3.41.8

fix(portproxy): Improve TLS handshake timeout handling and connection piping in PortProxy
3.41.7
2025-03-12 15:49:42 +00:00 · 2025-03-12 15:49:41 +00:00 · 2025-03-12 12:19:36 +00:00 · 2025-03-12 12:19:36 +00:00
5 changed files with 401 additions and 233 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,21 @@
 # Changelog
 ## 2025-03-12 - 3.41.8 - fix(portproxy)
 Improve TLS handshake timeout handling and connection piping in PortProxy
 - Increase the default initial handshake timeout from 60 seconds to 120 seconds
 - Add a 30-second grace period before terminating connections waiting for initial TLS data
 - Refactor piping logic by removing redundant callback and establishing piping immediately after flushing buffered data
 - Enhance debug logging during TLS ClientHello processing for improved SNI extraction insights
 ## 2025-03-12 - 3.41.7 - fix(core)
 Refactor PortProxy and SniHandler: improve configuration handling, logging, and whitespace consistency
 - Standardized indentation and spacing for configuration properties in PortProxy settings (e.g. ACME options, keepAliveProbes, allowSessionTicket)
 - Simplified conditional formatting and improved inline comments in PortProxy
 - Enhanced logging messages in SniHandler for TLS handshake and session resumption detection
 - Improved debugging output (e.g. hexdump of initial TLS packet) and consistency of multi-line expressions
 ## 2025-03-12 - 3.41.6 - fix(SniHandler)
 Refactor SniHandler: update whitespace, comment formatting, and consistent type definitions
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "3.41.6",
+  "version": "3.41.8",
  "private": false,
  "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
  "main": "dist_ts/index.js",
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '3.41.6',
+  version: '3.41.8',
  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }
--- a/ts/classes.portproxy.ts
+++ b/ts/classes.portproxy.ts
@ -68,14 +68,14 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
  // ACME certificate management options
  acme?: {
-    enabled?: boolean;              // Whether to enable automatic certificate management
+    enabled?: boolean; // Whether to enable automatic certificate management
-    port?: number;                  // Port to listen on for ACME challenges (default: 80)
+    port?: number; // Port to listen on for ACME challenges (default: 80)
-    contactEmail?: string;          // Email for Let's Encrypt account 
+    contactEmail?: string; // Email for Let's Encrypt account
-    useProduction?: boolean;        // Whether to use Let's Encrypt production (default: false for staging)
+    useProduction?: boolean; // Whether to use Let's Encrypt production (default: false for staging)
-    renewThresholdDays?: number;    // Days before expiry to renew certificates (default: 30)
+    renewThresholdDays?: number; // Days before expiry to renew certificates (default: 30)
-    autoRenew?: boolean;            // Whether to automatically renew certificates (default: true)
+    autoRenew?: boolean; // Whether to automatically renew certificates (default: true)
-    certificateStore?: string;      // Directory to store certificates (default: ./certs)
+    certificateStore?: string; // Directory to store certificates (default: ./certs)
-    skipConfiguredCerts?: boolean;  // Skip domains that already have certificates configured
+    skipConfiguredCerts?: boolean; // Skip domains that already have certificates configured
  };
 }
@ -216,7 +216,7 @@ export class PortProxy {
      targetIP: settingsArg.targetIP || 'localhost',
      // Timeout settings with reasonable defaults
-      initialDataTimeout: settingsArg.initialDataTimeout || 60000, // 60 seconds for initial handshake
+      initialDataTimeout: settingsArg.initialDataTimeout || 120000, // 120 seconds for initial handshake
      socketTimeout: ensureSafeTimeout(settingsArg.socketTimeout || 3600000), // 1 hour socket timeout
      inactivityCheckInterval: settingsArg.inactivityCheckInterval || 60000, // 60 seconds interval
      maxConnectionLifetime: ensureSafeTimeout(settingsArg.maxConnectionLifetime || 86400000), // 24 hours default
@ -232,13 +232,13 @@ export class PortProxy {
      // Feature flags
      disableInactivityCheck: settingsArg.disableInactivityCheck || false,
-      enableKeepAliveProbes: settingsArg.enableKeepAliveProbes !== undefined 
+      enableKeepAliveProbes:
-                            ? settingsArg.enableKeepAliveProbes : true,
+        settingsArg.enableKeepAliveProbes !== undefined ? settingsArg.enableKeepAliveProbes : true,
      enableDetailedLogging: settingsArg.enableDetailedLogging || false,
      enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
      enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
-      allowSessionTicket: settingsArg.allowSessionTicket !== undefined 
+      allowSessionTicket:
