3.7.3

changelog.md

@@ -1,5 +1,83 @@
 # Changelog
 
+## 2025-02-21 - 3.7.3 - fix(portproxy)
+Fix handling of connections in PortProxy to improve stability and performance.
+
+- Improved IP normalization and matching
+- Better SNI extraction and handling for TLS
+- Streamlined connection handling with robust error management
+
+## 2025-02-21 - 3.7.2 - fix(PortProxy)
+Improve SNICallback and connection handling in PortProxy
+
+- Fixed SNICallback to create minimal TLS context for SNI.
+- Changed connection setup to use net.connect for raw passthrough.
+
+## 2025-02-21 - 3.7.1 - fix(smartproxy.portproxy)
+Optimize SNI handling by simplifying context creation
+
+- Removed unnecessary SecureContext creation for SNI requests in PortProxy
+- Improved handling of SNI passthrough by acknowledging requests without context creation
+
+## 2025-02-21 - 3.7.0 - feat(PortProxy)
+Add optional source IP preservation support in PortProxy
+
+- Added a feature to optionally preserve the client's source IP when proxying connections.
+- Enhanced test cases to include scenarios for source IP preservation.
+
+## 2025-02-21 - 3.6.0 - feat(PortProxy)
+Add feature to preserve original client IP through chained proxies
+
+- Added support to bind local address in PortProxy to preserve original client IP.
+- Implemented test for chained proxies to ensure client IP is preserved.
+
+## 2025-02-21 - 3.5.0 - feat(PortProxy)
+Enhance PortProxy to support domain-specific target IPs
+
+- Introduced support for domain-specific target IP configurations in PortProxy.
+- Updated connection handling to prioritize domain-specific target IPs if provided.
+- Added tests to verify forwarding based on domain-specific target IPs.
+
+## 2025-02-21 - 3.4.4 - fix(PortProxy)
+Fixed handling of SNI domain connections and IP allowance checks
+
+- Improved logic for handling SNI domain checks, ensuring IPs are correctly verified.
+- Fixed issue where default allowed IPs were not being checked correctly for non-SNI connections.
+- Revised the SNICallback behavior to handle connections more gracefully when domain configurations are unavailable.
+
+## 2025-02-21 - 3.4.3 - fix(PortProxy)
+Fixed indentation issue and ensured proper cleanup of sockets in PortProxy
+
+- Fixed inconsistent indentation in IP allowance check.
+- Ensured proper cleanup of sockets on connection end in PortProxy.
+
+## 2025-02-21 - 3.4.2 - fix(smartproxy)
+Enhance SSL/TLS handling with SNI and error logging
+
+- Improved handling for SNI-enabled and non-SNI connections
+- Added detailed logging for connection establishment and rejections
+- Introduced error logging for TLS client errors and server errors
+
+## 2025-02-21 - 3.4.1 - fix(PortProxy)
+Normalize IP addresses for port proxy to handle IPv4-mapped IPv6 addresses.
+
+- Improved IP normalization logic in PortProxy to support IPv4-mapped IPv6 addresses.
+- Updated isAllowed function to expand patterns for better matching accuracy.
+
+## 2025-02-21 - 3.4.0 - feat(PortProxy)
+Enhanced PortProxy with custom target host and improved testing
+
+- PortProxy constructor now accepts 'fromPort', 'toPort', and optional 'toHost' directly from settings
+- Refactored test cases to cover forwarding to the custom host
+- Added support to handle multiple concurrent connections
+- Refactored internal connection handling logic to utilize default configurations
+
+## 2025-02-21 - 3.3.1 - fix(PortProxy)
+fixed import usage of net and tls libraries for PortProxy
+
+- Corrected the use of plugins for importing 'tls' and 'net' libraries in the PortProxy module.
+- Updated the constructor of PortProxy to accept combined tls options with ProxySettings.
+
 ## 2025-02-21 - 3.3.0 - feat(PortProxy)
 Enhanced PortProxy with domain and IP filtering, SNI support, and minimatch integration
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.3.0",
+  "version": "3.7.3",
   "private": false,
   "description": "a proxy for handling high workloads of proxying",
   "main": "dist_ts/index.js",

test/test.portproxy.ts

@@ -58,10 +58,13 @@ function createTestClient(port: number, data: string): Promise<string> {
 // Setup test environment
 tap.test('setup port proxy test environment', async () => {
   testServer = await createTestServer(TEST_SERVER_PORT);
-  portProxy = new PortProxy(PROXY_PORT, TEST_SERVER_PORT, {
+  portProxy = new PortProxy({
+    fromPort: PROXY_PORT,
+    toPort: TEST_SERVER_PORT,
+    toHost: 'localhost',
     domains: [],
     sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+    defaultAllowedIPs: ['127.0.0.1']
   });
 });
 
