Compare commits
	
		
			52 Commits
		
	
	
		
			v4.0.0
			...
			6b2765a429
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 6b2765a429 | |||
| 9b5b8225bc | |||
| 54e81b3c32 | |||
| b7b47cd11f | |||
| 62061517fd | |||
| 531350a1c1 | |||
| 559a52af41 | |||
| f8c86c76ae | |||
| cc04e8786c | |||
| 9cb6e397b9 | |||
| 11b65bf684 | |||
| 4b30e377b9 | |||
| b10f35be4b | |||
| 426249e70e | |||
| ba0d9d0b8e | |||
| 151b8f498c | |||
| 0db4b07b22 | |||
| b55e2da23e | |||
| 3593e411cf | |||
| ca6f6de798 | |||
| 80d2f30804 | |||
| 22f46700f1 | |||
| 1611f65455 | |||
| c6350e271a | |||
| 0fb5e5ea50 | |||
| 35f6739b3c | |||
| 4634c68ea6 | |||
| e126032b61 | |||
| 7797c799dd | |||
| e8639e1b01 | |||
| 60a0ad106d | |||
| a70c123007 | |||
| 46aa7620b0 | |||
| f72db86e37 | |||
| d612df107e | |||
| 1c34578c36 | |||
| 1f9943b5a7 | |||
| 67ddf97547 | |||
| 8a96b45ece | |||
| 2b6464acd5 | |||
| efbb4335d7 | |||
| 9dd402054d | |||
| 6c1efc1dc0 | |||
| cad0e6a2b2 | |||
| 794e1292e5 | |||
| ee79f9ab7c | |||
| 107bc3b50b | |||
| 97982976c8 | |||
| fe60f88746 | |||
| 252a987344 | |||
| 677d30563f | |||
| 9aa747b5d4 | 
							
								
								
									
										174
									
								
								changelog.md
									
									
									
									
									
								
							
							
						
						
									
										174
									
								
								changelog.md
									
									
									
									
									
