|
|
|
|
@ -1,5 +1,6 @@
|
|
|
|
|
import * as plugins from './plugins.js';
|
|
|
|
|
import { NetworkProxy } from './classes.networkproxy.js';
|
|
|
|
|
import { SniHandler } from './classes.snihandler.js';
|
|
|
|
|
|
|
|
|
|
/** Domain configuration with per-domain allowed port ranges */
|
|
|
|
|
export interface IDomainConfig {
|
|
|
|
|
@ -10,6 +11,10 @@ export interface IDomainConfig {
|
|
|
|
|
portRanges?: Array<{ from: number; to: number }>; // Optional port ranges
|
|
|
|
|
// Allow domain-specific timeout override
|
|
|
|
|
connectionTimeout?: number; // Connection timeout override (ms)
|
|
|
|
|
|
|
|
|
|
// NetworkProxy integration options for this specific domain
|
|
|
|
|
useNetworkProxy?: boolean; // Whether to use NetworkProxy for this domain
|
|
|
|
|
networkProxyPort?: number; // Override default NetworkProxy port for this domain
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** Port proxy settings including global allowed port ranges */
|
|
|
|
|
@ -46,6 +51,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
|
|
|
|
|
enableDetailedLogging?: boolean; // Enable detailed connection logging
|
|
|
|
|
enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
|
|
|
|
|
enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
|
|
|
|
|
allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)
|
|
|
|
|
|
|
|
|
|
// Rate limiting and security
|
|
|
|
|
maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
|
|
|
|
|
@ -117,192 +123,8 @@ interface IConnectionRecord {
|
|
|
|
|
domainSwitches?: number; // Number of times the domain has been switched on this connection
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Extracts the SNI (Server Name Indication) from a TLS ClientHello packet.
|
|
|
|
|
* Enhanced for robustness and detailed logging.
|
|
|
|
|
* @param buffer - Buffer containing the TLS ClientHello.
|
|
|
|
|
* @param enableLogging - Whether to enable detailed logging.
|
|
|
|
|
* @returns The server name if found, otherwise undefined.
|
|
|
|
|
*/
|
|
|
|
|
function extractSNI(buffer: Buffer, enableLogging: boolean = false): string | undefined {
|
|
|
|
|
try {
|
|
|
|
|
// Check if buffer is too small for TLS
|
|
|
|
|
if (buffer.length < 5) {
|
|
|
|
|
if (enableLogging) console.log('Buffer too small for TLS header');
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check record type (has to be handshake - 22)
|
|
|
|
|
const recordType = buffer.readUInt8(0);
|
|
|
|
|
if (recordType !== 22) {
|
|
|
|
|
if (enableLogging) console.log(`Not a TLS handshake. Record type: ${recordType}`);
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check TLS version (has to be 3.1 or higher)
|
|
|
|
|
const majorVersion = buffer.readUInt8(1);
|
|
|
|
|
const minorVersion = buffer.readUInt8(2);
|
|
|
|
|
if (enableLogging) console.log(`TLS Version: ${majorVersion}.${minorVersion}`);
|
|
|
|
|
|
|
|
|
|
// Check record length
|
|
|
|
|
const recordLength = buffer.readUInt16BE(3);
|
|
|
|
|
if (buffer.length < 5 + recordLength) {
|
|
|
|
|
if (enableLogging)
|
|
|
|
|
console.log(
|
|
|
|
|
`Buffer too small for TLS record. Expected: ${5 + recordLength}, Got: ${buffer.length}`
|
|
|
|
|
);
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let offset = 5;
|
|
|
|
|
const handshakeType = buffer.readUInt8(offset);
|
|
|
|
|
if (handshakeType !== 1) {
|
|
|
|
|
if (enableLogging) console.log(`Not a ClientHello. Handshake type: ${handshakeType}`);
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
offset += 4; // Skip handshake header (type + length)
|
|
|
|
|
|
|
|
|
|
// Client version
|
|
|
|
|
const clientMajorVersion = buffer.readUInt8(offset);
|
|
|
|
|
const clientMinorVersion = buffer.readUInt8(offset + 1);
|
|
|
|
|
if (enableLogging) console.log(`Client Version: ${clientMajorVersion}.${clientMinorVersion}`);
|
|
|
|
|
|
|
|
|
|
offset += 2 + 32; // Skip client version and random
|
|
|
|
|
|
|
|
|
|
// Session ID
|
|
|
|
|
const sessionIDLength = buffer.readUInt8(offset);
|
|
|
|
|
if (enableLogging) console.log(`Session ID Length: ${sessionIDLength}`);
|
|
|
|
|
offset += 1 + sessionIDLength; // Skip session ID
|
|
|
|
|
|
|
|
|
|
// Cipher suites
|
|
|
|
|
if (offset + 2 > buffer.length) {
|
|
|
|
|
