@push.rocks/smartproxy 21.1.7 → 22.4.2

package/ts/proxies/smart-proxy/route-connection-handler.ts

@@ -69,6 +69,58 @@ export class RouteConnectionHandler {
     };
   }
 
+  /**
+   * Determines if SNI is required for routing decisions on this port.
+   *
+   * SNI is REQUIRED when:
+   * - Multiple routes exist on this port (need SNI to pick correct route)
+   * - Route has dynamic target function (needs ctx.domain)
+   * - Route has specific domain restriction (strict validation)
+   *
+   * SNI is NOT required when:
+   * - TLS termination mode (HttpProxy handles session resumption)
+   * - Single route with static target and no domain restriction (or wildcard)
+   */
+  private calculateSniRequirement(port: number): boolean {
+    const routesOnPort = this.smartProxy.routeManager.getRoutesForPort(port);
+
+    // No routes = no SNI requirement (will fail routing anyway)
+    if (routesOnPort.length === 0) return false;
+
+    // Check if any route terminates TLS - if so, SNI not required
+    // (HttpProxy handles session resumption internally)
+    const hasTermination = routesOnPort.some(route =>
+      route.action.tls?.mode === 'terminate' ||
+      route.action.tls?.mode === 'terminate-and-reencrypt'
+    );
+    if (hasTermination) return false;
+
+    // Multiple routes = need SNI to pick the correct route
+    if (routesOnPort.length > 1) return true;
+
+    // Single route - check if it needs SNI for validation or routing
+    const route = routesOnPort[0];
+
+    // Dynamic host selection requires SNI (function receives ctx.domain)
+    const hasDynamicTarget = route.action.targets?.some(t => typeof t.host === 'function');
+    if (hasDynamicTarget) return true;
+
+    // Specific domain restriction requires SNI for strict validation
+    const hasSpecificDomain = route.match.domains && !this.isWildcardOnly(route.match.domains);
+    if (hasSpecificDomain) return true;
+
+    // Single route, static target(s), no domain restriction = SNI not required
+    return false;
+  }
+
+  /**
+   * Check if domains config is wildcard-only (matches everything)
+   */
+  private isWildcardOnly(domains: string | string[]): boolean {
+    const domainList = Array.isArray(domains) ? domains : [domains];
+    return domainList.length === 1 && domainList[0] === '*';
+  }
+
   /**
    * Handle a new incoming connection
    */
@@ -78,7 +130,7 @@ export class RouteConnectionHandler {
 
     // Always wrap the socket to prepare for potential PROXY protocol
     const wrappedSocket = new WrappedSocket(socket);
-    
+
     // If this is from a trusted proxy, log it
     if (this.smartProxy.settings.proxyIPs?.includes(remoteIP)) {
       logger.log('debug', `Connection from trusted proxy ${remoteIP}, PROXY protocol parsing will be enabled`, {
@@ -87,31 +139,40 @@ export class RouteConnectionHandler {
       });
     }
 
-    // Validate IP against rate limits and connection limits
-    // Note: For wrapped sockets, this will use the underlying socket IP until PROXY protocol is parsed
-    const ipValidation = this.smartProxy.securityManager.validateIP(wrappedSocket.remoteAddress || '');
+    // Generate connection ID first for atomic IP validation and tracking
+    const connectionId = this.smartProxy.connectionManager.generateConnectionId();
+    const clientIP = wrappedSocket.remoteAddress || '';
+
+    // Atomically validate IP and track the connection to prevent race conditions
+    // This ensures concurrent connections from the same IP are properly limited
+    const ipValidation = this.smartProxy.securityManager.validateAndTrackIP(clientIP, connectionId);
     if (!ipValidation.allowed) {
       connectionLogDeduplicator.log(
         'ip-rejected',
         'warn',
-        `Connection rejected from ${wrappedSocket.remoteAddress}`,
-        { remoteIP: wrappedSocket.remoteAddress, reason: ipValidation.reason, component: 'route-handler' },
-        wrappedSocket.remoteAddress
+        `Connection rejected from ${clientIP}`,
+        { remoteIP: clientIP, reason: ipValidation.reason, component: 'route-handler' },
+        clientIP
       );
       cleanupSocket(wrappedSocket.socket, `rejected-${ipValidation.reason}`, { immediate: true });
       return;
     }
 
