v25.17.9

changelog.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## 2026-03-20 - 25.17.9 - fix(rustproxy-http)
+correct HTTP/3 host extraction and avoid protocol filtering during UDP route lookup
+
+- Use the URI host or strip the port from the Host header so HTTP/3 requests match routes consistently with TCP/HTTP handling.
+- Remove protocol filtering from HTTP/3 route lookup because QUIC transport already constrains routing to UDP and protocol validation happens earlier.
+
+## 2026-03-20 - 25.17.8 - fix(rustproxy)
+use SNI-based certificate resolution for QUIC TLS connections
+
+- Replaces static first-certificate selection with the shared CertResolver used by the TCP/TLS path.
+- Ensures QUIC connections can present the correct certificate per requested domain.
+- Keeps HTTP/3 ALPN configuration while improving multi-domain TLS handling.
+
 ## 2026-03-20 - 25.17.7 - fix(readme)
 document QUIC and HTTP/3 compatibility caveats
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "25.17.7",
+  "version": "25.17.9",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

rust/crates/rustproxy-http/src/h3_service.rs

@@ -143,10 +143,11 @@ async fn handle_h3_request(
     let uri = request.uri().clone();
     let path = uri.path().to_string();
 
-    // Extract host from :authority or Host header
-    let host = request.uri().authority()
-        .map(|a| a.as_str().to_string())
-        .or_else(|| request.headers().get("host").and_then(|v| v.to_str().ok()).map(|s| s.to_string()))
+    // Extract host from :authority or Host header (strip port to match TCP/HTTP path)
+    let host = request.uri().host()
+        .map(|h| h.to_string())
+        .or_else(|| request.headers().get("host").and_then(|v| v.to_str().ok())
+            .map(|h| h.split(':').next().unwrap_or(h).to_string()))
         .unwrap_or_default();
 
     debug!("HTTP/3 {} {} (host: {}, client: {})", method, path, host, client_ip);
@@ -160,7 +161,8 @@ async fn handle_h3_request(
         tls_version: Some("TLSv1.3"),
         headers: None,
         is_tls: true,
-        protocol: Some("http"),
+        protocol: None,  // Don't filter on protocol — transport: Udp already excludes TCP routes,
+                         // and the route was already protocol-validated at the QUIC accept level.
         transport: Some(TransportProtocol::Udp),
     };
 

rust/crates/rustproxy/src/lib.rs

@@ -1003,44 +1003,25 @@ impl RustProxy {
     fn build_quic_tls_config(
         tls_configs: &HashMap<String, TlsCertConfig>,
     ) -> Option<Arc<rustls::ServerConfig>> {
-        // Find the first available cert (prefer wildcard, then any)
-        let cert_config = tls_configs.get("*")
-            .or_else(|| tls_configs.values().next());
-
-        let cert_config = match cert_config {
-            Some(c) => c,
-            None => return None,
-        };
-
-        // Parse cert chain from PEM
-        let mut cert_reader = std::io::BufReader::new(cert_config.cert_pem.as_bytes());
-        let certs: Vec<rustls::pki_types::CertificateDer<'static>> =
-            rustls_pemfile::certs(&mut cert_reader)
-                .filter_map(|r| r.ok())
-                .collect();
-
-        if certs.is_empty() {
+        if tls_configs.is_empty() {
             return None;
         }
 
-        // Parse private key from PEM
-        let mut key_reader = std::io::BufReader::new(cert_config.key_pem.as_bytes());
-        let key = match rustls_pemfile::private_key(&mut key_reader) {
-            Ok(Some(key)) => key,
-            _ => return None,
-        };
-
-        let mut tls_config = match rustls::ServerConfig::builder()
-            .with_no_client_auth()
-            .with_single_cert(certs, key)
-        {
-            Ok(c) => c,
+        // Reuse CertResolver for SNI-based cert selection (same as TCP/TLS path).
+        // This ensures QUIC connections get the correct certificate for each domain
+        // instead of a single static cert.
+        let resolver = match rustproxy_passthrough::tls_handler::CertResolver::new(tls_configs) {
+            Ok(r) => r,
             Err(e) => {
-                warn!("Failed to build QUIC TLS config: {}", e);
+                warn!("Failed to build QUIC cert resolver: {}", e);
                 return None;
             }
         };
 
+        let mut tls_config = rustls::ServerConfig::builder()
+            .with_no_client_auth()
+            .with_cert_resolver(Arc::new(resolver));
+
         // QUIC requires h3 ALPN
         tls_config.alpn_protocols = vec![b"h3".to_vec()];
 

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '25.17.7',
+  version: '25.17.9',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }