220 lines
8.2 KiB
Markdown
220 lines
8.2 KiB
Markdown
# @push.rocks/smartproxy
|
|
|
|
A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.
|
|
|
|
## Features
|
|
|
|
- **HTTPS Reverse Proxy** - Route traffic to backend services based on hostname with TLS termination
|
|
- **WebSocket Support** - Full WebSocket proxying with heartbeat monitoring
|
|
- **TCP Port Forwarding** - Advanced port forwarding with SNI inspection and domain-based routing
|
|
- **HTTP to HTTPS Redirection** - Automatically redirect HTTP requests to HTTPS
|
|
- **Let's Encrypt Integration** - Automatic certificate management using ACME protocol
|
|
- **IP Filtering** - Control access with IP allow/block lists using glob patterns
|
|
- **IPTables Integration** - Direct manipulation of iptables for low-level port forwarding
|
|
- **Basic Authentication** - Support for basic auth on proxied routes
|
|
- **Connection Management** - Intelligent connection tracking and cleanup
|
|
|
|
## Installation
|
|
|
|
```bash
|
|
npm install @push.rocks/smartproxy
|
|
```
|
|
|
|
## Usage
|
|
|
|
### Basic Reverse Proxy Setup
|
|
|
|
```typescript
|
|
import { NetworkProxy } from '@push.rocks/smartproxy';
|
|
|
|
// Create a reverse proxy listening on port 443
|
|
const proxy = new NetworkProxy({
|
|
port: 443
|
|
});
|
|
|
|
// Define reverse proxy configurations
|
|
const proxyConfigs = [
|
|
{
|
|
hostName: 'example.com',
|
|
destinationIp: '127.0.0.1',
|
|
destinationPort: 3000,
|
|
publicKey: 'your-cert-content',
|
|
privateKey: 'your-key-content'
|
|
},
|
|
{
|
|
hostName: 'api.example.com',
|
|
destinationIp: '127.0.0.1',
|
|
destinationPort: 4000,
|
|
publicKey: 'your-cert-content',
|
|
privateKey: 'your-key-content',
|
|
// Optional basic auth
|
|
authentication: {
|
|
type: 'Basic',
|
|
user: 'admin',
|
|
pass: 'secret'
|
|
}
|
|
}
|
|
];
|
|
|
|
// Start the proxy and update configurations
|
|
(async () => {
|
|
await proxy.start();
|
|
await proxy.updateProxyConfigs(proxyConfigs);
|
|
|
|
// Add default headers to all responses
|
|
await proxy.addDefaultHeaders({
|
|
'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload'
|
|
});
|
|
})();
|
|
```
|
|
|
|
### HTTP to HTTPS Redirection
|
|
|
|
```typescript
|
|
import { SslRedirect } from '@push.rocks/smartproxy';
|
|
|
|
// Create and start HTTP to HTTPS redirect service on port 80
|
|
const redirector = new SslRedirect(80);
|
|
redirector.start();
|
|
```
|
|
|
|
### TCP Port Forwarding with Domain-based Routing
|
|
|
|
```typescript
|
|
import { PortProxy } from '@push.rocks/smartproxy';
|
|
|
|
// Configure port proxy with domain-based routing
|
|
const portProxy = new PortProxy({
|
|
fromPort: 443,
|
|
toPort: 8443,
|
|
targetIP: 'localhost', // Default target host
|
|
sniEnabled: true, // Enable SNI inspection
|
|
globalPortRanges: [{ from: 443, to: 443 }],
|
|
defaultAllowedIPs: ['*'], // Allow all IPs by default
|
|
domainConfigs: [
|
|
{
|
|
domains: ['example.com', '*.example.com'], // Glob patterns for matching domains
|
|
allowedIPs: ['192.168.1.*'], // Restrict access by IP
|
|
blockedIPs: ['192.168.1.100'], // Block specific IPs
|
|
targetIPs: ['10.0.0.1', '10.0.0.2'], // Round-robin between multiple targets
|
|
portRanges: [{ from: 443, to: 443 }]
|
|
}
|
|
],
|
|
maxConnectionLifetime: 3600000, // 1 hour in milliseconds
|
|
preserveSourceIP: true
|
|
});
|
|
|
|
portProxy.start();
|
|
```
|
|
|
|
### IPTables Port Forwarding
|
|
|
|
```typescript
|
|
import { IPTablesProxy } from '@push.rocks/smartproxy';
|
|
|
|
// Configure IPTables to forward from port 80 to 8080
|
|
const iptables = new IPTablesProxy({
|
|
fromPort: 80,
|
|
toPort: 8080,
|
|
toHost: 'localhost',
|
|