-                         ? settingsArg.allowSessionTicket : true,
+        settingsArg.allowSessionTicket !== undefined ? settingsArg.allowSessionTicket : true,
      // Rate limiting defaults
      maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
@ -261,8 +261,8 @@ export class PortProxy {
        renewThresholdDays: 30,
        autoRenew: true,
        certificateStore: './certs',
-        skipConfiguredCerts: false
+        skipConfiguredCerts: false,
-      }
+      },
    };
    // Initialize NetworkProxy if enabled
@ -280,7 +280,7 @@ export class PortProxy {
      const networkProxyOptions: any = {
        port: this.settings.networkProxyPort!,
        portProxyIntegration: true,
-        logLevel: this.settings.enableDetailedLogging ? 'debug' : 'info'
+        logLevel: this.settings.enableDetailedLogging ? 'debug' : 'info',
      };
      // Add ACME settings if configured
@ -321,7 +321,7 @@ export class PortProxy {
    // Update settings
    this.settings.acme = {
      ...this.settings.acme,
-      ...acmeSettings
+      ...acmeSettings,
    };
    // If NetworkProxy is initialized, update its ACME settings
@ -379,17 +379,19 @@ export class PortProxy {
      try {
        certPair = {
          key: fs.readFileSync('assets/certs/key.pem', 'utf8'),
-          cert: fs.readFileSync('assets/certs/cert.pem', 'utf8')
+          cert: fs.readFileSync('assets/certs/cert.pem', 'utf8'),
        };
      } catch (certError) {
        console.log(`Warning: Could not read default certificates: ${certError}`);
-        console.log('Using empty certificate placeholders - ACME will generate proper certificates if enabled');
+        console.log(
          'Using empty certificate placeholders - ACME will generate proper certificates if enabled'
        );
        // Use empty placeholders - NetworkProxy will use its internal defaults
        // or ACME will generate proper ones if enabled
        certPair = {
          key: '',
-          cert: ''
+          cert: '',
        };
      }
@ -402,8 +404,8 @@ export class PortProxy {
      // Log ACME-eligible domains if ACME is enabled
      if (this.settings.acme?.enabled) {
        const acmeEligibleDomains = proxyConfigs
-          .filter(config => !config.hostName.includes('*')) // Exclude wildcards
+          .filter((config) => !config.hostName.includes('*')) // Exclude wildcards
-          .map(config => config.hostName);
+          .map((config) => config.hostName);
        if (acmeEligibleDomains.length > 0) {
          console.log(`Domains eligible for ACME certificates: ${acmeEligibleDomains.join(', ')}`);
@ -413,11 +415,16 @@ export class PortProxy {
      }
      // Update NetworkProxy with the converted configs
-      this.networkProxy.updateProxyConfigs(proxyConfigs).then(() => {
+      this.networkProxy
-        console.log(`Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`);
+        .updateProxyConfigs(proxyConfigs)
-      }).catch(err => {
+        .then(() => {
-        console.log(`Error synchronizing configurations: ${err.message}`);
+          console.log(
-      });
+            `Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`
          );
        })
        .catch((err) => {
          console.log(`Error synchronizing configurations: ${err.message}`);
        });
    } catch (err) {
      console.log(`Failed to sync configurations: ${err}`);
    }
@ -546,9 +553,7 @@ export class PortProxy {
      proxySocket.on('data', () => this.updateActivity(record));
      if (this.settings.enableDetailedLogging) {
-        console.log(
+        console.log(`[${connectionId}] TLS connection successfully forwarded to NetworkProxy`);
          `[${connectionId}] TLS connection successfully forwarded to NetworkProxy`
        );
      }
    });
  }
@ -849,77 +854,75 @@ export class PortProxy {
      // Process any remaining data in the queue before switching to piping
      processDataQueue();
-      // Setup function to establish piping - we'll use this after flushing data
+      // Set up piping immediately - don't delay this crucial step
-      const setupPiping = () => {
+      pipingEstablished = true;
        // Mark that we're switching to piping mode
        pipingEstablished = true;
        // Setup piping in both directions
        socket.pipe(targetSocket);
        targetSocket.pipe(socket);
        // Resume the socket to ensure data flows
        socket.resume();
        // Process any data that might be queued in the interim
        if (dataQueue.length > 0) {
          // Write any remaining queued data directly to the target socket
          for (const chunk of dataQueue) {
            targetSocket.write(chunk);
          }
          // Clear the queue
          dataQueue.length = 0;
          queueSize = 0;
        }
        if (this.settings.enableDetailedLogging) {
          console.log(
