push.rocks/smartproxy
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
21.1.4
smartproxy/readme.md
Juergen Kunz 5fbcf81c2c
Some checks failed
Default (tags) / security (push) Successful in 1m2s
Details
Default (tags) / test (push) Failing after 46m14s
Details
Default (tags) / release (push) Has been skipped
Details
Default (tags) / metadata (push) Has been skipped
Details
fix(security): critical security and stability fixes
2025-08-14 14:30:54 +00:00

507 lines
14 KiB
Markdown
Raw Permalink Blame History

# @push.rocks/smartproxy 🚀
**The Swiss Army Knife of Node.js Proxies** - A unified, high-performance proxy toolkit that handles everything from simple HTTP forwarding to complex enterprise routing scenarios.
## 🎯 What is SmartProxy?
SmartProxy is a modern, production-ready proxy solution that brings order to the chaos of traffic management. Whether you're building microservices, deploying edge infrastructure, or need a battle-tested reverse proxy, SmartProxy has you covered.
### ⚡ Key Features
- **🔀 Unified Route-Based Configuration** - Clean match/action patterns for intuitive traffic routing
- **🔒 Automatic SSL/TLS with Let's Encrypt** - Zero-config HTTPS with automatic certificate provisioning
- **🎯 Flexible Matching Patterns** - Route by port, domain, path, client IP, TLS version, or custom logic
- **🚄 High-Performance Forwarding** - Choose between user-space or kernel-level (NFTables) forwarding
- **⚖️ Built-in Load Balancing** - Distribute traffic across multiple backends with health checks
- **🛡️ Enterprise Security** - IP filtering, rate limiting, authentication, and connection limits
- **🔌 WebSocket Support** - First-class WebSocket proxying with ping/pong management
- **🎮 Custom Socket Handlers** - Implement any protocol with full socket control
- **📊 Dynamic Port Management** - Add/remove ports at runtime without restarts
- **🔧 Protocol Detection** - Smart protocol detection for mixed-mode operation
## 📦 Installation
```bash
npm install @push.rocks/smartproxy
```
## 🚀 Quick Start
Let's get you up and running in 30 seconds:
```typescript
import { SmartProxy, createCompleteHttpsServer } from '@push.rocks/smartproxy';
// Create a proxy with automatic HTTPS
const proxy = new SmartProxy({
acme: {
email: 'ssl@example.com', // Your email for Let's Encrypt
useProduction: true // Use Let's Encrypt production servers
},
routes: [
// Complete HTTPS setup with one line
...createCompleteHttpsServer('app.example.com', {
host: 'localhost',
port: 3000
}, {
certificate: 'auto' // Magic! 🎩
})
]
});
await proxy.start();
console.log('🚀 Proxy running with automatic HTTPS!');
```
## 📚 Core Concepts
### 🏗️ Route-Based Architecture
SmartProxy uses a powerful match/action pattern that makes routing predictable and maintainable:
```typescript
{
match: {
ports: 443,
domains: 'api.example.com',
path: '/v1/*'
},
action: {
type: 'forward',
targets: [{ host: 'backend', port: 8080 }],
tls: { mode: 'terminate', certificate: 'auto' }
}
}
```
Every route has:
- **Match criteria** - What traffic to capture
- **Action** - What to do with it
- **Security** (optional) - Access controls and limits
- **Metadata** (optional) - Name, priority, tags
## 💡 Common Use Cases
### 🌐 Simple HTTP to HTTPS Redirect
```typescript
import { SmartProxy, createHttpToHttpsRedirect } from '@push.rocks/smartproxy';
const proxy = new SmartProxy({
routes: [
// Redirect all HTTP traffic to HTTPS
createHttpToHttpsRedirect(['example.com', '*.example.com'])
]
});
```
### ⚖️ Load Balancer with Health Checks
```typescript
import { createLoadBalancerRoute } from '@push.rocks/smartproxy';
const route = createLoadBalancerRoute(
'app.example.com',
[
{ host: 'server1.internal', port: 8080 },
{ host: 'server2.internal', port: 8080 },
{ host: 'server3.internal', port: 8080 }
],
{
tls: { mode: 'terminate', certificate: 'auto' },
loadBalancing: {
algorithm: 'round-robin',
healthCheck: {
path: '/health',
interval: 30000,
timeout: 5000
}
}
}
);
```
### 🔌 WebSocket Proxy
```typescript
import { createWebSocketRoute } from '@push.rocks/smartproxy';
const route = createWebSocketRoute(
'ws.example.com',
{ host: 'websocket-server', port: 8080 },
{
path: '/socket',
useTls: true,
certificate: 'auto',
pingInterval: 30000 // Keep connections alive
}
);
```
### 🚦 API Gateway with Rate Limiting
```typescript
import { createApiGatewayRoute, addRateLimiting } from '@push.rocks/smartproxy';
