@push.rocks/smartproxy 21.1.6 → 22.4.2

package/ts/proxies/smart-proxy/utils/route-helpers/nftables-helpers.ts

@@ -0,0 +1,202 @@
+/**
+ * NFTables Route Helper Functions
+ *
+ * This module provides utility functions for creating NFTables-based route configurations
+ * for high-performance packet forwarding at the kernel level.
+ */
+
+import type { IRouteConfig, IRouteMatch, IRouteAction, TPortRange } from '../../models/route-types.js';
+import { createHttpToHttpsRedirect } from './https-helpers.js';
+
+/**
+ * Create an NFTables-based route for high-performance packet forwarding
+ * @param nameOrDomains Name or domain(s) to match
+ * @param target Target host and port
+ * @param options Additional route options
+ * @returns Route configuration object
+ */
+export function createNfTablesRoute(
+  nameOrDomains: string | string[],
+  target: { host: string; port: number | 'preserve' },
+  options: {
+    ports?: TPortRange;
+    protocol?: 'tcp' | 'udp' | 'all';
+    preserveSourceIP?: boolean;
+    ipAllowList?: string[];
+    ipBlockList?: string[];
+    maxRate?: string;
+    priority?: number;
+    useTls?: boolean;
+    tableName?: string;
+    useIPSets?: boolean;
+    useAdvancedNAT?: boolean;
+  } = {}
+): IRouteConfig {
+  // Determine if this is a name or domain
+  let name: string;
+  let domains: string | string[] | undefined;
+
+  if (Array.isArray(nameOrDomains) || (typeof nameOrDomains === 'string' && nameOrDomains.includes('.'))) {
+    domains = nameOrDomains;
+    name = Array.isArray(nameOrDomains) ? nameOrDomains[0] : nameOrDomains;
+  } else {
+    name = nameOrDomains;
+    domains = undefined; // No domains
+  }
+
+  // Create route match
+  const match: IRouteMatch = {
+    domains,
+    ports: options.ports || 80
+  };
+
+  // Create route action
+  const action: IRouteAction = {
+    type: 'forward',
+    targets: [{
+      host: target.host,
+      port: target.port
+    }],
+    forwardingEngine: 'nftables',
+    nftables: {
+      protocol: options.protocol || 'tcp',
+      preserveSourceIP: options.preserveSourceIP,
+      maxRate: options.maxRate,
+      priority: options.priority,
+      tableName: options.tableName,
+      useIPSets: options.useIPSets,
+      useAdvancedNAT: options.useAdvancedNAT
+    }
+  };
+
+  // Add TLS options if needed
+  if (options.useTls) {
+    action.tls = {
+      mode: 'passthrough'
+    };
+  }
+
+  // Create the route config
+  const routeConfig: IRouteConfig = {
+    name,
+    match,
+    action
+  };
+
+  // Add security if allowed or blocked IPs are specified
+  if (options.ipAllowList?.length || options.ipBlockList?.length) {
+    routeConfig.security = {
+      ipAllowList: options.ipAllowList,
+      ipBlockList: options.ipBlockList
+    };
+  }
+
+  return routeConfig;
+}
+
+/**
+ * Create an NFTables-based TLS termination route
+ * @param nameOrDomains Name or domain(s) to match
+ * @param target Target host and port
+ * @param options Additional route options
+ * @returns Route configuration object
+ */
+export function createNfTablesTerminateRoute(
+  nameOrDomains: string | string[],
+  target: { host: string; port: number | 'preserve' },
+  options: {
+    ports?: TPortRange;
+    protocol?: 'tcp' | 'udp' | 'all';
+    preserveSourceIP?: boolean;
+    ipAllowList?: string[];
+    ipBlockList?: string[];
+    maxRate?: string;
+    priority?: number;
+    tableName?: string;
+    useIPSets?: boolean;
+    useAdvancedNAT?: boolean;
+    certificate?: 'auto' | { key: string; cert: string };
+  } = {}
+): IRouteConfig {
+  // Create basic NFTables route
