@push.rocks/smartproxy 19.5.19 → 19.5.21

package/ts/proxies/smart-proxy/route-connection-handler.ts

@@ -2,14 +2,18 @@ import * as plugins from '../../plugins.js';
 import type { IConnectionRecord, ISmartProxyOptions } from './models/interfaces.js';
 import { logger } from '../../core/utils/logger.js';
 // Route checking functions have been removed
-import type { IRouteConfig, IRouteAction, IRouteContext } from './models/route-types.js';
+import type { IRouteConfig, IRouteAction } from './models/route-types.js';
+import type { IRouteContext } from '../../core/models/route-context.js';
 import { ConnectionManager } from './connection-manager.js';
 import { SecurityManager } from './security-manager.js';
 import { TlsManager } from './tls-manager.js';
 import { HttpProxyBridge } from './http-proxy-bridge.js';
 import { TimeoutManager } from './timeout-manager.js';
-import { RouteManager } from './route-manager.js';
+import { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
 import { cleanupSocket, createIndependentSocketHandlers, setupSocketHandlers, createSocketWithErrorHandler, setupBidirectionalForwarding } from '../../core/utils/socket-utils.js';
+import { WrappedSocket } from '../../core/models/wrapped-socket.js';
+import { getUnderlyingSocket } from '../../core/models/socket-types.js';
+import { ProxyProtocolParser } from '../../core/utils/proxy-protocol.js';
 
 /**
  * Handles new connection processing and setup logic with support for route-based configuration
@@ -80,39 +84,52 @@ export class RouteConnectionHandler {
     const remoteIP = socket.remoteAddress || '';
     const localPort = socket.localPort || 0;
 
+    // Always wrap the socket to prepare for potential PROXY protocol
+    const wrappedSocket = new WrappedSocket(socket);
+    
+    // If this is from a trusted proxy, log it
+    if (this.settings.proxyIPs?.includes(remoteIP)) {
+      logger.log('debug', `Connection from trusted proxy ${remoteIP}, PROXY protocol parsing will be enabled`, {
+        remoteIP,
+        component: 'route-handler'
+      });
+    }
+
     // Validate IP against rate limits and connection limits
-    const ipValidation = this.securityManager.validateIP(remoteIP);
+    // Note: For wrapped sockets, this will use the underlying socket IP until PROXY protocol is parsed
+    const ipValidation = this.securityManager.validateIP(wrappedSocket.remoteAddress || '');
     if (!ipValidation.allowed) {
-      logger.log('warn', `Connection rejected`, { remoteIP, reason: ipValidation.reason, component: 'route-handler' });
-      cleanupSocket(socket, `rejected-${ipValidation.reason}`, { immediate: true });
+      logger.log('warn', `Connection rejected`, { remoteIP: wrappedSocket.remoteAddress, reason: ipValidation.reason, component: 'route-handler' });
+      cleanupSocket(wrappedSocket.socket, `rejected-${ipValidation.reason}`, { immediate: true });
       return;
     }
 
-    // Create a new connection record
-    const record = this.connectionManager.createConnection(socket);
+    // Create a new connection record with the wrapped socket
+    const record = this.connectionManager.createConnection(wrappedSocket);
     if (!record) {
       // Connection was rejected due to limit - socket already destroyed by connection manager
       return;
     }
     const connectionId = record.id;
 
-    // Apply socket optimizations
-    socket.setNoDelay(this.settings.noDelay);
+    // Apply socket optimizations (apply to underlying socket)
+    const underlyingSocket = wrappedSocket.socket;
+    underlyingSocket.setNoDelay(this.settings.noDelay);
 
     // Apply keep-alive settings if enabled
     if (this.settings.keepAlive) {
-      socket.setKeepAlive(true, this.settings.keepAliveInitialDelay);
+      underlyingSocket.setKeepAlive(true, this.settings.keepAliveInitialDelay);
       record.hasKeepAlive = true;
 
