3.4.2

fix(smartproxy): Enhance SSL/TLS handling with SNI and error logging
2025-02-21 18:47:18 +00:00 · 2025-02-21 18:47:18 +00:00
4 changed files with 91 additions and 55 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,12 @@
 # Changelog

+## 2025-02-21 - 3.4.2 - fix(smartproxy)
+Enhance SSL/TLS handling with SNI and error logging
+
+- Improved handling for SNI-enabled and non-SNI connections
+- Added detailed logging for connection establishment and rejections
+- Introduced error logging for TLS client errors and server errors
+
 ## 2025-02-21 - 3.4.1 - fix(PortProxy)
 Normalize IP addresses for port proxy to handle IPv4-mapped IPv6 addresses.

--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "3.4.1",
+  "version": "3.4.2",
  "private": false,
  "description": "a proxy for handling high workloads of proxying",
  "main": "dist_ts/index.js",
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '3.4.1',
+  version: '3.4.2',
  description: 'a proxy for handling high workloads of proxying'
 }
--- a/ts/smartproxy.portproxy.ts
+++ b/ts/smartproxy.portproxy.ts
@ -67,71 +67,100 @@ export class PortProxy {
    };

    const server = this.settings.sniEnabled
-      ? plugins.tls.createServer(this.settings)
+      ? plugins.tls.createServer({
+          ...this.settings,
+          SNICallback: (serverName: string, cb: (err: Error | null, ctx?: plugins.tls.SecureContext) => void) => {
+            console.log(`SNI request for domain: ${serverName}`);
+            const domainConfig = findMatchingDomain(serverName);
+            if (!domainConfig) {
+              console.log(`SNI rejected: No matching domain config for ${serverName}`);
+              cb(new Error(`No configuration for domain: ${serverName}`));
+              return;
+            }
+            // Create context with the provided TLS settings
+            const ctx = plugins.tls.createSecureContext(this.settings);
+            cb(null, ctx);
+          }
+        })
      : plugins.net.createServer();
    
-    this.netServer = server.on('connection', (from: plugins.net.Socket) => {
+    const handleConnection = (from: plugins.net.Socket | plugins.tls.TLSSocket) => {
      const remoteIP = from.remoteAddress || '';
-        if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
-          const serverName = (from as any).servername || '';
-          const domainConfig = findMatchingDomain(serverName);
+      let serverName = '';

-          if (!domainConfig) {
-            // If no matching domain config found, check default IPs if available
-            if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-              console.log(`Connection rejected: No matching domain config for ${serverName} from IP ${remoteIP}`);
-              from.end();
-              return;
-            }
-          } else {
-            // Check if IP is allowed for this domain
-            if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
-              console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
-              from.end();
-              return;
-            }
+      if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
+        serverName = (from as any).servername || '';
+        console.log(`TLS Connection from ${remoteIP} for domain: ${serverName}`);
+      }
+
+      // For TLS connections, we've already validated the domain in SNICallback
+      if (!this.settings.sniEnabled || from instanceof plugins.tls.TLSSocket) {
+        const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
+
+        if (!domainConfig) {
+          // If no matching domain config found, check default IPs if available
+          if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+            console.log(`Connection rejected: No matching domain config for ${serverName || 'non-SNI'} from IP ${remoteIP}`);
+            from.end();
+            return;
          }
-        } else if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
+        } else {
+          // Check if IP is allowed for this domain
+          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
+            console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
+            from.end();
+            return;
+          }
+        }
+      } else if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
          console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
          from.end();
          return;
        }

-        const to = plugins.net.createConnection({
-          host: this.settings.toHost!,
-          port: this.settings.toPort,
-        });
-        console.log(`Connection established: ${remoteIP} -> ${this.settings.toHost}:${this.settings.toPort}${this.settings.sniEnabled ? ` (SNI: ${(from as any).servername || 'none'})` : ''}`);
-        from.setTimeout(120000);
-        from.pipe(to);
-        to.pipe(from);
-        from.on('error', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('error', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('close', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('close', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('timeout', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('timeout', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('end', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('end', () => {
-          cleanUpSockets(from, to);
-        });
+      const to = plugins.net.createConnection({
+        host: this.settings.toHost!,
+        port: this.settings.toPort,
+      });
+      console.log(`Connection established: ${remoteIP} -> ${this.settings.toHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
+      from.setTimeout(120000);
+      from.pipe(to);
+      to.pipe(from);
+      from.on('error', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('error', () => {
+        cleanUpSockets(from, to);
+      });
+      from.on('close', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('close', () => {
+        cleanUpSockets(from, to);
+      });
+      from.on('timeout', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('timeout', () => {
+        cleanUpSockets(from, to);
+      });
+      from.on('end', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('end', () => {
+        cleanUpSockets(from, to);
+      });
+    this.netServer = server
+      .on('connection', handleConnection)
+      .on('secureConnection', handleConnection)
+      .on('tlsClientError', (err, tlsSocket) => {
+        console.log(`TLS Client Error: ${err.message}`);
+      })
+      .on('error', (err) => {
+        console.log(`Server Error: ${err.message}`);
      })
      .listen(this.settings.fromPort);
-    console.log(`PortProxy -> OK: Now listening on port ${this.settings.fromPort}`);
+    console.log(`PortProxy -> OK: Now listening on port ${this.settings.fromPort}${this.settings.sniEnabled ? ' (SNI enabled)' : ''}`);
  }

  public async stop() {
Author	SHA1	Message	Date
Philipp Kunz	2be1c57dd7	3.4.2	2025-02-21 18:47:18 +00:00
Philipp Kunz	58bd6b4a85	fix(smartproxy): Enhance SSL/TLS handling with SNI and error logging	2025-02-21 18:47:18 +00:00