3.4.2

fix(smartproxy): Enhance SSL/TLS handling with SNI and error logging
3.4.1
2025-02-21 18:47:18 +00:00 · 2025-02-21 18:47:18 +00:00 · 2025-02-21 18:43:08 +00:00 · 2025-02-21 18:43:08 +00:00
5 changed files with 118 additions and 57 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,18 @@
 # Changelog

+## 2025-02-21 - 3.4.2 - fix(smartproxy)
+Enhance SSL/TLS handling with SNI and error logging
+
+- Improved handling for SNI-enabled and non-SNI connections
+- Added detailed logging for connection establishment and rejections
+- Introduced error logging for TLS client errors and server errors
+
+## 2025-02-21 - 3.4.1 - fix(PortProxy)
+Normalize IP addresses for port proxy to handle IPv4-mapped IPv6 addresses.
+
+- Improved IP normalization logic in PortProxy to support IPv4-mapped IPv6 addresses.
+- Updated isAllowed function to expand patterns for better matching accuracy.
+
 ## 2025-02-21 - 3.4.0 - feat(PortProxy)
 Enhanced PortProxy with custom target host and improved testing

--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "3.4.0",
+  "version": "3.4.2",
  "private": false,
  "description": "a proxy for handling high workloads of proxying",
  "main": "dist_ts/index.js",
--- a/test/test.portproxy.ts
+++ b/test/test.portproxy.ts
@ -64,7 +64,7 @@ tap.test('setup port proxy test environment', async () => {
    toHost: 'localhost',
    domains: [],
    sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+    defaultAllowedIPs: ['127.0.0.1']
  });
 });

@ -86,7 +86,7 @@ tap.test('should forward TCP connections to custom host', async () => {
    toHost: '127.0.0.1',
    domains: [],
    sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+    defaultAllowedIPs: ['127.0.0.1']
  });
  
  await customHostProxy.start();
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '3.4.0',
+  version: '3.4.2',
  description: 'a proxy for handling high workloads of proxying'
 }
--- a/ts/smartproxy.portproxy.ts
+++ b/ts/smartproxy.portproxy.ts
@ -40,8 +40,26 @@ export class PortProxy {
      from.destroy();
      to.destroy();
    };
+    const normalizeIP = (ip: string): string[] => {
+      // Handle IPv4-mapped IPv6 addresses
+      if (ip.startsWith('::ffff:')) {
+        const ipv4 = ip.slice(7); // Remove '::ffff:' prefix
+        return [ip, ipv4];
+      }
+      // Handle IPv4 addresses by adding IPv4-mapped IPv6 variant
+      if (ip.match(/^\d{1,3}(\.\d{1,3}){3}$/)) {
+        return [ip, `::ffff:${ip}`];
+      }
+      return [ip];
+    };
+
    const isAllowed = (value: string, patterns: string[]): boolean => {
-      return patterns.some(pattern => plugins.minimatch(value, pattern));
+      // Expand patterns to include both IPv4 and IPv6 variants
+      const expandedPatterns = patterns.flatMap(normalizeIP);
+      // Check if any variant of the IP matches any expanded pattern
+      return normalizeIP(value).some(ip => 
+        expandedPatterns.some(pattern => plugins.minimatch(ip, pattern))
+      );
    };

    const findMatchingDomain = (serverName: string): DomainConfig | undefined => {
@ -49,70 +67,100 @@ export class PortProxy {
    };

    const server = this.settings.sniEnabled
-      ? plugins.tls.createServer(this.settings)
+      ? plugins.tls.createServer({
+          ...this.settings,
+          SNICallback: (serverName: string, cb: (err: Error | null, ctx?: plugins.tls.SecureContext) => void) => {
+            console.log(`SNI request for domain: ${serverName}`);
+            const domainConfig = findMatchingDomain(serverName);
+            if (!domainConfig) {
+              console.log(`SNI rejected: No matching domain config for ${serverName}`);
+              cb(new Error(`No configuration for domain: ${serverName}`));
+              return;
+            }
+            // Create context with the provided TLS settings
+            const ctx = plugins.tls.createSecureContext(this.settings);
+            cb(null, ctx);
+          }
+        })
      : plugins.net.createServer();
    