       // Apply enhanced TCP keep-alive options if enabled
       if (this.settings.enableKeepAliveProbes) {
         try {
           // These are platform-specific and may not be available
-          if ('setKeepAliveProbes' in socket) {
-            (socket as any).setKeepAliveProbes(10);
+          if ('setKeepAliveProbes' in underlyingSocket) {
+            (underlyingSocket as any).setKeepAliveProbes(10);
           }
-          if ('setKeepAliveInterval' in socket) {
-            (socket as any).setKeepAliveInterval(1000);
+          if ('setKeepAliveInterval' in underlyingSocket) {
+            (underlyingSocket as any).setKeepAliveInterval(1000);
           }
         } catch (err) {
           // Ignore errors - these are optional enhancements
@@ -150,19 +167,19 @@ export class RouteConnectionHandler {
     }
 
     // Handle the connection - wait for initial data to determine if it's TLS
-    this.handleInitialData(socket, record);
+    this.handleInitialData(wrappedSocket, record);
   }
 
   /**
    * Handle initial data from a connection to determine routing
    */
-  private handleInitialData(socket: plugins.net.Socket, record: IConnectionRecord): void {
+  private handleInitialData(socket: plugins.net.Socket | WrappedSocket, record: IConnectionRecord): void {
     const connectionId = record.id;
     const localPort = record.localPort;
     let initialDataReceived = false;
 
     // Check if any routes on this port require TLS handling
-    const allRoutes = this.routeManager.getAllRoutes();
+    const allRoutes = this.routeManager.getRoutes();
     const needsTlsHandling = allRoutes.some(route => {
       // Check if route matches this port
       const matchesPort = this.routeManager.getRoutesForPort(localPort).includes(route);
@@ -176,9 +193,11 @@ export class RouteConnectionHandler {
 
     // If no routes require TLS handling and it's not port 443, route immediately
     if (!needsTlsHandling && localPort !== 443) {
+      // Extract underlying socket for socket-utils functions
+      const underlyingSocket = getUnderlyingSocket(socket);
       // Set up proper socket handlers for immediate routing
       setupSocketHandlers(
-        socket,
+        underlyingSocket,
         (reason) => {
           // Only cleanup if connection hasn't been fully established
           // Check if outgoing connection exists and is connected
@@ -277,17 +296,8 @@ export class RouteConnectionHandler {
       }
     });
 
-    // First data handler to capture initial TLS handshake
-    socket.once('data', (chunk: Buffer) => {
-      // Clear the initial timeout since we've received data
-      if (initialTimeout) {
-        clearTimeout(initialTimeout);
-        initialTimeout = null;
-      }
-
-      initialDataReceived = true;
-      record.hasReceivedInitialData = true;
-
+    // Handler for processing initial data (after potential PROXY protocol)
+    const processInitialData = (chunk: Buffer) => {
       // Block non-TLS connections on port 443
       if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) {
         logger.log('warn', `Non-TLS connection ${connectionId} detected on port 443. Terminating connection - only TLS traffic is allowed on standard HTTPS port.`, {
@@ -363,6 +373,67 @@ export class RouteConnectionHandler {
 