let route = createApiGatewayRoute(
'api.example.com',
'/api',
{ host: 'api-backend', port: 8080 },
{
useTls: true,
certificate: 'auto',
addCorsHeaders: true
}
);
// Add rate limiting
route = addRateLimiting(route, {
maxRequests: 100,
window: 60, // seconds
keyBy: 'ip'
});
```
### 🎮 Custom Protocol Handler
```typescript
import { createSocketHandlerRoute, SocketHandlers } from '@push.rocks/smartproxy';
// Pre-built handlers
const echoRoute = createSocketHandlerRoute(
'echo.example.com',
7777,
SocketHandlers.echo
);
// Custom handler
const customRoute = createSocketHandlerRoute(
'custom.example.com',
9999,
async (socket, context) => {
console.log(`Connection from ${context.clientIp}`);
socket.write('Welcome to my custom protocol!\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command === 'HELLO') {
socket.write('World!\n');
} else if (command === 'EXIT') {
socket.end('Goodbye!\n');
}
});
}
);
```
### ⚡ High-Performance NFTables Forwarding
For ultra-low latency, use kernel-level forwarding (Linux only, requires root):
```typescript
import { createNfTablesTerminateRoute } from '@push.rocks/smartproxy';
const route = createNfTablesTerminateRoute(
'fast.example.com',
{ host: 'backend', port: 8080 },
{
ports: 443,
certificate: 'auto',
preserveSourceIP: true,
maxRate: '1gbps'
}
);
```
## 🔧 Advanced Features
### 🎯 Dynamic Routing
Route traffic based on runtime conditions:
```typescript
{
match: {
ports: 443,
customMatcher: async (context) => {
// Route based on time of day
const hour = new Date().getHours();
return hour >= 9 && hour < 17; // Business hours only
}
},
action: {
type: 'forward',
targets: [{
host: (context) => {
// Dynamic host selection
return context.path.startsWith('/premium')
? 'premium-backend'
: 'standard-backend';
},
port: 8080
}]
}
}
```
### 🔒 Security Controls
Comprehensive security options per route:
```typescript
{
security: {
// IP-based access control
ipAllowList: ['10.0.0.0/8', '192.168.*'],
ipBlockList: ['192.168.1.100'],
// Connection limits
maxConnections: 1000,
maxConnectionsPerIp: 10,
// Rate limiting
rateLimit: {
maxRequests: 100,
windowMs: 60000
},
// Authentication
authentication: {
type: 'jwt',
secret: process.env.JWT_SECRET,
algorithms: ['HS256']
}
}
}
```
### 📊 Runtime Management
Control your proxy without restarts:
```typescript
// Add/remove ports dynamically
await proxy.addListeningPort(8443);
await proxy.removeListeningPort(8080);
// Update routes on the fly
await proxy.updateRoutes([...newRoutes]);
// Monitor status
const status = proxy.getStatus();
const metrics = proxy.getMetrics();
// Certificate management
await proxy.renewCertificate('example.com');
const certInfo = proxy.getCertificateInfo('example.com');
```
### 🔄 Header Manipulation
Transform requests and responses:
```typescript
{
action: {
headers: {
request: {
'X-Real-IP': '{clientIp}', // Template variables
'X-Request-ID': '{uuid}',
'X-Custom': 'value'
},
response: {
'X-Powered-By': 'SmartProxy',
'Strict-Transport-Security': 'max-age=31536000',
'X-Frame-Options': 'DENY'
}
}
}
}
```
## 🏛️ Architecture
SmartProxy is built with a modular, extensible architecture:
```
SmartProxy
├── 📋 Route Manager # Route matching and prioritization
├── 🔌 Port Manager # Dynamic port lifecycle
├── 🔒 Certificate Manager # ACME/Let's Encrypt automation
├── 🚦 Connection Manager # Connection pooling and limits
├── 📊 Metrics Collector # Performance monitoring
├── 🛡️ Security Manager # Access control and rate limiting
└── 🔧 Protocol Detectors # Smart protocol identification
```
## 🎯 Route Configuration Reference
### Match Criteria
```typescript
interface IRouteMatch {
ports: number | number[] | string; // 80, [80, 443], '8000-8999'
domains?: string | string[]; // 'example.com', '*.example.com'
path?: string; // '/api/*', '/users/:id'
clientIp?: string | string[]; // '10.0.0.0/8', ['192.168.*']
protocol?: 'tcp' | 'udp' | 'http' | 'https' | 'ws' | 'wss';
tlsVersion?: string | string[]; // ['TLSv1.2', 'TLSv1.3']
customMatcher?: (context) => boolean; // Custom logic
}
```
### Action Types
```typescript
interface IRouteAction {
type: 'forward' | 'redirect' | 'block' | 'socket-handler';
// For 'forward'
targets?: Array<{
host: string | string[] | ((context) => string);
port: number | ((context) => number);
}>;
// For 'redirect'
redirectUrl?: string; // With {domain}, {path}, {clientIp} templates
redirectCode?: number; // 301, 302, etc.
