3.30.6

changelog.md

@@ -1,5 +1,50 @@
 # Changelog
 
+## 2025-03-11 - 3.30.6 - fix(PortProxy)
+Improve TLS renegotiation handling in PortProxy by validating the new SNI against allowed domain configurations. If the new SNI is permitted based on existing IP rules, update the locked domain to allow connection reuse; otherwise, terminate the connection to prevent misrouting.
+
+- Added logic to check if a new SNI during renegotiation is allowed by comparing IP rules from the matching domain configuration.
+- Updated detailed logging to indicate when a valid SNI change is accepted and when it results in a mismatch termination.
+
+## 2025-03-10 - 3.30.5 - fix(internal)
+No uncommitted changes detected; project files and tests remain unchanged.
+
+
+## 2025-03-10 - 3.30.4 - fix(PortProxy)
+Fix TLS renegotiation handling and adjust TLS keep-alive timeouts in PortProxy implementation
+
+- Allow TLS renegotiation data without an explicit SNI extraction to pass through, ensuring valid renegotiations are not dropped (critical for Chrome).
+- Update TLS keep-alive timeout from an aggressive 30 minutes to a more generous 4 hours to reduce unnecessary reconnections.
+- Increase inactivity thresholds for TLS connections from 20 minutes to 2 hours with an additional verification interval extended from 5 to 15 minutes.
+- Adjust long-lived TLS connection timeout from 45 minutes to 8 hours for improved certificate context refresh in chained proxy scenarios.
+
+## 2025-03-10 - 3.30.3 - fix(classes.portproxy.ts)
+Simplify timeout management in PortProxy and fix chained proxy certificate refresh issues
+
+- Reduced TLS keep-alive timeout from 8 hours to 30 minutes to ensure frequent certificate refresh
+- Added aggressive TLS state refresh after 20 minutes of inactivity and secondary verification checks
+- Lowered long-lived TLS connection lifetime from 12 hours to 45 minutes to prevent stale certificates
+- Removed configurable timeout settings from the public API in favor of hardcoded sensible defaults
+- Simplified internal timeout management to reduce code complexity and improve certificate handling in chained proxies
+
+## 2025-03-10 - 3.31.0 - fix(classes.portproxy.ts)
+Simplified timeout management and fixed certificate issues in chained proxy scenarios
+
+- Dramatically reduced TLS keep-alive timeout from 8 hours to 30 minutes to ensure fresh certificates
+- Added aggressive certificate refresh after 20 minutes of inactivity (down from 4 hours)
+- Added secondary verification checks for TLS refresh operations
+- Reduced long-lived TLS connection lifetime from 12 hours to 45 minutes
+- Removed configurable timeouts completely from the public API in favor of hardcoded sensible defaults
+- Simplified interface by removing no-longer-configurable settings while maintaining internal compatibility
+- Reduced overall code complexity by eliminating complex timeout management
+- Fixed chained proxy certificate issues by ensuring more frequent certificate refreshes in all deployment scenarios
+
+## 2025-03-10 - 3.30.2 - fix(classes.portproxy.ts)
+Adjust TLS keep-alive timeout to refresh certificate context.
+
+- Modified TLS keep-alive timeout for connections to 8 hours to refresh certificate context.
+- Updated timeout log messages for clarity on TLS certificate refresh.
+
 ## 2025-03-10 - 3.30.1 - fix(PortProxy)
 Improve TLS keep-alive management and fix whitespace formatting
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.30.1",
+  "version": "3.30.6",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.30.1',
+  version: '3.30.6',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
 }

ts/classes.portproxy.ts

@@ -16,7 +16,12 @@ export interface IDomainConfig {
   networkProxyIndex?: number; // Optional index to specify which NetworkProxy to use (defaults to 0)
 }
 
-/** Port proxy settings including global allowed port ranges */
+/** 
+ * Port proxy settings including global allowed port ranges
+ * 
+ * NOTE: In version 3.31.0+, timeout settings have been simplified and hardcoded with sensible defaults
+ * to ensure TLS certificate safety in all deployment scenarios, especially chained proxies.
+ */
 export interface IPortProxySettings extends plugins.tls.TlsOptions {
   fromPort: number;
   toPort: number;
@@ -27,14 +32,10 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   defaultBlockedIPs?: string[];
   preserveSourceIP?: boolean;
 
