portCache.clear();
this.logger.info('Function cache cleared');
}
}

330
ts/proxies/network-proxy/http-request-handler.ts Normal file
View File

@ -0,0 +1,330 @@
import * as plugins from '../../plugins.js';
import '../../core/models/socket-augmentation.js';
import type { IHttpRouteContext, IRouteContext } from '../../core/models/route-context.js';
import type { ILogger } from './models/types.js';
import type { IMetricsTracker } from './request-handler.js';
import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
import { TemplateUtils } from '../../core/utils/template-utils.js';
/**
* HTTP Request Handler Helper - handles requests with specific destinations
* This is a helper class for the main RequestHandler
*/
export class HttpRequestHandler {
/**
* Handle HTTP request with a specific destination
*/
public static async handleHttpRequestWithDestination(
req: plugins.http.IncomingMessage,
res: plugins.http.ServerResponse,
destination: { host: string, port: number },
routeContext: IHttpRouteContext,
startTime: number,
logger: ILogger,
metricsTracker?: IMetricsTracker | null,
route?: IRouteConfig
): Promise<void> {
try {
// Apply URL rewriting if route config is provided
if (route) {
HttpRequestHandler.applyUrlRewriting(req, route, routeContext, logger);
HttpRequestHandler.applyRouteHeaderModifications(route, req, res, logger);
}
// Create options for the proxy request
const options: plugins.http.RequestOptions = {
hostname: destination.host,
port: destination.port,
path: req.url,
method: req.method,
headers: { ...req.headers }
};
// Optionally rewrite host header to match target
if (options.headers && options.headers.host) {
// Only apply if host header rewrite is enabled or not explicitly disabled
const shouldRewriteHost = route?.action.options?.rewriteHostHeader !== false;
if (shouldRewriteHost) {
options.headers.host = `${destination.host}:${destination.port}`;
}
}
logger.debug(
`Proxying request to ${destination.host}:${destination.port}${req.url}`,
{ method: req.method }
);
// Create proxy request
const proxyReq = plugins.http.request(options, (proxyRes) => {
// Copy status code
res.statusCode = proxyRes.statusCode || 500;
// Copy headers from proxy response to client response
for (const [key, value] of Object.entries(proxyRes.headers)) {
if (value !== undefined) {
res.setHeader(key, value);
}
}
// Apply response header modifications if route config is provided
if (route && route.headers?.response) {
HttpRequestHandler.applyResponseHeaderModifications(route, res, logger, routeContext);
}
// Pipe proxy response to client response
proxyRes.pipe(res);
// Increment served requests counter when the response finishes
res.on('finish', () => {
if (metricsTracker) {
metricsTracker.incrementRequestsServed();
}
// Log the completed request
const duration = Date.now() - startTime;
logger.debug(
`Request completed in ${duration}ms: ${req.method} ${req.url} ${res.statusCode}`,
{ duration, statusCode: res.statusCode }
);
});
});
// Handle proxy request errors
proxyReq.on('error', (error) => {
const duration = Date.now() - startTime;
logger.error(
`Proxy error for ${req.method} ${req.url}: ${error.message}`,
{ duration, error: error.message }
);
// Increment failed requests counter
if (metricsTracker) {
metricsTracker.incrementFailedRequests();
}
// Check if headers have already been sent
if (!res.headersSent) {
res.statusCode = 502;
res.end(`Bad Gateway: ${error.message}`);
} else {
// If headers already sent, just close the connection
res.end();
}
});
// Pipe request body to proxy request and handle client-side errors
req.pipe(proxyReq);
// Handle client disconnection
req.on('error', (error) => {
logger.debug(`Client connection error: ${error.message}`);
proxyReq.destroy();
// Increment failed requests counter on client errors
if (metricsTracker) {
metricsTracker.incrementFailedRequests();
}
});
// Handle response errors
res.on('error', (error) => {
logger.debug(`Response error: ${error.message}`);
proxyReq.destroy();
// Increment failed requests counter on response errors
if (metricsTracker) {
metricsTracker.incrementFailedRequests();
}
});
} catch (error) {
// Handle any unexpected errors
logger.error(
`Unexpected error handling request: ${error.message}`,
{ error: error.stack }
);
// Increment failed requests counter
if (metricsTracker) {
metricsTracker.incrementFailedRequests();
}
if (!res.headersSent) {
res.statusCode = 500;
res.end('Internal Server Error');
} else {
res.end();
}
}
}
/**
* Apply URL rewriting based on route configuration
* Implements Phase 5.2: URL rewriting using route context
*
* @param req The request with the URL to rewrite
* @param route The route configuration containing rewrite rules
* @param routeContext Context for template variable resolution
* @param logger Logger for debugging information
* @returns True if URL was rewritten, false otherwise
*/
private static applyUrlRewriting(
req: plugins.http.IncomingMessage,
route: IRouteConfig,
routeContext: IHttpRouteContext,
logger: ILogger
): boolean {
// Check if route has URL rewriting configuration
if (!route.action.advanced?.urlRewrite) {
return false;
}
const rewriteConfig = route.action.advanced.urlRewrite;
// Store original URL for logging
const originalUrl = req.url;
if (rewriteConfig.pattern && rewriteConfig.target) {
try {
// Create a RegExp from the pattern with optional flags
const regex = new RegExp(rewriteConfig.pattern, rewriteConfig.flags || '');
// Apply rewriting with template variable resolution
let target = rewriteConfig.target;
// Replace template variables in target with values from context
target = TemplateUtils.resolveTemplateVariables(target, routeContext);
// If onlyRewritePath is set, split URL into path and query parts
if (rewriteConfig.onlyRewritePath && req.url) {
const [path, query] = req.url.split('?');
const rewrittenPath = path.replace(regex, target);
req.url = query ? `${rewrittenPath}?${query}` : rewrittenPath;
} else {
// Perform the replacement on the entire URL
req.url = req.url?.replace(regex, target);
}
logger.debug(`URL rewritten: ${originalUrl} -> ${req.url}`);
return true;
} catch (err) {
logger.error(`Error in URL rewriting: ${err}`);
return false;
}
}
return false;
}
/**
* Apply header modifications from route configuration to request headers
* Implements Phase 5.1: Route-based header manipulation for requests
*/
private static applyRouteHeaderModifications(
route: IRouteConfig,
req: plugins.http.IncomingMessage,
res: plugins.http.ServerResponse,
logger: ILogger
): void {
// Check if route has header modifications
if (!route.headers) {
return;
}
// Apply request header modifications (these will be sent to the backend)
if (route.headers.request && req.headers) {
// Create routing context for template resolution
const routeContext: IRouteContext = {
domain: req.headers.host as string || '',
path: req.url || '',
clientIp: req.socket.remoteAddress?.replace('::ffff:', '') || '',
serverIp: req.socket.localAddress?.replace('::ffff:', '') || '',
port: parseInt(req.socket.localPort?.toString() || '0', 10),
isTls: !!req.socket.encrypted,
headers: req.headers as Record<string, string>,
timestamp: Date.now(),
connectionId: `${Date.now()}-${Math.floor(Math.random() * 10000)}`,
};
for (const [key, value] of Object.entries(route.headers.request)) {
// Skip if header already exists and we're not overriding
if (req.headers[key.toLowerCase()] && !value.startsWith('!')) {
continue;
}
// Handle special delete directive (!delete)
if (value === '!delete') {
delete req.headers[key.toLowerCase()];
logger.debug(`Deleted request header: ${key}`);
continue;
}
// Handle forced override (!value)
let finalValue: string;
if (value.startsWith('!')) {
// Keep the ! but resolve any templates in the rest
const templateValue = value.substring(1);
finalValue = '!' + TemplateUtils.resolveTemplateVariables(templateValue, routeContext);
} else {
// Resolve templates in the entire value
finalValue = TemplateUtils.resolveTemplateVariables(value, routeContext);
}
// Set the header
req.headers[key.toLowerCase()] = finalValue;
logger.debug(`Modified request header: ${key}=${finalValue}`);
}
}
}
/**
* Apply header modifications from route configuration to response headers
* Implements Phase 5.1: Route-based header manipulation for responses
*/
private static applyResponseHeaderModifications(
route: IRouteConfig,
res: plugins.http.ServerResponse,
logger: ILogger,
routeContext?: IRouteContext
): void {
// Check if route has response header modifications
if (!route.headers?.response) {
return;
}
// Apply response header modifications
for (const [key, value] of Object.entries(route.headers.response)) {
// Skip if header already exists and we're not overriding
if (res.hasHeader(key) && !value.startsWith('!')) {
continue;
}
// Handle special delete directive (!delete)
if (value === '!delete') {
res.removeHeader(key);
logger.debug(`Deleted response header: ${key}`);
continue;
}
// Handle forced override (!value)
let finalValue: string;
if (value.startsWith('!') && value !== '!delete') {
// Keep the ! but resolve any templates in the rest
const templateValue = value.substring(1);
finalValue = routeContext
? '!' + TemplateUtils.resolveTemplateVariables(templateValue, routeContext)
: '!' + templateValue;
} else {
// Resolve templates in the entire value
finalValue = routeContext
? TemplateUtils.resolveTemplateVariables(value, routeContext)
: value;
}
// Set the header
res.setHeader(key, finalValue);
logger.debug(`Modified response header: ${key}=${finalValue}`);
}
}
// Template resolution is now handled by the TemplateUtils class
}

255
ts/proxies/network-proxy/http2-request-handler.ts Normal file
View File

@ -0,0 +1,255 @@
import * as plugins from '../../plugins.js';
import type { IHttpRouteContext } from '../../core/models/route-context.js';
import type { ILogger } from './models/types.js';
import type { IMetricsTracker } from './request-handler.js';
/**
* HTTP/2 Request Handler Helper - handles HTTP/2 streams with specific destinations
* This is a helper class for the main RequestHandler
*/
export class Http2RequestHandler {
/**
* Handle HTTP/2 stream with direct HTTP/2 backend
*/
public static async handleHttp2WithHttp2Destination(
stream: plugins.http2.ServerHttp2Stream,
headers: plugins.http2.IncomingHttpHeaders,
destination: { host: string, port: number },
routeContext: IHttpRouteContext,
sessions: Map<string, plugins.http2.ClientHttp2Session>,
logger: ILogger,
metricsTracker?: IMetricsTracker | null
): Promise<void> {
const key = `${destination.host}:${destination.port}`;
// Get or create a client HTTP/2 session
let session = sessions.get(key);
if (!session || session.closed || (session as any).destroyed) {
try {
// Connect to the backend HTTP/2 server
session = plugins.http2.connect(`http://${destination.host}:${destination.port}`);
sessions.set(key, session);
// Handle session errors and cleanup
session.on('error', (err) => {
logger.error(`HTTP/2 session error to ${key}: ${err.message}`);
sessions.delete(key);
});
session.on('close', () => {
logger.debug(`HTTP/2 session closed to ${key}`);
sessions.delete(key);
});
} catch (err) {
logger.error(`Failed to establish HTTP/2 session to ${key}: ${err.message}`);
stream.respond({ ':status': 502 });
stream.end('Bad Gateway: Failed to establish connection to backend');
if (metricsTracker) metricsTracker.incrementFailedRequests();
return;
}
}
try {
// Build headers for backend HTTP/2 request
const h2Headers: Record<string, any> = {
':method': headers[':method'],
':path': headers[':path'],
':authority': `${destination.host}:${destination.port}`
};
// Copy other headers, excluding pseudo-headers
for (const [key, value] of Object.entries(headers)) {
if (!key.startsWith(':') && typeof value === 'string') {
h2Headers[key] = value;
}
}
logger.debug(
`Proxying HTTP/2 request to ${destination.host}:${destination.port}${headers[':path']}`,
{ method: headers[':method'] }
);
// Create HTTP/2 request stream to the backend
const h2Stream = session.request(h2Headers);
// Pipe client stream to backend stream
stream.pipe(h2Stream);
// Handle responses from the backend
h2Stream.on('response', (responseHeaders) => {
// Map status and headers to client response
const resp: Record<string, any> = {
':status': responseHeaders[':status'] as number
};
// Copy non-pseudo headers
for (const [key, value] of Object.entries(responseHeaders)) {
if (!key.startsWith(':') && value !== undefined) {
resp[key] = value;
}
}
// Send headers to client
stream.respond(resp);
// Pipe backend response to client
h2Stream.pipe(stream);
// Track successful requests
stream.on('end', () => {
if (metricsTracker) metricsTracker.incrementRequestsServed();
logger.debug(
`HTTP/2 request completed: ${headers[':method']} ${headers[':path']} ${responseHeaders[':status']}`,
{ method: headers[':method'], status: responseHeaders[':status'] }
);
});
});
// Handle backend errors
h2Stream.on('error', (err) => {
logger.error(`HTTP/2 stream error: ${err.message}`);
// Only send error response if headers haven't been sent
if (!stream.headersSent) {
stream.respond({ ':status': 502 });
stream.end(`Bad Gateway: ${err.message}`);
} else {
stream.end();
}
if (metricsTracker) metricsTracker.incrementFailedRequests();
});
// Handle client stream errors
stream.on('error', (err) => {
logger.debug(`Client HTTP/2 stream error: ${err.message}`);
h2Stream.destroy();
if (metricsTracker) metricsTracker.incrementFailedRequests();
});
} catch (err: any) {
logger.error(`Error handling HTTP/2 request: ${err.message}`);
// Only send error response if headers haven't been sent
if (!stream.headersSent) {
stream.respond({ ':status': 500 });
stream.end('Internal Server Error');
} else {
stream.end();
}
if (metricsTracker) metricsTracker.incrementFailedRequests();
}
}
/**
* Handle HTTP/2 stream with HTTP/1 backend
*/
public static async handleHttp2WithHttp1Destination(
stream: plugins.http2.ServerHttp2Stream,
headers: plugins.http2.IncomingHttpHeaders,
destination: { host: string, port: number },
routeContext: IHttpRouteContext,
logger: ILogger,
metricsTracker?: IMetricsTracker | null
): Promise<void> {
try {
// Build headers for HTTP/1 proxy request, excluding HTTP/2 pseudo-headers
const outboundHeaders: Record<string, string> = {};
for (const [key, value] of Object.entries(headers)) {
if (typeof key === 'string' && typeof value === 'string' && !key.startsWith(':')) {
outboundHeaders[key] = value;
}
}
// Always rewrite host header to match target
outboundHeaders.host = `${destination.host}:${destination.port}`;
logger.debug(
`Proxying HTTP/2 request to HTTP/1 backend ${destination.host}:${destination.port}${headers[':path']}`,
{ method: headers[':method'] }
);
// Create HTTP/1 proxy request
const proxyReq = plugins.http.request(
{
hostname: destination.host,
port: destination.port,
path: headers[':path'] as string,
method: headers[':method'] as string,
headers: outboundHeaders
},
(proxyRes) => {
// Map status and headers back to HTTP/2
const responseHeaders: Record<string, number | string | string[]> = {
':status': proxyRes.statusCode || 500
};
// Copy headers from HTTP/1 response to HTTP/2 response
for (const [key, value] of Object.entries(proxyRes.headers)) {
if (value !== undefined) {
responseHeaders[key] = value as string | string[];
}
}
// Send headers to client
stream.respond(responseHeaders);
// Pipe HTTP/1 response to HTTP/2 stream
proxyRes.pipe(stream);
// Clean up when client disconnects
stream.on('close', () => proxyReq.destroy());
stream.on('error', () => proxyReq.destroy());
// Track successful requests
stream.on('end', () => {
if (metricsTracker) metricsTracker.incrementRequestsServed();
logger.debug(
`HTTP/2 to HTTP/1 request completed: ${headers[':method']} ${headers[':path']} ${proxyRes.statusCode}`,
{ method: headers[':method'], status: proxyRes.statusCode }
);
});
}
);
// Handle proxy request errors
proxyReq.on('error', (err) => {
logger.error(`HTTP/1 proxy error: ${err.message}`);
// Only send error response if headers haven't been sent
if (!stream.headersSent) {
stream.respond({ ':status': 502 });
stream.end(`Bad Gateway: ${err.message}`);
} else {
stream.end();
}
if (metricsTracker) metricsTracker.incrementFailedRequests();
});
// Pipe client stream to proxy request
stream.pipe(proxyReq);
// Handle client stream errors
stream.on('error', (err) => {
logger.debug(`Client HTTP/2 stream error: ${err.message}`);
proxyReq.destroy();
if (metricsTracker) metricsTracker.incrementFailedRequests();
});
} catch (err: any) {
logger.error(`Error handling HTTP/2 to HTTP/1 request: ${err.message}`);
// Only send error response if headers haven't been sent
if (!stream.headersSent) {
stream.respond({ ':status': 500 });
stream.end('Internal Server Error');
} else {
stream.end();
}
if (metricsTracker) metricsTracker.incrementFailedRequests();
}
}
}

