v23.1.3

changelog.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## 2026-02-12 - 23.1.3 - fix(rustproxy)
+install default rustls crypto provider early; detect and skip raw fast-path for HTTP connections and return proper HTTP 502 when no route matches
+
+- Install ring-based rustls crypto provider at startup to prevent panics from instant-acme/hyper-rustls calling ClientConfig::builder() before TLS listeners are initialized
+- Add a non-blocking 10ms peek to detect HTTP traffic in the TCP passthrough fast-path to avoid misrouting HTTP and ensure HTTP proxy handles CORS, errors, and request-level routing
+- Skip the fast-path and fall back to the HTTP proxy when HTTP is detected (with a debug log)
+- When no route matches for detected HTTP connections, send an HTTP 502 Bad Gateway response and close the connection instead of silently dropping it
+
+## 2026-02-11 - 23.1.2 - fix(core)
+use node: scoped builtin imports and add route unit tests
+
+- Replaced bare Node built-in imports (events, fs, http, https, net, path, tls, url, http2, buffer, crypto) with 'node:' specifiers for ESM/bundler compatibility (files updated include ts/plugins.ts, ts/core/models/socket-types.ts, ts/core/utils/enhanced-connection-pool.ts, ts/core/utils/socket-tracker.ts, ts/protocols/common/fragment-handler.ts, ts/protocols/tls/sni/client-hello-parser.ts, ts/protocols/tls/sni/sni-extraction.ts, ts/protocols/websocket/utils.ts, ts/tls/sni/sni-handler.ts).
+- Added new unit tests (test/test.bun.ts and test/test.deno.ts) covering route helpers, validators, matching, merging and cloning to improve test coverage.
+
 ## 2026-02-11 - 23.1.1 - fix(rust-proxy)
 increase rust proxy bridge maxPayloadSize to 100 MB and bump dependencies
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "23.1.1",
+  "version": "23.1.3",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

rust/crates/rustproxy-passthrough/src/tcp_listener.rs

@@ -364,6 +364,10 @@ impl TcpListenerManager {
         // doesn't send initial data (e.g., SMTP, greeting-based protocols).
         // If a route matches by port alone and doesn't need domain/path/TLS info,
         // we can forward immediately without waiting for client data.
+        //
+        // IMPORTANT: HTTP connections must NOT use this path — they need the HTTP
+        // proxy for proper error responses, CORS handling, and request-level routing.
+        // We detect HTTP via a non-blocking peek before committing to raw forwarding.
         {
             let quick_ctx = rustproxy_routing::MatchContext {
                 port,
@@ -384,7 +388,28 @@ impl TcpListenerManager {
 
                 // Only use fast path for simple port-only forward routes with no TLS
                 if has_no_domain && has_no_path && is_forward && has_no_tls {
-                    if let Some(target) = quick_match.target {
+                    // Non-blocking peek: if client has already sent data that looks
+                    // like HTTP, skip fast path and let the normal path handle it
+                    // through the HTTP proxy (for CORS, error responses, path routing).
+                    let is_likely_http = {
+                        let mut probe = [0u8; 16];
+                        // Brief peek: HTTP clients send data immediately after connect.
+                        // Server-speaks-first protocols (SMTP etc.) send nothing initially.
+                        // 10ms is ample for any HTTP client while negligible for
+                        // server-speaks-first protocols (which wait seconds for greeting).
+                        match tokio::time::timeout(
+                            std::time::Duration::from_millis(10),
+                            stream.peek(&mut probe),
+                        ).await {
+                            Ok(Ok(n)) if n > 0 => sni_parser::is_http(&probe[..n]),
+                            _ => false,
+                        }
+                    };
+
+                    if is_likely_http {
+                        debug!("Fast-path skipped: HTTP detected from {}, using HTTP proxy", peer_addr);
+                        // Fall through to normal path for HTTP proxy handling
+                    } else if let Some(target) = quick_match.target {
                         let target_host = target.host.first().to_string();
                         let target_port = target.port.resolve(port);
                         let route_id = quick_match.route.id.as_deref();
@@ -562,6 +587,17 @@ impl TcpListenerManager {
             Some(rm) => rm,
             None => {
                 debug!("No route matched for port {} domain {:?}", port, domain);
+                if is_http {
+                    // Send a proper HTTP error instead of dropping the connection
+                    use tokio::io::AsyncWriteExt;
+                    let body = "No route matched";
+                    let resp = format!(
+                        "HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/plain\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
+                        body.len(), body
+                    );
+                    let _ = stream.write_all(resp.as_bytes()).await;
+                    let _ = stream.shutdown().await;
+                }
                 return Ok(());
             }
         };

