npm - @push.rocks/smartproxy - Versions diffs - 12.0.0 → 13.1.2 - Mend

@push.rocks/smartproxy 12.0.0 → 13.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (258) hide show

package/dist_ts/proxies/smart-proxy/security-manager.js ADDED Viewed

@@ -0,0 +1,149 @@
+import * as plugins from '../../plugins.js';
+/**
+ * Handles security aspects like IP tracking, rate limiting, and authorization
+ */
+export class SecurityManager {
+    constructor(settings) {
+        this.settings = settings;
+        this.connectionsByIP = new Map();
+        this.connectionRateByIP = new Map();
+    }
+    /**
+     * Get connections count by IP
+     */
+    getConnectionCountByIP(ip) {
+        return this.connectionsByIP.get(ip)?.size || 0;
+    }
+    /**
+     * Check and update connection rate for an IP
+     * @returns true if within rate limit, false if exceeding limit
+     */
+    checkConnectionRate(ip) {
+        const now = Date.now();
+        const minute = 60 * 1000;
+        if (!this.connectionRateByIP.has(ip)) {
+            this.connectionRateByIP.set(ip, [now]);
+            return true;
+        }
+        // Get timestamps and filter out entries older than 1 minute
+        const timestamps = this.connectionRateByIP.get(ip).filter((time) => now - time < minute);
+        timestamps.push(now);
+        this.connectionRateByIP.set(ip, timestamps);
+        // Check if rate exceeds limit
+        return timestamps.length <= this.settings.connectionRateLimitPerMinute;
+    }
+    /**
+     * Track connection by IP
+     */
+    trackConnectionByIP(ip, connectionId) {
+        if (!this.connectionsByIP.has(ip)) {
+            this.connectionsByIP.set(ip, new Set());
+        }
+        this.connectionsByIP.get(ip).add(connectionId);
+    }
+    /**
+     * Remove connection tracking for an IP
+     */
+    removeConnectionByIP(ip, connectionId) {
+        if (this.connectionsByIP.has(ip)) {
+            const connections = this.connectionsByIP.get(ip);
+            connections.delete(connectionId);
+            if (connections.size === 0) {
+                this.connectionsByIP.delete(ip);
+            }
+        }
+    }
+    /**
+     * Check if an IP is authorized using forwarding security rules
+     *
+     * This method is used to determine if an IP is allowed to connect, based on security
+     * rules configured in the forwarding configuration. The allowed and blocked IPs are
+     * typically derived from domain.forwarding.security.allowedIps and blockedIps through
+     * DomainConfigManager.getEffectiveIPRules().
+     *
+     * @param ip - The IP address to check
+     * @param allowedIPs - Array of allowed IP patterns from forwarding.security.allowedIps
+     * @param blockedIPs - Array of blocked IP patterns from forwarding.security.blockedIps
+     * @returns true if IP is authorized, false if blocked
+     */
+    isIPAuthorized(ip, allowedIPs, blockedIPs = []) {
+        // Skip IP validation if allowedIPs is empty
+        if (!ip || (allowedIPs.length === 0 && blockedIPs.length === 0)) {
+            return true;
+        }
+        // First check if IP is blocked - blocked IPs take precedence
+        if (blockedIPs.length > 0 && this.isGlobIPMatch(ip, blockedIPs)) {
+            return false;
+        }
+        // Then check if IP is allowed
+        return this.isGlobIPMatch(ip, allowedIPs);
+    }
+    /**
+     * Check if the IP matches any of the glob patterns from security configuration
+     *
+     * This method checks IP addresses against glob patterns and handles IPv4/IPv6 normalization.
+     * It's used to implement IP filtering based on the forwarding.security configuration.