								
							| @@ -1,5 +1,179 @@ | ||||
| # Changelog | ||||
|  | ||||
| ## 2025-03-18 - 5.0.0 - BREAKING CHANGE(nftables) | ||||
| Replace IPTablesProxy with NfTablesProxy and update module exports in index.ts | ||||
|  | ||||
| - Removed ts/classes.iptablesproxy.ts | ||||
| - Added ts/classes.nftablesproxy.ts for enhanced nftables integration | ||||
| - Updated ts/index.ts to export NfTablesProxy instead of IPTablesProxy | ||||
|  | ||||
| ## 2025-03-18 - 4.3.0 - feat(Port80Handler) | ||||
| Add glob pattern support for domain certificate management in Port80Handler. Wildcard domains are now detected and skipped in certificate issuance and retrieval, ensuring that only explicit domains receive ACME certificates and improving route matching. | ||||
|  | ||||
| - Introduced isGlobPattern to detect wildcard domains. | ||||
| - Added getDomainInfoForRequest and domainMatchesPattern methods to enable glob pattern matching for domain configurations. | ||||
| - Modified setCertificate and getCertificate to prevent certificate operations for glob patterns. | ||||
| - Updated request handling to skip ACME challenge processing and certificate issuance for wildcard domains. | ||||
| - Updated documentation and tests to reflect the new glob pattern support. | ||||
|  | ||||
| ## 2025-03-18 - 4.2.6 - fix(Port80Handler) | ||||
| Restrict ACME HTTP-01 challenge handling to domains with acmeMaintenance or acmeForward enabled | ||||
|  | ||||
| - Updated challenge handler in ts/classes.port80handler.ts to include a check for (options.acmeMaintenance || options.acmeForward) | ||||
| - Prevents unintended processing of ACME challenges when ACME configuration is not enabled | ||||
|  | ||||
| ## 2025-03-18 - 4.2.5 - fix(networkproxy) | ||||
| Refactor certificate management components: rename AcmeCertManager to Port80Handler and update related event names from CertManagerEvents to Port80HandlerEvents. The changes update internal API usage in ts/classes.networkproxy.ts and ts/classes.port80handler.ts to unify and simplify ACME certificate handling and HTTP-01 challenge management. | ||||
|  | ||||
| - Renamed AcmeCertManager to Port80Handler in ts/classes.networkproxy.ts | ||||
| - Updated event names from CertManagerEvents to Port80HandlerEvents | ||||
| - Modified API calls for certificate issuance and renewal in ts/classes.port80handler.ts | ||||
| - Refactored domain registration and certificate extraction logic | ||||
|  | ||||
| ## 2025-03-18 - 4.2.4 - fix(ts/index.ts) | ||||
| Fix export order in ts/index.ts by moving the port proxy export back and adding interfaces export for proper module exposure | ||||
|  | ||||
| - Reorder exports to place './classes.pp.portproxy.js' in the correct position | ||||
| - Add export for './classes.pp.interfaces.js' to expose internal interfaces | ||||
|  | ||||
| ## 2025-03-18 - 4.2.3 - fix(connectionhandler) | ||||
| Remove unnecessary delay in TLS session ticket handling for connections without SNI | ||||
|  | ||||
| - Eliminated the extra setTimeout waiting period before cleaning up connections flagged as session_ticket_blocked_no_sni | ||||
| - Ensures immediate cleanup and improves connection responsiveness during TLS handshake failures | ||||
|  | ||||
| ## 2025-03-18 - 4.2.2 - fix(connectionhandler) | ||||
| Ensure proper termination of TLS connections without SNI by explicitly ending the socket after sending the unrecognized_name alert. This prevents the connection from hanging and avoids potential duplicate handling. | ||||
|  | ||||
| - Added socket.end() after uncorking the alert packet in ClientHello handling to force connection closure. | ||||
| - Prevents duplicate data events and ensures the warning alert is processed by clients like Chrome. | ||||
|  | ||||
| ## 2025-03-17 - 4.2.1 - fix(core) | ||||
| No uncommitted changes detected in the project. | ||||
|  | ||||
|  | ||||
| ## 2025-03-17 - 4.2.0 - feat(tlsalert) | ||||
| add sendForceSniSequence and sendFatalAndClose helper functions to TlsAlert for improved SNI enforcement | ||||
|  | ||||
| - Introduce sendForceSniSequence to combine multiple alerts and force clients to provide SNI | ||||
| - Add sendFatalAndClose to immediately send a fatal alert and close the connection | ||||
| - Enhance TLS alert handling for better browser compatibility and error management | ||||
|  | ||||
| ## 2025-03-17 - 4.1.16 - fix(tls) | ||||
| Improve TLS alert handling in connection handler: use the new TlsAlert class to send proper unrecognized_name alerts when a ClientHello is missing SNI and wait for a retry on the same connection before closing. Also, add alertFallbackTimeout tracking to connection records for better timeout management. | ||||
|  | ||||
| - Replaced hardcoded alert buffers in ConnectionHandler with calls to the TlsAlert class. | ||||
| - Removed old warnings and implemented a mechanism to remove existing 'data' listeners and await a new ClientHello. | ||||
| - Introduced alertFallbackTimeout property in connection records to track fallback timeout and ensure proper cleanup. | ||||
| - Extended the delay before closing the connection after sending an alert, providing the client more time to retry. | ||||
|  | ||||
| ## 2025-03-17 - 4.1.15 - fix(connectionhandler) | ||||
| Delay socket termination in TLS session resumption handling to allow proper alert processing | ||||
|  | ||||
| - Removed the immediate socket.end() call in finishConnection and moved it inside the setTimeout, ensuring that clients (especially Chrome) have additional time to process the TLS alert before connection termination | ||||
| - This prevents premature socket closure on ClientHello without SNI when session tickets are disallowed | ||||
|  | ||||
| ## 2025-03-17 - 4.1.14 - fix(ConnectionHandler) | ||||
| Use the correct TLS alert data and increase the delay before socket termination when session resumption without SNI is detected. | ||||
|  | ||||
| - Replaced certificateExpiredAlert with serverNameUnknownAlertData for sending the appropriate alert. | ||||
| - Increased the cleanup delay from 1000ms to 5000ms to allow a more graceful termination. | ||||
|  | ||||
| ## 2025-03-17 - 4.1.13 - fix(tls-handshake) | ||||
| Set certificate_expired TLS alert level to warning instead of fatal to allow graceful termination. | ||||
|  | ||||
| - In the TLS handshake alert for certificate_expired (0x2F), changed the alert level from 0x02 (fatal) to 0x01 (warning). | ||||
| - This change avoids abrupt connection termination, enabling a smoother handling of certificate expiration alerts. | ||||
|  | ||||
| ## 2025-03-17 - 4.1.12 - fix(classes.pp.connectionhandler) | ||||
| Replace unrecognized_name alert data with certificate_expired alert in TLS handshake handling for session resumption without SNI | ||||
|  | ||||
| - Switched the alert payload from serverNameUnknownAlertData to a new certificateExpiredAlert buffer | ||||
| - Now sends a fatal certificate_expired alert (code 47) instead of a warning unrecognized_name alert | ||||
| - Improves TLS error reporting and encourages immediate disconnection when a ClientHello lacks SNI and session tickets are disallowed | ||||
|  | ||||
| ## 2025-03-17 - 4.1.11 - fix(connectionhandler) | ||||
| Increase delay before cleaning up connections when session resumption is blocked due to missing SNI, allowing more natural socket termination. | ||||
|  | ||||
| - Changed cleanup delay in ts/classes.pp.connectionhandler.ts from 300ms to 1000ms. | ||||
| - This fix ensures that sockets get sufficient time to terminate gracefully. | ||||
|  | ||||
| ## 2025-03-16 - 4.1.10 - fix(connectionhandler) | ||||
| Increase delay timings for TLS alert transmission in session ticket blocking to allow graceful socket termination | ||||
|  | ||||
| - Updated finishConnection: replaced immediate socket.destroy with a graceful end call | ||||
| - Increased delay after successful write from 50ms to 200ms to allow alert processing | ||||
| - Raised safety timeout from 250ms to 400ms when waiting for 'drain' event | ||||
|  | ||||
| ## 2025-03-16 - 4.1.9 - fix(ConnectionHandler) | ||||
| Replace closeNotify alert with handshake failure alert in TLS ClientHello handling to properly signal missing SNI and enforce session ticket restrictions. | ||||
|  | ||||
| - Switched alert data sent on missing SNI from closeNotifyAlert to sslHandshakeFailureAlertData. | ||||
| - Ensures consistent TLS alert behavior during handshake failure. | ||||
|  | ||||
| ## 2025-03-16 - 4.1.8 - fix(ConnectionHandler/tls) | ||||
| Change the TLS alert sent when a ClientHello lacks SNI: use the close_notify alert instead of handshake_failure to prompt immediate retry with SNI. | ||||
|  | ||||
| - Replaced the previously sent handshake_failure alert (code 0x28) with a close_notify alert (code 0x00) in the TLS session resumption handling in ConnectionHandler. | ||||
| - This change encourages clients to immediately retry and include SNI when allowSessionTicket is false. | ||||
|  | ||||
| ## 2025-03-16 - 4.1.7 - fix(classes.pp.connectionhandler) | ||||
| Improve TLS alert handling in ClientHello when SNI is missing and session tickets are disallowed | ||||
|  | ||||
| - Replace the unrecognized_name alert with a handshake_failure alert to ensure better client behavior. | ||||
| - Refactor the alert sending mechanism using cork/uncork and add a safety timeout for the drain event. | ||||
| - Enhance logging for debugging TLS handshake failures when SNI is absent. | ||||
|  | ||||
| ## 2025-03-16 - 4.1.6 - fix(tls) | ||||
| Refine TLS ClientHello handling when allowSessionTicket is false by replacing extensive alert timeout logic with a concise warning alert and short delay, encouraging immediate client retry with proper SNI | ||||
|  | ||||
| - Update the TLS alert sending mechanism to use cork/uncork and a short, fixed delay instead of long timeouts | ||||
| - Remove redundant event listeners and excessive cleanup logic after sending the alert | ||||
| - Improve code clarity and encourage clients (e.g., Chrome) to retry handshake with SNI more responsively | ||||
|  | ||||
| ## 2025-03-16 - 4.1.5 - fix(TLS/ConnectionHandler) | ||||
| Improve handling of TLS session resumption without SNI by sending an 'unrecognized_name' alert instead of immediately terminating the connection. This change adds a grace period for the client to retry the handshake with proper SNI and cleans up the connection if no valid response is received. | ||||
|  | ||||
| - Send a TLS warning (unrecognized_name alert, code 112) when a ClientHello is received without SNI and session tickets are disallowed. | ||||
| - Utilize socket cork/uncork to ensure the alert is sent as a single packet. | ||||
| - Add a 5-second alert timeout and a subsequent 30-second grace period to allow clients to initiate a new handshake with SNI. | ||||
| - Clean up and terminate the connection if no valid SNI is provided after the grace period, logging appropriate termination reasons. | ||||
|  | ||||
| ## 2025-03-15 - 4.1.4 - fix(ConnectionHandler) | ||||
| Refactor ConnectionHandler code formatting for improved readability and consistency in log messages and whitespace handling | ||||
|  | ||||
| - Standardized indentation and spacing in method signatures and log statements | ||||
| - Aligned inline comments and string concatenations for clarity | ||||
| - Minor refactoring of parameter formatting without changing functionality | ||||
|  | ||||
| ## 2025-03-15 - 4.1.3 - fix(connectionhandler) | ||||
| Improve handling of TLS ClientHello messages when allowSessionTicket is disabled and no SNI is provided by sending a warning alert (unrecognized_name, code 0x70) with a proper callback and delay to ensure the alert is transmitted before closing the connection. | ||||
|  | ||||
| - Replace the fatal alert (0x02/0x40) with a warning alert (0x01/0x70) to notify clients to send SNI. | ||||
| - Use socket.write callback to wait 100ms after sending the alert before terminating the connection. | ||||
| - Remove the previous short (50ms) delay in favor of a more reliable delay mechanism before cleanup. | ||||
|  | ||||
| ## 2025-03-15 - 4.1.2 - fix(connectionhandler) | ||||
| Send proper TLS alert before terminating connections when SNI is missing and session tickets are disallowed. | ||||
|  | ||||
| - Added logic to transmit a fatal TLS alert (Handshake Failure) before closing the connection when no SNI is present with allowSessionTicket=false. | ||||
| - Introduced a slight 50ms delay after sending the alert to ensure the client receives the alert properly. | ||||
| - Applied these changes both for the initial ClientHello and when handling subsequent TLS data. | ||||
|  | ||||
| ## 2025-03-15 - 4.1.1 - fix(tls) | ||||
| Enforce strict SNI handling in TLS connections by terminating ClientHello messages lacking SNI when session tickets are disallowed and removing legacy session cache code. | ||||
|  | ||||
| - In classes.pp.connectionhandler.ts, if allowSessionTicket is false and no SNI is extracted from a ClientHello, the connection is terminated to force a new handshake with SNI. | ||||
| - In classes.pp.snihandler.ts, removed session cache and related cleanup functions used for tab reactivation, simplifying SNI extraction logic. | ||||
| - Improved logging in TLS processing to aid in diagnosing handshake and session resumption issues. | ||||
|  | ||||
| ## 2025-03-14 - 4.1.0 - feat(SniHandler) | ||||
| Enhance SNI extraction to support session caching and tab reactivation by adding session cache initialization, cleanup and helper methods. Update processTlsPacket to use cached SNI for session resumption and connection racing scenarios. | ||||
|  | ||||
| - Introduce initSessionCacheCleanup, cleanupSessionCache, createClientKey, cacheSession, and getCachedSession methods to manage SNI information. | ||||
| - Cache SNI based on client IP and client random to improve handling of fragmented ClientHello messages and tab reactivation. | ||||
| - Update processTlsPacket to leverage cached SNI when standard extraction fails, reducing redundant extraction and enhancing connection racing behavior. | ||||
|  | ||||
| ## 2025-03-14 - 4.0.0 - BREAKING CHANGE(core) | ||||
| refactor: reorganize internal module structure to use 'classes.pp.*' modules | ||||
|  | ||||
|   | ||||
| @@ -1,6 +1,6 @@ | ||||
| { | ||||
|   "name": "@push.rocks/smartproxy", | ||||
|   "version": "4.0.0", | ||||
|   "version": "5.0.0", | ||||
|   "private": false, | ||||
|   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.", | ||||
|   "main": "dist_ts/index.js", | ||||
|   | ||||
| @@ -3,6 +3,6 @@ | ||||
|  */ | ||||
| export const commitinfo = { | ||||
|   name: '@push.rocks/smartproxy', | ||||
|   version: '4.0.0', | ||||
|   version: '5.0.0', | ||||
|   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.' | ||||
| } | ||||
|   | ||||
| @@ -1,901 +0,0 @@ | ||||
| import { exec, execSync } from 'child_process'; | ||||
| import { promisify } from 'util'; | ||||
|  | ||||
| const execAsync = promisify(exec); | ||||
|  | ||||
| /** | ||||
|  * Represents a port range for forwarding | ||||
|  */ | ||||
| export interface IPortRange { | ||||
|   from: number; | ||||
|   to: number; | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Settings for IPTablesProxy. | ||||
|  */ | ||||
| export interface IIpTableProxySettings { | ||||
|   // Basic settings | ||||
|   fromPort: number | IPortRange | Array<number | IPortRange>; // Support single port, port range, or multiple ports/ranges | ||||
|   toPort: number | IPortRange | Array<number | IPortRange>; | ||||
|   toHost?: string; // Target host for proxying; defaults to 'localhost' | ||||
|    | ||||
|   // Advanced settings | ||||
|   preserveSourceIP?: boolean; // If true, the original source IP is preserved | ||||
|   deleteOnExit?: boolean;     // If true, clean up marked iptables rules before process exit | ||||
|   protocol?: 'tcp' | 'udp' | 'all'; // Protocol to forward, defaults to 'tcp' | ||||
|   enableLogging?: boolean;    // Enable detailed logging | ||||
|   ipv6Support?: boolean;      // Enable IPv6 support (ip6tables) | ||||
|    | ||||
|   // Source filtering | ||||
|   allowedSourceIPs?: string[]; // If provided, only these IPs are allowed | ||||
|   bannedSourceIPs?: string[];  // If provided, these IPs are blocked | ||||
|    | ||||
|   // Rule management | ||||
|   forceCleanSlate?: boolean;   // Clear all IPTablesProxy rules before starting | ||||
|   addJumpRule?: boolean;       // Add a custom chain for cleaner rule management | ||||
|   checkExistingRules?: boolean; // Check if rules already exist before adding | ||||
|    | ||||
|   // Integration with PortProxy/NetworkProxy | ||||
|   netProxyIntegration?: { | ||||
|     enabled: boolean; | ||||
|     redirectLocalhost?: boolean; // Redirect localhost traffic to NetworkProxy | ||||
|     sslTerminationPort?: number; // Port where NetworkProxy handles SSL termination | ||||
|   }; | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Represents a rule added to iptables | ||||
|  */ | ||||
| interface IpTablesRule { | ||||
|   table: string; | ||||
|   chain: string; | ||||
|   command: string; | ||||
|   tag: string; | ||||
|   added: boolean; | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * IPTablesProxy sets up iptables NAT rules to forward TCP traffic. | ||||
|  * Enhanced with multi-port support, IPv6, and integration with PortProxy/NetworkProxy. | ||||
|  */ | ||||
| export class IPTablesProxy { | ||||
|   public settings: IIpTableProxySettings; | ||||
|   private rules: IpTablesRule[] = []; | ||||
|   private ruleTag: string; | ||||
|   private customChain: string | null = null; | ||||
|  | ||||
|   constructor(settings: IIpTableProxySettings) { | ||||
|     // Validate inputs to prevent command injection | ||||
|     this.validateSettings(settings); | ||||
|      | ||||
|     // Set default settings | ||||
|     this.settings = { | ||||
|       ...settings, | ||||
|       toHost: settings.toHost || 'localhost', | ||||
|       protocol: settings.protocol || 'tcp', | ||||
|       enableLogging: settings.enableLogging !== undefined ? settings.enableLogging : false, | ||||
|       ipv6Support: settings.ipv6Support !== undefined ? settings.ipv6Support : false, | ||||
|       checkExistingRules: settings.checkExistingRules !== undefined ? settings.checkExistingRules : true, | ||||
|       netProxyIntegration: settings.netProxyIntegration || { enabled: false } | ||||
|     }; | ||||
|      | ||||
|     // Generate a unique identifier for the rules added by this instance | ||||
|     this.ruleTag = `IPTablesProxy:${Date.now()}:${Math.random().toString(36).substr(2, 5)}`; | ||||
|      | ||||
|     if (this.settings.addJumpRule) { | ||||
|       this.customChain = `IPTablesProxy_${Math.random().toString(36).substr(2, 5)}`; | ||||
|     } | ||||
|  | ||||
|     // Register cleanup handlers if deleteOnExit is true | ||||
|     if (this.settings.deleteOnExit) { | ||||
|       const cleanup = () => { | ||||
|         try { | ||||
|           this.stopSync(); | ||||
|         } catch (err) { | ||||
|           console.error('Error cleaning iptables rules on exit:', err); | ||||
|         } | ||||
|       }; | ||||
|        | ||||
|       process.on('exit', cleanup); | ||||
|       process.on('SIGINT', () => { | ||||
|         cleanup(); | ||||
|         process.exit(); | ||||
|       }); | ||||
|       process.on('SIGTERM', () => { | ||||
|         cleanup(); | ||||
|         process.exit(); | ||||
|       }); | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Validates settings to prevent command injection and ensure valid values | ||||
|    */ | ||||
|   private validateSettings(settings: IIpTableProxySettings): void { | ||||
|     // Validate port numbers | ||||
|     const validatePorts = (port: number | IPortRange | Array<number | IPortRange>) => { | ||||
|       if (Array.isArray(port)) { | ||||
|         port.forEach(p => validatePorts(p)); | ||||
|         return; | ||||
|       } | ||||
|        | ||||
|       if (typeof port === 'number') { | ||||
|         if (port < 1 || port > 65535) { | ||||
|           throw new Error(`Invalid port number: ${port}`); | ||||
|         } | ||||
|       } else if (typeof port === 'object') { | ||||
|         if (port.from < 1 || port.from > 65535 || port.to < 1 || port.to > 65535 || port.from > port.to) { | ||||
|           throw new Error(`Invalid port range: ${port.from}-${port.to}`); | ||||
|         } | ||||
|       } | ||||
|     }; | ||||
|      | ||||
|     validatePorts(settings.fromPort); | ||||
|     validatePorts(settings.toPort); | ||||
|      | ||||
|     // Define regex patterns at the method level so they're available throughout | ||||
|     const ipRegex = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/; | ||||
|     const ipv6Regex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/; | ||||
|      | ||||
|     // Validate IP addresses | ||||
|     const validateIPs = (ips?: string[]) => { | ||||
|       if (!ips) return; | ||||
|        | ||||
|       for (const ip of ips) { | ||||
|         if (!ipRegex.test(ip) && !ipv6Regex.test(ip)) { | ||||
|           throw new Error(`Invalid IP address format: ${ip}`); | ||||
|         } | ||||
