@push.rocks/smartproxy 19.5.19 → 19.5.21

package/ts/core/routing/route-utils.ts

@@ -0,0 +1,88 @@
+/**
+ * Route matching utilities for SmartProxy components
+ * 
+ * This file provides utility functions that use the unified matchers
+ * and additional route-specific utilities.
+ */
+
+import { DomainMatcher, PathMatcher, IpMatcher, HeaderMatcher } from './matchers/index.js';
+import { RouteSpecificity } from './specificity.js';
+import type { IRouteSpecificity } from './types.js';
+import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
+
+
+/**
+ * Match domains from a route against a given domain
+ * 
+ * @param domains Array or single domain pattern to match against
+ * @param domain Domain to match
+ * @returns Whether the domain matches any of the patterns
+ */
+export function matchRouteDomain(domains: string | string[] | undefined, domain: string | undefined): boolean {
+  // If no domains specified in the route, match all domains
+  if (!domains) {
+    return true;
+  }
+
+  // If no domain in the request, can't match domain-specific routes
+  if (!domain) {
+    return false;
+  }
+  
+  const patterns = Array.isArray(domains) ? domains : [domains];
+  return patterns.some(pattern => DomainMatcher.match(pattern, domain));
+}
+
+
+
+/**
+ * Calculate route specificity score
+ * Higher score means more specific matching criteria
+ * 
+ * @param match Match criteria to evaluate
+ * @returns Numeric specificity score
+ */
+export function calculateRouteSpecificity(match: {
+  domains?: string | string[];
+  path?: string;
+  clientIp?: string[];
+  tlsVersion?: string[];
+  headers?: Record<string, string | RegExp>;
+}): number {
+  let score = 0;
+  
+  // Path specificity using PathMatcher
+  if (match.path) {
+    score += PathMatcher.calculateSpecificity(match.path);
+  }
+  
+  // Domain specificity using DomainMatcher
+  if (match.domains) {
+    const domains = Array.isArray(match.domains) ? match.domains : [match.domains];
+    // Use the highest specificity among all domains
+    const domainScore = Math.max(...domains.map(d => DomainMatcher.calculateSpecificity(d)));
+    score += domainScore;
+  }
+  
+  // Headers specificity using HeaderMatcher
+  if (match.headers) {
+    const stringHeaders: Record<string, string> = {};
+    for (const [key, value] of Object.entries(match.headers)) {
+      stringHeaders[key] = value instanceof RegExp ? value.source : value;
+    }
+    score += HeaderMatcher.calculateSpecificity(stringHeaders);
+  }
+  
+  // Client IP adds some specificity
+  if (match.clientIp && match.clientIp.length > 0) {
+    // Use the first IP pattern for specificity
+    score += IpMatcher.calculateSpecificity(match.clientIp[0]);
+  }
+  
+  // TLS version adds minimal specificity
+  if (match.tlsVersion && match.tlsVersion.length > 0) {
+    score += match.tlsVersion.length * 10;
+  }
+  
+  return score;
+}