if (enableLogging) console.log('Buffer too small for cipher suites length');
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
const cipherSuitesLength = buffer.readUInt16BE(offset);
|
|
|
|
|
if (enableLogging) console.log(`Cipher Suites Length: ${cipherSuitesLength}`);
|
|
|
|
|
offset += 2 + cipherSuitesLength; // Skip cipher suites
|
|
|
|
|
|
|
|
|
|
// Compression methods
|
|
|
|
|
if (offset + 1 > buffer.length) {
|
|
|
|
|
if (enableLogging) console.log('Buffer too small for compression methods length');
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
const compressionMethodsLength = buffer.readUInt8(offset);
|
|
|
|
|
if (enableLogging) console.log(`Compression Methods Length: ${compressionMethodsLength}`);
|
|
|
|
|
offset += 1 + compressionMethodsLength; // Skip compression methods
|
|
|
|
|
|
|
|
|
|
// Extensions
|
|
|
|
|
if (offset + 2 > buffer.length) {
|
|
|
|
|
if (enableLogging) console.log('Buffer too small for extensions length');
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
const extensionsLength = buffer.readUInt16BE(offset);
|
|
|
|
|
if (enableLogging) console.log(`Extensions Length: ${extensionsLength}`);
|
|
|
|
|
offset += 2;
|
|
|
|
|
const extensionsEnd = offset + extensionsLength;
|
|
|
|
|
|
|
|
|
|
if (extensionsEnd > buffer.length) {
|
|
|
|
|
if (enableLogging)
|
|
|
|
|
console.log(
|
|
|
|
|
`Buffer too small for extensions. Expected end: ${extensionsEnd}, Buffer length: ${buffer.length}`
|
|
|
|
|
);
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse extensions
|
|
|
|
|
while (offset + 4 <= extensionsEnd) {
|
|
|
|
|
const extensionType = buffer.readUInt16BE(offset);
|
|
|
|
|
const extensionLength = buffer.readUInt16BE(offset + 2);
|
|
|
|
|
|
|
|
|
|
if (enableLogging)
|
|
|
|
|
console.log(`Extension Type: 0x${extensionType.toString(16)}, Length: ${extensionLength}`);
|
|
|
|
|
|
|
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
|
|
if (extensionType === 0x0000) {
|
|
|
|
|
// SNI extension
|
|
|
|
|
if (offset + 2 > buffer.length) {
|
|
|
|
|
if (enableLogging) console.log('Buffer too small for SNI list length');
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const sniListLength = buffer.readUInt16BE(offset);
|
|
|
|
|
if (enableLogging) console.log(`SNI List Length: ${sniListLength}`);
|
|
|
|
|
offset += 2;
|
|
|
|
|
const sniListEnd = offset + sniListLength;
|
|
|
|
|
|
|
|
|
|
if (sniListEnd > buffer.length) {
|
|
|
|
|
if (enableLogging)
|
|
|
|
|
console.log(
|
|
|
|
|
`Buffer too small for SNI list. Expected end: ${sniListEnd}, Buffer length: ${buffer.length}`
|
|
|
|
|
);
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while (offset + 3 < sniListEnd) {
|
|
|
|
|
const nameType = buffer.readUInt8(offset++);
|
|
|
|
|
const nameLen = buffer.readUInt16BE(offset);
|
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
|
|
if (enableLogging) console.log(`Name Type: ${nameType}, Name Length: ${nameLen}`);
|
|
|
|
|
|
|
|
|
|
if (nameType === 0) {
|
|
|
|
|
// host_name
|
|
|
|
|
if (offset + nameLen > buffer.length) {
|
|
|
|
|
if (enableLogging)
|
|
|
|
|
console.log(
|
|
|
|
|
`Buffer too small for hostname. Expected: ${offset + nameLen}, Got: ${
|
|
|
|
|
buffer.length
|
|
|
|
|
}`
|
|
|
|
|
);
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const serverName = buffer.toString('utf8', offset, offset + nameLen);
|
|
|
|
|
if (enableLogging) console.log(`Extracted SNI: ${serverName}`);
|
|
|
|
|
return serverName;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
offset += nameLen;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
} else {
|
|
|
|
|
offset += extensionLength;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (enableLogging) console.log('No SNI extension found');
|
|
|
|
|
return undefined;
|
|
|
|
|
} catch (err) {
|
|
|
|
|
console.log(`Error extracting SNI: ${err}`);
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Checks if a TLS record is a proper ClientHello message (more accurate than just checking record type)
|
|
|
|
|
* @param buffer - Buffer containing the TLS record
|
|
|
|
|
* @returns true if the buffer contains a proper ClientHello message
|
|
|
|
|
*/
|
|
|
|
|
function isClientHello(buffer: Buffer): boolean {
