feat(security): add managed security policies with IP intelligence and remote ingress firewall propagation
This commit is contained in:
+91
-3
@@ -27,12 +27,13 @@ import { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
|
||||
import { VpnManager, type IVpnManagerConfig } from './vpn/index.js';
|
||||
import { RouteConfigManager, ApiTokenManager, ReferenceResolver, DbSeeder, TargetProfileManager } from './config/index.js';
|
||||
import type { TIpAllowEntry } from './config/classes.route-config-manager.js';
|
||||
import { SecurityLogger, ContentScanner, IPReputationChecker } from './security/index.js';
|
||||
import { SecurityLogger, ContentScanner, IPReputationChecker, SecurityPolicyManager } from './security/index.js';
|
||||
import { type IHttp3Config, augmentRoutesWithHttp3 } from './http3/index.js';
|
||||
import { DnsManager } from './dns/manager.dns.js';
|
||||
import { AcmeConfigManager } from './acme/manager.acme-config.js';
|
||||
import { EmailDomainManager, SmartMtaStorageManager, buildEmailDnsRecords } from './email/index.js';
|
||||
import type { IRoute } from '../ts_interfaces/data/route-management.js';
|
||||
import type { ISecurityCompiledPolicy } from '../ts_interfaces/data/security-policy.js';
|
||||
|
||||
export interface IDcRouterOptions {
|
||||
/** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
|
||||
@@ -284,6 +285,7 @@ export class DcRouter {
|
||||
// ACME configuration (DB-backed singleton, replaces tls.contactEmail)
|
||||
public acmeConfigManager?: AcmeConfigManager;
|
||||
public emailDomainManager?: EmailDomainManager;
|
||||
public securityPolicyManager?: SecurityPolicyManager;
|
||||
|
||||
// Auto-discovered public IP (populated by generateAuthoritativeRecords)
|
||||
public detectedPublicIp: string | null = null;
|
||||
@@ -471,12 +473,36 @@ export class DcRouter {
|
||||
);
|
||||
}
|
||||
|
||||
// SecurityPolicyManager: optional, depends on DcRouterDb — owns IP intelligence
|
||||
// and compiles the global block policy for SmartProxy and remote ingress edges.
|
||||
if (this.options.dbConfig?.enabled !== false) {
|
||||
this.serviceManager.addService(
|
||||
new plugins.taskbuffer.Service('SecurityPolicyManager')
|
||||
.optional()
|
||||
.dependsOn('DcRouterDb')
|
||||
.withStart(async () => {
|
||||
this.securityPolicyManager = new SecurityPolicyManager({
|
||||
onPolicyChanged: () => this.applySecurityPolicy(),
|
||||
});
|
||||
await this.securityPolicyManager.start();
|
||||
})
|
||||
.withStop(async () => {
|
||||
if (this.securityPolicyManager) {
|
||||
await this.securityPolicyManager.stop();
|
||||
this.securityPolicyManager = undefined;
|
||||
}
|
||||
})
|
||||
.withRetry({ maxRetries: 1, baseDelayMs: 500 }),
|
||||
);
|
||||
}
|
||||
|
||||
// SmartProxy: critical, depends on DcRouterDb + DnsManager + AcmeConfigManager (if enabled)
|
||||
const smartProxyDeps: string[] = [];
|
||||
if (this.options.dbConfig?.enabled !== false) {
|
||||
smartProxyDeps.push('DcRouterDb');
|
||||
smartProxyDeps.push('DnsManager');
|
||||
smartProxyDeps.push('AcmeConfigManager');
|
||||
smartProxyDeps.push('SecurityPolicyManager');
|
||||
}
|
||||
this.serviceManager.addService(
|
||||
new plugins.taskbuffer.Service('SmartProxy')
|
||||
@@ -971,6 +997,12 @@ export class DcRouter {
|
||||
logger.log('info', 'HTTP/3: Augmented qualifying HTTPS routes with QUIC/H3 configuration');
|
||||
}
|
||||
|
||||