255
ts/proxies/network-proxy/models/types.ts
View File

@ -1,5 +1,7 @@
import * as plugins from '../../../plugins.js';
import type { IAcmeOptions } from '../../../certificate/models/certificate-types.js';
import type { IRouteConfig } from '../../smart-proxy/models/route-types.js';
import type { IRouteContext } from '../../../core/models/route-context.js';
/**
* Configuration options for NetworkProxy
@ -24,8 +26,15 @@ export interface INetworkProxyOptions {
// Protocol to use when proxying to backends: HTTP/1.x or HTTP/2
backendProtocol?: 'http1' | 'http2';
// Function cache options
functionCacheSize?: number; // Maximum number of cached function results (default: 1000)
functionCacheTtl?: number; // Time to live for cached function results in ms (default: 5000)
// ACME certificate management options
acme?: IAcmeOptions;
// Direct route configurations
routes?: IRouteConfig[];
}
/**
@ -38,20 +47,39 @@ export interface ICertificateEntry {
}
/**
* Interface for reverse proxy configuration
* @deprecated Use IRouteConfig instead. This interface will be removed in a future release.
*
* IMPORTANT: This is a legacy interface maintained only for backward compatibility.
* New code should use IRouteConfig for all configuration purposes.
*
* @see IRouteConfig for the modern, recommended configuration format
*/
export interface IReverseProxyConfig {
/** Target hostnames/IPs to proxy requests to */
destinationIps: string[];
/** Target ports to proxy requests to */
destinationPorts: number[];
/** Hostname to match for routing */
hostName: string;
/** SSL private key for this host (PEM format) */
privateKey: string;
/** SSL public key/certificate for this host (PEM format) */
publicKey: string;
/** Basic authentication configuration */
authentication?: {
type: 'Basic';
user: string;
pass: string;
};
/** Whether to rewrite the Host header to match the target */
rewriteHostHeader?: boolean;
/**
* Protocol to use when proxying to this backend: 'http1' or 'http2'.
* Overrides the global backendProtocol option if set.
@ -59,6 +87,231 @@ export interface IReverseProxyConfig {
backendProtocol?: 'http1' | 'http2';
}
/**
* Convert a legacy IReverseProxyConfig to the modern IRouteConfig format
*
* @deprecated This function is maintained for backward compatibility.
* New code should create IRouteConfig objects directly.
*
* @param legacyConfig The legacy configuration to convert
* @param proxyPort The port the proxy listens on
* @returns A modern route configuration equivalent to the legacy config
*/
export function convertLegacyConfigToRouteConfig(
legacyConfig: IReverseProxyConfig,
proxyPort: number
): IRouteConfig {
// Create basic route configuration
const routeConfig: IRouteConfig = {
// Match properties
match: {
ports: proxyPort,
domains: legacyConfig.hostName
},
// Action properties
action: {
type: 'forward',
target: {
host: legacyConfig.destinationIps,
port: legacyConfig.destinationPorts[0]
},
// TLS mode is always 'terminate' for legacy configs
tls: {
mode: 'terminate',
certificate: {
key: legacyConfig.privateKey,
cert: legacyConfig.publicKey
}
},
// Advanced options
advanced: {
// Rewrite host header if specified
headers: legacyConfig.rewriteHostHeader ? { 'host': '{domain}' } : {}
}
},
// Metadata
name: `Legacy Config - ${legacyConfig.hostName}`,
priority: 0, // Default priority
enabled: true
};
// Add authentication if present
if (legacyConfig.authentication) {
routeConfig.action.security = {
authentication: {
type: 'basic',
credentials: [{
username: legacyConfig.authentication.user,
password: legacyConfig.authentication.pass
}]
}
};
}
// Add backend protocol if specified
if (legacyConfig.backendProtocol) {
if (!routeConfig.action.options) {
routeConfig.action.options = {};
}
routeConfig.action.options.backendProtocol = legacyConfig.backendProtocol;
}
return routeConfig;
}
/**
* Route manager for NetworkProxy
* Handles route matching and configuration
*/
export class RouteManager {
private routes: IRouteConfig[] = [];
private logger: ILogger;
constructor(logger: ILogger) {
this.logger = logger;
}
/**
* Update the routes configuration
*/
public updateRoutes(routes: IRouteConfig[]): void {
// Sort routes by priority (higher first)
this.routes = [...routes].sort((a, b) => {
const priorityA = a.priority ?? 0;
const priorityB = b.priority ?? 0;
return priorityB - priorityA;
});
this.logger.info(`Updated RouteManager with ${this.routes.length} routes`);
}
/**
* Get all routes
*/
public getRoutes(): IRouteConfig[] {
return [...this.routes];
}
/**
* Find the first matching route for a context
*/
public findMatchingRoute(context: IRouteContext): IRouteConfig | null {
for (const route of this.routes) {
if (this.matchesRoute(route, context)) {
return route;
}
}
return null;
}
/**
* Check if a route matches the given context
*/
private matchesRoute(route: IRouteConfig, context: IRouteContext): boolean {
// Skip disabled routes
if (route.enabled === false) {
return false;
}
// Check domain match if specified
if (route.match.domains && context.domain) {
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
if (!domains.some(domainPattern => this.matchDomain(domainPattern, context.domain!))) {
return false;
}
}
// Check path match if specified
if (route.match.path && context.path) {
if (!this.matchPath(route.match.path, context.path)) {
return false;
}
}
// Check client IP match if specified
if (route.match.clientIp && context.clientIp) {
if (!route.match.clientIp.some(ip => this.matchIp(ip, context.clientIp))) {
return false;
}
}
// Check TLS version match if specified
if (route.match.tlsVersion && context.tlsVersion) {
if (!route.match.tlsVersion.includes(context.tlsVersion)) {
return false;
}
}
// All criteria matched
return true;
}
/**
* Match a domain pattern against a domain
*/
private matchDomain(pattern: string, domain: string): boolean {
if (pattern === domain) {
return true;
}
if (pattern.includes('*')) {
const regexPattern = pattern
.replace(/\./g, '\\.')
.replace(/\*/g, '.*');
const regex = new RegExp(`^${regexPattern}$`, 'i');
return regex.test(domain);
}
return false;
}
/**
* Match a path pattern against a path
*/
private matchPath(pattern: string, path: string): boolean {
if (pattern === path) {
return true;
}
if (pattern.endsWith('*')) {
const prefix = pattern.slice(0, -1);
return path.startsWith(prefix);
}
return false;
}
/**
* Match an IP pattern against an IP
*/
private matchIp(pattern: string, ip: string): boolean {
if (pattern === ip) {
return true;
}
if (pattern.includes('*')) {
const regexPattern = pattern
.replace(/\./g, '\\.')
.replace(/\*/g, '.*');
const regex = new RegExp(`^${regexPattern}$`);
return regex.test(ip);
}
// TODO: Implement CIDR matching
return false;
}
}
/**
* Interface for connection tracking in the pool
*/

331
ts/proxies/network-proxy/network-proxy.ts
View File

@ -1,18 +1,25 @@
import * as plugins from '../../plugins.js';
import {
createLogger
createLogger,
RouteManager,
convertLegacyConfigToRouteConfig
} from './models/types.js';
import type {
INetworkProxyOptions,
ILogger,
IReverseProxyConfig
} from './models/types.js';
import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
import type { IRouteContext, IHttpRouteContext } from '../../core/models/route-context.js';
import { createBaseRouteContext } from '../../core/models/route-context.js';
import { CertificateManager } from './certificate-manager.js';
import { ConnectionPool } from './connection-pool.js';
import { RequestHandler, type IMetricsTracker } from './request-handler.js';
import { WebSocketHandler } from './websocket-handler.js';
import { ProxyRouter } from '../../http/router/index.js';
import { RouteRouter } from '../../http/router/route-router.js';
import { Port80Handler } from '../../http/port80/port80-handler.js';
import { FunctionCache } from './function-cache.js';
/**
* NetworkProxy provides a reverse proxy with TLS termination, WebSocket support,
@ -25,17 +32,20 @@ export class NetworkProxy implements IMetricsTracker {
}
// Configuration
public options: INetworkProxyOptions;
public proxyConfigs: IReverseProxyConfig[] = [];
public routes: IRouteConfig[] = [];
// Server instances (HTTP/2 with HTTP/1 fallback)
public httpsServer: any;
// Core components
private certificateManager: CertificateManager;
private connectionPool: ConnectionPool;
private requestHandler: RequestHandler;
private webSocketHandler: WebSocketHandler;
private router = new ProxyRouter();
private legacyRouter = new ProxyRouter(); // Legacy router for backward compatibility
private router = new RouteRouter(); // New modern router
private routeManager: RouteManager;
private functionCache: FunctionCache;
// State tracking
public socketMap = new plugins.lik.ObjectMap<plugins.net.Socket>();
@ -94,15 +104,41 @@ export class NetworkProxy implements IMetricsTracker {
// Initialize logger
this.logger = createLogger(this.options.logLevel);
// Initialize components
// Initialize route manager
this.routeManager = new RouteManager(this.logger);
// Initialize function cache
this.functionCache = new FunctionCache(this.logger, {
maxCacheSize: this.options.functionCacheSize || 1000,
defaultTtl: this.options.functionCacheTtl || 5000
});
// Initialize other components
this.certificateManager = new CertificateManager(this.options);
this.connectionPool = new ConnectionPool(this.options);
this.requestHandler = new RequestHandler(this.options, this.connectionPool, this.router);
this.webSocketHandler = new WebSocketHandler(this.options, this.connectionPool, this.router);
this.requestHandler = new RequestHandler(
this.options,
this.connectionPool,
this.legacyRouter, // Still use legacy router for backward compatibility
this.routeManager,
this.functionCache,
this.router // Pass the new modern router as well
);
this.webSocketHandler = new WebSocketHandler(
this.options,
this.connectionPool,
this.legacyRouter,
this.routes // Pass current routes to WebSocketHandler
);
// Connect request handler to this metrics tracker
this.requestHandler.setMetricsTracker(this);
// Initialize with any provided routes
if (this.options.routes && this.options.routes.length > 0) {
this.updateRouteConfigs(this.options.routes);
}
}
/**
@ -171,7 +207,8 @@ export class NetworkProxy implements IMetricsTracker {
connectionPoolSize: this.connectionPool.getPoolStatus(),
uptime: Math.floor((Date.now() - this.startTime) / 1000),
memoryUsage: process.memoryUsage(),
activeWebSockets: this.webSocketHandler.getConnectionInfo().activeConnections
activeWebSockets: this.webSocketHandler.getConnectionInfo().activeConnections,
functionCache: this.functionCache.getStats()
};
}
@ -325,58 +362,159 @@ export class NetworkProxy implements IMetricsTracker {
}
/**
* Updates proxy configurations
* Updates the route configurations - this is the primary method for configuring NetworkProxy
* @param routes The new route configurations to use
*/
public async updateProxyConfigs(
proxyConfigsArg: IReverseProxyConfig[]
): Promise<void> {
this.logger.info(`Updating proxy configurations (${proxyConfigsArg.length} configs)`);
// Update internal configs
this.proxyConfigs = proxyConfigsArg;
this.router.setNewProxyConfigs(proxyConfigsArg);
// Collect all hostnames for cleanup later
const currentHostNames = new Set<string>();
// Add/update SSL contexts for each host
for (const config of proxyConfigsArg) {
currentHostNames.add(config.hostName);
try {
// Update certificate in cache
this.certificateManager.updateCertificateCache(
config.hostName,
config.publicKey,
config.privateKey
);
this.activeContexts.add(config.hostName);
} catch (error) {
this.logger.error(`Failed to add SSL context for ${config.hostName}`, error);
public async updateRouteConfigs(routes: IRouteConfig[]): Promise<void> {
this.logger.info(`Updating route configurations (${routes.length} routes)`);
// Update routes in RouteManager, modern router, WebSocketHandler, and SecurityManager
this.routeManager.updateRoutes(routes);
this.router.setRoutes(routes);
this.webSocketHandler.setRoutes(routes);
this.requestHandler.securityManager.setRoutes(routes);
this.routes = routes;
// Directly update the certificate manager with the new routes
// This will extract domains and handle certificate provisioning
this.certificateManager.updateRouteConfigs(routes);
// Collect all domains and certificates for configuration
const currentHostnames = new Set<string>();
const certificateUpdates = new Map<string, { cert: string, key: string }>();
// Process each route to extract domain and certificate information
for (const route of routes) {
// Skip non-forward routes or routes without domains
if (route.action.type !== 'forward' || !route.match.domains) {
continue;
}
// Get domains from route
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
// Process each domain
for (const domain of domains) {
// Skip wildcard domains for direct host configuration
if (domain.includes('*')) {
continue;
}
currentHostnames.add(domain);
// Check if we have a static certificate for this domain
if (route.action.tls?.certificate && route.action.tls.certificate !== 'auto') {
certificateUpdates.set(domain, {
cert: route.action.tls.certificate.cert,
key: route.action.tls.certificate.key
});
}
}
}
// Update certificate cache with any static certificates
for (const [domain, certData] of certificateUpdates.entries()) {
try {
this.certificateManager.updateCertificateCache(
domain,
certData.cert,
certData.key
);
this.activeContexts.add(domain);
} catch (error) {
this.logger.error(`Failed to add SSL context for ${domain}`, error);
}
}
// Clean up removed contexts
for (const hostname of this.activeContexts) {
if (!currentHostNames.has(hostname)) {
if (!currentHostnames.has(hostname)) {
this.logger.info(`Hostname ${hostname} removed from configuration`);
this.activeContexts.delete(hostname);
}
}
// Register domains with Port80Handler if available
const domainsForACME = Array.from(currentHostNames)
.filter(domain => !domain.includes('*')); // Skip wildcard domains
this.certificateManager.registerDomainsWithPort80Handler(domainsForACME);
// Create legacy proxy configs for the router
// This is only needed for backward compatibility with ProxyRouter
// and will be removed in the future
const legacyConfigs: IReverseProxyConfig[] = [];
for (const domain of currentHostnames) {
// Find route for this domain
const route = routes.find(r => {
const domains = Array.isArray(r.match.domains) ? r.match.domains : [r.match.domains];
return domains.includes(domain);
});
if (!route || route.action.type !== 'forward' || !route.action.target) {
continue;
}
// Skip routes with function-based targets - we'll handle them during request processing
if (typeof route.action.target.host === 'function' || typeof route.action.target.port === 'function') {
this.logger.info(`Domain ${domain} uses function-based targets - will be handled at request time`);
continue;
}
// Extract static target information
const targetHosts = Array.isArray(route.action.target.host)
? route.action.target.host
: [route.action.target.host];
const targetPort = route.action.target.port;
// Get certificate information
const certData = certificateUpdates.get(domain);
const defaultCerts = this.certificateManager.getDefaultCertificates();
legacyConfigs.push({
hostName: domain,
destinationIps: targetHosts,
destinationPorts: [targetPort],
privateKey: certData?.key || defaultCerts.key,
publicKey: certData?.cert || defaultCerts.cert
});
}
// Update the router with legacy configs
// Handle both old and new router interfaces
if (typeof this.router.setRoutes === 'function') {
this.router.setRoutes(routes);
} else if (typeof this.router.setNewProxyConfigs === 'function') {
this.router.setNewProxyConfigs(legacyConfigs);
} else {
this.logger.warn('Router has no recognized configuration method');
}
this.logger.info(`Route configuration updated with ${routes.length} routes and ${legacyConfigs.length} proxy configs`);
}
/**
* @deprecated Use updateRouteConfigs instead
* Legacy method for updating proxy configurations using IReverseProxyConfig
* This method is maintained for backward compatibility
*/
public async updateProxyConfigs(
proxyConfigsArg: IReverseProxyConfig[]
): Promise<void> {
this.logger.info(`Converting ${proxyConfigsArg.length} legacy configs to route configs`);
// Convert legacy configs to route configs
const routes: IRouteConfig[] = proxyConfigsArg.map(config =>
convertLegacyConfigToRouteConfig(config, this.options.port)
);
// Use the primary method
return this.updateRouteConfigs(routes);
}
/**
* @deprecated Use route-based configuration instead
* Converts SmartProxy domain configurations to NetworkProxy configs
* @param domainConfigs SmartProxy domain configs
* @param sslKeyPair Default SSL key pair to use if not specified
* @returns Array of NetworkProxy configs
* This method is maintained for backward compatibility
*/
public convertSmartProxyConfigs(
domainConfigs: Array<{
@ -386,13 +524,15 @@ export class NetworkProxy implements IMetricsTracker {
}>,
sslKeyPair?: { key: string; cert: string }
): IReverseProxyConfig[] {
this.logger.warn('convertSmartProxyConfigs is deprecated - use route-based configuration instead');
const proxyConfigs: IReverseProxyConfig[] = [];
// Use default certificates if not provided
const defaultCerts = this.certificateManager.getDefaultCertificates();
const sslKey = sslKeyPair?.key || defaultCerts.key;
const sslCert = sslKeyPair?.cert || defaultCerts.cert;
for (const domainConfig of domainConfigs) {
// Each domain in the domains array gets its own config
for (const domain of domainConfig.domains) {
@ -400,7 +540,7 @@ export class NetworkProxy implements IMetricsTracker {
if (domain.match(/^\d+\.\d+\.\d+\.\d+$/) || domain === '*' || domain === 'localhost') {
continue;
}
proxyConfigs.push({
hostName: domain,
destinationIps: domainConfig.targetIPs || ['localhost'],
@ -410,7 +550,7 @@ export class NetworkProxy implements IMetricsTracker {
});
}
}
this.logger.info(`Converted ${domainConfigs.length} SmartProxy configs to ${proxyConfigs.length} NetworkProxy configs`);
return proxyConfigs;
}
@ -474,11 +614,90 @@ export class NetworkProxy implements IMetricsTracker {
public async requestCertificate(domain: string): Promise<boolean> {
return this.certificateManager.requestCertificate(domain);
}
/**
* Update certificate for a domain
*
* This method allows direct updates of certificates from external sources
* like Port80Handler or custom certificate providers.
*
* @param domain The domain to update certificate for
* @param certificate The new certificate (public key)
* @param privateKey The new private key
* @param expiryDate Optional expiry date
*/
public updateCertificate(
domain: string,
certificate: string,
privateKey: string,
expiryDate?: Date
): void {
this.logger.info(`Updating certificate for ${domain}`);
this.certificateManager.updateCertificateCache(domain, certificate, privateKey, expiryDate);
}
/**
* Gets all proxy configurations currently in use
* Gets all route configurations currently in use
*/
public getRouteConfigs(): IRouteConfig[] {
return this.routeManager.getRoutes();
}
/**
* @deprecated Use getRouteConfigs instead
* Gets all proxy configurations currently in use in the legacy format
* This method is maintained for backward compatibility
*/
public getProxyConfigs(): IReverseProxyConfig[] {
return [...this.proxyConfigs];
this.logger.warn('getProxyConfigs is deprecated - use getRouteConfigs instead');
// Create legacy proxy configs from our route configurations
const legacyConfigs: IReverseProxyConfig[] = [];
const currentRoutes = this.routeManager.getRoutes();
for (const route of currentRoutes) {
// Skip non-forward routes or routes without domains
if (route.action.type !== 'forward' || !route.match.domains || !route.action.target) {
continue;
}
// Skip routes with function-based targets
if (typeof route.action.target.host === 'function' || typeof route.action.target.port === 'function') {
continue;
}
// Get domains
const domains = Array.isArray(route.match.domains)
? route.match.domains.filter(d => !d.includes('*'))
: route.match.domains.includes('*') ? [] : [route.match.domains];
// Get certificate
let privateKey = '';
let publicKey = '';
if (route.action.tls?.certificate && route.action.tls.certificate !== 'auto') {
privateKey = route.action.tls.certificate.key;
publicKey = route.action.tls.certificate.cert;
} else {
const defaultCerts = this.certificateManager.getDefaultCertificates();
privateKey = defaultCerts.key;
publicKey = defaultCerts.cert;
}
// Create legacy config for each domain
for (const domain of domains) {
legacyConfigs.push({
hostName: domain,
destinationIps: Array.isArray(route.action.target.host)
? route.action.target.host
: [route.action.target.host],
destinationPorts: [route.action.target.port],
privateKey,
publicKey
});
}
}
return legacyConfigs;
}
}

