3.7.0

changelog.md

@@ -1,5 +1,37 @@
 # Changelog
 
+## 2025-02-21 - 3.7.0 - feat(PortProxy)
+Add optional source IP preservation support in PortProxy
+
+- Added a feature to optionally preserve the client's source IP when proxying connections.
+- Enhanced test cases to include scenarios for source IP preservation.
+
+## 2025-02-21 - 3.6.0 - feat(PortProxy)
+Add feature to preserve original client IP through chained proxies
+
+- Added support to bind local address in PortProxy to preserve original client IP.
+- Implemented test for chained proxies to ensure client IP is preserved.
+
+## 2025-02-21 - 3.5.0 - feat(PortProxy)
+Enhance PortProxy to support domain-specific target IPs
+
+- Introduced support for domain-specific target IP configurations in PortProxy.
+- Updated connection handling to prioritize domain-specific target IPs if provided.
+- Added tests to verify forwarding based on domain-specific target IPs.
+
+## 2025-02-21 - 3.4.4 - fix(PortProxy)
+Fixed handling of SNI domain connections and IP allowance checks
+
+- Improved logic for handling SNI domain checks, ensuring IPs are correctly verified.
+- Fixed issue where default allowed IPs were not being checked correctly for non-SNI connections.
+- Revised the SNICallback behavior to handle connections more gracefully when domain configurations are unavailable.
+
+## 2025-02-21 - 3.4.3 - fix(PortProxy)
+Fixed indentation issue and ensured proper cleanup of sockets in PortProxy
+
+- Fixed inconsistent indentation in IP allowance check.
+- Ensured proper cleanup of sockets on connection end in PortProxy.
+
 ## 2025-02-21 - 3.4.2 - fix(smartproxy)
 Enhance SSL/TLS handling with SNI and error logging
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.4.2",
+  "version": "3.7.0",
   "private": false,
   "description": "a proxy for handling high workloads of proxying",
   "main": "dist_ts/index.js",

test/test.portproxy.ts

@@ -95,6 +95,54 @@ tap.test('should forward TCP connections to custom host', async () => {
   await customHostProxy.stop();
 });
 
+tap.test('should forward connections based on domain-specific target IP', async () => {
+  // Create a second test server on a different port
+  const TEST_SERVER_PORT_2 = TEST_SERVER_PORT + 100;
+  const testServer2 = await createTestServer(TEST_SERVER_PORT_2);
+
+  // Create a proxy with domain-specific target IPs
+  const domainProxy = new PortProxy({
+    fromPort: PROXY_PORT + 2,
+    toPort: TEST_SERVER_PORT,  // default port
+    toHost: 'localhost',       // default host
+    domains: [{
+      domain: 'domain1.test',
+      allowedIPs: ['127.0.0.1'],
+      targetIP: '127.0.0.1'
+    }, {
+      domain: 'domain2.test',
+      allowedIPs: ['127.0.0.1'],
+      targetIP: 'localhost'
+    }],
+    sniEnabled: false, // We'll test without SNI first since this is a TCP proxy test
+    defaultAllowedIPs: ['127.0.0.1']
+  });
+
+  await domainProxy.start();
+
+  // Test default connection (should use default host)
+  const response1 = await createTestClient(PROXY_PORT + 2, TEST_DATA);
+  expect(response1).toEqual(`Echo: ${TEST_DATA}`);
+
+  // Create another proxy with different default host
+  const domainProxy2 = new PortProxy({
+    fromPort: PROXY_PORT + 3,
+    toPort: TEST_SERVER_PORT,
+    toHost: '127.0.0.1',
+    domains: [],
+    sniEnabled: false,
+    defaultAllowedIPs: ['127.0.0.1']
+  });
+
+  await domainProxy2.start();
+  const response2 = await createTestClient(PROXY_PORT + 3, TEST_DATA);
+  expect(response2).toEqual(`Echo: ${TEST_DATA}`);
+
+  await domainProxy.stop();
+  await domainProxy2.stop();
+  await new Promise<void>((resolve) => testServer2.close(() => resolve()));
+});
+
 tap.test('should handle multiple concurrent connections', async () => {
   const concurrentRequests = 5;
   const requests = Array(concurrentRequests).fill(null).map((_, i) => 
@@ -127,6 +175,68 @@ tap.test('should stop port proxy', async () => {
 });
 
 // Cleanup
+tap.test('should support optional source IP preservation in chained proxies', async () => {
+  // Test 1: Without IP preservation (default behavior)
+  const firstProxyDefault = new PortProxy({
+    fromPort: PROXY_PORT + 4,
+    toPort: PROXY_PORT + 5,
+    toHost: 'localhost',
+    domains: [],
+    sniEnabled: false,
+    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+  });
+
+  const secondProxyDefault = new PortProxy({
+    fromPort: PROXY_PORT + 5,
+    toPort: TEST_SERVER_PORT,
+    toHost: 'localhost',
+    domains: [],
+    sniEnabled: false,
+    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+  });
+
+  await secondProxyDefault.start();
+  await firstProxyDefault.start();
+
+  // This should work because we explicitly allow both IPv4 and IPv6 formats
+  const response1 = await createTestClient(PROXY_PORT + 4, TEST_DATA);
+  expect(response1).toEqual(`Echo: ${TEST_DATA}`);
+
+  await firstProxyDefault.stop();
+  await secondProxyDefault.stop();
+
+  // Test 2: With IP preservation
+  const firstProxyPreserved = new PortProxy({
+    fromPort: PROXY_PORT + 6,
+    toPort: PROXY_PORT + 7,
+    toHost: 'localhost',
+    domains: [],
+    sniEnabled: false,
+    defaultAllowedIPs: ['127.0.0.1'],
+    preserveSourceIP: true
+  });
+
+  const secondProxyPreserved = new PortProxy({
+    fromPort: PROXY_PORT + 7,
+    toPort: TEST_SERVER_PORT,
+    toHost: 'localhost',
+    domains: [],
+    sniEnabled: false,
+    defaultAllowedIPs: ['127.0.0.1'],
+    preserveSourceIP: true
+  });
+
+  await secondProxyPreserved.start();
+  await firstProxyPreserved.start();
+
+  // This should work with just IPv4 because source IP is preserved
+  const response2 = await createTestClient(PROXY_PORT + 6, TEST_DATA);
+  expect(response2).toEqual(`Echo: ${TEST_DATA}`);
+
+  await firstProxyPreserved.stop();
+  await secondProxyPreserved.stop();
+});
+
 tap.test('cleanup port proxy test environment', async () => {
   await new Promise<void>((resolve) => testServer.close(() => resolve()));
 });

