Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
4fea28ffb7 | ||
|
|
ffc04c5b85 | ||
|
|
a459d77b6f | ||
|
|
b6d8b73599 |
@@ -1,5 +1,5 @@
|
||||
{
|
||||
"expiryDate": "2025-10-19T23:55:27.838Z",
|
||||
"issueDate": "2025-07-21T23:55:27.838Z",
|
||||
"savedAt": "2025-07-21T23:55:27.838Z"
|
||||
"expiryDate": "2025-10-20T10:10:52.985Z",
|
||||
"issueDate": "2025-07-22T10:10:52.985Z",
|
||||
"savedAt": "2025-07-22T10:10:52.986Z"
|
||||
}
|
||||
@@ -1,5 +1,14 @@
|
||||
# Changelog
|
||||
|
||||
## 2025-07-22 - 21.1.1 - fix(detection)
|
||||
Fix SNI detection in TLS detector
|
||||
|
||||
- Restored proper TLS detector implementation with ClientHello parsing
|
||||
- Fixed imports to use new protocols module locations
|
||||
- Added missing detectWithContext method for fragmented detection
|
||||
- Fixed method names to match BufferAccumulator interface
|
||||
- Removed unused import readUInt24BE
|
||||
|
||||
## 2025-07-21 - 21.1.0 - feat(protocols)
|
||||
Refactor protocol utilities into centralized protocols module
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@push.rocks/smartproxy",
|
||||
"version": "21.1.0",
|
||||
"version": "21.1.2",
|
||||
"private": false,
|
||||
"description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
|
||||
"main": "dist_ts/index.js",
|
||||
|
||||
@@ -124,4 +124,4 @@ tap.test('should parse HTTP headers correctly', async (tools) => {
|
||||
await proxy.stop();
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -159,4 +159,4 @@ tap.test('should return 404 for non-existent challenge tokens', async (tapTest)
|
||||
await proxy.stop();
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -215,4 +215,4 @@ tap.test('should handle HTTP request parsing correctly', async (tools) => {
|
||||
await proxy.stop();
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -117,4 +117,4 @@ tap.test('should configure ACME challenge route', async () => {
|
||||
expect(challengeRoute.action.socketHandler).toBeDefined();
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -119,4 +119,4 @@ tap.test('should defer certificate provisioning until ports are ready', async (t
|
||||
await proxy.stop();
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -238,4 +238,4 @@ tap.test('should renew certificates', async () => {
|
||||
await proxy.stop();
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -57,4 +57,4 @@ tap.test('should handle socket handler route type', async () => {
|
||||
expect(route.action.socketHandler).toBeDefined();
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -143,4 +143,4 @@ tap.test('cleanup queue bug - verify queue processing handles more than batch si
|
||||
console.log('\n✓ Test complete: Cleanup queue now correctly processes all connections');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -239,4 +239,4 @@ tap.test('should handle clients that error during connection', async () => {
|
||||
console.log('\n✅ PASS: Connection error cleanup working correctly!');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -276,4 +276,4 @@ tap.test('comprehensive connection cleanup test - all scenarios', async () => {
|
||||
console.log('- NFTables connections');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -296,4 +296,4 @@ tap.test('Cleanup and shutdown', async () => {
|
||||
allServers.length = 0;
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -80,28 +80,38 @@ tap.test('Protocol Detection - Unknown Protocol', async () => {
|
||||
});
|
||||
|
||||
tap.test('Protocol Detection - Fragmented HTTP', async () => {
|
||||
const connectionId = 'test-connection-1';
|
||||
// Create connection context
|
||||
const context = smartproxy.detection.ProtocolDetector.createConnectionContext({
|
||||
sourceIp: '127.0.0.1',
|
||||
sourcePort: 12345,
|
||||
destIp: '127.0.0.1',
|
||||
destPort: 80,
|
||||
socketId: 'test-connection-1'
|
||||
});
|
||||
|
||||
// First fragment
|
||||
const fragment1 = Buffer.from('GET /test HT');
|
||||
let result = await smartproxy.detection.ProtocolDetector.detectWithConnectionTracking(
|
||||