const compiledSecurityPolicy = await this.securityPolicyManager?.compileSmartProxyPolicy();
|
||||
const mergedSecurityPolicy = this.mergeSecurityPolicies(
|
||||
(this.options.smartProxyConfig as any)?.securityPolicy,
|
||||
compiledSecurityPolicy,
|
||||
);
|
||||
|
||||
// If we have routes or need a basic SmartProxy instance, create it
|
||||
if (routes.length > 0 || this.options.smartProxyConfig) {
|
||||
logger.log('info', 'Setting up SmartProxy with combined configuration');
|
||||
@@ -1002,6 +1034,7 @@ export class DcRouter {
|
||||
// --- always set by dcrouter (after spread) ---
|
||||
routes,
|
||||
acme: acmeConfig,
|
||||
...(mergedSecurityPolicy ? { securityPolicy: mergedSecurityPolicy } as any : {}),
|
||||
certStore: {
|
||||
loadAll: async () => {
|
||||
const docs = await ProxyCertDoc.findAll();
|
||||
@@ -1244,8 +1277,60 @@ export class DcRouter {
|
||||
logger.log('info', `SmartProxy started with ${routes.length} routes`);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
public async applySecurityPolicy(): Promise<void> {
|
||||
if (!this.securityPolicyManager) {
|
||||
return;
|
||||
}
|
||||
|
||||
const compiledSmartProxyPolicy = await this.securityPolicyManager.compileSmartProxyPolicy();
|
||||
const mergedSecurityPolicy = this.mergeSecurityPolicies(
|
||||
(this.options.smartProxyConfig as any)?.securityPolicy,
|
||||
compiledSmartProxyPolicy,
|
||||
);
|
||||
|
||||
if (this.smartProxy && mergedSecurityPolicy) {
|
||||
const smartProxyWithPolicyApi = this.smartProxy as any;
|
||||
if (typeof smartProxyWithPolicyApi.updateSecurityPolicy === 'function') {
|
||||
await smartProxyWithPolicyApi.updateSecurityPolicy(mergedSecurityPolicy);
|
||||
}
|
||||
}
|
||||
|
||||
const firewallConfig = await this.securityPolicyManager.compileRemoteIngressFirewall();
|
||||
if (this.remoteIngressManager) {
|
||||
(this.remoteIngressManager as any).setFirewallConfig?.(firewallConfig);
|
||||
}
|
||||
if (this.tunnelManager) {
|
||||
await this.tunnelManager.syncAllowedEdges();
|
||||
}
|
||||
}
|
||||
|
||||
private mergeSecurityPolicies(
|
||||
...policies: Array<Partial<ISecurityCompiledPolicy> | undefined>
|
||||
): ISecurityCompiledPolicy | undefined {
|
||||
const blockedIps = new Set<string>();
|
||||
const blockedCidrs = new Set<string>();
|
||||
|
||||
for (const policy of policies) {
|
||||
for (const ip of policy?.blockedIps || []) {
|
||||
if (ip) blockedIps.add(ip);
|
||||
}
|
||||
for (const cidr of policy?.blockedCidrs || []) {
|
||||
if (cidr) blockedCidrs.add(cidr);
|
||||
}
|
||||
}
|
||||
|
||||
if (blockedIps.size === 0 && blockedCidrs.size === 0) {
|
||||
return undefined;
|
||||
}
|
||||
|
||||
return {
|
||||
blockedIps: [...blockedIps].sort(),
|
||||
blockedCidrs: [...blockedCidrs].sort(),
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Generate SmartProxy routes for email configuration
|
||||
@@ -2232,6 +2317,9 @@ export class DcRouter {
|
||||
// Initialize the edge registration manager
|
||||
this.remoteIngressManager = new RemoteIngressManager();
|
||||
await this.remoteIngressManager.initialize();
|
||||
this.remoteIngressManager.setFirewallConfig(
|
||||
await this.securityPolicyManager?.compileRemoteIngressFirewall(),
|
||||
);
|
||||
|
||||
// Pass current bootstrap routes so the manager can derive edge ports initially.
|
||||
// Once RouteConfigManager applies the full DB set, the onRoutesApplied callback
|
||||
|
||||
Reference in New Issue
Block a user