|       } | ||||
|     }; | ||||
|      | ||||
|     validateIPs(settings.allowedSourceIPs); | ||||
|     validateIPs(settings.bannedSourceIPs); | ||||
|      | ||||
|     // Validate toHost - only allow hostnames or IPs | ||||
|     if (settings.toHost) { | ||||
|       const hostRegex = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/; | ||||
|       if (!hostRegex.test(settings.toHost) && !ipRegex.test(settings.toHost) && !ipv6Regex.test(settings.toHost)) { | ||||
|         throw new Error(`Invalid host format: ${settings.toHost}`); | ||||
|       } | ||||
|     } | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Normalizes port specifications into an array of port ranges | ||||
|    */ | ||||
|   private normalizePortSpec(portSpec: number | IPortRange | Array<number | IPortRange>): IPortRange[] { | ||||
|     const result: IPortRange[] = []; | ||||
|      | ||||
|     if (Array.isArray(portSpec)) { | ||||
|       // If it's an array, process each element | ||||
|       for (const spec of portSpec) { | ||||
|         result.push(...this.normalizePortSpec(spec)); | ||||
|       } | ||||
|     } else if (typeof portSpec === 'number') { | ||||
|       // Single port becomes a range with the same start and end | ||||
|       result.push({ from: portSpec, to: portSpec }); | ||||
|     } else { | ||||
|       // Already a range | ||||
|       result.push(portSpec); | ||||
|     } | ||||
|      | ||||
|     return result; | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Gets the appropriate iptables command based on settings | ||||
|    */ | ||||
|   private getIptablesCommand(isIpv6: boolean = false): string { | ||||
|     return isIpv6 ? 'ip6tables' : 'iptables'; | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Checks if a rule already exists in iptables | ||||
|    */ | ||||
|   private async ruleExists(table: string, command: string, isIpv6: boolean = false): Promise<boolean> { | ||||
|     try { | ||||
|       const iptablesCmd = this.getIptablesCommand(isIpv6); | ||||
|       const { stdout } = await execAsync(`${iptablesCmd}-save -t ${table}`); | ||||
|       // Convert the command to the format found in iptables-save output | ||||
|       // (This is a simplification - in reality, you'd need more parsing) | ||||
|       const rulePattern = command.replace(`${iptablesCmd} -t ${table} -A `, '-A '); | ||||
|       return stdout.split('\n').some(line => line.trim() === rulePattern); | ||||
|     } catch (err) { | ||||
|       this.log('error', `Failed to check if rule exists: ${err}`); | ||||
|       return false; | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Sets up a custom chain for better rule management | ||||
|    */ | ||||
|   private async setupCustomChain(isIpv6: boolean = false): Promise<boolean> { | ||||
|     if (!this.customChain) return true; | ||||
|      | ||||
|     const iptablesCmd = this.getIptablesCommand(isIpv6); | ||||
|     const table = 'nat'; | ||||
|      | ||||
|     try { | ||||
|       // Create the chain | ||||
|       await execAsync(`${iptablesCmd} -t ${table} -N ${this.customChain}`); | ||||
|       this.log('info', `Created custom chain: ${this.customChain}`); | ||||
|        | ||||
|       // Add jump rule to PREROUTING chain | ||||
|       const jumpCommand = `${iptablesCmd} -t ${table} -A PREROUTING -j ${this.customChain} -m comment --comment "${this.ruleTag}:JUMP"`; | ||||
|       await execAsync(jumpCommand); | ||||
|       this.log('info', `Added jump rule to ${this.customChain}`); | ||||
|        | ||||
|       // Store the jump rule | ||||
|       this.rules.push({ | ||||
|         table, | ||||
|         chain: 'PREROUTING', | ||||
|         command: jumpCommand, | ||||
|         tag: `${this.ruleTag}:JUMP`, | ||||
|         added: true | ||||
|       }); | ||||
|        | ||||
|       return true; | ||||
|     } catch (err) { | ||||
|       this.log('error', `Failed to set up custom chain: ${err}`); | ||||
|       return false; | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Add a source IP filter rule | ||||
|    */ | ||||
|   private async addSourceIPFilter(isIpv6: boolean = false): Promise<boolean> { | ||||
|     if (!this.settings.allowedSourceIPs && !this.settings.bannedSourceIPs) { | ||||
|       return true; | ||||
|     } | ||||
|      | ||||
|     const iptablesCmd = this.getIptablesCommand(isIpv6); | ||||
|     const table = 'nat'; | ||||
|     const chain = this.customChain || 'PREROUTING'; | ||||
|      | ||||
|     try { | ||||
|       // Add banned IPs first (explicit deny) | ||||
|       if (this.settings.bannedSourceIPs && this.settings.bannedSourceIPs.length > 0) { | ||||
|         for (const ip of this.settings.bannedSourceIPs) { | ||||
|           const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -j DROP -m comment --comment "${this.ruleTag}:BANNED"`; | ||||
|            | ||||
|           // Check if rule already exists | ||||
|           if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) { | ||||
|             this.log('info', `Rule already exists, skipping: ${command}`); | ||||
|             continue; | ||||
|           } | ||||
|            | ||||
|           await execAsync(command); | ||||
|           this.log('info', `Added banned IP rule: ${command}`); | ||||
|            | ||||
|           this.rules.push({ | ||||
|             table, | ||||
|             chain, | ||||
|             command, | ||||
|             tag: `${this.ruleTag}:BANNED`, | ||||
|             added: true | ||||
|           }); | ||||
|         } | ||||
|       } | ||||
|        | ||||
|       // Add allowed IPs (explicit allow) | ||||
|       if (this.settings.allowedSourceIPs && this.settings.allowedSourceIPs.length > 0) { | ||||
|         // First add a default deny for all | ||||
|         const denyAllCommand = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} -j DROP -m comment --comment "${this.ruleTag}:DENY_ALL"`; | ||||
|          | ||||
|         // Add allow rules for specific IPs | ||||
|         for (const ip of this.settings.allowedSourceIPs) { | ||||
|           const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -p ${this.settings.protocol} -j ACCEPT -m comment --comment "${this.ruleTag}:ALLOWED"`; | ||||
|            | ||||
|           // Check if rule already exists | ||||
|           if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) { | ||||
|             this.log('info', `Rule already exists, skipping: ${command}`); | ||||
|             continue; | ||||
|           } | ||||
|            | ||||
|           await execAsync(command); | ||||
|           this.log('info', `Added allowed IP rule: ${command}`); | ||||
|            | ||||
|           this.rules.push({ | ||||
|             table, | ||||
|             chain, | ||||
|             command, | ||||
|             tag: `${this.ruleTag}:ALLOWED`, | ||||
|             added: true | ||||
|           }); | ||||
|         } | ||||
|          | ||||
|         // Now add the default deny after all allows | ||||
|         if (this.settings.checkExistingRules && await this.ruleExists(table, denyAllCommand, isIpv6)) { | ||||
|           this.log('info', `Rule already exists, skipping: ${denyAllCommand}`); | ||||
|         } else { | ||||
|           await execAsync(denyAllCommand); | ||||
|           this.log('info', `Added default deny rule: ${denyAllCommand}`); | ||||
|            | ||||
|           this.rules.push({ | ||||
|             table, | ||||
|             chain, | ||||
|             command: denyAllCommand, | ||||
|             tag: `${this.ruleTag}:DENY_ALL`, | ||||
|             added: true | ||||
|           }); | ||||
|         } | ||||
|       } | ||||
|        | ||||
|       return true; | ||||
|     } catch (err) { | ||||
|       this.log('error', `Failed to add source IP filter rules: ${err}`); | ||||
|       return false; | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Adds a port forwarding rule | ||||
|    */ | ||||
|   private async addPortForwardingRule( | ||||
|     fromPortRange: IPortRange, | ||||
|     toPortRange: IPortRange, | ||||
|     isIpv6: boolean = false | ||||
|   ): Promise<boolean> { | ||||
|     const iptablesCmd = this.getIptablesCommand(isIpv6); | ||||
|     const table = 'nat'; | ||||
|     const chain = this.customChain || 'PREROUTING'; | ||||
|      | ||||
|     try { | ||||
|       // Handle single port case | ||||
|       if (fromPortRange.from === fromPortRange.to && toPortRange.from === toPortRange.to) { | ||||
|         // Single port forward | ||||
|         const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from} ` + | ||||
|           `-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from} ` + | ||||
|           `-m comment --comment "${this.ruleTag}:DNAT"`; | ||||
|          | ||||
|         // Check if rule already exists | ||||
|         if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) { | ||||
|           this.log('info', `Rule already exists, skipping: ${command}`); | ||||
|         } else { | ||||
|           await execAsync(command); | ||||
|           this.log('info', `Added port forwarding rule: ${command}`); | ||||
|            | ||||
|           this.rules.push({ | ||||
|             table, | ||||
|             chain, | ||||
|             command, | ||||
|             tag: `${this.ruleTag}:DNAT`, | ||||
|             added: true | ||||
|           }); | ||||
|         } | ||||
|       } else if (fromPortRange.to - fromPortRange.from === toPortRange.to - toPortRange.from) { | ||||
|         // Port range forward with equal ranges | ||||
|         const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from}:${fromPortRange.to} ` + | ||||
|           `-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from}-${toPortRange.to} ` + | ||||
|           `-m comment --comment "${this.ruleTag}:DNAT_RANGE"`; | ||||
|          | ||||
|         // Check if rule already exists | ||||
|         if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) { | ||||
|           this.log('info', `Rule already exists, skipping: ${command}`); | ||||
|         } else { | ||||
|           await execAsync(command); | ||||
|           this.log('info', `Added port range forwarding rule: ${command}`); | ||||
|            | ||||
|           this.rules.push({ | ||||
|             table, | ||||
|             chain, | ||||
|             command, | ||||
|             tag: `${this.ruleTag}:DNAT_RANGE`, | ||||
|             added: true | ||||
|           }); | ||||
|         } | ||||
|       } else { | ||||
|         // Unequal port ranges need individual rules | ||||
|         for (let i = 0; i <= fromPortRange.to - fromPortRange.from; i++) { | ||||
|           const fromPort = fromPortRange.from + i; | ||||
|           const toPort = toPortRange.from + i % (toPortRange.to - toPortRange.from + 1); | ||||
|            | ||||
|           const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPort} ` + | ||||
|             `-j DNAT --to-destination ${this.settings.toHost}:${toPort} ` + | ||||
|             `-m comment --comment "${this.ruleTag}:DNAT_INDIVIDUAL"`; | ||||
|            | ||||
|           // Check if rule already exists | ||||
|           if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) { | ||||
|             this.log('info', `Rule already exists, skipping: ${command}`); | ||||
|             continue; | ||||
|           } | ||||
|            | ||||
|           await execAsync(command); | ||||
|           this.log('info', `Added individual port forwarding rule: ${command}`); | ||||
|            | ||||
|           this.rules.push({ | ||||
|             table, | ||||
|             chain, | ||||
|             command, | ||||
|             tag: `${this.ruleTag}:DNAT_INDIVIDUAL`, | ||||
|             added: true | ||||
|           }); | ||||
|         } | ||||
|       } | ||||
|        | ||||
|       // If preserveSourceIP is false, add a MASQUERADE rule | ||||
|       if (!this.settings.preserveSourceIP) { | ||||
|         // For port range | ||||
|         const masqCommand = `${iptablesCmd} -t nat -A POSTROUTING -p ${this.settings.protocol} -d ${this.settings.toHost} ` + | ||||
|           `--dport ${toPortRange.from}:${toPortRange.to} -j MASQUERADE ` + | ||||
|           `-m comment --comment "${this.ruleTag}:MASQ"`; | ||||
|          | ||||
|         // Check if rule already exists | ||||
|         if (this.settings.checkExistingRules && await this.ruleExists('nat', masqCommand, isIpv6)) { | ||||
|           this.log('info', `Rule already exists, skipping: ${masqCommand}`); | ||||
|         } else { | ||||
|           await execAsync(masqCommand); | ||||
|           this.log('info', `Added MASQUERADE rule: ${masqCommand}`); | ||||
|            | ||||
|           this.rules.push({ | ||||
|             table: 'nat', | ||||
|             chain: 'POSTROUTING', | ||||
|             command: masqCommand, | ||||
|             tag: `${this.ruleTag}:MASQ`, | ||||
|             added: true | ||||
|           }); | ||||
|         } | ||||
|       } | ||||
|        | ||||
|       return true; | ||||
|     } catch (err) { | ||||
|       this.log('error', `Failed to add port forwarding rule: ${err}`); | ||||
|        | ||||
|       // Try to roll back any rules that were already added | ||||
|       await this.rollbackRules(); | ||||
|        | ||||
|       return false; | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Special handling for NetworkProxy integration | ||||
|    */ | ||||
|   private async setupNetworkProxyIntegration(isIpv6: boolean = false): Promise<boolean> { | ||||
|     if (!this.settings.netProxyIntegration?.enabled) { | ||||
|       return true; | ||||
|     } | ||||
|      | ||||
|     const netProxyConfig = this.settings.netProxyIntegration; | ||||
|     const iptablesCmd = this.getIptablesCommand(isIpv6); | ||||
|     const table = 'nat'; | ||||
|     const chain = this.customChain || 'PREROUTING'; | ||||
|      | ||||
|     try { | ||||
|       // If redirectLocalhost is true, set up special rule to redirect localhost traffic to NetworkProxy | ||||
|       if (netProxyConfig.redirectLocalhost && netProxyConfig.sslTerminationPort) { | ||||
|         const redirectCommand = `${iptablesCmd} -t ${table} -A OUTPUT -p tcp -d 127.0.0.1 -j REDIRECT ` + | ||||
|           `--to-port ${netProxyConfig.sslTerminationPort} ` + | ||||
|           `-m comment --comment "${this.ruleTag}:NETPROXY_REDIRECT"`; | ||||
|          | ||||
|         // Check if rule already exists | ||||
|         if (this.settings.checkExistingRules && await this.ruleExists(table, redirectCommand, isIpv6)) { | ||||
|           this.log('info', `Rule already exists, skipping: ${redirectCommand}`); | ||||
|         } else { | ||||
|           await execAsync(redirectCommand); | ||||
|           this.log('info', `Added NetworkProxy redirection rule: ${redirectCommand}`); | ||||
|            | ||||
|           this.rules.push({ | ||||
|             table, | ||||
|             chain: 'OUTPUT', | ||||
|             command: redirectCommand, | ||||
|             tag: `${this.ruleTag}:NETPROXY_REDIRECT`, | ||||
|             added: true | ||||
|           }); | ||||
|         } | ||||
|       } | ||||
|        | ||||
|       return true; | ||||
|     } catch (err) { | ||||
|       this.log('error', `Failed to set up NetworkProxy integration: ${err}`); | ||||
|       return false; | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Rolls back rules that were added in case of error | ||||
|    */ | ||||
|   private async rollbackRules(): Promise<void> { | ||||
|     // Process rules in reverse order (LIFO) | ||||
|     for (let i = this.rules.length - 1; i >= 0; i--) { | ||||
|       const rule = this.rules[i]; | ||||
|        | ||||
|       if (rule.added) { | ||||
|         try { | ||||
|           // Convert -A (add) to -D (delete) | ||||
|           const deleteCommand = rule.command.replace('-A', '-D'); | ||||
|           await execAsync(deleteCommand); | ||||
|           this.log('info', `Rolled back rule: ${deleteCommand}`); | ||||
|            | ||||
|           rule.added = false; | ||||
|         } catch (err) { | ||||
|           this.log('error', `Failed to roll back rule: ${err}`); | ||||
|         } | ||||
|       } | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Sets up iptables rules for port forwarding with enhanced features | ||||
|    */ | ||||
|   public async start(): Promise<void> { | ||||
|     // Optionally clean the slate first | ||||
|     if (this.settings.forceCleanSlate) { | ||||
|       await IPTablesProxy.cleanSlate(); | ||||
|     } | ||||
|      | ||||
|     // First set up any custom chains | ||||
|     if (this.settings.addJumpRule) { | ||||
|       const chainSetupSuccess = await this.setupCustomChain(); | ||||
|       if (!chainSetupSuccess) { | ||||
|         throw new Error('Failed to set up custom chain'); | ||||
|       } | ||||
|        | ||||
|       // For IPv6 if enabled | ||||
|       if (this.settings.ipv6Support) { | ||||
|         const chainSetupSuccessIpv6 = await this.setupCustomChain(true); | ||||
|         if (!chainSetupSuccessIpv6) { | ||||
|           this.log('warn', 'Failed to set up IPv6 custom chain, continuing with IPv4 only'); | ||||
|         } | ||||
|       } | ||||
|     } | ||||
|      | ||||
|     // Add source IP filters | ||||
|     await this.addSourceIPFilter(); | ||||
|     if (this.settings.ipv6Support) { | ||||
|       await this.addSourceIPFilter(true); | ||||
|     } | ||||
|      | ||||
|     // Set up NetworkProxy integration if enabled | ||||
|     if (this.settings.netProxyIntegration?.enabled) { | ||||
|       const netProxySetupSuccess = await this.setupNetworkProxyIntegration(); | ||||
|       if (!netProxySetupSuccess) { | ||||
|         this.log('warn', 'Failed to set up NetworkProxy integration'); | ||||
|       } | ||||
|        | ||||
|       if (this.settings.ipv6Support) { | ||||
|         await this.setupNetworkProxyIntegration(true); | ||||
|       } | ||||
|     } | ||||
|      | ||||
|     // Normalize port specifications | ||||
|     const fromPortRanges = this.normalizePortSpec(this.settings.fromPort); | ||||
|     const toPortRanges = this.normalizePortSpec(this.settings.toPort); | ||||
|      | ||||
|     // Handle the case where fromPort and toPort counts don't match | ||||
|     if (fromPortRanges.length !== toPortRanges.length) { | ||||
|       if (toPortRanges.length === 1) { | ||||
|         // If there's only one toPort, use it for all fromPorts | ||||
|         for (const fromRange of fromPortRanges) { | ||||
|           await this.addPortForwardingRule(fromRange, toPortRanges[0]); | ||||
|            | ||||
|           if (this.settings.ipv6Support) { | ||||
|             await this.addPortForwardingRule(fromRange, toPortRanges[0], true); | ||||
|           } | ||||
|         } | ||||
|       } else { | ||||
|         throw new Error('Mismatched port counts: fromPort and toPort arrays must have equal length or toPort must be a single value'); | ||||
|       } | ||||
|     } else { | ||||
|       // Add port forwarding rules for each port specification | ||||
|       for (let i = 0; i < fromPortRanges.length; i++) { | ||||
|         await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i]); | ||||
|          | ||||
|         if (this.settings.ipv6Support) { | ||||
|           await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i], true); | ||||
|         } | ||||
|       } | ||||
|     } | ||||
|      | ||||
|     // Final check - ensure we have at least one rule added | ||||
|     if (this.rules.filter(r => r.added).length === 0) { | ||||
|       throw new Error('No rules were added'); | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Removes all added iptables rules | ||||
|    */ | ||||
|   public async stop(): Promise<void> { | ||||
|     // Process rules in reverse order (LIFO) | ||||
|     for (let i = this.rules.length - 1; i >= 0; i--) { | ||||
|       const rule = this.rules[i]; | ||||
|        | ||||
|       if (rule.added) { | ||||
|         try { | ||||
|           // Convert -A (add) to -D (delete) | ||||
|           const deleteCommand = rule.command.replace('-A', '-D'); | ||||
|           await execAsync(deleteCommand); | ||||
|           this.log('info', `Removed rule: ${deleteCommand}`); | ||||
|            | ||||
|           rule.added = false; | ||||
|         } catch (err) { | ||||
|           this.log('error', `Failed to remove rule: ${err}`); | ||||
|         } | ||||
|       } | ||||
|     } | ||||
|      | ||||
|     // If we created a custom chain, we need to clean it up | ||||
|     if (this.customChain) { | ||||
|       try { | ||||
|         // First flush the chain | ||||
|         await execAsync(`iptables -t nat -F ${this.customChain}`); | ||||
|         this.log('info', `Flushed custom chain: ${this.customChain}`); | ||||
|          | ||||
|         // Then delete it | ||||
|         await execAsync(`iptables -t nat -X ${this.customChain}`); | ||||
|         this.log('info', `Deleted custom chain: ${this.customChain}`); | ||||
|          | ||||
|         // Same for IPv6 if enabled | ||||
|         if (this.settings.ipv6Support) { | ||||
|           try { | ||||
|             await execAsync(`ip6tables -t nat -F ${this.customChain}`); | ||||
|             await execAsync(`ip6tables -t nat -X ${this.customChain}`); | ||||
|             this.log('info', `Deleted IPv6 custom chain: ${this.customChain}`); | ||||
|           } catch (err) { | ||||
|             this.log('error', `Failed to delete IPv6 custom chain: ${err}`); | ||||
|           } | ||||
|         } | ||||
|       } catch (err) { | ||||
|         this.log('error', `Failed to delete custom chain: ${err}`); | ||||
|       } | ||||
|     } | ||||
|      | ||||
|     // Clear rules array | ||||
|     this.rules = []; | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Synchronous version of stop, for use in exit handlers | ||||
|    */ | ||||
|   public stopSync(): void { | ||||
|     // Process rules in reverse order (LIFO) | ||||
|     for (let i = this.rules.length - 1; i >= 0; i--) { | ||||
|       const rule = this.rules[i]; | ||||
|        | ||||
|       if (rule.added) { | ||||
|         try { | ||||
|           // Convert -A (add) to -D (delete) | ||||
|           const deleteCommand = rule.command.replace('-A', '-D'); | ||||
|           execSync(deleteCommand); | ||||
|           this.log('info', `Removed rule: ${deleteCommand}`); | ||||
|            | ||||
|           rule.added = false; | ||||
|         } catch (err) { | ||||
|           this.log('error', `Failed to remove rule: ${err}`); | ||||
|         } | ||||
|       } | ||||
|     } | ||||
|      | ||||
|     // If we created a custom chain, we need to clean it up | ||||
|     if (this.customChain) { | ||||
|       try { | ||||
|         // First flush the chain | ||||
|         execSync(`iptables -t nat -F ${this.customChain}`); | ||||
|          | ||||
|         // Then delete it | ||||
|         execSync(`iptables -t nat -X ${this.customChain}`); | ||||
|         this.log('info', `Deleted custom chain: ${this.customChain}`); | ||||
|          | ||||
|         // Same for IPv6 if enabled | ||||
|         if (this.settings.ipv6Support) { | ||||
|           try { | ||||
|             execSync(`ip6tables -t nat -F ${this.customChain}`); | ||||
|             execSync(`ip6tables -t nat -X ${this.customChain}`); | ||||
|           } catch (err) { | ||||
|             // IPv6 failures are non-critical | ||||
|           } | ||||
|         } | ||||
|       } catch (err) { | ||||
|         this.log('error', `Failed to delete custom chain: ${err}`); | ||||
|       } | ||||
|     } | ||||
|      | ||||
|     // Clear rules array | ||||
|     this.rules = []; | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Asynchronously cleans up any iptables rules in the nat table that were added by this module. | ||||
|    * It looks for rules with comments containing "IPTablesProxy:". | ||||
|    */ | ||||
|   public static async cleanSlate(): Promise<void> { | ||||
|     await IPTablesProxy.cleanSlateInternal(); | ||||
|      | ||||
|     // Also clean IPv6 rules | ||||
|     await IPTablesProxy.cleanSlateInternal(true); | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Internal implementation of cleanSlate with IPv6 support | ||||
|    */ | ||||
|   private static async cleanSlateInternal(isIpv6: boolean = false): Promise<void> { | ||||
|     const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables'; | ||||
|      | ||||
|     try { | ||||
|       const { stdout } = await execAsync(`${iptablesCmd}-save -t nat`); | ||||
|       const lines = stdout.split('\n'); | ||||
|       const proxyLines = lines.filter(line => line.includes('IPTablesProxy:')); | ||||
|        | ||||
|       // First, find and remove any custom chains | ||||
|       const customChains = new Set<string>(); | ||||
|       const jumpRules: string[] = []; | ||||
|        | ||||
|       for (const line of proxyLines) { | ||||
|         if (line.includes('IPTablesProxy:JUMP')) { | ||||
|           // Extract chain name from jump rule | ||||
|           const match = line.match(/\s+-j\s+(\S+)\s+/); | ||||
|           if (match && match[1].startsWith('IPTablesProxy_')) { | ||||
|             customChains.add(match[1]); | ||||
|             jumpRules.push(line); | ||||
|           } | ||||
|         } | ||||
|       } | ||||
|        | ||||
|       // Remove jump rules first | ||||
|       for (const line of jumpRules) { | ||||
|         const trimmedLine = line.trim(); | ||||
|         if (trimmedLine.startsWith('-A')) { | ||||
|           // Replace the "-A" with "-D" to form a deletion command | ||||
|           const deleteRule = trimmedLine.replace('-A', '-D'); | ||||
|           const cmd = `${iptablesCmd} -t nat ${deleteRule}`; | ||||
|           try { | ||||
|             await execAsync(cmd); | ||||
|             console.log(`Cleaned up iptables jump rule: ${cmd}`); | ||||
|           } catch (err) { | ||||
|             console.error(`Failed to remove iptables jump rule: ${cmd}`, err); | ||||
|           } | ||||
|         } | ||||
|       } | ||||
|        | ||||
|       // Then remove all other rules | ||||
|       for (const line of proxyLines) { | ||||
|         if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled | ||||
|           const trimmedLine = line.trim(); | ||||
|           if (trimmedLine.startsWith('-A')) { | ||||
|             // Replace the "-A" with "-D" to form a deletion command | ||||
|             const deleteRule = trimmedLine.replace('-A', '-D'); | ||||
|             const cmd = `${iptablesCmd} -t nat ${deleteRule}`; | ||||
|             try { | ||||
|               await execAsync(cmd); | ||||
|               console.log(`Cleaned up iptables rule: ${cmd}`); | ||||
|             } catch (err) { | ||||
|               console.error(`Failed to remove iptables rule: ${cmd}`, err); | ||||
|             } | ||||
|           } | ||||
|         } | ||||
|       } | ||||
|        | ||||
|       // Finally clean up custom chains | ||||
|       for (const chain of customChains) { | ||||
|         try { | ||||
|           // Flush the chain | ||||
|           await execAsync(`${iptablesCmd} -t nat -F ${chain}`); | ||||
|           console.log(`Flushed custom chain: ${chain}`); | ||||
|            | ||||
|           // Delete the chain | ||||
|           await execAsync(`${iptablesCmd} -t nat -X ${chain}`); | ||||
|           console.log(`Deleted custom chain: ${chain}`); | ||||
|         } catch (err) { | ||||
|           console.error(`Failed to delete custom chain ${chain}:`, err); | ||||
|         } | ||||
|       } | ||||
|     } catch (err) { | ||||
|       console.error(`Failed to run ${iptablesCmd}-save: ${err}`); | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Synchronously cleans up any iptables rules in the nat table that were added by this module. | ||||
|    * It looks for rules with comments containing "IPTablesProxy:". | ||||
|    * This method is intended for use in process exit handlers. | ||||
|    */ | ||||
|   public static cleanSlateSync(): void { | ||||
|     IPTablesProxy.cleanSlateSyncInternal(); | ||||
|      | ||||
|     // Also clean IPv6 rules | ||||
|     IPTablesProxy.cleanSlateSyncInternal(true); | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Internal implementation of cleanSlateSync with IPv6 support | ||||
|    */ | ||||
|   private static cleanSlateSyncInternal(isIpv6: boolean = false): void { | ||||
|     const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables'; | ||||
|      | ||||
|     try { | ||||
|       const stdout = execSync(`${iptablesCmd}-save -t nat`).toString(); | ||||
|       const lines = stdout.split('\n'); | ||||
|       const proxyLines = lines.filter(line => line.includes('IPTablesProxy:')); | ||||
|        | ||||
|       // First, find and remove any custom chains | ||||
|       const customChains = new Set<string>(); | ||||
|       const jumpRules: string[] = []; | ||||
|        | ||||
|       for (const line of proxyLines) { | ||||
|         if (line.includes('IPTablesProxy:JUMP')) { | ||||
|           // Extract chain name from jump rule | ||||
|           const match = line.match(/\s+-j\s+(\S+)\s+/); | ||||
|           if (match && match[1].startsWith('IPTablesProxy_')) { | ||||
|             customChains.add(match[1]); | ||||
|             jumpRules.push(line); | ||||
|           } | ||||
|         } | ||||
|       } | ||||
|        | ||||
|       // Remove jump rules first | ||||
|       for (const line of jumpRules) { | ||||
|         const trimmedLine = line.trim(); | ||||
|         if (trimmedLine.startsWith('-A')) { | ||||
|           // Replace the "-A" with "-D" to form a deletion command | ||||
|           const deleteRule = trimmedLine.replace('-A', '-D'); | ||||
|           const cmd = `${iptablesCmd} -t nat ${deleteRule}`; | ||||
|           try { | ||||
|             execSync(cmd); | ||||
|             console.log(`Cleaned up iptables jump rule: ${cmd}`); | ||||
|           } catch (err) { | ||||
|             console.error(`Failed to remove iptables jump rule: ${cmd}`, err); | ||||
|           } | ||||
|         } | ||||
|       } | ||||
|        | ||||
|       // Then remove all other rules | ||||
|       for (const line of proxyLines) { | ||||
|         if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled | ||||
|           const trimmedLine = line.trim(); | ||||
|           if (trimmedLine.startsWith('-A')) { | ||||
|             const deleteRule = trimmedLine.replace('-A', '-D'); | ||||
|             const cmd = `${iptablesCmd} -t nat ${deleteRule}`; | ||||
|             try { | ||||
|               execSync(cmd); | ||||
|               console.log(`Cleaned up iptables rule: ${cmd}`); | ||||
|             } catch (err) { | ||||
|               console.error(`Failed to remove iptables rule: ${cmd}`, err); | ||||
|             } | ||||
|           } | ||||
|         } | ||||
|       } | ||||
|        | ||||
|       // Finally clean up custom chains | ||||
|       for (const chain of customChains) { | ||||
|         try { | ||||
|           // Flush the chain | ||||
|           execSync(`${iptablesCmd} -t nat -F ${chain}`); | ||||
|            | ||||
|           // Delete the chain | ||||
|           execSync(`${iptablesCmd} -t nat -X ${chain}`); | ||||
|           console.log(`Deleted custom chain: ${chain}`); | ||||
|         } catch (err) { | ||||
|           console.error(`Failed to delete custom chain ${chain}:`, err); | ||||
|         } | ||||
|       } | ||||
|     } catch (err) { | ||||
|       console.error(`Failed to run ${iptablesCmd}-save: ${err}`); | ||||
|     } | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Logging utility that respects the enableLogging setting | ||||
|    */ | ||||
|   private log(level: 'info' | 'warn' | 'error', message: string): void { | ||||
|     if (!this.settings.enableLogging && level === 'info') { | ||||
|       return; | ||||
|     } | ||||
|      | ||||
|     const timestamp = new Date().toISOString(); | ||||
|      | ||||
|     switch (level) { | ||||
|       case 'info': | ||||
|         console.log(`[${timestamp}] [INFO] ${message}`); | ||||
|         break; | ||||
|       case 'warn': | ||||
|         console.warn(`[${timestamp}] [WARN] ${message}`); | ||||
|         break; | ||||
|       case 'error': | ||||
|         console.error(`[${timestamp}] [ERROR] ${message}`); | ||||
|         break; | ||||
|     } | ||||
|   } | ||||
| } | ||||
| @@ -1,6 +1,6 @@ | ||||
| import * as plugins from './plugins.js'; | ||||
| import { ProxyRouter } from './classes.router.js'; | ||||
| import { AcmeCertManager, CertManagerEvents } from './classes.port80handler.js'; | ||||
| import { Port80Handler, Port80HandlerEvents, type IDomainOptions } from './classes.port80handler.js'; | ||||
| import * as fs from 'fs'; | ||||
| import * as path from 'path'; | ||||
| import { fileURLToPath } from 'url'; | ||||
| @@ -72,8 +72,8 @@ export class NetworkProxy { | ||||
|   private defaultCertificates: { key: string; cert: string }; | ||||
|   private certificateCache: Map<string, { key: string; cert: string; expires?: Date }> = new Map(); | ||||
|    | ||||
|   // ACME certificate manager | ||||
|   private certManager: AcmeCertManager | null = null; | ||||
|   // Port80Handler for certificate management | ||||
|   private port80Handler: Port80Handler | null = null; | ||||
|   private certificateStoreDir: string; | ||||
|    | ||||
|   // New connection pool for backend connections | ||||
| @@ -375,16 +375,16 @@ export class NetworkProxy { | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Initializes the ACME certificate manager for automatic certificate issuance | ||||
|    * Initializes the Port80Handler for ACME certificate management | ||||
|    * @private | ||||
|    */ | ||||
|   private async initializeAcmeManager(): Promise<void> { | ||||
|   private async initializePort80Handler(): Promise<void> { | ||||
|     if (!this.options.acme.enabled) { | ||||
|       return; | ||||
|     } | ||||
|      | ||||
|     // Create certificate manager | ||||
|     this.certManager = new AcmeCertManager({ | ||||
|     this.port80Handler = new Port80Handler({ | ||||
|       port: this.options.acme.port, | ||||
|       contactEmail: this.options.acme.contactEmail, | ||||
|       useProduction: this.options.acme.useProduction, | ||||
| @@ -394,32 +394,32 @@ export class NetworkProxy { | ||||
|     }); | ||||
|      | ||||
|     // Register event handlers | ||||
|     this.certManager.on(CertManagerEvents.CERTIFICATE_ISSUED, this.handleCertificateIssued.bind(this)); | ||||
|     this.certManager.on(CertManagerEvents.CERTIFICATE_RENEWED, this.handleCertificateIssued.bind(this)); | ||||
|     this.certManager.on(CertManagerEvents.CERTIFICATE_FAILED, this.handleCertificateFailed.bind(this)); | ||||
|     this.certManager.on(CertManagerEvents.CERTIFICATE_EXPIRING, (data) => { | ||||
|     this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_ISSUED, this.handleCertificateIssued.bind(this)); | ||||
|     this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_RENEWED, this.handleCertificateIssued.bind(this)); | ||||
|     this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_FAILED, this.handleCertificateFailed.bind(this)); | ||||
|     this.port80Handler.on(Port80HandlerEvents.CERTIFICATE_EXPIRING, (data) => { | ||||
|       this.log('info', `Certificate for ${data.domain} expires in ${data.daysRemaining} days`); | ||||
|     }); | ||||
|      | ||||
|     // Start the manager | ||||
|     // Start the handler | ||||
|     try { | ||||
|       await this.certManager.start(); | ||||
|       this.log('info', `ACME Certificate Manager started on port ${this.options.acme.port}`); | ||||
|       await this.port80Handler.start(); | ||||
|       this.log('info', `Port80Handler started on port ${this.options.acme.port}`); | ||||
|        | ||||
|       // Add domains from proxy configs | ||||
|       this.registerDomainsWithAcmeManager(); | ||||
|       this.registerDomainsWithPort80Handler(); | ||||
|     } catch (error) { | ||||
|       this.log('error', `Failed to start ACME Certificate Manager: ${error}`); | ||||
|       this.certManager = null; | ||||
|       this.log('error', `Failed to start Port80Handler: ${error}`); | ||||
|       this.port80Handler = null; | ||||
|     } | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Registers domains from proxy configs with the ACME manager | ||||
|    * Registers domains from proxy configs with the Port80Handler | ||||
|    * @private | ||||
|    */ | ||||
|   private registerDomainsWithAcmeManager(): void { | ||||
|     if (!this.certManager) return; | ||||
|   private registerDomainsWithPort80Handler(): void { | ||||
|     if (!this.port80Handler) return; | ||||
|      | ||||
|     // Get all hostnames from proxy configs | ||||
|     this.proxyConfigs.forEach(config => { | ||||
| @@ -461,26 +461,32 @@ export class NetworkProxy { | ||||
|             this.log('warn', `Failed to extract expiry date from certificate for ${hostname}`); | ||||
|           } | ||||
|            | ||||
|           // Update the certificate in the manager | ||||
|           this.certManager.setCertificate(hostname, cert, key, expiryDate); | ||||
|           // Update the certificate in the handler | ||||
|           this.port80Handler.setCertificate(hostname, cert, key, expiryDate); | ||||
|            | ||||
|           // Also update our own certificate cache | ||||
|           this.updateCertificateCache(hostname, cert, key, expiryDate); | ||||
|            | ||||
|           this.log('info', `Loaded existing certificate for ${hostname}`); | ||||
|         } else { | ||||
|           // Register the domain for certificate issuance | ||||
|           this.certManager.addDomain(hostname); | ||||
|           // Register the domain for certificate issuance with new domain options format | ||||
|           const domainOptions: IDomainOptions = { | ||||
|             domainName: hostname, | ||||
|             sslRedirect: true, | ||||
|             acmeMaintenance: true | ||||
|           }; | ||||
|            | ||||
|           this.port80Handler.addDomain(domainOptions); | ||||
|           this.log('info', `Registered domain for ACME certificate issuance: ${hostname}`); | ||||
|         } | ||||
|       } catch (error) { | ||||
|         this.log('error', `Error registering domain ${hostname} with ACME manager: ${error}`); | ||||
|         this.log('error', `Error registering domain ${hostname} with Port80Handler: ${error}`); | ||||
|       } | ||||
|     }); | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Handles newly issued or renewed certificates from ACME manager | ||||
|    * Handles newly issued or renewed certificates from Port80Handler | ||||
|    * @private | ||||
|    */ | ||||
|   private handleCertificateIssued(data: { domain: string; certificate: string; privateKey: string; expiryDate: Date }): void { | ||||
| @@ -556,13 +562,21 @@ export class NetworkProxy { | ||||
|     } | ||||
|      | ||||
|     // Check if we should trigger certificate issuance | ||||
|     if (this.options.acme?.enabled && this.certManager && !domain.includes('*')) { | ||||
|     if (this.options.acme?.enabled && this.port80Handler && !domain.includes('*')) { | ||||
|       // Check if this domain is already registered | ||||
|       const certData = this.certManager.getCertificate(domain); | ||||
|       const certData = this.port80Handler.getCertificate(domain); | ||||
|        | ||||
|       if (!certData) { | ||||
|         this.log('info', `No certificate found for ${domain}, registering for issuance`); | ||||
|         this.certManager.addDomain(domain); | ||||
|          | ||||
|         // Register with new domain options format | ||||
|         const domainOptions: IDomainOptions = { | ||||
|           domainName: domain, | ||||
|           sslRedirect: true, | ||||
|           acmeMaintenance: true | ||||
|         }; | ||||
|          | ||||
|         this.port80Handler.addDomain(domainOptions); | ||||
|       } | ||||
|     } | ||||
|      | ||||
| @@ -587,9 +601,9 @@ export class NetworkProxy { | ||||
|   public async start(): Promise<void> { | ||||
|     this.startTime = Date.now(); | ||||
|      | ||||
|     // Initialize ACME certificate manager if enabled | ||||
|     // Initialize Port80Handler if enabled | ||||
|     if (this.options.acme.enabled) { | ||||
|       await this.initializeAcmeManager(); | ||||
|       await this.initializePort80Handler(); | ||||
|     } | ||||
|      | ||||
|     // Create the HTTPS server | ||||
| @@ -1588,13 +1602,13 @@ export class NetworkProxy { | ||||
|     } | ||||
|     this.connectionPool.clear(); | ||||
|      | ||||
|     // Stop ACME certificate manager if it's running | ||||
|     if (this.certManager) { | ||||
|     // Stop Port80Handler if it's running | ||||
|     if (this.port80Handler) { | ||||
|       try { | ||||
|         await this.certManager.stop(); | ||||
|         this.log('info', 'ACME Certificate Manager stopped'); | ||||
|         await this.port80Handler.stop(); | ||||
|         this.log('info', 'Port80Handler stopped'); | ||||
|       } catch (error) { | ||||
|         this.log('error', 'Error stopping ACME Certificate Manager', error); | ||||
|         this.log('error', 'Error stopping Port80Handler', error); | ||||
|       } | ||||
|     } | ||||
|      | ||||
| @@ -1619,8 +1633,8 @@ export class NetworkProxy { | ||||
|       return false; | ||||
|     } | ||||
|      | ||||
|     if (!this.certManager) { | ||||
|       this.log('error', 'ACME certificate manager is not initialized'); | ||||
|     if (!this.port80Handler) { | ||||
|       this.log('error', 'Port80Handler is not initialized'); | ||||
|       return false; | ||||
|     } | ||||
|      | ||||
| @@ -1631,7 +1645,14 @@ export class NetworkProxy { | ||||
|     } | ||||
|      | ||||
|     try { | ||||
|       this.certManager.addDomain(domain); | ||||
|       // Use the new domain options format | ||||
|       const domainOptions: IDomainOptions = { | ||||
|         domainName: domain, | ||||
|         sslRedirect: true, | ||||
|         acmeMaintenance: true | ||||
|       }; | ||||
|        | ||||
|       this.port80Handler.addDomain(domainOptions); | ||||
|       this.log('info', `Certificate request submitted for domain: ${domain}`); | ||||
|       return true; | ||||
|     } catch (error) { | ||||
|   | ||||
							
