Compare commits
22 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 156abbf5b4 | |||
| 1a90566622 | |||
| b48b90d613 | |||
| 124f8d48b7 | |||
| b2a57ada5d | |||
| 62a3e1f4b7 | |||
| 3a1485213a | |||
| 9dbf6fdeb5 | |||
| 9496dd5336 | |||
| 29d28fba93 | |||
| 8196de4fa3 | |||
| 6fddafe9fd | |||
| 1e89062167 | |||
| 21a24fd95b | |||
| 03ef5e7f6e | |||
| 415b82a84a | |||
| f304cc67b4 | |||
| 0e12706176 | |||
| 6daf4c914d | |||
| 36e4341315 | |||
| 474134d29c | |||
| 43378becd2 |
79
changelog.md
79
changelog.md
@ -1,5 +1,84 @@
|
||||
# Changelog
|
||||
|
||||
## 2025-03-12 - 3.41.3 - fix(TLS/SNI)
|
||||
Improve TLS session resumption handling and logging. Now, session resumption attempts are always logged with details, and connections without a proper SNI are rejected when allowSessionTicket is disabled. In addition, empty SNI extensions are explicitly treated as missing, ensuring stricter and more consistent TLS handshake validation.
|
||||
|
||||
- Always log session resumption in both renegotiation and initial ClientHello processing.
|
||||
- Terminate connections that attempt session resumption without SNI when allowSessionTicket is false.
|
||||
- Treat empty SNI extensions as absence of SNI to improve consistency in TLS handshake processing.
|
||||
|
||||
## 2025-03-11 - 3.41.2 - fix(SniHandler)
|
||||
Refactor hasSessionResumption to return detailed session resumption info
|
||||
|
||||
- Changed the return type of hasSessionResumption from boolean to an object with properties isResumption and hasSNI
|
||||
- Updated early return conditions to return { isResumption: false, hasSNI: false } when buffer is too short or invalid
|
||||
- Modified corresponding documentation to reflect the new return type
|
||||
|
||||
## 2025-03-11 - 3.41.1 - fix(SniHandler)
|
||||
Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
|
||||
|
||||
- Changed SniHandler.hasSessionResumption to return an object with 'isResumption' and 'hasSNI' flags.
|
||||
- Adjusted PortProxy logic to only terminate connections when a session ticket is detected without an accompanying SNI (when allowSessionTicket is false).
|
||||
- Enhanced debug logging to clearly differentiate between session resumption scenarios with and without SNI.
|
||||
|
||||
## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
|
||||
Add allowSessionTicket option to control TLS session ticket handling
|
||||
|
||||
- Introduce 'allowSessionTicket' flag (default true) in PortProxy settings to enable or disable TLS session resumption via session tickets.
|
||||
- Update SniHandler with a new hasSessionResumption method to detect session ticket and PSK extensions in ClientHello messages.
|
||||
- Force connection cleanup during renegotiation and initial handshake when allowSessionTicket is set to false and a session ticket is detected.
|
||||
|
||||
## 2025-03-11 - 3.40.0 - feat(SniHandler)
|
||||
Add session cache support and tab reactivation detection to improve SNI extraction in TLS handshakes
|
||||
|
||||
- Introduce a session cache mechanism to store and retrieve cached SNI values based on client IP (and optionally client random) to better handle tab reactivation scenarios.
|
||||
- Implement functions to initialize, update, and clean up the session cache for TLS ClientHello messages.
|
||||
- Enhance SNI extraction logic to check for tab reactivation handshakes and to return cached SNI for resumed connections or 0-RTT scenarios.
|
||||
- Update PSK extension handling to safely skip over obfuscated ticket age bytes.
|
||||
|
||||
## 2025-03-11 - 3.39.0 - feat(PortProxy)
|
||||
Add domain-specific NetworkProxy integration support to PortProxy
|
||||
|
||||
- Introduced new properties 'useNetworkProxy' and 'networkProxyPort' in domain configurations.
|
||||
- Updated forwardToNetworkProxy to accept an optional custom proxy port parameter.
