@push.rocks/smartproxy 12.0.0 → 13.1.2

package/dist_ts/tls/utils/tls-utils.d.ts

@@ -0,0 +1,158 @@
+/**
+ * TLS record types as defined in various RFCs
+ */
+export declare enum TlsRecordType {
+    CHANGE_CIPHER_SPEC = 20,
+    ALERT = 21,
+    HANDSHAKE = 22,
+    APPLICATION_DATA = 23,
+    HEARTBEAT = 24
+}
+/**
+ * TLS handshake message types
+ */
+export declare enum TlsHandshakeType {
+    HELLO_REQUEST = 0,
+    CLIENT_HELLO = 1,
+    SERVER_HELLO = 2,
+    NEW_SESSION_TICKET = 4,
+    ENCRYPTED_EXTENSIONS = 8,// TLS 1.3
+    CERTIFICATE = 11,
+    SERVER_KEY_EXCHANGE = 12,
+    CERTIFICATE_REQUEST = 13,
+    SERVER_HELLO_DONE = 14,
+    CERTIFICATE_VERIFY = 15,
+    CLIENT_KEY_EXCHANGE = 16,
+    FINISHED = 20
+}
+/**
+ * TLS extension types
+ */
+export declare enum TlsExtensionType {
+    SERVER_NAME = 0,// SNI
+    MAX_FRAGMENT_LENGTH = 1,
+    CLIENT_CERTIFICATE_URL = 2,
+    TRUSTED_CA_KEYS = 3,
+    TRUNCATED_HMAC = 4,
+    STATUS_REQUEST = 5,// OCSP
+    SUPPORTED_GROUPS = 10,// Previously named "elliptic_curves"
+    EC_POINT_FORMATS = 11,
+    SIGNATURE_ALGORITHMS = 13,
+    APPLICATION_LAYER_PROTOCOL_NEGOTIATION = 16,// ALPN
+    SIGNED_CERTIFICATE_TIMESTAMP = 18,// Certificate Transparency
+    PADDING = 21,
+    SESSION_TICKET = 35,
+    PRE_SHARED_KEY = 41,// TLS 1.3
+    EARLY_DATA = 42,// TLS 1.3 0-RTT
+    SUPPORTED_VERSIONS = 43,// TLS 1.3
+    COOKIE = 44,// TLS 1.3
+    PSK_KEY_EXCHANGE_MODES = 45,// TLS 1.3
+    CERTIFICATE_AUTHORITIES = 47,// TLS 1.3
+    POST_HANDSHAKE_AUTH = 49,// TLS 1.3
+    SIGNATURE_ALGORITHMS_CERT = 50,// TLS 1.3
+    KEY_SHARE = 51
+}
+/**
+ * TLS alert levels
+ */
+export declare enum TlsAlertLevel {
+    WARNING = 1,
+    FATAL = 2
+}
+/**
+ * TLS alert description codes
+ */
+export declare enum TlsAlertDescription {
+    CLOSE_NOTIFY = 0,
+    UNEXPECTED_MESSAGE = 10,
+    BAD_RECORD_MAC = 20,
+    DECRYPTION_FAILED = 21,// TLS 1.0 only
+    RECORD_OVERFLOW = 22,
+    DECOMPRESSION_FAILURE = 30,// TLS 1.2 and below
+    HANDSHAKE_FAILURE = 40,
+    NO_CERTIFICATE = 41,// SSLv3 only
+    BAD_CERTIFICATE = 42,
+    UNSUPPORTED_CERTIFICATE = 43,
+    CERTIFICATE_REVOKED = 44,
+    CERTIFICATE_EXPIRED = 45,
+    CERTIFICATE_UNKNOWN = 46,
+    ILLEGAL_PARAMETER = 47,
+    UNKNOWN_CA = 48,
+    ACCESS_DENIED = 49,
+    DECODE_ERROR = 50,
+    DECRYPT_ERROR = 51,
+    EXPORT_RESTRICTION = 60,// TLS 1.0 only
+    PROTOCOL_VERSION = 70,
+    INSUFFICIENT_SECURITY = 71,
+    INTERNAL_ERROR = 80,
+    INAPPROPRIATE_FALLBACK = 86,
+    USER_CANCELED = 90,
+    NO_RENEGOTIATION = 100,// TLS 1.2 and below
+    MISSING_EXTENSION = 109,// TLS 1.3
+    UNSUPPORTED_EXTENSION = 110,// TLS 1.3
+    CERTIFICATE_REQUIRED = 111,// TLS 1.3
+    UNRECOGNIZED_NAME = 112,
+    BAD_CERTIFICATE_STATUS_RESPONSE = 113,
+    BAD_CERTIFICATE_HASH_VALUE = 114,// TLS 1.2 and below
+    UNKNOWN_PSK_IDENTITY = 115,
+    CERTIFICATE_REQUIRED_1_3 = 116,// TLS 1.3
+    NO_APPLICATION_PROTOCOL = 120
+}
+/**
+ * TLS version codes (major.minor)
+ */
+export declare const TlsVersion: {
+    SSL3: number[];
+    TLS1_0: number[];
+    TLS1_1: number[];
+    TLS1_2: number[];
+    TLS1_3: number[];
+};
+/**
+ * Utility functions for TLS protocol operations
+ */
+export declare class TlsUtils {
+    /**
+     * Checks if a buffer contains a TLS handshake record
+     * @param buffer The buffer to check
