|
|
|
|
@ -216,7 +216,7 @@ export class PortProxy {
|
|
|
|
|
targetIP: settingsArg.targetIP || 'localhost',
|
|
|
|
|
|
|
|
|
|
// Timeout settings with reasonable defaults
|
|
|
|
|
initialDataTimeout: settingsArg.initialDataTimeout || 60000, // 60 seconds for initial handshake
|
|
|
|
|
initialDataTimeout: settingsArg.initialDataTimeout || 120000, // 120 seconds for initial handshake
|
|
|
|
|
socketTimeout: ensureSafeTimeout(settingsArg.socketTimeout || 3600000), // 1 hour socket timeout
|
|
|
|
|
inactivityCheckInterval: settingsArg.inactivityCheckInterval || 60000, // 60 seconds interval
|
|
|
|
|
maxConnectionLifetime: ensureSafeTimeout(settingsArg.maxConnectionLifetime || 86400000), // 24 hours default
|
|
|
|
|
@ -232,13 +232,13 @@ export class PortProxy {
|
|
|
|
|
|
|
|
|
|
// Feature flags
|
|
|
|
|
disableInactivityCheck: settingsArg.disableInactivityCheck || false,
|
|
|
|
|
enableKeepAliveProbes: settingsArg.enableKeepAliveProbes !== undefined
|
|
|
|
|
? settingsArg.enableKeepAliveProbes : true,
|
|
|
|
|
enableKeepAliveProbes:
|
|
|
|
|
settingsArg.enableKeepAliveProbes !== undefined ? settingsArg.enableKeepAliveProbes : true,
|
|
|
|
|
enableDetailedLogging: settingsArg.enableDetailedLogging || false,
|
|
|
|
|
enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
|
|
|
|
|
enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
|
|
|
|
|
allowSessionTicket: settingsArg.allowSessionTicket !== undefined
|
|
|
|
|
? settingsArg.allowSessionTicket : true,
|
|
|
|
|
allowSessionTicket:
|
|
|
|
|
settingsArg.allowSessionTicket !== undefined ? settingsArg.allowSessionTicket : true,
|
|
|
|
|
|
|
|
|
|
// Rate limiting defaults
|
|
|
|
|
maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
|
|
|
|
|
@ -261,8 +261,8 @@ export class PortProxy {
|
|
|
|
|
renewThresholdDays: 30,
|
|
|
|
|
autoRenew: true,
|
|
|
|
|
certificateStore: './certs',
|
|
|
|
|
skipConfiguredCerts: false
|
|
|
|
|
}
|
|
|
|
|
skipConfiguredCerts: false,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Initialize NetworkProxy if enabled
|
|
|
|
|
@ -280,7 +280,7 @@ export class PortProxy {
|
|
|
|
|
const networkProxyOptions: any = {
|
|
|
|
|
port: this.settings.networkProxyPort!,
|
|
|
|
|
portProxyIntegration: true,
|
|
|
|
|
logLevel: this.settings.enableDetailedLogging ? 'debug' : 'info'
|
|
|
|
|
logLevel: this.settings.enableDetailedLogging ? 'debug' : 'info',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Add ACME settings if configured
|
|
|
|
|
@ -321,7 +321,7 @@ export class PortProxy {
|
|
|
|
|
// Update settings
|
|
|
|
|
this.settings.acme = {
|
|
|
|
|
...this.settings.acme,
|
|
|
|
|
...acmeSettings
|
|
|
|
|
...acmeSettings,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// If NetworkProxy is initialized, update its ACME settings
|
|
|
|
|
@ -379,17 +379,19 @@ export class PortProxy {
|
|
|
|
|
try {
|
|
|
|
|
certPair = {
|
|
|
|
|
key: fs.readFileSync('assets/certs/key.pem', 'utf8'),
|
|
|
|
|
cert: fs.readFileSync('assets/certs/cert.pem', 'utf8')
|
|
|
|
|
cert: fs.readFileSync('assets/certs/cert.pem', 'utf8'),
|
|
|
|
|
};
|
|
|
|
|
} catch (certError) {
|
|
|
|
|
console.log(`Warning: Could not read default certificates: ${certError}`);
|
|
|
|
|
console.log('Using empty certificate placeholders - ACME will generate proper certificates if enabled');
|
|
|
|
|
console.log(
|
|
|
|
|
'Using empty certificate placeholders - ACME will generate proper certificates if enabled'
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// Use empty placeholders - NetworkProxy will use its internal defaults