|
||||
- Enhanced TLS handshake processing to extract SNI and, if a matching domain config specifies NetworkProxy usage, forward the connection using the domain-specific port.
|
||||
- Refined connection routing logic to check for domain-specific NetworkProxy settings before falling back to default behavior.
|
||||
|
||||
## 2025-03-11 - 3.38.2 - fix(core)
|
||||
No code changes detected; bumping patch version for consistency.
|
||||
|
||||
|
||||
## 2025-03-11 - 3.38.1 - fix(PortProxy)
|
||||
Improve SNI extraction handling in PortProxy by passing explicit connection info to extractSNIWithResumptionSupport for better TLS renegotiation and debug logging.
|
||||
|
||||
- In the renegotiation handler, create and pass a connection info object (sourceIp, sourcePort, destIp, destPort) instead of a boolean flag.
|
||||
- Update the TLS handshake processing to construct a connection info object for detailed SNI extraction and logging.
|
||||
- Enhance consistency by using processTlsPacket with cached SNI hints during fallback.
|
||||
|
||||
## 2025-03-11 - 3.38.0 - feat(SniHandler)
|
||||
Enhance SNI extraction to support fragmented ClientHello messages, TLS 1.3 early data, and improved PSK parsing
|
||||
|
||||
- Added isTlsApplicationData method for detecting TLS application data packets
|
||||
- Implemented handleFragmentedClientHello to buffer and reassemble fragmented ClientHello messages
|
||||
- Extended extractSNIWithResumptionSupport to accept connection information and use reassembled data
|
||||
- Added detection for TLS 1.3 early data (0-RTT) in the ClientHello, supporting session resumption scenarios
|
||||
- Improved logging and heuristics for handling potential connection racing in modern browsers
|
||||
|
||||
## 2025-03-11 - 3.37.3 - fix(snihandler)
|
||||
Enhance SNI extraction to support TLS 1.3 PSK-based session resumption by adding a dedicated extractSNIFromPSKExtension method and improved logging for session resumption indicators.
|
||||
|
||||
- Defined TLS_PSK_EXTENSION_TYPE and TLS_PSK_KE_MODES_EXTENSION_TYPE constants.
|
||||
- Added extractSNIFromPSKExtension method to handle ClientHello messages containing PSK identities.
|
||||
- Improved logging to indicate when session resumption indicators (ticket or PSK) are present but no standard SNI is found.
|
||||
- Enhanced extractSNIWithResumptionSupport to attempt PSK extraction if standard SNI extraction fails.
|
||||
|
||||
## 2025-03-11 - 3.37.2 - fix(PortProxy)
|
||||
Improve buffering and data handling during connection setup in PortProxy to prevent data loss
|
||||
|
||||
- Added a safeDataHandler and processDataQueue to buffer incoming data reliably during the TLS handshake phase
|
||||
- Introduced a queue with pause/resume logic to avoid exceeding maxPendingDataSize and ensure all pending data is flushed before piping begins
|
||||
- Refactored the piping setup to install the renegotiation handler only after proper data flushing
|
||||
|
||||
## 2025-03-11 - 3.37.1 - fix(PortProxy/SNI)
|
||||
Refactor SNI extraction in PortProxy to use the dedicated SniHandler class
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@push.rocks/smartproxy",
|
||||
"version": "3.37.1",
|
||||
"version": "3.41.3",
|
||||
"private": false,
|
||||
"description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
|
||||
"main": "dist_ts/index.js",
|
||||
|
||||
@ -3,6 +3,6 @@
|
||||
*/
|
||||
export const commitinfo = {
|
||||
name: '@push.rocks/smartproxy',
|
||||
version: '3.37.1',
|
||||
version: '3.41.3',
|
||||
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
|
||||
}
|
||||
|
||||
@ -11,6 +11,10 @@ export interface IDomainConfig {
|
||||
portRanges?: Array<{ from: number; to: number }>; // Optional port ranges
|
||||
// Allow domain-specific timeout override
|
||||
connectionTimeout?: number; // Connection timeout override (ms)
|
||||
|
||||
// NetworkProxy integration options for this specific domain
|
||||
useNetworkProxy?: boolean; // Whether to use NetworkProxy for this domain
|
||||
networkProxyPort?: number; // Override default NetworkProxy port for this domain
