@push.rocks/smartproxy 15.0.2 → 16.0.2

package/ts/proxies/smart-proxy/models/route-types.ts

@@ -5,7 +5,7 @@ import type { TForwardingType } from '../../../forwarding/config/forwarding-type
 /**
  * Supported action types for route configurations
  */
-export type TRouteActionType = 'forward' | 'redirect' | 'block';
+export type TRouteActionType = 'forward' | 'redirect' | 'block' | 'static';
 
 /**
  * TLS handling modes for route configurations
@@ -23,14 +23,15 @@ export type TPortRange = number | number[] | Array<{ from: number; to: number }>
 export interface IRouteMatch {
   // Listen on these ports (required)
   ports: TPortRange;
-  
+
   // Optional domain patterns to match (default: all domains)
   domains?: string | string[];
-  
+
   // Advanced matching criteria
   path?: string;           // Match specific paths
   clientIp?: string[];     // Match specific client IPs
   tlsVersion?: string[];   // Match specific TLS versions
+  headers?: Record<string, string | RegExp>; // Match specific HTTP headers
 }
 
 /**
@@ -61,6 +62,25 @@ export interface IRouteRedirect {
   status: 301 | 302 | 307 | 308;
 }
 
+/**
+ * Authentication options
+ */
+export interface IRouteAuthentication {
+  type: 'basic' | 'digest' | 'oauth' | 'jwt';
+  credentials?: {
+    username: string;
+    password: string;
+  }[];
+  realm?: string;
+  jwtSecret?: string;
+  jwtIssuer?: string;
+  oauthProvider?: string;
+  oauthClientId?: string;
+  oauthClientSecret?: string;
+  oauthRedirectUri?: string;
+  [key: string]: any;  // Allow additional auth-specific options
+}
+
 /**
  * Security options for route actions
  */
@@ -68,10 +88,31 @@ export interface IRouteSecurity {
   allowedIps?: string[];
   blockedIps?: string[];
   maxConnections?: number;
-  authentication?: {
-    type: 'basic' | 'digest' | 'oauth';
-    // Auth-specific options would go here
-  };
+  authentication?: IRouteAuthentication;
+}
+
+/**
+ * Static file server configuration
+ */
+export interface IRouteStaticFiles {
+  root: string;
+  index?: string[];
+  headers?: Record<string, string>;
+  directory?: string;
+  indexFiles?: string[];
+  cacheControl?: string;
+  expires?: number;
+  followSymlinks?: boolean;
+  disableDirectoryListing?: boolean;
+}
+
+/**
+ * Test route response configuration
+ */
+export interface IRouteTestResponse {
+  status: number;
+  headers: Record<string, string>;
+  body: string;
 }
 
 /**
@@ -81,47 +122,136 @@ export interface IRouteAdvanced {
   timeout?: number;
   headers?: Record<string, string>;
   keepAlive?: boolean;
+  staticFiles?: IRouteStaticFiles;
+  testResponse?: IRouteTestResponse;
   // Additional advanced options would go here
 }
 
+/**
+ * WebSocket configuration
+ */
+export interface IRouteWebSocket {
+  enabled: boolean;
+  pingInterval?: number;
+  pingTimeout?: number;
+  maxPayloadSize?: number;
+}
+
+/**
+ * Load balancing configuration
+ */
+export interface IRouteLoadBalancing {
+  algorithm: 'round-robin' | 'least-connections' | 'ip-hash';
+  healthCheck?: {
+    path: string;
+    interval: number;
+    timeout: number;
+    unhealthyThreshold: number;
+    healthyThreshold: number;
+  };
+}
+
 /**
  * Action configuration for route handling
  */
 export interface IRouteAction {
   // Basic routing
   type: TRouteActionType;
-  
+
   // Target for forwarding
   target?: IRouteTarget;
-  
+
   // TLS handling
   tls?: IRouteTls;
-  
+
   // For redirects
   redirect?: IRouteRedirect;
-  
+
+  // For static files
+  static?: IRouteStaticFiles;
+
+  // WebSocket support
+  websocket?: IRouteWebSocket;
+
+  // Load balancing options
+  loadBalancing?: IRouteLoadBalancing;
+
   // Security options
   security?: IRouteSecurity;
-  
+
   // Advanced options
   advanced?: IRouteAdvanced;
 }
 