            `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
              `${
                serverName
                  ? ` (SNI: ${serverName})`
                  : domainConfig
                  ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
                  : ''
              }` +
              ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
                record.hasKeepAlive ? 'Yes' : 'No'
              }`
          );
        } else {
          console.log(
            `Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
              `${
                serverName
                  ? ` (SNI: ${serverName})`
                  : domainConfig
                  ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
                  : ''
              }`
          );
        }
      };
      // Flush all pending data to target
      if (record.pendingData.length > 0) {
        const combinedData = Buffer.concat(record.pendingData);
        if (this.settings.enableDetailedLogging) {
          console.log(`[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`);
        }
        // Write pending data immediately
        targetSocket.write(combinedData, (err) => {
          if (err) {
            console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
            return this.initiateCleanupOnce(record, 'write_error');
          }
          // Establish piping now that we've flushed the buffered data
          setupPiping();
        });
-      } else {
+        
-        // No pending data, just establish piping immediately
+        // Clear the buffer now that we've processed it
-        setupPiping();
+        record.pendingData = [];
        record.pendingDataSize = 0;
      }
      // Setup piping in both directions without any delays
      socket.pipe(targetSocket);
      targetSocket.pipe(socket);
      // Resume the socket to ensure data flows - CRITICAL!
      socket.resume();
      // Process any data that might be queued in the interim
      if (dataQueue.length > 0) {
        // Write any remaining queued data directly to the target socket
        for (const chunk of dataQueue) {
          targetSocket.write(chunk);
        }
        // Clear the queue
        dataQueue.length = 0;
        queueSize = 0;
      }
      if (this.settings.enableDetailedLogging) {
        console.log(
          `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
            `${
              serverName
                ? ` (SNI: ${serverName})`
                : domainConfig
                ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
                : ''
            }` +
            ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
              record.hasKeepAlive ? 'Yes' : 'No'
            }`
        );
      } else {
        console.log(
          `Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
            `${
              serverName
                ? ` (SNI: ${serverName})`
                : domainConfig
                ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
                : ''
            }`
        );
      }
      // Clear the buffer now that we've processed it
      record.pendingData = [];
      record.pendingDataSize = 0;
      // Add the renegotiation handler for SNI validation with strict domain enforcement
      // This will be called after we've established piping
@ -935,30 +938,36 @@ export class PortProxy {
                sourceIp: record.remoteIP,
                sourcePort: record.incoming.remotePort || 0,
                destIp: record.incoming.localAddress || '',
-                destPort: record.incoming.localPort || 0
+                destPort: record.incoming.localPort || 0,
              };
              // Check for session tickets if allowSessionTicket is disabled
              if (this.settings.allowSessionTicket === false) {
                // Analyze for session resumption attempt (session ticket or PSK)
-                const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
+                const resumptionInfo = SniHandler.hasSessionResumption(
                  renegChunk,
                  this.settings.enableTlsDebugLogging
                );
                if (resumptionInfo.isResumption) {
                  // Always log resumption attempt for easier debugging
                  // Try to extract SNI for logging
-                  const extractedSNI = SniHandler.extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
+                  const extractedSNI = SniHandler.extractSNI(
                    renegChunk,
                    this.settings.enableTlsDebugLogging
                  );
                  console.log(
                    `[${connectionId}] Session resumption detected in renegotiation. ` +
-                    `Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
+                      `Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
