3.16.9

fix(portproxy): Extend domain input validation to support string arrays in port proxy configurations.
3.16.8
2025-02-27 15:46:14 +00:00 · 2025-02-27 15:46:14 +00:00 · 2025-02-27 15:41:03 +00:00 · 2025-02-27 15:41:03 +00:00
4 changed files with 34 additions and 15 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,19 @@
 # Changelog

+## 2025-02-27 - 3.16.9 - fix(portproxy)
+Extend domain input validation to support string arrays in port proxy configurations.
+
+- Modify IDomainConfig interface to allow domain specification as string array.
+- Update connection setup logic to handle multiple domain patterns.
+- Enhance domain rejection logging to include all domain patterns.
+
+## 2025-02-27 - 3.16.8 - fix(PortProxy)
+Fix IP filtering for domain and global default allowed lists and improve port-based routing logic.
+
+- Improved logic to prioritize domain-specific allowed IPs over global defaults.
+- Fixed port-based rules application to handle global port ranges more effectively.
+- Enhanced rejection handling for unauthorized IP addresses in both domain-specific and default global lists.
+
 ## 2025-02-27 - 3.16.7 - fix(PortProxy)
 Improved IP validation logic in PortProxy to ensure correct domain matching and fallback

--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "3.16.7",
+  "version": "3.16.9",
  "private": false,
  "description": "A robust and versatile proxy package designed to handle high workloads, offering features like SSL redirection, port proxying, WebSocket support, and customizable routing and authentication.",
  "main": "dist_ts/index.js",
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '3.16.7',
+  version: '3.16.9',
  description: 'A robust and versatile proxy package designed to handle high workloads, offering features like SSL redirection, port proxying, WebSocket support, and customizable routing and authentication.'
 }
--- a/ts/classes.portproxy.ts
+++ b/ts/classes.portproxy.ts
@ -2,7 +2,7 @@ import * as plugins from './plugins.js';

 /** Domain configuration with per‐domain allowed port ranges */
 export interface IDomainConfig {
-  domain: string;         // Glob pattern for domain
+  domain: string | string[];         // Glob pattern or patterns for domain(s)
  allowedIPs: string[];              // Glob patterns for allowed IPs
  targetIP?: string;                 // Optional target IP for this domain
  portRanges?: Array<{ from: number; to: number }>; // Optional domain-specific allowed port ranges
@ -213,15 +213,21 @@ export class PortProxy {
        // If a forcedDomain is provided (port-based routing), use it; otherwise, use SNI-based lookup.
        const domainConfig = forcedDomain
          ? forcedDomain
-          : (serverName ? this.settings.domains.find(config => plugins.minimatch(serverName, config.domain)) : undefined);
+          : (serverName ? this.settings.domains.find(config => {
+              if (typeof config.domain === 'string') {
+                return plugins.minimatch(serverName, config.domain);
+              } else {
+                return config.domain.some(d => plugins.minimatch(serverName, d));
+              }
+            }) : undefined);

-        // New check: if a matching domain config exists, use its allowedIPs in preference.
+        // If a matching domain config exists, check its allowedIPs.
        if (domainConfig) {
          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
-            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${domainConfig.domain}`);
+            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${Array.isArray(domainConfig.domain) ? domainConfig.domain.join(', ') : domainConfig.domain}`);
          }
        } else if (this.settings.defaultAllowedIPs) {
-          // Fallback to default allowed IPs if no domain config is found.
+          // Only check default allowed IPs if no domain config matched.
          if (!isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed by default allowed list`);
          }
@ -241,7 +247,7 @@ export class PortProxy {

        console.log(
          `Connection established: ${remoteIP} -> ${targetHost}:${connectionOptions.port}` +
-          `${serverName ? ` (SNI: ${serverName})` : forcedDomain ? ` (Port-based for domain: ${forcedDomain.domain})` : ''}`
+          `${serverName ? ` (SNI: ${serverName})` : forcedDomain ? ` (Port-based for domain: ${Array.isArray(forcedDomain.domain) ? forcedDomain.domain.join(', ') : forcedDomain.domain})` : ''}`
        );

        if (initialChunk) {
@ -313,9 +319,8 @@ export class PortProxy {
      };

      // --- PORT RANGE-BASED HANDLING ---
-      // If the local port is one of the globally listened ports, we may have port-based rules.
-      if (this.settings.globalPortRanges && this.settings.globalPortRanges.length > 0) {
-        // If forwardAllGlobalRanges is enabled, always forward using the global targetIP.
+      // Only apply port-based rules if the incoming port is within one of the global port ranges.
+      if (this.settings.globalPortRanges && isPortInRanges(localPort, this.settings.globalPortRanges)) {
        if (this.settings.forwardAllGlobalRanges) {
          if (this.settings.defaultAllowedIPs && !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
            console.log(`Connection from ${remoteIP} rejected: IP ${remoteIP} not allowed in global default allowed list.`);
@ -337,11 +342,11 @@ export class PortProxy {
          );
          if (forcedDomain) {
            if (!isAllowed(remoteIP, forcedDomain.allowedIPs)) {
-              console.log(`Connection from ${remoteIP} rejected: IP not allowed for domain ${forcedDomain.domain} on port ${localPort}.`);
+              console.log(`Connection from ${remoteIP} rejected: IP not allowed for domain ${Array.isArray(forcedDomain.domain) ? forcedDomain.domain.join(', ') : forcedDomain.domain} on port ${localPort}.`);
              socket.end();
              return;
            }
-            console.log(`Port-based connection from ${remoteIP} on port ${localPort} matched domain ${forcedDomain.domain}.`);
+            console.log(`Port-based connection from ${remoteIP} on port ${localPort} matched domain ${Array.isArray(forcedDomain.domain) ? forcedDomain.domain.join(', ') : forcedDomain.domain}.`);
            setupConnection('', undefined, forcedDomain, localPort);
            return;
          }
Author	SHA1	Message	Date
Philipp Kunz	60333b0a59	3.16.9	2025-02-27 15:46:14 +00:00
Philipp Kunz	1aa409907b	fix(portproxy): Extend domain input validation to support string arrays in port proxy configurations.	2025-02-27 15:46:14 +00:00
Philipp Kunz	adee6afc76	3.16.8	2025-02-27 15:41:03 +00:00
Philipp Kunz	4a0792142f	fix(PortProxy): Fix IP filtering for domain and global default allowed lists and improve port-based routing logic.	2025-02-27 15:41:03 +00:00