+/**
+ * Rate limiting configuration
+ */
+export interface IRouteRateLimit {
+  enabled: boolean;
+  maxRequests: number;
+  window: number; // Time window in seconds
+  keyBy?: 'ip' | 'path' | 'header';
+  headerName?: string;
+  errorMessage?: string;
+}
+
+/**
+ * Security features for routes
+ */
+export interface IRouteSecurity {
+  rateLimit?: IRouteRateLimit;
+  basicAuth?: {
+    enabled: boolean;
+    users: Array<{ username: string; password: string }>;
+    realm?: string;
+    excludePaths?: string[];
+  };
+  jwtAuth?: {
+    enabled: boolean;
+    secret: string;
+    algorithm?: string;
+    issuer?: string;
+    audience?: string;
+    expiresIn?: number;
+    excludePaths?: string[];
+  };
+  ipAllowList?: string[];
+  ipBlockList?: string[];
+}
+
+/**
+ * Headers configuration
+ */
+export interface IRouteHeaders {
+  request?: Record<string, string>;
+  response?: Record<string, string>;
+}
+
 /**
  * The core unified configuration interface
  */
 export interface IRouteConfig {
+  // Unique identifier
+  id?: string;
+
   // What to match
   match: IRouteMatch;
-  
+
   // What to do with matched traffic
   action: IRouteAction;
-  
+
+  // Custom headers
+  headers?: IRouteHeaders;
+
+  // Security features
+  security?: IRouteSecurity;
+
   // Optional metadata
   name?: string;             // Human-readable name for this route
   description?: string;      // Description of the route's purpose
   priority?: number;         // Controls matching order (higher = matched first)
   tags?: string[];           // Arbitrary tags for categorization
+  enabled?: boolean;         // Whether the route is active (default: true)
 }
 
 /**
@@ -130,7 +260,7 @@ export interface IRouteConfig {
 export interface IRoutedSmartProxyOptions {
   // The unified configuration array (required)
   routes: IRouteConfig[];
-  
+
   // Global/default settings
   defaults?: {
     target?: {
@@ -141,10 +271,10 @@ export interface IRoutedSmartProxyOptions {
     tls?: IRouteTls;
     // ...other defaults
   };
-  
+
   // Other global settings remain (acme, etc.)
   acme?: IAcmeOptions;
-  
+
   // Connection timeouts and other global settings
   initialDataTimeout?: number;
   socketTimeout?: number;
@@ -152,13 +282,13 @@ export interface IRoutedSmartProxyOptions {
   maxConnectionLifetime?: number;
   inactivityTimeout?: number;
   gracefulShutdownTimeout?: number;
-  
+
   // Socket optimization settings
   noDelay?: boolean;
   keepAlive?: boolean;
   keepAliveInitialDelay?: number;
   maxPendingDataSize?: number;
-  
+
   // Enhanced features
   disableInactivityCheck?: boolean;
   enableKeepAliveProbes?: boolean;
@@ -166,16 +296,16 @@ export interface IRoutedSmartProxyOptions {
   enableTlsDebugLogging?: boolean;
   enableRandomizedTimeouts?: boolean;
   allowSessionTicket?: boolean;
-  
+
   // Rate limiting and security
   maxConnectionsPerIP?: number;
   connectionRateLimitPerMinute?: number;
-  
+
   // Enhanced keep-alive settings
   keepAliveTreatment?: 'standard' | 'extended' | 'immortal';
   keepAliveInactivityMultiplier?: number;
   extendedKeepAliveLifetime?: number;
-  
+
   /**
    * Optional certificate provider callback. Return 'http01' to use HTTP-01 challenges,
    * or a static certificate object for immediate provisioning.

package/ts/proxies/smart-proxy/network-proxy-bridge.ts

@@ -4,10 +4,19 @@ import { Port80Handler } from '../../http/port80/port80-handler.js';
 import { Port80HandlerEvents } from '../../core/models/common-types.js';
 import { subscribeToPort80Handler } from '../../core/utils/event-utils.js';
 import type { ICertificateData } from '../../certificate/models/certificate-types.js';
-import type { IConnectionRecord, ISmartProxyOptions, IDomainConfig } from './models/interfaces.js';
+import type { IConnectionRecord, ISmartProxyOptions } from './models/interfaces.js';
+import type { IRouteConfig } from './models/route-types.js';
 