								
								
									
										2045
									
								
								ts/classes.nftablesproxy.ts
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										2045
									
								
								ts/classes.nftablesproxy.ts
									
									
									
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @@ -1,9 +1,58 @@ | ||||
| import * as plugins from './plugins.js'; | ||||
| import { IncomingMessage, ServerResponse } from 'http'; | ||||
|  | ||||
| /** | ||||
|  * Represents a domain certificate with various status information | ||||
|  * Custom error classes for better error handling | ||||
|  */ | ||||
| export class Port80HandlerError extends Error { | ||||
|   constructor(message: string) { | ||||
|     super(message); | ||||
|     this.name = 'Port80HandlerError'; | ||||
|   } | ||||
| } | ||||
|  | ||||
| export class CertificateError extends Port80HandlerError { | ||||
|   constructor( | ||||
|     message: string, | ||||
|     public readonly domain: string, | ||||
|     public readonly isRenewal: boolean = false | ||||
|   ) { | ||||
|     super(`${message} for domain ${domain}${isRenewal ? ' (renewal)' : ''}`); | ||||
|     this.name = 'CertificateError'; | ||||
|   } | ||||
| } | ||||
|  | ||||
| export class ServerError extends Port80HandlerError { | ||||
|   constructor(message: string, public readonly code?: string) { | ||||
|     super(message); | ||||
|     this.name = 'ServerError'; | ||||
|   } | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Domain forwarding configuration | ||||
|  */ | ||||
| export interface IForwardConfig { | ||||
|   ip: string; | ||||
|   port: number; | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Domain configuration options | ||||
|  */ | ||||
| export interface IDomainOptions { | ||||
|   domainName: string; | ||||
|   sslRedirect: boolean;   // if true redirects the request to port 443 | ||||
|   acmeMaintenance: boolean; // tries to always have a valid cert for this domain | ||||
|   forward?: IForwardConfig; // forwards all http requests to that target | ||||
|   acmeForward?: IForwardConfig; // forwards letsencrypt requests to this config | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Represents a domain configuration with certificate status information | ||||
|  */ | ||||
| interface IDomainCertificate { | ||||
|   options: IDomainOptions; | ||||
|   certObtained: boolean; | ||||
|   obtainingInProgress: boolean; | ||||
|   certificate?: string; | ||||
| @@ -15,9 +64,9 @@ interface IDomainCertificate { | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Configuration options for the ACME Certificate Manager | ||||
|  * Configuration options for the Port80Handler | ||||
|  */ | ||||
| interface IAcmeCertManagerOptions { | ||||
| interface IPort80HandlerOptions { | ||||
|   port?: number; | ||||
|   contactEmail?: string; | ||||
|   useProduction?: boolean; | ||||
| @@ -29,7 +78,7 @@ interface IAcmeCertManagerOptions { | ||||
| /** | ||||
|  * Certificate data that can be emitted via events or set from outside | ||||
|  */ | ||||
| interface ICertificateData { | ||||
| export interface ICertificateData { | ||||
|   domain: string; | ||||
|   certificate: string; | ||||
|   privateKey: string; | ||||
| @@ -37,34 +86,54 @@ interface ICertificateData { | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Events emitted by the ACME Certificate Manager | ||||
|  * Events emitted by the Port80Handler | ||||
|  */ | ||||
| export enum CertManagerEvents { | ||||
| export enum Port80HandlerEvents { | ||||
|   CERTIFICATE_ISSUED = 'certificate-issued', | ||||
|   CERTIFICATE_RENEWED = 'certificate-renewed', | ||||
|   CERTIFICATE_FAILED = 'certificate-failed', | ||||
|   CERTIFICATE_EXPIRING = 'certificate-expiring', | ||||
|   MANAGER_STARTED = 'manager-started', | ||||
|   MANAGER_STOPPED = 'manager-stopped', | ||||
|   REQUEST_FORWARDED = 'request-forwarded', | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Improved ACME Certificate Manager with event emission and external certificate management | ||||
|  * Certificate failure payload type | ||||
|  */ | ||||
| export class AcmeCertManager extends plugins.EventEmitter { | ||||
| export interface ICertificateFailure { | ||||
|   domain: string; | ||||
|   error: string; | ||||
|   isRenewal: boolean; | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Certificate expiry payload type | ||||
|  */ | ||||
| export interface ICertificateExpiring { | ||||
|   domain: string; | ||||
|   expiryDate: Date; | ||||
|   daysRemaining: number; | ||||
| } | ||||
|  | ||||
| /** | ||||
|  * Port80Handler with ACME certificate management and request forwarding capabilities | ||||
|  * Now with glob pattern support for domain matching | ||||
|  */ | ||||
| export class Port80Handler extends plugins.EventEmitter { | ||||
|   private domainCertificates: Map<string, IDomainCertificate>; | ||||
|   private server: plugins.http.Server | null = null; | ||||
|   private acmeClient: plugins.acme.Client | null = null; | ||||
|   private accountKey: string | null = null; | ||||
|   private renewalTimer: NodeJS.Timeout | null = null; | ||||
|   private isShuttingDown: boolean = false; | ||||
|   private options: Required<IAcmeCertManagerOptions>; | ||||
|   private options: Required<IPort80HandlerOptions>; | ||||
|  | ||||
|   /** | ||||
|    * Creates a new ACME Certificate Manager | ||||
|    * Creates a new Port80Handler | ||||
|    * @param options Configuration options | ||||
|    */ | ||||
|   constructor(options: IAcmeCertManagerOptions = {}) { | ||||
|   constructor(options: IPort80HandlerOptions = {}) { | ||||
|     super(); | ||||
|     this.domainCertificates = new Map<string, IDomainCertificate>(); | ||||
|      | ||||
| @@ -73,7 +142,7 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|       port: options.port ?? 80, | ||||
|       contactEmail: options.contactEmail ?? 'admin@example.com', | ||||
|       useProduction: options.useProduction ?? false, // Safer default: staging | ||||
|       renewThresholdDays: options.renewThresholdDays ?? 30, | ||||
|       renewThresholdDays: options.renewThresholdDays ?? 10, // Changed to 10 days as per requirements | ||||
|       httpsRedirectPort: options.httpsRedirectPort ?? 443, | ||||
|       renewCheckIntervalHours: options.renewCheckIntervalHours ?? 24, | ||||
|     }; | ||||
| @@ -84,11 +153,11 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|    */ | ||||
|   public async start(): Promise<void> { | ||||
|     if (this.server) { | ||||
|       throw new Error('Server is already running'); | ||||
|       throw new ServerError('Server is already running'); | ||||
|     } | ||||
|      | ||||
|     if (this.isShuttingDown) { | ||||
|       throw new Error('Server is shutting down'); | ||||
|       throw new ServerError('Server is shutting down'); | ||||
|     } | ||||
|  | ||||
|     return new Promise((resolve, reject) => { | ||||
| @@ -97,22 +166,39 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|          | ||||
|         this.server.on('error', (error: NodeJS.ErrnoException) => { | ||||
|           if (error.code === 'EACCES') { | ||||
|             reject(new Error(`Permission denied to bind to port ${this.options.port}. Try running with elevated privileges or use a port > 1024.`)); | ||||
|             reject(new ServerError(`Permission denied to bind to port ${this.options.port}. Try running with elevated privileges or use a port > 1024.`, error.code)); | ||||
|           } else if (error.code === 'EADDRINUSE') { | ||||
|             reject(new Error(`Port ${this.options.port} is already in use.`)); | ||||
|             reject(new ServerError(`Port ${this.options.port} is already in use.`, error.code)); | ||||
|           } else { | ||||
|             reject(error); | ||||
|             reject(new ServerError(error.message, error.code)); | ||||
|           } | ||||
|         }); | ||||
|          | ||||
|         this.server.listen(this.options.port, () => { | ||||
|           console.log(`AcmeCertManager is listening on port ${this.options.port}`); | ||||
|           console.log(`Port80Handler is listening on port ${this.options.port}`); | ||||
|           this.startRenewalTimer(); | ||||
|           this.emit(CertManagerEvents.MANAGER_STARTED, this.options.port); | ||||
|           this.emit(Port80HandlerEvents.MANAGER_STARTED, this.options.port); | ||||
|            | ||||
|           // Start certificate process for domains with acmeMaintenance enabled | ||||
|           for (const [domain, domainInfo] of this.domainCertificates.entries()) { | ||||
|             // Skip glob patterns for certificate issuance | ||||
|             if (this.isGlobPattern(domain)) { | ||||
|               console.log(`Skipping initial certificate for glob pattern: ${domain}`); | ||||
|               continue; | ||||
|             } | ||||
|              | ||||
|             if (domainInfo.options.acmeMaintenance && !domainInfo.certObtained && !domainInfo.obtainingInProgress) { | ||||
|               this.obtainCertificate(domain).catch(err => { | ||||
|                 console.error(`Error obtaining initial certificate for ${domain}:`, err); | ||||
|               }); | ||||
|             } | ||||
|           } | ||||
|            | ||||
|           resolve(); | ||||
|         }); | ||||
|       } catch (error) { | ||||
|         reject(error); | ||||
|         const message = error instanceof Error ? error.message : 'Unknown error starting server'; | ||||
|         reject(new ServerError(message)); | ||||
|       } | ||||
|     }); | ||||
|   } | ||||
| @@ -138,7 +224,7 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|         this.server.close(() => { | ||||
|           this.server = null; | ||||
|           this.isShuttingDown = false; | ||||
|           this.emit(CertManagerEvents.MANAGER_STOPPED); | ||||
|           this.emit(Port80HandlerEvents.MANAGER_STOPPED); | ||||
|           resolve(); | ||||
|         }); | ||||
|       } else { | ||||
| @@ -149,13 +235,41 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Adds a domain to be managed for certificates | ||||
|    * @param domain The domain to add | ||||
|    * Adds a domain with configuration options | ||||
|    * @param options Domain configuration options | ||||
|    */ | ||||
|   public addDomain(domain: string): void { | ||||
|     if (!this.domainCertificates.has(domain)) { | ||||
|       this.domainCertificates.set(domain, { certObtained: false, obtainingInProgress: false }); | ||||
|       console.log(`Domain added: ${domain}`); | ||||
|   public addDomain(options: IDomainOptions): void { | ||||
|     if (!options.domainName || typeof options.domainName !== 'string') { | ||||
|       throw new Port80HandlerError('Invalid domain name'); | ||||
|     } | ||||
|      | ||||
|     const domainName = options.domainName; | ||||
|      | ||||
|     if (!this.domainCertificates.has(domainName)) { | ||||
|       this.domainCertificates.set(domainName, { | ||||
|         options, | ||||
|         certObtained: false, | ||||
|         obtainingInProgress: false | ||||
|       }); | ||||
|        | ||||
|       console.log(`Domain added: ${domainName} with configuration:`, { | ||||
|         sslRedirect: options.sslRedirect, | ||||
|         acmeMaintenance: options.acmeMaintenance, | ||||
|         hasForward: !!options.forward, | ||||
|         hasAcmeForward: !!options.acmeForward | ||||
|       }); | ||||
|        | ||||
|       // If acmeMaintenance is enabled and not a glob pattern, start certificate process immediately | ||||
|       if (options.acmeMaintenance && this.server && !this.isGlobPattern(domainName)) { | ||||
|         this.obtainCertificate(domainName).catch(err => { | ||||
|           console.error(`Error obtaining initial certificate for ${domainName}:`, err); | ||||
|         }); | ||||
|       } | ||||
|     } else { | ||||
|       // Update existing domain with new options | ||||
|       const existing = this.domainCertificates.get(domainName)!; | ||||
|       existing.options = options; | ||||
|       console.log(`Domain ${domainName} configuration updated`); | ||||
|     } | ||||
|   } | ||||
|  | ||||
| @@ -177,10 +291,30 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|    * @param expiryDate Optional expiry date | ||||
|    */ | ||||
|   public setCertificate(domain: string, certificate: string, privateKey: string, expiryDate?: Date): void { | ||||
|     if (!domain || !certificate || !privateKey) { | ||||
|       throw new Port80HandlerError('Domain, certificate and privateKey are required'); | ||||
|     } | ||||
|      | ||||
|     // Don't allow setting certificates for glob patterns | ||||
|     if (this.isGlobPattern(domain)) { | ||||
|       throw new Port80HandlerError('Cannot set certificate for glob pattern domains'); | ||||
|     } | ||||
|      | ||||
|     let domainInfo = this.domainCertificates.get(domain); | ||||
|      | ||||
|     if (!domainInfo) { | ||||
|       domainInfo = { certObtained: false, obtainingInProgress: false }; | ||||
|       // Create default domain options if not already configured | ||||
|       const defaultOptions: IDomainOptions = { | ||||
|         domainName: domain, | ||||
|         sslRedirect: true, | ||||
|         acmeMaintenance: true | ||||
|       }; | ||||
|        | ||||
|       domainInfo = {  | ||||
|         options: defaultOptions,  | ||||
|         certObtained: false,  | ||||
|         obtainingInProgress: false  | ||||
|       }; | ||||
|       this.domainCertificates.set(domain, domainInfo); | ||||
|     } | ||||
|      | ||||
| @@ -192,27 +326,18 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|     if (expiryDate) { | ||||
|       domainInfo.expiryDate = expiryDate; | ||||
|     } else { | ||||
|       // Try to extract expiry date from certificate | ||||
|       try { | ||||
|         // This is a simplistic approach - in a real implementation, use a proper | ||||
|         // certificate parsing library like node-forge or x509 | ||||
|         const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i); | ||||
|         if (matches && matches[1]) { | ||||
|           domainInfo.expiryDate = new Date(matches[1]); | ||||
|         } | ||||
|       } catch (error) { | ||||
|         console.warn(`Failed to extract expiry date from certificate for ${domain}`); | ||||
|       } | ||||
|       // Extract expiry date from certificate | ||||
|       domainInfo.expiryDate = this.extractExpiryDateFromCertificate(certificate, domain); | ||||
|     } | ||||
|      | ||||
|     console.log(`Certificate set for ${domain}`); | ||||
|      | ||||
|     // Emit certificate event | ||||
|     this.emitCertificateEvent(CertManagerEvents.CERTIFICATE_ISSUED, { | ||||
|     this.emitCertificateEvent(Port80HandlerEvents.CERTIFICATE_ISSUED, { | ||||
|       domain, | ||||
|       certificate, | ||||
|       privateKey, | ||||
|       expiryDate: domainInfo.expiryDate || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days default | ||||
|       expiryDate: domainInfo.expiryDate || this.getDefaultExpiryDate() | ||||
|     }); | ||||
|   } | ||||
|    | ||||
| @@ -221,6 +346,11 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|    * @param domain The domain to get the certificate for | ||||
|    */ | ||||
|   public getCertificate(domain: string): ICertificateData | null { | ||||
|     // Can't get certificates for glob patterns | ||||
|     if (this.isGlobPattern(domain)) { | ||||
|       return null; | ||||
|     } | ||||
|      | ||||
|     const domainInfo = this.domainCertificates.get(domain); | ||||
|      | ||||
|     if (!domainInfo || !domainInfo.certObtained || !domainInfo.certificate || !domainInfo.privateKey) { | ||||
| @@ -231,10 +361,69 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|       domain, | ||||
|       certificate: domainInfo.certificate, | ||||
|       privateKey: domainInfo.privateKey, | ||||
|       expiryDate: domainInfo.expiryDate || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days default | ||||
|       expiryDate: domainInfo.expiryDate || this.getDefaultExpiryDate() | ||||
|     }; | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Check if a domain is a glob pattern | ||||
|    * @param domain Domain to check | ||||
|    * @returns True if the domain is a glob pattern | ||||
|    */ | ||||
|   private isGlobPattern(domain: string): boolean { | ||||
|     return domain.includes('*'); | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Get domain info for a specific domain, using glob pattern matching if needed | ||||
|    * @param requestDomain The actual domain from the request | ||||
|    * @returns The domain info or null if not found | ||||
|    */ | ||||
|   private getDomainInfoForRequest(requestDomain: string): { domainInfo: IDomainCertificate, pattern: string } | null { | ||||
|     // Try direct match first | ||||
|     if (this.domainCertificates.has(requestDomain)) { | ||||
|       return { | ||||
|         domainInfo: this.domainCertificates.get(requestDomain)!, | ||||
|         pattern: requestDomain | ||||
|       }; | ||||
|     } | ||||
|      | ||||
|     // Then try glob patterns | ||||
|     for (const [pattern, domainInfo] of this.domainCertificates.entries()) { | ||||
|       if (this.isGlobPattern(pattern) && this.domainMatchesPattern(requestDomain, pattern)) { | ||||
|         return { domainInfo, pattern }; | ||||
|       } | ||||
|     } | ||||
|      | ||||
|     return null; | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Check if a domain matches a glob pattern | ||||
|    * @param domain The domain to check | ||||
|    * @param pattern The pattern to match against | ||||
|    * @returns True if the domain matches the pattern | ||||
|    */ | ||||
|   private domainMatchesPattern(domain: string, pattern: string): boolean { | ||||
|     // Handle different glob pattern styles | ||||
|     if (pattern.startsWith('*.')) { | ||||
|       // *.example.com matches any subdomain | ||||
|       const suffix = pattern.substring(2); | ||||
|       return domain.endsWith(suffix) && domain.includes('.') && domain !== suffix; | ||||
|     } else if (pattern.endsWith('.*')) { | ||||
|       // example.* matches any TLD | ||||
|       const prefix = pattern.substring(0, pattern.length - 2); | ||||
|       const domainParts = domain.split('.'); | ||||
|       return domain.startsWith(prefix + '.') && domainParts.length >= 2; | ||||
|     } else if (pattern === '*') { | ||||
|       // Wildcard matches everything | ||||
|       return true; | ||||
|     } else { | ||||
|       // Exact match (shouldn't reach here as we check exact matches first) | ||||
|       return domain === pattern; | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Lazy initialization of the ACME client | ||||
|    * @returns An ACME client instance | ||||
| @@ -244,23 +433,28 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|       return this.acmeClient; | ||||
|     } | ||||
|      | ||||
|     // Generate a new account key | ||||
|     this.accountKey = (await plugins.acme.forge.createPrivateKey()).toString(); | ||||
|      | ||||
|     this.acmeClient = new plugins.acme.Client({ | ||||
|       directoryUrl: this.options.useProduction  | ||||
|         ? plugins.acme.directory.letsencrypt.production  | ||||
|         : plugins.acme.directory.letsencrypt.staging, | ||||
|       accountKey: this.accountKey, | ||||
|     }); | ||||
|      | ||||
|     // Create a new account | ||||
|     await this.acmeClient.createAccount({ | ||||
|       termsOfServiceAgreed: true, | ||||
|       contact: [`mailto:${this.options.contactEmail}`], | ||||
|     }); | ||||
|      | ||||
|     return this.acmeClient; | ||||
|     try { | ||||
|       // Generate a new account key | ||||
|       this.accountKey = (await plugins.acme.forge.createPrivateKey()).toString(); | ||||
|        | ||||
|       this.acmeClient = new plugins.acme.Client({ | ||||
|         directoryUrl: this.options.useProduction  | ||||
|           ? plugins.acme.directory.letsencrypt.production  | ||||
|           : plugins.acme.directory.letsencrypt.staging, | ||||
|         accountKey: this.accountKey, | ||||
|       }); | ||||
|        | ||||
|       // Create a new account | ||||
|       await this.acmeClient.createAccount({ | ||||
|         termsOfServiceAgreed: true, | ||||
|         contact: [`mailto:${this.options.contactEmail}`], | ||||
|       }); | ||||
|        | ||||
|       return this.acmeClient; | ||||
|     } catch (error) { | ||||
|       const message = error instanceof Error ? error.message : 'Unknown error initializing ACME client'; | ||||
|       throw new Port80HandlerError(`Failed to initialize ACME client: ${message}`); | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
| @@ -279,22 +473,42 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|     // Extract domain (ignoring any port in the Host header) | ||||
|     const domain = hostHeader.split(':')[0]; | ||||
|  | ||||
|     // If the request is for an ACME HTTP-01 challenge, handle it | ||||
