# @push.rocks/smartproxy 🚀 **The Swiss Army Knife of Node.js Proxies** - A unified, high-performance proxy toolkit that handles everything from simple HTTP forwarding to complex enterprise routing scenarios. ## 🎯 What is SmartProxy? SmartProxy is a modern, production-ready proxy solution that brings order to the chaos of traffic management. Whether you're building microservices, deploying edge infrastructure, or need a battle-tested reverse proxy, SmartProxy has you covered. ### ⚡ Key Features - **🔀 Unified Route-Based Configuration** - Clean match/action patterns for intuitive traffic routing - **🔒 Automatic SSL/TLS with Let's Encrypt** - Zero-config HTTPS with automatic certificate provisioning - **🎯 Flexible Matching Patterns** - Route by port, domain, path, client IP, TLS version, or custom logic - **🚄 High-Performance Forwarding** - Choose between user-space or kernel-level (NFTables) forwarding - **⚖️ Built-in Load Balancing** - Distribute traffic across multiple backends with health checks - **🛡️ Enterprise Security** - IP filtering, rate limiting, authentication, and connection limits - **🔌 WebSocket Support** - First-class WebSocket proxying with ping/pong management - **🎮 Custom Socket Handlers** - Implement any protocol with full socket control - **📊 Dynamic Port Management** - Add/remove ports at runtime without restarts - **🔧 Protocol Detection** - Smart protocol detection for mixed-mode operation ## 📦 Installation ```bash npm install @push.rocks/smartproxy ``` ## 🚀 Quick Start Let's get you up and running in 30 seconds: ```typescript import { SmartProxy, createCompleteHttpsServer } from '@push.rocks/smartproxy'; // Create a proxy with automatic HTTPS const proxy = new SmartProxy({ acme: { email: 'ssl@example.com', // Your email for Let's Encrypt useProduction: true // Use Let's Encrypt production servers }, routes: [ // Complete HTTPS setup with one line ...createCompleteHttpsServer('app.example.com', { host: 'localhost', port: 3000 }, { certificate: 'auto' // Magic! 🎩 }) ] }); await proxy.start(); console.log('🚀 Proxy running with automatic HTTPS!'); ``` ## 📚 Core Concepts ### 🏗️ Route-Based Architecture SmartProxy uses a powerful match/action pattern that makes routing predictable and maintainable: ```typescript { match: { ports: 443, domains: 'api.example.com', path: '/v1/*' }, action: { type: 'forward', targets: [{ host: 'backend', port: 8080 }], tls: { mode: 'terminate', certificate: 'auto' } } } ``` Every route has: - **Match criteria** - What traffic to capture - **Action** - What to do with it - **Security** (optional) - Access controls and limits - **Metadata** (optional) - Name, priority, tags ## 💡 Common Use Cases ### 🌐 Simple HTTP to HTTPS Redirect ```typescript import { SmartProxy, createHttpToHttpsRedirect } from '@push.rocks/smartproxy'; const proxy = new SmartProxy({ routes: [ // Redirect all HTTP traffic to HTTPS createHttpToHttpsRedirect(['example.com', '*.example.com']) ] }); ``` ### ⚖️ Load Balancer with Health Checks ```typescript import { createLoadBalancerRoute } from '@push.rocks/smartproxy'; const route = createLoadBalancerRoute( 'app.example.com', [ { host: 'server1.internal', port: 8080 }, { host: 'server2.internal', port: 8080 }, { host: 'server3.internal', port: 8080 } ], { tls: { mode: 'terminate', certificate: 'auto' }, loadBalancing: { algorithm: 'round-robin', healthCheck: { path: '/health', interval: 30000, timeout: 5000 } } } ); ``` ### 🔌 WebSocket Proxy ```typescript import { createWebSocketRoute } from '@push.rocks/smartproxy'; const route = createWebSocketRoute( 'ws.example.com', { host: 'websocket-server', port: 8080 }, { path: '/socket', useTls: true, certificate: 'auto', pingInterval: 30000 // Keep connections alive } ); ``` ### 🚦 API Gateway with Rate Limiting ```typescript import { createApiGatewayRoute, addRateLimiting } from '@push.rocks/smartproxy'; let route = createApiGatewayRoute( 