3.41.6

changelog.md

@@ -1,5 +1,75 @@
 # Changelog
 
+## 2025-03-12 - 3.41.6 - fix(SniHandler)
+Refactor SniHandler: update whitespace, comment formatting, and consistent type definitions
+
+- Unified inline comment style and spacing in SniHandler
+- Refactored session cache type declaration for clarity
+- Adjusted buffer length calculations to include TLS record header consistently
+- Minor improvements to logging messages during ClientHello reassembly and SNI extraction
+
+## 2025-03-12 - 3.41.5 - fix(portproxy)
+Enforce TLS handshake and SNI validation on port 443 by blocking non-TLS connections and terminating session resumption attempts without SNI when allowSessionTicket is disabled.
+
+- Added explicit check to block non-TLS connections on port 443 to ensure proper TLS usage.
+- Enhanced logging for TLS ClientHello to include details on SNI extraction and session resumption status.
+- Terminate connections with missing SNI by setting termination reasons ('session_ticket_blocked' or 'no_sni_blocked').
+- Ensured consistent rejection of non-TLS handshakes on standard HTTPS port.
+
+## 2025-03-12 - 3.41.4 - fix(tls/sni)
+Improve logging for TLS session resumption by extracting and logging SNI values from ClientHello messages.
+
+- Added logging to output the extracted SNI value during renegotiation, initial ClientHello and in the SNI handler.
+- Enhanced error handling during SNI extraction to aid troubleshooting of TLS session resumption issues.
+
+## 2025-03-12 - 3.41.3 - fix(TLS/SNI)
+Improve TLS session resumption handling and logging. Now, session resumption attempts are always logged with details, and connections without a proper SNI are rejected when allowSessionTicket is disabled. In addition, empty SNI extensions are explicitly treated as missing, ensuring stricter and more consistent TLS handshake validation.
+
+- Always log session resumption in both renegotiation and initial ClientHello processing.
+- Terminate connections that attempt session resumption without SNI when allowSessionTicket is false.
+- Treat empty SNI extensions as absence of SNI to improve consistency in TLS handshake processing.
+
+## 2025-03-11 - 3.41.2 - fix(SniHandler)
+Refactor hasSessionResumption to return detailed session resumption info
+
+- Changed the return type of hasSessionResumption from boolean to an object with properties isResumption and hasSNI
+- Updated early return conditions to return { isResumption: false, hasSNI: false } when buffer is too short or invalid
+- Modified corresponding documentation to reflect the new return type
+
+## 2025-03-11 - 3.41.1 - fix(SniHandler)
+Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
+
+- Changed SniHandler.hasSessionResumption to return an object with 'isResumption' and 'hasSNI' flags.
+- Adjusted PortProxy logic to only terminate connections when a session ticket is detected without an accompanying SNI (when allowSessionTicket is false).
+- Enhanced debug logging to clearly differentiate between session resumption scenarios with and without SNI.
+
+## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
+Add allowSessionTicket option to control TLS session ticket handling
+
+- Introduce 'allowSessionTicket' flag (default true) in PortProxy settings to enable or disable TLS session resumption via session tickets.
+- Update SniHandler with a new hasSessionResumption method to detect session ticket and PSK extensions in ClientHello messages.
+- Force connection cleanup during renegotiation and initial handshake when allowSessionTicket is set to false and a session ticket is detected.
+
+## 2025-03-11 - 3.40.0 - feat(SniHandler)
+Add session cache support and tab reactivation detection to improve SNI extraction in TLS handshakes
+
+- Introduce a session cache mechanism to store and retrieve cached SNI values based on client IP (and optionally client random) to better handle tab reactivation scenarios.
+- Implement functions to initialize, update, and clean up the session cache for TLS ClientHello messages.
+- Enhance SNI extraction logic to check for tab reactivation handshakes and to return cached SNI for resumed connections or 0-RTT scenarios.
+- Update PSK extension handling to safely skip over obfuscated ticket age bytes.
+
+## 2025-03-11 - 3.39.0 - feat(PortProxy)
+Add domain-specific NetworkProxy integration support to PortProxy
+
+- Introduced new properties 'useNetworkProxy' and 'networkProxyPort' in domain configurations.
+- Updated forwardToNetworkProxy to accept an optional custom proxy port parameter.
+- Enhanced TLS handshake processing to extract SNI and, if a matching domain config specifies NetworkProxy usage, forward the connection using the domain-specific port.
+- Refined connection routing logic to check for domain-specific NetworkProxy settings before falling back to default behavior.
+
+## 2025-03-11 - 3.38.2 - fix(core)
+No code changes detected; bumping patch version for consistency.
+
+
 ## 2025-03-11 - 3.38.1 - fix(PortProxy)
 Improve SNI extraction handling in PortProxy by passing explicit connection info to extractSNIWithResumptionSupport for better TLS renegotiation and debug logging.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.38.1",
+  "version": "3.41.6",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.38.1',
+  version: '3.41.6',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }

ts/classes.portproxy.ts

@@ -11,6 +11,10 @@ export interface IDomainConfig {
   portRanges?: Array<{ from: number; to: number }>; // Optional port ranges
   // Allow domain-specific timeout override
   connectionTimeout?: number; // Connection timeout override (ms)
+  
+  // NetworkProxy integration options for this specific domain
+  useNetworkProxy?: boolean; // Whether to use NetworkProxy for this domain
+  networkProxyPort?: number; // Override default NetworkProxy port for this domain
 }
 
 /** Port proxy settings including global allowed port ranges */
@@ -47,6 +51,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   enableDetailedLogging?: boolean; // Enable detailed connection logging
   enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
   enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
+  allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)
 
   // Rate limiting and security
   maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
@@ -232,6 +237,8 @@ export class PortProxy {
       enableDetailedLogging: settingsArg.enableDetailedLogging || false,
       enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
       enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
+      allowSessionTicket: settingsArg.allowSessionTicket !== undefined 
+                         ? settingsArg.allowSessionTicket : true,
 
       // Rate limiting defaults
       maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
@@ -452,12 +459,14 @@ export class PortProxy {
    * @param socket - The incoming client socket
    * @param record - The connection record
    * @param initialData - Initial data chunk (TLS ClientHello)
+   * @param customProxyPort - Optional custom port for NetworkProxy (for domain-specific settings)
    */
   private forwardToNetworkProxy(
     connectionId: string,
     socket: plugins.net.Socket,
     record: IConnectionRecord,
-    initialData: Buffer
+    initialData: Buffer,
+    customProxyPort?: number
   ): void {
     // Ensure NetworkProxy is initialized
     if (!this.networkProxy) {
@@ -475,7 +484,8 @@ export class PortProxy {
       );
     }
 
-    const proxyPort = this.networkProxy.getListeningPort();
+    // Use the custom port if provided, otherwise use the default NetworkProxy port
+    const proxyPort = customProxyPort || this.networkProxy.getListeningPort();
     const proxyHost = 'localhost'; // Assuming NetworkProxy runs locally
 
     if (this.settings.enableDetailedLogging) {
@@ -928,6 +938,41 @@ export class PortProxy {
                 destPort: record.incoming.localPort || 0
               };
               
+              // Check for session tickets if allowSessionTicket is disabled
+              if (this.settings.allowSessionTicket === false) {
+                // Analyze for session resumption attempt (session ticket or PSK)
+                const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
+                
+                if (resumptionInfo.isResumption) {
+                  // Always log resumption attempt for easier debugging
+                  // Try to extract SNI for logging
+                  const extractedSNI = SniHandler.extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
+                  console.log(
+                    `[${connectionId}] Session resumption detected in renegotiation. ` +
+                    `Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
+                    `SNI value: ${extractedSNI || 'None'}, ` +
+                    `allowSessionTicket: ${this.settings.allowSessionTicket}`
+                  );
+                  
+                  // Block if there's session resumption without SNI
+                  if (!resumptionInfo.hasSNI) {
+                    console.log(
+                      `[${connectionId}] Session resumption detected in renegotiation without SNI and allowSessionTicket=false. ` +
+                      `Terminating connection to force new TLS handshake.`
+                    );
+                    this.initiateCleanupOnce(record, 'session_ticket_blocked');
+                    return;
+                  } else {
+                    if (this.settings.enableDetailedLogging) {
+                      console.log(
+                        `[${connectionId}] Session resumption with SNI detected in renegotiation. ` +
+                        `Allowing connection since SNI is present.`
+                      );
+                    }
+                  }
+                }
+              }
+              
               const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, connInfo, this.settings.enableTlsDebugLogging);
 