let result = await smartproxy.detection.ProtocolDetector.detectWithContext(
|
||||
fragment1,
|
||||
connectionId
|
||||
context
|
||||
);
|
||||
expect(result.protocol).toEqual('http');
|
||||
expect(result.isComplete).toEqual(false);
|
||||
|
||||
// Second fragment
|
||||
const fragment2 = Buffer.from('TP/1.1\r\nHost: example.com\r\n\r\n');
|
||||
result = await smartproxy.detection.ProtocolDetector.detectWithConnectionTracking(
|
||||
result = await smartproxy.detection.ProtocolDetector.detectWithContext(
|
||||
fragment2,
|
||||
connectionId
|
||||
context
|
||||
);
|
||||
expect(result.protocol).toEqual('http');
|
||||
expect(result.isComplete).toEqual(true);
|
||||
expect(result.connectionInfo.method).toEqual('GET');
|
||||
expect(result.connectionInfo.path).toEqual('/test');
|
||||
expect(result.connectionInfo.domain).toEqual('example.com');
|
||||
|
||||
// Clean up fragments
|
||||
smartproxy.detection.ProtocolDetector.cleanupConnection(context);
|
||||
});
|
||||
|
||||
tap.test('Protocol Detection - HTTP Methods', async () => {
|
||||
@@ -128,4 +138,9 @@ tap.test('Protocol Detection - Invalid Data', async () => {
|
||||
expect(result.protocol).toEqual('unknown');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
tap.test('cleanup detection', async () => {
|
||||
// Clean up the protocol detector instance
|
||||
smartproxy.detection.ProtocolDetector.destroy();
|
||||
});
|
||||
|
||||
export default tap.start();
|
||||
@@ -79,4 +79,4 @@ tap.test('should verify certificate manager callback is preserved on updateRoute
|
||||
console.log('Fix verified: Certificate manager callback is preserved on updateRoutes');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -180,4 +180,4 @@ tap.test('should handle ACME HTTP-01 challenges on port 80 with HttpProxy', asyn
|
||||
console.log('Test passed: ACME HTTP-01 challenges on port 80 use HttpProxy');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -242,4 +242,4 @@ tap.test('should handle ACME challenges on port 8080 with improved port binding
|
||||
}
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -117,4 +117,4 @@ tap.test('Cleanup HttpProxy SecurityManager', async () => {
|
||||
securityManager.clearIPTracking();
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -247,4 +247,4 @@ tap.test('keepalive support - verify keepalive connections are properly handled'
|
||||
console.log(' - Zombie detection respects keepalive settings');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -109,4 +109,4 @@ tap.test('Cleanup deduplicator', async () => {
|
||||
expect(deduplicator).toBeInstanceOf(LogDeduplicator);
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -149,4 +149,4 @@ tap.test('should not have memory leaks in long-running operations', async (tools
|
||||
});
|
||||
|
||||
// Run with: node --expose-gc test.memory-leak-check.node.ts
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -57,4 +57,4 @@ tap.test('memory leak fixes verification', async () => {
|
||||
console.log('\n✅ All memory leak fixes verified!');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -128,4 +128,4 @@ tap.test('memory leak fixes - unit tests', async () => {
|
||||
console.log('\n✅ All memory leak fixes verified!');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -258,4 +258,4 @@ tap.test('should clean up resources', async () => {
|
||||
});
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -192,4 +192,4 @@ tap.test('simple proxy chain test - identify connection accumulation', async ()
|
||||
expect(finalCounts.proxy2).toEqual(0);
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -130,4 +130,4 @@ tap.test('PROXY protocol v1 generator', async () => {
|
||||
// Skipping integration tests for now - focus on unit tests
|
||||
// Integration tests would require more complex setup and teardown
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -198,4 +198,4 @@ tap.test('should handle routing failures without leaking connections', async ()
|
||||
console.log('\n✅ PASS: Routing failures cleaned up correctly!');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -113,4 +113,4 @@ tap.test('should set update routes callback on certificate manager', async () =>