+     * @returns true if the buffer starts with a TLS handshake record
+     */
+    static isTlsHandshake(buffer: Buffer): boolean;
+    /**
+     * Checks if a buffer contains TLS application data
+     * @param buffer The buffer to check
+     * @returns true if the buffer starts with a TLS application data record
+     */
+    static isTlsApplicationData(buffer: Buffer): boolean;
+    /**
+     * Checks if a buffer contains a TLS alert record
+     * @param buffer The buffer to check
+     * @returns true if the buffer starts with a TLS alert record
+     */
+    static isTlsAlert(buffer: Buffer): boolean;
+    /**
+     * Checks if a buffer contains a TLS ClientHello message
+     * @param buffer The buffer to check
+     * @returns true if the buffer appears to be a ClientHello message
+     */
+    static isClientHello(buffer: Buffer): boolean;
+    /**
+     * Gets the record length from a TLS record header
+     * @param buffer Buffer containing a TLS record
+     * @returns The record length if the buffer is valid, -1 otherwise
+     */
+    static getTlsRecordLength(buffer: Buffer): number;
+    /**
+     * Creates a connection ID based on source/destination information
+     * Used to track fragmented ClientHello messages across multiple packets
+     *
+     * @param connectionInfo Object containing connection identifiers
+     * @returns A string ID for the connection
+     */
+    static createConnectionId(connectionInfo: {
+        sourceIp?: string;
+        sourcePort?: number;
+        destIp?: string;
+        destPort?: number;
+    }): string;
+}

package/dist_ts/tls/utils/tls-utils.js

@@ -0,0 +1,187 @@
+import * as plugins from '../../plugins.js';
+/**
+ * TLS record types as defined in various RFCs
+ */
+export var TlsRecordType;
+(function (TlsRecordType) {
+    TlsRecordType[TlsRecordType["CHANGE_CIPHER_SPEC"] = 20] = "CHANGE_CIPHER_SPEC";
+    TlsRecordType[TlsRecordType["ALERT"] = 21] = "ALERT";
+    TlsRecordType[TlsRecordType["HANDSHAKE"] = 22] = "HANDSHAKE";
+    TlsRecordType[TlsRecordType["APPLICATION_DATA"] = 23] = "APPLICATION_DATA";
+    TlsRecordType[TlsRecordType["HEARTBEAT"] = 24] = "HEARTBEAT";
+})(TlsRecordType || (TlsRecordType = {}));
+/**
+ * TLS handshake message types
+ */
+export var TlsHandshakeType;
+(function (TlsHandshakeType) {
+    TlsHandshakeType[TlsHandshakeType["HELLO_REQUEST"] = 0] = "HELLO_REQUEST";
+    TlsHandshakeType[TlsHandshakeType["CLIENT_HELLO"] = 1] = "CLIENT_HELLO";
+    TlsHandshakeType[TlsHandshakeType["SERVER_HELLO"] = 2] = "SERVER_HELLO";
+    TlsHandshakeType[TlsHandshakeType["NEW_SESSION_TICKET"] = 4] = "NEW_SESSION_TICKET";
+    TlsHandshakeType[TlsHandshakeType["ENCRYPTED_EXTENSIONS"] = 8] = "ENCRYPTED_EXTENSIONS";
+    TlsHandshakeType[TlsHandshakeType["CERTIFICATE"] = 11] = "CERTIFICATE";
+    TlsHandshakeType[TlsHandshakeType["SERVER_KEY_EXCHANGE"] = 12] = "SERVER_KEY_EXCHANGE";
+    TlsHandshakeType[TlsHandshakeType["CERTIFICATE_REQUEST"] = 13] = "CERTIFICATE_REQUEST";
+    TlsHandshakeType[TlsHandshakeType["SERVER_HELLO_DONE"] = 14] = "SERVER_HELLO_DONE";
+    TlsHandshakeType[TlsHandshakeType["CERTIFICATE_VERIFY"] = 15] = "CERTIFICATE_VERIFY";
+    TlsHandshakeType[TlsHandshakeType["CLIENT_KEY_EXCHANGE"] = 16] = "CLIENT_KEY_EXCHANGE";
+    TlsHandshakeType[TlsHandshakeType["FINISHED"] = 20] = "FINISHED";
+})(TlsHandshakeType || (TlsHandshakeType = {}));
+/**
+ * TLS extension types
+ */