|     if (req.url && req.url.startsWith('/.well-known/acme-challenge/')) { | ||||
|       this.handleAcmeChallenge(req, res, domain); | ||||
|       return; | ||||
|     } | ||||
|  | ||||
|     if (!this.domainCertificates.has(domain)) { | ||||
|     // Get domain config, using glob pattern matching if needed | ||||
|     const domainMatch = this.getDomainInfoForRequest(domain); | ||||
|      | ||||
|     if (!domainMatch) { | ||||
|       res.statusCode = 404; | ||||
|       res.end('Domain not configured'); | ||||
|       return; | ||||
|     } | ||||
|  | ||||
|     const domainInfo = this.domainCertificates.get(domain)!; | ||||
|     const { domainInfo, pattern } = domainMatch; | ||||
|     const options = domainInfo.options; | ||||
|  | ||||
|     // If certificate exists, redirect to HTTPS | ||||
|     if (domainInfo.certObtained) { | ||||
|     // If the request is for an ACME HTTP-01 challenge, handle it | ||||
|     if (req.url && req.url.startsWith('/.well-known/acme-challenge/') && (options.acmeMaintenance || options.acmeForward)) { | ||||
|       // Check if we should forward ACME requests | ||||
|       if (options.acmeForward) { | ||||
|         this.forwardRequest(req, res, options.acmeForward, 'ACME challenge'); | ||||
|         return; | ||||
|       } | ||||
|        | ||||
|       // Only handle ACME challenges for non-glob patterns | ||||
|       if (!this.isGlobPattern(pattern)) { | ||||
|         this.handleAcmeChallenge(req, res, domain); | ||||
|         return; | ||||
|       } | ||||
|     } | ||||
|  | ||||
|     // Check if we should forward non-ACME requests | ||||
|     if (options.forward) { | ||||
|       this.forwardRequest(req, res, options.forward, 'HTTP'); | ||||
|       return; | ||||
|     } | ||||
|  | ||||
|     // If certificate exists and sslRedirect is enabled, redirect to HTTPS | ||||
|     // (Skip for glob patterns as they won't have certificates) | ||||
|     if (!this.isGlobPattern(pattern) && domainInfo.certObtained && options.sslRedirect) { | ||||
|       const httpsPort = this.options.httpsRedirectPort; | ||||
|       const portSuffix = httpsPort === 443 ? '' : `:${httpsPort}`; | ||||
|       const redirectUrl = `https://${domain}${portSuffix}${req.url || '/'}`; | ||||
| @@ -302,17 +516,94 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|       res.statusCode = 301; | ||||
|       res.setHeader('Location', redirectUrl); | ||||
|       res.end(`Redirecting to ${redirectUrl}`); | ||||
|     } else { | ||||
|       return; | ||||
|     } | ||||
|      | ||||
|     // Handle case where certificate maintenance is enabled but not yet obtained | ||||
|     // (Skip for glob patterns as they can't have certificates) | ||||
|     if (!this.isGlobPattern(pattern) && options.acmeMaintenance && !domainInfo.certObtained) { | ||||
|       // Trigger certificate issuance if not already running | ||||
|       if (!domainInfo.obtainingInProgress) { | ||||
|         this.obtainCertificate(domain).catch(err => { | ||||
|           this.emit(CertManagerEvents.CERTIFICATE_FAILED, { domain, error: err.message }); | ||||
|           const errorMessage = err instanceof Error ? err.message : 'Unknown error'; | ||||
|           this.emit(Port80HandlerEvents.CERTIFICATE_FAILED, { | ||||
|             domain, | ||||
|             error: errorMessage, | ||||
|             isRenewal: false | ||||
|           }); | ||||
|           console.error(`Error obtaining certificate for ${domain}:`, err); | ||||
|         }); | ||||
|       } | ||||
|        | ||||
|       res.statusCode = 503; | ||||
|       res.end('Certificate issuance in progress, please try again later.'); | ||||
|       return; | ||||
|     } | ||||
|      | ||||
|     // Default response for unhandled request | ||||
|     res.statusCode = 404; | ||||
|     res.end('No handlers configured for this request'); | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Forwards an HTTP request to the specified target | ||||
|    * @param req The original request | ||||
|    * @param res The response object | ||||
|    * @param target The forwarding target (IP and port) | ||||
|    * @param requestType Type of request for logging | ||||
|    */ | ||||
|   private forwardRequest( | ||||
|     req: plugins.http.IncomingMessage,  | ||||
|     res: plugins.http.ServerResponse, | ||||
|     target: IForwardConfig, | ||||
|     requestType: string | ||||
|   ): void { | ||||
|     const options = { | ||||
|       hostname: target.ip, | ||||
|       port: target.port, | ||||
|       path: req.url, | ||||
|       method: req.method, | ||||
|       headers: { ...req.headers } | ||||
|     }; | ||||
|      | ||||
|     const domain = req.headers.host?.split(':')[0] || 'unknown'; | ||||
|     console.log(`Forwarding ${requestType} request for ${domain} to ${target.ip}:${target.port}`); | ||||
|      | ||||
|     const proxyReq = plugins.http.request(options, (proxyRes) => { | ||||
|       // Copy status code | ||||
|       res.statusCode = proxyRes.statusCode || 500; | ||||
|        | ||||
|       // Copy headers | ||||
|       for (const [key, value] of Object.entries(proxyRes.headers)) { | ||||
|         if (value) res.setHeader(key, value); | ||||
|       } | ||||
|        | ||||
|       // Pipe response data | ||||
|       proxyRes.pipe(res); | ||||
|        | ||||
|       this.emit(Port80HandlerEvents.REQUEST_FORWARDED, { | ||||
|         domain, | ||||
|         requestType, | ||||
|         target: `${target.ip}:${target.port}`, | ||||
|         statusCode: proxyRes.statusCode | ||||
|       }); | ||||
|     }); | ||||
|      | ||||
|     proxyReq.on('error', (error) => { | ||||
|       console.error(`Error forwarding request to ${target.ip}:${target.port}:`, error); | ||||
|       if (!res.headersSent) { | ||||
|         res.statusCode = 502; | ||||
|         res.end(`Proxy error: ${error.message}`); | ||||
|       } else { | ||||
|         res.end(); | ||||
|       } | ||||
|     }); | ||||
|      | ||||
|     // Pipe original request to proxy request | ||||
|     if (req.readable) { | ||||
|       req.pipe(proxyReq); | ||||
|     } else { | ||||
|       proxyReq.end(); | ||||
|     } | ||||
|   } | ||||
|  | ||||
| @@ -351,10 +642,21 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|    * @param isRenewal Whether this is a renewal attempt | ||||
|    */ | ||||
|   private async obtainCertificate(domain: string, isRenewal: boolean = false): Promise<void> { | ||||
|     // Don't allow certificate issuance for glob patterns | ||||
|     if (this.isGlobPattern(domain)) { | ||||
|       throw new CertificateError('Cannot obtain certificates for glob pattern domains', domain, isRenewal); | ||||
|     } | ||||
|      | ||||
|     // Get the domain info | ||||
|     const domainInfo = this.domainCertificates.get(domain); | ||||
|     if (!domainInfo) { | ||||
|       throw new Error(`Domain not found: ${domain}`); | ||||
|       throw new CertificateError('Domain not found', domain, isRenewal); | ||||
|     } | ||||
|      | ||||
|     // Verify that acmeMaintenance is enabled | ||||
|     if (!domainInfo.options.acmeMaintenance) { | ||||
|       console.log(`Skipping certificate issuance for ${domain} - acmeMaintenance is disabled`); | ||||
|       return; | ||||
|     } | ||||
|      | ||||
|     // Prevent concurrent certificate issuance | ||||
| @@ -377,40 +679,8 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|       // Get the authorizations for the order | ||||
|       const authorizations = await client.getAuthorizations(order); | ||||
|        | ||||
|       for (const authz of authorizations) { | ||||
|         const challenge = authz.challenges.find(ch => ch.type === 'http-01'); | ||||
|         if (!challenge) { | ||||
|           throw new Error('HTTP-01 challenge not found'); | ||||
|         } | ||||
|          | ||||
|         // Get the key authorization for the challenge | ||||
|         const keyAuthorization = await client.getChallengeKeyAuthorization(challenge); | ||||
|          | ||||
|         // Store the challenge data | ||||
|         domainInfo.challengeToken = challenge.token; | ||||
|         domainInfo.challengeKeyAuthorization = keyAuthorization; | ||||
|  | ||||
|         // ACME client type definition workaround - use compatible approach | ||||
|         // First check if challenge verification is needed | ||||
|         const authzUrl = authz.url; | ||||
|          | ||||
|         try { | ||||
|           // Check if authzUrl exists and perform verification | ||||
|           if (authzUrl) { | ||||
|             await client.verifyChallenge(authz, challenge); | ||||
|           } | ||||
|            | ||||
|           // Complete the challenge | ||||
|           await client.completeChallenge(challenge); | ||||
|            | ||||
|           // Wait for validation | ||||
|           await client.waitForValidStatus(challenge); | ||||
|           console.log(`HTTP-01 challenge completed for ${domain}`); | ||||
|         } catch (error) { | ||||
|           console.error(`Challenge error for ${domain}:`, error); | ||||
|           throw error; | ||||
|         } | ||||
|       } | ||||
|       // Process each authorization | ||||
|       await this.processAuthorizations(client, domain, authorizations); | ||||
|  | ||||
|       // Generate a CSR and private key | ||||
|       const [csrBuffer, privateKeyBuffer] = await plugins.acme.forge.createCsr({ | ||||
| @@ -436,28 +706,20 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|       delete domainInfo.challengeKeyAuthorization; | ||||
|        | ||||
|       // Extract expiry date from certificate | ||||
|       try { | ||||
|         const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i); | ||||
|         if (matches && matches[1]) { | ||||
|           domainInfo.expiryDate = new Date(matches[1]); | ||||
|           console.log(`Certificate for ${domain} will expire on ${domainInfo.expiryDate.toISOString()}`); | ||||
|         } | ||||
|       } catch (error) { | ||||
|         console.warn(`Failed to extract expiry date from certificate for ${domain}`); | ||||
|       } | ||||
|       domainInfo.expiryDate = this.extractExpiryDateFromCertificate(certificate, domain); | ||||
|  | ||||
|       console.log(`Certificate ${isRenewal ? 'renewed' : 'obtained'} for ${domain}`); | ||||
|        | ||||
|       // Emit the appropriate event | ||||
|       const eventType = isRenewal  | ||||
|         ? CertManagerEvents.CERTIFICATE_RENEWED  | ||||
|         : CertManagerEvents.CERTIFICATE_ISSUED; | ||||
|         ? Port80HandlerEvents.CERTIFICATE_RENEWED  | ||||
|         : Port80HandlerEvents.CERTIFICATE_ISSUED; | ||||
|        | ||||
|       this.emitCertificateEvent(eventType, { | ||||
|         domain, | ||||
|         certificate, | ||||
|         privateKey, | ||||
|         expiryDate: domainInfo.expiryDate || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000) // 90 days default | ||||
|         expiryDate: domainInfo.expiryDate || this.getDefaultExpiryDate() | ||||
|       }); | ||||
|        | ||||
|     } catch (error: any) { | ||||
| @@ -473,17 +735,76 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|       } | ||||
|        | ||||
|       // Emit failure event | ||||
|       this.emit(CertManagerEvents.CERTIFICATE_FAILED, { | ||||
|       this.emit(Port80HandlerEvents.CERTIFICATE_FAILED, { | ||||
|         domain, | ||||
|         error: error.message || 'Unknown error', | ||||
|         isRenewal | ||||
|       }); | ||||
|       } as ICertificateFailure); | ||||
|        | ||||
|       throw new CertificateError( | ||||
|         error.message || 'Certificate issuance failed', | ||||
|         domain, | ||||
|         isRenewal | ||||
|       ); | ||||
|     } finally { | ||||
|       // Reset flag whether successful or not | ||||
|       domainInfo.obtainingInProgress = false; | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Process ACME authorizations by verifying and completing challenges | ||||
|    * @param client ACME client  | ||||
|    * @param domain Domain name | ||||
|    * @param authorizations Authorizations to process | ||||
|    */ | ||||
|   private async processAuthorizations( | ||||
|     client: plugins.acme.Client, | ||||
|     domain: string, | ||||
|     authorizations: plugins.acme.Authorization[] | ||||
|   ): Promise<void> { | ||||
|     const domainInfo = this.domainCertificates.get(domain); | ||||
|     if (!domainInfo) { | ||||
|       throw new CertificateError('Domain not found during authorization', domain); | ||||
|     } | ||||
|      | ||||
|     for (const authz of authorizations) { | ||||
|       const challenge = authz.challenges.find(ch => ch.type === 'http-01'); | ||||
|       if (!challenge) { | ||||
|         throw new CertificateError('HTTP-01 challenge not found', domain); | ||||
|       } | ||||
|        | ||||
|       // Get the key authorization for the challenge | ||||
|       const keyAuthorization = await client.getChallengeKeyAuthorization(challenge); | ||||
|        | ||||
|       // Store the challenge data | ||||
|       domainInfo.challengeToken = challenge.token; | ||||
|       domainInfo.challengeKeyAuthorization = keyAuthorization; | ||||
|  | ||||
|       // ACME client type definition workaround - use compatible approach | ||||
|       // First check if challenge verification is needed | ||||
|       const authzUrl = authz.url; | ||||
|        | ||||
|       try { | ||||
|         // Check if authzUrl exists and perform verification | ||||
|         if (authzUrl) { | ||||
|           await client.verifyChallenge(authz, challenge); | ||||
|         } | ||||
|          | ||||
|         // Complete the challenge | ||||
|         await client.completeChallenge(challenge); | ||||
|          | ||||
|         // Wait for validation | ||||
|         await client.waitForValidStatus(challenge); | ||||
|         console.log(`HTTP-01 challenge completed for ${domain}`); | ||||
|       } catch (error) { | ||||
|         const errorMessage = error instanceof Error ? error.message : 'Unknown challenge error'; | ||||
|         console.error(`Challenge error for ${domain}:`, error); | ||||
|         throw new CertificateError(`Challenge verification failed: ${errorMessage}`, domain); | ||||
|       } | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Starts the certificate renewal timer | ||||
|    */ | ||||
| @@ -519,6 +840,16 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|     const renewThresholdMs = this.options.renewThresholdDays * 24 * 60 * 60 * 1000; | ||||
|      | ||||
|     for (const [domain, domainInfo] of this.domainCertificates.entries()) { | ||||
|       // Skip glob patterns | ||||
|       if (this.isGlobPattern(domain)) { | ||||
|         continue; | ||||
|       } | ||||
|        | ||||
|       // Skip domains with acmeMaintenance disabled | ||||
|       if (!domainInfo.options.acmeMaintenance) { | ||||
|         continue; | ||||
|       } | ||||
|        | ||||
|       // Skip domains without certificates or already in renewal | ||||
|       if (!domainInfo.certObtained || domainInfo.obtainingInProgress) { | ||||
|         continue; | ||||
| @@ -534,26 +865,67 @@ export class AcmeCertManager extends plugins.EventEmitter { | ||||
|       // Check if certificate is near expiry | ||||
|       if (timeUntilExpiry <= renewThresholdMs) { | ||||
|         console.log(`Certificate for ${domain} expires soon, renewing...`); | ||||
|         this.emit(CertManagerEvents.CERTIFICATE_EXPIRING, { | ||||
|          | ||||
|         const daysRemaining = Math.ceil(timeUntilExpiry / (24 * 60 * 60 * 1000)); | ||||
|          | ||||
|         this.emit(Port80HandlerEvents.CERTIFICATE_EXPIRING, { | ||||
|           domain, | ||||
|           expiryDate: domainInfo.expiryDate, | ||||
|           daysRemaining: Math.ceil(timeUntilExpiry / (24 * 60 * 60 * 1000)) | ||||
|         }); | ||||
|           daysRemaining | ||||
|         } as ICertificateExpiring); | ||||
|          | ||||
|         // Start renewal process | ||||
|         this.obtainCertificate(domain, true).catch(err => { | ||||
|           console.error(`Error renewing certificate for ${domain}:`, err); | ||||
|           const errorMessage = err instanceof Error ? err.message : 'Unknown error'; | ||||
|           console.error(`Error renewing certificate for ${domain}:`, errorMessage); | ||||
|         }); | ||||
|       } | ||||
|     } | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Extract expiry date from certificate using a more robust approach | ||||
|    * @param certificate Certificate PEM string | ||||
|    * @param domain Domain for logging | ||||
|    * @returns Extracted expiry date or default | ||||
|    */ | ||||
|   private extractExpiryDateFromCertificate(certificate: string, domain: string): Date { | ||||
|     try { | ||||
|       // This is still using regex, but in a real implementation you would use | ||||
|       // a library like node-forge or x509 to properly parse the certificate | ||||
|       const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i); | ||||
|       if (matches && matches[1]) { | ||||
|         const expiryDate = new Date(matches[1]); | ||||
|          | ||||
|         // Validate that we got a valid date | ||||
|         if (!isNaN(expiryDate.getTime())) { | ||||
|           console.log(`Certificate for ${domain} will expire on ${expiryDate.toISOString()}`); | ||||
|           return expiryDate; | ||||
|         } | ||||
|       } | ||||
|        | ||||
|       console.warn(`Could not extract valid expiry date from certificate for ${domain}, using default`); | ||||
|       return this.getDefaultExpiryDate(); | ||||
|     } catch (error) { | ||||
|       console.warn(`Failed to extract expiry date from certificate for ${domain}, using default`); | ||||
|       return this.getDefaultExpiryDate(); | ||||
|     } | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Get a default expiry date (90 days from now) | ||||
|    * @returns Default expiry date | ||||
|    */ | ||||
|   private getDefaultExpiryDate(): Date { | ||||
|     return new Date(Date.now() + 90 * 24 * 60 * 60 * 1000); // 90 days default | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Emits a certificate event with the certificate data | ||||
|    * @param eventType The event type to emit | ||||
|    * @param data The certificate data | ||||
|    */ | ||||
|   private emitCertificateEvent(eventType: CertManagerEvents, data: ICertificateData): void { | ||||
|   private emitCertificateEvent(eventType: Port80HandlerEvents, data: ICertificateData): void { | ||||
|     this.emit(eventType, data); | ||||
|   } | ||||
| } | ||||
| @@ -1,5 +1,9 @@ | ||||
| import * as plugins from './plugins.js'; | ||||
| import type { IConnectionRecord, IDomainConfig, IPortProxySettings } from './classes.pp.interfaces.js'; | ||||
| import type { | ||||
|   IConnectionRecord, | ||||
|   IDomainConfig, | ||||
|   IPortProxySettings, | ||||
| } from './classes.pp.interfaces.js'; | ||||
| import { ConnectionManager } from './classes.pp.connectionmanager.js'; | ||||
| import { SecurityManager } from './classes.pp.securitymanager.js'; | ||||
| import { DomainConfigManager } from './classes.pp.domainconfigmanager.js'; | ||||
| @@ -73,8 +77,8 @@ export class ConnectionHandler { | ||||
|     if (this.settings.enableDetailedLogging) { | ||||
|       console.log( | ||||
|         `[${connectionId}] New connection from ${remoteIP} on port ${localPort}. ` + | ||||
|         `Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` + | ||||
|         `Active connections: ${this.connectionManager.getConnectionCount()}` | ||||
|           `Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` + | ||||
|           `Active connections: ${this.connectionManager.getConnectionCount()}` | ||||
|       ); | ||||
|     } else { | ||||
|       console.log( | ||||
| @@ -94,7 +98,10 @@ export class ConnectionHandler { | ||||
|   /** | ||||
|    * Handle a connection that should be forwarded to NetworkProxy | ||||
|    */ | ||||
|   private handleNetworkProxyConnection(socket: plugins.net.Socket, record: IConnectionRecord): void { | ||||
|   private handleNetworkProxyConnection( | ||||
|     socket: plugins.net.Socket, | ||||
|     record: IConnectionRecord | ||||
|   ): void { | ||||
|     const connectionId = record.id; | ||||
|     let initialDataReceived = false; | ||||
|  | ||||
| @@ -104,7 +111,7 @@ export class ConnectionHandler { | ||||
|         console.log( | ||||
|           `[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}` | ||||
|         ); | ||||
|          | ||||
|  | ||||
|         // Add a grace period instead of immediate termination | ||||
|         setTimeout(() => { | ||||
|           if (!initialDataReceived) { | ||||
| @@ -144,7 +151,7 @@ export class ConnectionHandler { | ||||
|       if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) { | ||||
|         console.log( | ||||
|           `[${connectionId}] Non-TLS connection detected on port 443. ` + | ||||