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.4.2',
+  version: '3.7.0',
   description: 'a proxy for handling high workloads of proxying'
 }

ts/smartproxy.portproxy.ts

@@ -4,6 +4,7 @@ import * as plugins from './smartproxy.plugins.js';
 export interface DomainConfig {
   domain: string;  // glob pattern for domain
   allowedIPs: string[];  // glob patterns for IPs allowed to access this domain
+  targetIP?: string;  // Optional target IP for this domain
 }
 
 export interface ProxySettings extends plugins.tls.TlsOptions {
@@ -16,6 +17,7 @@ export interface ProxySettings extends plugins.tls.TlsOptions {
   domains: DomainConfig[];
   sniEnabled?: boolean;
   defaultAllowedIPs?: string[];  // Optional default IP patterns if no matching domain found
+  preserveSourceIP?: boolean;    // Whether to preserve the client's source IP when proxying
 }
 
 export class PortProxy {
@@ -73,9 +75,8 @@ export class PortProxy {
             console.log(`SNI request for domain: ${serverName}`);
             const domainConfig = findMatchingDomain(serverName);
             if (!domainConfig) {
-              console.log(`SNI rejected: No matching domain config for ${serverName}`);
+              // Always allow SNI for default IPs, even if domain doesn't match
-              cb(new Error(`No configuration for domain: ${serverName}`));
+              console.log(`SNI domain ${serverName} not found, will check IP during connection`);
-              return;
             }
             // Create context with the provided TLS settings
             const ctx = plugins.tls.createSecureContext(this.settings);
@@ -88,41 +89,54 @@ export class PortProxy {
       const remoteIP = from.remoteAddress || '';
       let serverName = '';
 
+      // First check if this IP is in the default allowed list
+      const isDefaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
+
       if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
         serverName = (from as any).servername || '';
         console.log(`TLS Connection from ${remoteIP} for domain: ${serverName}`);
       }
 
-      // For TLS connections, we've already validated the domain in SNICallback
+      // If IP is in defaultAllowedIPs, allow the connection regardless of SNI
-      if (!this.settings.sniEnabled || from instanceof plugins.tls.TLSSocket) {
+      if (isDefaultAllowed) {
-        const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
+        console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
-
+      } else if (this.settings.sniEnabled && serverName) {
+        // For SNI connections that aren't in default list, check domain-specific rules
+        const domainConfig = findMatchingDomain(serverName);
         if (!domainConfig) {
-          // If no matching domain config found, check default IPs if available
+          console.log(`Connection rejected: No matching domain config for ${serverName} from IP ${remoteIP}`);
-          if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-            console.log(`Connection rejected: No matching domain config for ${serverName || 'non-SNI'} from IP ${remoteIP}`);
-            from.end();
-            return;
-          }
-        } else {
-          // Check if IP is allowed for this domain
-          if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
-            console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
-            from.end();
-            return;
-          }
-        }
-      } else if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
-          console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
           from.end();
           return;
         }
+        if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
+          console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
+          from.end();
+          return;
+        }
+      } else {
+        // Non-SNI connection and not in default list
+        console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
+        from.end();
+        return;
+      }
 
-      const to = plugins.net.createConnection({
+      // Determine target host - use domain-specific targetIP if available
-        host: this.settings.toHost!,
+      const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
+      const targetHost = domainConfig?.targetIP || this.settings.toHost!;
+      
+      // Create connection, optionally preserving the client's source IP
+      const connectionOptions: plugins.net.NetConnectOpts = {
+        host: targetHost,
         port: this.settings.toPort,
-      });
+      };
-      console.log(`Connection established: ${remoteIP} -> ${this.settings.toHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
+
+      // Only set localAddress if preserveSourceIP is enabled
+      if (this.settings.preserveSourceIP) {
+        connectionOptions.localAddress = remoteIP.replace('::ffff:', ''); // Remove IPv6 mapping if present
+      }
+
+      const to = plugins.net.createConnection(connectionOptions);
+      console.log(`Connection established: ${remoteIP} -> ${targetHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
       from.setTimeout(120000);
       from.pipe(to);
       to.pipe(from);
@@ -150,6 +164,8 @@ export class PortProxy {
       to.on('end', () => {
         cleanUpSockets(from, to);
       });
+    };
+
     this.netServer = server
       .on('connection', handleConnection)
       .on('secureConnection', handleConnection)