+export var TlsExtensionType;
+(function (TlsExtensionType) {
+    TlsExtensionType[TlsExtensionType["SERVER_NAME"] = 0] = "SERVER_NAME";
+    TlsExtensionType[TlsExtensionType["MAX_FRAGMENT_LENGTH"] = 1] = "MAX_FRAGMENT_LENGTH";
+    TlsExtensionType[TlsExtensionType["CLIENT_CERTIFICATE_URL"] = 2] = "CLIENT_CERTIFICATE_URL";
+    TlsExtensionType[TlsExtensionType["TRUSTED_CA_KEYS"] = 3] = "TRUSTED_CA_KEYS";
+    TlsExtensionType[TlsExtensionType["TRUNCATED_HMAC"] = 4] = "TRUNCATED_HMAC";
+    TlsExtensionType[TlsExtensionType["STATUS_REQUEST"] = 5] = "STATUS_REQUEST";
+    TlsExtensionType[TlsExtensionType["SUPPORTED_GROUPS"] = 10] = "SUPPORTED_GROUPS";
+    TlsExtensionType[TlsExtensionType["EC_POINT_FORMATS"] = 11] = "EC_POINT_FORMATS";
+    TlsExtensionType[TlsExtensionType["SIGNATURE_ALGORITHMS"] = 13] = "SIGNATURE_ALGORITHMS";
+    TlsExtensionType[TlsExtensionType["APPLICATION_LAYER_PROTOCOL_NEGOTIATION"] = 16] = "APPLICATION_LAYER_PROTOCOL_NEGOTIATION";
+    TlsExtensionType[TlsExtensionType["SIGNED_CERTIFICATE_TIMESTAMP"] = 18] = "SIGNED_CERTIFICATE_TIMESTAMP";
+    TlsExtensionType[TlsExtensionType["PADDING"] = 21] = "PADDING";
+    TlsExtensionType[TlsExtensionType["SESSION_TICKET"] = 35] = "SESSION_TICKET";
+    TlsExtensionType[TlsExtensionType["PRE_SHARED_KEY"] = 41] = "PRE_SHARED_KEY";
+    TlsExtensionType[TlsExtensionType["EARLY_DATA"] = 42] = "EARLY_DATA";
+    TlsExtensionType[TlsExtensionType["SUPPORTED_VERSIONS"] = 43] = "SUPPORTED_VERSIONS";
+    TlsExtensionType[TlsExtensionType["COOKIE"] = 44] = "COOKIE";
+    TlsExtensionType[TlsExtensionType["PSK_KEY_EXCHANGE_MODES"] = 45] = "PSK_KEY_EXCHANGE_MODES";
+    TlsExtensionType[TlsExtensionType["CERTIFICATE_AUTHORITIES"] = 47] = "CERTIFICATE_AUTHORITIES";
+    TlsExtensionType[TlsExtensionType["POST_HANDSHAKE_AUTH"] = 49] = "POST_HANDSHAKE_AUTH";
+    TlsExtensionType[TlsExtensionType["SIGNATURE_ALGORITHMS_CERT"] = 50] = "SIGNATURE_ALGORITHMS_CERT";
+    TlsExtensionType[TlsExtensionType["KEY_SHARE"] = 51] = "KEY_SHARE";
+})(TlsExtensionType || (TlsExtensionType = {}));
+/**
+ * TLS alert levels
+ */
+export var TlsAlertLevel;
+(function (TlsAlertLevel) {
+    TlsAlertLevel[TlsAlertLevel["WARNING"] = 1] = "WARNING";
+    TlsAlertLevel[TlsAlertLevel["FATAL"] = 2] = "FATAL";
+})(TlsAlertLevel || (TlsAlertLevel = {}));
+/**
+ * TLS alert description codes
+ */
+export var TlsAlertDescription;
+(function (TlsAlertDescription) {
+    TlsAlertDescription[TlsAlertDescription["CLOSE_NOTIFY"] = 0] = "CLOSE_NOTIFY";
+    TlsAlertDescription[TlsAlertDescription["UNEXPECTED_MESSAGE"] = 10] = "UNEXPECTED_MESSAGE";
+    TlsAlertDescription[TlsAlertDescription["BAD_RECORD_MAC"] = 20] = "BAD_RECORD_MAC";
+    TlsAlertDescription[TlsAlertDescription["DECRYPTION_FAILED"] = 21] = "DECRYPTION_FAILED";
+    TlsAlertDescription[TlsAlertDescription["RECORD_OVERFLOW"] = 22] = "RECORD_OVERFLOW";
+    TlsAlertDescription[TlsAlertDescription["DECOMPRESSION_FAILURE"] = 30] = "DECOMPRESSION_FAILURE";
+    TlsAlertDescription[TlsAlertDescription["HANDSHAKE_FAILURE"] = 40] = "HANDSHAKE_FAILURE";
+    TlsAlertDescription[TlsAlertDescription["NO_CERTIFICATE"] = 41] = "NO_CERTIFICATE";
+    TlsAlertDescription[TlsAlertDescription["BAD_CERTIFICATE"] = 42] = "BAD_CERTIFICATE";
+    TlsAlertDescription[TlsAlertDescription["UNSUPPORTED_CERTIFICATE"] = 43] = "UNSUPPORTED_CERTIFICATE";