|
|
|
|
|
try {
|
|
|
|
|
if (buffer.length < 9) return false; // Too small for a proper ClientHello
|
|
|
|
|
|
|
|
|
|
// Check record type (has to be handshake - 22)
|
|
|
|
|
if (buffer.readUInt8(0) !== 22) return false;
|
|
|
|
|
|
|
|
|
|
// After the TLS record header (5 bytes), check the handshake type (1 for ClientHello)
|
|
|
|
|
if (buffer.readUInt8(5) !== 1) return false;
|
|
|
|
|
|
|
|
|
|
// Basic checks passed, this appears to be a ClientHello
|
|
|
|
|
return true;
|
|
|
|
|
} catch (err) {
|
|
|
|
|
console.log(`Error checking for ClientHello: ${err}`);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// SNI functions are now imported from SniHandler class
|
|
|
|
|
// No need for wrapper functions
|
|
|
|
|
|
|
|
|
|
// Helper: Check if a port falls within any of the given port ranges
|
|
|
|
|
const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
|
|
|
|
|
@ -346,10 +168,7 @@ const generateConnectionId = (): string => {
|
|
|
|
|
return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Helper: Check if a buffer contains a TLS handshake
|
|
|
|
|
const isTlsHandshake = (buffer: Buffer): boolean => {
|
|
|
|
|
return buffer.length > 0 && buffer[0] === 22; // ContentType.handshake
|
|
|
|
|
};
|
|
|
|
|
// SNI functions are now imported from SniHandler class
|
|
|
|
|
|
|
|
|
|
// Helper: Ensure timeout values don't exceed Node.js max safe integer
|
|
|
|
|
const ensureSafeTimeout = (timeout: number): number => {
|
|
|
|
|
@ -418,6 +237,8 @@ export class PortProxy {
|
|
|
|
|
enableDetailedLogging: settingsArg.enableDetailedLogging || false,
|
|
|
|
|
enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
|
|
|
|
|
enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
|
|
|
|
|
allowSessionTicket: settingsArg.allowSessionTicket !== undefined
|
|
|
|
|
? settingsArg.allowSessionTicket : true,
|
|
|
|
|
|
|
|
|
|
// Rate limiting defaults
|
|
|
|
|
maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
|
|
|
|
|
@ -638,12 +459,14 @@ export class PortProxy {
|
|
|
|
|
* @param socket - The incoming client socket
|
|
|
|
|
* @param record - The connection record
|
|
|
|
|
* @param initialData - Initial data chunk (TLS ClientHello)
|
|
|
|
|
* @param customProxyPort - Optional custom port for NetworkProxy (for domain-specific settings)
|
|
|
|
|
*/
|
|
|
|
|
private forwardToNetworkProxy(
|
|
|
|
|
connectionId: string,
|
|
|
|
|
socket: plugins.net.Socket,
|
|
|
|
|
record: IConnectionRecord,
|
|
|
|
|
initialData: Buffer
|
|
|
|
|
initialData: Buffer,
|
|
|
|
|
customProxyPort?: number
|
|
|
|
|
): void {
|
|
|
|
|
// Ensure NetworkProxy is initialized
|
|
|
|
|
if (!this.networkProxy) {
|
|
|
|
|
@ -661,7 +484,8 @@ export class PortProxy {
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const proxyPort = this.networkProxy.getListeningPort();
|
|
|
|
|
// Use the custom port if provided, otherwise use the default NetworkProxy port
|
|
|
|
|
const proxyPort = customProxyPort || this.networkProxy.getListeningPort();
|
|
|
|
|
const proxyHost = 'localhost'; // Assuming NetworkProxy runs locally
|
|
|
|
|
|
|
|
|
|
if (this.settings.enableDetailedLogging) {
|
|
|
|
|
@ -752,44 +576,104 @@ export class PortProxy {
|
|
|
|
|
connectionOptions.localAddress = record.remoteIP.replace('::ffff:', '');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create a safe queue for incoming data using a Buffer array
|
|
|
|
|
// We'll use this to ensure we don't lose data during handler transitions
|
|
|
|
|
const dataQueue: Buffer[] = [];
|
|
|
|
|
let queueSize = 0;
|
|
|
|
|
let processingQueue = false;
|
|
|
|
|
let drainPending = false;
|
|
|
|
|
|
|
|
|
|
// Flag to track if we've switched to the final piping mechanism
|
|
|
|
|
// Once this is true, we no longer buffer data in dataQueue
|
|
|
|
|
let pipingEstablished = false;
|
|
|
|
|
|
|
|
|
|
// Pause the incoming socket to prevent buffer overflows
|
|
|
|
|
// This ensures we control the flow of data until piping is set up
|
|
|
|
|
socket.pause();
|
|
|
|
|
|
|
|
|
|
// Temporary handler to collect data during connection setup
|
|
|
|
|
const tempDataHandler = (chunk: Buffer) => {
|
|
|
|
|
// Track bytes received
|
|
|
|
|
record.bytesReceived += chunk.length;