// For 'socket-handler'
socketHandler?: (socket, context) => void | Promise<void>;
// TLS options
tls?: {
mode: 'terminate' | 'passthrough' | 'terminate-and-reencrypt';
certificate: 'auto' | { key: string; cert: string };
};
// WebSocket options
websocket?: {
enabled: boolean;
pingInterval?: number;
pingTimeout?: number;
};
}
```
## 🐛 Troubleshooting
### Certificate Issues
- ✅ Ensure domain points to your server
- ✅ Port 80 must be accessible for ACME challenges
- ✅ Check DNS propagation with `nslookup`
- ✅ Verify email in ACME configuration
### Connection Problems
- ✅ Check route priorities (higher = matched first)
- ✅ Verify security rules aren't blocking
- ✅ Test with `curl -v` for detailed output
- ✅ Enable debug mode for verbose logging
### Performance Tuning
- ✅ Use NFTables for high-traffic routes
- ✅ Enable connection pooling
- ✅ Adjust keep-alive settings
- ✅ Monitor with built-in metrics
### Debug Mode
```typescript
const proxy = new SmartProxy({
debug: true, // Enable verbose logging
routes: [...]
});
```
## 🚀 Migration from v20.x to v21.x
No breaking changes! v21.x adds enhanced socket cleanup, improved connection tracking, and better process exit handling.
## 🏆 Best Practices
1. **📝 Use Helper Functions** - They provide sensible defaults and prevent errors
2. **🎯 Set Route Priorities** - More specific routes should have higher priority
3. **🔒 Always Enable Security** - Use IP filtering and rate limiting for public services
4. **📊 Monitor Performance** - Use metrics to identify bottlenecks
5. **🔄 Regular Certificate Checks** - Monitor expiration and renewal status
6. **🛑 Graceful Shutdown** - Always call `proxy.stop()` for clean shutdown
7. **🎮 Test Your Routes** - Use the route testing utilities before production
## 📖 API Documentation
### SmartProxy Class
```typescript
class SmartProxy {
constructor(options: IRoutedSmartProxyOptions);
// Lifecycle
start(): Promise<void>;
stop(): Promise<void>;
// Route Management
updateRoutes(routes: IRouteConfig[]): Promise<void>;
addRoute(route: IRouteConfig): Promise<void>;
removeRoute(routeName: string): Promise<void>;
findMatchingRoute(context: Partial<IRouteContext>): IRouteConfig | null;
// Port Management
addListeningPort(port: number): Promise<void>;
removeListeningPort(port: number): Promise<void>;
getListeningPorts(): number[];
// Certificate Management
getCertificateInfo(domain: string): ICertificateInfo | null;
renewCertificate(domain: string): Promise<void>;
// Monitoring
getStatus(): IProxyStatus;
getMetrics(): IProxyMetrics;
}
```
### Helper Functions
All helper functions are fully typed and documented. Import them from the main package:
```typescript
import {
createHttpRoute,
createHttpsTerminateRoute,
createHttpsPassthroughRoute,
createHttpToHttpsRedirect,
createCompleteHttpsServer,
createLoadBalancerRoute,
createApiRoute,
createWebSocketRoute,
createSocketHandlerRoute,
createNfTablesRoute,
createPortMappingRoute,
createDynamicRoute,
createApiGatewayRoute,
addRateLimiting,
addBasicAuth,
addJwtAuth,
SocketHandlers
} from '@push.rocks/smartproxy';
```
## License and Legal Information
This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
### Trademarks
This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.
### Company Information
Task Venture Capital GmbH
Registered at District court Bremen HRB 35230 HB, Germany
For any legal inquiries or if you require further information, please contact us via email at hello@task.vc.
By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
Reference in New Issue View Git Blame Copy Permalink