-  // Timeout settings
+  // Simplified timeout settings
-  initialDataTimeout?: number; // Timeout for initial data/SNI (ms), default: 60000 (60s)
-  socketTimeout?: number; // Socket inactivity timeout (ms), default: 3600000 (1h)
-  inactivityCheckInterval?: number; // How often to check for inactive connections (ms), default: 60000 (60s)
-  maxConnectionLifetime?: number; // Default max connection lifetime (ms), default: 86400000 (24h)
-  inactivityTimeout?: number; // Inactivity timeout (ms), default: 14400000 (4h)
-
   gracefulShutdownTimeout?: number; // (ms) maximum time to wait for connections to close during shutdown
+  
+  // Ranged port settings
   globalPortRanges: Array<{ from: number; to: number }>; // Global allowed port ranges
   forwardAllGlobalRanges?: boolean; // When true, forwards all connections on global port ranges to the global targetIP
 
@@ -44,9 +45,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   keepAliveInitialDelay?: number; // Initial delay before sending keepalive probes (ms)
   maxPendingDataSize?: number; // Maximum bytes to buffer during connection setup
 
-  // Enhanced features
+  // Logging settings
-  disableInactivityCheck?: boolean; // Disable inactivity checking entirely
-  enableKeepAliveProbes?: boolean; // Enable TCP keep-alive probes
   enableDetailedLogging?: boolean; // Enable detailed connection logging
   enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
   enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
@@ -55,12 +54,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
   connectionRateLimitPerMinute?: number; // Max new connections per minute from a single IP
 
-  // Enhanced keep-alive settings
+  // NetworkProxy integration
-  keepAliveTreatment?: 'standard' | 'extended' | 'immortal'; // How to treat keep-alive connections
-  keepAliveInactivityMultiplier?: number; // Multiplier for inactivity timeout for keep-alive connections
-  extendedKeepAliveLifetime?: number; // Extended lifetime for keep-alive connections (ms)
-
-  // New property for NetworkProxy integration
   networkProxies?: NetworkProxy[]; // Array of NetworkProxy instances to use for TLS termination
 }
 
@@ -332,7 +326,22 @@ const randomizeTimeout = (baseTimeout: number, variationPercent: number = 5): nu
 
 export class PortProxy {
   private netServers: plugins.net.Server[] = [];
-  settings: IPortProxySettings;
+  
+  // Define the internal settings interface to include all fields, including those removed from the public interface
+  settings: IPortProxySettings & {
+    // Internal fields removed from public interface in 3.31.0+
+    initialDataTimeout: number;
+    socketTimeout: number;
+    inactivityCheckInterval: number;
+    maxConnectionLifetime: number;
+    inactivityTimeout: number;
+    disableInactivityCheck: boolean;
+    enableKeepAliveProbes: boolean;
+    keepAliveTreatment: 'standard' | 'extended' | 'immortal';
+    keepAliveInactivityMultiplier: number;
+    extendedKeepAliveLifetime: number;
+  };
+  
   private connectionRecords: Map<string, IConnectionRecord> = new Map();
   private connectionLogger: NodeJS.Timeout | null = null;
   private isShuttingDown: boolean = false;
@@ -357,42 +366,41 @@ export class PortProxy {
   private networkProxies: NetworkProxy[] = [];
 
   constructor(settingsArg: IPortProxySettings) {
-    // Set reasonable defaults for all settings
+    // Set hardcoded sensible defaults for all settings
     this.settings = {
       ...settingsArg,
       targetIP: settingsArg.targetIP || 'localhost',
 
