3.20.2

fix(PortProxy): Enhance connection cleanup handling in PortProxy
3.20.1
2025-03-01 20:31:50 +00:00 · 2025-03-01 20:31:50 +00:00 · 2025-03-01 17:32:31 +00:00 · 2025-03-01 17:32:31 +00:00 · 2025-03-01 17:19:27 +00:00 · 2025-03-01 17:19:27 +00:00
4 changed files with 136 additions and 48 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,36 @@
 # Changelog

+## 2025-03-01 - 3.20.2 - fix(PortProxy)
+Enhance connection cleanup handling in PortProxy
+
+- Add checks to ensure timers are reset only if outgoing socket is active
+- Prevent setting outgoingActive if the connection is already closed
+
+## 2025-03-01 - 3.20.1 - fix(PortProxy)
+Improve IP allowance check for forced domains
+
+- Enhanced IP allowance check logic by incorporating blocked IPs and default allowed IPs for forced domains within port proxy configurations.
+
+## 2025-03-01 - 3.20.0 - feat(PortProxy)
+Enhance PortProxy with advanced connection cleanup and logging
+
+- Introduced `cleanupConnection` method for improved connection management.
+- Added logging for connection cleanup including special conditions.
+- Implemented parity check to clean up connections when outgoing side closes but incoming remains active.
+- Improved logging during interval checks for active connections and their durations.
+
+## 2025-03-01 - 3.19.0 - feat(PortProxy)
+Enhance PortProxy with default blocked IPs
+
+- Introduced defaultBlockedIPs in IPortProxySettings to handle globally blocked IPs.
+- Added logic for merging domain-specific and default allowed and blocked IPs for effective IP filtering.
+- Refactored helper functions for IP and port range checks to improve modularity in PortProxy.
+
+## 2025-02-27 - 3.18.2 - fix(portproxy)
+Fixed typographical errors in comments within PortProxy class.
+
+- Corrected typographical errors in comments within the PortProxy class.
+
 ## 2025-02-27 - 3.18.1 - fix(PortProxy)
 Refactor and enhance PortProxy test cases and handling

--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "3.18.1",
+  "version": "3.20.2",
  "private": false,
  "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
  "main": "dist_ts/index.js",
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '3.18.1',
+  version: '3.20.2',
  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
 }
--- a/ts/classes.portproxy.ts
+++ b/ts/classes.portproxy.ts
@ -1,9 +1,10 @@
 import * as plugins from './plugins.js';

-/** Domain configuration with per‐domain allowed port ranges */
+/** Domain configuration with per-domain allowed port ranges */
 export interface IDomainConfig {
  domains: string[];         // Glob patterns for domain(s)
  allowedIPs: string[];      // Glob patterns for allowed IPs
+  blockedIPs?: string[];     // Glob patterns for blocked IPs
  targetIPs?: string[];      // If multiple targetIPs are given, use round robin.
  portRanges?: Array<{ from: number; to: number }>; // Optional port ranges
 }
@ -16,6 +17,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
  domainConfigs: IDomainConfig[];
  sniEnabled?: boolean;
  defaultAllowedIPs?: string[];
+  defaultBlockedIPs?: string[];
  preserveSourceIP?: boolean;
  maxConnectionLifetime?: number; // (ms) force cleanup of long-lived connections
  globalPortRanges: Array<{ from: number; to: number }>; // Global allowed port ranges
@ -90,11 +92,42 @@ interface IConnectionRecord {
  outgoing: plugins.net.Socket | null;
  incomingStartTime: number;
  outgoingStartTime?: number;
+  outgoingClosedTime?: number;
  lockedDomain?: string; // New field to lock this connection to the initial SNI
  connectionClosed: boolean;
  cleanupTimer?: NodeJS.Timeout; // Timer to force cleanup after max lifetime/inactivity
 }