+    TlsAlertDescription[TlsAlertDescription["CERTIFICATE_REVOKED"] = 44] = "CERTIFICATE_REVOKED";
+    TlsAlertDescription[TlsAlertDescription["CERTIFICATE_EXPIRED"] = 45] = "CERTIFICATE_EXPIRED";
+    TlsAlertDescription[TlsAlertDescription["CERTIFICATE_UNKNOWN"] = 46] = "CERTIFICATE_UNKNOWN";
+    TlsAlertDescription[TlsAlertDescription["ILLEGAL_PARAMETER"] = 47] = "ILLEGAL_PARAMETER";
+    TlsAlertDescription[TlsAlertDescription["UNKNOWN_CA"] = 48] = "UNKNOWN_CA";
+    TlsAlertDescription[TlsAlertDescription["ACCESS_DENIED"] = 49] = "ACCESS_DENIED";
+    TlsAlertDescription[TlsAlertDescription["DECODE_ERROR"] = 50] = "DECODE_ERROR";
+    TlsAlertDescription[TlsAlertDescription["DECRYPT_ERROR"] = 51] = "DECRYPT_ERROR";
+    TlsAlertDescription[TlsAlertDescription["EXPORT_RESTRICTION"] = 60] = "EXPORT_RESTRICTION";
+    TlsAlertDescription[TlsAlertDescription["PROTOCOL_VERSION"] = 70] = "PROTOCOL_VERSION";
+    TlsAlertDescription[TlsAlertDescription["INSUFFICIENT_SECURITY"] = 71] = "INSUFFICIENT_SECURITY";
+    TlsAlertDescription[TlsAlertDescription["INTERNAL_ERROR"] = 80] = "INTERNAL_ERROR";
+    TlsAlertDescription[TlsAlertDescription["INAPPROPRIATE_FALLBACK"] = 86] = "INAPPROPRIATE_FALLBACK";
+    TlsAlertDescription[TlsAlertDescription["USER_CANCELED"] = 90] = "USER_CANCELED";
+    TlsAlertDescription[TlsAlertDescription["NO_RENEGOTIATION"] = 100] = "NO_RENEGOTIATION";
+    TlsAlertDescription[TlsAlertDescription["MISSING_EXTENSION"] = 109] = "MISSING_EXTENSION";
+    TlsAlertDescription[TlsAlertDescription["UNSUPPORTED_EXTENSION"] = 110] = "UNSUPPORTED_EXTENSION";
+    TlsAlertDescription[TlsAlertDescription["CERTIFICATE_REQUIRED"] = 111] = "CERTIFICATE_REQUIRED";
+    TlsAlertDescription[TlsAlertDescription["UNRECOGNIZED_NAME"] = 112] = "UNRECOGNIZED_NAME";
+    TlsAlertDescription[TlsAlertDescription["BAD_CERTIFICATE_STATUS_RESPONSE"] = 113] = "BAD_CERTIFICATE_STATUS_RESPONSE";
+    TlsAlertDescription[TlsAlertDescription["BAD_CERTIFICATE_HASH_VALUE"] = 114] = "BAD_CERTIFICATE_HASH_VALUE";
+    TlsAlertDescription[TlsAlertDescription["UNKNOWN_PSK_IDENTITY"] = 115] = "UNKNOWN_PSK_IDENTITY";
+    TlsAlertDescription[TlsAlertDescription["CERTIFICATE_REQUIRED_1_3"] = 116] = "CERTIFICATE_REQUIRED_1_3";
+    TlsAlertDescription[TlsAlertDescription["NO_APPLICATION_PROTOCOL"] = 120] = "NO_APPLICATION_PROTOCOL";
+})(TlsAlertDescription || (TlsAlertDescription = {}));
+/**
+ * TLS version codes (major.minor)
+ */
+export const TlsVersion = {
+    SSL3: [0x03, 0x00],
+    TLS1_0: [0x03, 0x01],
+    TLS1_1: [0x03, 0x02],
+    TLS1_2: [0x03, 0x03],
+    TLS1_3: [0x03, 0x04],
+};
+/**
+ * Utility functions for TLS protocol operations
+ */
+export class TlsUtils {
+    /**
+     * Checks if a buffer contains a TLS handshake record
+     * @param buffer The buffer to check
+     * @returns true if the buffer starts with a TLS handshake record
+     */
+    static isTlsHandshake(buffer) {
+        return buffer.length > 0 && buffer[0] === TlsRecordType.HANDSHAKE;
+    }
+    /**
+     * Checks if a buffer contains TLS application data
+     * @param buffer The buffer to check
+     * @returns true if the buffer starts with a TLS application data record
+     */
+    static isTlsApplicationData(buffer) {
+        return buffer.length > 0 && buffer[0] === TlsRecordType.APPLICATION_DATA;
+    }
+    /**
+     * Checks if a buffer contains a TLS alert record
+     * @param buffer The buffer to check