|           `Terminating connection - only TLS traffic is allowed on standard HTTPS port.` | ||||
|             `Terminating connection - only TLS traffic is allowed on standard HTTPS port.` | ||||
|         ); | ||||
|         if (record.incomingTerminationReason === null) { | ||||
|           record.incomingTerminationReason = 'non_tls_blocked'; | ||||
| @@ -159,8 +166,8 @@ export class ConnectionHandler { | ||||
|       if (this.tlsManager.isTlsHandshake(chunk)) { | ||||
|         record.isTLS = true; | ||||
|  | ||||
|         // Check session tickets if they're disabled | ||||
|         if (this.settings.allowSessionTicket === false && this.tlsManager.isClientHello(chunk)) { | ||||
|         // Check for ClientHello to extract SNI - but don't enforce it for NetworkProxy | ||||
|         if (this.tlsManager.isClientHello(chunk)) { | ||||
|           // Create connection info for SNI extraction | ||||
|           const connInfo = { | ||||
|             sourceIp: record.remoteIP, | ||||
| @@ -169,14 +176,14 @@ export class ConnectionHandler { | ||||
|             destPort: socket.localPort || 0, | ||||
|           }; | ||||
|  | ||||
|           // Extract SNI for domain-specific NetworkProxy handling | ||||
|           // Extract SNI for domain-specific NetworkProxy handling if available | ||||
|           const serverName = this.tlsManager.extractSNI(chunk, connInfo); | ||||
|  | ||||
|           // For NetworkProxy connections, we'll allow session tickets even without SNI | ||||
|           // We'll only use the serverName if available to determine the specific NetworkProxy port | ||||
|           if (serverName) { | ||||
|             // If we got an SNI, check for domain-specific NetworkProxy settings | ||||
|             const domainConfig = this.domainConfigManager.findDomainConfig(serverName); | ||||
|  | ||||
|             // Save domain config and SNI in connection record | ||||
|             const domainConfig = this.domainConfigManager.findDomainConfig(serverName); | ||||
|             record.domainConfig = domainConfig; | ||||
|             record.lockedDomain = serverName; | ||||
|  | ||||
| @@ -201,6 +208,14 @@ export class ConnectionHandler { | ||||
|               ); | ||||
|               return; | ||||
|             } | ||||
|           } else if ( | ||||
|             this.settings.allowSessionTicket === false && | ||||
|             this.settings.enableDetailedLogging | ||||
|           ) { | ||||
|             // Log that we're allowing a session resumption without SNI for NetworkProxy | ||||
|             console.log( | ||||
|               `[${connectionId}] Allowing session resumption without SNI for NetworkProxy forwarding` | ||||
|             ); | ||||
|           } | ||||
|         } | ||||
|  | ||||
| @@ -215,14 +230,10 @@ export class ConnectionHandler { | ||||
|         ); | ||||
|       } else { | ||||
|         // If not TLS, use normal direct connection | ||||
|         console.log(`[${connectionId}] Non-TLS connection on NetworkProxy port ${record.localPort}`); | ||||
|         this.setupDirectConnection( | ||||
|           socket, | ||||
|           record, | ||||
|           undefined, | ||||
|           undefined, | ||||
|           chunk | ||||
|         console.log( | ||||
|           `[${connectionId}] Non-TLS connection on NetworkProxy port ${record.localPort}` | ||||
|         ); | ||||
|         this.setupDirectConnection(socket, record, undefined, undefined, chunk); | ||||
|       } | ||||
|     }); | ||||
|   } | ||||
| @@ -255,7 +266,7 @@ export class ConnectionHandler { | ||||
|           console.log( | ||||
|             `[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}` | ||||
|           ); | ||||
|            | ||||
|  | ||||
|           // Add a grace period instead of immediate termination | ||||
|           setTimeout(() => { | ||||
|             if (!initialDataReceived) { | ||||
| @@ -340,14 +351,13 @@ export class ConnectionHandler { | ||||
|       record.domainConfig = domainConfig; | ||||
|  | ||||
|       // Check if this domain should use NetworkProxy (domain-specific setting) | ||||
|       if (domainConfig &&  | ||||
|           this.domainConfigManager.shouldUseNetworkProxy(domainConfig) &&  | ||||
|           this.networkProxyBridge.getNetworkProxy()) { | ||||
|          | ||||
|       if ( | ||||
|         domainConfig && | ||||
|         this.domainConfigManager.shouldUseNetworkProxy(domainConfig) && | ||||
|         this.networkProxyBridge.getNetworkProxy() | ||||
|       ) { | ||||
|         if (this.settings.enableDetailedLogging) { | ||||
|           console.log( | ||||
|             `[${connectionId}] Domain ${serverName} is configured to use NetworkProxy` | ||||
|           ); | ||||
|           console.log(`[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`); | ||||
|         } | ||||
|  | ||||
|         const networkProxyPort = this.domainConfigManager.getNetworkProxyPort(domainConfig); | ||||
| @@ -369,23 +379,24 @@ export class ConnectionHandler { | ||||
|       // IP validation | ||||
|       if (domainConfig) { | ||||
|         const ipRules = this.domainConfigManager.getEffectiveIPRules(domainConfig); | ||||
|          | ||||
|  | ||||
|         // Skip IP validation if allowedIPs is empty | ||||
|         if ( | ||||
|           domainConfig.allowedIPs.length > 0 && | ||||
|           !this.securityManager.isIPAuthorized(record.remoteIP, ipRules.allowedIPs, ipRules.blockedIPs) | ||||
|           !this.securityManager.isIPAuthorized( | ||||
|             record.remoteIP, | ||||
|             ipRules.allowedIPs, | ||||
|             ipRules.blockedIPs | ||||
|           ) | ||||
|         ) { | ||||
|           return rejectIncomingConnection( | ||||
|             'rejected', | ||||
|             `Connection rejected: IP ${record.remoteIP} not allowed for domain ${domainConfig.domains.join( | ||||
|               ', ' | ||||
|             )}` | ||||
|             `Connection rejected: IP ${ | ||||
|               record.remoteIP | ||||
|             } not allowed for domain ${domainConfig.domains.join(', ')}` | ||||
|           ); | ||||
|         } | ||||
|       } else if ( | ||||
|         this.settings.defaultAllowedIPs && | ||||
|         this.settings.defaultAllowedIPs.length > 0 | ||||
|       ) { | ||||
|       } else if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) { | ||||
|         if ( | ||||
|           !this.securityManager.isIPAuthorized( | ||||
|             record.remoteIP, | ||||
| @@ -452,28 +463,36 @@ export class ConnectionHandler { | ||||
|       } else { | ||||
|         // Attempt to find a matching forced domain config based on the local port. | ||||
|         const forcedDomain = this.domainConfigManager.findDomainConfigForPort(localPort); | ||||
|          | ||||
|  | ||||
|         if (forcedDomain) { | ||||
|           const ipRules = this.domainConfigManager.getEffectiveIPRules(forcedDomain); | ||||
|            | ||||
|           if (!this.securityManager.isIPAuthorized(record.remoteIP, ipRules.allowedIPs, ipRules.blockedIPs)) { | ||||
|  | ||||
|           if ( | ||||
|             !this.securityManager.isIPAuthorized( | ||||
|               record.remoteIP, | ||||
|               ipRules.allowedIPs, | ||||
|               ipRules.blockedIPs | ||||
|             ) | ||||
|           ) { | ||||
|             console.log( | ||||
|               `[${connectionId}] Connection from ${record.remoteIP} rejected: IP not allowed for domain ${forcedDomain.domains.join( | ||||
|               `[${connectionId}] Connection from ${ | ||||
|                 record.remoteIP | ||||
|               } rejected: IP not allowed for domain ${forcedDomain.domains.join( | ||||
|                 ', ' | ||||
|               )} on port ${localPort}.` | ||||
|             ); | ||||
|             socket.end(); | ||||
|             return; | ||||
|           } | ||||
|            | ||||
|  | ||||
|           if (this.settings.enableDetailedLogging) { | ||||
|             console.log( | ||||
|               `[${connectionId}] Port-based connection from ${record.remoteIP} on port ${localPort} matched domain ${forcedDomain.domains.join( | ||||
|                 ', ' | ||||
|               )}.` | ||||
|               `[${connectionId}] Port-based connection from ${ | ||||
|                 record.remoteIP | ||||
|               } on port ${localPort} matched domain ${forcedDomain.domains.join(', ')}.` | ||||
|             ); | ||||
|           } | ||||
|            | ||||
|  | ||||
|           setupConnection('', undefined, forcedDomain, localPort); | ||||
|           return; | ||||
|         } | ||||
| @@ -491,14 +510,14 @@ export class ConnectionHandler { | ||||
|           clearTimeout(initialTimeout); | ||||
|           initialTimeout = null; | ||||
|         } | ||||
|          | ||||
|  | ||||
|         initialDataReceived = true; | ||||
|          | ||||
|  | ||||
|         // Block non-TLS connections on port 443 | ||||
|         if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) { | ||||
|           console.log( | ||||
|             `[${connectionId}] Non-TLS connection detected on port 443 in SNI handler. ` + | ||||
|             `Terminating connection - only TLS traffic is allowed on standard HTTPS port.` | ||||
|               `Terminating connection - only TLS traffic is allowed on standard HTTPS port.` | ||||
|           ); | ||||
|           if (record.incomingTerminationReason === null) { | ||||
|             record.incomingTerminationReason = 'non_tls_blocked'; | ||||
| @@ -531,6 +550,77 @@ export class ConnectionHandler { | ||||
|  | ||||
|           // Extract SNI | ||||
|           serverName = this.tlsManager.extractSNI(chunk, connInfo) || ''; | ||||
|  | ||||
|           // If allowSessionTicket is false and this is a ClientHello with no SNI, terminate the connection | ||||
|           if ( | ||||
|             this.settings.allowSessionTicket === false && | ||||
|             this.tlsManager.isClientHello(chunk) && | ||||
|             !serverName | ||||
|           ) { | ||||
|             // Block ClientHello without SNI when allowSessionTicket is false | ||||
|             console.log( | ||||
|               `[${connectionId}] No SNI detected in ClientHello and allowSessionTicket=false. ` + | ||||
|                 `Sending warning unrecognized_name alert to encourage immediate retry with SNI.` | ||||
|             ); | ||||
|  | ||||
|             // Set the termination reason first | ||||
|             if (record.incomingTerminationReason === null) { | ||||
|               record.incomingTerminationReason = 'session_ticket_blocked_no_sni'; | ||||
|               this.connectionManager.incrementTerminationStat( | ||||
|                 'incoming', | ||||
|                 'session_ticket_blocked_no_sni' | ||||
|               ); | ||||
|             } | ||||
|  | ||||
|             // Create a warning-level alert for unrecognized_name | ||||
|             // This encourages Chrome to retry immediately with SNI | ||||
|             const serverNameUnknownAlertData = Buffer.from([ | ||||
|               0x15, // Alert record type | ||||
|               0x03, | ||||
|               0x03, // TLS 1.2 version | ||||
|               0x00, | ||||
|               0x02, // Length | ||||
|               0x01, // Warning alert level (not fatal) | ||||
|               0x70, // unrecognized_name alert (code 112) | ||||
|             ]); | ||||
|  | ||||
|             try { | ||||
|               // Use cork/uncork to ensure the alert is sent as a single packet | ||||
|               socket.cork(); | ||||
|               const writeSuccessful = socket.write(serverNameUnknownAlertData); | ||||
|               socket.uncork(); | ||||
|               socket.end(); | ||||
|                | ||||
|               // Function to handle the clean socket termination - but more gradually | ||||
|               const finishConnection = () => { | ||||
|                 this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni'); | ||||
|               }; | ||||
|                | ||||
|               if (writeSuccessful) { | ||||
|                 // Wait longer before ending connection to ensure alert is processed by client | ||||
|                 setTimeout(finishConnection, 200); // Increased from 50ms to 200ms | ||||
|               } else { | ||||
|                 // If the kernel buffer was full, wait for the drain event | ||||
|                 socket.once('drain', () => { | ||||
|                   // Wait longer after drain as well | ||||
|                   setTimeout(finishConnection, 200); | ||||
|                 }); | ||||
|                  | ||||
|                 // Safety timeout is increased too | ||||
|                 setTimeout(() => { | ||||
|                   socket.removeAllListeners('drain'); | ||||
|                   finishConnection(); | ||||
|                 }, 400); // Increased from 250ms to 400ms | ||||
|               } | ||||
|             } catch (err) { | ||||
|               // If we can't send the alert, fall back to immediate termination | ||||
|               console.log(`[${connectionId}] Error sending TLS alert: ${err.message}`); | ||||
|               socket.end(); | ||||
|               this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni'); | ||||
|             } | ||||
|  | ||||
|             return; | ||||
|           } | ||||
|         } | ||||
|  | ||||
|         // Lock the connection to the negotiated SNI. | ||||
| @@ -577,23 +667,21 @@ export class ConnectionHandler { | ||||
|     overridePort?: number | ||||
|   ): void { | ||||
|     const connectionId = record.id; | ||||
|      | ||||
|  | ||||
|     // Determine target host | ||||
|     const targetHost = domainConfig  | ||||
|       ? this.domainConfigManager.getTargetIP(domainConfig)  | ||||
|     const targetHost = domainConfig | ||||
|       ? this.domainConfigManager.getTargetIP(domainConfig) | ||||
|       : this.settings.targetIP!; | ||||
|      | ||||
|  | ||||
|     // Determine target port | ||||
|     const targetPort = overridePort !== undefined  | ||||
|       ? overridePort  | ||||
|       : this.settings.toPort; | ||||
|      | ||||
|     const targetPort = overridePort !== undefined ? overridePort : this.settings.toPort; | ||||
|  | ||||
|     // Setup connection options | ||||
|     const connectionOptions: plugins.net.NetConnectOpts = { | ||||
|       host: targetHost, | ||||
|       port: targetPort, | ||||
|     }; | ||||
|      | ||||
|  | ||||
|     // Preserve source IP if configured | ||||
|     if (this.settings.preserveSourceIP) { | ||||
|       connectionOptions.localAddress = record.remoteIP.replace('::ffff:', ''); | ||||
| @@ -850,18 +938,20 @@ export class ConnectionHandler { | ||||
|  | ||||
|       // Process any remaining data in the queue before switching to piping | ||||
|       processDataQueue(); | ||||
|        | ||||
|  | ||||
|       // Set up piping immediately | ||||
|       pipingEstablished = true; | ||||
|        | ||||
|  | ||||
|       // Flush all pending data to target | ||||
|       if (record.pendingData.length > 0) { | ||||
|         const combinedData = Buffer.concat(record.pendingData); | ||||
|          | ||||
|  | ||||
|         if (this.settings.enableDetailedLogging) { | ||||
|           console.log(`[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`); | ||||
|           console.log( | ||||
|             `[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target` | ||||
|           ); | ||||
|         } | ||||
|          | ||||
|  | ||||
|         // Write pending data immediately | ||||
|         targetSocket.write(combinedData, (err) => { | ||||
|           if (err) { | ||||
| @@ -869,19 +959,19 @@ export class ConnectionHandler { | ||||
|             return this.connectionManager.initiateCleanupOnce(record, 'write_error'); | ||||
|           } | ||||
|         }); | ||||
|          | ||||
|  | ||||
|         // Clear the buffer now that we've processed it | ||||
|         record.pendingData = []; | ||||
|         record.pendingDataSize = 0; | ||||
|       } | ||||
|        | ||||
|  | ||||
|       // Setup piping in both directions without any delays | ||||
|       socket.pipe(targetSocket); | ||||
|       targetSocket.pipe(socket); | ||||
|        | ||||
|  | ||||
|       // Resume the socket to ensure data flows | ||||
|       socket.resume(); | ||||
|        | ||||
|  | ||||
|       // Process any data that might be queued in the interim | ||||
|       if (dataQueue.length > 0) { | ||||
|         // Write any remaining queued data directly to the target socket | ||||
| @@ -892,7 +982,7 @@ export class ConnectionHandler { | ||||
|         dataQueue.length = 0; | ||||
|         queueSize = 0; | ||||
|       } | ||||
|        | ||||
|  | ||||
|       if (this.settings.enableDetailedLogging) { | ||||
|         console.log( | ||||
|           `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` + | ||||
| @@ -957,15 +1047,12 @@ export class ConnectionHandler { | ||||
|       } | ||||
|  | ||||
|       // Set connection timeout | ||||
|       record.cleanupTimer = this.timeoutManager.setupConnectionTimeout( | ||||
|         record, | ||||
|         (record, reason) => { | ||||
|           console.log( | ||||
|             `[${connectionId}] Connection from ${record.remoteIP} exceeded max lifetime, forcing cleanup.` | ||||
|           ); | ||||
|           this.connectionManager.initiateCleanupOnce(record, reason); | ||||
|         } | ||||
|       ); | ||||
|       record.cleanupTimer = this.timeoutManager.setupConnectionTimeout(record, (record, reason) => { | ||||
|         console.log( | ||||
|           `[${connectionId}] Connection from ${record.remoteIP} exceeded max lifetime, forcing cleanup.` | ||||
|         ); | ||||
|         this.connectionManager.initiateCleanupOnce(record, reason); | ||||
|       }); | ||||
|  | ||||
|       // Mark TLS handshake as complete for TLS connections | ||||
|       if (record.isTLS) { | ||||
| @@ -979,4 +1066,4 @@ export class ConnectionHandler { | ||||
|       } | ||||
|     }); | ||||
|   } | ||||
| } | ||||
| } | ||||
|   | ||||
| @@ -104,6 +104,7 @@ export interface IConnectionRecord { | ||||
|   lockedDomain?: string; // Used to lock this connection to the initial SNI | ||||
|   connectionClosed: boolean; // Flag to prevent multiple cleanup attempts | ||||
|   cleanupTimer?: NodeJS.Timeout; // Timer for max lifetime/inactivity | ||||
|   alertFallbackTimeout?: NodeJS.Timeout; // Timer for fallback after alert | ||||
|   lastActivity: number; // Last activity timestamp for inactivity detection | ||||
|   pendingData: Buffer[]; // Buffer to hold data during connection setup | ||||
|   pendingDataSize: number; // Track total size of pending data | ||||
|   | ||||
| @@ -22,27 +22,6 @@ export class SniHandler { | ||||
|   private static fragmentedBuffers: Map<string, Buffer> = new Map(); | ||||
|   private static fragmentTimeout: number = 1000; // ms to wait for fragments before cleanup | ||||
|  | ||||
|   /** | ||||
|    * Extract the client random value from a ClientHello message | ||||
|    * | ||||
|    * @param buffer - The buffer containing the ClientHello | ||||
|    * @returns The 32-byte client random or undefined if extraction fails | ||||
|    */ | ||||
|   private static extractClientRandom(buffer: Buffer): Buffer | undefined { | ||||
|     try { | ||||
|       if (!this.isClientHello(buffer) || buffer.length < 46) { | ||||
|         return undefined; | ||||
|       } | ||||
|  | ||||
|       // In a ClientHello message, the client random starts at position 11 | ||||
|       // after record header (5 bytes), handshake type (1 byte), | ||||
|       // handshake length (3 bytes), and client version (2 bytes) | ||||
|       return buffer.slice(11, 11 + 32); | ||||
|     } catch (error) { | ||||
|       return undefined; | ||||
|     } | ||||
|   } | ||||
|  | ||||
|   /** | ||||
|    * Checks if a buffer contains a TLS handshake message (record type 22) | ||||
|    * @param buffer - The buffer to check | ||||
| @@ -1174,7 +1153,7 @@ export class SniHandler { | ||||
|    * | ||||
|    * The method uses connection tracking to handle fragmented ClientHello | ||||
|    * messages and various TLS 1.3 behaviors, including Chrome's connection | ||||
|    * racing patterns. | ||||
|    * racing patterns and tab reactivation behaviors. | ||||
|    * | ||||
|    * @param buffer - The buffer containing TLS data | ||||
|    * @param connectionInfo - Connection metadata (IPs and ports) | ||||
| @@ -1217,7 +1196,7 @@ export class SniHandler { | ||||
|  | ||||
|     // Handle application data with cached SNI (for connection racing) | ||||
|     if (this.isTlsApplicationData(buffer)) { | ||||
|       // First check if explicit cachedSni was provided | ||||
|       // If explicit cachedSni was provided, use it | ||||
|       if (cachedSni) { | ||||
|         log(`Using provided cached SNI for application data: ${cachedSni}`); | ||||
|         return cachedSni; | ||||
|   | ||||
							