810
ts/proxies/network-proxy/request-handler.ts
View File

@ -1,7 +1,22 @@
import * as plugins from '../../plugins.js';
import { type INetworkProxyOptions, type ILogger, createLogger, type IReverseProxyConfig } from './models/types.js';
import '../../core/models/socket-augmentation.js';
import {
type INetworkProxyOptions,
type ILogger,
createLogger,
type IReverseProxyConfig,
RouteManager
} from './models/types.js';
import { ConnectionPool } from './connection-pool.js';
import { ProxyRouter } from '../../http/router/index.js';
import { ContextCreator } from './context-creator.js';
import { HttpRequestHandler } from './http-request-handler.js';
import { Http2RequestHandler } from './http2-request-handler.js';
import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
import type { IRouteContext, IHttpRouteContext } from '../../core/models/route-context.js';
import { toBaseContext } from '../../core/models/route-context.js';
import { TemplateUtils } from '../../core/utils/template-utils.js';
import { SecurityManager } from './security-manager.js';
/**
* Interface for tracking metrics
@ -24,12 +39,34 @@ export class RequestHandler {
// HTTP/2 client sessions for backend proxying
private h2Sessions: Map<string, plugins.http2.ClientHttp2Session> = new Map();
// Context creator for route contexts
private contextCreator: ContextCreator = new ContextCreator();
// Security manager for IP filtering, rate limiting, etc.
public securityManager: SecurityManager;
constructor(
private options: INetworkProxyOptions,
private connectionPool: ConnectionPool,
private router: ProxyRouter
private legacyRouter: ProxyRouter, // Legacy router for backward compatibility
private routeManager?: RouteManager,
private functionCache?: any, // FunctionCache - using any to avoid circular dependency
private router?: any // RouteRouter - using any to avoid circular dependency
) {
this.logger = createLogger(options.logLevel || 'info');
this.securityManager = new SecurityManager(this.logger);
// Schedule rate limit cleanup every minute
setInterval(() => {
this.securityManager.cleanupExpiredRateLimits();
}, 60000);
}
/**
* Set the route manager instance
*/
public setRouteManager(routeManager: RouteManager): void {
this.routeManager = routeManager;
}
/**
@ -59,39 +96,104 @@ export class RequestHandler {
/**
* Apply CORS headers to response if configured
* Implements Phase 5.5: Context-aware CORS handling
*
* @param res The server response to apply headers to
* @param req The incoming request
* @param route Optional route config with CORS settings
*/
private applyCorsHeaders(
res: plugins.http.ServerResponse,
req: plugins.http.IncomingMessage
res: plugins.http.ServerResponse,
req: plugins.http.IncomingMessage,
route?: IRouteConfig
): void {
if (!this.options.cors) {
// Use route-specific CORS config if available, otherwise use global config
let corsConfig: any = null;
// Route CORS config takes precedence if enabled
if (route?.headers?.cors?.enabled) {
corsConfig = route.headers.cors;
this.logger.debug(`Using route-specific CORS config for ${route.name || 'unnamed route'}`);
}
// Fall back to global CORS config if available
else if (this.options.cors) {
corsConfig = this.options.cors;
this.logger.debug('Using global CORS config');
}
// If no CORS config available, skip
if (!corsConfig) {
return;
}
// Apply CORS headers
if (this.options.cors.allowOrigin) {
res.setHeader('Access-Control-Allow-Origin', this.options.cors.allowOrigin);
// Get origin from request
const origin = req.headers.origin;
// Apply Allow-Origin (with dynamic validation if needed)
if (corsConfig.allowOrigin) {
// Handle multiple origins in array format
if (Array.isArray(corsConfig.allowOrigin)) {
if (origin && corsConfig.allowOrigin.includes(origin)) {
// Match found, set specific origin
res.setHeader('Access-Control-Allow-Origin', origin);
res.setHeader('Vary', 'Origin'); // Important for caching
} else if (corsConfig.allowOrigin.includes('*')) {
// Wildcard match
res.setHeader('Access-Control-Allow-Origin', '*');
}
}
// Handle single origin or wildcard
else if (corsConfig.allowOrigin === '*') {
res.setHeader('Access-Control-Allow-Origin', '*');
}
// Match single origin against request
else if (origin && corsConfig.allowOrigin === origin) {
res.setHeader('Access-Control-Allow-Origin', origin);
res.setHeader('Vary', 'Origin');
}
// Use template variables if present
else if (origin && corsConfig.allowOrigin.includes('{')) {
const resolvedOrigin = TemplateUtils.resolveTemplateVariables(
corsConfig.allowOrigin,
{ domain: req.headers.host } as any
);
if (resolvedOrigin === origin || resolvedOrigin === '*') {
res.setHeader('Access-Control-Allow-Origin', origin);
res.setHeader('Vary', 'Origin');
}
}
}
if (this.options.cors.allowMethods) {
res.setHeader('Access-Control-Allow-Methods', this.options.cors.allowMethods);
// Apply other CORS headers
if (corsConfig.allowMethods) {
res.setHeader('Access-Control-Allow-Methods', corsConfig.allowMethods);
}
if (this.options.cors.allowHeaders) {
res.setHeader('Access-Control-Allow-Headers', this.options.cors.allowHeaders);
if (corsConfig.allowHeaders) {
res.setHeader('Access-Control-Allow-Headers', corsConfig.allowHeaders);
}
if (this.options.cors.maxAge) {
res.setHeader('Access-Control-Max-Age', this.options.cors.maxAge.toString());
if (corsConfig.allowCredentials) {
res.setHeader('Access-Control-Allow-Credentials', 'true');
}
// Handle CORS preflight requests
if (req.method === 'OPTIONS') {
if (corsConfig.exposeHeaders) {
res.setHeader('Access-Control-Expose-Headers', corsConfig.exposeHeaders);
}
if (corsConfig.maxAge) {
res.setHeader('Access-Control-Max-Age', corsConfig.maxAge.toString());
}
// Handle CORS preflight requests if enabled (default: true)
if (req.method === 'OPTIONS' && corsConfig.preflight !== false) {
res.statusCode = 204; // No content
res.end();
return;
}
}
// First implementation of applyRouteHeaderModifications moved to the second implementation below
/**
* Apply default headers to response
@ -103,12 +205,147 @@ export class RequestHandler {
res.setHeader(key, value);
}
}
// Add server identifier if not already set
if (!res.hasHeader('Server')) {
res.setHeader('Server', 'NetworkProxy');
}
}
/**
* Apply URL rewriting based on route configuration
* Implements Phase 5.2: URL rewriting using route context
*
* @param req The request with the URL to rewrite
* @param route The route configuration containing rewrite rules
* @param routeContext Context for template variable resolution
* @returns True if URL was rewritten, false otherwise
*/
private applyUrlRewriting(
req: plugins.http.IncomingMessage,
route: IRouteConfig,
routeContext: IHttpRouteContext
): boolean {
// Check if route has URL rewriting configuration
if (!route.action.advanced?.urlRewrite) {
return false;
}
const rewriteConfig = route.action.advanced.urlRewrite;
// Store original URL for logging
const originalUrl = req.url;
if (rewriteConfig.pattern && rewriteConfig.target) {
try {
// Create a RegExp from the pattern
const regex = new RegExp(rewriteConfig.pattern, rewriteConfig.flags || '');
// Apply rewriting with template variable resolution
let target = rewriteConfig.target;
// Replace template variables in target with values from context
target = TemplateUtils.resolveTemplateVariables(target, routeContext);
// If onlyRewritePath is set, split URL into path and query parts
if (rewriteConfig.onlyRewritePath && req.url) {
const [path, query] = req.url.split('?');
const rewrittenPath = path.replace(regex, target);
req.url = query ? `${rewrittenPath}?${query}` : rewrittenPath;
} else {
// Perform the replacement on the entire URL
req.url = req.url?.replace(regex, target);
}
this.logger.debug(`URL rewritten: ${originalUrl} -> ${req.url}`);
return true;
} catch (err) {
this.logger.error(`Error in URL rewriting: ${err}`);
return false;
}
}
return false;
}
/**
* Apply header modifications from route configuration
* Implements Phase 5.1: Route-based header manipulation
*/
private applyRouteHeaderModifications(
route: IRouteConfig,
req: plugins.http.IncomingMessage,
res: plugins.http.ServerResponse
): void {
// Check if route has header modifications
if (!route.headers) {
return;
}
// Apply request header modifications (these will be sent to the backend)
if (route.headers.request && req.headers) {
for (const [key, value] of Object.entries(route.headers.request)) {
// Skip if header already exists and we're not overriding
if (req.headers[key.toLowerCase()] && !value.startsWith('!')) {
continue;
}
// Handle special delete directive (!delete)
if (value === '!delete') {
delete req.headers[key.toLowerCase()];
this.logger.debug(`Deleted request header: ${key}`);
continue;
}
// Handle forced override (!value)
let finalValue: string;
if (value.startsWith('!') && value !== '!delete') {
// Keep the ! but resolve any templates in the rest
const templateValue = value.substring(1);
finalValue = '!' + TemplateUtils.resolveTemplateVariables(templateValue, {} as IRouteContext);
} else {
// Resolve templates in the entire value
finalValue = TemplateUtils.resolveTemplateVariables(value, {} as IRouteContext);
}
// Set the header
req.headers[key.toLowerCase()] = finalValue;
this.logger.debug(`Modified request header: ${key}=${finalValue}`);
}
}
// Apply response header modifications (these will be stored for later use)
if (route.headers.response) {
for (const [key, value] of Object.entries(route.headers.response)) {
// Skip if header already exists and we're not overriding
if (res.hasHeader(key) && !value.startsWith('!')) {
continue;
}
// Handle special delete directive (!delete)
if (value === '!delete') {
res.removeHeader(key);
this.logger.debug(`Deleted response header: ${key}`);
continue;
}
// Handle forced override (!value)
let finalValue: string;
if (value.startsWith('!') && value !== '!delete') {
// Keep the ! but resolve any templates in the rest
const templateValue = value.substring(1);
finalValue = '!' + TemplateUtils.resolveTemplateVariables(templateValue, {} as IRouteContext);
} else {
// Resolve templates in the entire value
finalValue = TemplateUtils.resolveTemplateVariables(value, {} as IRouteContext);
}
// Set the header
res.setHeader(key, finalValue);
this.logger.debug(`Modified response header: ${key}=${finalValue}`);
}
}
}
/**
* Handle an HTTP request
@ -119,10 +356,32 @@ export class RequestHandler {
): Promise<void> {
// Record start time for logging
const startTime = Date.now();
// Apply CORS headers if configured
this.applyCorsHeaders(res, req);
// Get route before applying CORS (we might need its settings)
// Try to find a matching route using RouteManager
let matchingRoute: IRouteConfig | null = null;
if (this.routeManager) {
try {
// Create a connection ID for this request
const connectionId = `http-${Date.now()}-${Math.floor(Math.random() * 10000)}`;
// Create route context for function-based targets
const routeContext = this.contextCreator.createHttpRouteContext(req, {
connectionId,
clientIp: req.socket.remoteAddress?.replace('::ffff:', '') || '0.0.0.0',
serverIp: req.socket.localAddress?.replace('::ffff:', '') || '0.0.0.0',
tlsVersion: req.socket.getTLSVersion?.() || undefined
});
matchingRoute = this.routeManager.findMatchingRoute(toBaseContext(routeContext));
} catch (err) {
this.logger.error('Error finding matching route', err);
}
}
// Apply CORS headers with route-specific settings if available
this.applyCorsHeaders(res, req, matchingRoute);
// If this is an OPTIONS request, the response has already been ended in applyCorsHeaders
// so we should return early to avoid trying to set more headers
if (req.method === 'OPTIONS') {
@ -132,16 +391,220 @@ export class RequestHandler {
}
return;
}
// Apply default headers
this.applyDefaultHeaders(res);
// Determine routing configuration
// We already have the connection ID and routeContext from CORS handling
const connectionId = `http-${Date.now()}-${Math.floor(Math.random() * 10000)}`;
// Create route context for function-based targets (if we don't already have one)
const routeContext = this.contextCreator.createHttpRouteContext(req, {
connectionId,
clientIp: req.socket.remoteAddress?.replace('::ffff:', '') || '0.0.0.0',
serverIp: req.socket.localAddress?.replace('::ffff:', '') || '0.0.0.0',
tlsVersion: req.socket.getTLSVersion?.() || undefined
});
// Check security restrictions if we have a matching route
if (matchingRoute) {
// Check IP filtering and rate limiting
if (!this.securityManager.isAllowed(matchingRoute, routeContext)) {
this.logger.warn(`Access denied for ${routeContext.clientIp} to ${matchingRoute.name || 'unnamed'}`);
res.statusCode = 403;
res.end('Forbidden: Access denied by security policy');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
// Check basic auth
if (matchingRoute.security?.basicAuth?.enabled) {
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Basic ')) {
// No auth header provided - send 401 with WWW-Authenticate header
res.statusCode = 401;
const realm = matchingRoute.security.basicAuth.realm || 'Protected Area';
res.setHeader('WWW-Authenticate', `Basic realm="${realm}", charset="UTF-8"`);
res.end('Authentication Required');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
// Verify credentials
try {
const credentials = Buffer.from(authHeader.substring(6), 'base64').toString('utf-8');
const [username, password] = credentials.split(':');
if (!this.securityManager.checkBasicAuth(matchingRoute, username, password)) {
res.statusCode = 401;
const realm = matchingRoute.security.basicAuth.realm || 'Protected Area';
res.setHeader('WWW-Authenticate', `Basic realm="${realm}", charset="UTF-8"`);
res.end('Invalid Credentials');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
} catch (err) {
this.logger.error(`Error verifying basic auth: ${err}`);
res.statusCode = 401;
res.end('Authentication Error');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
}
// Check JWT auth
if (matchingRoute.security?.jwtAuth?.enabled) {
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Bearer ')) {
// No auth header provided - send 401
res.statusCode = 401;
res.end('Authentication Required: JWT token missing');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
// Verify token
const token = authHeader.substring(7);
if (!this.securityManager.verifyJwtToken(matchingRoute, token)) {
res.statusCode = 401;
res.end('Invalid or Expired JWT');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
}
}
// If we found a matching route with function-based targets, use it
if (matchingRoute && matchingRoute.action.type === 'forward' && matchingRoute.action.target) {
this.logger.debug(`Found matching route: ${matchingRoute.name || 'unnamed'}`);
// Extract target information, resolving functions if needed
let targetHost: string | string[];
let targetPort: number;
try {
// Check function cache for host and resolve or use cached value
if (typeof matchingRoute.action.target.host === 'function') {
// Generate a function ID for caching (use route name or ID if available)
const functionId = `host-${matchingRoute.id || matchingRoute.name || 'unnamed'}`;
// Check if we have a cached result
if (this.functionCache) {
const cachedHost = this.functionCache.getCachedHost(routeContext, functionId);
if (cachedHost !== undefined) {
targetHost = cachedHost;
this.logger.debug(`Using cached host value for ${functionId}`);
} else {
// Resolve the function and cache the result
const resolvedHost = matchingRoute.action.target.host(toBaseContext(routeContext));
targetHost = resolvedHost;
// Cache the result
this.functionCache.cacheHost(routeContext, functionId, resolvedHost);
this.logger.debug(`Resolved and cached function-based host to: ${Array.isArray(resolvedHost) ? resolvedHost.join(', ') : resolvedHost}`);
}
} else {
// No cache available, just resolve
const resolvedHost = matchingRoute.action.target.host(routeContext);
targetHost = resolvedHost;
this.logger.debug(`Resolved function-based host to: ${Array.isArray(resolvedHost) ? resolvedHost.join(', ') : resolvedHost}`);
}
} else {
targetHost = matchingRoute.action.target.host;
}
// Check function cache for port and resolve or use cached value
if (typeof matchingRoute.action.target.port === 'function') {
// Generate a function ID for caching
const functionId = `port-${matchingRoute.id || matchingRoute.name || 'unnamed'}`;
// Check if we have a cached result
if (this.functionCache) {
const cachedPort = this.functionCache.getCachedPort(routeContext, functionId);
if (cachedPort !== undefined) {
targetPort = cachedPort;
this.logger.debug(`Using cached port value for ${functionId}`);
} else {
// Resolve the function and cache the result
const resolvedPort = matchingRoute.action.target.port(toBaseContext(routeContext));
targetPort = resolvedPort;
// Cache the result
this.functionCache.cachePort(routeContext, functionId, resolvedPort);
this.logger.debug(`Resolved and cached function-based port to: ${resolvedPort}`);
}
} else {
// No cache available, just resolve
const resolvedPort = matchingRoute.action.target.port(routeContext);
targetPort = resolvedPort;
this.logger.debug(`Resolved function-based port to: ${resolvedPort}`);
}
} else {
targetPort = matchingRoute.action.target.port;
}
// Select a single host if an array was provided
const selectedHost = Array.isArray(targetHost)
? targetHost[Math.floor(Math.random() * targetHost.length)]
: targetHost;
// Create a destination for the connection pool
const destination = {
host: selectedHost,
port: targetPort
};
// Apply URL rewriting if configured
this.applyUrlRewriting(req, matchingRoute, routeContext);
// Apply header modifications if configured
this.applyRouteHeaderModifications(matchingRoute, req, res);
// Continue with handling using the resolved destination
HttpRequestHandler.handleHttpRequestWithDestination(
req,
res,
destination,
routeContext,
startTime,
this.logger,
this.metricsTracker,
matchingRoute // Pass the route config for additional processing
);
return;
} catch (err) {
this.logger.error(`Error evaluating function-based target: ${err}`);
res.statusCode = 500;
res.end('Internal Server Error: Failed to evaluate target functions');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
}
// Try modern router first, then fall back to legacy routing if needed
if (this.router) {
try {
// Try to find a matching route using the modern router
const route = this.router.routeReq(req);
if (route && route.action.type === 'forward' && route.action.target) {
// Handle this route similarly to RouteManager logic
this.logger.debug(`Found matching route via modern router: ${route.name || 'unnamed'}`);
// No need to do anything here, we'll continue with legacy routing
// The routeManager would have already found this route if applicable
}
} catch (err) {
this.logger.error('Error using modern router', err);
// Continue with legacy routing
}
}
// Fall back to legacy routing if no matching route found via RouteManager
let proxyConfig: IReverseProxyConfig | undefined;
try {
proxyConfig = this.router.routeReq(req);
proxyConfig = this.legacyRouter.routeReq(req);
} catch (err) {
this.logger.error('Error routing request', err);
this.logger.error('Error routing request with legacy router', err);
res.statusCode = 500;
res.end('Internal Server Error');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
@ -345,18 +808,180 @@ export class RequestHandler {
}
/**
* Handle HTTP/2 stream requests by proxying to HTTP/1 backends
* Handle HTTP/2 stream requests with function-based target support
*/
public async handleHttp2(stream: any, headers: any): Promise<void> {
public async handleHttp2(stream: plugins.http2.ServerHttp2Stream, headers: plugins.http2.IncomingHttpHeaders): Promise<void> {
const startTime = Date.now();
// Create a connection ID for this HTTP/2 stream
const connectionId = `http2-${Date.now()}-${Math.floor(Math.random() * 10000)}`;
// Get client IP and server IP from the socket
const socket = (stream.session as any)?.socket;
const clientIp = socket?.remoteAddress?.replace('::ffff:', '') || '0.0.0.0';
const serverIp = socket?.localAddress?.replace('::ffff:', '') || '0.0.0.0';
// Create route context for function-based targets
const routeContext = this.contextCreator.createHttp2RouteContext(stream, headers, {
connectionId,
clientIp,
serverIp
});
// Try to find a matching route using RouteManager
let matchingRoute: IRouteConfig | null = null;
if (this.routeManager) {
try {
matchingRoute = this.routeManager.findMatchingRoute(toBaseContext(routeContext));
} catch (err) {
this.logger.error('Error finding matching route for HTTP/2 request', err);
}
}
// If we found a matching route with function-based targets, use it
if (matchingRoute && matchingRoute.action.type === 'forward' && matchingRoute.action.target) {
this.logger.debug(`Found matching route for HTTP/2 request: ${matchingRoute.name || 'unnamed'}`);
// Extract target information, resolving functions if needed
let targetHost: string | string[];
let targetPort: number;
try {
// Check function cache for host and resolve or use cached value
if (typeof matchingRoute.action.target.host === 'function') {
// Generate a function ID for caching (use route name or ID if available)
const functionId = `host-http2-${matchingRoute.id || matchingRoute.name || 'unnamed'}`;
// Check if we have a cached result
if (this.functionCache) {
const cachedHost = this.functionCache.getCachedHost(routeContext, functionId);
if (cachedHost !== undefined) {
targetHost = cachedHost;
this.logger.debug(`Using cached host value for HTTP/2: ${functionId}`);
} else {
// Resolve the function and cache the result
const resolvedHost = matchingRoute.action.target.host(toBaseContext(routeContext));
targetHost = resolvedHost;
// Cache the result
this.functionCache.cacheHost(routeContext, functionId, resolvedHost);
this.logger.debug(`Resolved and cached HTTP/2 function-based host to: ${Array.isArray(resolvedHost) ? resolvedHost.join(', ') : resolvedHost}`);
}
} else {
// No cache available, just resolve
const resolvedHost = matchingRoute.action.target.host(routeContext);
targetHost = resolvedHost;
this.logger.debug(`Resolved HTTP/2 function-based host to: ${Array.isArray(resolvedHost) ? resolvedHost.join(', ') : resolvedHost}`);
}
} else {
targetHost = matchingRoute.action.target.host;
}
// Check function cache for port and resolve or use cached value
if (typeof matchingRoute.action.target.port === 'function') {
// Generate a function ID for caching
const functionId = `port-http2-${matchingRoute.id || matchingRoute.name || 'unnamed'}`;
// Check if we have a cached result
if (this.functionCache) {
const cachedPort = this.functionCache.getCachedPort(routeContext, functionId);
if (cachedPort !== undefined) {
targetPort = cachedPort;
this.logger.debug(`Using cached port value for HTTP/2: ${functionId}`);
} else {
// Resolve the function and cache the result
const resolvedPort = matchingRoute.action.target.port(toBaseContext(routeContext));
targetPort = resolvedPort;
// Cache the result
this.functionCache.cachePort(routeContext, functionId, resolvedPort);
this.logger.debug(`Resolved and cached HTTP/2 function-based port to: ${resolvedPort}`);
}
} else {
// No cache available, just resolve
const resolvedPort = matchingRoute.action.target.port(routeContext);
targetPort = resolvedPort;
this.logger.debug(`Resolved HTTP/2 function-based port to: ${resolvedPort}`);
}
} else {
targetPort = matchingRoute.action.target.port;
}
// Select a single host if an array was provided
const selectedHost = Array.isArray(targetHost)
? targetHost[Math.floor(Math.random() * targetHost.length)]
: targetHost;
// Create a destination for forwarding
const destination = {
host: selectedHost,
port: targetPort
};
// Handle HTTP/2 stream based on backend protocol
const backendProtocol = matchingRoute.action.options?.backendProtocol || this.options.backendProtocol;
if (backendProtocol === 'http2') {
// Forward to HTTP/2 backend
return Http2RequestHandler.handleHttp2WithHttp2Destination(
stream,
headers,
destination,
routeContext,
this.h2Sessions,
this.logger,
this.metricsTracker
);
} else {
// Forward to HTTP/1.1 backend
return Http2RequestHandler.handleHttp2WithHttp1Destination(
stream,
headers,
destination,
routeContext,
this.logger,
this.metricsTracker
);
}
} catch (err) {
this.logger.error(`Error evaluating function-based target for HTTP/2: ${err}`);
stream.respond({ ':status': 500 });
stream.end('Internal Server Error: Failed to evaluate target functions');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
}
// Fall back to legacy routing if no matching route found
const method = headers[':method'] || 'GET';
const path = headers[':path'] || '/';
// If configured to proxy to backends over HTTP/2, use HTTP/2 client sessions
if (this.options.backendProtocol === 'http2') {
const authority = headers[':authority'] as string || '';
const host = authority.split(':')[0];
const fakeReq: any = { headers: { host }, method: headers[':method'], url: headers[':path'], socket: (stream.session as any).socket };
const proxyConfig = this.router.routeReq(fakeReq);
const fakeReq: any = {
headers: { host },
method: headers[':method'],
url: headers[':path'],
socket: (stream.session as any).socket
};
// Try modern router first if available
let route;
if (this.router) {
try {
route = this.router.routeReq(fakeReq);
if (route && route.action.type === 'forward' && route.action.target) {
this.logger.debug(`Found matching HTTP/2 route via modern router: ${route.name || 'unnamed'}`);
// The routeManager would have already found this route if applicable
}
} catch (err) {
this.logger.error('Error using modern router for HTTP/2', err);
}
}
// Fall back to legacy routing
const proxyConfig = this.legacyRouter.routeReq(fakeReq);
if (!proxyConfig) {
stream.respond({ ':status': 404 });
stream.end('Not Found');
@ -364,96 +989,67 @@ export class RequestHandler {
return;
}
const destination = this.connectionPool.getNextTarget(proxyConfig.destinationIps, proxyConfig.destinationPorts[0]);
const key = `${destination.host}:${destination.port}`;
let session = this.h2Sessions.get(key);
if (!session || session.closed || (session as any).destroyed) {
session = plugins.http2.connect(`http://${destination.host}:${destination.port}`);
this.h2Sessions.set(key, session);
session.on('error', () => this.h2Sessions.delete(key));
session.on('close', () => this.h2Sessions.delete(key));
}
// Build headers for backend HTTP/2 request
const h2Headers: Record<string, any> = {
':method': headers[':method'],
':path': headers[':path'],
':authority': `${destination.host}:${destination.port}`
};
for (const [k, v] of Object.entries(headers)) {
if (!k.startsWith(':') && typeof v === 'string') {
h2Headers[k] = v;
}
}
const h2Stream2 = session.request(h2Headers);
stream.pipe(h2Stream2);
h2Stream2.on('response', (hdrs: any) => {
// Map status and headers to client
const resp: Record<string, any> = { ':status': hdrs[':status'] as number };
for (const [hk, hv] of Object.entries(hdrs)) {
if (!hk.startsWith(':') && hv) resp[hk] = hv;
}
stream.respond(resp);
h2Stream2.pipe(stream);
});
h2Stream2.on('error', (err) => {
stream.respond({ ':status': 502 });
stream.end(`Bad Gateway: ${err.message}`);
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
});
return;
// Use the helper for HTTP/2 to HTTP/2 routing
return Http2RequestHandler.handleHttp2WithHttp2Destination(
stream,
headers,
destination,
routeContext,
this.h2Sessions,
this.logger,
this.metricsTracker
);
}
try {
// Determine host for routing
const authority = headers[':authority'] as string || '';
const host = authority.split(':')[0];
// Fake request object for routing
const fakeReq: any = { headers: { host }, method, url: path, socket: (stream.session as any).socket };
const proxyConfig = this.router.routeReq(fakeReq as any);
const fakeReq: any = {
headers: { host },
method,
url: path,
socket: (stream.session as any).socket
};
// Try modern router first if available
if (this.router) {
try {
const route = this.router.routeReq(fakeReq);
if (route && route.action.type === 'forward' && route.action.target) {
this.logger.debug(`Found matching HTTP/2 route via modern router: ${route.name || 'unnamed'}`);
// The routeManager would have already found this route if applicable
}
} catch (err) {
this.logger.error('Error using modern router for HTTP/2', err);
}
}
// Fall back to legacy routing
const proxyConfig = this.legacyRouter.routeReq(fakeReq as any);
if (!proxyConfig) {
stream.respond({ ':status': 404 });
stream.end('Not Found');
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
return;
}
// Select backend target
const destination = this.connectionPool.getNextTarget(
proxyConfig.destinationIps,
proxyConfig.destinationPorts[0]
);
// Build headers for HTTP/1 proxy
const outboundHeaders: Record<string,string> = {};
for (const [key, value] of Object.entries(headers)) {
if (typeof key === 'string' && typeof value === 'string' && !key.startsWith(':')) {
outboundHeaders[key] = value;
}
}
if (outboundHeaders.host && (proxyConfig as IReverseProxyConfig).rewriteHostHeader) {
outboundHeaders.host = `${destination.host}:${destination.port}`;
}
// Create HTTP/1 proxy request
const proxyReq = plugins.http.request(
{ hostname: destination.host, port: destination.port, path, method, headers: outboundHeaders },
(proxyRes) => {
// Map status and headers back to HTTP/2
const responseHeaders: Record<string, number|string|string[]> = {};
for (const [k, v] of Object.entries(proxyRes.headers)) {
if (v !== undefined) {
responseHeaders[k] = v as string | string[];
}
}
stream.respond({ ':status': proxyRes.statusCode || 500, ...responseHeaders });
proxyRes.pipe(stream);
stream.on('close', () => proxyReq.destroy());
stream.on('error', () => proxyReq.destroy());
if (this.metricsTracker) stream.on('end', () => this.metricsTracker.incrementRequestsServed());
}
// Use the helper for HTTP/2 to HTTP/1 routing
return Http2RequestHandler.handleHttp2WithHttp1Destination(
stream,
headers,
destination,
routeContext,
this.logger,
this.metricsTracker
);
proxyReq.on('error', (err) => {
stream.respond({ ':status': 502 });
stream.end(`Bad Gateway: ${err.message}`);
if (this.metricsTracker) this.metricsTracker.incrementFailedRequests();
});
// Pipe client stream to backend
stream.pipe(proxyReq);
} catch (err: any) {
stream.respond({ ':status': 500 });
stream.end('Internal Server Error');