+     *
+     * @param ip - The IP address to check
+     * @param patterns - Array of glob patterns from forwarding.security.allowedIps or blockedIps
+     * @returns true if IP matches any pattern, false otherwise
+     */
+    isGlobIPMatch(ip, patterns) {
+        if (!ip || !patterns || patterns.length === 0)
+            return false;
+        // Handle IPv4/IPv6 normalization for proper matching
+        const normalizeIP = (ip) => {
+            if (!ip)
+                return [];
+            // Handle IPv4-mapped IPv6 addresses (::ffff:127.0.0.1)
+            if (ip.startsWith('::ffff:')) {
+                const ipv4 = ip.slice(7);
+                return [ip, ipv4];
+            }
+            // Handle IPv4 addresses by also checking IPv4-mapped form
+            if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
+                return [ip, `::ffff:${ip}`];
+            }
+            return [ip];
+        };
+        // Normalize the IP being checked
+        const normalizedIPVariants = normalizeIP(ip);
+        if (normalizedIPVariants.length === 0)
+            return false;
+        // Normalize the pattern IPs for consistent comparison
+        const expandedPatterns = patterns.flatMap(normalizeIP);
+        // Check for any match between normalized IP variants and patterns
+        return normalizedIPVariants.some((ipVariant) => expandedPatterns.some((pattern) => plugins.minimatch(ipVariant, pattern)));
+    }
+    /**
+     * Check if IP should be allowed considering connection rate and max connections
+     * @returns Object with result and reason
+     */
+    validateIP(ip) {
+        // Check connection count limit
+        if (this.settings.maxConnectionsPerIP &&
+            this.getConnectionCountByIP(ip) >= this.settings.maxConnectionsPerIP) {
+            return {
+                allowed: false,
+                reason: `Maximum connections per IP (${this.settings.maxConnectionsPerIP}) exceeded`
+            };
+        }
+        // Check connection rate limit
+        if (this.settings.connectionRateLimitPerMinute &&
+            !this.checkConnectionRate(ip)) {
+            return {
+                allowed: false,
+                reason: `Connection rate limit (${this.settings.connectionRateLimitPerMinute}/min) exceeded`
+            };
+        }
+        return { allowed: true };
+    }
+    /**
+     * Clears all IP tracking data (for shutdown)
+     */
+    clearIPTracking() {
+        this.connectionsByIP.clear();
+        this.connectionRateByIP.clear();
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2VjdXJpdHktbWFuYWdlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3RzL3Byb3hpZXMvc21hcnQtcHJveHkvc2VjdXJpdHktbWFuYWdlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEtBQUssT0FBTyxNQUFNLGtCQUFrQixDQUFDO0FBRzVDOztHQUVHO0FBQ0gsTUFBTSxPQUFPLGVBQWU7SUFJMUIsWUFBb0IsUUFBNEI7UUFBNUIsYUFBUSxHQUFSLFFBQVEsQ0FBb0I7UUFIeEMsb0JBQWUsR0FBNkIsSUFBSSxHQUFHLEVBQUUsQ0FBQztRQUN0RCx1QkFBa0IsR0FBMEIsSUFBSSxHQUFHLEVBQUUsQ0FBQztJQUVYLENBQUM7SUFFcEQ7O09BRUc7SUFDSSxzQkFBc0IsQ0FBQyxFQUFVO1FBQ3RDLE9BQU8sSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEVBQUUsSUFBSSxJQUFJLENBQUMsQ0FBQztJQUNqRCxDQUFDO0lBRUQ7OztPQUdHO0lBQ0ksbUJBQW1CLENBQUMsRUFBVTtRQUNuQyxNQUFNLEdBQUcsR0FBRyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7UUFDdkIsTUFBTSxNQUFNLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQztRQUV6QixJQUFJLENBQUMsSUFBSSxDQUFDLGtCQUFrQixDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDO1lBQ3JDLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxHQUFHLENBQUMsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztZQUN2QyxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFFRCw0REFBNEQ7UUFDNUQsTUFBTSxVQUFVLEdBQUcsSUFBSSxDQUFDLGtCQUFrQixDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUUsQ0FBQyxNQUFNLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLEdBQUcsR0FBRyxJQUFJLEdBQUcsTUFBTSxDQUFDLENBQUM7UUFDMUYsVUFBVSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUNyQixJQUFJLENBQUMsa0JBQWtCLENBQUMsR0FBRyxDQUFDLEVBQUUsRUFBRSxVQUFVLENBQUMsQ0FBQztRQUU1Qyw4QkFBOEI7UUFDOUIsT0FBTyxVQUFVLENBQUMsTUFBTSxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsNEJBQTZCLENBQUM7SUFDMUUsQ0FBQztJQUVEOztPQUVHO0lBQ0ksbUJBQW1CLENBQUMsRUFBVSxFQUFFLFlBQW9CO1FBQ3pELElBQUksQ0FBQyxJQUFJLENBQUMsZUFBZSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDO1lBQ2xDLElBQUksQ0FBQyxlQUFlLENBQUMsR0FBRyxDQUFDLEVBQUUsRUFBRSxJQUFJLEdBQUcsRUFBRSxDQUFDLENBQUM7UUFDMUMsQ0FBQztRQUNELElBQUksQ0FBQyxlQUFlLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBRSxDQUFDLEdBQUcsQ0FBQyxZQUFZLENBQUMsQ0FBQztJQUNsRCxDQUFDO0lBRUQ7O09BRUc7SUFDSSxvQkFBb0IsQ0FBQyxFQUFVLEVBQUUsWUFBb0I7UUFDMUQsSUFBSSxJQUFJLENBQUMsZUFBZSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDO1lBQ2pDLE1BQU0sV0FBVyxHQUFHLElBQUksQ0FBQyxlQUFlLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBRSxDQUFDO1lBQ2xELFdBQVcsQ0FBQyxNQUFNLENBQUMsWUFBWSxDQUFDLENBQUM7WUFDakMsSUFBSSxXQUFXLENBQUMsSUFBSSxLQUFLLENBQUMsRUFBRSxDQUFDO2dCQUMzQixJQUFJLENBQUMsZUFBZSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUMsQ0FBQztZQUNsQyxDQUFDO1FBQ0gsQ0FBQztJQUNILENBQUM7SUFFRDs7Ozs7Ozs7Ozs7O09BWUc7SUFDSSxjQUFjLENBQUMsRUFBVSxFQUFFLFVBQW9CLEVBQUUsYUFBdUIsRUFBRTtRQUMvRSw0Q0FBNEM7UUFDNUMsSUFBSSxDQUFDLEVBQUUsSUFBSSxDQUFDLFVBQVUsQ0FBQyxNQUFNLEtBQUssQ0FBQyxJQUFJLFVBQVUsQ0FBQyxNQUFNLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQztZQUNoRSxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFFRCw2REFBNkQ7UUFDN0QsSUFBSSxVQUFVLENBQUMsTUFBTSxHQUFHLENBQUMsSUFBSSxJQUFJLENBQUMsYUFBYSxDQUFDLEVBQUUsRUFBRSxVQUFVLENBQUMsRUFBRSxDQUFDO1lBQ2hFLE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztRQUVELDhCQUE4QjtRQUM5QixPQUFPLElBQUksQ0FBQyxhQUFhLENBQUMsRUFBRSxFQUFFLFVBQVUsQ0FBQyxDQUFDO0lBQzVDLENBQUM7SUFFRDs7Ozs7Ozs7O09BU0c7SUFDSyxhQUFhLENBQUMsRUFBVSxFQUFFLFFBQWtCO1FBQ2xELElBQUksQ0FBQyxFQUFFLElBQUksQ0FBQyxRQUFRLElBQUksUUFBUSxDQUFDLE1BQU0sS0FBSyxDQUFDO1lBQUUsT0FBTyxLQUFLLENBQUM7UUFFNUQscURBQXFEO1FBQ3JELE1BQU0sV0FBVyxHQUFHLENBQUMsRUFBVSxFQUFZLEVBQUU7WUFDM0MsSUFBSSxDQUFDLEVBQUU7Z0JBQUUsT0FBTyxFQUFFLENBQUM7WUFDbkIsdURBQXVEO1lBQ3ZELElBQUksRUFBRSxDQUFDLFVBQVUsQ0FBQyxTQUFTLENBQUMsRUFBRSxDQUFDO2dCQUM3QixNQUFNLElBQUksR0FBRyxFQUFFLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDO2dCQUN6QixPQUFPLENBQUMsRUFBRSxFQUFFLElBQUksQ0FBQyxDQUFDO1lBQ3BCLENBQUM7WUFDRCwwREFBMEQ7WUFDMUQsSUFBSSx5QkFBeUIsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLEVBQUUsQ0FBQztnQkFDdkMsT0FBTyxDQUFDLEVBQUUsRUFBRSxVQUFVLEVBQUUsRUFBRSxDQUFDLENBQUM7WUFDOUIsQ0FBQztZQUNELE9BQU8sQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUNkLENBQUMsQ0FBQztRQUVGLGlDQUFpQztRQUNqQyxNQUFNLG9CQUFvQixHQUFHLFdBQVcsQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUM3QyxJQUFJLG9CQUFvQixDQUFDLE1BQU0sS0FBSyxDQUFDO1lBQUUsT0FBTyxLQUFLLENBQUM7UUFFcEQsc0RBQXNEO1FBQ3RELE1BQU0sZ0JBQWdCLEdBQUcsUUFBUSxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUV2RCxrRUFBa0U7UUFDbEUsT0FBTyxvQkFBb0IsQ0FBQyxJQUFJLENBQUMsQ0FBQyxTQUFTLEVBQUUsRUFBRSxDQUM3QyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUFDLE9BQU8sQ0FBQyxTQUFTLENBQUMsU0FBUyxFQUFFLE9BQU8sQ0FBQyxDQUFDLENBQzFFLENBQUM7SUFDSixDQUFDO0lBRUQ7OztPQUdHO0lBQ0ksVUFBVSxDQUFDLEVBQVU7UUFDMUIsK0JBQStCO1FBQy9CLElBQ0UsSUFBSSxDQUFDLFFBQVEsQ0FBQyxtQkFBbUI7WUFDakMsSUFBSSxDQUFDLHNCQUFzQixDQUFDLEVBQUUsQ0FBQyxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsbUJBQW1CLEVBQ3BFLENBQUM7WUFDRCxPQUFPO2dCQUNMLE9BQU8sRUFBRSxLQUFLO2dCQUNkLE1BQU0sRUFBRSwrQkFBK0IsSUFBSSxDQUFDLFFBQVEsQ0FBQyxtQkFBbUIsWUFBWTthQUNyRixDQUFDO1FBQ0osQ0FBQztRQUVELDhCQUE4QjtRQUM5QixJQUNFLElBQUksQ0FBQyxRQUFRLENBQUMsNEJBQTRCO1lBQzFDLENBQUMsSUFBSSxDQUFDLG1CQUFtQixDQUFDLEVBQUUsQ0FBQyxFQUM3QixDQUFDO1lBQ0QsT0FBTztnQkFDTCxPQUFPLEVBQUUsS0FBSztnQkFDZCxNQUFNLEVBQUUsMEJBQTBCLElBQUksQ0FBQyxRQUFRLENBQUMsNEJBQTRCLGdCQUFnQjthQUM3RixDQUFDO1FBQ0osQ0FBQztRQUVELE9BQU8sRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLENBQUM7SUFDM0IsQ0FBQztJQUVEOztPQUVHO0lBQ0ksZUFBZTtRQUNwQixJQUFJLENBQUMsZUFBZSxDQUFDLEtBQUssRUFBRSxDQUFDO1FBQzdCLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxLQUFLLEVBQUUsQ0FBQztJQUNsQyxDQUFDO0NBQ0YifQ==

package/dist_ts/proxies/smart-proxy/smart-proxy.d.ts ADDED Viewed

@@ -0,0 +1,63 @@
+import * as plugins from '../../plugins.js';
+import { DomainConfigManager } from './domain-config-manager.js';
+import type { ISmartProxyOptions, IDomainConfig } from './models/interfaces.js';
+export type { ISmartProxyOptions as IPortProxySettings, IDomainConfig };
+/**
+ * SmartProxy - Main class that coordinates all components
+ */
+export declare class SmartProxy extends plugins.EventEmitter {
+    private netServers;
+    private connectionLogger;
+    private isShuttingDown;
+    private connectionManager;
+    private securityManager;
+    domainConfigManager: DomainConfigManager;
+    private tlsManager;
+    private networkProxyBridge;
+    private timeoutManager;
+    private portRangeManager;
+    private connectionHandler;
+    private port80Handler;
+    private certProvisioner?;
+    constructor(settingsArg: ISmartProxyOptions);
+    /**
+     * The settings for the port proxy
+     */
+    settings: ISmartProxyOptions;
+    /**
+     * Initialize the Port80Handler for ACME certificate management
+     */
+    private initializePort80Handler;
+    /**
+     * Start the proxy server
+     */
+    start(): Promise<void>;
+    /**
+     * Stop the proxy server
+     */
+    stop(): Promise<void>;
+    /**
+     * Updates the domain configurations for the proxy
+     */
+    updateDomainConfigs(newDomainConfigs: IDomainConfig[]): Promise<void>;
+    /**
+     * Request a certificate for a specific domain
+     */
+    requestCertificate(domain: string): Promise<boolean>;
+    /**
+     * Validates if a domain name is valid for certificate issuance
+     */
+    private isValidDomain;
+    /**
+     * Get statistics about current connections
+     */
+    getStatistics(): any;
+    /**
+     * Get a list of eligible domains for ACME certificates
+     */
+    getEligibleDomainsForCertificates(): string[];
+    /**
+     * Get status of certificates managed by Port80Handler
+     */
+    getCertificateStatus(): any;
+}