+     * @returns true if the buffer starts with a TLS alert record
+     */
+    static isTlsAlert(buffer) {
+        return buffer.length > 0 && buffer[0] === TlsRecordType.ALERT;
+    }
+    /**
+     * Checks if a buffer contains a TLS ClientHello message
+     * @param buffer The buffer to check
+     * @returns true if the buffer appears to be a ClientHello message
+     */
+    static isClientHello(buffer) {
+        // Minimum ClientHello size (TLS record header + handshake header)
+        if (buffer.length < 9) {
+            return false;
+        }
+        // Check record type (must be TLS_HANDSHAKE_RECORD_TYPE)
+        if (buffer[0] !== TlsRecordType.HANDSHAKE) {
+            return false;
+        }
+        // Skip version and length in TLS record header (5 bytes total)
+        // Check handshake type at byte 5 (must be CLIENT_HELLO)
+        return buffer[5] === TlsHandshakeType.CLIENT_HELLO;
+    }
+    /**
+     * Gets the record length from a TLS record header
+     * @param buffer Buffer containing a TLS record
+     * @returns The record length if the buffer is valid, -1 otherwise
+     */
+    static getTlsRecordLength(buffer) {
+        if (buffer.length < 5) {
+            return -1;
+        }
+        // Bytes 3-4 contain the record length (big-endian)
+        return (buffer[3] << 8) + buffer[4];
+    }
+    /**
+     * Creates a connection ID based on source/destination information
+     * Used to track fragmented ClientHello messages across multiple packets
+     *
+     * @param connectionInfo Object containing connection identifiers
+     * @returns A string ID for the connection
+     */
+    static createConnectionId(connectionInfo) {
+        const { sourceIp, sourcePort, destIp, destPort } = connectionInfo;
+        return `${sourceIp}:${sourcePort}-${destIp}:${destPort}`;
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidGxzLXV0aWxzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vdHMvdGxzL3V0aWxzL3Rscy11dGlscy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEtBQUssT0FBTyxNQUFNLGtCQUFrQixDQUFDO0FBRTVDOztHQUVHO0FBQ0gsTUFBTSxDQUFOLElBQVksYUFNWDtBQU5ELFdBQVksYUFBYTtJQUN2Qiw4RUFBdUIsQ0FBQTtJQUN2QixvREFBVSxDQUFBO0lBQ1YsNERBQWMsQ0FBQTtJQUNkLDBFQUFxQixDQUFBO0lBQ3JCLDREQUFjLENBQUE7QUFDaEIsQ0FBQyxFQU5XLGFBQWEsS0FBYixhQUFhLFFBTXhCO0FBRUQ7O0dBRUc7QUFDSCxNQUFNLENBQU4sSUFBWSxnQkFhWDtBQWJELFdBQVksZ0JBQWdCO0lBQzFCLHlFQUFpQixDQUFBO0lBQ2pCLHVFQUFnQixDQUFBO0lBQ2hCLHVFQUFnQixDQUFBO0lBQ2hCLG1GQUFzQixDQUFBO0lBQ3RCLHVGQUF3QixDQUFBO0lBQ3hCLHNFQUFnQixDQUFBO0lBQ2hCLHNGQUF3QixDQUFBO0lBQ3hCLHNGQUF3QixDQUFBO0lBQ3hCLGtGQUFzQixDQUFBO0lBQ3RCLG9GQUF1QixDQUFBO0lBQ3ZCLHNGQUF3QixDQUFBO0lBQ3hCLGdFQUFhLENBQUE7QUFDZixDQUFDLEVBYlcsZ0JBQWdCLEtBQWhCLGdCQUFnQixRQWEzQjtBQUVEOztHQUVHO0FBQ0gsTUFBTSxDQUFOLElBQVksZ0JBdUJYO0FBdkJELFdBQVksZ0JBQWdCO0lBQzFCLHFFQUFlLENBQUE7SUFDZixxRkFBdUIsQ0FBQTtJQUN2QiwyRkFBMEIsQ0FBQTtJQUMxQiw2RUFBbUIsQ0FBQTtJQUNuQiwyRUFBa0IsQ0FBQTtJQUNsQiwyRUFBa0IsQ0FBQTtJQUNsQixnRkFBcUIsQ0FBQTtJQUNyQixnRkFBcUIsQ0FBQTtJQUNyQix3RkFBeUIsQ0FBQTtJQUN6Qiw0SEFBMkMsQ0FBQTtJQUMzQyx3R0FBaUMsQ0FBQTtJQUNqQyw4REFBWSxDQUFBO0lBQ1osNEVBQW1CLENBQUE7SUFDbkIsNEVBQW1CLENBQUE7SUFDbkIsb0VBQWUsQ0FBQTtJQUNmLG9GQUF1QixDQUFBO0lBQ3ZCLDREQUFXLENBQUE7SUFDWCw0RkFBMkIsQ0FBQTtJQUMzQiw4RkFBNEIsQ0FBQTtJQUM1QixzRkFBd0IsQ0FBQTtJQUN4QixrR0FBOEIsQ0FBQTtJQUM5QixrRUFBYyxDQUFBO0FBQ2hCLENBQUMsRUF2QlcsZ0JBQWdCLEtBQWhCLGdCQUFnQixRQXVCM0I7QUFFRDs7R0FFRztBQUNILE1BQU0sQ0FBTixJQUFZLGFBR1g7QUFIRCxXQUFZLGFBQWE7SUFDdkIsdURBQVcsQ0FBQTtJQUNYLG1EQUFTLENBQUE7QUFDWCxDQUFDLEVBSFcsYUFBYSxLQUFiLGFBQWEsUUFHeEI7QUFFRDs7R0FFRztBQUNILE1BQU0sQ0FBTixJQUFZLG1CQW1DWDtBQW5DRCxXQUFZLG1CQUFtQjtJQUM3Qiw2RUFBZ0IsQ0FBQTtJQUNoQiwwRkFBdUIsQ0FBQTtJQUN2QixrRkFBbUIsQ0FBQTtJQUNuQix3RkFBc0IsQ0FBQTtJQUN0QixvRkFBb0IsQ0FBQTtJQUNwQixnR0FBMEIsQ0FBQTtJQUMxQix3RkFBc0IsQ0FBQTtJQUN0QixrRkFBbUIsQ0FBQTtJQUNuQixvRkFBb0IsQ0FBQTtJQUNwQixvR0FBNEIsQ0FBQTtJQUM1Qiw0RkFBd0IsQ0FBQTtJQUN4Qiw0RkFBd0IsQ0FBQTtJQUN4Qiw0RkFBd0IsQ0FBQTtJQUN4Qix3RkFBc0IsQ0FBQTtJQUN0QiwwRUFBZSxDQUFBO0lBQ2YsZ0ZBQWtCLENBQUE7SUFDbEIsOEVBQWlCLENBQUE7SUFDakIsZ0ZBQWtCLENBQUE7SUFDbEIsMEZBQXVCLENBQUE7SUFDdkIsc0ZBQXFCLENBQUE7SUFDckIsZ0dBQTBCLENBQUE7SUFDMUIsa0ZBQW1CLENBQUE7SUFDbkIsa0dBQTJCLENBQUE7SUFDM0IsZ0ZBQWtCLENBQUE7SUFDbEIsdUZBQXNCLENBQUE7SUFDdEIseUZBQXVCLENBQUE7SUFDdkIsaUdBQTJCLENBQUE7SUFDM0IsK0ZBQTBCLENBQUE7SUFDMUIseUZBQXVCLENBQUE7SUFDdkIscUhBQXFDLENBQUE7SUFDckMsMkdBQWdDLENBQUE7SUFDaEMsK0ZBQTBCLENBQUE7SUFDMUIsdUdBQThCLENBQUE7SUFDOUIscUdBQTZCLENBQUE7QUFDL0IsQ0FBQyxFQW5DVyxtQkFBbUIsS0FBbkIsbUJBQW1CLFFBbUM5QjtBQUVEOztHQUVHO0FBQ0gsTUFBTSxDQUFDLE1BQU0sVUFBVSxHQUFHO0lBQ3hCLElBQUksRUFBRSxDQUFDLElBQUksRUFBRSxJQUFJLENBQUM7SUFDbEIsTUFBTSxFQUFFLENBQUMsSUFBSSxFQUFFLElBQUksQ0FBQztJQUNwQixNQUFNLEVBQUUsQ0FBQyxJQUFJLEVBQUUsSUFBSSxDQUFDO0lBQ3BCLE1BQU0sRUFBRSxDQUFDLElBQUksRUFBRSxJQUFJLENBQUM7SUFDcEIsTUFBTSxFQUFFLENBQUMsSUFBSSxFQUFFLElBQUksQ0FBQztDQUNyQixDQUFDO0FBRUY7O0dBRUc7QUFDSCxNQUFNLE9BQU8sUUFBUTtJQUNuQjs7OztPQUlHO0lBQ0ksTUFBTSxDQUFDLGNBQWMsQ0FBQyxNQUFjO1FBQ3pDLE9BQU8sTUFBTSxDQUFDLE1BQU0sR0FBRyxDQUFDLElBQUksTUFBTSxDQUFDLENBQUMsQ0FBQyxLQUFLLGFBQWEsQ0FBQyxTQUFTLENBQUM7SUFDcEUsQ0FBQztJQUVEOzs7O09BSUc7SUFDSSxNQUFNLENBQUMsb0JBQW9CLENBQUMsTUFBYztRQUMvQyxPQUFPLE1BQU0sQ0FBQyxNQUFNLEdBQUcsQ0FBQyxJQUFJLE1BQU0sQ0FBQyxDQUFDLENBQUMsS0FBSyxhQUFhLENBQUMsZ0JBQWdCLENBQUM7SUFDM0UsQ0FBQztJQUVEOzs7O09BSUc7SUFDSSxNQUFNLENBQUMsVUFBVSxDQUFDLE1BQWM7UUFDckMsT0FBTyxNQUFNLENBQUMsTUFBTSxHQUFHLENBQUMsSUFBSSxNQUFNLENBQUMsQ0FBQyxDQUFDLEtBQUssYUFBYSxDQUFDLEtBQUssQ0FBQztJQUNoRSxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLE1BQU0sQ0FBQyxhQUFhLENBQUMsTUFBYztRQUN4QyxrRUFBa0U7UUFDbEUsSUFBSSxNQUFNLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQ3RCLE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztRQUVELHdEQUF3RDtRQUN4RCxJQUFJLE1BQU0sQ0FBQyxDQUFDLENBQUMsS0FBSyxhQUFhLENBQUMsU0FBUyxFQUFFLENBQUM7WUFDMUMsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDO1FBRUQsK0RBQStEO1FBQy9ELHdEQUF3RDtRQUN4RCxPQUFPLE1BQU0sQ0FBQyxDQUFDLENBQUMsS0FBSyxnQkFBZ0IsQ0FBQyxZQUFZLENBQUM7SUFDckQsQ0FBQztJQUVEOzs7O09BSUc7SUFDSSxNQUFNLENBQUMsa0JBQWtCLENBQUMsTUFBYztRQUM3QyxJQUFJLE1BQU0sQ0FBQyxNQUFNLEdBQUcsQ0FBQyxFQUFFLENBQUM7WUFDdEIsT0FBTyxDQUFDLENBQUMsQ0FBQztRQUNaLENBQUM7UUFFRCxtREFBbUQ7UUFDbkQsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsR0FBRyxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDdEMsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNJLE1BQU0sQ0FBQyxrQkFBa0IsQ0FBQyxjQUtoQztRQUNDLE1BQU0sRUFBRSxRQUFRLEVBQUUsVUFBVSxFQUFFLE1BQU0sRUFBRSxRQUFRLEVBQUUsR0FBRyxjQUFjLENBQUM7UUFDbEUsT0FBTyxHQUFHLFFBQVEsSUFBSSxVQUFVLElBQUksTUFBTSxJQUFJLFFBQVEsRUFBRSxDQUFDO0lBQzNELENBQUM7Q0FDRiJ9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "12.0.0",
+  "version": "13.1.2",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

package/readme.md

@@ -8,30 +8,77 @@ A high-performance proxy toolkit for Node.js, offering:
