@push.rocks/smartproxy 19.2.3 → 19.2.5

package/ts/proxies/smart-proxy/certificate-manager.ts

@@ -3,6 +3,7 @@ import { NetworkProxy } from '../network-proxy/index.js';
 import type { IRouteConfig, IRouteTls } from './models/route-types.js';
 import type { IAcmeOptions } from './models/interfaces.js';
 import { CertStore } from './cert-store.js';
+import type { AcmeStateManager } from './acme-state-manager.js';
 
 export interface ICertStatus {
   domain: string;
@@ -38,6 +39,15 @@ export class SmartCertManager {
   // Callback to update SmartProxy routes for challenges
   private updateRoutesCallback?: (routes: IRouteConfig[]) => Promise<void>;
   
+  // Flag to track if challenge route is currently active
+  private challengeRouteActive: boolean = false;
+  
+  // Flag to track if provisioning is in progress
+  private isProvisioning: boolean = false;
+  
+  // ACME state manager reference
+  private acmeStateManager: AcmeStateManager | null = null;
+  
   constructor(
     private routes: IRouteConfig[],
     private certDir: string = './certs',
@@ -45,15 +55,39 @@ export class SmartCertManager {
       email?: string;
       useProduction?: boolean;
       port?: number;
+    },
+    private initialState?: {
+      challengeRouteActive?: boolean;
     }
   ) {
     this.certStore = new CertStore(certDir);
+    
+    // Apply initial state if provided
+    if (initialState) {
+      this.challengeRouteActive = initialState.challengeRouteActive || false;
+    }
   }
   
   public setNetworkProxy(networkProxy: NetworkProxy): void {
     this.networkProxy = networkProxy;
   }
   
+  /**
+   * Get the current state of the certificate manager
+   */
+  public getState(): { challengeRouteActive: boolean } {
+    return {
+      challengeRouteActive: this.challengeRouteActive
+    };
+  }
+  
+  /**
+   * Set the ACME state manager
+   */
+  public setAcmeStateManager(stateManager: AcmeStateManager): void {
+    this.acmeStateManager = stateManager;
+  }
+  
   /**
    * Set global ACME defaults from top-level configuration
    */
@@ -96,6 +130,14 @@ export class SmartCertManager {
       });
       
       await this.smartAcme.start();
+      
+      // Add challenge route once at initialization if not already active
+      if (!this.challengeRouteActive) {
+        console.log('Adding ACME challenge route during initialization');
+        await this.addChallengeRoute();
+      } else {
+        console.log('Challenge route already active from previous instance');
+      }
     }
     
     // Provision certificates for all routes
@@ -114,24 +156,37 @@ export class SmartCertManager {
       r.action.tls?.mode === 'terminate-and-reencrypt'
     );
     
-    for (const route of certRoutes) {
-      try {
-        await this.provisionCertificate(route);
-      } catch (error) {
-        console.error(`Failed to provision certificate for route ${route.name}: ${error}`);
+    // Set provisioning flag to prevent concurrent operations
+    this.isProvisioning = true;
+    
+    try {
+      for (const route of certRoutes) {
+        try {
+          await this.provisionCertificate(route, true); // Allow concurrent since we're managing it here
+        } catch (error) {
+          console.error(`Failed to provision certificate for route ${route.name}: ${error}`);
+        }
       }
+    } finally {
+      this.isProvisioning = false;
     }
   }
   
   /**
    * Provision certificate for a single route
    */
-  public async provisionCertificate(route: IRouteConfig): Promise<void> {
+  public async provisionCertificate(route: IRouteConfig, allowConcurrent: boolean = false): Promise<void> {
     const tls = route.action.tls;
     if (!tls || (tls.mode !== 'terminate' && tls.mode !== 'terminate-and-reencrypt')) {
       return;
     }
     
+    // Check if provisioning is already in progress (prevent concurrent provisioning)
+    if (!allowConcurrent && this.isProvisioning) {
+      console.log(`Certificate provisioning already in progress, skipping ${route.name}`);
+      return;
+    }
+    
     const domains = this.extractDomainsFromRoute(route);
     if (domains.length === 0) {
       console.warn(`Route ${route.name} has TLS termination but no domains`);
@@ -186,13 +241,12 @@ export class SmartCertManager {
     this.updateCertStatus(routeName, 'pending', 'acme');
     
     try {
-      // Add challenge route before requesting certificate
-      await this.addChallengeRoute();
-      
-      try {
-        // Use smartacme to get certificate
-        const cert = await this.smartAcme.getCertificateForDomain(primaryDomain);
+      // Challenge route should already be active from initialization
+      // No need to add it for each certificate
       