-                    `SNI value: ${extractedSNI || 'None'}, ` +
+                      `SNI value: ${extractedSNI || 'None'}, ` +
-                    `allowSessionTicket: ${this.settings.allowSessionTicket}`
+                      `allowSessionTicket: ${this.settings.allowSessionTicket}`
                  );
                  // Block if there's session resumption without SNI
                  if (!resumptionInfo.hasSNI) {
                    console.log(
                      `[${connectionId}] Session resumption detected in renegotiation without SNI and allowSessionTicket=false. ` +
-                      `Terminating connection to force new TLS handshake.`
+                        `Terminating connection to force new TLS handshake.`
                    );
                    this.initiateCleanupOnce(record, 'session_ticket_blocked');
                    return;
@ -966,14 +975,18 @@ export class PortProxy {
                    if (this.settings.enableDetailedLogging) {
                      console.log(
                        `[${connectionId}] Session resumption with SNI detected in renegotiation. ` +
-                        `Allowing connection since SNI is present.`
+                          `Allowing connection since SNI is present.`
                      );
                    }
                  }
                }
              }
-              const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, connInfo, this.settings.enableTlsDebugLogging);
+              const newSNI = SniHandler.extractSNIWithResumptionSupport(
                renegChunk,
                connInfo,
                this.settings.enableTlsDebugLogging
              );
              // Skip if no SNI was found
              if (!newSNI) return;
@ -983,7 +996,7 @@ export class PortProxy {
                // Log and terminate the connection for any SNI change
                console.log(
                  `[${connectionId}] Renegotiation with different SNI: ${record.lockedDomain} -> ${newSNI}. ` +
-                  `Terminating connection - SNI domain switching is not allowed.`
+                    `Terminating connection - SNI domain switching is not allowed.`
                );
                this.initiateCleanupOnce(record, 'sni_mismatch');
              } else if (this.settings.enableDetailedLogging) {
@ -1007,9 +1020,13 @@ export class PortProxy {
        socket.on('data', renegotiationHandler);
        if (this.settings.enableDetailedLogging) {
-          console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
+          console.log(
            `[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`
          );
          if (this.settings.allowSessionTicket === false) {
-            console.log(`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`);
+            console.log(
              `[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`
            );
          }
        }
      }
@ -1402,7 +1419,11 @@ export class PortProxy {
    }
    // Initialize NetworkProxy if needed (useNetworkProxy is set but networkProxy isn't initialized)
-    if (this.settings.useNetworkProxy && this.settings.useNetworkProxy.length > 0 && !this.networkProxy) {
+    if (
      this.settings.useNetworkProxy &&
      this.settings.useNetworkProxy.length > 0 &&
      !this.networkProxy
    ) {
      await this.initializeNetworkProxy();
    }
@ -1413,7 +1434,11 @@ export class PortProxy {
      // Log ACME status
      if (this.settings.acme?.enabled) {
-        console.log(`ACME certificate management is enabled (${this.settings.acme.useProduction ? 'Production' : 'Staging'} mode)`);
+        console.log(
          `ACME certificate management is enabled (${
            this.settings.acme.useProduction ? 'Production' : 'Staging'
          } mode)`
        );
        console.log(`ACME HTTP challenge server on port ${this.settings.acme.port}`);
        // Register domains for ACME certificates if enabled
@ -1536,8 +1561,8 @@ export class PortProxy {
      // Check if this connection should be forwarded directly to NetworkProxy
      // First check port-based forwarding settings
-      let shouldUseNetworkProxy = this.settings.useNetworkProxy && 
+      let shouldUseNetworkProxy =
-                                 this.settings.useNetworkProxy.includes(localPort);
+        this.settings.useNetworkProxy && this.settings.useNetworkProxy.includes(localPort);
      // We'll look for domain-specific settings after SNI extraction
@ -1548,15 +1573,20 @@ export class PortProxy {
        // Set an initial timeout for handshake data
        let initialTimeout: NodeJS.Timeout | null = setTimeout(() => {
          if (!initialDataReceived) {
-            console.log(
+            console.log(`[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP}`);