298
ts/proxies/network-proxy/security-manager.ts Normal file
View File

@ -0,0 +1,298 @@
import * as plugins from '../../plugins.js';
import type { ILogger } from './models/types.js';
import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
import type { IRouteContext } from '../../core/models/route-context.js';
/**
* Manages security features for the NetworkProxy
* Implements Phase 5.4: Security features like IP filtering and rate limiting
*/
export class SecurityManager {
// Cache IP filtering results to avoid constant regex matching
private ipFilterCache: Map<string, Map<string, boolean>> = new Map();
// Store rate limits per route and key
private rateLimits: Map<string, Map<string, { count: number, expiry: number }>> = new Map();
constructor(private logger: ILogger, private routes: IRouteConfig[] = []) {}
/**
* Update the routes configuration
*/
public setRoutes(routes: IRouteConfig[]): void {
this.routes = routes;
// Reset caches when routes change
this.ipFilterCache.clear();
}
/**
* Check if a client is allowed to access a specific route
*
* @param route The route to check access for
* @param context The route context with client information
* @returns True if access is allowed, false otherwise
*/
public isAllowed(route: IRouteConfig, context: IRouteContext): boolean {
if (!route.security) {
return true; // No security restrictions
}
// --- IP filtering ---
if (!this.isIpAllowed(route, context.clientIp)) {
this.logger.debug(`IP ${context.clientIp} is blocked for route ${route.name || route.id || 'unnamed'}`);
return false;
}
// --- Rate limiting ---
if (route.security.rateLimit?.enabled && !this.isWithinRateLimit(route, context)) {
this.logger.debug(`Rate limit exceeded for route ${route.name || route.id || 'unnamed'}`);
return false;
}
// --- Basic Auth (handled at HTTP level) ---
// Basic auth is not checked here as it requires HTTP headers
// and is handled in the RequestHandler
return true;
}
/**
* Check if an IP is allowed based on route security settings
*/
private isIpAllowed(route: IRouteConfig, clientIp: string): boolean {
if (!route.security) {
return true; // No security restrictions
}
const routeId = route.id || route.name || 'unnamed';
// Check cache first
if (!this.ipFilterCache.has(routeId)) {
this.ipFilterCache.set(routeId, new Map());
}
const routeCache = this.ipFilterCache.get(routeId)!;
if (routeCache.has(clientIp)) {
return routeCache.get(clientIp)!;
}
let allowed = true;
// Check block list first (deny has priority over allow)
if (route.security.ipBlockList && route.security.ipBlockList.length > 0) {
if (this.ipMatchesPattern(clientIp, route.security.ipBlockList)) {
allowed = false;
}
}
// Then check allow list (overrides block list if specified)
if (route.security.ipAllowList && route.security.ipAllowList.length > 0) {
// If allow list is specified, IP must match an entry to be allowed
allowed = this.ipMatchesPattern(clientIp, route.security.ipAllowList);
}
// Cache the result
routeCache.set(clientIp, allowed);
return allowed;
}
/**
* Check if IP matches any pattern in the list
*/
private ipMatchesPattern(ip: string, patterns: string[]): boolean {
for (const pattern of patterns) {
// CIDR notation
if (pattern.includes('/')) {
if (this.ipMatchesCidr(ip, pattern)) {
return true;
}
}
// Wildcard notation
else if (pattern.includes('*')) {
const regex = new RegExp('^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '.*') + '$');
if (regex.test(ip)) {
return true;
}
}
// Exact match
else if (pattern === ip) {
return true;
}
}
return false;
}
/**
* Check if IP matches CIDR notation
* Very basic implementation - for production use, consider a dedicated IP library
*/
private ipMatchesCidr(ip: string, cidr: string): boolean {
try {
const [subnet, bits] = cidr.split('/');
const mask = parseInt(bits, 10);
// Convert IP to numeric format
const ipParts = ip.split('.').map(part => parseInt(part, 10));
const subnetParts = subnet.split('.').map(part => parseInt(part, 10));
// Calculate the numeric IP and subnet
const ipNum = (ipParts[0] << 24) | (ipParts[1] << 16) | (ipParts[2] << 8) | ipParts[3];
const subnetNum = (subnetParts[0] << 24) | (subnetParts[1] << 16) | (subnetParts[2] << 8) | subnetParts[3];
// Calculate the mask
const maskNum = ~((1 << (32 - mask)) - 1);
// Check if IP is in subnet
return (ipNum & maskNum) === (subnetNum & maskNum);
} catch (e) {
this.logger.error(`Invalid CIDR notation: ${cidr}`);
return false;
}
}
/**
* Check if request is within rate limit
*/
private isWithinRateLimit(route: IRouteConfig, context: IRouteContext): boolean {
if (!route.security?.rateLimit?.enabled) {
return true;
}
const rateLimit = route.security.rateLimit;
const routeId = route.id || route.name || 'unnamed';
// Determine rate limit key (by IP, path, or header)
let key = context.clientIp; // Default to IP
if (rateLimit.keyBy === 'path' && context.path) {
key = `${context.clientIp}:${context.path}`;
} else if (rateLimit.keyBy === 'header' && rateLimit.headerName && context.headers) {
const headerValue = context.headers[rateLimit.headerName.toLowerCase()];
if (headerValue) {
key = `${context.clientIp}:${headerValue}`;
}
}
// Get or create rate limit tracking for this route
if (!this.rateLimits.has(routeId)) {
this.rateLimits.set(routeId, new Map());
}
const routeLimits = this.rateLimits.get(routeId)!;
const now = Date.now();
// Get or create rate limit tracking for this key
let limit = routeLimits.get(key);
if (!limit || limit.expiry < now) {
// Create new rate limit or reset expired one
limit = {
count: 1,
expiry: now + (rateLimit.window * 1000)
};
routeLimits.set(key, limit);
return true;
}
// Increment the counter
limit.count++;
// Check if rate limit is exceeded
return limit.count <= rateLimit.maxRequests;
}
/**
* Clean up expired rate limits
* Should be called periodically to prevent memory leaks
*/
public cleanupExpiredRateLimits(): void {
const now = Date.now();
for (const [routeId, routeLimits] of this.rateLimits.entries()) {
let removed = 0;
for (const [key, limit] of routeLimits.entries()) {
if (limit.expiry < now) {
routeLimits.delete(key);
removed++;
}
}
if (removed > 0) {
this.logger.debug(`Cleaned up ${removed} expired rate limits for route ${routeId}`);
}
}
}
/**
* Check basic auth credentials
*
* @param route The route to check auth for
* @param username The provided username
* @param password The provided password
* @returns True if credentials are valid, false otherwise
*/
public checkBasicAuth(route: IRouteConfig, username: string, password: string): boolean {
if (!route.security?.basicAuth?.enabled) {
return true;
}
const basicAuth = route.security.basicAuth;
// Check credentials against configured users
for (const user of basicAuth.users) {
if (user.username === username && user.password === password) {
return true;
}
}
return false;
}
/**
* Verify a JWT token
*
* @param route The route to verify the token for
* @param token The JWT token to verify
* @returns True if the token is valid, false otherwise
*/
public verifyJwtToken(route: IRouteConfig, token: string): boolean {
if (!route.security?.jwtAuth?.enabled) {
return true;
}
try {
// This is a simplified version - in production you'd use a proper JWT library
const jwtAuth = route.security.jwtAuth;
// Verify structure
const parts = token.split('.');
if (parts.length !== 3) {
return false;
}
// Decode payload
const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
// Check expiration
if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
return false;
}
// Check issuer
if (jwtAuth.issuer && payload.iss !== jwtAuth.issuer) {
return false;
}
// Check audience
if (jwtAuth.audience && payload.aud !== jwtAuth.audience) {
return false;
}
// In a real implementation, you'd also verify the signature
// using the secret and algorithm specified in jwtAuth
return true;
} catch (err) {
this.logger.error(`Error verifying JWT: ${err}`);
return false;
}
}
}