+  const route = createNfTablesRoute(
+    nameOrDomains,
+    target,
+    {
+      ...options,
+      ports: options.ports || 443,
+      useTls: false
+    }
+  );
+
+  // Set TLS termination
+  route.action.tls = {
+    mode: 'terminate',
+    certificate: options.certificate || 'auto'
+  };
+
+  return route;
+}
+
+/**
+ * Create a complete NFTables-based HTTPS setup with HTTP redirect
+ * @param nameOrDomains Name or domain(s) to match
+ * @param target Target host and port
+ * @param options Additional route options
+ * @returns Array of two route configurations (HTTPS and HTTP redirect)
+ */
+export function createCompleteNfTablesHttpsServer(
+  nameOrDomains: string | string[],
+  target: { host: string; port: number | 'preserve' },
+  options: {
+    httpPort?: TPortRange;
+    httpsPort?: TPortRange;
+    protocol?: 'tcp' | 'udp' | 'all';
+    preserveSourceIP?: boolean;
+    ipAllowList?: string[];
+    ipBlockList?: string[];
+    maxRate?: string;
+    priority?: number;
+    tableName?: string;
+    useIPSets?: boolean;
+    useAdvancedNAT?: boolean;
+    certificate?: 'auto' | { key: string; cert: string };
+  } = {}
+): IRouteConfig[] {
+  // Create the HTTPS route using NFTables
+  const httpsRoute = createNfTablesTerminateRoute(
+    nameOrDomains,
+    target,
+    {
+      ...options,
+      ports: options.httpsPort || 443
+    }
+  );
+
+  // Determine the domain(s) for HTTP redirect
+  const domains = typeof nameOrDomains === 'string' && !nameOrDomains.includes('.')
+    ? undefined
+    : nameOrDomains;
+
+  // Extract the HTTPS port for the redirect destination
+  const httpsPort = typeof options.httpsPort === 'number'
+    ? options.httpsPort
+    : Array.isArray(options.httpsPort) && typeof options.httpsPort[0] === 'number'
+      ? options.httpsPort[0]
+      : 443;
+
+  // Create the HTTP redirect route (this uses standard forwarding, not NFTables)
+  const httpRedirectRoute = createHttpToHttpsRedirect(
+    domains as any, // Type cast needed since domains can be undefined now
+    httpsPort,
+    {
+      match: {
+        ports: options.httpPort || 80,
+        domains: domains as any // Type cast needed since domains can be undefined now
+      },
+      name: `HTTP to HTTPS Redirect for ${Array.isArray(domains) ? domains.join(', ') : domains || 'all domains'}`
+    }
+  );
+
+  return [httpsRoute, httpRedirectRoute];
+}

package/ts/proxies/smart-proxy/utils/route-helpers/security-helpers.ts

@@ -0,0 +1,96 @@
+/**
+ * Security Route Helper Functions
+ *
+ * This module provides utility functions for adding security features to routes.
+ */
+
+import type { IRouteConfig } from '../../models/route-types.js';
+import { mergeRouteConfigs } from '../route-utils.js';
+
+/**
+ * Create a rate limiting route pattern
+ * @param baseRoute Base route to add rate limiting to
+ * @param rateLimit Rate limiting configuration
+ * @returns Route with rate limiting
+ */
+export function addRateLimiting(
+  baseRoute: IRouteConfig,
+  rateLimit: {
+    maxRequests: number;
+    window: number; // Time window in seconds
+    keyBy?: 'ip' | 'path' | 'header';
+    headerName?: string; // Required if keyBy is 'header'
+    errorMessage?: string;
+  }
+): IRouteConfig {
+  return mergeRouteConfigs(baseRoute, {
+    security: {
+      rateLimit: {
+        enabled: true,
+        maxRequests: rateLimit.maxRequests,
+        window: rateLimit.window,
+        keyBy: rateLimit.keyBy || 'ip',
+        headerName: rateLimit.headerName,
+        errorMessage: rateLimit.errorMessage || 'Rate limit exceeded. Please try again later.'
