Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 483cbb3634 | |||
| c77b31b72c | |||
| 8cb8fa1a52 | |||
| 8e5bb12edb | |||
| 9be9a426ad | |||
| 32d875aed9 |
20
changelog.md
20
changelog.md
@ -1,5 +1,25 @@
|
||||
# Changelog
|
||||
|
||||
## 2025-02-21 - 3.6.0 - feat(PortProxy)
|
||||
Add feature to preserve original client IP through chained proxies
|
||||
|
||||
- Added support to bind local address in PortProxy to preserve original client IP.
|
||||
- Implemented test for chained proxies to ensure client IP is preserved.
|
||||
|
||||
## 2025-02-21 - 3.5.0 - feat(PortProxy)
|
||||
Enhance PortProxy to support domain-specific target IPs
|
||||
|
||||
- Introduced support for domain-specific target IP configurations in PortProxy.
|
||||
- Updated connection handling to prioritize domain-specific target IPs if provided.
|
||||
- Added tests to verify forwarding based on domain-specific target IPs.
|
||||
|
||||
## 2025-02-21 - 3.4.4 - fix(PortProxy)
|
||||
Fixed handling of SNI domain connections and IP allowance checks
|
||||
|
||||
- Improved logic for handling SNI domain checks, ensuring IPs are correctly verified.
|
||||
- Fixed issue where default allowed IPs were not being checked correctly for non-SNI connections.
|
||||
- Revised the SNICallback behavior to handle connections more gracefully when domain configurations are unavailable.
|
||||
|
||||
## 2025-02-21 - 3.4.3 - fix(PortProxy)
|
||||
Fixed indentation issue and ensured proper cleanup of sockets in PortProxy
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@push.rocks/smartproxy",
|
||||
"version": "3.4.3",
|
||||
"version": "3.6.0",
|
||||
"private": false,
|
||||
"description": "a proxy for handling high workloads of proxying",
|
||||
"main": "dist_ts/index.js",
|
||||
|
||||
@ -95,6 +95,54 @@ tap.test('should forward TCP connections to custom host', async () => {
|
||||
await customHostProxy.stop();
|
||||
});
|
||||
|
||||
tap.test('should forward connections based on domain-specific target IP', async () => {
|
||||
// Create a second test server on a different port
|
||||
const TEST_SERVER_PORT_2 = TEST_SERVER_PORT + 100;
|
||||
const testServer2 = await createTestServer(TEST_SERVER_PORT_2);
|
||||
|
||||
// Create a proxy with domain-specific target IPs
|
||||
const domainProxy = new PortProxy({
|
||||
fromPort: PROXY_PORT + 2,
|
||||
toPort: TEST_SERVER_PORT, // default port
|
||||
toHost: 'localhost', // default host
|
||||
domains: [{
|
||||
domain: 'domain1.test',
|
||||
allowedIPs: ['127.0.0.1'],
|
||||
targetIP: '127.0.0.1'
|
||||
}, {
|
||||
domain: 'domain2.test',
|
||||
allowedIPs: ['127.0.0.1'],
|
||||
targetIP: 'localhost'
|
||||
}],
|
||||
sniEnabled: false, // We'll test without SNI first since this is a TCP proxy test
|
||||
defaultAllowedIPs: ['127.0.0.1']
|
||||
});
|
||||
|
||||
await domainProxy.start();
|
||||
|
||||
// Test default connection (should use default host)
|
||||
const response1 = await createTestClient(PROXY_PORT + 2, TEST_DATA);
|
||||
expect(response1).toEqual(`Echo: ${TEST_DATA}`);
|
||||
|
||||
// Create another proxy with different default host
|
||||
const domainProxy2 = new PortProxy({
|
||||
fromPort: PROXY_PORT + 3,
|
||||
toPort: TEST_SERVER_PORT,
|
||||
toHost: '127.0.0.1',
|
||||
domains: [],
|
||||
sniEnabled: false,
|
||||
defaultAllowedIPs: ['127.0.0.1']
|
||||
});
|
||||
|
||||
await domainProxy2.start();
|
||||
const response2 = await createTestClient(PROXY_PORT + 3, TEST_DATA);
|
||||
expect(response2).toEqual(`Echo: ${TEST_DATA}`);
|
||||
|
||||
await domainProxy.stop();
|
||||
await domainProxy2.stop();
|
||||
await new Promise<void>((resolve) => testServer2.close(() => resolve()));
|
||||
});
|
||||
|
||||
tap.test('should handle multiple concurrent connections', async () => {
|
||||
const concurrentRequests = 5;
|
||||
const requests = Array(concurrentRequests).fill(null).map((_, i) =>
|
||||
@ -127,6 +175,37 @@ tap.test('should stop port proxy', async () => {
|
||||
});
|
||||
|
||||
// Cleanup
|
||||
tap.test('should preserve client IP through chained proxies', async () => {
|
||||
// Create two proxies in chain
|
||||
const firstProxy = new PortProxy({
|
||||
fromPort: PROXY_PORT + 4,
|
||||
toPort: PROXY_PORT + 5, // Point to second proxy
|
||||
toHost: 'localhost',
|
||||
domains: [],
|
||||
sniEnabled: false,
|
||||
defaultAllowedIPs: ['127.0.0.1']
|
||||
});
|
||||
|
||||
const secondProxy = new PortProxy({
|
||||
fromPort: PROXY_PORT + 5,
|
||||
toPort: TEST_SERVER_PORT,
|
||||
toHost: 'localhost',
|
||||
domains: [],
|
||||
sniEnabled: false,
|
||||
defaultAllowedIPs: ['127.0.0.1']
|
||||
});
|
||||
|
||||
await secondProxy.start();
|
||||
await firstProxy.start();
|
||||
|
||||
// Connect through the chain
|
||||
const response = await createTestClient(PROXY_PORT + 4, TEST_DATA);
|
||||