309
ts/proxies/network-proxy/websocket-handler.ts
View File

@ -1,7 +1,15 @@
import * as plugins from '../../plugins.js';
import '../../core/models/socket-augmentation.js';
import { type INetworkProxyOptions, type IWebSocketWithHeartbeat, type ILogger, createLogger, type IReverseProxyConfig } from './models/types.js';
import { ConnectionPool } from './connection-pool.js';
import { ProxyRouter } from '../../http/router/index.js';
import { ProxyRouter, RouteRouter } from '../../http/router/index.js';
import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
import type { IRouteContext } from '../../core/models/route-context.js';
import { toBaseContext } from '../../core/models/route-context.js';
import { ContextCreator } from './context-creator.js';
import { SecurityManager } from './security-manager.js';
import { TemplateUtils } from '../../core/utils/template-utils.js';
import { getMessageSize, toBuffer } from '../../core/utils/websocket-utils.js';
/**
* Handles WebSocket connections and proxying
@ -10,13 +18,40 @@ export class WebSocketHandler {
private heartbeatInterval: NodeJS.Timeout | null = null;
private wsServer: plugins.ws.WebSocketServer | null = null;
private logger: ILogger;
private contextCreator: ContextCreator = new ContextCreator();
private routeRouter: RouteRouter | null = null;
private securityManager: SecurityManager;
constructor(
private options: INetworkProxyOptions,
private connectionPool: ConnectionPool,
private router: ProxyRouter
private legacyRouter: ProxyRouter, // Legacy router for backward compatibility
private routes: IRouteConfig[] = [] // Routes for modern router
) {
this.logger = createLogger(options.logLevel || 'info');
this.securityManager = new SecurityManager(this.logger, routes);
// Initialize modern router if we have routes
if (routes.length > 0) {
this.routeRouter = new RouteRouter(routes, this.logger);
}
}
/**
* Set the route configurations
*/
public setRoutes(routes: IRouteConfig[]): void {
this.routes = routes;
// Initialize or update the route router
if (!this.routeRouter) {
this.routeRouter = new RouteRouter(routes, this.logger);
} else {
this.routeRouter.setRoutes(routes);
}
// Update the security manager
this.securityManager.setRoutes(routes);
}
/**
@ -91,51 +126,200 @@ export class WebSocketHandler {
wsIncoming.lastPong = Date.now();
});
// Find target configuration based on request
const proxyConfig = this.router.routeReq(req);
if (!proxyConfig) {
this.logger.warn(`No proxy configuration for WebSocket host: ${req.headers.host}`);
wsIncoming.close(1008, 'No proxy configuration for this host');
return;
// Create a context for routing
const connectionId = `ws-${Date.now()}-${Math.floor(Math.random() * 10000)}`;
const routeContext = this.contextCreator.createHttpRouteContext(req, {
connectionId,
clientIp: req.socket.remoteAddress?.replace('::ffff:', '') || '0.0.0.0',
serverIp: req.socket.localAddress?.replace('::ffff:', '') || '0.0.0.0',
tlsVersion: req.socket.getTLSVersion?.() || undefined
});
// Try modern router first if available
let route: IRouteConfig | undefined;
if (this.routeRouter) {
route = this.routeRouter.routeReq(req);
}
// Define destination variables
let destination: { host: string; port: number };
// If we found a route with the modern router, use it
if (route && route.action.type === 'forward' && route.action.target) {
this.logger.debug(`Found matching WebSocket route: ${route.name || 'unnamed'}`);
// Check if WebSockets are enabled for this route
if (route.action.websocket?.enabled === false) {
this.logger.debug(`WebSockets are disabled for route: ${route.name || 'unnamed'}`);
wsIncoming.close(1003, 'WebSockets not supported for this route');
return;
}
// Check security restrictions if configured to authenticate WebSocket requests
if (route.action.websocket?.authenticateRequest !== false && route.security) {
if (!this.securityManager.isAllowed(route, toBaseContext(routeContext))) {
this.logger.warn(`WebSocket connection denied by security policy for ${routeContext.clientIp}`);
wsIncoming.close(1008, 'Access denied by security policy');
return;
}
// Check origin restrictions if configured
const origin = req.headers.origin;
if (origin && route.action.websocket?.allowedOrigins && route.action.websocket.allowedOrigins.length > 0) {
const isAllowed = route.action.websocket.allowedOrigins.some(allowedOrigin => {
// Handle wildcards and template variables
if (allowedOrigin.includes('*') || allowedOrigin.includes('{')) {
const pattern = allowedOrigin.replace(/\*/g, '.*');
const resolvedPattern = TemplateUtils.resolveTemplateVariables(pattern, routeContext);
const regex = new RegExp(`^${resolvedPattern}$`);
return regex.test(origin);
}
return allowedOrigin === origin;
});
if (!isAllowed) {
this.logger.warn(`WebSocket origin ${origin} not allowed for route: ${route.name || 'unnamed'}`);
wsIncoming.close(1008, 'Origin not allowed');
return;
}
}
}
// Extract target information, resolving functions if needed
let targetHost: string | string[];
let targetPort: number;
try {
// Resolve host if it's a function
if (typeof route.action.target.host === 'function') {
const resolvedHost = route.action.target.host(toBaseContext(routeContext));
targetHost = resolvedHost;
this.logger.debug(`Resolved function-based host for WebSocket: ${Array.isArray(resolvedHost) ? resolvedHost.join(', ') : resolvedHost}`);
} else {
targetHost = route.action.target.host;
}
// Resolve port if it's a function
if (typeof route.action.target.port === 'function') {
targetPort = route.action.target.port(toBaseContext(routeContext));
this.logger.debug(`Resolved function-based port for WebSocket: ${targetPort}`);
} else {
targetPort = route.action.target.port;
}
// Select a single host if an array was provided
const selectedHost = Array.isArray(targetHost)
? targetHost[Math.floor(Math.random() * targetHost.length)]
: targetHost;
// Create a destination for the WebSocket connection
destination = {
host: selectedHost,
port: targetPort
};
} catch (err) {
this.logger.error(`Error evaluating function-based target for WebSocket: ${err}`);
wsIncoming.close(1011, 'Internal server error');
return;
}
} else {
// Fall back to legacy routing if no matching route found via modern router
const proxyConfig = this.legacyRouter.routeReq(req);
if (!proxyConfig) {
this.logger.warn(`No proxy configuration for WebSocket host: ${req.headers.host}`);
wsIncoming.close(1008, 'No proxy configuration for this host');
return;
}
// Get destination target using round-robin if multiple targets
destination = this.connectionPool.getNextTarget(
proxyConfig.destinationIps,
proxyConfig.destinationPorts[0]
);
}
// Get destination target using round-robin if multiple targets
const destination = this.connectionPool.getNextTarget(
proxyConfig.destinationIps,
proxyConfig.destinationPorts[0]
);
// Build target URL
// Build target URL with potential path rewriting
const protocol = (req.socket as any).encrypted ? 'wss' : 'ws';
const targetUrl = `${protocol}://${destination.host}:${destination.port}${req.url}`;
let targetPath = req.url || '/';
// Apply path rewriting if configured
if (route?.action.websocket?.rewritePath) {
const originalPath = targetPath;
targetPath = TemplateUtils.resolveTemplateVariables(
route.action.websocket.rewritePath,
{...routeContext, path: targetPath}
);
this.logger.debug(`WebSocket path rewritten: ${originalPath} -> ${targetPath}`);
}
const targetUrl = `${protocol}://${destination.host}:${destination.port}${targetPath}`;
this.logger.debug(`WebSocket connection from ${req.socket.remoteAddress} to ${targetUrl}`);
// Create headers for outgoing WebSocket connection
const headers: { [key: string]: string } = {};
// Copy relevant headers from incoming request
for (const [key, value] of Object.entries(req.headers)) {
if (value && typeof value === 'string' &&
key.toLowerCase() !== 'connection' &&
if (value && typeof value === 'string' &&
key.toLowerCase() !== 'connection' &&
key.toLowerCase() !== 'upgrade' &&
key.toLowerCase() !== 'sec-websocket-key' &&
key.toLowerCase() !== 'sec-websocket-version') {
headers[key] = value;
}
}
// Override host header if needed
if ((proxyConfig as IReverseProxyConfig).rewriteHostHeader) {
headers['host'] = `${destination.host}:${destination.port}`;
// Always rewrite host header for WebSockets for consistency
headers['host'] = `${destination.host}:${destination.port}`;
// Add custom headers from route configuration
if (route?.action.websocket?.customHeaders) {
for (const [key, value] of Object.entries(route.action.websocket.customHeaders)) {
// Skip if header already exists and we're not overriding
if (headers[key.toLowerCase()] && !value.startsWith('!')) {
continue;
}
// Handle special delete directive (!delete)
if (value === '!delete') {
delete headers[key.toLowerCase()];
continue;
}
// Handle forced override (!value)
let finalValue: string;
if (value.startsWith('!') && value !== '!delete') {
// Keep the ! but resolve any templates in the rest
const templateValue = value.substring(1);
finalValue = '!' + TemplateUtils.resolveTemplateVariables(templateValue, routeContext);
} else {
// Resolve templates in the entire value
finalValue = TemplateUtils.resolveTemplateVariables(value, routeContext);
}
// Set the header
headers[key.toLowerCase()] = finalValue;
}
}
// Create outgoing WebSocket connection
const wsOutgoing = new plugins.wsDefault(targetUrl, {
// Create WebSocket connection options
const wsOptions: any = {
headers: headers,
followRedirects: true
});
};
// Add subprotocols if configured
if (route?.action.websocket?.subprotocols && route.action.websocket.subprotocols.length > 0) {
wsOptions.protocols = route.action.websocket.subprotocols;
} else if (req.headers['sec-websocket-protocol']) {
// Pass through client requested protocols
wsOptions.protocols = req.headers['sec-websocket-protocol'].split(',').map(p => p.trim());
}
// Create outgoing WebSocket connection
const wsOutgoing = new plugins.wsDefault(targetUrl, wsOptions);
// Handle connection errors
wsOutgoing.on('error', (err) => {
@ -147,35 +331,94 @@ export class WebSocketHandler {
// Handle outgoing connection open
wsOutgoing.on('open', () => {
// Set up custom ping interval if configured
let pingInterval: NodeJS.Timeout | null = null;
if (route?.action.websocket?.pingInterval && route.action.websocket.pingInterval > 0) {
pingInterval = setInterval(() => {
if (wsIncoming.readyState === wsIncoming.OPEN) {
wsIncoming.ping();
this.logger.debug(`Sent WebSocket ping to client for route: ${route.name || 'unnamed'}`);
}
}, route.action.websocket.pingInterval);
// Don't keep process alive just for pings
if (pingInterval.unref) pingInterval.unref();
}
// Set up custom ping timeout if configured
let pingTimeout: NodeJS.Timeout | null = null;
const pingTimeoutMs = route?.action.websocket?.pingTimeout || 60000; // Default 60s
// Define timeout function for cleaner code
const resetPingTimeout = () => {
if (pingTimeout) clearTimeout(pingTimeout);
pingTimeout = setTimeout(() => {
this.logger.debug(`WebSocket ping timeout for client connection on route: ${route?.name || 'unnamed'}`);
wsIncoming.terminate();
}, pingTimeoutMs);
// Don't keep process alive just for timeouts
if (pingTimeout.unref) pingTimeout.unref();
};
// Reset timeout on pong
wsIncoming.on('pong', () => {
wsIncoming.isAlive = true;
wsIncoming.lastPong = Date.now();
resetPingTimeout();
});
// Initial ping timeout
resetPingTimeout();
// Handle potential message size limits
const maxSize = route?.action.websocket?.maxPayloadSize || 0;
// Forward incoming messages to outgoing connection
wsIncoming.on('message', (data, isBinary) => {
if (wsOutgoing.readyState === wsOutgoing.OPEN) {
// Check message size if limit is set
const messageSize = getMessageSize(data);
if (maxSize > 0 && messageSize > maxSize) {
this.logger.warn(`WebSocket message exceeds max size (${messageSize} > ${maxSize})`);
wsIncoming.close(1009, 'Message too big');
return;
}
wsOutgoing.send(data, { binary: isBinary });
}
});
// Forward outgoing messages to incoming connection
wsOutgoing.on('message', (data, isBinary) => {
if (wsIncoming.readyState === wsIncoming.OPEN) {
wsIncoming.send(data, { binary: isBinary });
}
});
// Handle closing of connections
wsIncoming.on('close', (code, reason) => {
this.logger.debug(`WebSocket client connection closed: ${code} ${reason}`);
if (wsOutgoing.readyState === wsOutgoing.OPEN) {
wsOutgoing.close(code, reason);
}
// Clean up timers
if (pingInterval) clearInterval(pingInterval);
if (pingTimeout) clearTimeout(pingTimeout);
});
wsOutgoing.on('close', (code, reason) => {
this.logger.debug(`WebSocket target connection closed: ${code} ${reason}`);
if (wsIncoming.readyState === wsIncoming.OPEN) {
wsIncoming.close(code, reason);
}
// Clean up timers
if (pingInterval) clearInterval(pingInterval);
if (pingTimeout) clearTimeout(pingTimeout);
});
this.logger.debug(`WebSocket connection established: ${req.headers.host} -> ${destination.host}:${destination.port}`);
});