|
|
|
|
|
// Function to safely process the data queue without losing events
|
|
|
|
|
const processDataQueue = () => {
|
|
|
|
|
if (processingQueue || dataQueue.length === 0 || pipingEstablished) return;
|
|
|
|
|
|
|
|
|
|
processingQueue = true;
|
|
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
// Process all queued chunks with the current active handler
|
|
|
|
|
while (dataQueue.length > 0) {
|
|
|
|
|
const chunk = dataQueue.shift()!;
|
|
|
|
|
queueSize -= chunk.length;
|
|
|
|
|
|
|
|
|
|
// Once piping is established, we shouldn't get here,
|
|
|
|
|
// but just in case, pass to the outgoing socket directly
|
|
|
|
|
if (pipingEstablished && record.outgoing) {
|
|
|
|
|
record.outgoing.write(chunk);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Track bytes received
|
|
|
|
|
record.bytesReceived += chunk.length;
|
|
|
|
|
|
|
|
|
|
// Check for TLS handshake
|
|
|
|
|
if (!record.isTLS && isTlsHandshake(chunk)) {
|
|
|
|
|
record.isTLS = true;
|
|
|
|
|
// Check for TLS handshake
|
|
|
|
|
if (!record.isTLS && SniHandler.isTlsHandshake(chunk)) {
|
|
|
|
|
record.isTLS = true;
|
|
|
|
|
|
|
|
|
|
if (this.settings.enableTlsDebugLogging) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] TLS handshake detected in tempDataHandler, ${chunk.length} bytes`
|
|
|
|
|
);
|
|
|
|
|
if (this.settings.enableTlsDebugLogging) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] TLS handshake detected in tempDataHandler, ${chunk.length} bytes`
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check if adding this chunk would exceed the buffer limit
|
|
|
|
|
const newSize = record.pendingDataSize + chunk.length;
|
|
|
|
|
|
|
|
|
|
if (this.settings.maxPendingDataSize && newSize > this.settings.maxPendingDataSize) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
|
|
|
|
|
);
|
|
|
|
|
socket.end(); // Gracefully close the socket
|
|
|
|
|
this.initiateCleanupOnce(record, 'buffer_limit_exceeded');
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Buffer the chunk and update the size counter
|
|
|
|
|
record.pendingData.push(Buffer.from(chunk));
|
|
|
|
|
record.pendingDataSize = newSize;
|
|
|
|
|
this.updateActivity(record);
|
|
|
|
|
}
|
|
|
|
|
} finally {
|
|
|
|
|
processingQueue = false;
|
|
|
|
|
|
|
|
|
|
// If there's a pending drain and we've processed everything,
|
|
|
|
|
// signal we're ready for more data if we haven't established piping yet
|
|
|
|
|
if (drainPending && dataQueue.length === 0 && !pipingEstablished) {
|
|
|
|
|
drainPending = false;
|
|
|
|
|
socket.resume();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check if adding this chunk would exceed the buffer limit
|
|
|
|
|
const newSize = record.pendingDataSize + chunk.length;
|
|
|
|
|
|
|
|
|
|
if (this.settings.maxPendingDataSize && newSize > this.settings.maxPendingDataSize) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
|
|
|
|
|
);
|
|
|
|
|
socket.end(); // Gracefully close the socket
|
|
|
|
|
return this.initiateCleanupOnce(record, 'buffer_limit_exceeded');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Buffer the chunk and update the size counter
|
|
|
|
|
record.pendingData.push(Buffer.from(chunk));
|
|
|
|
|
record.pendingDataSize = newSize;
|
|
|
|
|
this.updateActivity(record);
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Add the temp handler to capture all incoming data during connection setup
|
|
|
|
|
socket.on('data', tempDataHandler);
|
|
|
|
|
// Unified data handler that safely queues incoming data
|
|
|
|
|
const safeDataHandler = (chunk: Buffer) => {
|
|
|
|
|
// If piping is already established, just let the pipe handle it
|
|
|
|
|
if (pipingEstablished) return;
|
|
|
|
|
|
|
|
|
|
// Add to our queue for orderly processing
|
|
|
|
|
dataQueue.push(Buffer.from(chunk)); // Make a copy to be safe
|
|
|
|
|
queueSize += chunk.length;
|
|
|
|
|
|
|
|
|
|
// If queue is getting large, pause socket until we catch up
|
|
|
|
|
if (this.settings.maxPendingDataSize && queueSize > this.settings.maxPendingDataSize * 0.8) {
|
|
|
|
|
socket.pause();
|
|
|
|
|
drainPending = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Process the queue
|
|
|
|
|
processDataQueue();