 /**
  * Manages NetworkProxy integration for TLS termination
+ *
+ * NetworkProxyBridge connects SmartProxy with NetworkProxy to handle TLS termination.
+ * It directly maps route configurations to NetworkProxy configuration format and manages
+ * certificate provisioning through Port80Handler when ACME is enabled.
+ *
+ * It is used by SmartProxy for routes that have:
+ * - TLS mode of 'terminate' or 'terminate-and-reencrypt'
+ * - Certificate set to 'auto' or custom certificate
  */
 export class NetworkProxyBridge {
   private networkProxy: NetworkProxy | null = null;
@@ -58,8 +67,8 @@ export class NetworkProxyBridge {
         this.networkProxy.setExternalPort80Handler(this.port80Handler);
       }
 
-      // Convert and apply domain configurations to NetworkProxy
-      await this.syncDomainConfigsToNetworkProxy();
+      // Apply route configurations to NetworkProxy
+      await this.syncRoutesToNetworkProxy(this.settings.routes || []);
     }
   }
   
@@ -147,35 +156,90 @@ export class NetworkProxyBridge {
   }
   
   /**
-   * Register domains with Port80Handler
+   * Register domains from routes with Port80Handler for certificate management
+   *
+   * Extracts domains from routes that require TLS termination and registers them
+   * with the Port80Handler for certificate issuance and renewal.
+   *
+   * @param routes The route configurations to extract domains from
    */
-  public registerDomainsWithPort80Handler(domains: string[]): void {
+  public registerDomainsWithPort80Handler(routes: IRouteConfig[]): void {
     if (!this.port80Handler) {
       console.log('Cannot register domains - Port80Handler not initialized');
       return;
     }
-    
-    for (const domain of domains) {
-      // Skip wildcards
-      if (domain.includes('*')) {
-        console.log(`Skipping wildcard domain for ACME: ${domain}`);
-        continue;
+
+    // Extract domains from routes that require TLS termination
+    const domainsToRegister = new Set<string>();
+
+    for (const route of routes) {
+      // Skip routes without domains or TLS configuration
+      if (!route.match.domains || !route.action.tls) continue;
+
+      // Only register domains for routes that terminate TLS
+      if (route.action.tls.mode !== 'terminate' && route.action.tls.mode !== 'terminate-and-reencrypt') continue;
+
+      // Extract domains from route
+      const domains = Array.isArray(route.match.domains)
+        ? route.match.domains
+        : [route.match.domains];
+
+      // Add each domain to the set (avoiding duplicates)
+      for (const domain of domains) {
+        // Skip wildcards
+        if (domain.includes('*')) {
+          console.log(`Skipping wildcard domain for ACME: ${domain}`);
+          continue;
+        }
+
+        domainsToRegister.add(domain);
       }
-      
-      // Register the domain
+    }
+
+    // Register each unique domain with Port80Handler
+    for (const domain of domainsToRegister) {
       try {
         this.port80Handler.addDomain({
           domainName: domain,
           sslRedirect: true,
-          acmeMaintenance: true
+          acmeMaintenance: true,
+          // Include route reference if we can find it
+          routeReference: this.findRouteReferenceForDomain(domain, routes)
         });
-        
+
         console.log(`Registered domain with Port80Handler: ${domain}`);
       } catch (err) {
         console.log(`Error registering domain ${domain} with Port80Handler: ${err}`);
       }
     }
   }
+
+  /**
+   * Finds the route reference for a given domain
+   *
+   * @param domain The domain to find a route reference for
+   * @param routes The routes to search
+   * @returns The route reference if found, undefined otherwise
+   */
+  private findRouteReferenceForDomain(domain: string, routes: IRouteConfig[]): { routeId?: string; routeName?: string } | undefined {
+    // Find the first route that matches this domain
+    for (const route of routes) {
+      if (!route.match.domains) continue;
+
+      const domains = Array.isArray(route.match.domains)
+        ? route.match.domains
+        : [route.match.domains];
+
+      if (domains.includes(domain)) {
+        return {
+          routeId: undefined, // No explicit IDs in our current routes
+          routeName: route.name
+        };
+      }
+    }
+
+    return undefined;
+  }
   
   /**
    * Forwards a TLS connection to a NetworkProxy for handling
@@ -249,9 +313,19 @@ export class NetworkProxyBridge {
   }
   