-      // Timeout settings with reasonable defaults
+      // Hardcoded timeout settings optimized for TLS safety in all deployment scenarios
-      initialDataTimeout: settingsArg.initialDataTimeout || 60000, // 60 seconds for initial handshake
+      initialDataTimeout: 60000, // 60 seconds for initial handshake
-      socketTimeout: ensureSafeTimeout(settingsArg.socketTimeout || 3600000), // 1 hour socket timeout
+      socketTimeout: 1800000, // 30 minutes - short enough for regular certificate refresh
-      inactivityCheckInterval: settingsArg.inactivityCheckInterval || 60000, // 60 seconds interval
+      inactivityCheckInterval: 60000, // 60 seconds interval for regular cleanup
-      maxConnectionLifetime: ensureSafeTimeout(settingsArg.maxConnectionLifetime || 86400000), // 24 hours default
+      maxConnectionLifetime: 3600000, // 1 hour maximum lifetime for all connections
-      inactivityTimeout: ensureSafeTimeout(settingsArg.inactivityTimeout || 14400000), // 4 hours inactivity timeout
+      inactivityTimeout: 1800000, // 30 minutes inactivity timeout
       
       gracefulShutdownTimeout: settingsArg.gracefulShutdownTimeout || 30000, // 30 seconds
 
       // Socket optimization settings
       noDelay: settingsArg.noDelay !== undefined ? settingsArg.noDelay : true,
       keepAlive: settingsArg.keepAlive !== undefined ? settingsArg.keepAlive : true,
-      keepAliveInitialDelay: settingsArg.keepAliveInitialDelay || 10000, // 10 seconds (reduced for responsiveness)
+      keepAliveInitialDelay: settingsArg.keepAliveInitialDelay || 10000, // 10 seconds
       maxPendingDataSize: settingsArg.maxPendingDataSize || 10 * 1024 * 1024, // 10MB to handle large TLS handshakes
 
-      // Feature flags
+      // Feature flags - simplified with sensible defaults
-      disableInactivityCheck: settingsArg.disableInactivityCheck || false,
+      disableInactivityCheck: false, // Always enable inactivity checks for TLS safety
-      enableKeepAliveProbes:
+      enableKeepAliveProbes: true, // Always enable keep-alive probes for connection health
-        settingsArg.enableKeepAliveProbes !== undefined ? settingsArg.enableKeepAliveProbes : true, // Enable by default
       enableDetailedLogging: settingsArg.enableDetailedLogging || false,
       enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
-      enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false, // Disable randomization by default
+      enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
 
       // Rate limiting defaults
       maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100, // 100 connections per IP
       connectionRateLimitPerMinute: settingsArg.connectionRateLimitPerMinute || 300, // 300 per minute
 
-      // Enhanced keep-alive settings
+      // Keep-alive settings with sensible defaults that ensure certificate safety
-      keepAliveTreatment: settingsArg.keepAliveTreatment || 'extended', // Extended by default
+      keepAliveTreatment: 'standard', // Always use standard treatment for certificate safety
-      keepAliveInactivityMultiplier: settingsArg.keepAliveInactivityMultiplier || 6, // 6x normal inactivity timeout
+      keepAliveInactivityMultiplier: 2, // 2x normal inactivity timeout for minimal extension
-      extendedKeepAliveLifetime: settingsArg.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000, // 7 days
+      extendedKeepAliveLifetime: 3 * 60 * 60 * 1000, // 3 hours maximum (previously was 7 days!)
     };
 
     // Store NetworkProxy instances if provided
@@ -507,7 +515,9 @@ export class PortProxy {
             );
           }
 
-          // Let the NetworkProxy handle the TLS renegotiation
+          // NOTE: We don't need to explicitly forward the renegotiation packets
+          // because socket.pipe(proxySocket) is already handling that.
+          // The pipe ensures all data (including renegotiation) flows through properly.
           // Just update the activity timestamp to prevent timeouts
           record.lastActivity = Date.now();
         }
@@ -840,14 +850,66 @@ export class PortProxy {
 