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Add our safe data handler
|
|
|
|
|
socket.on('data', safeDataHandler);
|
|
|
|
|
|
|
|
|
|
// Add initial chunk to pending data if present
|
|
|
|
|
if (initialChunk) {
|
|
|
|
|
@ -962,56 +846,32 @@ export class PortProxy {
|
|
|
|
|
// Add the normal error handler for established connections
|
|
|
|
|
targetSocket.on('error', this.handleError('outgoing', record));
|
|
|
|
|
|
|
|
|
|
// Remove temporary data handler
|
|
|
|
|
socket.removeListener('data', tempDataHandler);
|
|
|
|
|
|
|
|
|
|
// Flush all pending data to target
|
|
|
|
|
if (record.pendingData.length > 0) {
|
|
|
|
|
const combinedData = Buffer.concat(record.pendingData);
|
|
|
|
|
targetSocket.write(combinedData, (err) => {
|
|
|
|
|
if (err) {
|
|
|
|
|
console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
|
|
|
|
|
return this.initiateCleanupOnce(record, 'write_error');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Now set up piping for future data and resume the socket
|
|
|
|
|
socket.pipe(targetSocket);
|
|
|
|
|
targetSocket.pipe(socket);
|
|
|
|
|
socket.resume(); // Resume the socket after piping is established
|
|
|
|
|
|
|
|
|
|
if (this.settings.enableDetailedLogging) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
|
|
|
|
|
`${
|
|
|
|
|
serverName
|
|
|
|
|
? ` (SNI: ${serverName})`
|
|
|
|
|
: domainConfig
|
|
|
|
|
? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
|
|
|
|
|
: ''
|
|
|
|
|
}` +
|
|
|
|
|
` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
|
|
|
|
|
record.hasKeepAlive ? 'Yes' : 'No'
|
|
|
|
|
}`
|
|
|
|
|
);
|
|
|
|
|
} else {
|
|
|
|
|
console.log(
|
|
|
|
|
`Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
|
|
|
|
|
`${
|
|
|
|
|
serverName
|
|
|
|
|
? ` (SNI: ${serverName})`
|
|
|
|
|
: domainConfig
|
|
|
|
|
? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
|
|
|
|
|
: ''
|
|
|
|
|
}`
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
} else {
|
|
|
|
|
// No pending data, so just set up piping
|
|
|
|
|
// Process any remaining data in the queue before switching to piping
|
|
|
|
|
processDataQueue();
|
|
|
|
|
|
|
|
|
|
// Setup function to establish piping - we'll use this after flushing data
|
|
|
|
|
const setupPiping = () => {
|
|
|
|
|
// Mark that we're switching to piping mode
|
|
|
|
|
pipingEstablished = true;
|
|
|
|
|
|
|
|
|
|
// Setup piping in both directions
|
|
|
|
|
socket.pipe(targetSocket);
|
|
|
|
|
targetSocket.pipe(socket);
|
|
|
|
|
socket.resume(); // Resume the socket after piping is established
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Resume the socket to ensure data flows
|
|
|
|
|
socket.resume();
|
|
|
|
|
|
|
|
|
|
// Process any data that might be queued in the interim
|
|
|
|
|
if (dataQueue.length > 0) {
|
|
|
|
|
// Write any remaining queued data directly to the target socket
|
|
|
|
|
for (const chunk of dataQueue) {
|
|
|
|
|
targetSocket.write(chunk);
|
|
|
|
|
}
|
|
|
|
|
// Clear the queue
|
|
|
|
|
dataQueue.length = 0;
|
|
|
|
|
queueSize = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (this.settings.enableDetailedLogging) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
|
|
|
|
|
@ -1038,6 +898,23 @@ export class PortProxy {
|
|
|
|
|
}`
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Flush all pending data to target
|
|
|
|
|
if (record.pendingData.length > 0) {
|
|
|
|
|
const combinedData = Buffer.concat(record.pendingData);
|
|
|
|
|
targetSocket.write(combinedData, (err) => {
|
|
|
|
|
if (err) {
|
|
|
|
|
console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
|
|
|
|
|
return this.initiateCleanupOnce(record, 'write_error');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Establish piping now that we've flushed the buffered data
|
|
|
|
|
setupPiping();
|
|
|
|
|
});
|
|
|
|
|
} else {
|
|
|
|
|
// No pending data, just establish piping immediately
|
|
|
|
|
setupPiping();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Clear the buffer now that we've processed it
|
|
|
|
|
@ -1045,14 +922,46 @@ export class PortProxy {
|
|
|
|
|
record.pendingDataSize = 0;
|
|
|
|
|
|
|
|
|
|
// Add the renegotiation handler for SNI validation with strict domain enforcement
|
|
|
|
|