-              `[${connectionId}] Initial data timeout (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP} on port ${localPort}`
+            
-            );
+            // Add a grace period instead of immediate termination
-            if (connectionRecord.incomingTerminationReason === null) {
+            setTimeout(() => {
-              connectionRecord.incomingTerminationReason = 'initial_timeout';
+              if (!initialDataReceived) {
-              this.incrementTerminationStat('incoming', 'initial_timeout');
+                console.log(`[${connectionId}] Final initial data timeout after grace period`);
-            }
+                if (connectionRecord.incomingTerminationReason === null) {
-            socket.end();
+                  connectionRecord.incomingTerminationReason = 'initial_timeout';
-            this.cleanupConnection(connectionRecord, 'initial_timeout');
+                  this.incrementTerminationStat('incoming', 'initial_timeout');
                }
                socket.end();
                this.cleanupConnection(connectionRecord, 'initial_timeout');
              }
            }, 30000); // 30 second grace period
          }
        }, this.settings.initialDataTimeout!);
@ -1583,7 +1613,7 @@ export class PortProxy {
          if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
            console.log(
              `[${connectionId}] Non-TLS connection detected on port 443. ` +
-              `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+                `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
            );
            if (connectionRecord.incomingTerminationReason === null) {
              connectionRecord.incomingTerminationReason = 'non_tls_blocked';
@ -1601,25 +1631,31 @@ export class PortProxy {
            // Check for TLS ClientHello with either no SNI or session tickets
            if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
              // Extract SNI first
-              const extractedSNI = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging);
+              const extractedSNI = SniHandler.extractSNI(
                chunk,
                this.settings.enableTlsDebugLogging
              );
              const hasSNI = !!extractedSNI;
              // Analyze for session resumption attempt
-              const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
+              const resumptionInfo = SniHandler.hasSessionResumption(
                chunk,
                this.settings.enableTlsDebugLogging
              );
              // Always log for debugging purposes
              console.log(
                `[${connectionId}] TLS ClientHello detected with allowSessionTicket=false. ` +
-                `Has SNI: ${hasSNI ? 'Yes' : 'No'}, ` +
+                  `Has SNI: ${hasSNI ? 'Yes' : 'No'}, ` +
-                `SNI value: ${extractedSNI || 'None'}, ` +
+                  `SNI value: ${extractedSNI || 'None'}, ` +
-                `Has session resumption: ${resumptionInfo.isResumption ? 'Yes' : 'No'}`
+                  `Has session resumption: ${resumptionInfo.isResumption ? 'Yes' : 'No'}`
              );
              // Block if this is a connection with session resumption but no SNI
              if (resumptionInfo.isResumption && !hasSNI) {
                console.log(
                  `[${connectionId}] Session resumption detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
-                  `Terminating connection to force new TLS handshake.`
+                    `Terminating connection to force new TLS handshake.`
                );
                if (connectionRecord.incomingTerminationReason === null) {
                  connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
@ -1635,7 +1671,7 @@ export class PortProxy {
              if (!hasSNI && localPort === 443) {
                console.log(
                  `[${connectionId}] TLS ClientHello detected on port 443 without SNI and allowSessionTicket=false. ` +
-                  `Terminating connection to force proper SNI in handshake.`
+                    `Terminating connection to force proper SNI in handshake.`
                );
                if (connectionRecord.incomingTerminationReason === null) {
                  connectionRecord.incomingTerminationReason = 'no_sni_blocked';
@ -1652,7 +1688,7 @@ export class PortProxy {
              sourceIp: remoteIP,
              sourcePort: socket.remotePort || 0,
              destIp: socket.localAddress || '',
-              destPort: socket.localPort || 0
+              destPort: socket.localPort || 0,
            };
            // Extract SNI to check for domain-specific NetworkProxy settings
@ -1674,7 +1710,8 @@ export class PortProxy {
              // Use domain-specific NetworkProxy port if configured
              if (domainConfig?.useNetworkProxy) {
-                const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