|
||||
}
|
||||
|
||||
/** Port proxy settings including global allowed port ranges */
|
||||
@ -47,6 +51,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
|
||||
enableDetailedLogging?: boolean; // Enable detailed connection logging
|
||||
enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
|
||||
enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
|
||||
allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)
|
||||
|
||||
// Rate limiting and security
|
||||
maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
|
||||
@ -232,6 +237,8 @@ export class PortProxy {
|
||||
enableDetailedLogging: settingsArg.enableDetailedLogging || false,
|
||||
enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
|
||||
enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
|
||||
allowSessionTicket: settingsArg.allowSessionTicket !== undefined
|
||||
? settingsArg.allowSessionTicket : true,
|
||||
|
||||
// Rate limiting defaults
|
||||
maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
|
||||
@ -452,12 +459,14 @@ export class PortProxy {
|
||||
* @param socket - The incoming client socket
|
||||
* @param record - The connection record
|
||||
* @param initialData - Initial data chunk (TLS ClientHello)
|
||||
* @param customProxyPort - Optional custom port for NetworkProxy (for domain-specific settings)
|
||||
*/
|
||||
private forwardToNetworkProxy(
|
||||
connectionId: string,
|
||||
socket: plugins.net.Socket,
|
||||
record: IConnectionRecord,
|
||||
initialData: Buffer
|
||||
initialData: Buffer,
|
||||
customProxyPort?: number
|
||||
): void {
|
||||
// Ensure NetworkProxy is initialized
|
||||
if (!this.networkProxy) {
|
||||
@ -475,7 +484,8 @@ export class PortProxy {
|
||||
);
|
||||
}
|
||||
|
||||
const proxyPort = this.networkProxy.getListeningPort();
|
||||
// Use the custom port if provided, otherwise use the default NetworkProxy port
|
||||
const proxyPort = customProxyPort || this.networkProxy.getListeningPort();
|
||||
const proxyHost = 'localhost'; // Assuming NetworkProxy runs locally
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
@ -566,44 +576,104 @@ export class PortProxy {
|
||||
connectionOptions.localAddress = record.remoteIP.replace('::ffff:', '');
|
||||
}
|
||||
|
||||
// Create a safe queue for incoming data using a Buffer array
|
||||
// We'll use this to ensure we don't lose data during handler transitions
|
||||
const dataQueue: Buffer[] = [];
|
||||
let queueSize = 0;
|
||||
let processingQueue = false;
|
||||
let drainPending = false;
|
||||
|
||||
// Flag to track if we've switched to the final piping mechanism
|
||||
// Once this is true, we no longer buffer data in dataQueue
|
||||
let pipingEstablished = false;
|
||||
|
||||
// Pause the incoming socket to prevent buffer overflows
|
||||
// This ensures we control the flow of data until piping is set up
|
||||
socket.pause();
|
||||
|
||||
// Temporary handler to collect data during connection setup
|
||||
const tempDataHandler = (chunk: Buffer) => {
|
||||
// Track bytes received
|
||||
record.bytesReceived += chunk.length;
|
||||
// Function to safely process the data queue without losing events
|
||||
const processDataQueue = () => {
|
||||
if (processingQueue || dataQueue.length === 0 || pipingEstablished) return;
|
||||
|
||||
processingQueue = true;
|
||||
|
||||
try {
|
||||
// Process all queued chunks with the current active handler
|
||||
while (dataQueue.length > 0) {
|
||||
const chunk = dataQueue.shift()!;
|
||||
queueSize -= chunk.length;
|
||||
|
||||
// Once piping is established, we shouldn't get here,
|
||||
// but just in case, pass to the outgoing socket directly
|
||||
if (pipingEstablished && record.outgoing) {
|
||||
record.outgoing.write(chunk);
|
||||
continue;
|
||||
}
|
||||
|
||||
// Track bytes received
|
||||
record.bytesReceived += chunk.length;
|
||||
|
||||
// Check for TLS handshake
|
||||
if (!record.isTLS && SniHandler.isTlsHandshake(chunk)) {
|
||||
record.isTLS = true;
|
||||
// Check for TLS handshake
|
||||
if (!record.isTLS && SniHandler.isTlsHandshake(chunk)) {
|
||||
record.isTLS = true;