// This will be called after we've established piping
|
|
|
|
|
if (serverName) {
|
|
|
|
|
// Define a handler for checking renegotiation with improved detection
|
|
|
|
|
const renegotiationHandler = (renegChunk: Buffer) => {
|
|
|
|
|
// Only process if this looks like a TLS ClientHello
|
|
|
|
|
if (isClientHello(renegChunk)) {
|
|
|
|
|
if (SniHandler.isClientHello(renegChunk)) {
|
|
|
|
|
try {
|
|
|
|
|
// Extract SNI from ClientHello
|
|
|
|
|
const newSNI = extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
|
|
|
|
|
// Create a connection info object for the existing connection
|
|
|
|
|
const connInfo = {
|
|
|
|
|
sourceIp: record.remoteIP,
|
|
|
|
|
sourcePort: record.incoming.remotePort || 0,
|
|
|
|
|
destIp: record.incoming.localAddress || '',
|
|
|
|
|
destPort: record.incoming.localPort || 0
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Check for session tickets if allowSessionTicket is disabled
|
|
|
|
|
if (this.settings.allowSessionTicket === false) {
|
|
|
|
|
// Analyze for session resumption attempt (session ticket or PSK)
|
|
|
|
|
const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
|
|
|
|
|
|
|
|
|
|
// Only block if there's a session ticket without SNI
|
|
|
|
|
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Session ticket detected in renegotiation without SNI and allowSessionTicket=false. ` +
|
|
|
|
|
`Terminating connection to force new TLS handshake.`
|
|
|
|
|
);
|
|
|
|
|
this.initiateCleanupOnce(record, 'session_ticket_blocked');
|
|
|
|
|
return;
|
|
|
|
|
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
|
|
|
|
|
if (this.settings.enableTlsDebugLogging) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Session ticket with SNI detected in renegotiation. ` +
|
|
|
|
|
`Allowing connection since SNI is present.`
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, connInfo, this.settings.enableTlsDebugLogging);
|
|
|
|
|
|
|
|
|
|
// Skip if no SNI was found
|
|
|
|
|
if (!newSNI) return;
|
|
|
|
|
@ -1081,8 +990,16 @@ export class PortProxy {
|
|
|
|
|
// Store the handler in the connection record so we can remove it during cleanup
|
|
|
|
|
record.renegotiationHandler = renegotiationHandler;
|
|
|
|
|
|
|
|
|
|
// Add the listener
|
|
|
|
|
// The renegotiation handler is added when piping is established
|
|
|
|
|
// Making it part of setupPiping ensures proper sequencing of event handlers
|
|
|
|
|
socket.on('data', renegotiationHandler);
|
|
|
|
|
|
|
|
|
|
if (this.settings.enableDetailedLogging) {
|
|
|
|
|
console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
|
|
|
|
|
if (this.settings.allowSessionTicket === false) {
|
|
|
|
|
console.log(`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set connection timeout with simpler logic
|
|
|
|
|
@ -1242,13 +1159,16 @@ export class PortProxy {
|
|
|
|
|
const bytesReceived = record.bytesReceived;
|
|
|
|
|
const bytesSent = record.bytesSent;
|
|
|
|
|
|
|
|
|
|
// Remove the renegotiation handler if present
|
|
|
|
|
if (record.renegotiationHandler && record.incoming) {
|
|
|
|
|
// Remove all data handlers (both standard and renegotiation) to make sure we clean up properly
|
|
|
|
|
if (record.incoming) {
|
|
|
|
|
try {
|
|
|
|
|
record.incoming.removeListener('data', record.renegotiationHandler);
|
|
|
|
|
// Remove our safe data handler
|
|
|
|
|
record.incoming.removeAllListeners('data');
|
|
|
|
|
|
|
|
|
|
// Reset the handler references
|
|
|
|
|
record.renegotiationHandler = undefined;
|
|
|
|
|
} catch (err) {
|
|
|
|
|
console.log(`[${record.id}] Error removing renegotiation handler: ${err}`);
|
|
|
|
|
console.log(`[${record.id}] Error removing data handlers: ${err}`);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -1602,9 +1522,12 @@ export class PortProxy {
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check if this connection should be forwarded directly to NetworkProxy based on port
|
|
|
|
|
const shouldUseNetworkProxy = this.settings.useNetworkProxy &&
|
|
|
|
|
this.settings.useNetworkProxy.includes(localPort);
|
|
|
|
|
// Check if this connection should be forwarded directly to NetworkProxy
|
|
|
|
|
// First check port-based forwarding settings
|
|
|
|
|
let shouldUseNetworkProxy = this.settings.useNetworkProxy &&