rust/crates/rustproxy/src/main.rs

@@ -29,6 +29,11 @@ struct Cli {
 
 #[tokio::main]
 async fn main() -> Result<()> {
+    // Install the default CryptoProvider early, before any TLS or ACME code runs.
+    // This prevents panics from instant-acme/hyper-rustls calling ClientConfig::builder()
+    // before TLS listeners have started. Idempotent — later calls harmlessly return Err.
+    let _ = rustls::crypto::ring::default_provider().install_default();
+
     let cli = Cli::parse();
 
     // Initialize tracing - write to stderr so stdout is reserved for management IPC

test/test.bun.ts

@@ -0,0 +1,123 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+
+import {
+  createHttpsTerminateRoute,
+  createCompleteHttpsServer,
+  createHttpRoute,
+} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
+
+import {
+  mergeRouteConfigs,
+  cloneRoute,
+  routeMatchesPath,
+} from '../ts/proxies/smart-proxy/utils/route-utils.js';
+
+import {
+  validateRoutes,
+  validateRouteConfig,
+} from '../ts/proxies/smart-proxy/utils/route-validator.js';
+
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+
+tap.test('route creation - createHttpsTerminateRoute produces correct structure', async () => {
+  const route = createHttpsTerminateRoute('secure.example.com', { host: '127.0.0.1', port: 8443 });
+  expect(route).toHaveProperty('match');
+  expect(route).toHaveProperty('action');
+  expect(route.action.type).toEqual('forward');
+  expect(route.action.tls).toBeDefined();
+  expect(route.action.tls!.mode).toEqual('terminate');
+  expect(route.match.domains).toEqual('secure.example.com');
+});
+
+tap.test('route creation - createCompleteHttpsServer returns redirect and main route', async () => {
+  const routes = createCompleteHttpsServer('app.example.com', { host: '127.0.0.1', port: 3000 });
+  expect(routes).toBeArray();
+  expect(routes.length).toBeGreaterThanOrEqual(2);
+  // Should have an HTTP→HTTPS redirect and an HTTPS route
+  const hasRedirect = routes.some((r) => r.action.type === 'forward' && r.action.redirect !== undefined);
+  const hasHttps = routes.some((r) => r.action.tls?.mode === 'terminate');
+  expect(hasRedirect || hasHttps).toBeTrue();
+});
+
+tap.test('route validation - validateRoutes on a set of routes', async () => {
+  const routes: IRouteConfig[] = [
+    createHttpRoute('a.com', { host: '127.0.0.1', port: 3000 }),
+    createHttpRoute('b.com', { host: '127.0.0.1', port: 4000 }),
+  ];
+  const result = validateRoutes(routes);
+  expect(result.valid).toBeTrue();
+  expect(result.errors).toHaveLength(0);
+});
+
+tap.test('route validation - validateRoutes catches invalid route in set', async () => {
+  const routes: any[] = [
+    createHttpRoute('valid.com', { host: '127.0.0.1', port: 3000 }),
+    { match: { ports: 80 } }, // missing action
+  ];
+  const result = validateRoutes(routes);
+  expect(result.valid).toBeFalse();
+  expect(result.errors.length).toBeGreaterThan(0);
+});
+
+tap.test('path matching - routeMatchesPath with exact path', async () => {
+  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  route.match.path = '/api';
+  expect(routeMatchesPath(route, '/api')).toBeTrue();
+  expect(routeMatchesPath(route, '/other')).toBeFalse();
+});
+
+tap.test('path matching - route without path matches everything', async () => {
+  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  // No path set, should match any path
+  expect(routeMatchesPath(route, '/anything')).toBeTrue();
+  expect(routeMatchesPath(route, '/')).toBeTrue();
+});
+
+tap.test('route merging - mergeRouteConfigs combines routes', async () => {
+  const base = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  base.priority = 10;
+  base.name = 'base-route';
+
+  const merged = mergeRouteConfigs(base, {
+    priority: 50,
+    name: 'merged-route',
+  });
+
+  expect(merged.priority).toEqual(50);
+  expect(merged.name).toEqual('merged-route');
+  // Original route fields should be preserved
+  expect(merged.match.domains).toEqual('example.com');
+  expect(merged.action.targets![0].host).toEqual('127.0.0.1');
+});
+
+tap.test('route merging - mergeRouteConfigs does not mutate original', async () => {
+  const base = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  base.name = 'original';
+
+  const merged = mergeRouteConfigs(base, { name: 'changed' });
+  expect(base.name).toEqual('original');
+  expect(merged.name).toEqual('changed');
+});
+
+tap.test('route cloning - cloneRoute produces independent copy', async () => {
+  const original = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  original.priority = 42;
+  original.name = 'original-route';
+
+  const cloned = cloneRoute(original);
+
+  // Should be equal in value
+  expect(cloned.match.domains).toEqual('example.com');
+  expect(cloned.priority).toEqual(42);
+  expect(cloned.name).toEqual('original-route');
+  expect(cloned.action.targets![0].host).toEqual('127.0.0.1');
+  expect(cloned.action.targets![0].port).toEqual(3000);
+
+  // Should be independent - modifying clone shouldn't affect original
+  cloned.name = 'cloned-route';
+  cloned.priority = 99;
+  expect(original.name).toEqual('original-route');
+  expect(original.priority).toEqual(42);
+});
+
+export default tap.start();