@@ -70,11 +73,76 @@ tap.test('should start port proxy', async () => {
   expect(portProxy.netServer.listening).toBeTrue();
 });
 
-tap.test('should forward TCP connections and data', async () => {
+tap.test('should forward TCP connections and data to localhost', async () => {
   const response = await createTestClient(PROXY_PORT, TEST_DATA);
   expect(response).toEqual(`Echo: ${TEST_DATA}`);
 });
 
+tap.test('should forward TCP connections to custom host', async () => {
+  // Create a new proxy instance with a custom host
+  const customHostProxy = new PortProxy({
+    fromPort: PROXY_PORT + 1,
+    toPort: TEST_SERVER_PORT,
+    toHost: '127.0.0.1',
+    domains: [],
+    sniEnabled: false,
+    defaultAllowedIPs: ['127.0.0.1']
+  });
+  
+  await customHostProxy.start();
+  const response = await createTestClient(PROXY_PORT + 1, TEST_DATA);
+  expect(response).toEqual(`Echo: ${TEST_DATA}`);
+  await customHostProxy.stop();
+});
+
+tap.test('should forward connections based on domain-specific target IP', async () => {
+  // Create a second test server on a different port
+  const TEST_SERVER_PORT_2 = TEST_SERVER_PORT + 100;
+  const testServer2 = await createTestServer(TEST_SERVER_PORT_2);
+
+  // Create a proxy with domain-specific target IPs
+  const domainProxy = new PortProxy({
+    fromPort: PROXY_PORT + 2,
+    toPort: TEST_SERVER_PORT,  // default port
+    toHost: 'localhost',       // default host
+    domains: [{
+      domain: 'domain1.test',
+      allowedIPs: ['127.0.0.1'],
+      targetIP: '127.0.0.1'
+    }, {
+      domain: 'domain2.test',
+      allowedIPs: ['127.0.0.1'],
+      targetIP: 'localhost'
+    }],
+    sniEnabled: false, // We'll test without SNI first since this is a TCP proxy test
+    defaultAllowedIPs: ['127.0.0.1']
+  });
+
+  await domainProxy.start();
+
+  // Test default connection (should use default host)
+  const response1 = await createTestClient(PROXY_PORT + 2, TEST_DATA);
+  expect(response1).toEqual(`Echo: ${TEST_DATA}`);
+
+  // Create another proxy with different default host
+  const domainProxy2 = new PortProxy({
+    fromPort: PROXY_PORT + 3,
+    toPort: TEST_SERVER_PORT,
+    toHost: '127.0.0.1',
+    domains: [],
+    sniEnabled: false,
+    defaultAllowedIPs: ['127.0.0.1']
+  });
+
+  await domainProxy2.start();
+  const response2 = await createTestClient(PROXY_PORT + 3, TEST_DATA);
+  expect(response2).toEqual(`Echo: ${TEST_DATA}`);
+
+  await domainProxy.stop();
+  await domainProxy2.stop();
+  await new Promise<void>((resolve) => testServer2.close(() => resolve()));
+});
+
 tap.test('should handle multiple concurrent connections', async () => {
   const concurrentRequests = 5;
   const requests = Array(concurrentRequests).fill(null).map((_, i) => 
@@ -107,6 +175,68 @@ tap.test('should stop port proxy', async () => {
 });
 
