Compare commits
16 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| b2a57ada5d | |||
| 62a3e1f4b7 | |||
| 3a1485213a | |||
| 9dbf6fdeb5 | |||
| 9496dd5336 | |||
| 29d28fba93 | |||
| 8196de4fa3 | |||
| 6fddafe9fd | |||
| 1e89062167 | |||
| 21a24fd95b | |||
| 03ef5e7f6e | |||
| 415b82a84a | |||
| f304cc67b4 | |||
| 0e12706176 | |||
| 6daf4c914d | |||
| 36e4341315 |
58
changelog.md
58
changelog.md
@ -1,5 +1,63 @@
|
||||
# Changelog
|
||||
|
||||
## 2025-03-11 - 3.41.1 - fix(SniHandler)
|
||||
Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
|
||||
|
||||
- Changed SniHandler.hasSessionResumption to return an object with 'isResumption' and 'hasSNI' flags.
|
||||
- Adjusted PortProxy logic to only terminate connections when a session ticket is detected without an accompanying SNI (when allowSessionTicket is false).
|
||||
- Enhanced debug logging to clearly differentiate between session resumption scenarios with and without SNI.
|
||||
|
||||
## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
|
||||
Add allowSessionTicket option to control TLS session ticket handling
|
||||
|
||||
- Introduce 'allowSessionTicket' flag (default true) in PortProxy settings to enable or disable TLS session resumption via session tickets.
|
||||
- Update SniHandler with a new hasSessionResumption method to detect session ticket and PSK extensions in ClientHello messages.
|
||||
- Force connection cleanup during renegotiation and initial handshake when allowSessionTicket is set to false and a session ticket is detected.
|
||||
|
||||
## 2025-03-11 - 3.40.0 - feat(SniHandler)
|
||||
Add session cache support and tab reactivation detection to improve SNI extraction in TLS handshakes
|
||||
|
||||
- Introduce a session cache mechanism to store and retrieve cached SNI values based on client IP (and optionally client random) to better handle tab reactivation scenarios.
|
||||
- Implement functions to initialize, update, and clean up the session cache for TLS ClientHello messages.
|
||||
- Enhance SNI extraction logic to check for tab reactivation handshakes and to return cached SNI for resumed connections or 0-RTT scenarios.
|
||||
- Update PSK extension handling to safely skip over obfuscated ticket age bytes.
|
||||
|
||||
## 2025-03-11 - 3.39.0 - feat(PortProxy)
|
||||
Add domain-specific NetworkProxy integration support to PortProxy
|
||||
|
||||
- Introduced new properties 'useNetworkProxy' and 'networkProxyPort' in domain configurations.
|
||||
- Updated forwardToNetworkProxy to accept an optional custom proxy port parameter.
|
||||
- Enhanced TLS handshake processing to extract SNI and, if a matching domain config specifies NetworkProxy usage, forward the connection using the domain-specific port.
|
||||
- Refined connection routing logic to check for domain-specific NetworkProxy settings before falling back to default behavior.
|
||||
|
||||
## 2025-03-11 - 3.38.2 - fix(core)
|
||||
No code changes detected; bumping patch version for consistency.
|
||||
|
||||
|
||||
## 2025-03-11 - 3.38.1 - fix(PortProxy)
|
||||
Improve SNI extraction handling in PortProxy by passing explicit connection info to extractSNIWithResumptionSupport for better TLS renegotiation and debug logging.
|
||||
|
||||
- In the renegotiation handler, create and pass a connection info object (sourceIp, sourcePort, destIp, destPort) instead of a boolean flag.
|
||||
- Update the TLS handshake processing to construct a connection info object for detailed SNI extraction and logging.
|
||||
- Enhance consistency by using processTlsPacket with cached SNI hints during fallback.
|
||||
|
||||
## 2025-03-11 - 3.38.0 - feat(SniHandler)
|
||||
Enhance SNI extraction to support fragmented ClientHello messages, TLS 1.3 early data, and improved PSK parsing
|
||||
|
||||
- Added isTlsApplicationData method for detecting TLS application data packets
|
||||
- Implemented handleFragmentedClientHello to buffer and reassemble fragmented ClientHello messages
|
||||
- Extended extractSNIWithResumptionSupport to accept connection information and use reassembled data
|
||||
- Added detection for TLS 1.3 early data (0-RTT) in the ClientHello, supporting session resumption scenarios
|
||||
- Improved logging and heuristics for handling potential connection racing in modern browsers
|
||||
|
||||
## 2025-03-11 - 3.37.3 - fix(snihandler)
|
||||
Enhance SNI extraction to support TLS 1.3 PSK-based session resumption by adding a dedicated extractSNIFromPSKExtension method and improved logging for session resumption indicators.
|
||||
|
||||
- Defined TLS_PSK_EXTENSION_TYPE and TLS_PSK_KE_MODES_EXTENSION_TYPE constants.
|
||||
- Added extractSNIFromPSKExtension method to handle ClientHello messages containing PSK identities.
|
||||
- Improved logging to indicate when session resumption indicators (ticket or PSK) are present but no standard SNI is found.