|
||||
|
||||
if (this.settings.enableTlsDebugLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] TLS handshake detected in tempDataHandler, ${chunk.length} bytes`
|
||||
);
|
||||
if (this.settings.enableTlsDebugLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] TLS handshake detected in tempDataHandler, ${chunk.length} bytes`
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
// Check if adding this chunk would exceed the buffer limit
|
||||
const newSize = record.pendingDataSize + chunk.length;
|
||||
|
||||
if (this.settings.maxPendingDataSize && newSize > this.settings.maxPendingDataSize) {
|
||||
console.log(
|
||||
`[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
|
||||
);
|
||||
socket.end(); // Gracefully close the socket
|
||||
this.initiateCleanupOnce(record, 'buffer_limit_exceeded');
|
||||
return;
|
||||
}
|
||||
|
||||
// Buffer the chunk and update the size counter
|
||||
record.pendingData.push(Buffer.from(chunk));
|
||||
record.pendingDataSize = newSize;
|
||||
this.updateActivity(record);
|
||||
}
|
||||
} finally {
|
||||
processingQueue = false;
|
||||
|
||||
// If there's a pending drain and we've processed everything,
|
||||
// signal we're ready for more data if we haven't established piping yet
|
||||
if (drainPending && dataQueue.length === 0 && !pipingEstablished) {
|
||||
drainPending = false;
|
||||
socket.resume();
|
||||
}
|
||||
}
|
||||
|
||||
// Check if adding this chunk would exceed the buffer limit
|
||||
const newSize = record.pendingDataSize + chunk.length;
|
||||
|
||||
if (this.settings.maxPendingDataSize && newSize > this.settings.maxPendingDataSize) {
|
||||
console.log(
|
||||
`[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
|
||||
);
|
||||
socket.end(); // Gracefully close the socket
|
||||
return this.initiateCleanupOnce(record, 'buffer_limit_exceeded');
|
||||
}
|
||||
|
||||
// Buffer the chunk and update the size counter
|
||||
record.pendingData.push(Buffer.from(chunk));
|
||||
record.pendingDataSize = newSize;
|
||||
this.updateActivity(record);
|
||||
};
|
||||
|
||||
// Add the temp handler to capture all incoming data during connection setup
|
||||
socket.on('data', tempDataHandler);
|
||||
// Unified data handler that safely queues incoming data
|
||||
const safeDataHandler = (chunk: Buffer) => {
|
||||
// If piping is already established, just let the pipe handle it
|
||||
if (pipingEstablished) return;
|
||||
|
||||
// Add to our queue for orderly processing
|
||||
dataQueue.push(Buffer.from(chunk)); // Make a copy to be safe
|
||||
queueSize += chunk.length;
|
||||
|
||||
// If queue is getting large, pause socket until we catch up
|
||||
if (this.settings.maxPendingDataSize && queueSize > this.settings.maxPendingDataSize * 0.8) {
|
||||
socket.pause();
|
||||
drainPending = true;
|
||||
}
|
||||
|
||||
// Process the queue
|
||||
processDataQueue();
|
||||
};
|
||||
|
||||
// Add our safe data handler
|
||||
socket.on('data', safeDataHandler);
|
||||
|
||||
// Add initial chunk to pending data if present
|
||||
if (initialChunk) {
|
||||
@ -776,56 +846,32 @@ export class PortProxy {
|
||||
// Add the normal error handler for established connections
|
||||
targetSocket.on('error', this.handleError('outgoing', record));
|
||||
|
||||
// Remove temporary data handler
|
||||
socket.removeListener('data', tempDataHandler);
|
||||
|
||||
// Flush all pending data to target
|
||||
if (record.pendingData.length > 0) {
|
||||
const combinedData = Buffer.concat(record.pendingData);
|
||||
targetSocket.write(combinedData, (err) => {
|
||||
if (err) {
|
||||
console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
|
||||
return this.initiateCleanupOnce(record, 'write_error');
|
||||
}
|
||||
|
||||
// Now set up piping for future data and resume the socket
|
||||
socket.pipe(targetSocket);
|
||||
targetSocket.pipe(socket);
|
||||
socket.resume(); // Resume the socket after piping is established
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
|
||||
`${
|
||||
serverName
|
||||
? ` (SNI: ${serverName})`
|
||||
: domainConfig
|
||||
? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
|
||||
: ''
|
||||
}` +
|
||||
` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
|
||||
record.hasKeepAlive ? 'Yes' : 'No'
|
||||
}`
|
||||
);
|
||||
} else {
|
||||
console.log(
|
||||
`Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
|
||||
`${
|
||||
serverName
|
||||
? ` (SNI: ${serverName})`
|
||||
: domainConfig
|
||||
? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
|
||||
: ''
|
||||
}`
|
||||
);
|
||||
}
|
||||
});
|
||||
} else {
|
||||
// No pending data, so just set up piping
|
||||
// Process any remaining data in the queue before switching to piping
|
||||
processDataQueue();
|
||||
|
||||
// Setup function to establish piping - we'll use this after flushing data
|
||||
const setupPiping = () => {
|
||||
// Mark that we're switching to piping mode
|
||||
pipingEstablished = true;
|
||||
|
||||
// Setup piping in both directions
|
||||
socket.pipe(targetSocket);
|
||||
targetSocket.pipe(socket);
|
||||
socket.resume(); // Resume the socket after piping is established
|
||||
|
||||
|
||||
// Resume the socket to ensure data flows
|
||||
socket.resume();
|
||||
|
||||
// Process any data that might be queued in the interim
|
||||
if (dataQueue.length > 0) {
|
||||
// Write any remaining queued data directly to the target socket
|
||||
for (const chunk of dataQueue) {
|
||||
targetSocket.write(chunk);
|
||||
}
|
||||
// Clear the queue
|
||||
dataQueue.length = 0;
|
||||
queueSize = 0;
|
||||
}
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
|
||||
@ -852,6 +898,23 @@ export class PortProxy {
|
||||
}`
|
||||
);
|
||||
}
|
||||
};
|
||||
|
||||
// Flush all pending data to target
|
||||
if (record.pendingData.length > 0) {
|
||||
const combinedData = Buffer.concat(record.pendingData);
|
||||
targetSocket.write(combinedData, (err) => {
|
||||
if (err) {
|
||||
console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
|
||||
return this.initiateCleanupOnce(record, 'write_error');
|
||||
}
|
||||
|
||||
// Establish piping now that we've flushed the buffered data
|
||||
setupPiping();
|
||||
});
|
||||
} else {
|
||||
// No pending data, just establish piping immediately
|
||||
setupPiping();
|
||||
}
|
||||
|
||||
// Clear the buffer now that we've processed it
|
||||
@ -859,6 +922,7 @@ export class PortProxy {
|
||||
record.pendingDataSize = 0;
|
||||
|
||||
// Add the renegotiation handler for SNI validation with strict domain enforcement
|
||||
// This will be called after we've established piping
|
||||
if (serverName) {
|
||||
// Define a handler for checking renegotiation with improved detection
|
||||
const renegotiationHandler = (renegChunk: Buffer) => {
|
||||
@ -866,7 +930,46 @@ export class PortProxy {
|
||||
if (SniHandler.isClientHello(renegChunk)) {
|
||||
try {
|
||||
// Extract SNI from ClientHello
|
||||
const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
// Create a connection info object for the existing connection
|
||||
const connInfo = {
|
||||
sourceIp: record.remoteIP,
|
||||
sourcePort: record.incoming.remotePort || 0,
|
||||
destIp: record.incoming.localAddress || '',
|
||||
destPort: record.incoming.localPort || 0
|
||||
};
|
||||
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false) {
|
||||
// Analyze for session resumption attempt (session ticket or PSK)
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
if (resumptionInfo.isResumption) {
|
||||
// Always log resumption attempt for easier debugging
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in renegotiation. ` +
|
||||
`Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, allowSessionTicket: ${this.settings.allowSessionTicket}`
|
||||
);
|
||||
|
||||
// Block if there's session resumption without SNI
|
||||
if (!resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in renegotiation without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
this.initiateCleanupOnce(record, 'session_ticket_blocked');
|
||||
return;
|
||||
} else {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption with SNI detected in renegotiation. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, connInfo, this.settings.enableTlsDebugLogging);