+      }
+    }
+  });
+}
+
+/**
+ * Create a basic authentication route pattern
+ * @param baseRoute Base route to add authentication to
+ * @param auth Authentication configuration
+ * @returns Route with basic authentication
+ */
+export function addBasicAuth(
+  baseRoute: IRouteConfig,
+  auth: {
+    users: Array<{ username: string; password: string }>;
+    realm?: string;
+    excludePaths?: string[];
+  }
+): IRouteConfig {
+  return mergeRouteConfigs(baseRoute, {
+    security: {
+      basicAuth: {
+        enabled: true,
+        users: auth.users,
+        realm: auth.realm || 'Restricted Area',
+        excludePaths: auth.excludePaths || []
+      }
+    }
+  });
+}
+
+/**
+ * Create a JWT authentication route pattern
+ * @param baseRoute Base route to add JWT authentication to
+ * @param jwt JWT authentication configuration
+ * @returns Route with JWT authentication
+ */
+export function addJwtAuth(
+  baseRoute: IRouteConfig,
+  jwt: {
+    secret: string;
+    algorithm?: string;
+    issuer?: string;
+    audience?: string;
+    expiresIn?: number; // Time in seconds
+    excludePaths?: string[];
+  }
+): IRouteConfig {
+  return mergeRouteConfigs(baseRoute, {
+    security: {
+      jwtAuth: {
+        enabled: true,
+        secret: jwt.secret,
+        algorithm: jwt.algorithm || 'HS256',
+        issuer: jwt.issuer,
+        audience: jwt.audience,
+        expiresIn: jwt.expiresIn,
+        excludePaths: jwt.excludePaths || []
+      }
+    }
+  });
+}

package/ts/proxies/smart-proxy/utils/route-helpers/socket-handlers.ts

@@ -0,0 +1,337 @@
+/**
+ * Socket Handler Functions
+ *
+ * This module provides pre-built socket handlers for common use cases
+ * like echoing, proxying, HTTP responses, and redirects.
+ */
+
+import * as plugins from '../../../../plugins.js';
+import type { IRouteConfig, TPortRange, IRouteContext } from '../../models/route-types.js';
+import { ProtocolDetector } from '../../../../detection/index.js';
+import { createSocketTracker } from '../../../../core/utils/socket-tracker.js';
+
+/**
+ * Pre-built socket handlers for common use cases
+ */
+export const SocketHandlers = {
+  /**
+   * Simple echo server handler
+   */
+  echo: (socket: plugins.net.Socket, context: IRouteContext) => {
+    socket.write('ECHO SERVER READY\n');
+    socket.on('data', data => socket.write(data));
+  },
+
+  /**
+   * TCP proxy handler
+   */
+  proxy: (targetHost: string, targetPort: number) => (socket: plugins.net.Socket, context: IRouteContext) => {
+    const target = plugins.net.connect(targetPort, targetHost);
+    socket.pipe(target);
+    target.pipe(socket);
+    socket.on('close', () => target.destroy());
+    target.on('close', () => socket.destroy());
+    target.on('error', (err) => {
+      console.error('Proxy target error:', err);
+      socket.destroy();
+    });
+  },
+
+  /**
+   * Line-based protocol handler
+   */
+  lineProtocol: (handler: (line: string, socket: plugins.net.Socket) => void) => (socket: plugins.net.Socket, context: IRouteContext) => {
+    let buffer = '';
+    socket.on('data', (data) => {
+      buffer += data.toString();
+      const lines = buffer.split('\n');
+      buffer = lines.pop() || '';
+      lines.forEach(line => {
+        if (line.trim()) {
+          handler(line.trim(), socket);
+        }
+      });
+    });
+  },
+
+  /**
+   * Simple HTTP response handler (for testing)
+   */
+  httpResponse: (statusCode: number, body: string) => (socket: plugins.net.Socket, context: IRouteContext) => {
+    const response = [
+      `HTTP/1.1 ${statusCode} ${statusCode === 200 ? 'OK' : 'Error'}`,
+      'Content-Type: text/plain',
+      `Content-Length: ${body.length}`,
+      'Connection: close',
+      '',
+      body
+    ].join('\r\n');
+
+    socket.write(response);
+    socket.end();
+  },
+
+  /**
+   * Block connection immediately
+   */
+  block: (message?: string) => (socket: plugins.net.Socket, context: IRouteContext) => {
+    const finalMessage = message || `Connection blocked from ${context.clientIp}`;
+    if (finalMessage) {
+      socket.write(finalMessage);
+    }
+    socket.end();
+  },
+