     // Create a new connection record with the wrapped socket
-    const record = this.smartProxy.connectionManager.createConnection(wrappedSocket);
+    // Skip IP tracking since we already did it atomically above
+    const record = this.smartProxy.connectionManager.createConnection(wrappedSocket, {
+      connectionId,
+      skipIpTracking: true
+    });
     if (!record) {
-      // Connection was rejected due to limit - socket already destroyed by connection manager
+      // Connection was rejected due to global limit - clean up the IP tracking we did
+      this.smartProxy.securityManager.removeConnectionByIP(clientIP, connectionId);
       return;
     }
     
     // Emit new connection event
     this.newConnectionSubject.next(record);
-    const connectionId = record.id;
+    // Note: connectionId was already generated above for atomic IP tracking
 
     // Apply socket optimizations (apply to underlying socket)
     const underlyingSocket = wrappedSocket.socket;
@@ -184,14 +245,19 @@ export class RouteConnectionHandler {
     const needsTlsHandling = allRoutes.some(route => {
       // Check if route matches this port
       const matchesPort = this.smartProxy.routeManager.getRoutesForPort(localPort).includes(route);
-      
-      return matchesPort && 
-             route.action.type === 'forward' && 
-             route.action.tls && 
-             (route.action.tls.mode === 'terminate' || 
+
+      return matchesPort &&
+             route.action.type === 'forward' &&
+             route.action.tls &&
+             (route.action.tls.mode === 'terminate' ||
               route.action.tls.mode === 'passthrough');
     });
 
+    // Smart SNI requirement calculation
+    // Determines if we need SNI for routing decisions on this port
+    const needsSniForRouting = this.calculateSniRequirement(localPort);
+    const allowSessionTicket = !needsSniForRouting;
+
     // If no routes require TLS handling and it's not port 443, route immediately
     if (!needsTlsHandling && localPort !== 443) {
       // Extract underlying socket for socket-utils functions
@@ -345,7 +411,7 @@ export class RouteConnectionHandler {
         record.lockedDomain = serverName;
 
         // Check if we should reject connections without SNI
-        if (!serverName && this.smartProxy.settings.allowSessionTicket === false) {
+        if (!serverName && allowSessionTicket === false) {
           logger.log('warn', `No SNI detected in TLS ClientHello for connection ${record.id}; sending TLS alert`, {
             connectionId: record.id,
             component: 'route-handler'
@@ -1424,6 +1490,12 @@ export class RouteConnectionHandler {
             );
           }
 
+          // Record the initial chunk bytes for metrics
+          record.bytesReceived += combinedData.length;
+          if (this.smartProxy.metricsCollector) {
+            this.smartProxy.metricsCollector.recordBytes(record.id, combinedData.length, 0);
+          }
+
           // Write pending data immediately
           targetSocket.write(combinedData, (err) => {
             if (err) {

package/ts/proxies/smart-proxy/security-manager.ts

@@ -1,10 +1,11 @@
 import * as plugins from '../../plugins.js';
 import type { SmartProxy } from './smart-proxy.js';
-import { logger } from '../../core/utils/logger.js';
 import { connectionLogDeduplicator } from '../../core/utils/log-deduplicator.js';
+import { isIPAuthorized, normalizeIP } from '../../core/utils/security-utils.js';
 