441
ts/proxies/smart-proxy/domain-config-manager.ts.bak
View File

@ -1,441 +0,0 @@
import * as plugins from '../../plugins.js';
import type { IDomainConfig, ISmartProxyOptions } from './models/interfaces.js';
import type { TForwardingType, IForwardConfig } from '../../forwarding/config/forwarding-types.js';
import type { ForwardingHandler } from '../../forwarding/handlers/base-handler.js';
import { ForwardingHandlerFactory } from '../../forwarding/factory/forwarding-factory.js';
import type { IRouteConfig } from './models/route-types.js';
import { RouteManager } from './route-manager.js';
/**
* Manages domain configurations and target selection
*/
export class DomainConfigManager {
// Track round-robin indices for domain configs
private domainTargetIndices: Map<IDomainConfig, number> = new Map();
// Cache forwarding handlers for each domain config
private forwardingHandlers: Map<IDomainConfig, ForwardingHandler> = new Map();
// Store derived domain configs from routes
private derivedDomainConfigs: IDomainConfig[] = [];
// Reference to RouteManager for route-based configuration
private routeManager?: RouteManager;
constructor(private settings: ISmartProxyOptions) {
// Initialize with derived domain configs if using route-based configuration
if (settings.routes && !settings.domainConfigs) {
this.generateDomainConfigsFromRoutes();
}
}
/**
* Set the route manager reference for route-based queries
*/
public setRouteManager(routeManager: RouteManager): void {
this.routeManager = routeManager;
// Regenerate domain configs from routes if needed
if (this.settings.routes && (!this.settings.domainConfigs || this.settings.domainConfigs.length === 0)) {
this.generateDomainConfigsFromRoutes();
}
}
/**
* Generate domain configs from routes
*/
public generateDomainConfigsFromRoutes(): void {
this.derivedDomainConfigs = [];
if (!this.settings.routes) return;
for (const route of this.settings.routes) {
if (route.action.type !== 'forward' || !route.match.domains) continue;
// Convert route to domain config
const domainConfig = this.routeToDomainConfig(route);
if (domainConfig) {
this.derivedDomainConfigs.push(domainConfig);
}
}
}
/**
* Convert a route to a domain config
*/
private routeToDomainConfig(route: IRouteConfig): IDomainConfig | null {
if (route.action.type !== 'forward' || !route.action.target) return null;
// Get domains from route
const domains = Array.isArray(route.match.domains) ?
route.match.domains :
(route.match.domains ? [route.match.domains] : []);
if (domains.length === 0) return null;
// Determine forwarding type based on TLS mode
let forwardingType: TForwardingType = 'http-only';
if (route.action.tls) {
switch (route.action.tls.mode) {
case 'passthrough':
forwardingType = 'https-passthrough';
break;
case 'terminate':
forwardingType = 'https-terminate-to-http';
break;
case 'terminate-and-reencrypt':
forwardingType = 'https-terminate-to-https';
break;
}
}
// Create domain config
return {
domains,
forwarding: {
type: forwardingType,
target: {
host: route.action.target.host,
port: route.action.target.port
},
security: route.action.security ? {
allowedIps: route.action.security.allowedIps,
blockedIps: route.action.security.blockedIps,
maxConnections: route.action.security.maxConnections
} : undefined,
https: route.action.tls && route.action.tls.certificate !== 'auto' ? {
customCert: route.action.tls.certificate
} : undefined,
advanced: route.action.advanced
}
};
}
/**
* Updates the domain configurations
*/
public updateDomainConfigs(newDomainConfigs: IDomainConfig[]): void {
// If we're using domainConfigs property, update it
if (this.settings.domainConfigs) {
this.settings.domainConfigs = newDomainConfigs;
} else {
// Otherwise update our derived configs
this.derivedDomainConfigs = newDomainConfigs;
}
// Reset target indices for removed configs
const currentConfigSet = new Set(newDomainConfigs);
for (const [config] of this.domainTargetIndices) {
if (!currentConfigSet.has(config)) {
this.domainTargetIndices.delete(config);
}
}
// Clear handlers for removed configs and create handlers for new configs
const handlersToRemove: IDomainConfig[] = [];
for (const [config] of this.forwardingHandlers) {
if (!currentConfigSet.has(config)) {
handlersToRemove.push(config);
}
}
// Remove handlers that are no longer needed
for (const config of handlersToRemove) {
this.forwardingHandlers.delete(config);
}
// Create handlers for new configs
for (const config of newDomainConfigs) {
if (!this.forwardingHandlers.has(config)) {
try {
const handler = this.createForwardingHandler(config);
this.forwardingHandlers.set(config, handler);
} catch (err) {
console.log(`Error creating forwarding handler for domain ${config.domains.join(', ')}: ${err}`);
}
}
}
}
/**
* Get all domain configurations
*/
public getDomainConfigs(): IDomainConfig[] {
// Use domainConfigs from settings if available, otherwise use derived configs
return this.settings.domainConfigs || this.derivedDomainConfigs;
}
/**
* Find domain config matching a server name
*/
public findDomainConfig(serverName: string): IDomainConfig | undefined {
if (!serverName) return undefined;
// Get domain configs from the appropriate source
const domainConfigs = this.getDomainConfigs();
// Check for direct match
for (const config of domainConfigs) {
if (config.domains.some(d => plugins.minimatch(serverName, d))) {
return config;
}
}
// No match found
return undefined;
}
/**
* Find domain config for a specific port
*/
public findDomainConfigForPort(port: number): IDomainConfig | undefined {
// Get domain configs from the appropriate source
const domainConfigs = this.getDomainConfigs();
// Check if any domain config has a matching port range
for (const domain of domainConfigs) {
const portRanges = domain.forwarding?.advanced?.portRanges;
if (portRanges && portRanges.length > 0 && this.isPortInRanges(port, portRanges)) {
return domain;
}
}
// If we're in route-based mode, also check routes for this port
if (this.settings.routes && (!this.settings.domainConfigs || this.settings.domainConfigs.length === 0)) {
const routesForPort = this.settings.routes.filter(route => {
// Check if this port is in the route's ports
if (typeof route.match.ports === 'number') {
return route.match.ports === port;
} else if (Array.isArray(route.match.ports)) {
return route.match.ports.some(p => {
if (typeof p === 'number') {
return p === port;
} else if (p.from && p.to) {
return port >= p.from && port <= p.to;
}
return false;
});
}
return false;
});
// If we found any routes for this port, convert the first one to a domain config
if (routesForPort.length > 0 && routesForPort[0].action.type === 'forward') {
const domainConfig = this.routeToDomainConfig(routesForPort[0]);
if (domainConfig) {
return domainConfig;
}
}
}
return undefined;
}
/**
* Check if a port is within any of the given ranges
*/
public isPortInRanges(port: number, ranges: Array<{ from: number; to: number }>): boolean {
return ranges.some((range) => port >= range.from && port <= range.to);
}
/**
* Get target IP with round-robin support
*/
public getTargetIP(domainConfig: IDomainConfig): string {
const targetHosts = Array.isArray(domainConfig.forwarding.target.host)
? domainConfig.forwarding.target.host
: [domainConfig.forwarding.target.host];
if (targetHosts.length > 0) {
const currentIndex = this.domainTargetIndices.get(domainConfig) || 0;
const ip = targetHosts[currentIndex % targetHosts.length];
this.domainTargetIndices.set(domainConfig, currentIndex + 1);
return ip;
}
return this.settings.targetIP || 'localhost';
}
/**
* Get target host with round-robin support (for tests)
* This is just an alias for getTargetIP for easier test compatibility
*/
public getTargetHost(domainConfig: IDomainConfig): string {
return this.getTargetIP(domainConfig);
}
/**
* Get target port from domain config
*/
public getTargetPort(domainConfig: IDomainConfig, defaultPort: number): number {
return domainConfig.forwarding.target.port || defaultPort;
}
/**
* Checks if a domain should use NetworkProxy
*/
public shouldUseNetworkProxy(domainConfig: IDomainConfig): boolean {
const forwardingType = this.getForwardingType(domainConfig);
return forwardingType === 'https-terminate-to-http' ||
forwardingType === 'https-terminate-to-https';
}
/**
* Gets the NetworkProxy port for a domain
*/
public getNetworkProxyPort(domainConfig: IDomainConfig): number | undefined {
// First check if we should use NetworkProxy at all
if (!this.shouldUseNetworkProxy(domainConfig)) {
return undefined;
}
return domainConfig.forwarding.advanced?.networkProxyPort || this.settings.networkProxyPort;
}
/**
* Get effective allowed and blocked IPs for a domain
*
* This method combines domain-specific security rules from the forwarding configuration
* with global security defaults when necessary.
*/
public getEffectiveIPRules(domainConfig: IDomainConfig): {
allowedIPs: string[],
blockedIPs: string[]
} {
// Start with empty arrays
const allowedIPs: string[] = [];
const blockedIPs: string[] = [];
// Add IPs from forwarding security settings if available
if (domainConfig.forwarding?.security?.allowedIps) {
allowedIPs.push(...domainConfig.forwarding.security.allowedIps);
} else {
// If no allowed IPs are specified in forwarding config and global defaults exist, use them
if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
allowedIPs.push(...this.settings.defaultAllowedIPs);
} else {
// Default to allow all if no specific rules
allowedIPs.push('*');
}
}
// Add blocked IPs from forwarding security settings if available
if (domainConfig.forwarding?.security?.blockedIps) {
blockedIPs.push(...domainConfig.forwarding.security.blockedIps);
}
// Always add global blocked IPs, even if domain has its own rules
// This ensures that global blocks take precedence
if (this.settings.defaultBlockedIPs && this.settings.defaultBlockedIPs.length > 0) {
// Add only unique IPs that aren't already in the list
for (const ip of this.settings.defaultBlockedIPs) {
if (!blockedIPs.includes(ip)) {
blockedIPs.push(ip);
}
}
}
return {
allowedIPs,
blockedIPs
};
}
/**
* Get connection timeout for a domain
*/
public getConnectionTimeout(domainConfig?: IDomainConfig): number {
if (domainConfig?.forwarding.advanced?.timeout) {
return domainConfig.forwarding.advanced.timeout;
}
return this.settings.maxConnectionLifetime || 86400000; // 24 hours default
}
/**
* Creates a forwarding handler for a domain configuration
*/
private createForwardingHandler(domainConfig: IDomainConfig): ForwardingHandler {
// Create a new handler using the factory
const handler = ForwardingHandlerFactory.createHandler(domainConfig.forwarding);
// Initialize the handler
handler.initialize().catch(err => {
console.log(`Error initializing forwarding handler for ${domainConfig.domains.join(', ')}: ${err}`);
});
return handler;
}
/**
* Gets a forwarding handler for a domain config
* If no handler exists, creates one
*/
public getForwardingHandler(domainConfig: IDomainConfig): ForwardingHandler {
// If we already have a handler, return it
if (this.forwardingHandlers.has(domainConfig)) {
return this.forwardingHandlers.get(domainConfig)!;
}
// Otherwise create a new handler
const handler = this.createForwardingHandler(domainConfig);
this.forwardingHandlers.set(domainConfig, handler);
return handler;
}
/**
* Gets the forwarding type for a domain config
*/
public getForwardingType(domainConfig?: IDomainConfig): TForwardingType | undefined {
if (!domainConfig?.forwarding) return undefined;
return domainConfig.forwarding.type;
}
/**
* Checks if the forwarding type requires TLS termination
*/
public requiresTlsTermination(domainConfig?: IDomainConfig): boolean {
if (!domainConfig) return false;
const forwardingType = this.getForwardingType(domainConfig);
return forwardingType === 'https-terminate-to-http' ||
forwardingType === 'https-terminate-to-https';
}
/**
* Checks if the forwarding type supports HTTP
*/
public supportsHttp(domainConfig?: IDomainConfig): boolean {
if (!domainConfig) return false;
const forwardingType = this.getForwardingType(domainConfig);
// HTTP-only always supports HTTP
if (forwardingType === 'http-only') return true;
// For termination types, check the HTTP settings
if (forwardingType === 'https-terminate-to-http' ||
forwardingType === 'https-terminate-to-https') {
// HTTP is supported by default for termination types
return domainConfig.forwarding?.http?.enabled !== false;
}
// HTTPS-passthrough doesn't support HTTP
return false;
}
/**
* Checks if HTTP requests should be redirected to HTTPS
*/
public shouldRedirectToHttps(domainConfig?: IDomainConfig): boolean {
if (!domainConfig?.forwarding) return false;
// Only check for redirect if HTTP is enabled
if (this.supportsHttp(domainConfig)) {
return !!domainConfig.forwarding.http?.redirectToHttps;
}
return false;
}
}

14
ts/proxies/smart-proxy/index.ts
View File

@ -20,15 +20,5 @@ export { NetworkProxyBridge } from './network-proxy-bridge.js';
export { RouteManager } from './route-manager.js';
export { RouteConnectionHandler } from './route-connection-handler.js';
// Export route helpers for configuration
export {
createRoute,
createHttpRoute,
createHttpsRoute,
createPassthroughRoute,
createRedirectRoute,
createHttpToHttpsRedirect,
createBlockRoute,
createLoadBalancerRoute,
createHttpsServer
} from './route-helpers.js';
// Export all helper functions from the utils directory
export * from './utils/index.js';

11
ts/proxies/smart-proxy/models/interfaces.ts
View File

@ -33,10 +33,8 @@ export interface ISmartProxyOptions {
// The unified configuration array (required)
routes: IRouteConfig[];
// Port range configuration
globalPortRanges?: Array<{ from: number; to: number }>;
forwardAllGlobalRanges?: boolean;
preserveSourceIP?: boolean;
// Port configuration
preserveSourceIP?: boolean; // Preserve client IP when forwarding
// Global/default settings
defaults?: {
@ -140,6 +138,11 @@ export interface IConnectionRecord {
hasReceivedInitialData: boolean; // Whether initial data has been received
routeConfig?: IRouteConfig; // Associated route config for this connection
// Target information (for dynamic port/host mapping)
targetHost?: string; // Resolved target host
targetPort?: number; // Resolved target port
tlsVersion?: string; // TLS version (for routing context)
// Keep-alive tracking
hasKeepAlive: boolean; // Whether keep-alive is enabled for this connection
inactivityWarningIssued?: boolean; // Whether an inactivity warning has been issued

85
ts/proxies/smart-proxy/models/route-types.ts
View File

@ -34,13 +34,43 @@ export interface IRouteMatch {
headers?: Record<string, string | RegExp>; // Match specific HTTP headers
}
/**
* Context provided to port and host mapping functions
*/
export interface IRouteContext {
// Connection information
port: number; // The matched incoming port
domain?: string; // The domain from SNI or Host header
clientIp: string; // The client's IP address
serverIp: string; // The server's IP address
path?: string; // URL path (for HTTP connections)
query?: string; // Query string (for HTTP connections)
headers?: Record<string, string>; // HTTP headers (for HTTP connections)
// TLS information
isTls: boolean; // Whether the connection is TLS
tlsVersion?: string; // TLS version if applicable
// Route information
routeName?: string; // The name of the matched route
routeId?: string; // The ID of the matched route
// Target information (resolved from dynamic mapping)
targetHost?: string; // The resolved target host
targetPort?: number; // The resolved target port
// Additional properties
timestamp: number; // The request timestamp
connectionId: string; // Unique connection identifier
}
/**
* Target configuration for forwarding
*/
export interface IRouteTarget {
host: string | string[]; // Support single host or round-robin
port: number;
preservePort?: boolean; // Use incoming port as target port
host: string | string[] | ((context: any) => string | string[]); // Support static or dynamic host selection with any compatible context
port: number | ((context: any) => number); // Support static or dynamic port mapping with any compatible context
preservePort?: boolean; // Use incoming port as target port (ignored if port is a function)
}
/**
@ -115,6 +145,16 @@ export interface IRouteTestResponse {
body: string;
}
/**
* URL rewriting configuration
*/
export interface IRouteUrlRewrite {
pattern: string; // RegExp pattern to match in URL
target: string; // Replacement pattern (supports template variables like {domain})
flags?: string; // RegExp flags like 'g' for global replacement
onlyRewritePath?: boolean; // Only apply to path, not query string
}
/**
* Advanced options for route actions
*/
@ -124,6 +164,7 @@ export interface IRouteAdvanced {
keepAlive?: boolean;
staticFiles?: IRouteStaticFiles;
testResponse?: IRouteTestResponse;
urlRewrite?: IRouteUrlRewrite; // URL rewriting configuration
// Additional advanced options would go here
}
@ -131,10 +172,15 @@ export interface IRouteAdvanced {
* WebSocket configuration
*/
export interface IRouteWebSocket {
enabled: boolean;
pingInterval?: number;
pingTimeout?: number;
maxPayloadSize?: number;
enabled: boolean; // Whether WebSockets are enabled for this route
pingInterval?: number; // Interval for sending ping frames (ms)
pingTimeout?: number; // Timeout for pong response (ms)
maxPayloadSize?: number; // Maximum message size in bytes
customHeaders?: Record<string, string>; // Custom headers for WebSocket handshake
subprotocols?: string[]; // Supported subprotocols
rewritePath?: string; // Path rewriting for WebSocket connections
allowedOrigins?: string[]; // Allowed origins for WebSocket connections
authenticateRequest?: boolean; // Whether to apply route security to WebSocket connections
}
/**
@ -181,6 +227,12 @@ export interface IRouteAction {
// Advanced options
advanced?: IRouteAdvanced;
// Additional options for backend-specific settings
options?: {
backendProtocol?: 'http1' | 'http2';
[key: string]: any;
};
}
/**
@ -219,12 +271,27 @@ export interface IRouteSecurity {
ipBlockList?: string[];
}
/**
* CORS configuration for a route
*/
export interface IRouteCors {
enabled: boolean; // Whether CORS is enabled for this route
allowOrigin?: string | string[]; // Allowed origins (*,domain.com,[domain1,domain2])
allowMethods?: string; // Allowed methods (GET,POST,etc.)
allowHeaders?: string; // Allowed headers
allowCredentials?: boolean; // Whether to allow credentials
exposeHeaders?: string; // Headers to expose to the client
maxAge?: number; // Preflight cache duration in seconds
preflight?: boolean; // Whether to respond to preflight requests
}
/**
* Headers configuration
*/
export interface IRouteHeaders {
request?: Record<string, string>;
response?: Record<string, string>;
request?: Record<string, string>; // Headers to add/modify for requests to backend
response?: Record<string, string>; // Headers to add/modify for responses to client
cors?: IRouteCors; // CORS configuration
}
/**