+      // Use smartacme to get certificate
+      const cert = await this.smartAcme.getCertificateForDomain(primaryDomain);
+    
       // SmartAcme's Cert object has these properties:
       // - publicKey: The certificate PEM string  
       // - privateKey: The private key PEM string
@@ -211,18 +265,9 @@ export class SmartCertManager {
       await this.applyCertificate(primaryDomain, certData);
       this.updateCertStatus(routeName, 'valid', 'acme', certData);
       
-        console.log(`Successfully provisioned ACME certificate for ${primaryDomain}`);
-      } catch (error) {
-        console.error(`Failed to provision ACME certificate for ${primaryDomain}: ${error}`);
-        this.updateCertStatus(routeName, 'error', 'acme', undefined, error.message);
-        throw error;
-      } finally {
-        // Always remove challenge route after provisioning
-        await this.removeChallengeRoute();
-      }
+      console.log(`Successfully provisioned ACME certificate for ${primaryDomain}`);
     } catch (error) {
-      // Handle outer try-catch from adding challenge route
-      console.error(`Failed to setup ACME challenge for ${primaryDomain}: ${error}`);
+      console.error(`Failed to provision ACME certificate for ${primaryDomain}: ${error}`);
       this.updateCertStatus(routeName, 'error', 'acme', undefined, error.message);
       throw error;
     }
@@ -337,6 +382,18 @@ export class SmartCertManager {
    * Add challenge route to SmartProxy
    */
   private async addChallengeRoute(): Promise<void> {
+    // Check with state manager first
+    if (this.acmeStateManager && this.acmeStateManager.isChallengeRouteActive()) {
+      console.log('Challenge route already active in global state, skipping');
+      this.challengeRouteActive = true;
+      return;
+    }
+    
+    if (this.challengeRouteActive) {
+      console.log('Challenge route already active locally, skipping');
+      return;
+    }
+    
     if (!this.updateRoutesCallback) {
       throw new Error('No route update callback set');
     }
@@ -346,20 +403,56 @@ export class SmartCertManager {
     }
     const challengeRoute = this.challengeRoute;
     
-    const updatedRoutes = [...this.routes, challengeRoute];
-    await this.updateRoutesCallback(updatedRoutes);
+    try {
+      const updatedRoutes = [...this.routes, challengeRoute];
+      await this.updateRoutesCallback(updatedRoutes);
+      this.challengeRouteActive = true;
+      
+      // Register with state manager
+      if (this.acmeStateManager) {
+        this.acmeStateManager.addChallengeRoute(challengeRoute);
+      }
+      
+      console.log('ACME challenge route successfully added');
+    } catch (error) {
+      console.error('Failed to add challenge route:', error);
+      if ((error as any).code === 'EADDRINUSE') {
+        throw new Error(`Port ${this.globalAcmeDefaults?.port || 80} is already in use for ACME challenges`);
+      }
+      throw error;
+    }
   }
   
   /**
    * Remove challenge route from SmartProxy
    */
   private async removeChallengeRoute(): Promise<void> {
+    if (!this.challengeRouteActive) {
+      console.log('Challenge route not active, skipping removal');
+      return;
+    }
+    
     if (!this.updateRoutesCallback) {
       return;
     }
     
-    const filteredRoutes = this.routes.filter(r => r.name !== 'acme-challenge');
-    await this.updateRoutesCallback(filteredRoutes);
+    try {
+      const filteredRoutes = this.routes.filter(r => r.name !== 'acme-challenge');
+      await this.updateRoutesCallback(filteredRoutes);
+      this.challengeRouteActive = false;
+      
+      // Remove from state manager
+      if (this.acmeStateManager) {
+        this.acmeStateManager.removeChallengeRoute('acme-challenge');
+      }
+      
+      console.log('ACME challenge route successfully removed');
+    } catch (error) {
+      console.error('Failed to remove challenge route:', error);
+      // Reset the flag even on error to avoid getting stuck
+      this.challengeRouteActive = false;
+      throw error;
+    }
   }
   
   /**
@@ -512,14 +605,19 @@ export class SmartCertManager {
       this.renewalTimer = null;
     }
     
+    // Always remove challenge route on shutdown
+    if (this.challengeRoute) {
+      console.log('Removing ACME challenge route during shutdown');
+      await this.removeChallengeRoute();
+    }
+    
     if (this.smartAcme) {
       await this.smartAcme.stop();
     }
     