|
||||
|
||||
// Skip if no SNI was found
|
||||
if (!newSNI) return;
|
||||
@ -895,8 +998,16 @@ export class PortProxy {
|
||||
// Store the handler in the connection record so we can remove it during cleanup
|
||||
record.renegotiationHandler = renegotiationHandler;
|
||||
|
||||
// Add the listener
|
||||
// The renegotiation handler is added when piping is established
|
||||
// Making it part of setupPiping ensures proper sequencing of event handlers
|
||||
socket.on('data', renegotiationHandler);
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
|
||||
if (this.settings.allowSessionTicket === false) {
|
||||
console.log(`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Set connection timeout with simpler logic
|
||||
@ -1056,13 +1167,16 @@ export class PortProxy {
|
||||
const bytesReceived = record.bytesReceived;
|
||||
const bytesSent = record.bytesSent;
|
||||
|
||||
// Remove the renegotiation handler if present
|
||||
if (record.renegotiationHandler && record.incoming) {
|
||||
// Remove all data handlers (both standard and renegotiation) to make sure we clean up properly
|
||||
if (record.incoming) {
|
||||
try {
|
||||
record.incoming.removeListener('data', record.renegotiationHandler);
|
||||
// Remove our safe data handler
|
||||
record.incoming.removeAllListeners('data');
|
||||
|
||||
// Reset the handler references
|
||||
record.renegotiationHandler = undefined;
|
||||
} catch (err) {
|
||||
console.log(`[${record.id}] Error removing renegotiation handler: ${err}`);
|
||||
console.log(`[${record.id}] Error removing data handlers: ${err}`);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1416,9 +1530,12 @@ export class PortProxy {
|
||||
);
|
||||
}
|
||||
|
||||
// Check if this connection should be forwarded directly to NetworkProxy based on port
|
||||
const shouldUseNetworkProxy = this.settings.useNetworkProxy &&
|
||||
this.settings.useNetworkProxy.includes(localPort);
|
||||
// Check if this connection should be forwarded directly to NetworkProxy
|
||||
// First check port-based forwarding settings
|
||||
let shouldUseNetworkProxy = this.settings.useNetworkProxy &&
|
||||
this.settings.useNetworkProxy.includes(localPort);
|
||||
|
||||
// We'll look for domain-specific settings after SNI extraction
|
||||
|
||||
if (shouldUseNetworkProxy) {
|
||||
// For NetworkProxy ports, we want to capture the TLS handshake and forward directly
|
||||
@ -1461,7 +1578,84 @@ export class PortProxy {
|
||||
if (SniHandler.isTlsHandshake(chunk)) {
|
||||
connectionRecord.isTLS = true;
|
||||
|
||||
// Forward directly to NetworkProxy without SNI processing
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||
// Analyze for session resumption attempt
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
if (resumptionInfo.isResumption) {
|
||||
// Always log resumption attempt for easier debugging
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in initial ClientHello. ` +
|
||||
`Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, allowSessionTicket: ${this.settings.allowSessionTicket}`
|
||||
);
|
||||
|
||||
// Block if there's session resumption without SNI
|
||||
if (!resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
||||
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
} else {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption with SNI detected in initial ClientHello. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Try to extract SNI for domain-specific NetworkProxy handling
|
||||
const connInfo = {
|
||||
sourceIp: remoteIP,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0
|
||||
};
|
||||
|
||||
// Extract SNI to check for domain-specific NetworkProxy settings
|
||||
const serverName = SniHandler.processTlsPacket(
|
||||
chunk,
|
||||
connInfo,
|
||||
this.settings.enableTlsDebugLogging
|
||||
);
|
||||
|
||||
if (serverName) {
|
||||
// If we got an SNI, check for domain-specific NetworkProxy settings
|
||||
const domainConfig = this.settings.domainConfigs.find((config) =>
|
||||
config.domains.some((d) => plugins.minimatch(serverName, d))
|
||||
);
|
||||
|
||||
// Save domain config and SNI in connection record
|
||||
connectionRecord.domainConfig = domainConfig;
|
||||
connectionRecord.lockedDomain = serverName;
|
||||
|
||||
// Use domain-specific NetworkProxy port if configured
|
||||
if (domainConfig?.useNetworkProxy) {
|
||||
const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}`
|
||||
);
|
||||
}
|
||||
|
||||
// Forward to NetworkProxy with domain-specific port
|
||||
this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk, networkProxyPort);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// Forward directly to NetworkProxy without domain-specific settings
|
||||
this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk);
|
||||
} else {
|
||||
// If not TLS, use normal direct connection
|
||||
@ -1528,7 +1722,15 @@ export class PortProxy {
|
||||
`[${connectionId}] TLS handshake detected from ${remoteIP}, ${chunk.length} bytes`
|
||||
);
|
||||
// Try to extract SNI and log detailed debug info
|
||||
SniHandler.extractSNIWithResumptionSupport(chunk, true);
|
||||
// Create connection info for debug logging
|
||||
const debugConnInfo = {
|
||||
sourceIp: remoteIP,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0
|
||||
};
|
||||
|
||||
SniHandler.extractSNIWithResumptionSupport(chunk, debugConnInfo, true);
|
||||
}
|
||||
}
|
||||
});
|
||||
@ -1579,6 +1781,29 @@ export class PortProxy {
|
||||
|
||||
// Save domain config in connection record
|
||||
connectionRecord.domainConfig = domainConfig;
|
||||
|
||||
// Check if this domain should use NetworkProxy (domain-specific setting)
|
||||
if (domainConfig?.useNetworkProxy && this.networkProxy) {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`
|
||||
);
|
||||
}
|
||||
|
||||
const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
||||
|
||||
if (initialChunk && connectionRecord.isTLS) {
|
||||
// For TLS connections with initial chunk, forward to NetworkProxy
|
||||
this.forwardToNetworkProxy(
|
||||
connectionId,
|
||||
socket,
|
||||
connectionRecord,
|
||||
initialChunk,
|
||||
networkProxyPort // Pass the domain-specific NetworkProxy port if configured
|
||||
);
|
||||
return; // Skip normal connection setup
|
||||
}
|
||||
}
|
||||
|
||||
// IP validation is skipped if allowedIPs is empty
|
||||
if (domainConfig) {
|
||||
@ -1734,8 +1959,58 @@ export class PortProxy {
|
||||
`[${connectionId}] Extracting SNI from TLS handshake, ${chunk.length} bytes`
|
||||
);
|
||||
}
|
||||
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||
// Analyze for session resumption attempt
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
if (resumptionInfo.isResumption) {
|
||||
// Always log resumption attempt for easier debugging
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in SNI handler. ` +
|
||||
`Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, allowSessionTicket: ${this.settings.allowSessionTicket}`
|
||||
);
|
||||
|
||||
// Block if there's session resumption without SNI
|
||||
if (!resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in SNI handler without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
||||
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
} else {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption with SNI detected in SNI handler. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
serverName = SniHandler.extractSNIWithResumptionSupport(chunk, this.settings.enableTlsDebugLogging) || '';
|
||||
// Create connection info object for SNI extraction
|
||||
const connInfo = {
|
||||
sourceIp: remoteIP,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0
|
||||
};
|
||||
|
||||
// Use the new processTlsPacket method for comprehensive handling
|
||||
serverName = SniHandler.processTlsPacket(
|
||||
chunk,
|
||||
connInfo,
|
||||
this.settings.enableTlsDebugLogging,
|
||||
connectionRecord.lockedDomain // Pass any previously negotiated domain as a hint
|
||||
) || '';
|
||||
}
|
||||
|
||||
// Lock the connection to the negotiated SNI.
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user