|
|
|
|
|
// or ACME will generate proper ones if enabled
|
|
|
|
|
certPair = {
|
|
|
|
|
key: '',
|
|
|
|
|
cert: ''
|
|
|
|
|
cert: '',
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -402,8 +404,8 @@ export class PortProxy {
|
|
|
|
|
// Log ACME-eligible domains if ACME is enabled
|
|
|
|
|
if (this.settings.acme?.enabled) {
|
|
|
|
|
const acmeEligibleDomains = proxyConfigs
|
|
|
|
|
.filter(config => !config.hostName.includes('*')) // Exclude wildcards
|
|
|
|
|
.map(config => config.hostName);
|
|
|
|
|
.filter((config) => !config.hostName.includes('*')) // Exclude wildcards
|
|
|
|
|
.map((config) => config.hostName);
|
|
|
|
|
|
|
|
|
|
if (acmeEligibleDomains.length > 0) {
|
|
|
|
|
console.log(`Domains eligible for ACME certificates: ${acmeEligibleDomains.join(', ')}`);
|
|
|
|
|
@ -413,9 +415,14 @@ export class PortProxy {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Update NetworkProxy with the converted configs
|
|
|
|
|
this.networkProxy.updateProxyConfigs(proxyConfigs).then(() => {
|
|
|
|
|
console.log(`Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`);
|
|
|
|
|
}).catch(err => {
|
|
|
|
|
this.networkProxy
|
|
|
|
|
.updateProxyConfigs(proxyConfigs)
|
|
|
|
|
.then(() => {
|
|
|
|
|
console.log(
|
|
|
|
|
`Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`
|
|
|
|
|
);
|
|
|
|
|
})
|
|
|
|
|
.catch((err) => {
|
|
|
|
|
console.log(`Error synchronizing configurations: ${err.message}`);
|
|
|
|
|
});
|
|
|
|
|
} catch (err) {
|
|
|
|
|
@ -546,9 +553,7 @@ export class PortProxy {
|
|
|
|
|
proxySocket.on('data', () => this.updateActivity(record));
|
|
|
|
|
|
|
|
|
|
if (this.settings.enableDetailedLogging) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] TLS connection successfully forwarded to NetworkProxy`
|
|
|
|
|
);
|
|
|
|
|
console.log(`[${connectionId}] TLS connection successfully forwarded to NetworkProxy`);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
@ -849,16 +854,35 @@ export class PortProxy {
|
|
|
|
|
// Process any remaining data in the queue before switching to piping
|
|
|
|
|
processDataQueue();
|
|
|
|
|
|
|
|
|
|
// Setup function to establish piping - we'll use this after flushing data
|
|
|
|
|
const setupPiping = () => {
|
|
|
|
|
// Mark that we're switching to piping mode
|
|
|
|
|
// Set up piping immediately - don't delay this crucial step
|
|
|
|
|
pipingEstablished = true;
|
|
|
|
|
|
|
|
|
|
// Setup piping in both directions
|
|
|
|
|
// Flush all pending data to target
|
|
|
|
|
if (record.pendingData.length > 0) {
|
|
|
|
|
const combinedData = Buffer.concat(record.pendingData);
|
|
|
|
|
|
|
|
|
|
if (this.settings.enableDetailedLogging) {
|
|
|
|
|
console.log(`[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Write pending data immediately
|
|
|
|
|
targetSocket.write(combinedData, (err) => {
|
|
|
|
|
if (err) {
|
|
|
|
|
console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
|
|
|
|
|
return this.initiateCleanupOnce(record, 'write_error');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Clear the buffer now that we've processed it
|
|
|
|
|
record.pendingData = [];
|
|
|
|
|
record.pendingDataSize = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Setup piping in both directions without any delays
|
|
|
|
|
socket.pipe(targetSocket);
|
|
|
|
|
targetSocket.pipe(socket);
|
|
|
|
|
|
|
|
|
|
// Resume the socket to ensure data flows
|
|
|
|
|
// Resume the socket to ensure data flows - CRITICAL!