|
||||
await proxy.stop();
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -58,4 +58,4 @@ tap.test('route security should be correctly configured', async () => {
|
||||
expect(isBlockedIPAllowed).toBeFalse();
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -336,4 +336,4 @@ tap.test('real code integration test - verify fix is applied', async () => {
|
||||
console.log('Real code integration test passed - fix is correctly applied!');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -154,4 +154,4 @@ tap.test('Cleanup SharedSecurityManager', async () => {
|
||||
securityManager.clearIPTracking();
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -51,4 +51,4 @@ tap.test('should verify SmartAcme cert managers are accessible', async () => {
|
||||
expect(memoryCertManager).toBeDefined();
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -141,4 +141,4 @@ tap.test('stuck connection cleanup - verify connections to hanging backends are
|
||||
console.log('✓ Test complete: Stuck connections are properly detected and cleaned up');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -155,4 +155,4 @@ tap.test('long-lived connection survival test', async (tools) => {
|
||||
console.log('✅ Long-lived connection survived past 30-second timeout!');
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -303,4 +303,4 @@ tap.test('zombie connection cleanup - verify inactivity check detects and cleans
|
||||
expect(details.inner.halfZombies.length).toEqual(0);
|
||||
});
|
||||
|
||||
tap.start();
|
||||
export default tap.start();
|
||||
@@ -49,11 +49,15 @@ export class HttpDetector implements IProtocolDetector {
|
||||
return null;
|
||||
}
|
||||
|
||||
// Check if we have complete headers first
|
||||
const headersEnd = buffer.indexOf('\r\n\r\n');
|
||||
const isComplete = headersEnd !== -1;
|
||||
|
||||
// Extract routing information
|
||||
const routing = RoutingExtractor.extract(buffer, 'http');
|
||||
|
||||
// If we don't need full headers, we can return early
|
||||
if (quickResult.confidence >= 95 && !options?.extractFullHeaders) {
|
||||
// If we don't need full headers and we have complete headers, we can return early
|
||||
if (quickResult.confidence >= 95 && !options?.extractFullHeaders && isComplete) {
|
||||
return {
|
||||
protocol: 'http',
|
||||
connectionInfo: {
|
||||
@@ -66,10 +70,6 @@ export class HttpDetector implements IProtocolDetector {
|
||||
};
|
||||
}
|
||||
|
||||
// Check if we have complete headers
|
||||
const headersEnd = buffer.indexOf('\r\n\r\n');
|
||||
const isComplete = headersEnd !== -1;
|
||||
|
||||
return {
|
||||
protocol: 'http',
|
||||
connectionInfo: {
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
// TLS detector doesn't need plugins imports
|
||||
import type { IProtocolDetector } from '../models/interfaces.js';
|
||||
import type { IDetectionResult, IDetectionOptions, IConnectionInfo } from '../models/detection-types.js';
|
||||
import { readUInt16BE, BufferAccumulator } from '../utils/buffer-utils.js';
|
||||
import { readUInt16BE } from '../utils/buffer-utils.js';
|
||||
import { tlsVersionToString } from '../utils/parser-utils.js';
|
||||
|
||||
// Import from protocols
|
||||
@@ -24,17 +24,6 @@ export class TlsDetector implements IProtocolDetector {
|
||||
*/
|
||||
private static readonly MIN_TLS_HEADER_SIZE = 5;
|
||||
|
||||
/**
|
||||
* Fragment tracking for incomplete handshakes
|
||||
*/
|
||||
private static fragmentedBuffers = new Map<string, BufferAccumulator>();
|
||||
|
||||
/**
|
||||
* Create connection ID from context
|
||||
*/
|
||||
private createConnectionId(context: { sourceIp?: string; sourcePort?: number; destIp?: string; destPort?: number }): string {
|
||||
return `${context.sourceIp || 'unknown'}:${context.sourcePort || 0}->${context.destIp || 'unknown'}:${context.destPort || 0}`;
|
||||
}
|
||||
|
||||
/**
|
||||
* Detect TLS protocol from buffer
|
||||
@@ -224,29 +213,11 @@ export class TlsDetector implements IProtocolDetector {