 // Cleanup
+tap.test('should support optional source IP preservation in chained proxies', async () => {
+  // Test 1: Without IP preservation (default behavior)
+  const firstProxyDefault = new PortProxy({
+    fromPort: PROXY_PORT + 4,
+    toPort: PROXY_PORT + 5,
+    toHost: 'localhost',
+    domains: [],
+    sniEnabled: false,
+    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+  });
+
+  const secondProxyDefault = new PortProxy({
+    fromPort: PROXY_PORT + 5,
+    toPort: TEST_SERVER_PORT,
+    toHost: 'localhost',
+    domains: [],
+    sniEnabled: false,
+    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+  });
+
+  await secondProxyDefault.start();
+  await firstProxyDefault.start();
+
+  // This should work because we explicitly allow both IPv4 and IPv6 formats
+  const response1 = await createTestClient(PROXY_PORT + 4, TEST_DATA);
+  expect(response1).toEqual(`Echo: ${TEST_DATA}`);
+
+  await firstProxyDefault.stop();
+  await secondProxyDefault.stop();
+
+  // Test 2: With IP preservation
+  const firstProxyPreserved = new PortProxy({
+    fromPort: PROXY_PORT + 6,
+    toPort: PROXY_PORT + 7,
+    toHost: 'localhost',
+    domains: [],
+    sniEnabled: false,
+    defaultAllowedIPs: ['127.0.0.1'],
+    preserveSourceIP: true
+  });
+
+  const secondProxyPreserved = new PortProxy({
+    fromPort: PROXY_PORT + 7,
+    toPort: TEST_SERVER_PORT,
+    toHost: 'localhost',
+    domains: [],
+    sniEnabled: false,
+    defaultAllowedIPs: ['127.0.0.1'],
+    preserveSourceIP: true
+  });
+
+  await secondProxyPreserved.start();
+  await firstProxyPreserved.start();
+
+  // This should work with just IPv4 because source IP is preserved
+  const response2 = await createTestClient(PROXY_PORT + 6, TEST_DATA);
+  expect(response2).toEqual(`Echo: ${TEST_DATA}`);
+
+  await firstProxyPreserved.stop();
+  await secondProxyPreserved.stop();
+});
+
 tap.test('cleanup port proxy test environment', async () => {
   await new Promise<void>((resolve) => testServer.close(() => resolve()));
 });

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.3.0',
+  version: '3.7.3',
   description: 'a proxy for handling high workloads of proxying'
 }

ts/smartproxy.plugins.ts

@@ -2,9 +2,10 @@
 import * as http from 'http';
 import * as https from 'https';
 import * as net from 'net';
+import * as tls from 'tls';
 import * as url from 'url';
 
-export { http, https, net, url };
+export { http, https, net, tls, url };
 
 // tsclass scope
 import * as tsclass from '@tsclass/tsclass';

ts/smartproxy.portproxy.ts

@@ -1,30 +1,126 @@
 import * as plugins from './smartproxy.plugins.js';
-import * as net from 'net';
-import * as tls from 'tls';
 
-
-export interface DomainConfig {
-  domain: string;  // glob pattern for domain
-  allowedIPs: string[];  // glob patterns for IPs allowed to access this domain
+export interface IDomainConfig {
+  domain: string;         // glob pattern for domain
+  allowedIPs: string[];   // glob patterns for IPs allowed to access this domain
+  targetIP?: string;      // Optional target IP for this domain
 }
 
-export interface ProxySettings {
-  domains: DomainConfig[];
+export interface IProxySettings extends plugins.tls.TlsOptions {
+  // Port configuration
+  fromPort: number;
+  toPort: number;
+  toHost?: string;        // Target host to proxy to, defaults to 'localhost'
+
+  // Domain and security settings
+  domains: IDomainConfig[];
   sniEnabled?: boolean;
-  tlsOptions?: tls.TlsOptions;
-  defaultAllowedIPs?: string[];  // Optional default IP patterns if no matching domain found
+  defaultAllowedIPs?: string[]; // Optional default IP patterns if no matching domain found
+  preserveSourceIP?: boolean;   // Whether to preserve the client's source IP when proxying
+}
+
+/**
+ * Extract SNI (Server Name Indication) from a TLS ClientHello packet.
+ * Returns the server name if found, or undefined.
+ */
+function extractSNI(buffer: Buffer): string | undefined {
+  let offset = 0;
+  // We need at least 5 bytes for the record header.
+  if (buffer.length < 5) {
+    return undefined;
+  }
+
+  // TLS record header
+  const recordType = buffer.readUInt8(0);
+  if (recordType !== 22) { // 22 = handshake
+    return undefined;
+  }
+  // Read record length
+  const recordLength = buffer.readUInt16BE(3);
+  if (buffer.length < 5 + recordLength) {
+    // Not all data arrived yet; in production you might need to accumulate more data.
+    return undefined;
+  }
+
+  offset = 5;
+  // Handshake message type should be 1 for ClientHello.
+  const handshakeType = buffer.readUInt8(offset);
+  if (handshakeType !== 1) {
+    return undefined;
+  }
+  // Skip handshake header (1 byte type + 3 bytes length)
+  offset += 4;
+
+  // Skip client version (2 bytes) and random (32 bytes)
+  offset += 2 + 32;
+
+  // Session ID
+  const sessionIDLength = buffer.readUInt8(offset);
+  offset += 1 + sessionIDLength;
+
+  // Cipher suites
+  const cipherSuitesLength = buffer.readUInt16BE(offset);
+  offset += 2 + cipherSuitesLength;
+
+  // Compression methods
+  const compressionMethodsLength = buffer.readUInt8(offset);
+  offset += 1 + compressionMethodsLength;
+
+  // Extensions length
+  if (offset + 2 > buffer.length) {
+    return undefined;
+  }
+  const extensionsLength = buffer.readUInt16BE(offset);
+  offset += 2;
+  const extensionsEnd = offset + extensionsLength;
+
+  // Iterate over extensions
+  while (offset + 4 <= extensionsEnd) {
+    const extensionType = buffer.readUInt16BE(offset);
+    const extensionLength = buffer.readUInt16BE(offset + 2);
+    offset += 4;
+
+    // Check for SNI extension (type 0)
+    if (extensionType === 0x0000) {
+      // SNI extension: first 2 bytes are the SNI list length.
+      if (offset + 2 > buffer.length) {
+        return undefined;
+      }
+      const sniListLength = buffer.readUInt16BE(offset);
+      offset += 2;
+      const sniListEnd = offset + sniListLength;
+      // Loop through the list; typically there is one entry.
+      while (offset + 3 < sniListEnd) {
+        const nameType = buffer.readUInt8(offset);
+        offset++;
+        const nameLen = buffer.readUInt16BE(offset);
+        offset += 2;
+        if (nameType === 0) { // host_name
+          if (offset + nameLen > buffer.length) {
+            return undefined;
+          }
+          const serverName = buffer.toString('utf8', offset, offset + nameLen);
+          return serverName;
+        }
+        offset += nameLen;
+      }
+      break;
+    } else {
+      offset += extensionLength;
+    }
+  }
+  return undefined;
 }
 
