3.16.8

changelog.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 2025-02-27 - 3.16.8 - fix(PortProxy)
+Fix IP filtering for domain and global default allowed lists and improve port-based routing logic.
+
+- Improved logic to prioritize domain-specific allowed IPs over global defaults.
+- Fixed port-based rules application to handle global port ranges more effectively.
+- Enhanced rejection handling for unauthorized IP addresses in both domain-specific and default global lists.
+
 ## 2025-02-27 - 3.16.7 - fix(PortProxy)
 Improved IP validation logic in PortProxy to ensure correct domain matching and fallback
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.16.7",
+  "version": "3.16.8",
   "private": false,
   "description": "A robust and versatile proxy package designed to handle high workloads, offering features like SSL redirection, port proxying, WebSocket support, and customizable routing and authentication.",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.16.7',
+  version: '3.16.8',
   description: 'A robust and versatile proxy package designed to handle high workloads, offering features like SSL redirection, port proxying, WebSocket support, and customizable routing and authentication.'
 }

ts/classes.portproxy.ts

@@ -215,13 +215,13 @@ export class PortProxy {
           ? forcedDomain
           : (serverName ? this.settings.domains.find(config => plugins.minimatch(serverName, config.domain)) : undefined);
 
-        // New check: if a matching domain config exists, use its allowedIPs in preference.
+        // If a matching domain config exists, check its allowedIPs.
         if (domainConfig) {
           if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
             return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${domainConfig.domain}`);
           }
         } else if (this.settings.defaultAllowedIPs) {
-          // Fallback to default allowed IPs if no domain config is found.
+          // Only check default allowed IPs if no domain config matched.
           if (!isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
             return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed by default allowed list`);
           }
@@ -313,9 +313,8 @@ export class PortProxy {
       };
 
       // --- PORT RANGE-BASED HANDLING ---
-      // If the local port is one of the globally listened ports, we may have port-based rules.
+      // Only apply port-based rules if the incoming port is within one of the global port ranges.
-      if (this.settings.globalPortRanges && this.settings.globalPortRanges.length > 0) {
+      if (this.settings.globalPortRanges && isPortInRanges(localPort, this.settings.globalPortRanges)) {
-        // If forwardAllGlobalRanges is enabled, always forward using the global targetIP.
         if (this.settings.forwardAllGlobalRanges) {
           if (this.settings.defaultAllowedIPs && !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
             console.log(`Connection from ${remoteIP} rejected: IP ${remoteIP} not allowed in global default allowed list.`);