|
|
|
|
|
socket.resume();
|
|
|
|
|
|
|
|
|
|
// Process any data that might be queued in the interim
|
|
|
|
|
@ -898,28 +922,7 @@ export class PortProxy {
|
|
|
|
|
}`
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Flush all pending data to target
|
|
|
|
|
if (record.pendingData.length > 0) {
|
|
|
|
|
const combinedData = Buffer.concat(record.pendingData);
|
|
|
|
|
targetSocket.write(combinedData, (err) => {
|
|
|
|
|
if (err) {
|
|
|
|
|
console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
|
|
|
|
|
return this.initiateCleanupOnce(record, 'write_error');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Establish piping now that we've flushed the buffered data
|
|
|
|
|
setupPiping();
|
|
|
|
|
});
|
|
|
|
|
} else {
|
|
|
|
|
// No pending data, just establish piping immediately
|
|
|
|
|
setupPiping();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Clear the buffer now that we've processed it
|
|
|
|
|
record.pendingData = [];
|
|
|
|
|
record.pendingDataSize = 0;
|
|
|
|
|
|
|
|
|
|
// Add the renegotiation handler for SNI validation with strict domain enforcement
|
|
|
|
|
// This will be called after we've established piping
|
|
|
|
|
@ -935,18 +938,24 @@ export class PortProxy {
|
|
|
|
|
sourceIp: record.remoteIP,
|
|
|
|
|
sourcePort: record.incoming.remotePort || 0,
|
|
|
|
|
destIp: record.incoming.localAddress || '',
|
|
|
|
|
destPort: record.incoming.localPort || 0
|
|
|
|
|
destPort: record.incoming.localPort || 0,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Check for session tickets if allowSessionTicket is disabled
|
|
|
|
|
if (this.settings.allowSessionTicket === false) {
|
|
|
|
|
// Analyze for session resumption attempt (session ticket or PSK)
|
|
|
|
|
const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
|
|
|
|
|
const resumptionInfo = SniHandler.hasSessionResumption(
|
|
|
|
|
renegChunk,
|
|
|
|
|
this.settings.enableTlsDebugLogging
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (resumptionInfo.isResumption) {
|
|
|
|
|
// Always log resumption attempt for easier debugging
|
|
|
|
|
// Try to extract SNI for logging
|
|
|
|
|
const extractedSNI = SniHandler.extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
|
|
|
|
|
const extractedSNI = SniHandler.extractSNI(
|
|
|
|
|
renegChunk,
|
|
|
|
|
this.settings.enableTlsDebugLogging
|
|
|
|
|
);
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Session resumption detected in renegotiation. ` +
|
|
|
|
|
`Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
|
|
|
|
|
@ -973,7 +982,11 @@ export class PortProxy {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, connInfo, this.settings.enableTlsDebugLogging);
|
|
|
|
|
const newSNI = SniHandler.extractSNIWithResumptionSupport(
|
|
|
|
|
renegChunk,
|
|
|
|
|
connInfo,
|
|
|
|
|
this.settings.enableTlsDebugLogging
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// Skip if no SNI was found
|
|
|
|
|
if (!newSNI) return;
|
|
|
|
|
@ -1007,9 +1020,13 @@ export class PortProxy {
|
|
|
|
|
socket.on('data', renegotiationHandler);
|
|
|
|
|
|
|
|
|
|
if (this.settings.enableDetailedLogging) {
|
|
|
|
|
console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`
|
|
|
|
|
);
|
|
|
|
|
if (this.settings.allowSessionTicket === false) {
|
|
|
|
|
console.log(`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`);
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
@ -1402,7 +1419,11 @@ export class PortProxy {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Initialize NetworkProxy if needed (useNetworkProxy is set but networkProxy isn't initialized)
|
|
|
|
|