package/ts/core/routing/specificity.ts

@@ -0,0 +1,141 @@
+import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
+import type { IRouteSpecificity } from './types.js';
+import { DomainMatcher, PathMatcher, IpMatcher, HeaderMatcher } from './matchers/index.js';
+
+/**
+ * Unified route specificity calculator
+ * Provides consistent specificity scoring across all routing components
+ */
+export class RouteSpecificity {
+  /**
+   * Calculate the total specificity score for a route
+   * Higher scores indicate more specific routes that should match first
+   */
+  static calculate(route: IRouteConfig): IRouteSpecificity {
+    const specificity: IRouteSpecificity = {
+      pathSpecificity: 0,
+      domainSpecificity: 0,
+      ipSpecificity: 0,
+      headerSpecificity: 0,
+      tlsSpecificity: 0,
+      totalScore: 0
+    };
+
+    // Path specificity
+    if (route.match.path) {
+      specificity.pathSpecificity = PathMatcher.calculateSpecificity(route.match.path);
+    }
+
+    // Domain specificity
+    if (route.match.domains) {
+      const domains = Array.isArray(route.match.domains) 
+        ? route.match.domains 
+        : [route.match.domains];
+      
+      // Use the highest specificity among all domains
+      specificity.domainSpecificity = Math.max(
+        ...domains.map(d => DomainMatcher.calculateSpecificity(d))
+      );
+    }
+
+    // IP specificity (clientIp is an array of IPs)
+    if (route.match.clientIp && route.match.clientIp.length > 0) {
+      // Use the first IP pattern for specificity calculation
+      specificity.ipSpecificity = IpMatcher.calculateSpecificity(route.match.clientIp[0]);
+    }
+
+    // Header specificity (convert RegExp values to strings)
+    if (route.match.headers) {
+      const stringHeaders: Record<string, string> = {};
+      for (const [key, value] of Object.entries(route.match.headers)) {
+        stringHeaders[key] = value instanceof RegExp ? value.source : value;
+      }
+      specificity.headerSpecificity = HeaderMatcher.calculateSpecificity(stringHeaders);
+    }
+
+    // TLS version specificity
+    if (route.match.tlsVersion && route.match.tlsVersion.length > 0) {
+      specificity.tlsSpecificity = route.match.tlsVersion.length * 10;
+    }
+
+    // Calculate total score with weights
+    specificity.totalScore = 
+      specificity.pathSpecificity * 3 +      // Path is most important
+      specificity.domainSpecificity * 2 +    // Domain is second
+      specificity.ipSpecificity * 1.5 +      // IP is moderately important
+      specificity.headerSpecificity * 1 +    // Headers are less important
+      specificity.tlsSpecificity * 0.5;     // TLS is least important
+
+    return specificity;
+  }
+
+  /**
+   * Compare two routes and determine which is more specific
+   * @returns positive if route1 is more specific, negative if route2 is more specific, 0 if equal
+   */
+  static compare(route1: IRouteConfig, route2: IRouteConfig): number {
+    const spec1 = this.calculate(route1);
+    const spec2 = this.calculate(route2);
+
+    // First compare by total score
+    if (spec1.totalScore !== spec2.totalScore) {
+      return spec1.totalScore - spec2.totalScore;
+    }
+
+    // If total scores are equal, compare by individual components
+    // Path is most important tiebreaker
+    if (spec1.pathSpecificity !== spec2.pathSpecificity) {
+      return spec1.pathSpecificity - spec2.pathSpecificity;
+    }
+
+    // Then domain
+    if (spec1.domainSpecificity !== spec2.domainSpecificity) {
+      return spec1.domainSpecificity - spec2.domainSpecificity;
+    }
+
+    // Then IP
+    if (spec1.ipSpecificity !== spec2.ipSpecificity) {
+      return spec1.ipSpecificity - spec2.ipSpecificity;
+    }
+
+    // Then headers
+    if (spec1.headerSpecificity !== spec2.headerSpecificity) {
+      return spec1.headerSpecificity - spec2.headerSpecificity;
+    }
+
+    // Finally TLS
+    return spec1.tlsSpecificity - spec2.tlsSpecificity;
+  }
+
+  /**
+   * Sort routes by specificity (most specific first)
+   */
+  static sort(routes: IRouteConfig[]): IRouteConfig[] {
+    return [...routes].sort((a, b) => this.compare(b, a));
+  }
+
+  /**
+   * Find the most specific route from a list
+   */
+  static findMostSpecific(routes: IRouteConfig[]): IRouteConfig | null {
+    if (routes.length === 0) return null;
+    
+    return routes.reduce((most, current) => 
+      this.compare(current, most) > 0 ? current : most
+    );
+  }
+
+  /**
+   * Check if a route has any matching criteria
+   */
+  static hasMatchCriteria(route: IRouteConfig): boolean {
+    const match = route.match;
+    return !!(
+      match.domains ||
+      match.path ||
+      match.clientIp?.length ||
+      match.headers ||
+      match.tlsVersion?.length
+    );
+  }
+}