 /**
  * Handles security aspects like IP tracking, rate limiting, and authorization
+ * for SmartProxy. This is a lightweight wrapper that uses shared utilities.
  */
 export class SecurityManager {
   private connectionsByIP: Map<string, Set<string>> = new Map();
@@ -15,14 +16,22 @@ export class SecurityManager {
     // Start periodic cleanup every 60 seconds
     this.startPeriodicCleanup();
   }
-  
+
   /**
-   * Get connections count by IP
+   * Get connections count by IP (checks normalized variants)
    */
   public getConnectionCountByIP(ip: string): number {
-    return this.connectionsByIP.get(ip)?.size || 0;
+    // Check all normalized variants of the IP
+    const variants = normalizeIP(ip);
+    for (const variant of variants) {
+      const connections = this.connectionsByIP.get(variant);
+      if (connections) {
+        return connections.size;
+      }
+    }
+    return 0;
   }
-  
+
   /**
    * Check and update connection rate for an IP
    * @returns true if within rate limit, false if exceeding limit
@@ -31,43 +40,73 @@ export class SecurityManager {
     const now = Date.now();
     const minute = 60 * 1000;
 
-    if (!this.connectionRateByIP.has(ip)) {
-      this.connectionRateByIP.set(ip, [now]);
+    // Find existing rate tracking (check normalized variants)
+    const variants = normalizeIP(ip);
+    let existingKey: string | null = null;
+    for (const variant of variants) {
+      if (this.connectionRateByIP.has(variant)) {
+        existingKey = variant;
+        break;
+      }
+    }
+
+    const key = existingKey || ip;
+
+    if (!this.connectionRateByIP.has(key)) {
+      this.connectionRateByIP.set(key, [now]);
       return true;
     }
 
     // Get timestamps and filter out entries older than 1 minute
-    const timestamps = this.connectionRateByIP.get(ip)!.filter((time) => now - time < minute);
+    const timestamps = this.connectionRateByIP.get(key)!.filter((time) => now - time < minute);
     timestamps.push(now);
-    this.connectionRateByIP.set(ip, timestamps);
+    this.connectionRateByIP.set(key, timestamps);
 
     // Check if rate exceeds limit
     return timestamps.length <= this.smartProxy.settings.connectionRateLimitPerMinute!;
   }
-  
+
   /**
    * Track connection by IP
    */
   public trackConnectionByIP(ip: string, connectionId: string): void {
-    if (!this.connectionsByIP.has(ip)) {
-      this.connectionsByIP.set(ip, new Set());
+    // Check if any variant already exists
+    const variants = normalizeIP(ip);
+    let existingKey: string | null = null;
+
+    for (const variant of variants) {
+      if (this.connectionsByIP.has(variant)) {
+        existingKey = variant;
+        break;
+      }
     }
-    this.connectionsByIP.get(ip)!.add(connectionId);
+
+    const key = existingKey || ip;
+    if (!this.connectionsByIP.has(key)) {
+      this.connectionsByIP.set(key, new Set());
+    }
+    this.connectionsByIP.get(key)!.add(connectionId);
   }
-  
+
   /**
    * Remove connection tracking for an IP
    */
   public removeConnectionByIP(ip: string, connectionId: string): void {
-    if (this.connectionsByIP.has(ip)) {
-      const connections = this.connectionsByIP.get(ip)!;
-      connections.delete(connectionId);
-      if (connections.size === 0) {
-        this.connectionsByIP.delete(ip);
+    // Check all variants to find where the connection is tracked
+    const variants = normalizeIP(ip);
+
+    for (const variant of variants) {
+      if (this.connectionsByIP.has(variant)) {
+        const connections = this.connectionsByIP.get(variant)!;
+        connections.delete(connectionId);
+        if (connections.size === 0) {
+          this.connectionsByIP.delete(variant);
+        }
+        break;
       }
     }
   }
-  
+
   /**
    * Check if an IP is authorized using security rules
    *
@@ -81,79 +120,49 @@ export class SecurityManager {
    * @returns true if IP is authorized, false if blocked
    */
   public isIPAuthorized(ip: string, allowedIPs: string[], blockedIPs: string[] = []): boolean {
-    // Skip IP validation if allowedIPs is empty
-    if (!ip || (allowedIPs.length === 0 && blockedIPs.length === 0)) {
-      return true;
-    }
-
-    // First check if IP is blocked - blocked IPs take precedence
-    if (blockedIPs.length > 0 && this.isGlobIPMatch(ip, blockedIPs)) {
-      return false;
-    }
-
-    // Then check if IP is allowed
-    return this.isGlobIPMatch(ip, allowedIPs);
+    return isIPAuthorized(ip, allowedIPs, blockedIPs);
   }
   
