3.30.7

changelog.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## 2025-03-11 - 3.30.7 - fix(PortProxy)
+Improve TLS renegotiation SNI handling by first checking if the new SNI is allowed under the existing domain config. If not, attempt to find an alternative domain config and update the locked domain accordingly; otherwise, terminate the connection on SNI mismatch.
+
+- Added a preliminary check against the original domain config to allow re-handshakes if the new SNI matches allowed patterns.
+- If the original config does not allow, search for an alternative domain config and validate IP rules.
+- Update the locked domain when allowed, ensuring connection reuse with valid certificate context.
+- Terminate the connection if no suitable domain config is found or IP restrictions are violated.
+
+## 2025-03-11 - 3.30.6 - fix(PortProxy)
+Improve TLS renegotiation handling in PortProxy by validating the new SNI against allowed domain configurations. If the new SNI is permitted based on existing IP rules, update the locked domain to allow connection reuse; otherwise, terminate the connection to prevent misrouting.
+
+- Added logic to check if a new SNI during renegotiation is allowed by comparing IP rules from the matching domain configuration.
+- Updated detailed logging to indicate when a valid SNI change is accepted and when it results in a mismatch termination.
+
+## 2025-03-10 - 3.30.5 - fix(internal)
+No uncommitted changes detected; project files and tests remain unchanged.
+
+
 ## 2025-03-10 - 3.30.4 - fix(PortProxy)
 Fix TLS renegotiation handling and adjust TLS keep-alive timeouts in PortProxy implementation
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.30.4",
+  "version": "3.30.7",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.30.4',
+  version: '3.30.7',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
 }

ts/classes.portproxy.ts

@@ -871,12 +871,75 @@ export class PortProxy {
                 return;
               }
               
-              // Only block if we positively identify a different SNI
+              // Check if the SNI has changed
               if (newSNI && newSNI !== record.lockedDomain) {
-                console.log(
-                  `[${connectionId}] Rehandshake detected with different SNI: ${newSNI} vs locked ${record.lockedDomain}. Terminating connection.`
-                );
-                this.initiateCleanupOnce(record, 'sni_mismatch');
+                // Always check whether the new SNI would be allowed by the EXISTING domain config first
+                // This ensures we're using the same ruleset that allowed the initial connection
+                let allowed = false;
+                
+                // First check if the exact original domain config would allow this new SNI
+                if (record.domainConfig) {
+                  // Check if the new SNI matches any domain pattern in the original domain config
+                  allowed = record.domainConfig.domains.some(d => plugins.minimatch(newSNI, d));
+                  
+                  if (allowed && this.settings.enableDetailedLogging) {
+                    console.log(
+                      `[${connectionId}] Rehandshake with new SNI: ${newSNI} matched existing domain config ` +
+                      `patterns ${record.domainConfig.domains.join(', ')}. Allowing connection reuse.`
+                    );
+                  }
+                }
+                
+                // If not allowed by the existing domain config, try to find another domain config
+                if (!allowed) {
+                  const newDomainConfig = this.settings.domainConfigs.find((config) =>
+                    config.domains.some((d) => plugins.minimatch(newSNI, d))
+                  );
+                  
+                  // If we found a matching domain config, check IP rules
+                  if (newDomainConfig) {
+                    const effectiveAllowedIPs = [
+                      ...newDomainConfig.allowedIPs,
+                      ...(this.settings.defaultAllowedIPs || []),
+                    ];
+                    const effectiveBlockedIPs = [
+                      ...(newDomainConfig.blockedIPs || []),
+                      ...(this.settings.defaultBlockedIPs || []),
+                    ];
+                    
+                    // Check if the IP is allowed for the new domain
+                    allowed = isGlobIPAllowed(record.remoteIP, effectiveAllowedIPs, effectiveBlockedIPs);
+                    
+                    if (allowed && this.settings.enableDetailedLogging) {
+                      console.log(
+                        `[${connectionId}] Rehandshake with new SNI: ${newSNI} (previously ${record.lockedDomain}). ` +
+                        `New domain is allowed by different domain config rules, permitting connection reuse.`
+                      );
+                    }
+                    
+                    // Update the domain config reference to the new one
+                    if (allowed) {
+                      record.domainConfig = newDomainConfig;
+                    }
+                  }
+                }
+                
+                if (allowed) {
+                  // Update the locked domain to the new domain
+                  record.lockedDomain = newSNI;
+                  if (this.settings.enableDetailedLogging) {
+                    console.log(
+                      `[${connectionId}] Updated locked domain for connection from ${record.remoteIP} to: ${newSNI}`
+                    );
+                  }
+                } else {
+                  // If we get here, either no matching domain config was found or the IP is not allowed
+                  console.log(
+                    `[${connectionId}] Rehandshake detected with different SNI: ${newSNI} vs locked ${record.lockedDomain}. ` +
+                    `New domain not allowed by any rules. Terminating connection.`
+                  );
+                  this.initiateCleanupOnce(record, 'sni_mismatch');
+                }
               } else if (newSNI && this.settings.enableDetailedLogging) {
                 console.log(
                   `[${connectionId}] Rehandshake detected with same SNI: ${newSNI}. Allowing.`