if (this.settings.useNetworkProxy && this.settings.useNetworkProxy.length > 0 && !this.networkProxy) {
|
|
|
|
|
if (
|
|
|
|
|
this.settings.useNetworkProxy &&
|
|
|
|
|
this.settings.useNetworkProxy.length > 0 &&
|
|
|
|
|
!this.networkProxy
|
|
|
|
|
) {
|
|
|
|
|
await this.initializeNetworkProxy();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -1413,7 +1434,11 @@ export class PortProxy {
|
|
|
|
|
|
|
|
|
|
// Log ACME status
|
|
|
|
|
if (this.settings.acme?.enabled) {
|
|
|
|
|
console.log(`ACME certificate management is enabled (${this.settings.acme.useProduction ? 'Production' : 'Staging'} mode)`);
|
|
|
|
|
console.log(
|
|
|
|
|
`ACME certificate management is enabled (${
|
|
|
|
|
this.settings.acme.useProduction ? 'Production' : 'Staging'
|
|
|
|
|
} mode)`
|
|
|
|
|
);
|
|
|
|
|
console.log(`ACME HTTP challenge server on port ${this.settings.acme.port}`);
|
|
|
|
|
|
|
|
|
|
// Register domains for ACME certificates if enabled
|
|
|
|
|
@ -1536,8 +1561,8 @@ export class PortProxy {
|
|
|
|
|
|
|
|
|
|
// Check if this connection should be forwarded directly to NetworkProxy
|
|
|
|
|
// First check port-based forwarding settings
|
|
|
|
|
let shouldUseNetworkProxy = this.settings.useNetworkProxy &&
|
|
|
|
|
this.settings.useNetworkProxy.includes(localPort);
|
|
|
|
|
let shouldUseNetworkProxy =
|
|
|
|
|
this.settings.useNetworkProxy && this.settings.useNetworkProxy.includes(localPort);
|
|
|
|
|
|
|
|
|
|
// We'll look for domain-specific settings after SNI extraction
|
|
|
|
|
|
|
|
|
|
@ -1548,9 +1573,12 @@ export class PortProxy {
|
|
|
|
|
// Set an initial timeout for handshake data
|
|
|
|
|
let initialTimeout: NodeJS.Timeout | null = setTimeout(() => {
|
|
|
|
|
if (!initialDataReceived) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Initial data timeout (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP} on port ${localPort}`
|
|
|
|
|
);
|
|
|
|
|
console.log(`[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP}`);
|
|
|
|
|
|
|
|
|
|
// Add a grace period instead of immediate termination
|
|
|
|
|
setTimeout(() => {
|
|
|
|
|
if (!initialDataReceived) {
|
|
|
|
|
console.log(`[${connectionId}] Final initial data timeout after grace period`);
|
|
|
|
|
if (connectionRecord.incomingTerminationReason === null) {
|
|
|
|
|
connectionRecord.incomingTerminationReason = 'initial_timeout';
|
|
|
|
|
this.incrementTerminationStat('incoming', 'initial_timeout');
|
|
|
|
|
@ -1558,6 +1586,8 @@ export class PortProxy {
|
|
|
|
|
socket.end();
|
|
|
|
|
this.cleanupConnection(connectionRecord, 'initial_timeout');
|
|
|
|
|
}
|
|
|
|
|
}, 30000); // 30 second grace period
|
|
|
|
|
}
|
|
|
|
|
}, this.settings.initialDataTimeout!);
|
|
|
|
|
|
|
|
|
|
// Make sure timeout doesn't keep the process alive
|
|
|
|
|
@ -1601,11 +1631,17 @@ export class PortProxy {
|
|
|
|
|
// Check for TLS ClientHello with either no SNI or session tickets
|
|
|
|
|
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
|
|
|
|
// Extract SNI first
|
|
|
|
|
const extractedSNI = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging);
|
|
|
|
|
const extractedSNI = SniHandler.extractSNI(
|
|
|
|
|
chunk,
|
|
|
|
|
this.settings.enableTlsDebugLogging
|
|
|
|
|
);
|
|
|
|
|
const hasSNI = !!extractedSNI;
|
|
|
|
|
|
|
|
|
|
// Analyze for session resumption attempt
|
|
|
|
|
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
|
|
|
|
const resumptionInfo = SniHandler.hasSessionResumption(
|
|
|
|
|
chunk,
|
|
|
|
|
this.settings.enableTlsDebugLogging
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// Always log for debugging purposes
|
|
|
|
|
console.log(
|
|
|
|
|
@ -1652,7 +1688,7 @@ export class PortProxy {
|
|
|
|
|