								
								
									
										258
									
								
								ts/classes.pp.tlsalert.ts
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										258
									
								
								ts/classes.pp.tlsalert.ts
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,258 @@ | ||||
| import * as net from 'net'; | ||||
|  | ||||
| /** | ||||
|  * TlsAlert class for managing TLS alert messages | ||||
|  */ | ||||
| export class TlsAlert { | ||||
|   // TLS Alert Levels | ||||
|   static readonly LEVEL_WARNING = 0x01; | ||||
|   static readonly LEVEL_FATAL = 0x02; | ||||
|    | ||||
|   // TLS Alert Description Codes - RFC 8446 (TLS 1.3) / RFC 5246 (TLS 1.2) | ||||
|   static readonly CLOSE_NOTIFY = 0x00; | ||||
|   static readonly UNEXPECTED_MESSAGE = 0x0A; | ||||
|   static readonly BAD_RECORD_MAC = 0x14; | ||||
|   static readonly DECRYPTION_FAILED = 0x15; // TLS 1.0 only | ||||
|   static readonly RECORD_OVERFLOW = 0x16; | ||||
|   static readonly DECOMPRESSION_FAILURE = 0x1E; // TLS 1.2 and below | ||||
|   static readonly HANDSHAKE_FAILURE = 0x28; | ||||
|   static readonly NO_CERTIFICATE = 0x29; // SSLv3 only | ||||
|   static readonly BAD_CERTIFICATE = 0x2A; | ||||
|   static readonly UNSUPPORTED_CERTIFICATE = 0x2B; | ||||
|   static readonly CERTIFICATE_REVOKED = 0x2C; | ||||
|   static readonly CERTIFICATE_EXPIRED = 0x2F; | ||||
|   static readonly CERTIFICATE_UNKNOWN = 0x30; | ||||
|   static readonly ILLEGAL_PARAMETER = 0x2F; | ||||
|   static readonly UNKNOWN_CA = 0x30; | ||||
|   static readonly ACCESS_DENIED = 0x31; | ||||
|   static readonly DECODE_ERROR = 0x32; | ||||
|   static readonly DECRYPT_ERROR = 0x33; | ||||
|   static readonly EXPORT_RESTRICTION = 0x3C; // TLS 1.0 only | ||||
|   static readonly PROTOCOL_VERSION = 0x46; | ||||
|   static readonly INSUFFICIENT_SECURITY = 0x47; | ||||
|   static readonly INTERNAL_ERROR = 0x50; | ||||
|   static readonly INAPPROPRIATE_FALLBACK = 0x56; | ||||
|   static readonly USER_CANCELED = 0x5A; | ||||
|   static readonly NO_RENEGOTIATION = 0x64; // TLS 1.2 and below | ||||
|   static readonly MISSING_EXTENSION = 0x6D; // TLS 1.3 | ||||
|   static readonly UNSUPPORTED_EXTENSION = 0x6E; // TLS 1.3 | ||||
|   static readonly CERTIFICATE_REQUIRED = 0x6F; // TLS 1.3 | ||||
|   static readonly UNRECOGNIZED_NAME = 0x70; | ||||
|   static readonly BAD_CERTIFICATE_STATUS_RESPONSE = 0x71; | ||||
|   static readonly BAD_CERTIFICATE_HASH_VALUE = 0x72; // TLS 1.2 and below | ||||
|   static readonly UNKNOWN_PSK_IDENTITY = 0x73; | ||||
|   static readonly CERTIFICATE_REQUIRED_1_3 = 0x74; // TLS 1.3 | ||||
|   static readonly NO_APPLICATION_PROTOCOL = 0x78; | ||||
|    | ||||
|   /** | ||||
|    * Create a TLS alert buffer with the specified level and description code | ||||
|    *  | ||||
|    * @param level Alert level (warning or fatal) | ||||
|    * @param description Alert description code | ||||
|    * @param tlsVersion TLS version bytes (default is TLS 1.2: 0x0303) | ||||
|    * @returns Buffer containing the TLS alert message | ||||
|    */ | ||||
|   static create( | ||||
|     level: number, | ||||
|     description: number, | ||||
|     tlsVersion: [number, number] = [0x03, 0x03] | ||||
|   ): Buffer { | ||||
|     return Buffer.from([ | ||||
|       0x15, // Alert record type | ||||
|       tlsVersion[0], | ||||
|       tlsVersion[1], // TLS version (default to TLS 1.2: 0x0303) | ||||
|       0x00, | ||||
|       0x02, // Length | ||||
|       level, // Alert level | ||||
|       description, // Alert description | ||||
|     ]); | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Create a warning-level TLS alert | ||||
|    *  | ||||
|    * @param description Alert description code | ||||
|    * @returns Buffer containing the warning-level TLS alert message | ||||
|    */ | ||||
|   static createWarning(description: number): Buffer { | ||||
|     return this.create(this.LEVEL_WARNING, description); | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Create a fatal-level TLS alert | ||||
|    *  | ||||
|    * @param description Alert description code | ||||
|    * @returns Buffer containing the fatal-level TLS alert message | ||||
|    */ | ||||
|   static createFatal(description: number): Buffer { | ||||
|     return this.create(this.LEVEL_FATAL, description); | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Send a TLS alert to a socket and optionally close the connection | ||||
|    *  | ||||
|    * @param socket The socket to send the alert to | ||||
|    * @param level Alert level (warning or fatal) | ||||
|    * @param description Alert description code | ||||
|    * @param closeAfterSend Whether to close the connection after sending the alert | ||||
|    * @param closeDelay Milliseconds to wait before closing the connection (default: 200ms) | ||||
|    * @returns Promise that resolves when the alert has been sent | ||||
|    */ | ||||
|   static async send( | ||||
|     socket: net.Socket, | ||||
|     level: number, | ||||
|     description: number, | ||||
|     closeAfterSend: boolean = false, | ||||
|     closeDelay: number = 200 | ||||
|   ): Promise<void> { | ||||
|     const alert = this.create(level, description); | ||||
|      | ||||
|     return new Promise<void>((resolve, reject) => { | ||||
|       try { | ||||
|         // Ensure the alert is written as a single packet | ||||
|         socket.cork(); | ||||
|         const writeSuccessful = socket.write(alert, (err) => { | ||||
|           if (err) { | ||||
|             reject(err); | ||||
|             return; | ||||
|           } | ||||
|            | ||||
|           if (closeAfterSend) { | ||||
|             setTimeout(() => { | ||||
|               socket.end(); | ||||
|               resolve(); | ||||
|             }, closeDelay); | ||||
|           } else { | ||||
|             resolve(); | ||||
|           } | ||||
|         }); | ||||
|         socket.uncork(); | ||||
|          | ||||
|         // If write wasn't successful immediately, wait for drain | ||||
|         if (!writeSuccessful && !closeAfterSend) { | ||||
|           socket.once('drain', () => { | ||||
|             resolve(); | ||||
|           }); | ||||
|         } | ||||
|       } catch (err) { | ||||
|         reject(err); | ||||
|       } | ||||
|     }); | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Pre-defined TLS alert messages | ||||
|    */ | ||||
|   static readonly alerts = { | ||||
|     // Warning level alerts | ||||
|     closeNotify: TlsAlert.createWarning(TlsAlert.CLOSE_NOTIFY), | ||||
|     unsupportedExtension: TlsAlert.createWarning(TlsAlert.UNSUPPORTED_EXTENSION), | ||||
|     certificateRequired: TlsAlert.createWarning(TlsAlert.CERTIFICATE_REQUIRED), | ||||
|     unrecognizedName: TlsAlert.createWarning(TlsAlert.UNRECOGNIZED_NAME), | ||||
|     noRenegotiation: TlsAlert.createWarning(TlsAlert.NO_RENEGOTIATION), | ||||
|     userCanceled: TlsAlert.createWarning(TlsAlert.USER_CANCELED), | ||||
|      | ||||
|     // Warning level alerts for session resumption | ||||
|     certificateExpiredWarning: TlsAlert.createWarning(TlsAlert.CERTIFICATE_EXPIRED), | ||||
|     handshakeFailureWarning: TlsAlert.createWarning(TlsAlert.HANDSHAKE_FAILURE), | ||||
|     insufficientSecurityWarning: TlsAlert.createWarning(TlsAlert.INSUFFICIENT_SECURITY), | ||||
|      | ||||
|     // Fatal level alerts | ||||
|     unexpectedMessage: TlsAlert.createFatal(TlsAlert.UNEXPECTED_MESSAGE), | ||||
|     badRecordMac: TlsAlert.createFatal(TlsAlert.BAD_RECORD_MAC), | ||||
|     recordOverflow: TlsAlert.createFatal(TlsAlert.RECORD_OVERFLOW), | ||||
|     handshakeFailure: TlsAlert.createFatal(TlsAlert.HANDSHAKE_FAILURE), | ||||
|     badCertificate: TlsAlert.createFatal(TlsAlert.BAD_CERTIFICATE), | ||||
|     certificateExpired: TlsAlert.createFatal(TlsAlert.CERTIFICATE_EXPIRED), | ||||
|     certificateUnknown: TlsAlert.createFatal(TlsAlert.CERTIFICATE_UNKNOWN), | ||||
|     illegalParameter: TlsAlert.createFatal(TlsAlert.ILLEGAL_PARAMETER), | ||||
|     unknownCA: TlsAlert.createFatal(TlsAlert.UNKNOWN_CA), | ||||
|     accessDenied: TlsAlert.createFatal(TlsAlert.ACCESS_DENIED), | ||||
|     decodeError: TlsAlert.createFatal(TlsAlert.DECODE_ERROR), | ||||
|     decryptError: TlsAlert.createFatal(TlsAlert.DECRYPT_ERROR), | ||||
|     protocolVersion: TlsAlert.createFatal(TlsAlert.PROTOCOL_VERSION), | ||||
|     insufficientSecurity: TlsAlert.createFatal(TlsAlert.INSUFFICIENT_SECURITY), | ||||
|     internalError: TlsAlert.createFatal(TlsAlert.INTERNAL_ERROR), | ||||
|     unrecognizedNameFatal: TlsAlert.createFatal(TlsAlert.UNRECOGNIZED_NAME), | ||||
|   }; | ||||
|    | ||||
|   /** | ||||
|    * Utility method to send a warning-level unrecognized_name alert | ||||
|    * Specifically designed for SNI issues to encourage the client to retry with SNI | ||||
|    *  | ||||
|    * @param socket The socket to send the alert to | ||||
|    * @returns Promise that resolves when the alert has been sent | ||||
|    */ | ||||
|   static async sendSniRequired(socket: net.Socket): Promise<void> { | ||||
|     return this.send(socket, this.LEVEL_WARNING, this.UNRECOGNIZED_NAME); | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Utility method to send a close_notify alert and close the connection | ||||
|    *  | ||||
|    * @param socket The socket to send the alert to | ||||
|    * @param closeDelay Milliseconds to wait before closing the connection (default: 200ms) | ||||
|    * @returns Promise that resolves when the alert has been sent and the connection closed | ||||
|    */ | ||||
|   static async sendCloseNotify(socket: net.Socket, closeDelay: number = 200): Promise<void> { | ||||
|     return this.send(socket, this.LEVEL_WARNING, this.CLOSE_NOTIFY, true, closeDelay); | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Utility method to send a certificate_expired alert to force new TLS session | ||||
|    *  | ||||
|    * @param socket The socket to send the alert to | ||||
|    * @param fatal Whether to send as a fatal alert (default: false) | ||||
|    * @param closeAfterSend Whether to close the connection after sending the alert (default: true) | ||||
|    * @param closeDelay Milliseconds to wait before closing the connection (default: 200ms) | ||||
|    * @returns Promise that resolves when the alert has been sent | ||||
|    */ | ||||
|   static async sendCertificateExpired( | ||||
|     socket: net.Socket, | ||||
|     fatal: boolean = false, | ||||
|     closeAfterSend: boolean = true, | ||||
|     closeDelay: number = 200 | ||||
|   ): Promise<void> { | ||||
|     const level = fatal ? this.LEVEL_FATAL : this.LEVEL_WARNING; | ||||
|     return this.send(socket, level, this.CERTIFICATE_EXPIRED, closeAfterSend, closeDelay); | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Send a sequence of alerts to force SNI from clients | ||||
|    * This combines multiple alerts to ensure maximum browser compatibility | ||||
|    *  | ||||
|    * @param socket The socket to send the alerts to | ||||
|    * @returns Promise that resolves when all alerts have been sent | ||||
|    */ | ||||
|   static async sendForceSniSequence(socket: net.Socket): Promise<void> { | ||||
|     try { | ||||
|       // Send unrecognized_name (warning) | ||||
|       socket.cork(); | ||||
|       socket.write(this.alerts.unrecognizedName); | ||||
|       socket.uncork(); | ||||
|        | ||||
|       // Give the socket time to send the alert | ||||
|       return new Promise((resolve) => { | ||||
|         setTimeout(resolve, 50); | ||||
|       }); | ||||
|     } catch (err) { | ||||
|       return Promise.reject(err); | ||||
|     } | ||||
|   } | ||||
|    | ||||
|   /** | ||||
|    * Send a fatal level alert that immediately terminates the connection | ||||
|    *  | ||||
|    * @param socket The socket to send the alert to | ||||
|    * @param description Alert description code | ||||
|    * @param closeDelay Milliseconds to wait before closing the connection (default: 100ms) | ||||
|    * @returns Promise that resolves when the alert has been sent and the connection closed | ||||
|    */ | ||||
|   static async sendFatalAndClose( | ||||
|     socket: net.Socket,  | ||||
|     description: number,  | ||||
|     closeDelay: number = 100 | ||||
|   ): Promise<void> { | ||||
|     return this.send(socket, this.LEVEL_FATAL, description, true, closeDelay); | ||||
|   } | ||||
| } | ||||
| @@ -1,6 +1,7 @@ | ||||
| export * from './classes.iptablesproxy.js'; | ||||
| export * from './classes.nftablesproxy.js'; | ||||
| export * from './classes.networkproxy.js'; | ||||
| export * from './classes.pp.portproxy.js'; | ||||
| export * from './classes.port80handler.js'; | ||||
| export * from './classes.sslredirect.js'; | ||||
| export * from './classes.pp.portproxy.js'; | ||||
| export * from './classes.pp.snihandler.js'; | ||||
| export * from './classes.pp.interfaces.js'; | ||||
|   | ||||
		Reference in New Issue
	
	Block a user