               // Skip if no SNI was found
@@ -963,6 +1008,9 @@ export class PortProxy {
         
         if (this.settings.enableDetailedLogging) {
           console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
+          if (this.settings.allowSessionTicket === false) {
+            console.log(`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`);
+          }
         }
       }
 
@@ -1486,9 +1534,12 @@ export class PortProxy {
         );
       }
 
-      // Check if this connection should be forwarded directly to NetworkProxy based on port
+      // Check if this connection should be forwarded directly to NetworkProxy
-      const shouldUseNetworkProxy = this.settings.useNetworkProxy && 
+      // First check port-based forwarding settings
-                                    this.settings.useNetworkProxy.includes(localPort);
+      let shouldUseNetworkProxy = this.settings.useNetworkProxy && 
+                                 this.settings.useNetworkProxy.includes(localPort);
+      
+      // We'll look for domain-specific settings after SNI extraction
 
       if (shouldUseNetworkProxy) {
         // For NetworkProxy ports, we want to capture the TLS handshake and forward directly
@@ -1526,12 +1577,118 @@ export class PortProxy {
 
           initialDataReceived = true;
           connectionRecord.hasReceivedInitialData = true;
+          
+          // Block non-TLS connections on port 443
+          // Always enforce TLS on standard HTTPS port
+          if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
+            console.log(
+              `[${connectionId}] Non-TLS connection detected on port 443. ` +
+              `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+            );
+            if (connectionRecord.incomingTerminationReason === null) {
+              connectionRecord.incomingTerminationReason = 'non_tls_blocked';
+              this.incrementTerminationStat('incoming', 'non_tls_blocked');
+            }
+            socket.end();
+            this.cleanupConnection(connectionRecord, 'non_tls_blocked');
+            return;
+          }
 
           // Check if this looks like a TLS handshake
           if (SniHandler.isTlsHandshake(chunk)) {
             connectionRecord.isTLS = true;
             
-            // Forward directly to NetworkProxy without SNI processing
+            // Check for TLS ClientHello with either no SNI or session tickets
+            if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
+              // Extract SNI first
+              const extractedSNI = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging);
+              const hasSNI = !!extractedSNI;
+              
+              // Analyze for session resumption attempt
+              const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
+              
+              // Always log for debugging purposes
+              console.log(
+                `[${connectionId}] TLS ClientHello detected with allowSessionTicket=false. ` +
+                `Has SNI: ${hasSNI ? 'Yes' : 'No'}, ` +
+                `SNI value: ${extractedSNI || 'None'}, ` +
+                `Has session resumption: ${resumptionInfo.isResumption ? 'Yes' : 'No'}`
+              );
+              
+              // Block if this is a connection with session resumption but no SNI
+              if (resumptionInfo.isResumption && !hasSNI) {
+                console.log(
+                  `[${connectionId}] Session resumption detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
+                  `Terminating connection to force new TLS handshake.`
+                );
+                if (connectionRecord.incomingTerminationReason === null) {
+                  connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
+                  this.incrementTerminationStat('incoming', 'session_ticket_blocked');
+                }
+                socket.end();
+                this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
+                return;
+              }
+              
+              // Also block if this is a TLS connection without SNI when allowSessionTicket is false
+              // This forces clients to send SNI which helps with routing
+              if (!hasSNI && localPort === 443) {
+                console.log(
+                  `[${connectionId}] TLS ClientHello detected on port 443 without SNI and allowSessionTicket=false. ` +
+                  `Terminating connection to force proper SNI in handshake.`
+                );
+                if (connectionRecord.incomingTerminationReason === null) {
+                  connectionRecord.incomingTerminationReason = 'no_sni_blocked';
+                  this.incrementTerminationStat('incoming', 'no_sni_blocked');
+                }
+                socket.end();
+                this.cleanupConnection(connectionRecord, 'no_sni_blocked');
+                return;
+              }
+            }
+            
+            // Try to extract SNI for domain-specific NetworkProxy handling
+            const connInfo = {
+              sourceIp: remoteIP,
+              sourcePort: socket.remotePort || 0,
+              destIp: socket.localAddress || '',
+              destPort: socket.localPort || 0
+            };
+            
+            // Extract SNI to check for domain-specific NetworkProxy settings
+            const serverName = SniHandler.processTlsPacket(
+              chunk, 
+              connInfo,
+              this.settings.enableTlsDebugLogging
+            );
+            
+            if (serverName) {
+              // If we got an SNI, check for domain-specific NetworkProxy settings
+              const domainConfig = this.settings.domainConfigs.find((config) =>
+                config.domains.some((d) => plugins.minimatch(serverName, d))
+              );
+              
+              // Save domain config and SNI in connection record
+              connectionRecord.domainConfig = domainConfig;
+              connectionRecord.lockedDomain = serverName;
+              
+              // Use domain-specific NetworkProxy port if configured
+              if (domainConfig?.useNetworkProxy) {
+                const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
+                
+                if (this.settings.enableDetailedLogging) {
+                  console.log(
+                    `[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}`
+                  );
+                }
+                
+                // Forward to NetworkProxy with domain-specific port
+                this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk, networkProxyPort);
+                return;
+              }
+            }
+            
+            // Forward directly to NetworkProxy without domain-specific settings
             this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk);
           } else {
             // If not TLS, use normal direct connection
@@ -1657,6 +1814,29 @@ export class PortProxy {
 