       // Find the appropriate route for this connection
       this.routeConnection(socket, record, serverName, chunk);
+    };
+
+    // First data handler to capture initial TLS handshake or PROXY protocol
+    socket.once('data', async (chunk: Buffer) => {
+      // Clear the initial timeout since we've received data
+      if (initialTimeout) {
+        clearTimeout(initialTimeout);
+        initialTimeout = null;
+      }
+
+      initialDataReceived = true;
+      record.hasReceivedInitialData = true;
+
+      // Check if this is from a trusted proxy and might have PROXY protocol
+      if (this.settings.proxyIPs?.includes(socket.remoteAddress || '') && this.settings.acceptProxyProtocol !== false) {
+        // Check if this starts with PROXY protocol
+        if (chunk.toString('ascii', 0, Math.min(6, chunk.length)).startsWith('PROXY ')) {
+          try {
+            const parseResult = ProxyProtocolParser.parse(chunk);
+            
+            if (parseResult.proxyInfo) {
+              // Update the wrapped socket with real client info (if it's a WrappedSocket)
+              if (socket instanceof WrappedSocket) {
+                socket.setProxyInfo(parseResult.proxyInfo.sourceIP, parseResult.proxyInfo.sourcePort);
+              }
+              
+              // Update connection record with real client info
+              record.remoteIP = parseResult.proxyInfo.sourceIP;
+              record.remotePort = parseResult.proxyInfo.sourcePort;
+              
+              logger.log('info', `PROXY protocol parsed successfully`, {
+                connectionId,
+                realClientIP: parseResult.proxyInfo.sourceIP,
+                realClientPort: parseResult.proxyInfo.sourcePort,
+                proxyIP: socket.remoteAddress,
+                component: 'route-handler'
+              });
+              
+              // Process remaining data if any
+              if (parseResult.remainingData.length > 0) {
+                processInitialData(parseResult.remainingData);
+              } else {
+                // Wait for more data
+                socket.once('data', processInitialData);
+              }
+              return;
+            }
+          } catch (error) {
+            logger.log('error', `Failed to parse PROXY protocol from trusted proxy`, {
+              connectionId,
+              error: error.message,
+              proxyIP: socket.remoteAddress,
+              component: 'route-handler'
+            });
+            // Continue processing as normal data
+          }
+        }
+      }
+
+      // Process as normal data (no PROXY protocol)
+      processInitialData(chunk);
     });
   }
 
@@ -370,7 +441,7 @@ export class RouteConnectionHandler {
    * Route the connection based on match criteria
    */
   private routeConnection(
-    socket: plugins.net.Socket,
+    socket: plugins.net.Socket | WrappedSocket,
     record: IConnectionRecord,
     serverName: string,
     initialChunk?: Buffer
@@ -385,15 +456,21 @@ export class RouteConnectionHandler {
     // For HTTP proxy ports without TLS, skip domain check since domain info comes from HTTP headers
     const skipDomainCheck = isHttpProxyPort && !record.isTLS;
 
-    // Find matching route
-    const routeMatch = this.routeManager.findMatchingRoute({
+    // Create route context for matching
+    const routeContext: IRouteContext = {
       port: localPort,
-      domain: serverName,
+      domain: skipDomainCheck ? undefined : serverName, // Skip domain if HTTP proxy without TLS
       clientIp: remoteIP,
+      serverIp: socket.localAddress || '',
       path: undefined, // We don't have path info at this point
+      isTls: record.isTLS,
       tlsVersion: undefined, // We don't extract TLS version yet
-      skipDomainCheck: skipDomainCheck,
-    });
+      timestamp: Date.now(),
+      connectionId: record.id
+    };
+
+    // Find matching route
+    const routeMatch = this.routeManager.findMatchingRoute(routeContext);
 
     if (!routeMatch) {
       logger.log('warn', `No route found for ${serverName || 'connection'} on port ${localPort} (connection: ${connectionId})`, {
@@ -552,7 +629,7 @@ export class RouteConnectionHandler {
    * Handle a forward action for a route
    */
   private handleForwardAction(
-    socket: plugins.net.Socket,
+    socket: plugins.net.Socket | WrappedSocket,
     record: IConnectionRecord,
     route: IRouteConfig,
     initialChunk?: Buffer
@@ -869,7 +946,7 @@ export class RouteConnectionHandler {
    * Handle a socket-handler action for a route
    */
   private async handleSocketHandlerAction(
-    socket: plugins.net.Socket,
+    socket: plugins.net.Socket | WrappedSocket,
     record: IConnectionRecord,
     route: IRouteConfig,
     initialChunk?: Buffer
@@ -933,8 +1010,9 @@ export class RouteConnectionHandler {
     });
     
     try {
-      // Call the handler with socket AND context
-      const result = route.action.socketHandler(socket, routeContext);
+      // Call the handler with the appropriate socket (extract underlying if needed)
+      const handlerSocket = getUnderlyingSocket(socket);
+      const result = route.action.socketHandler(handlerSocket, routeContext);
       