'api.example.com', '/api', { host: 'api-backend', port: 8080 }, { useTls: true, certificate: 'auto', addCorsHeaders: true } ); // Add rate limiting route = addRateLimiting(route, { maxRequests: 100, window: 60, // seconds keyBy: 'ip' }); ``` ### 🎮 Custom Protocol Handler ```typescript import { createSocketHandlerRoute, SocketHandlers } from '@push.rocks/smartproxy'; // Pre-built handlers const echoRoute = createSocketHandlerRoute( 'echo.example.com', 7777, SocketHandlers.echo ); // Custom handler const customRoute = createSocketHandlerRoute( 'custom.example.com', 9999, async (socket, context) => { console.log(`Connection from ${context.clientIp}`); socket.write('Welcome to my custom protocol!\n'); socket.on('data', (data) => { const command = data.toString().trim(); if (command === 'HELLO') { socket.write('World!\n'); } else if (command === 'EXIT') { socket.end('Goodbye!\n'); } }); } ); ``` ### ⚡ High-Performance NFTables Forwarding For ultra-low latency, use kernel-level forwarding (Linux only, requires root): ```typescript import { createNfTablesTerminateRoute } from '@push.rocks/smartproxy'; const route = createNfTablesTerminateRoute( 'fast.example.com', { host: 'backend', port: 8080 }, { ports: 443, certificate: 'auto', preserveSourceIP: true, maxRate: '1gbps' } ); ``` ## 🔧 Advanced Features ### 🎯 Dynamic Routing Route traffic based on runtime conditions: ```typescript { match: { ports: 443, customMatcher: async (context) => { // Route based on time of day const hour = new Date().getHours(); return hour >= 9 && hour < 17; // Business hours only } }, action: { type: 'forward', targets: [{ host: (context) => { // Dynamic host selection return context.path.startsWith('/premium') ? 'premium-backend' : 'standard-backend'; }, port: 8080 }] } } ``` ### 🔒 Security Controls Comprehensive security options per route: ```typescript { security: { // IP-based access control ipAllowList: ['10.0.0.0/8', '192.168.*'], ipBlockList: ['192.168.1.100'], // Connection limits maxConnections: 1000, maxConnectionsPerIp: 10, // Rate limiting rateLimit: { maxRequests: 100, windowMs: 60000 }, // Authentication authentication: { type: 'jwt', secret: process.env.JWT_SECRET, algorithms: ['HS256'] } } } ``` ### 📊 Runtime Management Control your proxy without restarts: ```typescript // Add/remove ports dynamically await proxy.addListeningPort(8443); await proxy.removeListeningPort(8080); // Update routes on the fly await proxy.updateRoutes([...newRoutes]); // Monitor status const status = proxy.getStatus(); const metrics = proxy.getMetrics(); // Certificate management await proxy.renewCertificate('example.com'); const certInfo = proxy.getCertificateInfo('example.com'); ``` ### 🔄 Header Manipulation Transform requests and responses: ```typescript { action: { headers: { request: { 'X-Real-IP': '{clientIp}', // Template variables 'X-Request-ID': '{uuid}', 'X-Custom': 'value' }, response: { 'X-Powered-By': 'SmartProxy', 'Strict-Transport-Security': 'max-age=31536000', 'X-Frame-Options': 'DENY' } } } } ``` ## 🏛️ Architecture SmartProxy is built with a modular, extensible architecture: ``` SmartProxy ├── 📋 Route Manager # Route matching and prioritization ├── 🔌 Port Manager # Dynamic port lifecycle ├── 🔒 Certificate Manager # ACME/Let's Encrypt automation ├── 🚦 Connection Manager # Connection pooling and limits ├── 📊 Metrics Collector # Performance monitoring ├── 🛡️ Security Manager # Access control and rate limiting └── 🔧 Protocol Detectors # Smart protocol identification ``` ## 🎯 Route Configuration Reference ### Match Criteria ```typescript interface IRouteMatch { ports: number | number[] | string; // 80, [80, 443], '8000-8999' domains?: string | string[]; // 'example.com', '*.example.com' path?: string; // '/api/*', '/users/:id' clientIp?: string | string[]; // '10.0.0.0/8', ['192.168.