 - Advanced TCP/SNI-based proxying with IP filtering and rules
 - Unified forwarding configuration system for all proxy types
 
+## Project Architecture Overview
+
+SmartProxy has been restructured using a modern, modular architecture to improve maintainability and clarity:
+
+```
+/ts
+├── /core                     # Core functionality
+│   ├── /models               # Data models and interfaces
+│   ├── /utils                # Shared utilities (IP validation, logging, etc.)
+│   └── /events               # Common event definitions
+├── /certificate              # Certificate management
+│   ├── /acme                 # ACME-specific functionality
+│   ├── /providers            # Certificate providers (static, ACME)
+│   └── /storage              # Certificate storage mechanisms
+├── /forwarding               # Forwarding system
+│   ├── /handlers             # Various forwarding handlers
+│   │   ├── base-handler.ts   # Abstract base handler
+│   │   ├── http-handler.ts   # HTTP-only handler
+│   │   └── ...               # Other handlers
+│   ├── /config               # Configuration models
+│   │   ├── forwarding-types.ts     # Type definitions
+│   │   ├── domain-config.ts        # Domain config utilities
+│   │   └── domain-manager.ts       # Domain routing manager
+│   └── /factory              # Factory for creating handlers
+├── /proxies                  # Different proxy implementations
+│   ├── /smart-proxy          # SmartProxy implementation
+│   │   ├── /models           # SmartProxy-specific interfaces
+│   │   ├── smart-proxy.ts    # Main SmartProxy class
+│   │   └── ...               # Supporting classes
+│   ├── /network-proxy        # NetworkProxy implementation
+│   │   ├── /models           # NetworkProxy-specific interfaces
+│   │   ├── network-proxy.ts  # Main NetworkProxy class
+│   │   └── ...               # Supporting classes
+│   └── /nftables-proxy       # NfTablesProxy implementation
+├── /tls                      # TLS-specific functionality
+│   ├── /sni                  # SNI handling components
+│   └── /alerts               # TLS alerts system
+└── /http                     # HTTP-specific functionality
+    ├── /port80               # Port80Handler components
+    ├── /router               # HTTP routing system
+    └── /redirects            # Redirect handlers
+```
+
 ## Exports
 The following classes and interfaces are provided:
 
-- **NetworkProxy** (ts/networkproxy/classes.np.networkproxy.ts)
+- **NetworkProxy** (`ts/proxies/network-proxy/network-proxy.ts`)
   HTTP/HTTPS reverse proxy with TLS termination, WebSocket support,
   connection pooling, and optional ACME integration.
-- **Port80Handler** (ts/port80handler/classes.port80handler.ts)
+- **Port80Handler** (`ts/http/port80/port80-handler.ts`)
   ACME HTTP-01 challenge handler and certificate manager.
-- **NfTablesProxy** (ts/nfttablesproxy/classes.nftablesproxy.ts)
+- **NfTablesProxy** (`ts/proxies/nftables-proxy/nftables-proxy.ts`)
   Low-level port forwarding using nftables NAT rules.
-- **Redirect**, **SslRedirect** (ts/redirect/classes.redirect.ts)
+- **Redirect**, **SslRedirect** (`ts/http/redirects/redirect-handler.ts`)
   HTTP/HTTPS redirect server and shortcut for HTTP→HTTPS.
-- **SmartProxy** (ts/smartproxy/classes.smartproxy.ts)
+- **SmartProxy** (`ts/proxies/smart-proxy/smart-proxy.ts`)
   TCP/SNI-based proxy with dynamic routing, IP filtering, and unified certificates.