   /**
-   * Synchronizes domain configurations to NetworkProxy
+   * Synchronizes routes to NetworkProxy
+   *
+   * This method directly maps route configurations to NetworkProxy format and updates
+   * the NetworkProxy with these configurations. It handles:
+   *
+   * - Extracting domain, target, and certificate information from routes
+   * - Converting TLS mode settings to NetworkProxy configuration
+   * - Applying security and advanced settings
+   * - Registering domains for ACME certificate provisioning when needed
+   *
+   * @param routes The route configurations to sync to NetworkProxy
    */
-  public async syncDomainConfigsToNetworkProxy(): Promise<void> {
+  public async syncRoutesToNetworkProxy(routes: IRouteConfig[]): Promise<void> {
     if (!this.networkProxy) {
       console.log('Cannot sync configurations - NetworkProxy not initialized');
       return;
@@ -262,9 +336,9 @@ export class NetworkProxyBridge {
       // Import fs directly since it's not in plugins
       const fs = await import('fs');
 
-      let certPair;
+      let defaultCertPair;
       try {
-        certPair = {
+        defaultCertPair = {
           key: fs.readFileSync('assets/certs/key.pem', 'utf8'),
           cert: fs.readFileSync('assets/certs/cert.pem', 'utf8'),
         };
@@ -276,49 +350,130 @@ export class NetworkProxyBridge {
 
         // Use empty placeholders - NetworkProxy will use its internal defaults
         // or ACME will generate proper ones if enabled
-        certPair = {
+        defaultCertPair = {
           key: '',
           cert: '',
         };
       }
 
-      // Convert domain configs to NetworkProxy configs
-      const proxyConfigs = this.networkProxy.convertSmartProxyConfigs(
-        this.settings.domainConfigs,
-        certPair
-      );
-
-      // Log ACME-eligible domains
-      const acmeEnabled = !!this.settings.acme?.enabled;
-      if (acmeEnabled) {
-        const acmeEligibleDomains = proxyConfigs
-          .filter((config) => !config.hostName.includes('*')) // Exclude wildcards
-          .map((config) => config.hostName);
-
-        if (acmeEligibleDomains.length > 0) {
-          console.log(`Domains eligible for ACME certificates: ${acmeEligibleDomains.join(', ')}`);
-          
-          // Register these domains with Port80Handler if available
-          if (this.port80Handler) {
-            this.registerDomainsWithPort80Handler(acmeEligibleDomains);
-          }
-        } else {
-          console.log('No domains eligible for ACME certificates found in configuration');
-        }
-      }
+      // Map routes directly to NetworkProxy configs
+      const proxyConfigs = this.mapRoutesToNetworkProxyConfigs(routes, defaultCertPair);
 