|
||||
- Enhanced extractSNIWithResumptionSupport to attempt PSK extraction if standard SNI extraction fails.
|
||||
|
||||
## 2025-03-11 - 3.37.2 - fix(PortProxy)
|
||||
Improve buffering and data handling during connection setup in PortProxy to prevent data loss
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@push.rocks/smartproxy",
|
||||
"version": "3.37.2",
|
||||
"version": "3.41.1",
|
||||
"private": false,
|
||||
"description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
|
||||
"main": "dist_ts/index.js",
|
||||
|
||||
@ -3,6 +3,6 @@
|
||||
*/
|
||||
export const commitinfo = {
|
||||
name: '@push.rocks/smartproxy',
|
||||
version: '3.37.2',
|
||||
version: '3.41.1',
|
||||
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
|
||||
}
|
||||
|
||||
@ -11,6 +11,10 @@ export interface IDomainConfig {
|
||||
portRanges?: Array<{ from: number; to: number }>; // Optional port ranges
|
||||
// Allow domain-specific timeout override
|
||||
connectionTimeout?: number; // Connection timeout override (ms)
|
||||
|
||||
// NetworkProxy integration options for this specific domain
|
||||
useNetworkProxy?: boolean; // Whether to use NetworkProxy for this domain
|
||||
networkProxyPort?: number; // Override default NetworkProxy port for this domain
|
||||
}
|
||||
|
||||
/** Port proxy settings including global allowed port ranges */
|
||||
@ -47,6 +51,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
|
||||
enableDetailedLogging?: boolean; // Enable detailed connection logging
|
||||
enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
|
||||
enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
|
||||
allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)
|
||||
|
||||
// Rate limiting and security
|
||||
maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
|
||||
@ -232,6 +237,8 @@ export class PortProxy {
|
||||
enableDetailedLogging: settingsArg.enableDetailedLogging || false,
|
||||
enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
|
||||
enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
|
||||
allowSessionTicket: settingsArg.allowSessionTicket !== undefined
|
||||
? settingsArg.allowSessionTicket : true,
|
||||
|
||||
// Rate limiting defaults
|
||||
maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
|
||||
@ -452,12 +459,14 @@ export class PortProxy {
|
||||
* @param socket - The incoming client socket
|
||||
* @param record - The connection record
|
||||
* @param initialData - Initial data chunk (TLS ClientHello)
|
||||
* @param customProxyPort - Optional custom port for NetworkProxy (for domain-specific settings)
|
||||
*/
|
||||
private forwardToNetworkProxy(
|
||||
connectionId: string,
|
||||
socket: plugins.net.Socket,
|
||||
record: IConnectionRecord,
|
||||
initialData: Buffer
|
||||
initialData: Buffer,
|
||||
customProxyPort?: number
|
||||
): void {
|
||||
// Ensure NetworkProxy is initialized
|
||||
if (!this.networkProxy) {
|
||||
@ -475,7 +484,8 @@ export class PortProxy {
|
||||
);
|
||||
}
|
||||
|
||||
const proxyPort = this.networkProxy.getListeningPort();
|
||||
// Use the custom port if provided, otherwise use the default NetworkProxy port
|
||||
const proxyPort = customProxyPort || this.networkProxy.getListeningPort();
|
||||
const proxyHost = 'localhost'; // Assuming NetworkProxy runs locally
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
@ -920,7 +930,38 @@ export class PortProxy {
|
||||
if (SniHandler.isClientHello(renegChunk)) {
|
||||
try {
|
||||
// Extract SNI from ClientHello
|
||||
const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
// Create a connection info object for the existing connection
|
||||
const connInfo = {
|
||||
sourceIp: record.remoteIP,
|
||||
sourcePort: record.incoming.remotePort || 0,
|
||||
destIp: record.incoming.localAddress || '',
|
||||
destPort: record.incoming.localPort || 0
|
||||
};
|
||||
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false) {
|
||||
// Analyze for session resumption attempt (session ticket or PSK)
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
// Only block if there's a session ticket without SNI
|
||||
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in renegotiation without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
this.initiateCleanupOnce(record, 'session_ticket_blocked');
|
||||
return;
|
||||
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
|
||||
if (this.settings.enableTlsDebugLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket with SNI detected in renegotiation. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, connInfo, this.settings.enableTlsDebugLogging);
|
||||
|
||||
// Skip if no SNI was found
|
||||
if (!newSNI) return;
|
||||
@ -955,6 +996,9 @@ export class PortProxy {
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
|
||||
if (this.settings.allowSessionTicket === false) {
|
||||
console.log(`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1478,9 +1522,12 @@ export class PortProxy {
|
||||
);
|
||||
}
|
||||
|
||||
// Check if this connection should be forwarded directly to NetworkProxy based on port
|
||||
const shouldUseNetworkProxy = this.settings.useNetworkProxy &&
|
||||
this.settings.useNetworkProxy.includes(localPort);
|
||||
// Check if this connection should be forwarded directly to NetworkProxy