sourceIp: remoteIP,
|
|
|
|
|
sourcePort: socket.remotePort || 0,
|
|
|
|
|
destIp: socket.localAddress || '',
|
|
|
|
|
destPort: socket.localPort || 0
|
|
|
|
|
destPort: socket.localPort || 0,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Extract SNI to check for domain-specific NetworkProxy settings
|
|
|
|
|
@ -1674,7 +1710,8 @@ export class PortProxy {
|
|
|
|
|
|
|
|
|
|
// Use domain-specific NetworkProxy port if configured
|
|
|
|
|
if (domainConfig?.useNetworkProxy) {
|
|
|
|
|
const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
|
|
|
|
const networkProxyPort =
|
|
|
|
|
domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
|
|
|
|
|
|
|
|
|
if (this.settings.enableDetailedLogging) {
|
|
|
|
|
console.log(
|
|
|
|
|
@ -1683,7 +1720,13 @@ export class PortProxy {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Forward to NetworkProxy with domain-specific port
|
|
|
|
|
this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk, networkProxyPort);
|
|
|
|
|
this.forwardToNetworkProxy(
|
|
|
|
|
connectionId,
|
|
|
|
|
socket,
|
|
|
|
|
connectionRecord,
|
|
|
|
|
chunk,
|
|
|
|
|
networkProxyPort
|
|
|
|
|
);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
@ -1693,10 +1736,16 @@ export class PortProxy {
|
|
|
|
|
} else {
|
|
|
|
|
// If not TLS, use normal direct connection
|
|
|
|
|
console.log(`[${connectionId}] Non-TLS connection on NetworkProxy port ${localPort}`);
|
|
|
|
|
this.setupDirectConnection(connectionId, socket, connectionRecord, undefined, undefined, chunk);
|
|
|
|
|
this.setupDirectConnection(
|
|
|
|
|
connectionId,
|
|
|
|
|
socket,
|
|
|
|
|
connectionRecord,
|
|
|
|
|
undefined,
|
|
|
|
|
undefined,
|
|
|
|
|
chunk
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
// For non-NetworkProxy ports, proceed with normal processing
|
|
|
|
|
|
|
|
|
|
@ -1718,9 +1767,12 @@ export class PortProxy {
|
|
|
|
|
if (this.settings.sniEnabled) {
|
|
|
|
|
initialTimeout = setTimeout(() => {
|
|
|
|
|
if (!initialDataReceived) {
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Initial data timeout (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP} on port ${localPort}`
|
|
|
|
|
);
|
|
|
|
|
console.log(`[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP}`);
|
|
|
|
|
|
|
|
|
|
// Add a grace period instead of immediate termination
|
|
|
|
|
setTimeout(() => {
|
|
|
|
|
if (!initialDataReceived) {
|
|
|
|
|
console.log(`[${connectionId}] Final initial data timeout after grace period`);
|
|
|
|
|
if (connectionRecord.incomingTerminationReason === null) {
|
|
|
|
|
connectionRecord.incomingTerminationReason = 'initial_timeout';
|
|
|
|
|
this.incrementTerminationStat('incoming', 'initial_timeout');
|
|
|
|
|
@ -1728,6 +1780,8 @@ export class PortProxy {
|
|
|
|
|
socket.end();
|
|
|
|
|
this.cleanupConnection(connectionRecord, 'initial_timeout');
|
|
|
|
|
}
|
|
|
|
|
}, 30000); // 30 second grace period
|
|
|
|
|
}
|
|
|
|
|
}, this.settings.initialDataTimeout!);
|
|
|
|
|
|
|
|
|
|
// Make sure timeout doesn't keep the process alive
|
|
|
|
|
@ -1760,7 +1814,7 @@ export class PortProxy {
|
|
|
|
|
sourceIp: remoteIP,
|
|
|
|
|
sourcePort: socket.remotePort || 0,
|
|
|
|
|
destIp: socket.localAddress || '',
|
|
|
|
|
destPort: socket.localPort || 0
|
|
|
|
|
destPort: socket.localPort || 0,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
SniHandler.extractSNIWithResumptionSupport(chunk, debugConnInfo, true);
|
|
|
|
|
@ -1823,7 +1877,8 @@ export class PortProxy {
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
|
|
|
|
const networkProxyPort =
|
|
|
|
|
domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
|
|
|
|
|
|
|