277
ts/proxies/smart-proxy/network-proxy-bridge.ts
View File

@ -1,7 +1,6 @@
import * as plugins from '../../plugins.js';
import { NetworkProxy } from '../network-proxy/index.js';
import { Port80Handler } from '../../http/port80/port80-handler.js';
import { Port80HandlerEvents } from '../../core/models/common-types.js';
import { subscribeToPort80Handler } from '../../core/utils/event-utils.js';
import type { ICertificateData } from '../../certificate/models/certificate-types.js';
import type { IConnectionRecord, ISmartProxyOptions } from './models/interfaces.js';
@ -11,8 +10,8 @@ import type { IRouteConfig } from './models/route-types.js';
* Manages NetworkProxy integration for TLS termination
*
* NetworkProxyBridge connects SmartProxy with NetworkProxy to handle TLS termination.
* It directly maps route configurations to NetworkProxy configuration format and manages
* certificate provisioning through Port80Handler when ACME is enabled.
* It directly passes route configurations to NetworkProxy and manages the physical
* connection piping between SmartProxy and NetworkProxy for TLS termination.
*
* It is used by SmartProxy for routes that have:
* - TLS mode of 'terminate' or 'terminate-and-reencrypt'
@ -49,7 +48,7 @@ export class NetworkProxyBridge {
*/
public async initialize(): Promise<void> {
if (!this.networkProxy && this.settings.useNetworkProxy && this.settings.useNetworkProxy.length > 0) {
// Configure NetworkProxy options based on PortProxy settings
// Configure NetworkProxy options based on SmartProxy settings
const networkProxyOptions: any = {
port: this.settings.networkProxyPort!,
portProxyIntegration: true,
@ -57,7 +56,6 @@ export class NetworkProxyBridge {
useExternalPort80Handler: !!this.port80Handler // Use Port80Handler if available
};
this.networkProxy = new NetworkProxy(networkProxyOptions);
console.log(`Initialized NetworkProxy on port ${this.settings.networkProxyPort}`);
@ -80,29 +78,8 @@ export class NetworkProxyBridge {
console.log(`Received certificate for ${data.domain} from Port80Handler, updating NetworkProxy`);
try {
// Find existing config for this domain
const existingConfigs = this.networkProxy.getProxyConfigs()
.filter(config => config.hostName === data.domain);
if (existingConfigs.length > 0) {
// Update existing configs with new certificate
for (const config of existingConfigs) {
config.privateKey = data.privateKey;
config.publicKey = data.certificate;
}
// Apply updated configs
this.networkProxy.updateProxyConfigs(existingConfigs)
.then(() => console.log(`Updated certificate for ${data.domain} in NetworkProxy`))
.catch(err => console.log(`Error updating certificate in NetworkProxy: ${err}`));
} else {
// Create a new config for this domain
console.log(`No existing config found for ${data.domain}, creating new config in NetworkProxy`);
}
} catch (err) {
console.log(`Error handling certificate event: ${err}`);
}
// Apply certificate directly to NetworkProxy
this.networkProxy.updateCertificate(data.domain, data.certificate, data.privateKey);
}
/**
@ -113,7 +90,9 @@ export class NetworkProxyBridge {
console.log(`NetworkProxy not initialized: cannot apply external certificate for ${data.domain}`);
return;
}
this.handleCertificateEvent(data);
// Apply certificate directly to NetworkProxy
this.networkProxy.updateCertificate(data.domain, data.certificate, data.privateKey);
}
/**
@ -155,92 +134,6 @@ export class NetworkProxyBridge {
}
}
/**
* Register domains from routes with Port80Handler for certificate management
*
* Extracts domains from routes that require TLS termination and registers them
* with the Port80Handler for certificate issuance and renewal.
*
* @param routes The route configurations to extract domains from
*/
public registerDomainsWithPort80Handler(routes: IRouteConfig[]): void {
if (!this.port80Handler) {
console.log('Cannot register domains - Port80Handler not initialized');
return;
}
// Extract domains from routes that require TLS termination
const domainsToRegister = new Set<string>();
for (const route of routes) {
// Skip routes without domains or TLS configuration
if (!route.match.domains || !route.action.tls) continue;
// Only register domains for routes that terminate TLS
if (route.action.tls.mode !== 'terminate' && route.action.tls.mode !== 'terminate-and-reencrypt') continue;
// Extract domains from route
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
// Add each domain to the set (avoiding duplicates)
for (const domain of domains) {
// Skip wildcards
if (domain.includes('*')) {
console.log(`Skipping wildcard domain for ACME: ${domain}`);
continue;
}
domainsToRegister.add(domain);
}
}
// Register each unique domain with Port80Handler
for (const domain of domainsToRegister) {
try {
this.port80Handler.addDomain({
domainName: domain,
sslRedirect: true,
acmeMaintenance: true,
// Include route reference if we can find it
routeReference: this.findRouteReferenceForDomain(domain, routes)
});
console.log(`Registered domain with Port80Handler: ${domain}`);
} catch (err) {
console.log(`Error registering domain ${domain} with Port80Handler: ${err}`);
}
}
}
/**
* Finds the route reference for a given domain
*
* @param domain The domain to find a route reference for
* @param routes The routes to search
* @returns The route reference if found, undefined otherwise
*/
private findRouteReferenceForDomain(domain: string, routes: IRouteConfig[]): { routeId?: string; routeName?: string } | undefined {
// Find the first route that matches this domain
for (const route of routes) {
if (!route.match.domains) continue;
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
if (domains.includes(domain)) {
return {
routeId: undefined, // No explicit IDs in our current routes
routeName: route.name
};
}
}
return undefined;
}
/**
* Forwards a TLS connection to a NetworkProxy for handling
*/
@ -305,7 +198,6 @@ export class NetworkProxyBridge {
socket.pipe(proxySocket);
proxySocket.pipe(socket);
// Update activity on data transfer (caller should handle this)
if (this.settings.enableDetailedLogging) {
console.log(`[${connectionId}] TLS connection successfully forwarded to NetworkProxy`);
}
@ -315,13 +207,8 @@ export class NetworkProxyBridge {
/**
* Synchronizes routes to NetworkProxy
*
* This method directly maps route configurations to NetworkProxy format and updates
* the NetworkProxy with these configurations. It handles:
*
* - Extracting domain, target, and certificate information from routes
* - Converting TLS mode settings to NetworkProxy configuration
* - Applying security and advanced settings
* - Registering domains for ACME certificate provisioning when needed
* This method directly passes route configurations to NetworkProxy without any
* intermediate conversion. NetworkProxy natively understands route configurations.
*
* @param routes The route configurations to sync to NetworkProxy
*/
@ -332,140 +219,22 @@ export class NetworkProxyBridge {
}
try {
// Get SSL certificates from assets
// Import fs directly since it's not in plugins
const fs = await import('fs');
let defaultCertPair;
try {
defaultCertPair = {
key: fs.readFileSync('assets/certs/key.pem', 'utf8'),
cert: fs.readFileSync('assets/certs/cert.pem', 'utf8'),
};
} catch (certError) {
console.log(`Warning: Could not read default certificates: ${certError}`);
console.log(
'Using empty certificate placeholders - ACME will generate proper certificates if enabled'
// Filter only routes that are applicable to NetworkProxy (TLS termination)
const networkProxyRoutes = routes.filter(route => {
return (
route.action.type === 'forward' &&
route.action.tls &&
(route.action.tls.mode === 'terminate' || route.action.tls.mode === 'terminate-and-reencrypt')
);
});
// Use empty placeholders - NetworkProxy will use its internal defaults
// or ACME will generate proper ones if enabled
defaultCertPair = {
key: '',
cert: '',
};
}
// Map routes directly to NetworkProxy configs
const proxyConfigs = this.mapRoutesToNetworkProxyConfigs(routes, defaultCertPair);
// Update the proxy configs
await this.networkProxy.updateProxyConfigs(proxyConfigs);
console.log(`Synced ${proxyConfigs.length} configurations to NetworkProxy`);
// Register domains with Port80Handler for certificate issuance
if (this.port80Handler) {
this.registerDomainsWithPort80Handler(routes);
}
// Pass routes directly to NetworkProxy
await this.networkProxy.updateRouteConfigs(networkProxyRoutes);
console.log(`Synced ${networkProxyRoutes.length} routes directly to NetworkProxy`);
} catch (err) {
console.log(`Error syncing routes to NetworkProxy: ${err}`);
}
}
/**
* Map routes directly to NetworkProxy configuration format
*
* This method directly maps route configurations to NetworkProxy's format
* without any intermediate domain-based representation. It processes each route
* and creates appropriate NetworkProxy configs for domains that require TLS termination.
*
* @param routes Array of route configurations to map
* @param defaultCertPair Default certificate to use if no custom certificate is specified
* @returns Array of NetworkProxy configurations
*/
public mapRoutesToNetworkProxyConfigs(
routes: IRouteConfig[],
defaultCertPair: { key: string; cert: string }
): plugins.tsclass.network.IReverseProxyConfig[] {
const configs: plugins.tsclass.network.IReverseProxyConfig[] = [];
for (const route of routes) {
// Skip routes without domains
if (!route.match.domains) continue;
// Skip non-forward routes
if (route.action.type !== 'forward') continue;
// Skip routes without TLS configuration
if (!route.action.tls || !route.action.target) continue;
// Skip routes that don't require TLS termination
if (route.action.tls.mode !== 'terminate' && route.action.tls.mode !== 'terminate-and-reencrypt') continue;
// Get domains from route
const domains = Array.isArray(route.match.domains)
? route.match.domains
: [route.match.domains];
// Create a config for each domain
for (const domain of domains) {
// Get certificate
let certKey = defaultCertPair.key;
let certCert = defaultCertPair.cert;
// Use custom certificate if specified
if (route.action.tls.certificate !== 'auto' && typeof route.action.tls.certificate === 'object') {
certKey = route.action.tls.certificate.key;
certCert = route.action.tls.certificate.cert;
}
// Determine target hosts and ports
const targetHosts = Array.isArray(route.action.target.host)
? route.action.target.host
: [route.action.target.host];
const targetPort = route.action.target.port;
// Create the NetworkProxy config
const config: plugins.tsclass.network.IReverseProxyConfig = {
hostName: domain,
privateKey: certKey,
publicKey: certCert,
destinationIps: targetHosts,
destinationPorts: [targetPort]
// Note: We can't include additional metadata as it's not supported in the interface
};
configs.push(config);
}
}
return configs;
}
/**
* @deprecated This method is kept for backward compatibility.
* Use mapRoutesToNetworkProxyConfigs() instead.
*/
public convertRoutesToNetworkProxyConfigs(
routes: IRouteConfig[],
defaultCertPair: { key: string; cert: string }
): plugins.tsclass.network.IReverseProxyConfig[] {
return this.mapRoutesToNetworkProxyConfigs(routes, defaultCertPair);
}
/**
* @deprecated This method is deprecated and will be removed in a future version.
* Use syncRoutesToNetworkProxy() instead.
*
* This legacy method exists only for backward compatibility and
* simply forwards to syncRoutesToNetworkProxy().
*/
public async syncDomainConfigsToNetworkProxy(): Promise<void> {
console.log('DEPRECATED: Method syncDomainConfigsToNetworkProxy will be removed in a future version.');
console.log('Please use syncRoutesToNetworkProxy() instead for direct route-based configuration.');
await this.syncRoutesToNetworkProxy(this.settings.routes || []);
}
/**
* Request a certificate for a specific domain
@ -496,12 +265,6 @@ export class NetworkProxyBridge {
domainOptions.routeReference = {
routeName
};
} else {
// Try to find a route reference from the current routes
const routeReference = this.findRouteReferenceForDomain(domain, this.settings.routes || []);
if (routeReference) {
domainOptions.routeReference = routeReference;
}
}
// Register the domain for certificate issuance

195
ts/proxies/smart-proxy/port-manager.ts Normal file
View File

@ -0,0 +1,195 @@
import * as plugins from '../../plugins.js';
import type { ISmartProxyOptions } from './models/interfaces.js';
import { RouteConnectionHandler } from './route-connection-handler.js';
/**
* PortManager handles the dynamic creation and removal of port listeners
*
* This class provides methods to add and remove listening ports at runtime,
* allowing SmartProxy to adapt to configuration changes without requiring
* a full restart.
*/
export class PortManager {
private servers: Map<number, plugins.net.Server> = new Map();
private settings: ISmartProxyOptions;
private routeConnectionHandler: RouteConnectionHandler;
private isShuttingDown: boolean = false;
/**
* Create a new PortManager
*
* @param settings The SmartProxy settings
* @param routeConnectionHandler The handler for new connections
*/
constructor(
settings: ISmartProxyOptions,
routeConnectionHandler: RouteConnectionHandler
) {
this.settings = settings;
this.routeConnectionHandler = routeConnectionHandler;
}
/**
* Start listening on a specific port
*
* @param port The port number to listen on
* @returns Promise that resolves when the server is listening or rejects on error
*/
public async addPort(port: number): Promise<void> {
// Check if we're already listening on this port
if (this.servers.has(port)) {
console.log(`PortManager: Already listening on port ${port}`);
return;
}
// Create a server for this port
const server = plugins.net.createServer((socket) => {
// Check if shutting down
if (this.isShuttingDown) {
socket.end();
socket.destroy();
return;
}
// Delegate to route connection handler
this.routeConnectionHandler.handleConnection(socket);
}).on('error', (err: Error) => {
console.log(`Server Error on port ${port}: ${err.message}`);
});
// Start listening on the port
return new Promise<void>((resolve, reject) => {
server.listen(port, () => {
const isNetworkProxyPort = this.settings.useNetworkProxy?.includes(port);
console.log(
`SmartProxy -> OK: Now listening on port ${port}${
isNetworkProxyPort ? ' (NetworkProxy forwarding enabled)' : ''
}`
);
// Store the server reference
this.servers.set(port, server);
resolve();
}).on('error', (err) => {
console.log(`Failed to listen on port ${port}: ${err.message}`);
reject(err);
});
});
}
/**
* Stop listening on a specific port
*
* @param port The port to stop listening on
* @returns Promise that resolves when the server is closed
*/
public async removePort(port: number): Promise<void> {
// Get the server for this port
const server = this.servers.get(port);
if (!server) {
console.log(`PortManager: Not listening on port ${port}`);
return;
}
// Close the server
return new Promise<void>((resolve) => {
server.close((err) => {
if (err) {
console.log(`Error closing server on port ${port}: ${err.message}`);
} else {
console.log(`SmartProxy -> Stopped listening on port ${port}`);
}
// Remove the server reference
this.servers.delete(port);
resolve();
});
});
}
/**
* Add multiple ports at once
*
* @param ports Array of ports to add
* @returns Promise that resolves when all servers are listening
*/
public async addPorts(ports: number[]): Promise<void> {
const uniquePorts = [...new Set(ports)];
await Promise.all(uniquePorts.map(port => this.addPort(port)));
}
/**
* Remove multiple ports at once
*
* @param ports Array of ports to remove
* @returns Promise that resolves when all servers are closed
*/
public async removePorts(ports: number[]): Promise<void> {
const uniquePorts = [...new Set(ports)];
await Promise.all(uniquePorts.map(port => this.removePort(port)));
}
/**
* Update listening ports to match the provided list
*
* This will add any ports that aren't currently listening,
* and remove any ports that are no longer needed.
*
* @param ports Array of ports that should be listening
* @returns Promise that resolves when all operations are complete
*/
public async updatePorts(ports: number[]): Promise<void> {
const targetPorts = new Set(ports);
const currentPorts = new Set(this.servers.keys());
// Find ports to add and remove
const portsToAdd = ports.filter(port => !currentPorts.has(port));
const portsToRemove = Array.from(currentPorts).filter(port => !targetPorts.has(port));
// Log the changes
if (portsToAdd.length > 0) {
console.log(`PortManager: Adding new listeners for ports: ${portsToAdd.join(', ')}`);
}
if (portsToRemove.length > 0) {
console.log(`PortManager: Removing listeners for ports: ${portsToRemove.join(', ')}`);
}
// Add and remove ports
await this.removePorts(portsToRemove);
await this.addPorts(portsToAdd);
}
/**
* Get all ports that are currently listening
*
* @returns Array of port numbers
*/
public getListeningPorts(): number[] {
return Array.from(this.servers.keys());
}
/**
* Mark the port manager as shutting down
*/
public setShuttingDown(isShuttingDown: boolean): void {
this.isShuttingDown = isShuttingDown;
}
/**
* Close all listening servers
*
* @returns Promise that resolves when all servers are closed
*/
public async closeAll(): Promise<void> {
const allPorts = Array.from(this.servers.keys());
await this.removePorts(allPorts);
}
/**
* Get all server instances (for testing or debugging)
*/
public getServers(): Map<number, plugins.net.Server> {
return new Map(this.servers);
}
}

177
ts/proxies/smart-proxy/route-connection-handler.ts
View File

@ -8,7 +8,8 @@ import {
} from './models/interfaces.js';
import type {
IRouteConfig,
IRouteAction
IRouteAction,
IRouteContext
} from './models/route-types.js';
import { ConnectionManager } from './connection-manager.js';
import { SecurityManager } from './security-manager.js';
@ -24,6 +25,9 @@ import type { ForwardingHandler } from '../../forwarding/handlers/base-handler.j
export class RouteConnectionHandler {
private settings: ISmartProxyOptions;
// Cache for route contexts to avoid recreation
private routeContextCache: Map<string, IRouteContext> = new Map();
constructor(
settings: ISmartProxyOptions,
private connectionManager: ConnectionManager,
@ -36,6 +40,47 @@ export class RouteConnectionHandler {
this.settings = settings;
}
/**
* Create a route context object for port and host mapping functions
*/
private createRouteContext(options: {
connectionId: string;
port: number;
domain?: string;
clientIp: string;
serverIp: string;
isTls: boolean;
tlsVersion?: string;
routeName?: string;
routeId?: string;
path?: string;
query?: string;
headers?: Record<string, string>;
}): IRouteContext {
return {
// Connection information
port: options.port,
domain: options.domain,
clientIp: options.clientIp,
serverIp: options.serverIp,
path: options.path,
query: options.query,
headers: options.headers,
// TLS information
isTls: options.isTls,
tlsVersion: options.tlsVersion,
// Route information
routeName: options.routeName,
routeId: options.routeId,
// Additional properties
timestamp: Date.now(),
connectionId: options.connectionId
};
}
/**
* Handle a new incoming connection
*/
@ -325,7 +370,7 @@ export class RouteConnectionHandler {
): void {
const connectionId = record.id;
const action = route.action;
// We should have a target configuration for forwarding
if (!action.target) {
console.log(`[${connectionId}] Forward action missing target configuration`);
@ -333,24 +378,82 @@ export class RouteConnectionHandler {
this.connectionManager.cleanupConnection(record, 'missing_target');
return;
}
// Create the routing context for this connection
const routeContext = this.createRouteContext({
connectionId: record.id,
port: record.localPort,
domain: record.lockedDomain,
clientIp: record.remoteIP,
serverIp: socket.localAddress || '',
isTls: record.isTLS || false,
tlsVersion: record.tlsVersion,
routeName: route.name,
routeId: route.id
});
// Cache the context for potential reuse
this.routeContextCache.set(connectionId, routeContext);
// Determine host using function or static value
let targetHost: string | string[];
if (typeof action.target.host === 'function') {
try {
targetHost = action.target.host(routeContext);
if (this.settings.enableDetailedLogging) {
console.log(`[${connectionId}] Dynamic host resolved to: ${Array.isArray(targetHost) ? targetHost.join(', ') : targetHost}`);
}
} catch (err) {
console.log(`[${connectionId}] Error in host mapping function: ${err}`);
socket.end();
this.connectionManager.cleanupConnection(record, 'host_mapping_error');
return;
}
} else {
targetHost = action.target.host;
}
// If an array of hosts, select one randomly for load balancing
const selectedHost = Array.isArray(targetHost)
? targetHost[Math.floor(Math.random() * targetHost.length)]
: targetHost;
// Determine port using function or static value
let targetPort: number;
if (typeof action.target.port === 'function') {
try {
targetPort = action.target.port(routeContext);
if (this.settings.enableDetailedLogging) {
console.log(`[${connectionId}] Dynamic port mapping: ${record.localPort} -> ${targetPort}`);
}
// Store the resolved target port in the context for potential future use
routeContext.targetPort = targetPort;
} catch (err) {
console.log(`[${connectionId}] Error in port mapping function: ${err}`);
socket.end();
this.connectionManager.cleanupConnection(record, 'port_mapping_error');
return;
}
} else if (action.target.preservePort) {
// Use incoming port if preservePort is true
targetPort = record.localPort;
} else {
// Use static port from configuration
targetPort = action.target.port;
}
// Store the resolved host in the context
routeContext.targetHost = selectedHost;
// Determine if this needs TLS handling
if (action.tls) {
switch (action.tls.mode) {
case 'passthrough':
// For TLS passthrough, just forward directly
if (this.settings.enableDetailedLogging) {
console.log(`[${connectionId}] Using TLS passthrough to ${action.target.host}`);
console.log(`[${connectionId}] Using TLS passthrough to ${selectedHost}:${targetPort}`);
}
// Allow for array of hosts
const targetHost = Array.isArray(action.target.host)
? action.target.host[Math.floor(Math.random() * action.target.host.length)]
: action.target.host;
// Determine target port - either target port or preserve incoming port
const targetPort = action.target.preservePort ? record.localPort : action.target.port;
return this.setupDirectConnection(
socket,
record,
@ -358,7 +461,7 @@ export class RouteConnectionHandler {
record.lockedDomain,
initialChunk,
undefined,
targetHost,
selectedHost,
targetPort
);
@ -402,14 +505,36 @@ export class RouteConnectionHandler {
console.log(`[${connectionId}] Using basic forwarding to ${action.target.host}:${action.target.port}`);
}
// Allow for array of hosts
const targetHost = Array.isArray(action.target.host)
? action.target.host[Math.floor(Math.random() * action.target.host.length)]
: action.target.host;
// Determine target port - either target port or preserve incoming port
const targetPort = action.target.preservePort ? record.localPort : action.target.port;
// Get the appropriate host value
let targetHost: string;
if (typeof action.target.host === 'function') {
// For function-based host, use the same routeContext created earlier
const hostResult = action.target.host(routeContext);
targetHost = Array.isArray(hostResult)
? hostResult[Math.floor(Math.random() * hostResult.length)]
: hostResult;
} else {
// For static host value
targetHost = Array.isArray(action.target.host)
? action.target.host[Math.floor(Math.random() * action.target.host.length)]
: action.target.host;
}
// Determine port - either function-based, static, or preserve incoming port
let targetPort: number;
if (typeof action.target.port === 'function') {
targetPort = action.target.port(routeContext);
} else if (action.target.preservePort) {
targetPort = record.localPort;
} else {
targetPort = action.target.port;
}
// Update the connection record and context with resolved values
record.targetHost = targetHost;
record.targetPort = targetPort;
return this.setupDirectConnection(
socket,
record,
@ -552,13 +677,23 @@ export class RouteConnectionHandler {
// Determine target host and port if not provided
const finalTargetHost = targetHost ||
record.targetHost ||
(this.settings.defaults?.target?.host || 'localhost');
// Determine target port
const finalTargetPort = targetPort ||
record.targetPort ||
(overridePort !== undefined ? overridePort :
(this.settings.defaults?.target?.port || 443));
// Update record with final target information
record.targetHost = finalTargetHost;
record.targetPort = finalTargetPort;
if (this.settings.enableDetailedLogging) {
console.log(`[${connectionId}] Setting up direct connection to ${finalTargetHost}:${finalTargetPort}`);
}
// Setup connection options
const connectionOptions: plugins.net.NetConnectOpts = {
host: finalTargetHost,