expect(response).toEqual(`Echo: ${TEST_DATA}`);
|
||||
|
||||
await firstProxy.stop();
|
||||
await secondProxy.stop();
|
||||
});
|
||||
|
||||
tap.test('cleanup port proxy test environment', async () => {
|
||||
await new Promise<void>((resolve) => testServer.close(() => resolve()));
|
||||
});
|
||||
|
||||
@ -3,6 +3,6 @@
|
||||
*/
|
||||
export const commitinfo = {
|
||||
name: '@push.rocks/smartproxy',
|
||||
version: '3.4.3',
|
||||
version: '3.6.0',
|
||||
description: 'a proxy for handling high workloads of proxying'
|
||||
}
|
||||
|
||||
@ -4,6 +4,7 @@ import * as plugins from './smartproxy.plugins.js';
|
||||
export interface DomainConfig {
|
||||
domain: string; // glob pattern for domain
|
||||
allowedIPs: string[]; // glob patterns for IPs allowed to access this domain
|
||||
targetIP?: string; // Optional target IP for this domain
|
||||
}
|
||||
|
||||
export interface ProxySettings extends plugins.tls.TlsOptions {
|
||||
@ -73,9 +74,8 @@ export class PortProxy {
|
||||
console.log(`SNI request for domain: ${serverName}`);
|
||||
const domainConfig = findMatchingDomain(serverName);
|
||||
if (!domainConfig) {
|
||||
console.log(`SNI rejected: No matching domain config for ${serverName}`);
|
||||
cb(new Error(`No configuration for domain: ${serverName}`));
|
||||
return;
|
||||
// Always allow SNI for default IPs, even if domain doesn't match
|
||||
console.log(`SNI domain ${serverName} not found, will check IP during connection`);
|
||||
}
|
||||
// Create context with the provided TLS settings
|
||||
const ctx = plugins.tls.createSecureContext(this.settings);
|
||||
@ -88,41 +88,48 @@ export class PortProxy {
|
||||
const remoteIP = from.remoteAddress || '';
|
||||
let serverName = '';
|
||||
|
||||
// First check if this IP is in the default allowed list
|
||||
const isDefaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
|
||||
|
||||
if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
|
||||
serverName = (from as any).servername || '';
|
||||
console.log(`TLS Connection from ${remoteIP} for domain: ${serverName}`);
|
||||
}
|
||||
|
||||
// For TLS connections, we've already validated the domain in SNICallback
|
||||
if (!this.settings.sniEnabled || from instanceof plugins.tls.TLSSocket) {
|
||||
const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
|
||||
|
||||
// If IP is in defaultAllowedIPs, allow the connection regardless of SNI
|
||||
if (isDefaultAllowed) {
|
||||
console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
|
||||
} else if (this.settings.sniEnabled && serverName) {
|
||||
// For SNI connections that aren't in default list, check domain-specific rules
|
||||
const domainConfig = findMatchingDomain(serverName);
|
||||
if (!domainConfig) {
|
||||
// If no matching domain config found, check default IPs if available
|
||||
if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
|
||||
console.log(`Connection rejected: No matching domain config for ${serverName || 'non-SNI'} from IP ${remoteIP}`);
|
||||
from.end();
|
||||
return;
|
||||
}
|
||||
} else {
|
||||
// Check if IP is allowed for this domain
|
||||
if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
|
||||
console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
|
||||
from.end();
|
||||
return;
|
||||
}
|
||||
console.log(`Connection rejected: No matching domain config for ${serverName} from IP ${remoteIP}`);
|
||||
from.end();
|
||||
return;
|
||||
}
|
||||
} else if (!this.settings.defaultAllowedIPs || !isAllowed(remoteIP, this.settings.defaultAllowedIPs)) {
|
||||
if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
|
||||
console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
|
||||
from.end();
|
||||
return;
|
||||
}
|
||||
} else {
|
||||
// Non-SNI connection and not in default list
|
||||
console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
|
||||
from.end();
|
||||
return;
|
||||
}
|
||||
|
||||
// Determine target host - use domain-specific targetIP if available
|
||||
const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
|
||||
const targetHost = domainConfig?.targetIP || this.settings.toHost!;
|
||||
|
||||
// Create connection with IP binding to preserve original client IP
|
||||
const to = plugins.net.createConnection({
|
||||
host: this.settings.toHost!,
|
||||
host: targetHost,
|
||||
port: this.settings.toPort,
|
||||
localAddress: remoteIP.replace('::ffff:', ''), // Remove IPv6 mapping if present
|
||||
});
|
||||
console.log(`Connection established: ${remoteIP} -> ${this.settings.toHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
|
||||
console.log(`Connection established: ${remoteIP} -> ${targetHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
|
||||
from.setTimeout(120000);
|
||||
from.pipe(to);
|
||||
to.pipe(from);
|
||||
|
||||
Reference in New Issue
Block a user