       // Handle async handlers properly
       if (result instanceof Promise) {
@@ -988,7 +1066,7 @@ export class RouteConnectionHandler {
    * Sets up a direct connection to the target
    */
   private setupDirectConnection(
-    socket: plugins.net.Socket,
+    socket: plugins.net.Socket | WrappedSocket,
     record: IConnectionRecord,
     serverName?: string,
     initialChunk?: Buffer,
@@ -1094,7 +1172,7 @@ export class RouteConnectionHandler {
         // Clean up the connection record - this is critical!
         this.connectionManager.cleanupConnection(record, `connection_failed_${(error as any).code || 'unknown'}`);
       },
-      onConnect: () => {
+      onConnect: async () => {
         if (this.settings.enableDetailedLogging) {
           logger.log('info', `Connection ${connectionId} established to target ${finalTargetHost}:${finalTargetPort}`, {
             connectionId,
@@ -1110,6 +1188,56 @@ export class RouteConnectionHandler {
         // Add the normal error handler for established connections
         targetSocket.on('error', this.connectionManager.handleError('outgoing', record));
         
+        // Check if we should send PROXY protocol header
+        const shouldSendProxyProtocol = record.routeConfig?.action?.sendProxyProtocol || 
+                                       this.settings.sendProxyProtocol;
+        
+        if (shouldSendProxyProtocol) {
+          try {
+            // Generate PROXY protocol header
+            const proxyInfo = {
+              protocol: (record.remoteIP.includes(':') ? 'TCP6' : 'TCP4') as 'TCP4' | 'TCP6',
+              sourceIP: record.remoteIP,
+              sourcePort: record.remotePort || socket.remotePort || 0,
+              destinationIP: socket.localAddress || '',
+              destinationPort: socket.localPort || 0
+            };
+            
+            const proxyHeader = ProxyProtocolParser.generate(proxyInfo);
+            
+            // Send PROXY protocol header first
+            await new Promise<void>((resolve, reject) => {
+              targetSocket.write(proxyHeader, (err) => {
+                if (err) {
+                  logger.log('error', `Failed to send PROXY protocol header`, {
+                    connectionId,
+                    error: err.message,
+                    component: 'route-handler'
+                  });
+                  reject(err);
+                } else {
+                  logger.log('info', `PROXY protocol header sent to backend`, {
+                    connectionId,
+                    targetHost: finalTargetHost,
+                    targetPort: finalTargetPort,
+                    sourceIP: proxyInfo.sourceIP,
+                    sourcePort: proxyInfo.sourcePort,
+                    component: 'route-handler'
+                  });
+                  resolve();
+                }
+              });
+            });
+          } catch (error) {
+            logger.log('error', `Error sending PROXY protocol header`, {
+              connectionId,
+              error: error.message,
+              component: 'route-handler'
+            });
+            // Continue anyway - don't break the connection
+          }
+        }
+        
         // Flush any pending data to target
         if (record.pendingData.length > 0) {
           const combinedData = Buffer.concat(record.pendingData);
@@ -1138,7 +1266,10 @@ export class RouteConnectionHandler {
         }
 
         // Use centralized bidirectional forwarding setup
-        setupBidirectionalForwarding(socket, targetSocket, {
+        // Extract underlying sockets for socket-utils functions
+        const incomingSocket = getUnderlyingSocket(socket);
+        
+        setupBidirectionalForwarding(incomingSocket, targetSocket, {
           onClientData: (chunk) => {
             record.bytesReceived += chunk.length;
             this.timeoutManager.updateActivity(record);

package/ts/proxies/smart-proxy/smart-proxy.ts

@@ -8,7 +8,7 @@ import { TlsManager } from './tls-manager.js';
 import { HttpProxyBridge } from './http-proxy-bridge.js';
 import { TimeoutManager } from './timeout-manager.js';
 import { PortManager } from './port-manager.js';
-import { RouteManager } from './route-manager.js';
+import { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
 import { RouteConnectionHandler } from './route-connection-handler.js';
 import { NFTablesManager } from './nftables-manager.js';
 
