3.4.4

fix(PortProxy): Fixed handling of SNI domain connections and IP allowance checks
3.4.3
2025-02-21 18:54:40 +00:00 · 2025-02-21 18:54:40 +00:00 · 2025-02-21 18:48:39 +00:00 · 2025-02-21 18:48:39 +00:00
4 changed files with 40 additions and 25 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,18 @@
 # Changelog

+## 2025-02-21 - 3.4.4 - fix(PortProxy)
+Fixed handling of SNI domain connections and IP allowance checks
+
+- Improved logic for handling SNI domain checks, ensuring IPs are correctly verified.
+- Fixed issue where default allowed IPs were not being checked correctly for non-SNI connections.
+- Revised the SNICallback behavior to handle connections more gracefully when domain configurations are unavailable.
+
+## 2025-02-21 - 3.4.3 - fix(PortProxy)
+Fixed indentation issue and ensured proper cleanup of sockets in PortProxy
+
+- Fixed inconsistent indentation in IP allowance check.
+- Ensured proper cleanup of sockets on connection end in PortProxy.
+
 ## 2025-02-21 - 3.4.2 - fix(smartproxy)
 Enhance SSL/TLS handling with SNI and error logging

--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "3.4.2",
+  "version": "3.4.4",
  "private": false,
  "description": "a proxy for handling high workloads of proxying",
  "main": "dist_ts/index.js",
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '3.4.2',
+  version: '3.4.4',
  description: 'a proxy for handling high workloads of proxying'
 }
--- a/ts/smartproxy.portproxy.ts
+++ b/ts/smartproxy.portproxy.ts
@ -73,9 +73,8 @@ export class PortProxy {
            console.log(`SNI request for domain: ${serverName}`);
            const domainConfig = findMatchingDomain(serverName);
            if (!domainConfig) {
-              console.log(`SNI rejected: No matching domain config for ${serverName}`);
-              cb(new Error(`No configuration for domain: ${serverName}`));
-              return;
+              // Always allow SNI for default IPs, even if domain doesn't match
+              console.log(`SNI domain ${serverName} not found, will check IP during connection`);
            }
            // Create context with the provided TLS settings
            const ctx = plugins.tls.createSecureContext(this.settings);
@ -88,35 +87,36 @@ export class PortProxy {
      const remoteIP = from.remoteAddress || '';
      let serverName = '';

+      // First check if this IP is in the default allowed list
+      const isDefaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
+
      if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
        serverName = (from as any).servername || '';
        console.log(`TLS Connection from ${remoteIP} for domain: ${serverName}`);
      }

-      // For TLS connections, we've already validated the domain in SNICallback
-      if (!this.settings.sniEnabled || from instanceof plugins.tls.TLSSocket) {
-        const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
-
+      // If IP is in defaultAllowedIPs, allow the connection regardless of SNI
+      if (isDefaultAllowed) {
+        console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
+      } else if (this.settings.sniEnabled && serverName) {
+        // For SNI connections that aren't in default list, check domain-specific rules
+        const domainConfig = findMatchingDomain(serverName);
        if (!domainConfig) {
-          // If no matching domain config found, check default IPs if available
-          if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-            console.log(`Connection rejected: No matching domain config for ${serverName || 'non-SNI'} from IP ${remoteIP}`);
-            from.end();
-            return;
-          }
-        } else {
-          // Check if IP is allowed for this domain
-          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
-            console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
-            from.end();
-            return;
-          }
-        }
-      } else if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-          console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
+          console.log(`Connection rejected: No matching domain config for ${serverName} from IP ${remoteIP}`);
          from.end();
          return;
        }
+        if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
+          console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
+          from.end();
+          return;
+        }
+      } else {
+        // Non-SNI connection and not in default list
+        console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
+        from.end();
+        return;
+      }

      const to = plugins.net.createConnection({
        host: this.settings.toHost!,
@ -150,6 +150,8 @@ export class PortProxy {
      to.on('end', () => {
        cleanUpSockets(from, to);
      });
+    };
+
    this.netServer = server
      .on('connection', handleConnection)
      .on('secureConnection', handleConnection)
Author	SHA1	Message	Date
Philipp Kunz	9be9a426ad	3.4.4	2025-02-21 18:54:40 +00:00
Philipp Kunz	32d875aed9	fix(PortProxy): Fixed handling of SNI domain connections and IP allowance checks	2025-02-21 18:54:40 +00:00
Philipp Kunz	4747462cff	3.4.3	2025-02-21 18:48:39 +00:00
Philipp Kunz	70f69ef1ea	fix(PortProxy): Fixed indentation issue and ensured proper cleanup of sockets in PortProxy	2025-02-21 18:48:39 +00:00