+                const networkProxyPort =
                  domainConfig.networkProxyPort || this.settings.networkProxyPort;
                if (this.settings.enableDetailedLogging) {
                  console.log(
@ -1683,7 +1720,13 @@ export class PortProxy {
                }
                // Forward to NetworkProxy with domain-specific port
-                this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk, networkProxyPort);
+                this.forwardToNetworkProxy(
                  connectionId,
                  socket,
                  connectionRecord,
                  chunk,
                  networkProxyPort
                );
                return;
              }
            }
@ -1693,10 +1736,16 @@ export class PortProxy {
          } else {
            // If not TLS, use normal direct connection
            console.log(`[${connectionId}] Non-TLS connection on NetworkProxy port ${localPort}`);
-            this.setupDirectConnection(connectionId, socket, connectionRecord, undefined, undefined, chunk);
+            this.setupDirectConnection(
              connectionId,
              socket,
              connectionRecord,
              undefined,
              undefined,
              chunk
            );
          }
        });
      } else {
        // For non-NetworkProxy ports, proceed with normal processing
@ -1718,15 +1767,20 @@ export class PortProxy {
        if (this.settings.sniEnabled) {
          initialTimeout = setTimeout(() => {
            if (!initialDataReceived) {
-              console.log(
+              console.log(`[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP}`);
-                `[${connectionId}] Initial data timeout (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP} on port ${localPort}`
+              
-              );
+              // Add a grace period instead of immediate termination
-              if (connectionRecord.incomingTerminationReason === null) {
+              setTimeout(() => {
-                connectionRecord.incomingTerminationReason = 'initial_timeout';
+                if (!initialDataReceived) {
-                this.incrementTerminationStat('incoming', 'initial_timeout');
+                  console.log(`[${connectionId}] Final initial data timeout after grace period`);
-              }
+                  if (connectionRecord.incomingTerminationReason === null) {
-              socket.end();
+                    connectionRecord.incomingTerminationReason = 'initial_timeout';
-              this.cleanupConnection(connectionRecord, 'initial_timeout');
+                    this.incrementTerminationStat('incoming', 'initial_timeout');
                  }
                  socket.end();
                  this.cleanupConnection(connectionRecord, 'initial_timeout');
                }
              }, 30000); // 30 second grace period
            }
          }, this.settings.initialDataTimeout!);
@ -1760,7 +1814,7 @@ export class PortProxy {
                sourceIp: remoteIP,
                sourcePort: socket.remotePort || 0,
                destIp: socket.localAddress || '',
-                destPort: socket.localPort || 0
+                destPort: socket.localPort || 0,
              };
              SniHandler.extractSNIWithResumptionSupport(chunk, debugConnInfo, true);
@ -1823,7 +1877,8 @@ export class PortProxy {
              );
            }
-            const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
+            const networkProxyPort =
              domainConfig.networkProxyPort || this.settings.networkProxyPort;
            if (initialChunk && connectionRecord.isTLS) {
              // For TLS connections with initial chunk, forward to NetworkProxy
@ -1861,7 +1916,10 @@ export class PortProxy {
                )}`
              );
            }
-          } else if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
+          } else if (
            this.settings.defaultAllowedIPs &&
            this.settings.defaultAllowedIPs.length > 0
          ) {
            if (
              !isGlobIPAllowed(
                remoteIP,
@ -1974,6 +2032,7 @@ export class PortProxy {
          initialDataReceived = false;
          socket.once('data', (chunk: Buffer) => {
            // Clear timeout immediately
            if (initialTimeout) {
              clearTimeout(initialTimeout);
              initialTimeout = null;
@ -1981,12 +2040,29 @@ export class PortProxy {
            initialDataReceived = true;
            // Add debugging ONLY if detailed logging is enabled - avoid heavy processing
            if (this.settings.enableTlsDebugLogging && SniHandler.isClientHello(chunk)) {
              // Move heavy debug logging to a separate async task to not block the flow
              setImmediate(() => {
                try {
                  const resumptionInfo = SniHandler.hasSessionResumption(chunk, true);