 export class PortProxy {
   netServer: plugins.net.Server;
-  fromPort: number;
-  toPort: number;
-  settings: ProxySettings;
+  settings: IProxySettings;
 
-  constructor(fromPortArg: number, toPortArg: number, settings: ProxySettings) {
-    this.fromPort = fromPortArg;
-    this.toPort = toPortArg;
-    this.settings = settings;
+  constructor(settings: IProxySettings) {
+    this.settings = {
+      ...settings,
+      toHost: settings.toHost || 'localhost'
+    };
   }
 
   public async start() {
@@ -38,77 +134,139 @@ export class PortProxy {
       from.destroy();
       to.destroy();
     };
-    const isAllowed = (value: string, patterns: string[]): boolean => {
-      return patterns.some(pattern => plugins.minimatch(value, pattern));
+
+    const normalizeIP = (ip: string): string[] => {
+      // Handle IPv4-mapped IPv6 addresses
+      if (ip.startsWith('::ffff:')) {
+        const ipv4 = ip.slice(7); // Remove '::ffff:' prefix
+        return [ip, ipv4];
+      }
+      // Handle IPv4 addresses by adding IPv4-mapped IPv6 variant
+      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
+        return [ip, `::ffff:${ip}`];
+      }
+      return [ip];
     };
 
-    const findMatchingDomain = (serverName: string): DomainConfig | undefined => {
+    const isAllowed = (value: string, patterns: string[]): boolean => {
+      // Expand patterns to include both IPv4 and IPv6 variants
+      const expandedPatterns = patterns.flatMap(normalizeIP);
+      // Check if any variant of the IP matches any expanded pattern
+      return normalizeIP(value).some(ip =>
+        expandedPatterns.some(pattern => plugins.minimatch(ip, pattern))
+      );
+    };
+
+    const findMatchingDomain = (serverName: string): IDomainConfig | undefined => {
       return this.settings.domains.find(config => plugins.minimatch(serverName, config.domain));
     };
 
-    const server = this.settings.sniEnabled ? tls.createServer(this.settings.tlsOptions || {}) : net.createServer();
-    
-    this.netServer = server.on('connection', (from: net.Socket) => {
-      const remoteIP = from.remoteAddress || '';
-        if (this.settings.sniEnabled && from instanceof tls.TLSSocket) {
-          const serverName = (from as any).servername || '';
-          const domainConfig = findMatchingDomain(serverName);
+    // Always create a plain net server for TLS passthrough.
+    this.netServer = plugins.net.createServer((socket: plugins.net.Socket) => {
+      const remoteIP = socket.remoteAddress || '';
+      
+      // If SNI is enabled, we peek at the first chunk to extract the SNI.
+      if (this.settings.sniEnabled) {
+        socket.once('data', (chunk: Buffer) => {
+          // Try to extract the server name from the ClientHello.
+          const serverName = extractSNI(chunk) || '';
+          console.log(`Received connection from ${remoteIP} with SNI: ${serverName}`);
 