       // Add the renegotiation listener for SNI validation
       if (serverName) {
+        // This listener will check for TLS renegotiation attempts
+        // Note: We don't need to explicitly forward the renegotiation packets
+        // since socket.pipe(targetSocket) is already set up earlier and handles that
         socket.on('data', (renegChunk: Buffer) => {
           if (renegChunk.length > 0 && renegChunk.readUInt8(0) === 22) {
             try {
               // Try to extract SNI from potential renegotiation
               const newSNI = extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
-              if (newSNI && newSNI !== record.lockedDomain) {
+              
+              // IMPORTANT: If we can't extract an SNI from renegotiation, we MUST allow it through
+              // Otherwise valid renegotiations that don't explicitly repeat the SNI will break
+              if (newSNI === undefined) {
+                if (this.settings.enableDetailedLogging) {
                   console.log(
-                  `[${connectionId}] Rehandshake detected with different SNI: ${newSNI} vs locked ${record.lockedDomain}. Terminating connection.`
+                    `[${connectionId}] Rehandshake detected without SNI, allowing it through.`
+                  );
+                }
+                // Let it pass through - this is critical for Chrome's TLS handling
+                return;
+              }
+              
+              // Check if the SNI has changed
+              if (newSNI && newSNI !== record.lockedDomain) {
+                // Instead of immediately terminating, check if the new SNI would be allowed
+                // by the same ruleset that allowed the initial connection
+                const newDomainConfig = this.settings.domainConfigs.find((config) =>
+                  config.domains.some((d) => plugins.minimatch(newSNI, d))
+                );
+                
+                // If we found a matching domain config, check IP rules
+                if (newDomainConfig) {
+                  const effectiveAllowedIPs = [
+                    ...newDomainConfig.allowedIPs,
+                    ...(this.settings.defaultAllowedIPs || []),
+                  ];
+                  const effectiveBlockedIPs = [
+                    ...(newDomainConfig.blockedIPs || []),
+                    ...(this.settings.defaultBlockedIPs || []),
+                  ];
+                  
+                  // Check if the IP is allowed for the new domain
+                  if (isGlobIPAllowed(record.remoteIP, effectiveAllowedIPs, effectiveBlockedIPs)) {
+                    // Allow the domain switch - Chrome is reusing the connection for a different domain
+                    if (this.settings.enableDetailedLogging) {
+                      console.log(
+                        `[${connectionId}] Rehandshake with new SNI: ${newSNI} (previously ${record.lockedDomain}). ` +
+                        `New domain is allowed by rules, permitting connection reuse.`
+                      );
+                    }
+                    
+                    // Update the locked domain to the new domain
+                    record.lockedDomain = newSNI;
+                    return;
+                  }
+                }
+                
+                // If we get here, either no matching domain config was found or the IP is not allowed
+                console.log(
+                  `[${connectionId}] Rehandshake detected with different SNI: ${newSNI} vs locked ${record.lockedDomain}. ` +
+                  `New domain not allowed by rules. Terminating connection.`
                 );
                 this.initiateCleanupOnce(record, 'sni_mismatch');
               } else if (newSNI && this.settings.enableDetailedLogging) {
@@ -856,6 +918,8 @@ export class PortProxy {
                 );
               }
             } catch (err) {
+              // Always allow the renegotiation to continue if we encounter an error
+              // This ensures Chrome can complete its TLS renegotiation
               console.log(
                 `[${connectionId}] Error processing potential renegotiation: ${err}. Allowing connection to continue.`
               );
@@ -878,22 +942,23 @@ export class PortProxy {
         }
         // No cleanup timer for immortal connections
       }
-      // For TLS keep-alive connections, use a very extended timeout
+      // For TLS keep-alive connections, use a more generous timeout now that
+      // we've fixed the renegotiation handling issue that was causing certificate problems
       else if (record.hasKeepAlive && record.isTLS) {
-        // For TLS keep-alive connections, use a very extended timeout
+        // Use a longer timeout for TLS connections now that renegotiation handling is fixed
-        // This helps prevent certificate errors after sleep/wake cycles
+        // This reduces unnecessary reconnections while still ensuring certificate freshness
-        const tlsKeepAliveTimeout = 14 * 24 * 60 * 60 * 1000; // 14 days for TLS keep-alive
+        const tlsKeepAliveTimeout = 4 * 60 * 60 * 1000; // 4 hours for TLS keep-alive - increased from 30 minutes
         const safeTimeout = ensureSafeTimeout(tlsKeepAliveTimeout);
 
         record.cleanupTimer = setTimeout(() => {
           console.log(
             `[${connectionId}] TLS keep-alive connection from ${
               record.remoteIP
-            } exceeded extended lifetime (${plugins.prettyMs(
+            } exceeded max lifetime (${plugins.prettyMs(
               tlsKeepAliveTimeout
-            )}), forcing cleanup.`
+            )}), forcing cleanup to refresh certificate context.`
           );
-          this.initiateCleanupOnce(record, 'tls_extended_lifetime');
+          this.initiateCleanupOnce(record, 'tls_certificate_refresh');
         }, safeTimeout);
 