|
|
if (initialChunk && connectionRecord.isTLS) {
|
|
|
|
|
// For TLS connections with initial chunk, forward to NetworkProxy
|
|
|
|
|
@ -1861,7 +1916,10 @@ export class PortProxy {
|
|
|
|
|
)}`
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
} else if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
|
|
|
|
|
} else if (
|
|
|
|
|
this.settings.defaultAllowedIPs &&
|
|
|
|
|
this.settings.defaultAllowedIPs.length > 0
|
|
|
|
|
) {
|
|
|
|
|
if (
|
|
|
|
|
!isGlobIPAllowed(
|
|
|
|
|
remoteIP,
|
|
|
|
|
@ -1974,6 +2032,7 @@ export class PortProxy {
|
|
|
|
|
initialDataReceived = false;
|
|
|
|
|
|
|
|
|
|
socket.once('data', (chunk: Buffer) => {
|
|
|
|
|
// Clear timeout immediately
|
|
|
|
|
if (initialTimeout) {
|
|
|
|
|
clearTimeout(initialTimeout);
|
|
|
|
|
initialTimeout = null;
|
|
|
|
|
@ -1981,6 +2040,23 @@ export class PortProxy {
|
|
|
|
|
|
|
|
|
|
initialDataReceived = true;
|
|
|
|
|
|
|
|
|
|
// Add debugging ONLY if detailed logging is enabled - avoid heavy processing
|
|
|
|
|
if (this.settings.enableTlsDebugLogging && SniHandler.isClientHello(chunk)) {
|
|
|
|
|
// Move heavy debug logging to a separate async task to not block the flow
|
|
|
|
|
setImmediate(() => {
|
|
|
|
|
try {
|
|
|
|
|
const resumptionInfo = SniHandler.hasSessionResumption(chunk, true);
|
|
|
|
|
const standardSNI = SniHandler.extractSNI(chunk, true);
|
|
|
|
|
const pskSNI = SniHandler.extractSNIFromPSKExtension(chunk, true);
|
|
|
|
|
|
|
|
|
|
console.log(`[${connectionId}] ClientHello details: isResumption=${resumptionInfo.isResumption}, hasSNI=${resumptionInfo.hasSNI}`);
|
|
|
|
|
console.log(`[${connectionId}] SNI extraction results: standardSNI=${standardSNI || 'none'}, pskSNI=${pskSNI || 'none'}`);
|
|
|
|
|
} catch (err) {
|
|
|
|
|
console.log(`[${connectionId}] Error in debug logging: ${err}`);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Block non-TLS connections on port 443
|
|
|
|
|
// Always enforce TLS on standard HTTPS port
|
|
|
|
|
if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
|
|
|
|
|
@ -2012,12 +2088,18 @@ export class PortProxy {
|
|
|
|
|
// Check for session tickets if allowSessionTicket is disabled
|
|
|
|
|
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
|
|
|
|
// Analyze for session resumption attempt
|
|
|
|
|
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
|
|
|
|
const resumptionInfo = SniHandler.hasSessionResumption(
|
|
|
|
|
chunk,
|
|
|
|
|
this.settings.enableTlsDebugLogging
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (resumptionInfo.isResumption) {
|
|
|
|
|
// Always log resumption attempt for easier debugging
|
|
|
|
|
// Try to extract SNI for logging
|
|
|
|
|
const extractedSNI = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging);
|
|
|
|
|
const extractedSNI = SniHandler.extractSNI(
|
|
|
|
|
chunk,
|
|
|
|
|
this.settings.enableTlsDebugLogging
|
|
|
|
|
);
|
|
|
|
|
console.log(
|
|
|
|
|
`[${connectionId}] Session resumption detected in SNI handler. ` +
|
|
|
|
|
`Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
|
|
|
|
|
@ -2054,11 +2136,12 @@ export class PortProxy {
|
|
|
|
|
sourceIp: remoteIP,
|
|
|
|
|
sourcePort: socket.remotePort || 0,
|
|
|
|
|
destIp: socket.localAddress || '',
|
|
|
|
|
destPort: socket.localPort || 0
|
|
|
|
|
destPort: socket.localPort || 0,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Use the new processTlsPacket method for comprehensive handling
|
|
|
|
|
serverName = SniHandler.processTlsPacket(
|
|
|
|
|
serverName =
|
|
|
|
|
SniHandler.processTlsPacket(
|
|
|
|
|
chunk,
|
|
|
|
|
connInfo,
|
|
|
|
|
this.settings.enableTlsDebugLogging,
|
|
|
|
|
|