-- **SniHandler** (ts/smartproxy/classes.pp.snihandler.ts)
+- **SniHandler** (`ts/tls/sni/sni-handler.ts`)
   Static utilities to extract SNI hostnames from TLS handshakes.
-- **Forwarding Handlers** (ts/smartproxy/forwarding/*.ts)
+- **Forwarding Handlers** (`ts/forwarding/handlers/*.ts`)
   Unified forwarding handlers for different connection types (HTTP, HTTPS passthrough, TLS termination).
-- **Interfaces**
-  - IPortProxySettings, IDomainConfig (ts/smartproxy/classes.pp.interfaces.ts)
-  - INetworkProxyOptions (ts/networkproxy/classes.np.types.ts)
-  - IAcmeOptions, IDomainOptions (ts/common/types.ts)
-  - INfTableProxySettings (ts/nfttablesproxy/classes.nftablesproxy.ts)
-  - IForwardConfig, ForwardingType (ts/smartproxy/types/forwarding.types.ts)
+- **Core Utilities**
+  - **ValidationUtils** (`ts/core/utils/validation-utils.ts`) for domain, port, and configuration validation
+  - **IpUtils** (`ts/core/utils/ip-utils.ts`) for IP address validation and filtering
+
+- **Interfaces and Types**
+  - `ISmartProxyOptions`, `IDomainConfig` (`ts/proxies/smart-proxy/models/interfaces.ts`)
+  - `INetworkProxyOptions` (`ts/proxies/network-proxy/models/types.ts`)
+  - `IAcmeOptions`, `IDomainOptions` (`ts/certificate/models/certificate-types.ts`)
+  - `INfTableProxySettings` (`ts/proxies/nftables-proxy/models/interfaces.ts`)
+  - `IForwardConfig`, `TForwardingType` (`ts/forwarding/config/forwarding-types.ts`)
 
 ## Installation
 Install via npm:
@@ -189,16 +236,34 @@ const sni = SniHandler.extractSNI(buffer);
 const complete = SniHandler.handleFragmentedClientHello(buf, connId);
 ```
 
+### 7. Core Utilities (ValidationUtils, IpUtils)
+```typescript
+import { ValidationUtils, IpUtils } from '@push.rocks/smartproxy';
+
+// Validate a domain name
+const isValidDomain = ValidationUtils.isValidDomainName('example.com');
+
+// Check if an IP is allowed based on filters
+const isAllowed = IpUtils.isIPAuthorized(
+  '192.168.1.1',
+  ['192.168.1.*'], // allowed IPs
+  ['192.168.1.100'] // blocked IPs
+);
+
+// Convert CIDR to glob patterns
+const globPatterns = IpUtils.cidrToGlobPatterns('10.0.0.0/24');
+```
+
 ## API Reference
-For full configuration options and type definitions, see the TypeScript interfaces in the `ts/` directory:
-- `INetworkProxyOptions` (ts/networkproxy/classes.np.types.ts)
-- `IAcmeOptions`, `IDomainOptions`, `IForwardConfig` (ts/common/types.ts)
-- `INfTableProxySettings` (ts/nfttablesproxy/classes.nftablesproxy.ts)
-- `IPortProxySettings`, `IDomainConfig` (ts/smartproxy/classes.pp.interfaces.ts)
+For full configuration options and type definitions, see the TypeScript interfaces:
+- `INetworkProxyOptions` (`ts/proxies/network-proxy/models/types.ts`)
+- `IAcmeOptions`, `IDomainOptions` (`ts/certificate/models/certificate-types.ts`)
+- `IForwardConfig` (`ts/forwarding/config/forwarding-types.ts`)
+- `INfTableProxySettings` (`ts/proxies/nftables-proxy/models/interfaces.ts`)
+- `ISmartProxyOptions`, `IDomainConfig` (`ts/proxies/smart-proxy/models/interfaces.ts`)
 
 ## Architecture & Flow Diagrams
 
-
 ```mermaid
 flowchart TB
     Client([Client])
@@ -400,6 +465,9 @@ sequenceDiagram
 - SNI Utilities (SniHandler)
   • Robust ClientHello parsing, fragmentation & session resumption support
 
+- Core Utilities
+  • ValidationUtils and IpUtils for configuration validation and IP management
+
 ## Certificate Hooks & Events
 
 Listen for certificate events via EventEmitter:
@@ -566,9 +634,9 @@ For more complex scenarios, additional options can be specified:
 - `qos`, `netProxyIntegration` (objects)
 
 ### Redirect / SslRedirect
-- Constructor options: `httpPort`, `httpsPort`, `sslOptions`, `rules` (RedirectRule[])
+- Constructor options: `httpPort`, `httpsPort`, `sslOptions`, `rules` (IRedirectRule[])
 
-### SmartProxy (IPortProxySettings)
+### SmartProxy (ISmartProxyOptions)
 - `fromPort`, `toPort` (number)
 - `domainConfigs` (IDomainConfig[]) - Using unified forwarding configuration
 - `sniEnabled`, `preserveSourceIP` (booleans)