         // Make sure timeout doesn't keep the process alive
@@ -903,7 +968,7 @@ export class PortProxy {
 
         if (this.settings.enableDetailedLogging) {
           console.log(
-            `[${connectionId}] TLS keep-alive connection with enhanced protection, lifetime: ${plugins.prettyMs(
+            `[${connectionId}] TLS keep-alive connection with aggressive certificate refresh protection, lifetime: ${plugins.prettyMs(
               tlsKeepAliveTimeout
             )}`
           );
@@ -1053,15 +1118,41 @@ export class PortProxy {
         // For TLS keep-alive connections after sleep/long inactivity, force close
         // to make browser establish a new connection with fresh certificate context
         if (record.isTLS && record.tlsHandshakeComplete) {
-          if (timeDiff > 4 * 60 * 60 * 1000) {
+          // More generous timeout now that we've fixed the renegotiation handling
-            // If inactive for more than 4 hours
+          if (timeDiff > 2 * 60 * 60 * 1000) {
+            // If inactive for more than 2 hours (increased from 20 minutes)
             console.log(
               `[${record.id}] TLS connection inactive for ${plugins.prettyMs(timeDiff)}. ` +
                 `Closing to force new connection with fresh certificate.`
             );
             return this.initiateCleanupOnce(record, 'certificate_refresh_needed');
+          } else if (timeDiff > 30 * 60 * 1000) {
+            // For shorter but still significant inactivity (30+ minutes), refresh TLS state
+            console.log(
+              `[${record.id}] TLS connection inactive for ${plugins.prettyMs(timeDiff)}. ` +
+                `Refreshing TLS state.`
+            );
+            this.refreshTlsStateAfterSleep(record);
+            
+            // Add an additional check in 15 minutes if no activity
+            const refreshCheckId = record.id;
+            const refreshCheck = setTimeout(() => {
+              const currentRecord = this.connectionRecords.get(refreshCheckId);
+              if (currentRecord && Date.now() - currentRecord.lastActivity > 15 * 60 * 1000) {
+                console.log(
+                  `[${refreshCheckId}] No activity detected after TLS refresh. ` +
+                    `Closing connection to ensure certificate freshness.`
+                );
+                this.initiateCleanupOnce(currentRecord, 'tls_refresh_verification_failed');
+              }
+            }, 15 * 60 * 1000);
+            
+            // Make sure timeout doesn't keep the process alive
+            if (refreshCheck.unref) {
+              refreshCheck.unref();
+            }
           } else {
-            // For shorter inactivity periods, try to refresh the TLS state
+            // For shorter inactivity periods, try to refresh the TLS state normally
             this.refreshTlsStateAfterSleep(record);
           }
         }
@@ -1097,12 +1188,12 @@ export class PortProxy {
         const connectionAge = Date.now() - record.incomingStartTime;
         const hourInMs = 60 * 60 * 1000;
 
-        // For TLS browser connections that are very old, it's better to force a new connection
+        // For TLS browser connections, use a more generous timeout now that 
-        // rather than trying to refresh the state, to avoid certificate issues
+        // we've fixed the renegotiation handling issues
-        if (record.isTLS && record.hasKeepAlive && connectionAge > 12 * hourInMs) {
+        if (record.isTLS && record.hasKeepAlive && connectionAge > 8 * hourInMs) { // 8 hours instead of 45 minutes
           console.log(
             `[${record.id}] Long-lived TLS connection (${plugins.prettyMs(connectionAge)}). ` +
-              `Closing to ensure proper certificate handling on browser reconnect.`
+              `Closing to ensure proper certificate handling on browser reconnect in proxy chain.`
           );
           return this.initiateCleanupOnce(record, 'certificate_context_refresh');
         }