-          if (!domainConfig) {
-            // If no matching domain config found, check default IPs if available
-            if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+          // Check if the IP is allowed by default.
+          const isDefaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
+          if (!isDefaultAllowed && serverName) {
+            const domainConfig = findMatchingDomain(serverName);
+            if (!domainConfig) {
               console.log(`Connection rejected: No matching domain config for ${serverName} from IP ${remoteIP}`);
-              from.end();
+              socket.end();
               return;
             }
-          } else {
-            // Check if IP is allowed for this domain
             if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
               console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
-              from.end();
+              socket.end();
               return;
             }
+          } else if (!isDefaultAllowed && !serverName) {
+            console.log(`Connection rejected: No SNI and IP ${remoteIP} not in default allowed list`);
+            socket.end();
+            return;
+          } else {
+            console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
           }
-        } else if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+
+          // Determine target host.
+          const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
+          const targetHost = domainConfig?.targetIP || this.settings.toHost!;
+
+          // Create connection options.
+          const connectionOptions: plugins.net.NetConnectOpts = {
+            host: targetHost,
+            port: this.settings.toPort,
+          };
+          if (this.settings.preserveSourceIP) {
+            connectionOptions.localAddress = remoteIP.replace('::ffff:', '');
+          }
+
+          const to = plugins.net.connect(connectionOptions);
+          console.log(`Connection established: ${remoteIP} -> ${targetHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
+
+          // Unshift the data chunk back so that the TLS handshake can complete at the backend.
+          socket.unshift(chunk);
+          socket.setTimeout(120000);
+          socket.pipe(to);
+          to.pipe(socket);
+
+          const errorHandler = () => {
+            cleanUpSockets(socket, to);
+          };
+          socket.on('error', errorHandler);
+          to.on('error', errorHandler);
+          socket.on('close', errorHandler);
+          to.on('close', errorHandler);
+          socket.on('timeout', errorHandler);
+          to.on('timeout', errorHandler);
+          socket.on('end', errorHandler);
+          to.on('end', errorHandler);
+        });
+      } else {
+        // If SNI is not enabled, use defaultAllowedIPs check.
+        if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
           console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
-          from.end();
+          socket.end();
           return;
         }
-
-        const to = net.createConnection({
-          host: 'localhost',
-          port: this.toPort,
-        });
-        from.setTimeout(120000);
-        from.pipe(to);
-        to.pipe(from);
-        from.on('error', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('error', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('close', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('close', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('timeout', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('timeout', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('end', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('end', () => {
-          cleanUpSockets(from, to);
-        });
-      })
-      .listen(this.fromPort);
-    console.log(`PortProxy -> OK: Now listening on port ${this.fromPort}`);
+        const targetHost = this.settings.toHost!;
+        const connectionOptions: plugins.net.NetConnectOpts = {
+          host: targetHost,
+          port: this.settings.toPort,
+        };
+        if (this.settings.preserveSourceIP) {
+          connectionOptions.localAddress = remoteIP.replace('::ffff:', '');
+        }
+        const to = plugins.net.connect(connectionOptions);
+        console.log(`Connection established: ${remoteIP} -> ${targetHost}:${this.settings.toPort}`);
+        socket.setTimeout(120000);
+        socket.pipe(to);
+        to.pipe(socket);
+        const errorHandler = () => {
+          cleanUpSockets(socket, to);
+        };
+        socket.on('error', errorHandler);
+        to.on('error', errorHandler);
+        socket.on('close', errorHandler);
+        to.on('close', errorHandler);
+        socket.on('timeout', errorHandler);
+        to.on('timeout', errorHandler);
+        socket.on('end', errorHandler);
+        to.on('end', errorHandler);
+      }
+    })
+    .on('error', (err: Error) => {
+      console.log(`Server Error: ${err.message}`);
+    })
+    .listen(this.settings.fromPort, () => {
+      console.log(`PortProxy -> OK: Now listening on port ${this.settings.fromPort}${this.settings.sniEnabled ? ' (SNI passthrough enabled)' : ''}`);
+    });
   }
 
   public async stop() {
@@ -118,4 +276,4 @@ export class PortProxy {
     });
     await done.promise;
   }
-}
+}