           // Save domain config in connection record
           connectionRecord.domainConfig = domainConfig;
+          
+          // Check if this domain should use NetworkProxy (domain-specific setting)
+          if (domainConfig?.useNetworkProxy && this.networkProxy) {
+            if (this.settings.enableDetailedLogging) {
+              console.log(
+                `[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`
+              );
+            }
+            
+            const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
+            
+            if (initialChunk && connectionRecord.isTLS) {
+              // For TLS connections with initial chunk, forward to NetworkProxy
+              this.forwardToNetworkProxy(
+                connectionId, 
+                socket, 
+                connectionRecord, 
+                initialChunk,
+                networkProxyPort // Pass the domain-specific NetworkProxy port if configured
+              );
+              return; // Skip normal connection setup
+            }
+          }
 
           // IP validation is skipped if allowedIPs is empty
           if (domainConfig) {
@@ -1800,6 +1980,22 @@ export class PortProxy {
             }
 
             initialDataReceived = true;
+            
+            // Block non-TLS connections on port 443
+            // Always enforce TLS on standard HTTPS port
+            if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
+              console.log(
+                `[${connectionId}] Non-TLS connection detected on port 443 in SNI handler. ` +
+                `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+              );
+              if (connectionRecord.incomingTerminationReason === null) {
+                connectionRecord.incomingTerminationReason = 'non_tls_blocked';
+                this.incrementTerminationStat('incoming', 'non_tls_blocked');
+              }
+              socket.end();
+              this.cleanupConnection(connectionRecord, 'non_tls_blocked');
+              return;
+            }
 
             // Try to extract SNI
             let serverName = '';
@@ -1812,6 +2008,46 @@ export class PortProxy {
                   `[${connectionId}] Extracting SNI from TLS handshake, ${chunk.length} bytes`
                 );
               }
+              
+              // Check for session tickets if allowSessionTicket is disabled
+              if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
+                // Analyze for session resumption attempt
+                const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
+                
+                if (resumptionInfo.isResumption) {
+                  // Always log resumption attempt for easier debugging
+                  // Try to extract SNI for logging
+                  const extractedSNI = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging);
+                  console.log(
+                    `[${connectionId}] Session resumption detected in SNI handler. ` +
+                    `Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
+                    `SNI value: ${extractedSNI || 'None'}, ` +
+                    `allowSessionTicket: ${this.settings.allowSessionTicket}`
+                  );
+                  
+                  // Block if there's session resumption without SNI
+                  if (!resumptionInfo.hasSNI) {
+                    console.log(
+                      `[${connectionId}] Session resumption detected in SNI handler without SNI and allowSessionTicket=false. ` +
+                      `Terminating connection to force new TLS handshake.`
+                    );
+                    if (connectionRecord.incomingTerminationReason === null) {
+                      connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
+                      this.incrementTerminationStat('incoming', 'session_ticket_blocked');
+                    }
+                    socket.end();
+                    this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
+                    return;
+                  } else {
+                    if (this.settings.enableDetailedLogging) {
+                      console.log(
+                        `[${connectionId}] Session resumption with SNI detected in SNI handler. ` +
+                        `Allowing connection since SNI is present.`
+                      );
+                    }
+                  }
+                }
+              }
 
               // Create connection info object for SNI extraction
               const connInfo = {