|
||||
// First check port-based forwarding settings
|
||||
let shouldUseNetworkProxy = this.settings.useNetworkProxy &&
|
||||
this.settings.useNetworkProxy.includes(localPort);
|
||||
|
||||
// We'll look for domain-specific settings after SNI extraction
|
||||
|
||||
if (shouldUseNetworkProxy) {
|
||||
// For NetworkProxy ports, we want to capture the TLS handshake and forward directly
|
||||
@ -1523,7 +1570,76 @@ export class PortProxy {
|
||||
if (SniHandler.isTlsHandshake(chunk)) {
|
||||
connectionRecord.isTLS = true;
|
||||
|
||||
// Forward directly to NetworkProxy without SNI processing
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||
// Analyze for session resumption attempt
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
// Only block if there's a session ticket without SNI
|
||||
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
||||
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
|
||||
if (this.settings.enableTlsDebugLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Try to extract SNI for domain-specific NetworkProxy handling
|
||||
const connInfo = {
|
||||
sourceIp: remoteIP,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0
|
||||
};
|
||||
|
||||
// Extract SNI to check for domain-specific NetworkProxy settings
|
||||
const serverName = SniHandler.processTlsPacket(
|
||||
chunk,
|
||||
connInfo,
|
||||
this.settings.enableTlsDebugLogging
|
||||
);
|
||||
|
||||
if (serverName) {
|
||||
// If we got an SNI, check for domain-specific NetworkProxy settings
|
||||
const domainConfig = this.settings.domainConfigs.find((config) =>
|
||||
config.domains.some((d) => plugins.minimatch(serverName, d))
|
||||
);
|
||||
|
||||
// Save domain config and SNI in connection record
|
||||
connectionRecord.domainConfig = domainConfig;
|
||||
connectionRecord.lockedDomain = serverName;
|
||||
|
||||
// Use domain-specific NetworkProxy port if configured
|
||||
if (domainConfig?.useNetworkProxy) {
|
||||
const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}`
|
||||
);
|
||||
}
|
||||
|
||||
// Forward to NetworkProxy with domain-specific port
|
||||
this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk, networkProxyPort);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// Forward directly to NetworkProxy without domain-specific settings
|
||||
this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk);
|
||||
} else {
|
||||
// If not TLS, use normal direct connection
|
||||
@ -1590,7 +1706,15 @@ export class PortProxy {
|
||||
`[${connectionId}] TLS handshake detected from ${remoteIP}, ${chunk.length} bytes`
|
||||
);
|
||||
// Try to extract SNI and log detailed debug info
|
||||
SniHandler.extractSNIWithResumptionSupport(chunk, true);
|
||||
// Create connection info for debug logging
|
||||
const debugConnInfo = {
|
||||
sourceIp: remoteIP,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0
|
||||
};
|
||||
|
||||
SniHandler.extractSNIWithResumptionSupport(chunk, debugConnInfo, true);
|
||||
}
|
||||
}
|
||||
});
|
||||
@ -1641,6 +1765,29 @@ export class PortProxy {
|
||||
|
||||
// Save domain config in connection record
|
||||
connectionRecord.domainConfig = domainConfig;
|
||||
|
||||
// Check if this domain should use NetworkProxy (domain-specific setting)
|
||||
if (domainConfig?.useNetworkProxy && this.networkProxy) {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`
|
||||
);
|
||||
}
|
||||
|
||||
const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
||||
|
||||
if (initialChunk && connectionRecord.isTLS) {
|
||||
// For TLS connections with initial chunk, forward to NetworkProxy
|
||||
this.forwardToNetworkProxy(
|
||||
connectionId,
|
||||
socket,
|
||||
connectionRecord,
|
||||
initialChunk,
|
||||
networkProxyPort // Pass the domain-specific NetworkProxy port if configured
|
||||
);
|
||||
return; // Skip normal connection setup
|
||||
}
|
||||
}
|
||||
|
||||
// IP validation is skipped if allowedIPs is empty
|
||||
if (domainConfig) {
|
||||
@ -1796,8 +1943,50 @@ export class PortProxy {
|
||||
`[${connectionId}] Extracting SNI from TLS handshake, ${chunk.length} bytes`
|
||||
);
|
||||
}
|
||||
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||
// Analyze for session resumption attempt
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
// Only block if there's a session ticket without SNI
|
||||
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
||||
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
|
||||
if (this.settings.enableTlsDebugLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
serverName = SniHandler.extractSNIWithResumptionSupport(chunk, this.settings.enableTlsDebugLogging) || '';
|
||||
// Create connection info object for SNI extraction
|
||||
const connInfo = {
|
||||
sourceIp: remoteIP,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0
|
||||
};
|
||||
|
||||
// Use the new processTlsPacket method for comprehensive handling
|
||||
serverName = SniHandler.processTlsPacket(
|
||||
chunk,
|
||||
connInfo,
|
||||
this.settings.enableTlsDebugLogging,
|
||||
connectionRecord.lockedDomain // Pass any previously negotiated domain as a hint
|
||||
) || '';
|
||||
}
|
||||
|
||||
// Lock the connection to the negotiated SNI.
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user