|
||||
*/
|
||||
detectWithContext(
|
||||
buffer: Buffer,
|
||||
context: { sourceIp?: string; sourcePort?: number; destIp?: string; destPort?: number },
|
||||
_context: { sourceIp?: string; sourcePort?: number; destIp?: string; destPort?: number },
|
||||
options?: IDetectionOptions
|
||||
): IDetectionResult | null {
|
||||
const connectionId = this.createConnectionId(context);
|
||||
|
||||
// Get or create buffer accumulator for this connection
|
||||
let accumulator = TlsDetector.fragmentedBuffers.get(connectionId);
|
||||
if (!accumulator) {
|
||||
accumulator = new BufferAccumulator();
|
||||
TlsDetector.fragmentedBuffers.set(connectionId, accumulator);
|
||||
}
|
||||
|
||||
// Add new data
|
||||
accumulator.append(buffer);
|
||||
|
||||
// Try detection on accumulated data
|
||||
const result = this.detect(accumulator.getBuffer(), options);
|
||||
|
||||
// If detection is complete or we have too much data, clean up
|
||||
if (result?.isComplete || accumulator.length() > 65536) {
|
||||
TlsDetector.fragmentedBuffers.delete(connectionId);
|
||||
}
|
||||
|
||||
return result;
|
||||
// This method is deprecated - TLS detection should use the fragment manager
|
||||
// from the parent detector system, not maintain its own fragments
|
||||
return this.detect(buffer, options);
|
||||
}
|
||||
}
|
||||
@@ -18,6 +18,7 @@ export class ProtocolDetector {
|
||||
private fragmentManager: DetectionFragmentManager;
|
||||
private tlsDetector: TlsDetector;
|
||||
private httpDetector: HttpDetector;
|
||||
private connectionProtocols: Map<string, 'tls' | 'http'> = new Map();
|
||||
|
||||
constructor() {
|
||||
this.fragmentManager = new DetectionFragmentManager();
|
||||
@@ -120,20 +121,84 @@ export class ProtocolDetector {
|
||||
};
|
||||
}
|
||||
|
||||
const connectionId = DetectionFragmentManager.createConnectionId(context);
|
||||
|
||||
// Check if we already know the protocol for this connection
|
||||
const knownProtocol = this.connectionProtocols.get(connectionId);
|
||||
|
||||
if (knownProtocol === 'http') {
|
||||
const result = this.httpDetector.detectWithContext(buffer, context, options);
|
||||
if (result) {
|
||||
if (result.isComplete) {
|
||||
this.connectionProtocols.delete(connectionId);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
} else if (knownProtocol === 'tls') {
|
||||
// Handle TLS with fragment accumulation
|
||||
const handler = this.fragmentManager.getHandler('tls');
|
||||
const fragmentResult = handler.addFragment(connectionId, buffer);
|
||||
|
||||
if (fragmentResult.error) {
|
||||
handler.complete(connectionId);
|
||||
this.connectionProtocols.delete(connectionId);
|
||||
return {
|
||||
protocol: 'unknown',
|
||||
connectionInfo: { protocol: 'unknown' },
|
||||
isComplete: true
|
||||
};
|
||||
}
|
||||
|
||||
const result = this.tlsDetector.detect(fragmentResult.buffer!, options);
|
||||
if (result) {
|
||||
if (result.isComplete) {
|
||||
handler.complete(connectionId);
|
||||
this.connectionProtocols.delete(connectionId);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
}
|
||||
|
||||
// If we don't know the protocol yet, try to detect it
|
||||
if (!knownProtocol) {
|
||||
// First peek to determine protocol type
|
||||
if (this.tlsDetector.canHandle(buffer)) {
|
||||
const result = this.tlsDetector.detectWithContext(buffer, context, options);
|
||||
this.connectionProtocols.set(connectionId, 'tls');
|
||||
// Handle TLS with fragment accumulation
|
||||
const handler = this.fragmentManager.getHandler('tls');
|
||||
const fragmentResult = handler.addFragment(connectionId, buffer);
|
||||
|
||||
if (fragmentResult.error) {
|
||||
handler.complete(connectionId);
|
||||
this.connectionProtocols.delete(connectionId);
|
||||
return {
|
||||
protocol: 'unknown',
|
||||
connectionInfo: { protocol: 'unknown' },
|
||||
isComplete: true
|
||||
};
|
||||
}
|
||||
|
||||
const result = this.tlsDetector.detect(fragmentResult.buffer!, options);
|
||||
if (result) {
|
||||
if (result.isComplete) {
|
||||
handler.complete(connectionId);