-    // Remove any active challenge routes
+    // Clear any pending challenges
     if (this.pendingChallenges.size > 0) {
       this.pendingChallenges.clear();
-      await this.removeChallengeRoute();
     }
   }
   

package/ts/proxies/smart-proxy/smart-proxy.ts

@@ -20,6 +20,12 @@ import type {
 } from './models/interfaces.js';
 import type { IRouteConfig } from './models/route-types.js';
 
+// Import mutex for route update synchronization
+import { Mutex } from './utils/mutex.js';
+
+// Import ACME state manager
+import { AcmeStateManager } from './acme-state-manager.js';
+
 /**
  * SmartProxy - Pure route-based API
  *
@@ -52,6 +58,11 @@ export class SmartProxy extends plugins.EventEmitter {
   // Certificate manager for ACME and static certificates
   private certManager: SmartCertManager | null = null;
   
+  // Global challenge route tracking
+  private globalChallengeRouteActive: boolean = false;
+  private routeUpdateLock: any = null; // Will be initialized as AsyncMutex
+  private acmeStateManager: AcmeStateManager;
+  
   /**
    * Constructor for SmartProxy
    *
@@ -171,6 +182,12 @@ export class SmartProxy extends plugins.EventEmitter {
     
     // Initialize NFTablesManager
     this.nftablesManager = new NFTablesManager(this.settings);
+    
+    // Initialize route update mutex for synchronization
+    this.routeUpdateLock = new Mutex();
+    
+    // Initialize ACME state manager
+    this.acmeStateManager = new AcmeStateManager();
   }
   
   /**
@@ -185,9 +202,10 @@ export class SmartProxy extends plugins.EventEmitter {
   private async createCertificateManager(
     routes: IRouteConfig[],
     certStore: string = './certs',
-    acmeOptions?: any
+    acmeOptions?: any,
+    initialState?: { challengeRouteActive?: boolean }
   ): Promise<SmartCertManager> {
-    const certManager = new SmartCertManager(routes, certStore, acmeOptions);
+    const certManager = new SmartCertManager(routes, certStore, acmeOptions, initialState);
     
     // Always set up the route update callback for ACME challenges
     certManager.setUpdateRoutesCallback(async (routes) => {
@@ -199,6 +217,9 @@ export class SmartProxy extends plugins.EventEmitter {
       certManager.setNetworkProxy(this.networkProxyBridge.getNetworkProxy());
     }
     
+    // Set the ACME state manager
+    certManager.setAcmeStateManager(this.acmeStateManager);
+    
     // Pass down the global ACME config if available
     if (this.settings.acme) {
       certManager.setGlobalAcmeDefaults(this.settings.acme);
@@ -441,7 +462,9 @@ export class SmartProxy extends plugins.EventEmitter {
 
     // Stop NetworkProxy
     await this.networkProxyBridge.stop();
-
+    
+    // Clear ACME state manager
+    this.acmeStateManager.clear();
 
     console.log('SmartProxy shutdown complete.');
   }
@@ -456,6 +479,29 @@ export class SmartProxy extends plugins.EventEmitter {
     throw new Error('updateDomainConfigs() is deprecated - use updateRoutes() instead');
   }
   
+  /**
+   * Verify the challenge route has been properly removed from routes
+   */
+  private async verifyChallengeRouteRemoved(): Promise<void> {
+    const maxRetries = 10;
+    const retryDelay = 100; // milliseconds
+    
+    for (let i = 0; i < maxRetries; i++) {
+      // Check if the challenge route is still in the active routes
+      const challengeRouteExists = this.settings.routes.some(r => r.name === 'acme-challenge');
+      
+      if (!challengeRouteExists) {
+        console.log('Challenge route successfully removed from routes');
+        return;
+      }
+      
+      // Wait before retrying
+      await plugins.smartdelay.delayFor(retryDelay);
+    }
+    
+    throw new Error('Failed to verify challenge route removal after ' + maxRetries + ' attempts');
+  }
+  
   /**
    * Update routes with new configuration
    *
@@ -480,70 +526,81 @@ export class SmartProxy extends plugins.EventEmitter {
    * ```
    */
   public async updateRoutes(newRoutes: IRouteConfig[]): Promise<void> {
-    console.log(`Updating routes (${newRoutes.length} routes)`);
+    return this.routeUpdateLock.runExclusive(async () => {
+      console.log(`Updating routes (${newRoutes.length} routes)`);
 