   /**
-   * Check if the IP matches any of the glob patterns from security configuration
-   *
-   * This method checks IP addresses against glob patterns and handles IPv4/IPv6 normalization.
-   * It's used to implement IP filtering based on the route.security configuration.
-   *
-   * @param ip - The IP address to check
-   * @param patterns - Array of glob patterns from security.ipAllowList or ipBlockList
-   * @returns true if IP matches any pattern, false otherwise
+   * Check if IP should be allowed considering connection rate and max connections
+   * @returns Object with result and reason
    */
-  private isGlobIPMatch(ip: string, patterns: string[]): boolean {
-    if (!ip || !patterns || patterns.length === 0) return false;
-
-    // Handle IPv4/IPv6 normalization for proper matching
-    const normalizeIP = (ip: string): string[] => {
-      if (!ip) return [];
-      // Handle IPv4-mapped IPv6 addresses (::ffff:127.0.0.1)
-      if (ip.startsWith('::ffff:')) {
-        const ipv4 = ip.slice(7);
-        return [ip, ipv4];
-      }
-      // Handle IPv4 addresses by also checking IPv4-mapped form
-      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
-        return [ip, `::ffff:${ip}`];
-      }
-      return [ip];
-    };
-
-    // Normalize the IP being checked
-    const normalizedIPVariants = normalizeIP(ip);
-    if (normalizedIPVariants.length === 0) return false;
+  public validateIP(ip: string): { allowed: boolean; reason?: string } {
+    // Check connection count limit
+    if (
+      this.smartProxy.settings.maxConnectionsPerIP &&
+      this.getConnectionCountByIP(ip) >= this.smartProxy.settings.maxConnectionsPerIP
+    ) {
+      return {
+        allowed: false,
+        reason: `Maximum connections per IP (${this.smartProxy.settings.maxConnectionsPerIP}) exceeded`
+      };
+    }
 
-    // Expand shorthand patterns and normalize IPs for consistent comparison
-    const expandShorthand = (pattern: string): string => {
-      // Expand shorthand IP patterns like '192.168.*' to '192.168.*.*'
-      if (pattern.includes('*') && !pattern.includes(':')) {
-        const parts = pattern.split('.');
-        while (parts.length < 4) {
-          parts.push('*');
-        }
-        return parts.join('.');
-      }
-      return pattern;
-    };
-    
-    const expandedPatterns = patterns.map(expandShorthand).flatMap(normalizeIP);
+    // Check connection rate limit
+    if (
+      this.smartProxy.settings.connectionRateLimitPerMinute &&
+      !this.checkConnectionRate(ip)
+    ) {
+      return {
+        allowed: false,
+        reason: `Connection rate limit (${this.smartProxy.settings.connectionRateLimitPerMinute}/min) exceeded`
+      };
+    }
 
-    // Check for any match between normalized IP variants and patterns
-    return normalizedIPVariants.some((ipVariant) =>
-      expandedPatterns.some((pattern) => plugins.minimatch(ipVariant, pattern))
-    );
+    return { allowed: true };
   }
-  
+
   /**
-   * Check if IP should be allowed considering connection rate and max connections
-   * @returns Object with result and reason
+   * Atomically validate an IP and track the connection if allowed.
+   * This prevents race conditions where concurrent connections could bypass per-IP limits.
+   *
+   * @param ip - The IP address to validate
+   * @param connectionId - The connection ID to track if validation passes
+   * @returns Object with validation result and reason
    */
-  public validateIP(ip: string): { allowed: boolean; reason?: string } {
-    // Check connection count limit
+  public validateAndTrackIP(ip: string, connectionId: string): { allowed: boolean; reason?: string } {
+    // Check connection count limit BEFORE tracking
     if (
       this.smartProxy.settings.maxConnectionsPerIP &&
       this.getConnectionCountByIP(ip) >= this.smartProxy.settings.maxConnectionsPerIP
@@ -166,7 +175,7 @@ export class SecurityManager {
 