|
||||
this.connectionProtocols.delete(connectionId);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
}
|
||||
|
||||
if (this.httpDetector.canHandle(buffer)) {
|
||||
this.connectionProtocols.set(connectionId, 'http');
|
||||
const result = this.httpDetector.detectWithContext(buffer, context, options);
|
||||
if (result) {
|
||||
if (result.isComplete) {
|
||||
this.connectionProtocols.delete(connectionId);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Can't determine protocol
|
||||
return {
|
||||
@@ -173,13 +238,28 @@ export class ProtocolDetector {
|
||||
/**
|
||||
* Clean up old connection tracking entries
|
||||
*
|
||||
* @param maxAge Maximum age in milliseconds (default: 30 seconds)
|
||||
* @param _maxAge Maximum age in milliseconds (default: 30 seconds)
|
||||
*/
|
||||
static cleanupConnections(maxAge: number = 30000): void {
|
||||
static cleanupConnections(_maxAge: number = 30000): void {
|
||||
// Cleanup is now handled internally by the fragment manager
|
||||
this.getInstance().fragmentManager.cleanup();
|
||||
}
|
||||
|
||||
/**
|
||||
* Clean up fragments for a specific connection
|
||||
*/
|
||||
static cleanupConnection(context: IConnectionContext): void {
|
||||
const instance = this.getInstance();
|
||||
const connectionId = DetectionFragmentManager.createConnectionId(context);
|
||||
|
||||
// Clean up both TLS and HTTP fragments for this connection
|
||||
instance.fragmentManager.getHandler('tls').complete(connectionId);
|
||||
instance.fragmentManager.getHandler('http').complete(connectionId);
|
||||
|
||||
// Remove from connection protocols tracking
|
||||
instance.connectionProtocols.delete(connectionId);
|
||||
}
|
||||
|
||||
/**
|
||||
* Extract domain from connection info
|
||||
*/
|
||||
|
||||
@@ -5,6 +5,7 @@ import { connectionLogDeduplicator } from '../../core/utils/log-deduplicator.js'
|
||||
import { LifecycleComponent } from '../../core/utils/lifecycle-component.js';
|
||||
import { cleanupSocket } from '../../core/utils/socket-utils.js';
|
||||
import { WrappedSocket } from '../../core/models/wrapped-socket.js';
|
||||
import { ProtocolDetector } from '../../detection/index.js';
|
||||
import type { SmartProxy } from './smart-proxy.js';
|
||||
|
||||
/**
|
||||
@@ -323,6 +324,18 @@ export class ConnectionManager extends LifecycleComponent {
|
||||
this.smartProxy.metricsCollector.removeConnection(record.id);
|
||||
}
|
||||
|
||||
// Clean up protocol detection fragments
|
||||
const context = ProtocolDetector.createConnectionContext({
|
||||
sourceIp: record.remoteIP,
|
||||
sourcePort: record.incoming?.remotePort || 0,
|
||||
destIp: record.incoming?.localAddress || '',
|
||||
destPort: record.localPort,
|
||||
socketId: record.id
|
||||
});
|
||||
|
||||
// Clean up any pending detection fragments for this connection
|
||||
ProtocolDetector.cleanupConnection(context);
|
||||
|
||||
if (record.cleanupTimer) {
|
||||
clearTimeout(record.cleanupTimer);
|
||||
record.cleanupTimer = undefined;
|
||||
|
||||
@@ -303,18 +303,18 @@ export class RouteConnectionHandler {
|
||||
|
||||
// Handler for processing initial data (after potential PROXY protocol)
|
||||
const processInitialData = async (chunk: Buffer) => {
|
||||
// Use ProtocolDetector to identify protocol
|
||||
const connectionId = ProtocolDetector.createConnectionId({
|
||||
// Create connection context for protocol detection
|
||||
const context = ProtocolDetector.createConnectionContext({
|
||||
sourceIp: record.remoteIP,
|
||||
sourcePort: socket.remotePort,
|
||||
destIp: socket.localAddress,
|
||||
destPort: socket.localPort,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0,
|
||||
socketId: record.id
|
||||
});
|
||||
|
||||
const detectionResult = await ProtocolDetector.detectWithConnectionTracking(
|
||||
const detectionResult = await ProtocolDetector.detectWithContext(
|
||||
chunk,
|
||||
connectionId,
|
||||
context,
|
||||
{ extractFullHeaders: false } // Only extract essential info for routing
|
||||
);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user