@@ -162,8 +162,20 @@ export class SmartProxy extends plugins.EventEmitter {
       this.timeoutManager
     );
     
-    // Create the route manager
-    this.routeManager = new RouteManager(this.settings);
+    // Create the route manager with SharedRouteManager API
+    // Create a logger adapter to match ILogger interface
+    const loggerAdapter = {
+      debug: (message: string, data?: any) => logger.log('debug', message, data),
+      info: (message: string, data?: any) => logger.log('info', message, data),
+      warn: (message: string, data?: any) => logger.log('warn', message, data),
+      error: (message: string, data?: any) => logger.log('error', message, data)
+    };
+    
+    this.routeManager = new RouteManager({
+      logger: loggerAdapter,
+      enableDetailedLogging: this.settings.enableDetailedLogging,
+      routes: this.settings.routes
+    });
 
     
     // Create other required components

package/ts/proxies/smart-proxy/utils/route-utils.ts

@@ -92,6 +92,8 @@ export function mergeRouteConfigs(
   return mergedRoute;
 }
 
+import { DomainMatcher, PathMatcher, HeaderMatcher } from '../../../core/routing/matchers/index.js';
+
 /**
  * Check if a route matches a domain
  * @param route The route to check
@@ -107,14 +109,7 @@ export function routeMatchesDomain(route: IRouteConfig, domain: string): boolean
     ? route.match.domains 
     : [route.match.domains];
   
-  return domains.some(d => {
-    // Handle wildcard domains
-    if (d.startsWith('*.')) {
-      const suffix = d.substring(2);
-      return domain.endsWith(suffix) && domain.split('.').length > suffix.split('.').length;
-    }
-    return d.toLowerCase() === domain.toLowerCase();
-  });
+  return domains.some(d => DomainMatcher.match(d, domain));
 }
 
 /**
@@ -160,28 +155,7 @@ export function routeMatchesPath(route: IRouteConfig, path: string): boolean {
     return true; // No path specified means it matches any path
   }
   
-  // Handle exact path
-  if (route.match.path === path) {
-    return true;
-  }
-  
-  // Handle path prefix with trailing slash (e.g., /api/)
-  if (route.match.path.endsWith('/') && path.startsWith(route.match.path)) {
-    return true;
-  }
-  
-  // Handle exact path match without trailing slash
-  if (!route.match.path.endsWith('/') && path === route.match.path) {
-    return true;
-  }
-  
-  // Handle wildcard paths (e.g., /api/*)
-  if (route.match.path.endsWith('*')) {
-    const prefix = route.match.path.slice(0, -1);
-    return path.startsWith(prefix);
-  }
-  
-  return false;
+  return PathMatcher.match(route.match.path, path).matches;
 }
 
 /**
@@ -198,25 +172,13 @@ export function routeMatchesHeaders(
     return true; // No headers specified means it matches any headers
   }
   
-  // Check each header in the route's match criteria
-  return Object.entries(route.match.headers).every(([key, value]) => {
-    // If the header isn't present in the request, it doesn't match
-    if (!headers[key]) {
-      return false;
-    }
-    
-    // Handle exact match
-    if (typeof value === 'string') {
-      return headers[key] === value;
-    }
-    
-    // Handle regex match
-    if (value instanceof RegExp) {
-      return value.test(headers[key]);
-    }
-    
-    return false;
-  });
+  // Convert RegExp patterns to strings for HeaderMatcher
+  const stringHeaders: Record<string, string> = {};
+  for (const [key, value] of Object.entries(route.match.headers)) {
+    stringHeaders[key] = value instanceof RegExp ? value.source : value;
+  }
+  
+  return HeaderMatcher.matchAll(stringHeaders, headers);
 }
 
 /**