     // Check connection rate limit
     if (
-      this.smartProxy.settings.connectionRateLimitPerMinute && 
+      this.smartProxy.settings.connectionRateLimitPerMinute &&
       !this.checkConnectionRate(ip)
     ) {
       return {
@@ -174,7 +183,10 @@ export class SecurityManager {
         reason: `Connection rate limit (${this.smartProxy.settings.connectionRateLimitPerMinute}/min) exceeded`
       };
     }
-    
+
+    // Validation passed - immediately track to prevent race conditions
+    this.trackConnectionByIP(ip, connectionId);
+
     return { allowed: true };
   }
   

package/ts/proxies/smart-proxy/smart-proxy.ts

@@ -137,8 +137,6 @@ export class SmartProxy extends plugins.EventEmitter {
       enableDetailedLogging: settingsArg.enableDetailedLogging || false,
       enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
       enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
-      allowSessionTicket:
-        settingsArg.allowSessionTicket !== undefined ? settingsArg.allowSessionTicket : true,
       maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
       connectionRateLimitPerMinute: settingsArg.connectionRateLimitPerMinute || 300,
       keepAliveTreatment: settingsArg.keepAliveTreatment || 'extended',

package/ts/proxies/smart-proxy/tls-manager.ts

@@ -50,43 +50,7 @@ export class TlsManager {
     );
   }
   
-  /**
-   * Handle session resumption attempts
-   */
-  public handleSessionResumption(
-    chunk: Buffer, 
-    connectionId: string,
-    hasSNI: boolean
-  ): { shouldBlock: boolean; reason?: string } {
-    // Skip if session tickets are allowed
-    if (this.smartProxy.settings.allowSessionTicket !== false) {
-      return { shouldBlock: false };
-    }
-    
-    // Check for session resumption attempt
-    const resumptionInfo = SniHandler.hasSessionResumption(
-      chunk,
-      this.smartProxy.settings.enableTlsDebugLogging || false
-    );
-    
-    // If this is a resumption attempt without SNI, block it
-    if (resumptionInfo.isResumption && !hasSNI && !resumptionInfo.hasSNI) {
-      if (this.smartProxy.settings.enableTlsDebugLogging) {
-        console.log(
-          `[${connectionId}] Session resumption detected without SNI and allowSessionTicket=false. ` +
-          `Terminating connection to force new TLS handshake.`
-        );
-      }
-      return { 
-        shouldBlock: true, 
-        reason: 'session_ticket_blocked' 
-      };
-    }
-    
-    return { shouldBlock: false };
-  }
-  
-  /**
+/**
    * Check for SNI mismatch during renegotiation
    */
   public checkRenegotiationSNI(

package/ts/proxies/smart-proxy/utils/index.ts

@@ -8,8 +8,8 @@
 // Export route helpers for creating route configurations
 export * from './route-helpers.js';
 
-// Export route validators for validating route configurations
-export * from './route-validators.js';
+// Export route validator (class-based and functional API)
+export * from './route-validator.js';
 
 // Export route utilities for route operations
 export * from './route-utils.js';
@@ -20,6 +20,4 @@ export {
   addRateLimiting,
   addBasicAuth,
   addJwtAuth
-} from './route-helpers.js';
-
-// Migration utilities have been removed as they are no longer needed
+} from './route-helpers.js';