preserveSourceIP: true,
|
|
deleteOnExit: true // Automatically clean up rules on process exit
|
|
});
|
|
|
|
iptables.start();
|
|
```
|
|
|
|
### Automatic HTTPS Certificate Management
|
|
|
|
```typescript
|
|
import { Port80Handler } from '@push.rocks/smartproxy';
|
|
|
|
// Create an ACME handler for Let's Encrypt
|
|
const acmeHandler = new Port80Handler();
|
|
|
|
// Add domains to manage certificates for
|
|
acmeHandler.addDomain('example.com');
|
|
acmeHandler.addDomain('api.example.com');
|
|
```
|
|
|
|
## Configuration Options
|
|
|
|
### NetworkProxy Options
|
|
|
|
| Option | Description | Default |
|
|
|----------------|---------------------------------------------------|---------|
|
|
| `port` | Port to listen on for HTTPS connections | - |
|
|
|
|
### PortProxy Settings
|
|
|
|
| Option | Description | Default |
|
|
|--------------------------|--------------------------------------------------------|-------------|
|
|
| `fromPort` | Port to listen on | - |
|
|
| `toPort` | Destination port to forward to | - |
|
|
| `targetIP` | Default destination IP if not specified in domainConfig | 'localhost' |
|
|
| `sniEnabled` | Enable SNI inspection for TLS connections | false |
|
|
| `defaultAllowedIPs` | IP patterns allowed by default | - |
|
|
| `defaultBlockedIPs` | IP patterns blocked by default | - |
|
|
| `preserveSourceIP` | Preserve the original client IP | false |
|
|
| `maxConnectionLifetime` | Maximum time in ms to keep a connection open | 600000 |
|
|
| `globalPortRanges` | Array of port ranges to listen on | - |
|
|
| `forwardAllGlobalRanges` | Forward all global range connections to targetIP | false |
|
|
| `gracefulShutdownTimeout`| Time in ms to wait during shutdown | 30000 |
|
|
|
|
### IPTablesProxy Settings
|
|
|
|
| Option | Description | Default |
|
|
|-------------------|---------------------------------------------|-------------|
|
|
| `fromPort` | Source port to forward from | - |
|
|
| `toPort` | Destination port to forward to | - |
|
|
| `toHost` | Destination host to forward to | 'localhost' |
|
|
| `preserveSourceIP`| Preserve the original client IP | false |
|
|
| `deleteOnExit` | Remove iptables rules when process exits | false |
|
|
|
|
## Advanced Features
|
|
|
|
### Connection Management and Monitoring
|
|
|
|
The `PortProxy` class includes built-in connection tracking and monitoring:
|
|
|
|
- Automatic cleanup of idle connections
|
|
- Timeouts for connections that exceed maximum lifetime
|
|
- Detailed logging of connection states
|
|
- Termination statistics
|
|
|
|
### WebSocket Support
|
|
|
|
The `NetworkProxy` class provides WebSocket support with:
|
|
|
|
- WebSocket connection proxying
|
|
- Automatic heartbeat monitoring
|
|
- Connection cleanup for inactive WebSockets
|
|
|
|
### SNI-based Routing
|
|
|
|
The `PortProxy` class can inspect the SNI (Server Name Indication) field in TLS handshakes to route connections based on the requested domain:
|
|
|
|
- Multiple backend targets per domain
|
|
- Round-robin load balancing
|
|
- Domain-specific allowed IP ranges
|
|
- Protection against SNI renegotiation attacks
|
|
|
|
## License and Legal Information
|
|
|
|
This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository.
|
|
|
|
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
|
|
|
|
### Trademarks
|
|
|
|
This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.
|
|
|
|
### Company Information
|
|
|
|
Task Venture Capital GmbH
|
|
Registered at District court Bremen HRB 35230 HB, Germany
|
|
|
|
For any legal inquiries or if you require further information, please contact us via email at hello@task.vc.
|
|
|
|
By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
|