*'] protocol?: 'tcp' | 'udp' | 'http' | 'https' | 'ws' | 'wss'; tlsVersion?: string | string[]; // ['TLSv1.2', 'TLSv1.3'] customMatcher?: (context) => boolean; // Custom logic } ``` ### Action Types ```typescript interface IRouteAction { type: 'forward' | 'redirect' | 'block' | 'socket-handler'; // For 'forward' targets?: Array<{ host: string | string[] | ((context) => string); port: number | ((context) => number); }>; // For 'redirect' redirectUrl?: string; // With {domain}, {path}, {clientIp} templates redirectCode?: number; // 301, 302, etc. // For 'socket-handler' socketHandler?: (socket, context) => void | Promise; // TLS options tls?: { mode: 'terminate' | 'passthrough' | 'terminate-and-reencrypt'; certificate: 'auto' | { key: string; cert: string }; }; // WebSocket options websocket?: { enabled: boolean; pingInterval?: number; pingTimeout?: number; }; } ``` ## 🐛 Troubleshooting ### Certificate Issues - ✅ Ensure domain points to your server - ✅ Port 80 must be accessible for ACME challenges - ✅ Check DNS propagation with `nslookup` - ✅ Verify email in ACME configuration ### Connection Problems - ✅ Check route priorities (higher = matched first) - ✅ Verify security rules aren't blocking - ✅ Test with `curl -v` for detailed output - ✅ Enable debug mode for verbose logging ### Performance Tuning - ✅ Use NFTables for high-traffic routes - ✅ Enable connection pooling - ✅ Adjust keep-alive settings - ✅ Monitor with built-in metrics ### Debug Mode ```typescript const proxy = new SmartProxy({ debug: true, // Enable verbose logging routes: [...] }); ``` ## 🚀 Migration from v20.x to v21.x No breaking changes! v21.x adds enhanced socket cleanup, improved connection tracking, and better process exit handling. ## 🏆 Best Practices 1. **📝 Use Helper Functions** - They provide sensible defaults and prevent errors 2. **🎯 Set Route Priorities** - More specific routes should have higher priority 3. **🔒 Always Enable Security** - Use IP filtering and rate limiting for public services 4. **📊 Monitor Performance** - Use metrics to identify bottlenecks 5. **🔄 Regular Certificate Checks** - Monitor expiration and renewal status 6. **🛑 Graceful Shutdown** - Always call `proxy.stop()` for clean shutdown 7. **🎮 Test Your Routes** - Use the route testing utilities before production ## 📖 API Documentation ### SmartProxy Class ```typescript class SmartProxy { constructor(options: IRoutedSmartProxyOptions); // Lifecycle start(): Promise; stop(): Promise; // Route Management updateRoutes(routes: IRouteConfig[]): Promise; addRoute(route: IRouteConfig): Promise; removeRoute(routeName: string): Promise; findMatchingRoute(context: Partial): IRouteConfig | null; // Port Management addListeningPort(port: number): Promise; removeListeningPort(port: number): Promise; getListeningPorts(): number[]; // Certificate Management getCertificateInfo(domain: string): ICertificateInfo | null; renewCertificate(domain: string): Promise; // Monitoring getStatus(): IProxyStatus; getMetrics(): IProxyMetrics; } ``` ### Helper Functions All helper functions are fully typed and documented. Import them from the main package: ```typescript import { createHttpRoute, createHttpsTerminateRoute, createHttpsPassthroughRoute, createHttpToHttpsRedirect, createCompleteHttpsServer, createLoadBalancerRoute, createApiRoute, createWebSocketRoute, createSocketHandlerRoute, createNfTablesRoute, createPortMappingRoute, createDynamicRoute, createApiGatewayRoute, addRateLimiting, addBasicAuth, addJwtAuth, SocketHandlers } from '@push.rocks/smartproxy'; ``` ## License and Legal Information This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file. ### Trademarks This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH. ### Company Information Task Venture Capital GmbH Registered at District court Bremen HRB 35230 HB, Germany For any legal inquiries or if you require further information, please contact us via email at hello@task.vc. By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.