|
|
|
|
|
this.settings.useNetworkProxy.includes(localPort);
|
|
|
|
|
|
|
|
|
|
// We'll look for domain-specific settings after SNI extraction
|
|
|
|
|
|
|
|
|
|
if (shouldUseNetworkProxy) {
|
|
|
|
|
// For NetworkProxy ports, we want to capture the TLS handshake and forward directly
|
|
|
|
|
@ -1644,10 +1567,79 @@ export class PortProxy {
|
|
|
|
|
connectionRecord.hasReceivedInitialData = true;
|
|
|
|
|
|
|
|
|
|
// Check if this looks like a TLS handshake
|
|
|
|
|
if (isTlsHandshake(chunk)) {
|
|
|
|
|
if (SniHandler.isTlsHandshake(chunk)) {
|
|
|
|
|
connectionRecord.isTLS = true;
|
|
|
|
|
|
|
|
|
|
// Forward directly to NetworkProxy without SNI processing
|
|
|
|
|
// Check for session tickets if allowSessionTicket is disabled
|
|
|
|
|
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
|
|
|
|
// Analyze for session resumption attempt
|
|
|
|
|
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
|
|
|
|
|
|
|
|
|
// Only block if there's a session ticket without SNI
|
|
|
|
|
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
|
|
|
|
|
`Terminating connection to force new TLS handshake.`
|
|
|
|
|
);
|
|
|
|
|
if (connectionRecord.incomingTerminationReason === null) {
|
|
|
|
|
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
|
|
|
|
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
|
|
|
|
}
|
|
|
|
|
socket.end();
|
|
|
|
|
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
|
|
|
|
return;
|
|
|
|
|
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
|
|
|
|
|
if (this.settings.enableTlsDebugLogging) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
|
|
|
|
|
`Allowing connection since SNI is present.`
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Try to extract SNI for domain-specific NetworkProxy handling
|
|
|
|
|
const connInfo = {
|
|
|
|
|
sourceIp: remoteIP,
|
|
|
|
|
sourcePort: socket.remotePort || 0,
|
|
|
|
|
destIp: socket.localAddress || '',
|
|
|
|
|
destPort: socket.localPort || 0
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Extract SNI to check for domain-specific NetworkProxy settings
|
|
|
|
|
const serverName = SniHandler.processTlsPacket(
|
|
|
|
|
chunk,
|
|
|
|
|
connInfo,
|
|
|
|
|
this.settings.enableTlsDebugLogging
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (serverName) {
|
|
|
|
|
// If we got an SNI, check for domain-specific NetworkProxy settings
|
|
|
|
|
const domainConfig = this.settings.domainConfigs.find((config) =>
|
|
|
|
|
config.domains.some((d) => plugins.minimatch(serverName, d))
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// Save domain config and SNI in connection record
|
|
|
|
|
connectionRecord.domainConfig = domainConfig;
|
|
|
|
|
connectionRecord.lockedDomain = serverName;
|
|
|
|
|
|
|
|
|
|
// Use domain-specific NetworkProxy port if configured
|
|
|
|
|
if (domainConfig?.useNetworkProxy) {
|
|
|
|
|
const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
|
|
|
|
|
|
|
|
|
if (this.settings.enableDetailedLogging) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}`
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Forward to NetworkProxy with domain-specific port
|
|
|
|
|
this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk, networkProxyPort);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Forward directly to NetworkProxy without domain-specific settings
|
|
|
|
|
this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk);
|
|
|
|
|
} else {
|
|
|
|
|
// If not TLS, use normal direct connection
|
|
|
|
|
@ -1706,7 +1698,7 @@ export class PortProxy {
|
|
|
|
|
this.updateActivity(connectionRecord);
|
|
|
|
|
|
|
|
|
|
// Check for TLS handshake if this is the first chunk
|
|
|
|
|
if (!connectionRecord.isTLS && isTlsHandshake(chunk)) {
|
|
|
|
|
if (!connectionRecord.isTLS && SniHandler.isTlsHandshake(chunk)) {
|
|
|
|
|
connectionRecord.isTLS = true;
|
|
|
|
|
|
|
|
|
|
if (this.settings.enableTlsDebugLogging) {
|
|
|
|
|
@ -1714,7 +1706,15 @@ export class PortProxy {
|
|
|
|
|
`[${connectionId}] TLS handshake detected from ${remoteIP}, ${chunk.length} bytes`
|
|
|
|
|
);
|
|
|
|
|
// Try to extract SNI and log detailed debug info
|
|
|
|
|
extractSNI(chunk, true);
|
|
|
|