                  const standardSNI = SniHandler.extractSNI(chunk, true);
                  const pskSNI = SniHandler.extractSNIFromPSKExtension(chunk, true);
                  console.log(`[${connectionId}] ClientHello details: isResumption=${resumptionInfo.isResumption}, hasSNI=${resumptionInfo.hasSNI}`);
                  console.log(`[${connectionId}] SNI extraction results: standardSNI=${standardSNI || 'none'}, pskSNI=${pskSNI || 'none'}`);
                } catch (err) {
                  console.log(`[${connectionId}] Error in debug logging: ${err}`);
                }
              });
            }
            // Block non-TLS connections on port 443
            // Always enforce TLS on standard HTTPS port
            if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
              console.log(
                `[${connectionId}] Non-TLS connection detected on port 443 in SNI handler. ` +
-                `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+                  `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
              );
              if (connectionRecord.incomingTerminationReason === null) {
                connectionRecord.incomingTerminationReason = 'non_tls_blocked';
@ -2012,24 +2088,30 @@ export class PortProxy {
              // Check for session tickets if allowSessionTicket is disabled
              if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
                // Analyze for session resumption attempt
-                const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
+                const resumptionInfo = SniHandler.hasSessionResumption(
                  chunk,
                  this.settings.enableTlsDebugLogging
                );
                if (resumptionInfo.isResumption) {
                  // Always log resumption attempt for easier debugging
                  // Try to extract SNI for logging
-                  const extractedSNI = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging);
+                  const extractedSNI = SniHandler.extractSNI(
                    chunk,
                    this.settings.enableTlsDebugLogging
                  );
                  console.log(
                    `[${connectionId}] Session resumption detected in SNI handler. ` +
-                    `Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
+                      `Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
-                    `SNI value: ${extractedSNI || 'None'}, ` +
+                      `SNI value: ${extractedSNI || 'None'}, ` +
-                    `allowSessionTicket: ${this.settings.allowSessionTicket}`
+                      `allowSessionTicket: ${this.settings.allowSessionTicket}`
                  );
                  // Block if there's session resumption without SNI
                  if (!resumptionInfo.hasSNI) {
                    console.log(
                      `[${connectionId}] Session resumption detected in SNI handler without SNI and allowSessionTicket=false. ` +
-                      `Terminating connection to force new TLS handshake.`
+                        `Terminating connection to force new TLS handshake.`
                    );
                    if (connectionRecord.incomingTerminationReason === null) {
                      connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
@ -2042,7 +2124,7 @@ export class PortProxy {
                    if (this.settings.enableDetailedLogging) {
                      console.log(
                        `[${connectionId}] Session resumption with SNI detected in SNI handler. ` +
-                        `Allowing connection since SNI is present.`
+                          `Allowing connection since SNI is present.`
                      );
                    }
                  }
@ -2054,16 +2136,17 @@ export class PortProxy {
                sourceIp: remoteIP,
                sourcePort: socket.remotePort || 0,
                destIp: socket.localAddress || '',
-                destPort: socket.localPort || 0
+                destPort: socket.localPort || 0,
              };
              // Use the new processTlsPacket method for comprehensive handling
-              serverName = SniHandler.processTlsPacket(
+              serverName =
-                chunk, 
+                SniHandler.processTlsPacket(
-                connInfo,
+                  chunk,
-                this.settings.enableTlsDebugLogging,
+                  connInfo,
-                connectionRecord.lockedDomain // Pass any previously negotiated domain as a hint
+                  this.settings.enableTlsDebugLogging,
-              ) || '';
+                  connectionRecord.lockedDomain // Pass any previously negotiated domain as a hint
                ) || '';
            }
            // Lock the connection to the negotiated SNI.