+  /**
+   * HTTP block response
+   */
+  httpBlock: (statusCode: number = 403, message?: string) => (socket: plugins.net.Socket, context: IRouteContext) => {
+    const defaultMessage = `Access forbidden for ${context.domain || context.clientIp}`;
+    const finalMessage = message || defaultMessage;
+
+    const response = [
+      `HTTP/1.1 ${statusCode} ${finalMessage}`,
+      'Content-Type: text/plain',
+      `Content-Length: ${finalMessage.length}`,
+      'Connection: close',
+      '',
+      finalMessage
+    ].join('\r\n');
+
+    socket.write(response);
+    socket.end();
+  },
+
+  /**
+   * HTTP redirect handler
+   * Uses the centralized detection module for HTTP parsing
+   */
+  httpRedirect: (locationTemplate: string, statusCode: number = 301) => (socket: plugins.net.Socket, context: IRouteContext) => {
+    const tracker = createSocketTracker(socket);
+    const connectionId = ProtocolDetector.createConnectionId({
+      socketId: context.connectionId || `${Date.now()}-${Math.random()}`
+    });
+
+    const handleData = async (data: Buffer) => {
+      // Use detection module for parsing
+      const detectionResult = await ProtocolDetector.detectWithConnectionTracking(
+        data,
+        connectionId,
+        { extractFullHeaders: false } // We only need method and path
+      );
+
+      if (detectionResult.protocol === 'http' && detectionResult.connectionInfo.path) {
+        const method = detectionResult.connectionInfo.method || 'GET';
+        const path = detectionResult.connectionInfo.path || '/';
+
+        const domain = context.domain || 'localhost';
+        const port = context.port;
+
+        let finalLocation = locationTemplate
+          .replace('{domain}', domain)
+          .replace('{port}', String(port))
+          .replace('{path}', path)
+          .replace('{clientIp}', context.clientIp);
+
+        const message = `Redirecting to ${finalLocation}`;
+        const response = [
+          `HTTP/1.1 ${statusCode} ${statusCode === 301 ? 'Moved Permanently' : 'Found'}`,
+          `Location: ${finalLocation}`,
+          'Content-Type: text/plain',
+          `Content-Length: ${message.length}`,
+          'Connection: close',
+          '',
+          message
+        ].join('\r\n');
+
+        socket.write(response);
+      } else {
+        // Not a valid HTTP request, close connection
+        socket.write('HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n');
+      }
+
+      socket.end();
+      // Clean up detection state
+      ProtocolDetector.cleanupConnections();
+      // Clean up all tracked resources
+      tracker.cleanup();
+    };
+
+    // Use tracker to manage the listener
+    socket.once('data', handleData);
+
+    tracker.addListener('error', (err) => {
+      tracker.safeDestroy(err);
+    });
+
+    tracker.addListener('close', () => {
+      tracker.cleanup();
+    });
+  },
+
+  /**
+   * HTTP server handler for ACME challenges and other HTTP needs
+   * Uses the centralized detection module for HTTP parsing
+   */
+  httpServer: (handler: (req: { method: string; url: string; headers: Record<string, string>; body?: string }, res: { status: (code: number) => void; header: (name: string, value: string) => void; send: (data: string) => void; end: () => void }) => void) => (socket: plugins.net.Socket, context: IRouteContext) => {
+    const tracker = createSocketTracker(socket);
+    let requestParsed = false;
+    let responseTimer: NodeJS.Timeout | null = null;
+    const connectionId = ProtocolDetector.createConnectionId({
+      socketId: context.connectionId || `${Date.now()}-${Math.random()}`
+    });
+
+    const processData = async (data: Buffer) => {
+      if (requestParsed) return; // Only handle the first request
+
+      // Use HttpDetector for parsing
+      const detectionResult = await ProtocolDetector.detectWithConnectionTracking(
+        data,
+        connectionId,
+        { extractFullHeaders: true }
+      );
+
+      if (detectionResult.protocol !== 'http' || !detectionResult.isComplete) {
+        // Not a complete HTTP request yet
+        return;
+      }
+
+      requestParsed = true;