+// Helper: Check if a port falls within any of the given port ranges.
+const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
+  return ranges.some(range => port >= range.from && port <= range.to);
+};
+
+// Helper: Check if a given IP matches any of the glob patterns.
+const isAllowed = (ip: string, patterns: string[]): boolean => {
+  const normalizeIP = (ip: string): string[] => {
+    if (ip.startsWith('::ffff:')) {
+      const ipv4 = ip.slice(7);
+      return [ip, ipv4];
+    }
+    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
+      return [ip, `::ffff:${ip}`];
+    }
+    return [ip];
+  };
+  const normalizedIPVariants = normalizeIP(ip);
+  const expandedPatterns = patterns.flatMap(normalizeIP);
+  return normalizedIPVariants.some(ipVariant =>
+    expandedPatterns.some(pattern => plugins.minimatch(ipVariant, pattern))
+  );
+};
+
+// Helper: Check if an IP is allowed considering allowed and blocked glob patterns.
+const isGlobIPAllowed = (ip: string, allowed: string[], blocked: string[] = []): boolean => {
+  if (blocked.length > 0 && isAllowed(ip, blocked)) return false;
+  return isAllowed(ip, allowed);
+};
+
 export class PortProxy {
  private netServers: plugins.net.Server[] = [];
  settings: IPortProxySettings;
@ -125,6 +158,33 @@ export class PortProxy {
    this.terminationStats[side][reason] = (this.terminationStats[side][reason] || 0) + 1;
  }

+  /**
+   * Cleans up a connection record if not already cleaned up.
+   * Destroys both incoming and outgoing sockets, clears timers, and removes the record.
+   * Logs the cleanup event.
+   */
+  private cleanupConnection(record: IConnectionRecord, special: boolean = false): void {
+    if (!record.connectionClosed) {
+      record.connectionClosed = true;
+      if (record.cleanupTimer) {
+        clearTimeout(record.cleanupTimer);
+      }
+      if (!record.incoming.destroyed) {
+        record.incoming.destroy();
+      }
+      if (record.outgoing && !record.outgoing.destroyed) {
+        record.outgoing.destroy();
+      }
+      this.connectionRecords.delete(record);
+      const remoteIP = record.incoming.remoteAddress || 'unknown';
+      if (special) {
+        console.log(`Special parity cleanup: Connection from ${remoteIP} cleaned up due to duration difference.`);
+      } else {
+        console.log(`Connection from ${remoteIP} terminated. Active connections: ${this.connectionRecords.size}`);
+      }
+    }
+  }
+
  private getTargetIP(domainConfig: IDomainConfig): string {
    if (domainConfig.targetIPs && domainConfig.targetIPs.length > 0) {
      const currentIndex = this.domainTargetIndices.get(domainConfig) || 0;
@ -153,18 +213,9 @@ export class PortProxy {
      let incomingTerminationReason: string | null = null;
      let outgoingTerminationReason: string | null = null;

-      // Ensure cleanup happens only once for the entire connection record.
-      const cleanupOnce = async () => {
-        if (!connectionRecord.connectionClosed) {
-          connectionRecord.connectionClosed = true;
-          if (connectionRecord.cleanupTimer) {
-            clearTimeout(connectionRecord.cleanupTimer);
-          }
-          if (!socket.destroyed) socket.destroy();
-          if (connectionRecord.outgoing && !connectionRecord.outgoing.destroyed) connectionRecord.outgoing.destroy();
-          this.connectionRecords.delete(connectionRecord);
-          console.log(`Connection from ${remoteIP} terminated. Active connections: ${this.connectionRecords.size}`);
-        }
+      // Local cleanup function that delegates to the class method.
+      const cleanupOnce = () => {
+        this.cleanupConnection(connectionRecord);
      };