|
// Create connection info for debug logging
|
|
|
|
|
const debugConnInfo = {
|
|
|
|
|
sourceIp: remoteIP,
|
|
|
|
|
sourcePort: socket.remotePort || 0,
|
|
|
|
|
destIp: socket.localAddress || '',
|
|
|
|
|
destPort: socket.localPort || 0
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
SniHandler.extractSNIWithResumptionSupport(chunk, debugConnInfo, true);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
@ -1743,7 +1743,7 @@ export class PortProxy {
|
|
|
|
|
connectionRecord.hasReceivedInitialData = true;
|
|
|
|
|
|
|
|
|
|
// Check if this looks like a TLS handshake
|
|
|
|
|
const isTlsHandshakeDetected = initialChunk && isTlsHandshake(initialChunk);
|
|
|
|
|
const isTlsHandshakeDetected = initialChunk && SniHandler.isTlsHandshake(initialChunk);
|
|
|
|
|
if (isTlsHandshakeDetected) {
|
|
|
|
|
connectionRecord.isTLS = true;
|
|
|
|
|
|
|
|
|
|
@ -1765,6 +1765,29 @@ export class PortProxy {
|
|
|
|
|
|
|
|
|
|
// Save domain config in connection record
|
|
|
|
|
connectionRecord.domainConfig = domainConfig;
|
|
|
|
|
|
|
|
|
|
// Check if this domain should use NetworkProxy (domain-specific setting)
|
|
|
|
|
if (domainConfig?.useNetworkProxy && this.networkProxy) {
|
|
|
|
|
if (this.settings.enableDetailedLogging) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
|
|
|
|
|
|
|
|
|
if (initialChunk && connectionRecord.isTLS) {
|
|
|
|
|
// For TLS connections with initial chunk, forward to NetworkProxy
|
|
|
|
|
this.forwardToNetworkProxy(
|
|
|
|
|
connectionId,
|
|
|
|
|
socket,
|
|
|
|
|
connectionRecord,
|
|
|
|
|
initialChunk,
|
|
|
|
|
networkProxyPort // Pass the domain-specific NetworkProxy port if configured
|
|
|
|
|
);
|
|
|
|
|
return; // Skip normal connection setup
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// IP validation is skipped if allowedIPs is empty
|
|
|
|
|
if (domainConfig) {
|
|
|
|
|
@ -1912,7 +1935,7 @@ export class PortProxy {
|
|
|
|
|
// Try to extract SNI
|
|
|
|
|
let serverName = '';
|
|
|
|
|
|
|
|
|
|
if (isTlsHandshake(chunk)) {
|
|
|
|
|
if (SniHandler.isTlsHandshake(chunk)) {
|
|
|
|
|
connectionRecord.isTLS = true;
|
|
|
|
|
|
|
|
|
|
if (this.settings.enableTlsDebugLogging) {
|
|
|
|
|
@ -1920,8 +1943,50 @@ export class PortProxy {
|
|
|
|
|
`[${connectionId}] Extracting SNI from TLS handshake, ${chunk.length} bytes`
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check for session tickets if allowSessionTicket is disabled
|
|
|
|
|
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
|
|
|
|
// Analyze for session resumption attempt
|
|
|
|
|
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
|
|
|
|
|
|
|
|
|
// Only block if there's a session ticket without SNI
|
|
|
|
|
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
|
|
|
|
|
`Terminating connection to force new TLS handshake.`
|
|
|
|
|
);
|
|
|
|
|
if (connectionRecord.incomingTerminationReason === null) {
|
|
|
|
|
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
|
|
|
|
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
|
|
|
|
}
|
|
|
|
|
socket.end();
|
|
|
|
|
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
|
|
|
|
return;
|
|
|
|
|
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
|
|
|
|
|
if (this.settings.enableTlsDebugLogging) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
|
|
|
|
|
`Allowing connection since SNI is present.`
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
serverName = extractSNI(chunk, this.settings.enableTlsDebugLogging) || '';
|
|
|
|
|
// Create connection info object for SNI extraction
|
|
|
|
|
const connInfo = {
|
|
|
|
|
sourceIp: remoteIP,
|
|
|
|
|
sourcePort: socket.remotePort || 0,
|
|
|
|
|
destIp: socket.localAddress || '',
|
|
|
|
|
destPort: socket.localPort || 0
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Use the new processTlsPacket method for comprehensive handling
|
|
|
|
|
serverName = SniHandler.processTlsPacket(
|
|
|
|
|
chunk,
|
|
|
|
|
connInfo,
|
|
|
|
|
this.settings.enableTlsDebugLogging,
|
|
|
|
|
connectionRecord.lockedDomain // Pass any previously negotiated domain as a hint
|
|
|
|
|
) || '';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Lock the connection to the negotiated SNI.
|
|
|
|
|
|