-    this.netServer = server.on('connection', (from: plugins.net.Socket) => {
+    const handleConnection = (from: plugins.net.Socket | plugins.tls.TLSSocket) => {
      const remoteIP = from.remoteAddress || '';
-        if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
-          const serverName = (from as any).servername || '';
-          const domainConfig = findMatchingDomain(serverName);
+      let serverName = '';

-          if (!domainConfig) {
-            // If no matching domain config found, check default IPs if available
-            if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-              console.log(`Connection rejected: No matching domain config for ${serverName} from IP ${remoteIP}`);
-              from.end();
-              return;
-            }
-          } else {
-            // Check if IP is allowed for this domain
-            if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
-              console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
-              from.end();
-              return;
-            }
+      if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
+        serverName = (from as any).servername || '';
+        console.log(`TLS Connection from ${remoteIP} for domain: ${serverName}`);
+      }
+
+      // For TLS connections, we've already validated the domain in SNICallback
+      if (!this.settings.sniEnabled || from instanceof plugins.tls.TLSSocket) {
+        const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
+
+        if (!domainConfig) {
+          // If no matching domain config found, check default IPs if available
+          if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+            console.log(`Connection rejected: No matching domain config for ${serverName || 'non-SNI'} from IP ${remoteIP}`);
+            from.end();
+            return;
          }
-        } else if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+        } else {
+          // Check if IP is allowed for this domain
+          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
+            console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
+            from.end();
+            return;
+          }
+        }
+      } else if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
          console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
          from.end();
          return;
        }

-        const to = plugins.net.createConnection({
-          host: this.settings.toHost!,
-          port: this.settings.toPort,
-        });
-        from.setTimeout(120000);
-        from.pipe(to);
-        to.pipe(from);
-        from.on('error', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('error', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('close', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('close', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('timeout', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('timeout', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('end', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('end', () => {
-          cleanUpSockets(from, to);
-        });
+      const to = plugins.net.createConnection({
+        host: this.settings.toHost!,
+        port: this.settings.toPort,
+      });
+      console.log(`Connection established: ${remoteIP} -> ${this.settings.toHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
+      from.setTimeout(120000);
+      from.pipe(to);
+      to.pipe(from);
+      from.on('error', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('error', () => {
+        cleanUpSockets(from, to);
+      });
+      from.on('close', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('close', () => {
+        cleanUpSockets(from, to);
+      });
+      from.on('timeout', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('timeout', () => {
+        cleanUpSockets(from, to);
+      });
+      from.on('end', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('end', () => {
+        cleanUpSockets(from, to);
+      });
+    this.netServer = server
+      .on('connection', handleConnection)
+      .on('secureConnection', handleConnection)
+      .on('tlsClientError', (err, tlsSocket) => {
+        console.log(`TLS Client Error: ${err.message}`);
+      })
+      .on('error', (err) => {
+        console.log(`Server Error: ${err.message}`);
      })
      .listen(this.settings.fromPort);
-    console.log(`PortProxy -> OK: Now listening on port ${this.settings.fromPort}`);
+    console.log(`PortProxy -> OK: Now listening on port ${this.settings.fromPort}${this.settings.sniEnabled ? ' (SNI enabled)' : ''}`);
  }

  public async stop() {
Author	SHA1	Message	Date
Philipp Kunz	2be1c57dd7	3.4.2	2025-02-21 18:47:18 +00:00
Philipp Kunz	58bd6b4a85	fix(smartproxy): Enhance SSL/TLS handling with SNI and error logging	2025-02-21 18:47:18 +00:00
Philipp Kunz	63e1cd48e8	3.4.1	2025-02-21 18:43:08 +00:00
Philipp Kunz	5150ddc18e	fix(PortProxy): Normalize IP addresses for port proxy to handle IPv4-mapped IPv6 addresses.	2025-02-21 18:43:08 +00:00