3.4.4

changelog.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## 2025-02-21 - 3.4.4 - fix(PortProxy)
+Fixed handling of SNI domain connections and IP allowance checks
+
+- Improved logic for handling SNI domain checks, ensuring IPs are correctly verified.
+- Fixed issue where default allowed IPs were not being checked correctly for non-SNI connections.
+- Revised the SNICallback behavior to handle connections more gracefully when domain configurations are unavailable.
+
+## 2025-02-21 - 3.4.3 - fix(PortProxy)
+Fixed indentation issue and ensured proper cleanup of sockets in PortProxy
+
+- Fixed inconsistent indentation in IP allowance check.
+- Ensured proper cleanup of sockets on connection end in PortProxy.
+
+## 2025-02-21 - 3.4.2 - fix(smartproxy)
+Enhance SSL/TLS handling with SNI and error logging
+
+- Improved handling for SNI-enabled and non-SNI connections
+- Added detailed logging for connection establishment and rejections
+- Introduced error logging for TLS client errors and server errors
+
 ## 2025-02-21 - 3.4.1 - fix(PortProxy)
 Normalize IP addresses for port proxy to handle IPv4-mapped IPv6 addresses.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.4.1",
+  "version": "3.4.4",
   "private": false,
   "description": "a proxy for handling high workloads of proxying",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.4.1',
+  version: '3.4.4',
   description: 'a proxy for handling high workloads of proxying'
 }

ts/smartproxy.portproxy.ts

@@ -67,71 +67,102 @@ export class PortProxy {
     };
 
     const server = this.settings.sniEnabled
-      ? plugins.tls.createServer(this.settings)
+      ? plugins.tls.createServer({
+          ...this.settings,
+          SNICallback: (serverName: string, cb: (err: Error | null, ctx?: plugins.tls.SecureContext) => void) => {
+            console.log(`SNI request for domain: ${serverName}`);
+            const domainConfig = findMatchingDomain(serverName);
+            if (!domainConfig) {
+              // Always allow SNI for default IPs, even if domain doesn't match
+              console.log(`SNI domain ${serverName} not found, will check IP during connection`);
+            }
+            // Create context with the provided TLS settings
+            const ctx = plugins.tls.createSecureContext(this.settings);
+            cb(null, ctx);
+          }
+        })
       : plugins.net.createServer();
     
-    this.netServer = server.on('connection', (from: plugins.net.Socket) => {
+    const handleConnection = (from: plugins.net.Socket | plugins.tls.TLSSocket) => {
       const remoteIP = from.remoteAddress || '';
-        if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
-          const serverName = (from as any).servername || '';
-          const domainConfig = findMatchingDomain(serverName);
+      let serverName = '';
 
-          if (!domainConfig) {
-            // If no matching domain config found, check default IPs if available
-            if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-              console.log(`Connection rejected: No matching domain config for ${serverName} from IP ${remoteIP}`);
-              from.end();
-              return;
-            }
-          } else {
-            // Check if IP is allowed for this domain
-            if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
-              console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
-              from.end();
-              return;
-            }
-          }
-        } else if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-          console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
+      // First check if this IP is in the default allowed list
+      const isDefaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
+
+      if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
+        serverName = (from as any).servername || '';
+        console.log(`TLS Connection from ${remoteIP} for domain: ${serverName}`);
+      }
+
+      // If IP is in defaultAllowedIPs, allow the connection regardless of SNI
+      if (isDefaultAllowed) {
+        console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
+      } else if (this.settings.sniEnabled && serverName) {
+        // For SNI connections that aren't in default list, check domain-specific rules
+        const domainConfig = findMatchingDomain(serverName);
+        if (!domainConfig) {
+          console.log(`Connection rejected: No matching domain config for ${serverName} from IP ${remoteIP}`);
           from.end();
           return;
         }
+        if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
+          console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
+          from.end();
+          return;
+        }
+      } else {
+        // Non-SNI connection and not in default list
+        console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
+        from.end();
+        return;
+      }
 
-        const to = plugins.net.createConnection({
-          host: this.settings.toHost!,
-          port: this.settings.toPort,
-        });
-        console.log(`Connection established: ${remoteIP} -> ${this.settings.toHost}:${this.settings.toPort}${this.settings.sniEnabled ? ` (SNI: ${(from as any).servername || 'none'})` : ''}`);
-        from.setTimeout(120000);
-        from.pipe(to);
-        to.pipe(from);
-        from.on('error', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('error', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('close', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('close', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('timeout', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('timeout', () => {
-          cleanUpSockets(from, to);
-        });
-        from.on('end', () => {
-          cleanUpSockets(from, to);
-        });
-        to.on('end', () => {
-          cleanUpSockets(from, to);
-        });
+      const to = plugins.net.createConnection({
+        host: this.settings.toHost!,
+        port: this.settings.toPort,
+      });
+      console.log(`Connection established: ${remoteIP} -> ${this.settings.toHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
+      from.setTimeout(120000);
+      from.pipe(to);
+      to.pipe(from);
+      from.on('error', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('error', () => {
+        cleanUpSockets(from, to);
+      });
+      from.on('close', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('close', () => {
+        cleanUpSockets(from, to);
+      });
+      from.on('timeout', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('timeout', () => {
+        cleanUpSockets(from, to);
+      });
+      from.on('end', () => {
+        cleanUpSockets(from, to);
+      });
+      to.on('end', () => {
+        cleanUpSockets(from, to);
+      });
+    };
+
+    this.netServer = server
+      .on('connection', handleConnection)
+      .on('secureConnection', handleConnection)
+      .on('tlsClientError', (err, tlsSocket) => {
+        console.log(`TLS Client Error: ${err.message}`);
+      })
+      .on('error', (err) => {
+        console.log(`Server Error: ${err.message}`);
       })
       .listen(this.settings.fromPort);
-    console.log(`PortProxy -> OK: Now listening on port ${this.settings.fromPort}`);
+    console.log(`PortProxy -> OK: Now listening on port ${this.settings.fromPort}${this.settings.sniEnabled ? ' (SNI enabled)' : ''}`);
   }
 
   public async stop() {