+      // Remove data listener after parsing request
+      socket.removeListener('data', processData);
+      const connInfo = detectionResult.connectionInfo;
+
+      // Create request object from detection result
+      const req = {
+        method: connInfo.method || 'GET',
+        url: connInfo.path || '/',
+        headers: connInfo.headers || {},
+        body: detectionResult.remainingBuffer?.toString() || ''
+      };
+
+      // Create response object
+      let statusCode = 200;
+      const responseHeaders: Record<string, string> = {};
+      let ended = false;
+
+      const res = {
+        status: (code: number) => {
+          statusCode = code;
+        },
+        header: (name: string, value: string) => {
+          responseHeaders[name] = value;
+        },
+        send: (data: string) => {
+          if (ended) return;
+          ended = true;
+
+          // Clear response timer since we're sending now
+          if (responseTimer) {
+            clearTimeout(responseTimer);
+            responseTimer = null;
+          }
+
+          if (!responseHeaders['content-type']) {
+            responseHeaders['content-type'] = 'text/plain';
+          }
+          responseHeaders['content-length'] = String(data.length);
+          responseHeaders['connection'] = 'close';
+
+          const statusText = statusCode === 200 ? 'OK' :
+                           statusCode === 404 ? 'Not Found' :
+                           statusCode === 500 ? 'Internal Server Error' : 'Response';
+
+          let response = `HTTP/1.1 ${statusCode} ${statusText}\r\n`;
+          for (const [name, value] of Object.entries(responseHeaders)) {
+            response += `${name}: ${value}\r\n`;
+          }
+          response += '\r\n';
+          response += data;
+
+          socket.write(response);
+          socket.end();
+        },
+        end: () => {
+          if (ended) return;
+          ended = true;
+          socket.write('HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n');
+          socket.end();
+        }
+      };
+
+      try {
+        handler(req, res);
+        // Ensure response is sent even if handler doesn't call send()
+        responseTimer = setTimeout(() => {
+          if (!ended) {
+            res.send('');
+          }
+          responseTimer = null;
+        }, 1000);
+        // Track and unref the timer
+        tracker.addTimer(responseTimer);
+      } catch (error) {
+        if (!ended) {
+          res.status(500);
+          res.send('Internal Server Error');
+        }
+        // Use safeDestroy for error cases
+        tracker.safeDestroy(error instanceof Error ? error : new Error('Handler error'));
+      }
+    };
+
+    // Use tracker to manage listeners
+    tracker.addListener('data', processData);
+
+    tracker.addListener('error', (err) => {
+      if (!requestParsed) {
+        tracker.safeDestroy(err);
+      }
+    });
+
+    tracker.addListener('close', () => {
+      // Clear any pending response timer
+      if (responseTimer) {
+        clearTimeout(responseTimer);
+        responseTimer = null;
+      }
+      // Clean up detection state
+      ProtocolDetector.cleanupConnections();
+      // Clean up all tracked resources
+      tracker.cleanup();
+    });
+  }
+};
+
+/**
+ * Create a socket handler route configuration
+ * @param domains Domain(s) to match
+ * @param ports Port(s) to listen on
+ * @param handler Socket handler function
+ * @param options Additional route options
+ * @returns Route configuration object
+ */
+export function createSocketHandlerRoute(
+  domains: string | string[],
+  ports: TPortRange,
+  handler: (socket: plugins.net.Socket) => void | Promise<void>,
+  options: {
+    name?: string;
+    priority?: number;
+    path?: string;
+  } = {}
+): IRouteConfig {
+  return {
+    name: options.name || 'socket-handler-route',
+    priority: options.priority !== undefined ? options.priority : 50,
+    match: {
+      domains,
+      ports,
+      ...(options.path && { path: options.path })
+    },
+    action: {
+      type: 'socket-handler',
+      socketHandler: handler
+    }
+  };
+}