-    // Get existing routes that use NFTables
-    const oldNfTablesRoutes = this.settings.routes.filter(
-      r => r.action.forwardingEngine === 'nftables'
-    );
-    
-    // Get new routes that use NFTables
-    const newNfTablesRoutes = newRoutes.filter(
-      r => r.action.forwardingEngine === 'nftables'
-    );
-    
-    // Find routes to remove, update, or add
-    for (const oldRoute of oldNfTablesRoutes) {
-      const newRoute = newNfTablesRoutes.find(r => r.name === oldRoute.name);
+      // Get existing routes that use NFTables
+      const oldNfTablesRoutes = this.settings.routes.filter(
+        r => r.action.forwardingEngine === 'nftables'
+      );
       
-      if (!newRoute) {
-        // Route was removed
-        await this.nftablesManager.deprovisionRoute(oldRoute);
-      } else {
-        // Route was updated
-        await this.nftablesManager.updateRoute(oldRoute, newRoute);
+      // Get new routes that use NFTables
+      const newNfTablesRoutes = newRoutes.filter(
+        r => r.action.forwardingEngine === 'nftables'
+      );
+      
+      // Find routes to remove, update, or add
+      for (const oldRoute of oldNfTablesRoutes) {
+        const newRoute = newNfTablesRoutes.find(r => r.name === oldRoute.name);
+        
+        if (!newRoute) {
+          // Route was removed
+          await this.nftablesManager.deprovisionRoute(oldRoute);
+        } else {
+          // Route was updated
+          await this.nftablesManager.updateRoute(oldRoute, newRoute);
+        }
       }
-    }
-    
-    // Find new routes to add
-    for (const newRoute of newNfTablesRoutes) {
-      const oldRoute = oldNfTablesRoutes.find(r => r.name === newRoute.name);
       
-      if (!oldRoute) {
-        // New route
-        await this.nftablesManager.provisionRoute(newRoute);
+      // Find new routes to add
+      for (const newRoute of newNfTablesRoutes) {
+        const oldRoute = oldNfTablesRoutes.find(r => r.name === newRoute.name);
+        
+        if (!oldRoute) {
+          // New route
+          await this.nftablesManager.provisionRoute(newRoute);
+        }
       }
-    }
 
-    // Update routes in RouteManager
-    this.routeManager.updateRoutes(newRoutes);
+      // Update routes in RouteManager
+      this.routeManager.updateRoutes(newRoutes);
 
-    // Get the new set of required ports
-    const requiredPorts = this.routeManager.getListeningPorts();
+      // Get the new set of required ports
+      const requiredPorts = this.routeManager.getListeningPorts();
 
-    // Update port listeners to match the new configuration
-    await this.portManager.updatePorts(requiredPorts);
-    
-    // Update settings with the new routes
-    this.settings.routes = newRoutes;
+      // Update port listeners to match the new configuration
+      await this.portManager.updatePorts(requiredPorts);
+      
+      // Update settings with the new routes
+      this.settings.routes = newRoutes;
 
-    // If NetworkProxy is initialized, resync the configurations
-    if (this.networkProxyBridge.getNetworkProxy()) {
-      await this.networkProxyBridge.syncRoutesToNetworkProxy(newRoutes);
-    }
+      // If NetworkProxy is initialized, resync the configurations
+      if (this.networkProxyBridge.getNetworkProxy()) {
+        await this.networkProxyBridge.syncRoutesToNetworkProxy(newRoutes);
+      }
 
-    // Update certificate manager with new routes
-    if (this.certManager) {
-      const existingAcmeOptions = this.certManager.getAcmeOptions();
-      await this.certManager.stop();
-      
-      // Use the helper method to create and configure the certificate manager
-      this.certManager = await this.createCertificateManager(
-        newRoutes,
-        './certs',
-        existingAcmeOptions
-      );
-    }
+      // Update certificate manager with new routes
+      if (this.certManager) {
+        const existingAcmeOptions = this.certManager.getAcmeOptions();
+        const existingState = this.certManager.getState();
+        
+        // Store global state before stopping
+        this.globalChallengeRouteActive = existingState.challengeRouteActive;
+        
+        await this.certManager.stop();
+        
+        // Verify the challenge route has been properly removed
+        await this.verifyChallengeRouteRemoved();
+        
+        // Create new certificate manager with preserved state
+        this.certManager = await this.createCertificateManager(
+          newRoutes,
+          './certs',
+          existingAcmeOptions,
+          { challengeRouteActive: this.globalChallengeRouteActive }
+        );
+      }
+    });
   }
   