test/test.deno.ts

@@ -0,0 +1,111 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+
+import {
+  createHttpRoute,
+  createHttpsTerminateRoute,
+  createLoadBalancerRoute,
+} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
+
+import {
+  findMatchingRoutes,
+  findBestMatchingRoute,
+  routeMatchesDomain,
+  routeMatchesPort,
+  routeMatchesPath,
+} from '../ts/proxies/smart-proxy/utils/route-utils.js';
+
+import {
+  validateRouteConfig,
+  isValidDomain,
+  isValidPort,
+} from '../ts/proxies/smart-proxy/utils/route-validator.js';
+
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+
+tap.test('route creation - createHttpRoute produces correct structure', async () => {
+  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  expect(route).toHaveProperty('match');
+  expect(route).toHaveProperty('action');
+  expect(route.match.domains).toEqual('example.com');
+  expect(route.action.type).toEqual('forward');
+  expect(route.action.targets).toBeArray();
+  expect(route.action.targets![0].host).toEqual('127.0.0.1');
+  expect(route.action.targets![0].port).toEqual(3000);
+});
+
+tap.test('route creation - createHttpRoute with array of domains', async () => {
+  const route = createHttpRoute(['a.com', 'b.com'], { host: 'localhost', port: 8080 });
+  expect(route.match.domains).toEqual(['a.com', 'b.com']);
+});
+
+tap.test('route validation - validateRouteConfig accepts valid route', async () => {
+  const route = createHttpRoute('valid.example.com', { host: '10.0.0.1', port: 8080 });
+  const result = validateRouteConfig(route);
+  expect(result.valid).toBeTrue();
+  expect(result.errors).toHaveLength(0);
+});
+
+tap.test('route validation - validateRouteConfig rejects missing action', async () => {
+  const badRoute = { match: { ports: 80 } } as any;
+  const result = validateRouteConfig(badRoute);
+  expect(result.valid).toBeFalse();
+  expect(result.errors.length).toBeGreaterThan(0);
+});
+
+tap.test('route validation - isValidDomain checks correctly', async () => {
+  expect(isValidDomain('example.com')).toBeTrue();
+  expect(isValidDomain('*.example.com')).toBeTrue();
+  expect(isValidDomain('')).toBeFalse();
+});
+
+tap.test('route validation - isValidPort checks correctly', async () => {
+  expect(isValidPort(80)).toBeTrue();
+  expect(isValidPort(443)).toBeTrue();
+  expect(isValidPort(0)).toBeFalse();
+  expect(isValidPort(70000)).toBeFalse();
+  expect(isValidPort(-1)).toBeFalse();
+});
+
+tap.test('domain matching - exact domain', async () => {
+  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  expect(routeMatchesDomain(route, 'example.com')).toBeTrue();
+  expect(routeMatchesDomain(route, 'other.com')).toBeFalse();
+});
+
+tap.test('domain matching - wildcard domain', async () => {
+  const route = createHttpRoute('*.example.com', { host: '127.0.0.1', port: 3000 });
+  expect(routeMatchesDomain(route, 'sub.example.com')).toBeTrue();
+  expect(routeMatchesDomain(route, 'example.com')).toBeFalse();
+});
+
+tap.test('port matching - single port', async () => {
+  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  // createHttpRoute defaults to port 80
+  expect(routeMatchesPort(route, 80)).toBeTrue();
+  expect(routeMatchesPort(route, 443)).toBeFalse();
+});
+
+tap.test('route finding - findBestMatchingRoute selects by priority', async () => {
+  const lowPriority = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  lowPriority.priority = 10;
+
+  const highPriority = createHttpRoute('example.com', { host: '127.0.0.1', port: 4000 });
+  highPriority.priority = 100;
+
+  const routes: IRouteConfig[] = [lowPriority, highPriority];
+  const best = findBestMatchingRoute(routes, { domain: 'example.com', port: 80 });
+  expect(best).toBeDefined();
+  expect(best!.priority).toEqual(100);
+  expect(best!.action.targets![0].port).toEqual(4000);
+});
+
+tap.test('route finding - findMatchingRoutes returns all matches', async () => {
+  const route1 = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  const route2 = createHttpRoute('example.com', { host: '127.0.0.1', port: 4000 });
+  const route3 = createHttpRoute('other.com', { host: '127.0.0.1', port: 5000 });
+
+  const matches = findMatchingRoutes([route1, route2, route3], { domain: 'example.com', port: 80 });
+  expect(matches).toHaveLength(2);
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '23.1.1',
+  version: '23.1.3',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }

ts/core/models/socket-types.ts

@@ -1,4 +1,4 @@
-import * as net from 'net';
+import * as net from 'node:net';
 import { WrappedSocket } from './wrapped-socket.js';
 
 /**

ts/core/utils/enhanced-connection-pool.ts

@@ -1,7 +1,7 @@
 import { LifecycleComponent } from './lifecycle-component.js';
 import { BinaryHeap } from './binary-heap.js';
 import { AsyncMutex } from './async-utils.js';
-import { EventEmitter } from 'events';
+import { EventEmitter } from 'node:events';
 
 /**
  * Interface for pooled connection

ts/core/utils/socket-tracker.ts

@@ -3,7 +3,7 @@
  * Provides standardized socket cleanup with proper listener and timer management
  */
 
-import type { Socket } from 'net';
+import type { Socket } from 'node:net';
 
 export type SocketTracked = {
   cleanup: () => void;

ts/plugins.ts

@@ -1,13 +1,13 @@
 // node native scope
-import { EventEmitter } from 'events';
+import { EventEmitter } from 'node:events';
-import * as fs from 'fs';
+import * as fs from 'node:fs';
-import * as http from 'http';
+import * as http from 'node:http';
-import * as https from 'https';
+import * as https from 'node:https';
-import * as net from 'net';
+import * as net from 'node:net';
-import * as path from 'path';
+import * as path from 'node:path';
-import * as tls from 'tls';
+import * as tls from 'node:tls';
-import * as url from 'url';
+import * as url from 'node:url';
-import * as http2 from 'http2';
+import * as http2 from 'node:http2';
 
 export { EventEmitter, fs, http, https, net, path, tls, url, http2 };
 

ts/protocols/common/fragment-handler.ts

@@ -5,7 +5,7 @@
  * that may span multiple TCP packets.
  */
 
-import { Buffer } from 'buffer';
+import { Buffer } from 'node:buffer';
 
 /**
  * Fragment tracking information

ts/protocols/tls/sni/client-hello-parser.ts

@@ -1,4 +1,4 @@
-import { Buffer } from 'buffer';
+import { Buffer } from 'node:buffer';
 import { 
   TlsRecordType,
   TlsHandshakeType,

ts/protocols/tls/sni/sni-extraction.ts

@@ -1,4 +1,4 @@
-import { Buffer } from 'buffer';
+import { Buffer } from 'node:buffer';
 import { TlsExtensionType, TlsUtils } from '../utils/tls-utils.js';
 import {
   ClientHelloParser,

ts/protocols/websocket/utils.ts

@@ -2,7 +2,7 @@
  * WebSocket Protocol Utilities
  */
 
-import * as crypto from 'crypto';
+import * as crypto from 'node:crypto';
 import { WEBSOCKET_MAGIC_STRING } from './constants.js';
 import type { RawData } from './types.js';
 

ts/tls/sni/sni-handler.ts

@@ -1,4 +1,4 @@
-import { Buffer } from 'buffer';
+import { Buffer } from 'node:buffer';
 import { 
   TlsRecordType,
   TlsHandshakeType,