package/ts/core/routing/types.ts

@@ -0,0 +1,49 @@
+/**
+ * Core routing types used throughout the routing system
+ */
+
+export interface IPathMatchResult {
+  matches: boolean;
+  params?: Record<string, string>;
+  pathMatch?: string;
+  pathRemainder?: string;
+}
+
+export interface IRouteMatchResult {
+  matches: boolean;
+  score: number;
+  specificity: number;
+  matchedCriteria: string[];
+}
+
+export interface IDomainMatchOptions {
+  allowWildcards?: boolean;
+  caseInsensitive?: boolean;
+}
+
+export interface IIpMatchOptions {
+  allowCidr?: boolean;
+  allowRanges?: boolean;
+}
+
+export interface IHeaderMatchOptions {
+  caseInsensitive?: boolean;
+  exactMatch?: boolean;
+}
+
+export interface IRouteSpecificity {
+  pathSpecificity: number;
+  domainSpecificity: number;
+  ipSpecificity: number;
+  headerSpecificity: number;
+  tlsSpecificity: number;
+  totalScore: number;
+}
+
+export interface IMatcher<T = any, O = any> {
+  match(pattern: string, value: string, options?: O): T | boolean;
+}
+
+export interface IAsyncMatcher<T = any, O = any> {
+  match(pattern: string, value: string, options?: O): Promise<T | boolean>;
+}

package/ts/core/utils/index.ts

@@ -5,8 +5,6 @@
 export * from './validation-utils.js';
 export * from './ip-utils.js';
 export * from './template-utils.js';
-export * from './route-manager.js';
-export * from './route-utils.js';
 export * from './security-utils.js';
 export * from './shared-security-manager.js';
 export * from './websocket-utils.js';
@@ -17,3 +15,4 @@ export * from './lifecycle-component.js';
 export * from './binary-heap.js';
 export * from './enhanced-connection-pool.js';
 export * from './socket-utils.js';
+export * from './proxy-protocol.js';