   /**

package/ts/proxies/smart-proxy/utils/mutex.ts

@@ -0,0 +1,45 @@
+/**
+ * Simple mutex implementation for async operations
+ */
+export class Mutex {
+  private isLocked: boolean = false;
+  private waitQueue: Array<() => void> = [];
+
+  /**
+   * Acquire the lock
+   */
+  async acquire(): Promise<void> {
+    return new Promise<void>((resolve) => {
+      if (!this.isLocked) {
+        this.isLocked = true;
+        resolve();
+      } else {
+        this.waitQueue.push(resolve);
+      }
+    });
+  }
+
+  /**
+   * Release the lock
+   */
+  release(): void {
+    this.isLocked = false;
+    const nextResolve = this.waitQueue.shift();
+    if (nextResolve) {
+      this.isLocked = true;
+      nextResolve();
+    }
+  }
+
+  /**
+   * Run a function exclusively with the lock
+   */
+  async runExclusive<T>(fn: () => Promise<T>): Promise<T> {
+    await this.acquire();
+    try {
+      return await fn();
+    } finally {
+      this.release();
+    }
+  }
+}

package/ts/common/port80-adapter.ts

@@ -1,111 +0,0 @@
-import * as plugins from '../plugins.js';
-
-import type {
-  IForwardConfig as ILegacyForwardConfig,
-  IDomainOptions
-} from './types.js';
-
-import type {
-  IForwardConfig
-} from '../forwarding/config/forwarding-types.js';
-
-/**
- * Converts a forwarding configuration target to the legacy format
- * for Port80Handler
- */
-export function convertToLegacyForwardConfig(
-  forwardConfig: IForwardConfig
-): ILegacyForwardConfig {
-  // Determine host from the target configuration
-  const host = Array.isArray(forwardConfig.target.host)
-    ? forwardConfig.target.host[0]  // Use the first host in the array
-    : forwardConfig.target.host;
-
-  // Extract port number, handling different port formats
-  let port: number;
-  if (typeof forwardConfig.target.port === 'function') {
-    // Use a default port for function-based ports in adapter context
-    port = 80;
-  } else if (forwardConfig.target.port === 'preserve') {
-    // For 'preserve', use the default port 80 in this adapter context
-    port = 80;
-  } else {
-    port = forwardConfig.target.port;
-  }
-
-  return {
-    ip: host,
-    port: port
-  };
-}
-
-/**
- * Creates Port80Handler domain options from a domain name and forwarding config
- */
-export function createPort80HandlerOptions(
-  domain: string,
-  forwardConfig: IForwardConfig
-): IDomainOptions {
-  // Determine if we should redirect HTTP to HTTPS
-  let sslRedirect = false;
-  if (forwardConfig.http?.redirectToHttps) {
-    sslRedirect = true;
-  }
-  
-  // Determine if ACME maintenance should be enabled
-  // Enable by default for termination types, unless explicitly disabled
-  const requiresTls = 
-    forwardConfig.type === 'https-terminate-to-http' || 
-    forwardConfig.type === 'https-terminate-to-https';
-  
-  const acmeMaintenance = 
-    requiresTls && 
-    forwardConfig.acme?.enabled !== false;
-  
-  // Set up forwarding configuration
-  const options: IDomainOptions = {
-    domainName: domain,
-    sslRedirect,
-    acmeMaintenance
-  };
-  
-  // Add ACME challenge forwarding if configured
-  if (forwardConfig.acme?.forwardChallenges) {
-    options.acmeForward = {
-      ip: Array.isArray(forwardConfig.acme.forwardChallenges.host) 
-        ? forwardConfig.acme.forwardChallenges.host[0]
-        : forwardConfig.acme.forwardChallenges.host,
-      port: forwardConfig.acme.forwardChallenges.port
-    };
-  }
-  
-  // Add HTTP forwarding if this is an HTTP-only config or if HTTP is enabled
-  const supportsHttp = 
-    forwardConfig.type === 'http-only' || 
-    (forwardConfig.http?.enabled !== false &&
-     (forwardConfig.type === 'https-terminate-to-http' || 
-      forwardConfig.type === 'https-terminate-to-https'));
-  
-  if (supportsHttp) {
-    // Determine port value handling different formats
-    let port: number;
-    if (typeof forwardConfig.target.port === 'function') {
-      // Use a default port for function-based ports
-      port = 80;
-    } else if (forwardConfig.target.port === 'preserve') {
-      // For 'preserve', use 80 in this adapter context
-      port = 80;
-    } else {
-      port = forwardConfig.target.port;
-    }
-
-    options.forward = {
-      ip: Array.isArray(forwardConfig.target.host) 
-        ? forwardConfig.target.host[0]
-        : forwardConfig.target.host,
-      port: port
-    };
-  }
-  
-  return options;
-}