      // Helper to reject an incoming connection.
@ -212,6 +263,8 @@ export class PortProxy {
        } else if (side === 'outgoing' && outgoingTerminationReason === null) {
          outgoingTerminationReason = 'normal';
          this.incrementTerminationStat('outgoing', 'normal');
+          // Record the time when outgoing socket closed.
+          connectionRecord.outgoingClosedTime = Date.now();
        }
        cleanupOnce();
      };
@ -231,17 +284,25 @@ export class PortProxy {
              config.domains.some(d => plugins.minimatch(serverName, d))
            ) : undefined);

-        // If a matching domain config exists, check its allowedIPs.
+        // Effective IP check: merge allowed IPs with default allowed, and remove blocked IPs.
        if (domainConfig) {
-          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
+          const effectiveAllowedIPs: string[] = [
+            ...domainConfig.allowedIPs,
+            ...(this.settings.defaultAllowedIPs || [])
+          ];
+          const effectiveBlockedIPs: string[] = [
+            ...(domainConfig.blockedIPs || []),
+            ...(this.settings.defaultBlockedIPs || [])
+          ];
+          if (!isGlobIPAllowed(remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed for domain ${domainConfig.domains.join(', ')}`);
          }
        } else if (this.settings.defaultAllowedIPs) {
-          // Only check default allowed IPs if no domain config matched.
-          if (!isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+          if (!isGlobIPAllowed(remoteIP, this.settings.defaultAllowedIPs, this.settings.defaultBlockedIPs || [])) {
            return rejectIncomingConnection('rejected', `Connection rejected: IP ${remoteIP} not allowed by default allowed list`);
          }
        }
+
        const targetHost = domainConfig ? this.getTargetIP(domainConfig) : this.settings.targetIP!;
        const connectionOptions: plugins.net.NetConnectOpts = {
          host: targetHost,
@ -293,6 +354,7 @@ export class PortProxy {

        // Initialize a cleanup timer for max connection lifetime.
        if (this.settings.maxConnectionLifetime) {
+          // Flags to track if data was seen from each side.
          let incomingActive = false;
          let outgoingActive = false;
          const resetCleanupTimer = () => {
@ -309,15 +371,19 @@ export class PortProxy {

          resetCleanupTimer();

+          // Only reset the timer if outgoing socket is still active.
          socket.on('data', () => {
            incomingActive = true;
-            if (incomingActive && outgoingActive) {
+            // Check if outgoing has not been closed before resetting timer.
+            if (!connectionRecord.outgoingClosedTime && incomingActive && outgoingActive) {
              resetCleanupTimer();
              incomingActive = false;
              outgoingActive = false;
            }
          });
          targetSocket.on('data', () => {
+            // If outgoing is closed, do not set outgoingActive.
+            if (connectionRecord.outgoingClosedTime) return;
            outgoingActive = true;
            if (incomingActive && outgoingActive) {
              resetCleanupTimer();
@ -341,6 +407,7 @@ export class PortProxy {
          setupConnection('', undefined, {
            domains: ['global'],
            allowedIPs: this.settings.defaultAllowedIPs || [],
+            blockedIPs: this.settings.defaultBlockedIPs || [],
            targetIPs: [this.settings.targetIP!],
            portRanges: []
          }, localPort);
@ -351,7 +418,15 @@ export class PortProxy {
            domain => domain.portRanges && domain.portRanges.length > 0 && isPortInRanges(localPort, domain.portRanges)
          );
          if (forcedDomain) {
-            if (!isAllowed(remoteIP, forcedDomain.allowedIPs)) {
+            const effectiveAllowedIPs: string[] = [
+              ...forcedDomain.allowedIPs,
+              ...(this.settings.defaultAllowedIPs || [])
+            ];
+            const effectiveBlockedIPs: string[] = [
+              ...(forcedDomain.blockedIPs || []),
+              ...(this.settings.defaultBlockedIPs || [])
+            ];
+            if (!isGlobIPAllowed(remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
              console.log(`Connection from ${remoteIP} rejected: IP not allowed for domain ${forcedDomain.domains.join(', ')} on port ${localPort}.`);
              socket.end();
              return;
@ -413,7 +488,7 @@ export class PortProxy {
          listeningPorts.add(port);
        }
      }
-      // Also ensure the default fromPort is listened to if it isn’t already in the ranges.
+      // Also ensure the default fromPort is listened to if it isn't already in the ranges.
      listeningPorts.add(this.settings.fromPort);
    } else {
      listeningPorts.add(this.settings.fromPort);
@ -432,7 +507,7 @@ export class PortProxy {
      this.netServers.push(server);
    }