package/ts/core/utils/proxy-protocol.ts

@@ -0,0 +1,246 @@
+import * as plugins from '../../plugins.js';
+import { logger } from './logger.js';
+
+/**
+ * Interface representing parsed PROXY protocol information
+ */
+export interface IProxyInfo {
+  protocol: 'TCP4' | 'TCP6' | 'UNKNOWN';
+  sourceIP: string;
+  sourcePort: number;
+  destinationIP: string;
+  destinationPort: number;
+}
+
+/**
+ * Interface for parse result including remaining data
+ */
+export interface IProxyParseResult {
+  proxyInfo: IProxyInfo | null;
+  remainingData: Buffer;
+}
+
+/**
+ * Parser for PROXY protocol v1 (text format)
+ * Spec: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+ */
+export class ProxyProtocolParser {
+  static readonly PROXY_V1_SIGNATURE = 'PROXY ';
+  static readonly MAX_HEADER_LENGTH = 107; // Max length for v1 header
+  static readonly HEADER_TERMINATOR = '\r\n';
+  
+  /**
+   * Parse PROXY protocol v1 header from buffer
+   * Returns proxy info and remaining data after header
+   */
+  static parse(data: Buffer): IProxyParseResult {
+    // Check if buffer starts with PROXY signature
+    if (!data.toString('ascii', 0, 6).startsWith(this.PROXY_V1_SIGNATURE)) {
+      return {
+        proxyInfo: null,
+        remainingData: data
+      };
+    }
+    
+    // Find header terminator
+    const headerEndIndex = data.indexOf(this.HEADER_TERMINATOR);
+    if (headerEndIndex === -1) {
+      // Header incomplete, need more data
+      if (data.length > this.MAX_HEADER_LENGTH) {
+        // Header too long, invalid
+        throw new Error('PROXY protocol header exceeds maximum length');
+      }
+      return {
+        proxyInfo: null,
+        remainingData: data
+      };
+    }
+    
+    // Extract header line
+    const headerLine = data.toString('ascii', 0, headerEndIndex);
+    const remainingData = data.slice(headerEndIndex + 2); // Skip \r\n
+    
+    // Parse header
+    const parts = headerLine.split(' ');
+    
+    if (parts.length < 2) {
+      throw new Error(`Invalid PROXY protocol header format: ${headerLine}`);
+    }
+    
+    const [signature, protocol] = parts;
+    
+    // Validate protocol
+    if (!['TCP4', 'TCP6', 'UNKNOWN'].includes(protocol)) {
+      throw new Error(`Invalid PROXY protocol: ${protocol}`);
+    }
+    
+    // For UNKNOWN protocol, ignore addresses
+    if (protocol === 'UNKNOWN') {
+      return {
+        proxyInfo: {
+          protocol: 'UNKNOWN',
+          sourceIP: '',
+          sourcePort: 0,
+          destinationIP: '',
+          destinationPort: 0
+        },
+        remainingData
+      };
+    }
+    
+    // For TCP4/TCP6, we need all 6 parts
+    if (parts.length !== 6) {
+      throw new Error(`Invalid PROXY protocol header format: ${headerLine}`);
+    }
+    
+    const [, , srcIP, dstIP, srcPort, dstPort] = parts;
+    
+    // Validate and parse ports
+    const sourcePort = parseInt(srcPort, 10);
+    const destinationPort = parseInt(dstPort, 10);
+    
+    if (isNaN(sourcePort) || sourcePort < 0 || sourcePort > 65535) {
+      throw new Error(`Invalid source port: ${srcPort}`);
+    }
+    
+    if (isNaN(destinationPort) || destinationPort < 0 || destinationPort > 65535) {
+      throw new Error(`Invalid destination port: ${dstPort}`);
+    }
+    
+    // Validate IP addresses
+    const protocolType = protocol as 'TCP4' | 'TCP6' | 'UNKNOWN';
+    if (!this.isValidIP(srcIP, protocolType)) {
+      throw new Error(`Invalid source IP for ${protocol}: ${srcIP}`);
+    }
+    
+    if (!this.isValidIP(dstIP, protocolType)) {
+      throw new Error(`Invalid destination IP for ${protocol}: ${dstIP}`);
+    }
+    
+    return {
+      proxyInfo: {
+        protocol: protocol as 'TCP4' | 'TCP6',
+        sourceIP: srcIP,
+        sourcePort,
+        destinationIP: dstIP,
+        destinationPort
+      },
+      remainingData
+    };
+  }
+  
+  /**
+   * Generate PROXY protocol v1 header
+   */
+  static generate(info: IProxyInfo): Buffer {
+    if (info.protocol === 'UNKNOWN') {
+      return Buffer.from(`PROXY UNKNOWN\r\n`, 'ascii');
+    }
+    
+    const header = `PROXY ${info.protocol} ${info.sourceIP} ${info.destinationIP} ${info.sourcePort} ${info.destinationPort}\r\n`;
+    
+    if (header.length > this.MAX_HEADER_LENGTH) {
+      throw new Error('Generated PROXY protocol header exceeds maximum length');
+    }
+    
+    return Buffer.from(header, 'ascii');
+  }
+  
+  /**
+   * Validate IP address format
+   */
+  private static isValidIP(ip: string, protocol: 'TCP4' | 'TCP6' | 'UNKNOWN'): boolean {
+    if (protocol === 'TCP4') {
+      return plugins.net.isIPv4(ip);
+    } else if (protocol === 'TCP6') {
+      return plugins.net.isIPv6(ip);
+    }
+    return false;
+  }
+  
+  /**
+   * Attempt to read a complete PROXY protocol header from a socket
+   * Returns null if no PROXY protocol detected or incomplete
+   */
+  static async readFromSocket(socket: plugins.net.Socket, timeout: number = 5000): Promise<IProxyParseResult | null> {
+    return new Promise((resolve) => {
+      let buffer = Buffer.alloc(0);
+      let resolved = false;
+      
+      const cleanup = () => {
+        socket.removeListener('data', onData);
+        socket.removeListener('error', onError);
+        clearTimeout(timer);
+      };
+      
+      const timer = setTimeout(() => {
+        if (!resolved) {
+          resolved = true;
+          cleanup();
+          resolve({
+            proxyInfo: null,
+            remainingData: buffer
+          });
+        }
+      }, timeout);
+      
+      const onData = (chunk: Buffer) => {
+        buffer = Buffer.concat([buffer, chunk]);
+        
+        // Check if we have enough data
+        if (!buffer.toString('ascii', 0, Math.min(6, buffer.length)).startsWith(this.PROXY_V1_SIGNATURE)) {
+          // Not PROXY protocol
+          resolved = true;
+          cleanup();
+          resolve({
+            proxyInfo: null,
+            remainingData: buffer
+          });
+          return;
+        }
+        
+        // Try to parse
+        try {
+          const result = this.parse(buffer);
+          if (result.proxyInfo) {
+            // Successfully parsed
+            resolved = true;
+            cleanup();
+            resolve(result);
+          } else if (buffer.length > this.MAX_HEADER_LENGTH) {
+            // Header too long
+            resolved = true;
+            cleanup();
+            resolve({
+              proxyInfo: null,
+              remainingData: buffer
+            });
+          }
+          // Otherwise continue reading
+        } catch (error) {
+          // Parse error
+          logger.log('error', `PROXY protocol parse error: ${error.message}`);
+          resolved = true;
+          cleanup();
+          resolve({
+            proxyInfo: null,
+            remainingData: buffer
+          });
+        }
+      };
+      
+      const onError = (error: Error) => {
+        logger.log('error', `Socket error while reading PROXY protocol: ${error.message}`);
+        resolved = true;
+        cleanup();
+        resolve({
+          proxyInfo: null,
+          remainingData: buffer
+        });
+      };
+      
+      socket.on('data', onData);
+      socket.on('error', onError);
+    });
+  }
+}