--- a/ts/classes.snihandler.ts
+++ b/ts/classes.snihandler.ts
@ -1321,6 +1321,7 @@ export class SniHandler {
   * @param cachedSni - Optional cached SNI from previous connections (for racing detection)
   * @returns The extracted server name or undefined if not found or more data needed
   */
  public static processTlsPacket(
    buffer: Buffer,
    connectionInfo: {
@ -1373,6 +1374,74 @@ export class SniHandler {
      return undefined;
    }
    // Enhanced session resumption detection
    if (this.isClientHello(buffer)) {
      const resumptionInfo = this.hasSessionResumption(buffer, enableLogging);
      if (resumptionInfo.isResumption) {
        log(`Session resumption detected in TLS packet`);
        // Always try standard SNI extraction first
        const standardSni = this.extractSNI(buffer, enableLogging);
        if (standardSni) {
          log(`Found standard SNI in session resumption: ${standardSni}`);
          // Cache this SNI
          this.cacheSession(connectionInfo.sourceIp, standardSni);
          return standardSni;
        }
        // Enhanced session resumption SNI extraction
        // Try extracting from PSK identity
        const pskSni = this.extractSNIFromPSKExtension(buffer, enableLogging);
        if (pskSni) {
          log(`Extracted SNI from PSK extension: ${pskSni}`);
          this.cacheSession(connectionInfo.sourceIp, pskSni);
          return pskSni;
        }
        // Additional check for SNI in session tickets
        if (enableLogging) {
          log(`Checking for session ticket information to extract server name...`);
          // Log more details for debugging
          try {
            // Look at the raw buffer for patterns
            log(`Buffer hexdump (first 100 bytes): ${buffer.slice(0, 100).toString('hex')}`);
            // Try to find hostname-like patterns in the buffer
            const bufferStr = buffer.toString('utf8', 0, buffer.length);
            const hostnamePattern =
              /([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/gi;
            const hostMatches = bufferStr.match(hostnamePattern);
            if (hostMatches && hostMatches.length > 0) {
              log(`Possible hostnames found in buffer: ${hostMatches.join(', ')}`);
              // Check if any match looks like a valid domain
              for (const match of hostMatches) {
                if (match.includes('.') && match.length > 3) {
                  log(`Potential SNI found in session data: ${match}`);
                  // Don't automatically use this - just log for debugging
                }
              }
            }
          } catch (e) {
            log(`Error scanning for patterns: ${e}`);
          }
        }
        // If we still don't have SNI, check for cached sessions
        const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
        if (cachedSni) {
          log(`Using cached SNI for session resumption: ${cachedSni}`);
          return cachedSni;
        }
        log(`Session resumption without extractable SNI`);
        // If allowSessionTicket=false, should be rejected by caller
      }
    }
    // For handshake messages, try the full extraction process
    const sni = this.extractSNIWithResumptionSupport(buffer, connectionInfo, enableLogging);
Author	SHA1	Message	Date
Philipp Kunz	985031e9ac	3.41.8 Some checks failed Default (tags) / security (push) Successful in 37s Details Default (tags) / test (push) Failing after 1m8s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-12 15:49:42 +00:00
Philipp Kunz	4c0105ad09	fix(portproxy): Improve TLS handshake timeout handling and connection piping in PortProxy	2025-03-12 15:49:41 +00:00
Philipp Kunz	06896b3102	3.41.7 Some checks failed Default (tags) / security (push) Successful in 35s Details Default (tags) / test (push) Failing after 1m0s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-12 12:19:36 +00:00
Philipp Kunz	7fe455b4df	fix(core): Refactor PortProxy and SniHandler: improve configuration handling, logging, and whitespace consistency	2025-03-12 12:19:36 +00:00