-      // Update NetworkProxy with the converted configs
+      // Update the proxy configs
       await this.networkProxy.updateProxyConfigs(proxyConfigs);
-      console.log(`Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`);
+      console.log(`Synced ${proxyConfigs.length} configurations to NetworkProxy`);
+
+      // Register domains with Port80Handler for certificate issuance
+      if (this.port80Handler) {
+        this.registerDomainsWithPort80Handler(routes);
+      }
     } catch (err) {
-      console.log(`Failed to sync configurations: ${err}`);
+      console.log(`Error syncing routes to NetworkProxy: ${err}`);
     }
   }
+
+  /**
+   * Map routes directly to NetworkProxy configuration format
+   *
+   * This method directly maps route configurations to NetworkProxy's format
+   * without any intermediate domain-based representation. It processes each route
+   * and creates appropriate NetworkProxy configs for domains that require TLS termination.
+   *
+   * @param routes Array of route configurations to map
+   * @param defaultCertPair Default certificate to use if no custom certificate is specified
+   * @returns Array of NetworkProxy configurations
+   */
+  public mapRoutesToNetworkProxyConfigs(
+    routes: IRouteConfig[],
+    defaultCertPair: { key: string; cert: string }
+  ): plugins.tsclass.network.IReverseProxyConfig[] {
+    const configs: plugins.tsclass.network.IReverseProxyConfig[] = [];
+
+    for (const route of routes) {
+      // Skip routes without domains
+      if (!route.match.domains) continue;
+
+      // Skip non-forward routes
+      if (route.action.type !== 'forward') continue;
+
+      // Skip routes without TLS configuration
+      if (!route.action.tls || !route.action.target) continue;
+
+      // Skip routes that don't require TLS termination
+      if (route.action.tls.mode !== 'terminate' && route.action.tls.mode !== 'terminate-and-reencrypt') continue;
+
+      // Get domains from route
+      const domains = Array.isArray(route.match.domains)
+        ? route.match.domains
+        : [route.match.domains];
+
+      // Create a config for each domain
+      for (const domain of domains) {
+        // Get certificate
+        let certKey = defaultCertPair.key;
+        let certCert = defaultCertPair.cert;
+
+        // Use custom certificate if specified
+        if (route.action.tls.certificate !== 'auto' && typeof route.action.tls.certificate === 'object') {
+          certKey = route.action.tls.certificate.key;
+          certCert = route.action.tls.certificate.cert;
+        }
+
+        // Determine target hosts and ports
+        const targetHosts = Array.isArray(route.action.target.host)
+          ? route.action.target.host
+          : [route.action.target.host];
+
+        const targetPort = route.action.target.port;
+
+        // Create the NetworkProxy config
+        const config: plugins.tsclass.network.IReverseProxyConfig = {
+          hostName: domain,
+          privateKey: certKey,
+          publicKey: certCert,
+          destinationIps: targetHosts,
+          destinationPorts: [targetPort]
+          // Note: We can't include additional metadata as it's not supported in the interface
+        };
+
+        configs.push(config);
+      }
+    }
+
+    return configs;
+  }
+
+  /**
+   * @deprecated This method is kept for backward compatibility.
+   * Use mapRoutesToNetworkProxyConfigs() instead.
+   */
+  public convertRoutesToNetworkProxyConfigs(
+    routes: IRouteConfig[],
+    defaultCertPair: { key: string; cert: string }
+  ): plugins.tsclass.network.IReverseProxyConfig[] {
+    return this.mapRoutesToNetworkProxyConfigs(routes, defaultCertPair);
+  }
+
+  /**
+   * @deprecated This method is deprecated and will be removed in a future version.
+   * Use syncRoutesToNetworkProxy() instead.
+   *
+   * This legacy method exists only for backward compatibility and
+   * simply forwards to syncRoutesToNetworkProxy().
+   */
+  public async syncDomainConfigsToNetworkProxy(): Promise<void> {
+    console.log('DEPRECATED: Method syncDomainConfigsToNetworkProxy will be removed in a future version.');
+    console.log('Please use syncRoutesToNetworkProxy() instead for direct route-based configuration.');
+    await this.syncRoutesToNetworkProxy(this.settings.routes || []);
+  }
   
   /**
    * Request a certificate for a specific domain
+   *
+   * @param domain The domain to request a certificate for
+   * @param routeName Optional route name to associate with this certificate
    */
-  public async requestCertificate(domain: string): Promise<boolean> {
+  public async requestCertificate(domain: string, routeName?: string): Promise<boolean> {
     // Delegate to Port80Handler if available
     if (this.port80Handler) {
       try {
@@ -328,14 +483,30 @@ export class NetworkProxyBridge {
           console.log(`Certificate already exists for ${domain}`);
           return true;
         }
-        
-        // Register the domain for certificate issuance
-        this.port80Handler.addDomain({
+
+        // Build the domain options
+        const domainOptions: any = {
           domainName: domain,
           sslRedirect: true,
-          acmeMaintenance: true
-        });
-        
+          acmeMaintenance: true,
+        };
+
+        // Add route reference if available
+        if (routeName) {
+          domainOptions.routeReference = {
+            routeName
+          };
+        } else {
+          // Try to find a route reference from the current routes
+          const routeReference = this.findRouteReferenceForDomain(domain, this.settings.routes || []);
+          if (routeReference) {
+            domainOptions.routeReference = routeReference;
+          }
+        }
+
+        // Register the domain for certificate issuance
+        this.port80Handler.addDomain(domainOptions);
+
         console.log(`Domain ${domain} registered for certificate issuance`);
         return true;
       } catch (err) {
@@ -343,7 +514,7 @@ export class NetworkProxyBridge {
         return false;
       }
     }
-    
+
     // Fall back to NetworkProxy if Port80Handler is not available
     if (!this.networkProxy) {
       console.log('Cannot request certificate - NetworkProxy not initialized');