-    // Log active connection count and longest running durations every 10 seconds.
+    // Log active connection count, longest running durations, and run parity checks every 10 seconds.
    this.connectionLogger = setInterval(() => {
      const now = Date.now();
      let maxIncoming = 0;
@ -442,6 +517,12 @@ export class PortProxy {
        if (record.outgoingStartTime) {
          maxOutgoing = Math.max(maxOutgoing, now - record.outgoingStartTime);
        }
+        // Parity check: if outgoing socket closed and incoming remains active for >1 minute, trigger special cleanup.
+        if (record.outgoingClosedTime && !record.incoming.destroyed && (now - record.outgoingClosedTime > 60000)) {
+          const remoteIP = record.incoming.remoteAddress || 'unknown';
+          console.log(`Parity check triggered: Incoming socket for ${remoteIP} has been active >1 minute after outgoing closed.`);
+          this.cleanupConnection(record, true);
+        }
      }
      console.log(
        `(Interval Log) Active connections: ${this.connectionRecords.size}. ` +
@ -466,28 +547,4 @@ export class PortProxy {
    }
    await Promise.all(closePromises);
  }
-}
-
-// Helper: Check if a port falls within any of the given port ranges.
-const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
-  return ranges.some(range => port >= range.from && port <= range.to);
-};
-
-// Helper: Check if a given IP matches any of the glob patterns.
-const isAllowed = (ip: string, patterns: string[]): boolean => {
-  const normalizeIP = (ip: string): string[] => {
-    if (ip.startsWith('::ffff:')) {
-      const ipv4 = ip.slice(7);
-      return [ip, ipv4];
-    }
-    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
-      return [ip, `::ffff:${ip}`];
-    }
-    return [ip];
-  };
-  const normalizedIPVariants = normalizeIP(ip);
-  const expandedPatterns = patterns.flatMap(normalizeIP);
-  return normalizedIPVariants.some(ipVariant =>
-    expandedPatterns.some(pattern => plugins.minimatch(ipVariant, pattern))
-  );
-};
+}
Author	SHA1	Message	Date
Philipp Kunz	8ddffcd6e5	3.20.2	2025-03-01 20:31:50 +00:00
Philipp Kunz	a5a7781c17	fix(PortProxy): Enhance connection cleanup handling in PortProxy	2025-03-01 20:31:50 +00:00
Philipp Kunz	d647e77cdf	3.20.1	2025-03-01 17:32:31 +00:00
Philipp Kunz	9161336197	fix(PortProxy): Improve IP allowance check for forced domains	2025-03-01 17:32:31 +00:00
Philipp Kunz	2e63d13dd4	3.20.0	2025-03-01 17:19:27 +00:00
Philipp Kunz	af6ed735d5	feat(PortProxy): Enhance PortProxy with advanced connection cleanup and logging	2025-03-01 17:19:27 +00:00
Philipp Kunz	7d38f29ef3	3.19.0	2025-03-01 13:17:05 +00:00
Philipp Kunz	0df26d4367	feat(PortProxy): Enhance PortProxy with default blocked IPs	2025-03-01 13:17:05 +00:00
Philipp Kunz	f9a6e2d748	3.18.2	2025-02-27 21:25:03 +00:00
Philipp Kunz	1cb6302750	fix(portproxy): Fixed typographical errors in comments within PortProxy class.	2025-02-27 21:25:03 +00:00