3.4.3

changelog.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## 2025-02-21 - 3.4.3 - fix(PortProxy)
+Fixed indentation issue and ensured proper cleanup of sockets in PortProxy
+
+- Fixed inconsistent indentation in IP allowance check.
+- Ensured proper cleanup of sockets on connection end in PortProxy.
+
+## 2025-02-21 - 3.4.2 - fix(smartproxy)
+Enhance SSL/TLS handling with SNI and error logging
+
+- Improved handling for SNI-enabled and non-SNI connections
+- Added detailed logging for connection establishment and rejections
+- Introduced error logging for TLS client errors and server errors
+
+## 2025-02-21 - 3.4.1 - fix(PortProxy)
+Normalize IP addresses for port proxy to handle IPv4-mapped IPv6 addresses.
+
+- Improved IP normalization logic in PortProxy to support IPv4-mapped IPv6 addresses.
+- Updated isAllowed function to expand patterns for better matching accuracy.
+
 ## 2025-02-21 - 3.4.0 - feat(PortProxy)
 Enhanced PortProxy with custom target host and improved testing
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.4.0",
+  "version": "3.4.3",
   "private": false,
   "description": "a proxy for handling high workloads of proxying",
   "main": "dist_ts/index.js",

test/test.portproxy.ts

@@ -64,7 +64,7 @@ tap.test('setup port proxy test environment', async () => {
     toHost: 'localhost',
     domains: [],
     sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+    defaultAllowedIPs: ['127.0.0.1']
   });
 });
 
@@ -86,7 +86,7 @@ tap.test('should forward TCP connections to custom host', async () => {
     toHost: '127.0.0.1',
     domains: [],
     sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+    defaultAllowedIPs: ['127.0.0.1']
   });
   
   await customHostProxy.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.4.0',
+  version: '3.4.3',
   description: 'a proxy for handling high workloads of proxying'
 }

ts/smartproxy.portproxy.ts

@@ -40,8 +40,26 @@ export class PortProxy {
       from.destroy();
       to.destroy();
     };
+    const normalizeIP = (ip: string): string[] => {
+      // Handle IPv4-mapped IPv6 addresses
+      if (ip.startsWith('::ffff:')) {
+        const ipv4 = ip.slice(7); // Remove '::ffff:' prefix
+        return [ip, ipv4];
+      }
+      // Handle IPv4 addresses by adding IPv4-mapped IPv6 variant
+      if (ip.match(/^\d{1,3}(\.\d{1,3}){3}$/)) {
+        return [ip, `::ffff:${ip}`];
+      }
+      return [ip];
+    };
+
     const isAllowed = (value: string, patterns: string[]): boolean => {
-      return patterns.some(pattern => plugins.minimatch(value, pattern));
+      // Expand patterns to include both IPv4 and IPv6 variants
+      const expandedPatterns = patterns.flatMap(normalizeIP);
+      // Check if any variant of the IP matches any expanded pattern
+      return normalizeIP(value).some(ip => 
+        expandedPatterns.some(pattern => plugins.minimatch(ip, pattern))
+      );
     };
 
     const findMatchingDomain = (serverName: string): DomainConfig | undefined => {
@@ -49,70 +67,102 @@ export class PortProxy {
     };
 
     const server = this.settings.sniEnabled
-      ? plugins.tls.createServer(this.settings)
+      ? plugins.tls.createServer({
+          ...this.settings,
+          SNICallback: (serverName: string, cb: (err: Error | null, ctx?: plugins.tls.SecureContext) => void) => {
+            console.log(`SNI request for domain: ${serverName}`);
+            const domainConfig = findMatchingDomain(serverName);
+            if (!domainConfig) {
+              console.log(`SNI rejected: No matching domain config for ${serverName}`);
+              cb(new Error(`No configuration for domain: ${serverName}`));
+              return;
+            }
+            // Create context with the provided TLS settings
+            const ctx = plugins.tls.createSecureContext(this.settings);
+            cb(null, ctx);
+          }
+        })
       : plugins.net.createServer();
     
-    this.netServer = server.on('connection', (from: plugins.net.Socket) => {
+    const handleConnection = (from: plugins.net.Socket | plugins.tls.TLSSocket) => {
       const remoteIP = from.remoteAddress || '';
-        if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
-          const serverName = (from as any).servername || '';
-          const domainConfig = findMatchingDomain(serverName);
+      let serverName = '';
 
-          if (!domainConfig) {
-            // If no matching domain config found, check default IPs if available
-            if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-              console.log(`Connection rejected: No matching domain config for ${serverName} from IP ${remoteIP}`);
-              from.end();
-              return;
-            }
-          } else {
-            // Check if IP is allowed for this domain
-            if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
-              console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
-              from.end();
-              return;
-            }
+      if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
+        serverName = (from as any).servername || '';
+        console.log(`TLS Connection from ${remoteIP} for domain: ${serverName}`);
+      }
+
+      // For TLS connections, we've already validated the domain in SNICallback
+      if (!this.settings.sniEnabled || from instanceof plugins.tls.TLSSocket) {
+        const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
+
+        if (!domainConfig) {
+          // If no matching domain config found, check default IPs if available
+          if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+            console.log(`Connection rejected: No matching domain config for ${serverName || 'non-SNI'} from IP ${remoteIP}`);
+            from.end();
+            return;
+          }
+        } else {
+          // Check if IP is allowed for this domain
+          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
+            console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
+            from.end();
+            return;
           }
-        } else if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-          console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
-          from.end();
-          return;
         }
+      } else if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+        console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
+        from.end();
+        return;
+      }
 
-        const to = plugins.net.createConnection({
-          host: this.settings.toHost!,
-          port: this.settings.toPort,
-        });
-        from.setTimeout(120000);
-        from.pipe(to);
-        to.pipe(from);
-        from.on('error', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('error', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('close', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('close', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('timeout', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('timeout', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('end', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('end', () => {
-          cleanUpSockets(from, to);
-        });
+      const to = plugins.net.createConnection({
+        host: this.settings.toHost!,
+        port: this.settings.toPort,
+      });
+      console.log(`Connection established: ${remoteIP} -> ${this.settings.toHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
+      from.setTimeout(120000);
+      from.pipe(to);
+      to.pipe(from);
+      from.on('error', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('error', () => {
+        cleanUpSockets(from, to);
+      });
+      from.on('close', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('close', () => {
+        cleanUpSockets(from, to);
+      });
+      from.on('timeout', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('timeout', () => {
+        cleanUpSockets(from, to);
+      });
+      from.on('end', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('end', () => {
+        cleanUpSockets(from, to);
+      });
+    };
+
+    this.netServer = server
+      .on('connection', handleConnection)
+      .on('secureConnection', handleConnection)
+      .on('tlsClientError', (err, tlsSocket) => {
+        console.log(`TLS Client Error: ${err.message}`);
+      })
+      .on('error', (err) => {
+        console.log(`Server Error: ${err.message}`);
       })
       .listen(this.settings.fromPort);
-    console.log(`PortProxy -> OK: Now listening on port ${this.settings.fromPort}`);
+    console.log(`PortProxy -> OK: Now listening on port ${this.settings.fromPort}${this.settings.sniEnabled ? ' (SNI enabled)' : ''}`);
   }
 
   public async stop() {