package/ts/core/utils/security-utils.ts

@@ -1,9 +1,5 @@
 import * as plugins from '../../plugins.js';
-import { 
-  matchIpPattern, 
-  ipToNumber,
-  matchIpCidr
-} from './route-utils.js';
+import { IpMatcher } from '../routing/matchers/ip.js';
 
 /**
  * Security utilities for IP validation, rate limiting, 
@@ -90,7 +86,7 @@ export function isIPAuthorized(
   // First check if IP is blocked - blocked IPs take precedence
   if (blockedIPs.length > 0) {
     for (const pattern of blockedIPs) {
-      if (matchIpPattern(pattern, ip)) {
+      if (IpMatcher.match(pattern, ip)) {
         return false;
       }
     }
@@ -104,7 +100,7 @@ export function isIPAuthorized(
   // Then check if IP is allowed in the explicit allow list
   if (allowedIPs.length > 0) {
     for (const pattern of allowedIPs) {
-      if (matchIpPattern(pattern, ip)) {
+      if (IpMatcher.match(pattern, ip)) {
         return true;
       }
     }

package/ts/index.ts

@@ -2,28 +2,18 @@
  * SmartProxy main module exports
  */
 
-// Legacy exports (to maintain backward compatibility)
-// Migrated to the new proxies structure
+// NFTables proxy exports
 export * from './proxies/nftables-proxy/index.js';
 
-// Export HttpProxy elements selectively to avoid RouteManager ambiguity
+// Export HttpProxy elements
 export { HttpProxy, CertificateManager, ConnectionPool, RequestHandler, WebSocketHandler } from './proxies/http-proxy/index.js';
 export type { IMetricsTracker, MetricsTracker } from './proxies/http-proxy/index.js';
-// Export models except IAcmeOptions to avoid conflict
 export type { IHttpProxyOptions, ICertificateEntry, ILogger } from './proxies/http-proxy/models/types.js';
-export { RouteManager as HttpProxyRouteManager } from './proxies/http-proxy/models/types.js';
-
-// Backward compatibility exports (deprecated)
-export { HttpProxy as NetworkProxy } from './proxies/http-proxy/index.js';
-export type { IHttpProxyOptions as INetworkProxyOptions } from './proxies/http-proxy/models/types.js';
-export { HttpProxyBridge as NetworkProxyBridge } from './proxies/smart-proxy/index.js';
-
-// Certificate and Port80 modules have been removed - use SmartCertManager instead
-// Redirect module has been removed - use route-based redirects instead
+export { SharedRouteManager as HttpProxyRouteManager } from './core/routing/route-manager.js';
 
 // Export SmartProxy elements selectively to avoid RouteManager ambiguity
 export { SmartProxy, ConnectionManager, SecurityManager, TimeoutManager, TlsManager, HttpProxyBridge, RouteConnectionHandler, SmartCertManager } from './proxies/smart-proxy/index.js';
-export { RouteManager } from './proxies/smart-proxy/route-manager.js';
+export { SharedRouteManager as RouteManager } from './core/routing/route-manager.js';
 // Export smart-proxy models
 export type { ISmartProxyOptions, IConnectionRecord, IRouteConfig, IRouteMatch, IRouteAction, IRouteTls, IRouteContext } from './proxies/smart-proxy/models/index.js';
 export type { TSmartProxyCertProvisionObject } from './proxies/smart-proxy/models/interfaces.js';