76
ts/proxies/smart-proxy/route-manager.ts
View File

@ -58,36 +58,88 @@ export class RouteManager extends plugins.EventEmitter {
/**
* Rebuild the port mapping for fast lookups
* Also logs information about the ports being listened on
*/
private rebuildPortMap(): void {
this.portMap.clear();
this.portRangeCache.clear(); // Clear cache when rebuilding
// Track ports for logging
const portToRoutesMap = new Map<number, string[]>();
for (const route of this.routes) {
const ports = this.expandPortRange(route.match.ports);
// Skip if no ports were found
if (ports.length === 0) {
console.warn(`Route ${route.name || 'unnamed'} has no valid ports to listen on`);
continue;
}
for (const port of ports) {
// Add to portMap for routing
if (!this.portMap.has(port)) {
this.portMap.set(port, []);
}
this.portMap.get(port)!.push(route);
// Add to tracking for logging
if (!portToRoutesMap.has(port)) {
portToRoutesMap.set(port, []);
}
portToRoutesMap.get(port)!.push(route.name || 'unnamed');
}
}
// Log summary of ports and routes
const totalPorts = this.portMap.size;
const totalRoutes = this.routes.length;
console.log(`Route manager configured with ${totalRoutes} routes across ${totalPorts} ports`);
// Log port details if detailed logging is enabled
const enableDetailedLogging = this.options.enableDetailedLogging;
if (enableDetailedLogging) {
for (const [port, routes] of this.portMap.entries()) {
console.log(`Port ${port}: ${routes.length} routes (${portToRoutesMap.get(port)!.join(', ')})`);
}
}
}
/**
* Expand a port range specification into an array of individual ports
* Uses caching to improve performance for frequently used port ranges
*
* @public - Made public to allow external code to interpret port ranges
*/
private expandPortRange(portRange: TPortRange): number[] {
public expandPortRange(portRange: TPortRange): number[] {
// For simple number, return immediately
if (typeof portRange === 'number') {
return [portRange];
}
// Create a cache key for this port range
const cacheKey = JSON.stringify(portRange);
// Check if we have a cached result
if (this.portRangeCache.has(cacheKey)) {
return this.portRangeCache.get(cacheKey)!;
}
// Process the port range
let result: number[] = [];
if (Array.isArray(portRange)) {
// Handle array of port objects or numbers
return portRange.flatMap(item => {
result = portRange.flatMap(item => {
if (typeof item === 'number') {
return [item];
} else if (typeof item === 'object' && 'from' in item && 'to' in item) {
// Handle port range object - check valid range
if (item.from > item.to) {
console.warn(`Invalid port range: from (${item.from}) > to (${item.to})`);
return [];
}
// Handle port range object
const ports: number[] = [];
for (let p = item.from; p <= item.to; p++) {
@ -98,14 +150,24 @@ export class RouteManager extends plugins.EventEmitter {
return [];
});
}
return [];
// Cache the result
this.portRangeCache.set(cacheKey, result);
return result;
}
/**
* Memoization cache for expanded port ranges
*/
private portRangeCache: Map<string, number[]> = new Map();
/**
* Get all ports that should be listened on
* This method automatically infers all required ports from route configurations
*/
public getListeningPorts(): number[] {
// Return the unique set of ports from all routes
return Array.from(this.portMap.keys());
}

111
ts/proxies/smart-proxy/smart-proxy.ts
View File

@ -6,7 +6,7 @@ import { SecurityManager } from './security-manager.js';
import { TlsManager } from './tls-manager.js';
import { NetworkProxyBridge } from './network-proxy-bridge.js';
import { TimeoutManager } from './timeout-manager.js';
// import { PortRangeManager } from './port-range-manager.js';
import { PortManager } from './port-manager.js';
import { RouteManager } from './route-manager.js';
import { RouteConnectionHandler } from './route-connection-handler.js';
@ -39,7 +39,8 @@ import type { IRouteConfig } from './models/route-types.js';
* - Advanced options (timeout, headers, etc.)
*/
export class SmartProxy extends plugins.EventEmitter {
private netServers: plugins.net.Server[] = [];
// Port manager handles dynamic listener management
private portManager: PortManager;
private connectionLogger: NodeJS.Timeout | null = null;
private isShuttingDown: boolean = false;
@ -49,8 +50,7 @@ export class SmartProxy extends plugins.EventEmitter {
private tlsManager: TlsManager;
private networkProxyBridge: NetworkProxyBridge;
private timeoutManager: TimeoutManager;
// private portRangeManager: PortRangeManager;
private routeManager: RouteManager;
public routeManager: RouteManager; // Made public for route management
private routeConnectionHandler: RouteConnectionHandler;
// Port80Handler for ACME certificate management
@ -151,8 +151,6 @@ export class SmartProxy extends plugins.EventEmitter {
// Create the route manager
this.routeManager = new RouteManager(this.settings);
// Create port range manager
// this.portRangeManager = new PortRangeManager(this.settings);
// Create other required components
this.tlsManager = new TlsManager(this.settings);
@ -168,6 +166,9 @@ export class SmartProxy extends plugins.EventEmitter {
this.timeoutManager,
this.routeManager
);
// Initialize port manager
this.portManager = new PortManager(this.settings, this.routeConnectionHandler);
}
/**
@ -271,33 +272,8 @@ export class SmartProxy extends plugins.EventEmitter {
// Get listening ports from RouteManager
const listeningPorts = this.routeManager.getListeningPorts();
// Create servers for each port
for (const port of listeningPorts) {
const server = plugins.net.createServer((socket) => {
// Check if shutting down
if (this.isShuttingDown) {
socket.end();
socket.destroy();
return;
}
// Delegate to route connection handler
this.routeConnectionHandler.handleConnection(socket);
}).on('error', (err: Error) => {
console.log(`Server Error on port ${port}: ${err.message}`);
});
server.listen(port, () => {
const isNetworkProxyPort = this.settings.useNetworkProxy?.includes(port);
console.log(
`SmartProxy -> OK: Now listening on port ${port}${
isNetworkProxyPort ? ' (NetworkProxy forwarding enabled)' : ''
}`
);
});
this.netServers.push(server);
}
// Start port listeners using the PortManager
await this.portManager.addPorts(listeningPorts);
// Set up periodic connection logging and inactivity checks
this.connectionLogger = setInterval(() => {
@ -383,6 +359,7 @@ export class SmartProxy extends plugins.EventEmitter {
public async stop() {
console.log('SmartProxy shutting down...');
this.isShuttingDown = true;
this.portManager.setShuttingDown(true);
// Stop CertProvisioner if active
if (this.certProvisioner) {
@ -401,31 +378,14 @@ export class SmartProxy extends plugins.EventEmitter {
}
}
// Stop accepting new connections
const closeServerPromises: Promise<void>[] = this.netServers.map(
(server) =>
new Promise<void>((resolve) => {
if (!server.listening) {
resolve();
return;
}
server.close((err) => {
if (err) {
console.log(`Error closing server: ${err.message}`);
}
resolve();
});
})
);
// Stop the connection logger
if (this.connectionLogger) {
clearInterval(this.connectionLogger);
this.connectionLogger = null;
}
// Wait for servers to close
await Promise.all(closeServerPromises);
// Stop all port listeners
await this.portManager.closeAll();
console.log('All servers closed. Cleaning up active connections...');
// Clean up all active connections
@ -434,8 +394,6 @@ export class SmartProxy extends plugins.EventEmitter {
// Stop NetworkProxy
await this.networkProxyBridge.stop();
// Clear all servers
this.netServers = [];
console.log('SmartProxy shutdown complete.');
}
@ -479,6 +437,12 @@ export class SmartProxy extends plugins.EventEmitter {
// Update routes in RouteManager
this.routeManager.updateRoutes(newRoutes);
// Get the new set of required ports
const requiredPorts = this.routeManager.getListeningPorts();
// Update port listeners to match the new configuration
await this.portManager.updatePorts(requiredPorts);
// If NetworkProxy is initialized, resync the configurations
if (this.networkProxyBridge.getNetworkProxy()) {
await this.networkProxyBridge.syncRoutesToNetworkProxy(newRoutes);
@ -609,6 +573,41 @@ export class SmartProxy extends plugins.EventEmitter {
return true;
}
/**
* Add a new listening port without changing the route configuration
*
* This allows you to add a port listener without updating routes.
* Useful for preparing to listen on a port before adding routes for it.
*
* @param port The port to start listening on
* @returns Promise that resolves when the port is listening
*/
public async addListeningPort(port: number): Promise<void> {
return this.portManager.addPort(port);
}
/**
* Stop listening on a specific port without changing the route configuration
*
* This allows you to stop a port listener without updating routes.
* Useful for temporary maintenance or port changes.
*
* @param port The port to stop listening on
* @returns Promise that resolves when the port is closed
*/
public async removeListeningPort(port: number): Promise<void> {
return this.portManager.removePort(port);
}
/**
* Get a list of all ports currently being listened on
*
* @returns Array of port numbers
*/
public getListeningPorts(): number[] {
return this.portManager.getListeningPorts();
}
/**
* Get statistics about current connections
*/
@ -638,7 +637,9 @@ export class SmartProxy extends plugins.EventEmitter {
terminationStats,
acmeEnabled: !!this.port80Handler,
port80HandlerPort: this.port80Handler ? this.settings.acme?.port : null,
routes: this.routeManager.getListeningPorts().length
routes: this.routeManager.getListeningPorts().length,
listeningPorts: this.portManager.getListeningPorts(),
activePorts: this.portManager.getListeningPorts().length
};
}

168
ts/proxies/smart-proxy/utils/route-helpers.ts
View File

@ -14,9 +14,11 @@
* - Static file server routes (createStaticFileRoute)
* - API routes (createApiRoute)
* - WebSocket routes (createWebSocketRoute)
* - Port mapping routes (createPortMappingRoute, createOffsetPortMappingRoute)
* - Dynamic routing (createDynamicRoute, createSmartLoadBalancer)
*/
import type { IRouteConfig, IRouteMatch, IRouteAction, IRouteTarget, TPortRange } from '../models/route-types.js';
import type { IRouteConfig, IRouteMatch, IRouteAction, IRouteTarget, TPortRange, IRouteContext } from '../models/route-types.js';
/**
* Create an HTTP-only route configuration
@ -452,4 +454,168 @@ export function createWebSocketRoute(
priority: options.priority || 100, // Higher priority for WebSocket routes
...options
};
}
/**
* Create a helper function that applies a port offset
* @param offset The offset to apply to the matched port
* @returns A function that adds the offset to the matched port
*/
export function createPortOffset(offset: number): (context: IRouteContext) => number {
return (context: IRouteContext) => context.port + offset;
}
/**
* Create a port mapping route with context-based port function
* @param options Port mapping route options
* @returns Route configuration object
*/
export function createPortMappingRoute(options: {
sourcePortRange: TPortRange;
targetHost: string | string[] | ((context: IRouteContext) => string | string[]);
portMapper: (context: IRouteContext) => number;
name?: string;
domains?: string | string[];
priority?: number;
[key: string]: any;
}): IRouteConfig {
// Create route match
const match: IRouteMatch = {
ports: options.sourcePortRange,
domains: options.domains
};
// Create route action
const action: IRouteAction = {
type: 'forward',
target: {
host: options.targetHost,
port: options.portMapper
}
};
// Create the route config
return {
match,
action,
name: options.name || `Port Mapping Route for ${options.domains || 'all domains'}`,
priority: options.priority,
...options
};
}
/**
* Create a simple offset port mapping route
* @param options Offset port mapping route options
* @returns Route configuration object
*/
export function createOffsetPortMappingRoute(options: {
ports: TPortRange;
targetHost: string | string[];
offset: number;
name?: string;
domains?: string | string[];
priority?: number;
[key: string]: any;
}): IRouteConfig {
return createPortMappingRoute({
sourcePortRange: options.ports,
targetHost: options.targetHost,
portMapper: (context) => context.port + options.offset,
name: options.name || `Offset Mapping (${options.offset > 0 ? '+' : ''}${options.offset}) for ${options.domains || 'all domains'}`,
domains: options.domains,
priority: options.priority,
...options
});
}
/**
* Create a dynamic route with context-based host and port mapping
* @param options Dynamic route options
* @returns Route configuration object
*/
export function createDynamicRoute(options: {
ports: TPortRange;
targetHost: (context: IRouteContext) => string | string[];
portMapper: (context: IRouteContext) => number;
name?: string;
domains?: string | string[];
path?: string;
clientIp?: string[];
priority?: number;
[key: string]: any;
}): IRouteConfig {
// Create route match
const match: IRouteMatch = {
ports: options.ports,
domains: options.domains,
path: options.path,
clientIp: options.clientIp
};
// Create route action
const action: IRouteAction = {
type: 'forward',
target: {
host: options.targetHost,
port: options.portMapper
}
};
// Create the route config
return {
match,
action,
name: options.name || `Dynamic Route for ${options.domains || 'all domains'}`,
priority: options.priority,
...options
};
}
/**
* Create a smart load balancer with dynamic domain-based backend selection
* @param options Smart load balancer options
* @returns Route configuration object
*/
export function createSmartLoadBalancer(options: {
ports: TPortRange;
domainTargets: Record<string, string | string[]>;
portMapper: (context: IRouteContext) => number;
name?: string;
defaultTarget?: string | string[];
priority?: number;
[key: string]: any;
}): IRouteConfig {
// Extract all domain keys to create the match criteria
const domains = Object.keys(options.domainTargets);
// Create the smart host selector function
const hostSelector = (context: IRouteContext) => {
const domain = context.domain || '';
return options.domainTargets[domain] || options.defaultTarget || 'localhost';
};
// Create route match
const match: IRouteMatch = {
ports: options.ports,
domains
};
// Create route action
const action: IRouteAction = {
type: 'forward',
target: {
host: hostSelector,
port: options.portMapper
}
};
// Create the route config
return {
match,
action,
name: options.name || `Smart Load Balancer for ${domains.join(', ')}`,
priority: options.priority,
...options
};
}

29
ts/proxies/smart-proxy/utils/route-validators.ts
View File

@ -9,14 +9,24 @@ import type { IRouteConfig, IRouteMatch, IRouteAction, TPortRange } from '../mod
/**
* Validates a port range or port number
* @param port Port number or port range
* @param port Port number, port range, or port function
* @returns True if valid, false otherwise
*/
export function isValidPort(port: TPortRange): boolean {
export function isValidPort(port: any): boolean {
if (typeof port === 'number') {
return port > 0 && port < 65536; // Valid port range is 1-65535
} else if (Array.isArray(port)) {
return port.every(p => typeof p === 'number' && p > 0 && p < 65536);
return port.every(p =>
(typeof p === 'number' && p > 0 && p < 65536) ||
(typeof p === 'object' && 'from' in p && 'to' in p &&
p.from > 0 && p.from < 65536 && p.to > 0 && p.to < 65536)
);
} else if (typeof port === 'function') {
// For function-based ports, we can't validate the result at config time
// so we just check that it's a function
return true;
} else if (typeof port === 'object' && 'from' in port && 'to' in port) {
return port.from > 0 && port.from < 65536 && port.to > 0 && port.to < 65536;
}
return false;
}
@ -100,11 +110,20 @@ export function validateRouteAction(action: IRouteAction): { valid: boolean; err
// Validate target host
if (!action.target.host) {
errors.push('Target host is required');
} else if (typeof action.target.host !== 'string' &&
!Array.isArray(action.target.host) &&
typeof action.target.host !== 'function') {
errors.push('Target host must be a string, array of strings, or function');
}
// Validate target port
if (!action.target.port || !isValidPort(action.target.port)) {
errors.push('Valid target port is required');
if (action.target.port === undefined) {
errors.push('Target port is required');
} else if (typeof action.target.port !== 'number' &&
typeof action.target.port !== 'function') {
errors.push('Target port must be a number or a function');
} else if (typeof action.target.port === 'number' && !isValidPort(action.target.port)) {
errors.push('Target port must be between 1 and 65535');
}
}