package/ts/proxies/smart-proxy/utils/route-helpers/api-helpers.ts

@@ -0,0 +1,144 @@
+/**
+ * API Route Helper Functions
+ *
+ * This module provides utility functions for creating API route configurations.
+ */
+
+import type { IRouteConfig, IRouteMatch, IRouteAction } from '../../models/route-types.js';
+import { mergeRouteConfigs } from '../route-utils.js';
+import { createHttpRoute } from './http-helpers.js';
+import { createHttpsTerminateRoute } from './https-helpers.js';
+
+/**
+ * Create an API route configuration
+ * @param domains Domain(s) to match
+ * @param apiPath API base path (e.g., "/api")
+ * @param target Target host and port
+ * @param options Additional route options
+ * @returns Route configuration object
+ */
+export function createApiRoute(
+  domains: string | string[],
+  apiPath: string,
+  target: { host: string | string[]; port: number },
+  options: {
+    useTls?: boolean;
+    certificate?: 'auto' | { key: string; cert: string };
+    addCorsHeaders?: boolean;
+    httpPort?: number | number[];
+    httpsPort?: number | number[];
+    name?: string;
+    [key: string]: any;
+  } = {}
+): IRouteConfig {
+  // Normalize API path
+  const normalizedPath = apiPath.startsWith('/') ? apiPath : `/${apiPath}`;
+  const pathWithWildcard = normalizedPath.endsWith('/')
+    ? `${normalizedPath}*`
+    : `${normalizedPath}/*`;
+
+  // Create route match
+  const match: IRouteMatch = {
+    ports: options.useTls
+      ? (options.httpsPort || 443)
+      : (options.httpPort || 80),
+    domains,
+    path: pathWithWildcard
+  };
+
+  // Create route action
+  const action: IRouteAction = {
+    type: 'forward',
+    targets: [target]
+  };
+
+  // Add TLS configuration if using HTTPS
+  if (options.useTls) {
+    action.tls = {
+      mode: 'terminate',
+      certificate: options.certificate || 'auto'
+    };
+  }
+
+  // Add CORS headers if requested
+  const headers: Record<string, Record<string, string>> = {};
+  if (options.addCorsHeaders) {
+    headers.response = {
+      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
+      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+      'Access-Control-Max-Age': '86400'
+    };
+  }
+
+  // Create the route config
+  return {
+    match,
+    action,
+    headers: Object.keys(headers).length > 0 ? headers : undefined,
+    name: options.name || `API Route ${normalizedPath} for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
+    priority: options.priority || 100, // Higher priority for specific path matches
+    ...options
+  };
+}
+
+/**
+ * Create an API Gateway route pattern
+ * @param domains Domain(s) to match
+ * @param apiBasePath Base path for API endpoints (e.g., '/api')
+ * @param target Target host and port
+ * @param options Additional route options
+ * @returns API route configuration
+ */
+export function createApiGatewayRoute(
+  domains: string | string[],
+  apiBasePath: string,
+  target: { host: string | string[]; port: number },
+  options: {
+    useTls?: boolean;
+    certificate?: 'auto' | { key: string; cert: string };
+    addCorsHeaders?: boolean;
+    [key: string]: any;
+  } = {}
+): IRouteConfig {
+  // Normalize apiBasePath to ensure it starts with / and doesn't end with /
+  const normalizedPath = apiBasePath.startsWith('/')
+    ? apiBasePath
+    : `/${apiBasePath}`;
+
+  // Add wildcard to path to match all API endpoints
+  const apiPath = normalizedPath.endsWith('/')
+    ? `${normalizedPath}*`
+    : `${normalizedPath}/*`;
+
+  // Create base route
+  const baseRoute = options.useTls
+    ? createHttpsTerminateRoute(domains, target, {
+        certificate: options.certificate || 'auto'
+      })
+    : createHttpRoute(domains, target);
+
+  // Add API-specific configurations
+  const apiRoute: Partial<IRouteConfig> = {
+    match: {
+      ...baseRoute.match,
+      path: apiPath
+    },
+    name: options.name || `API Gateway: ${apiPath} -> ${Array.isArray(target.host) ? target.host.join(', ') : target.host}:${target.port}`,
+    priority: options.priority || 100 // Higher priority for specific path matching
+  };
+
+  // Add CORS headers if requested
+  if (options.addCorsHeaders) {
+    apiRoute.headers = {
+      response: {
+        'Access-Control-Allow-Origin': '*',
+        'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
+        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+        'Access-Control-Max-Age': '86400'
+      }
+    };
+  }
+
+  return mergeRouteConfigs(baseRoute, apiRoute);
+}