@push.rocks/smartproxy 21.1.7 → 22.6.0

package/ts/proxies/smart-proxy/timeout-manager.ts

@@ -1,196 +0,0 @@
-import type { IConnectionRecord } from './models/interfaces.js';
-import type { SmartProxy } from './smart-proxy.js';
-
-/**
- * Manages timeouts and inactivity tracking for connections
- */
-export class TimeoutManager {
-  constructor(private smartProxy: SmartProxy) {}
-  
-  /**
-   * Ensure timeout values don't exceed Node.js max safe integer
-   */
-  public ensureSafeTimeout(timeout: number): number {
-    const MAX_SAFE_TIMEOUT = 2147483647; // Maximum safe value (2^31 - 1)
-    return Math.min(Math.floor(timeout), MAX_SAFE_TIMEOUT);
-  }
-  
-  /**
-   * Generate a slightly randomized timeout to prevent thundering herd
-   */
-  public randomizeTimeout(baseTimeout: number, variationPercent: number = 5): number {
-    const safeBaseTimeout = this.ensureSafeTimeout(baseTimeout);
-    const variation = safeBaseTimeout * (variationPercent / 100);
-    return this.ensureSafeTimeout(
-      safeBaseTimeout + Math.floor(Math.random() * variation * 2) - variation
-    );
-  }
-  
-  /**
-   * Update connection activity timestamp
-   */
-  public updateActivity(record: IConnectionRecord): void {
-    record.lastActivity = Date.now();
-
-    // Clear any inactivity warning
-    if (record.inactivityWarningIssued) {
-      record.inactivityWarningIssued = false;
-    }
-  }
-
-  /**
-   * Calculate effective inactivity timeout based on connection type
-   */
-  public getEffectiveInactivityTimeout(record: IConnectionRecord): number {
-    let effectiveTimeout = this.smartProxy.settings.inactivityTimeout || 14400000; // 4 hours default
-    
-    // For immortal keep-alive connections, use an extremely long timeout
-    if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'immortal') {
-      return Number.MAX_SAFE_INTEGER;
-    }
-    
-    // For extended keep-alive connections, apply multiplier
-    if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'extended') {
-      const multiplier = this.smartProxy.settings.keepAliveInactivityMultiplier || 6;
-      effectiveTimeout = effectiveTimeout * multiplier;
-    }
-    
-    return this.ensureSafeTimeout(effectiveTimeout);
-  }
-  
-  /**
-   * Calculate effective max lifetime based on connection type
-   */
-  public getEffectiveMaxLifetime(record: IConnectionRecord): number {
-    // Use route-specific timeout if available from the routeConfig
-    const baseTimeout = record.routeConfig?.action.advanced?.timeout ||
-                        this.smartProxy.settings.maxConnectionLifetime ||
-                        86400000; // 24 hours default
-    
-    // For immortal keep-alive connections, use an extremely long lifetime
-    if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'immortal') {
-      return Number.MAX_SAFE_INTEGER;
-    }
-    
-    // For extended keep-alive connections, use the extended lifetime setting
-    if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'extended') {
-      return this.ensureSafeTimeout(
-        this.smartProxy.settings.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000 // 7 days default
-      );
-    }
-    
-    // Apply randomization if enabled
-    if (this.smartProxy.settings.enableRandomizedTimeouts) {
-      return this.randomizeTimeout(baseTimeout);
-    }
-    
-    return this.ensureSafeTimeout(baseTimeout);
-  }
-  
-  /**
-   * Setup connection timeout
-   * @returns The cleanup timer
-   */
-  public setupConnectionTimeout(
-    record: IConnectionRecord,
-    onTimeout: (record: IConnectionRecord, reason: string) => void
-  ): NodeJS.Timeout | null {
-    // Clear any existing timer
-    if (record.cleanupTimer) {
-      clearTimeout(record.cleanupTimer);
-    }
-    
-    // Skip timeout for immortal keep-alive connections
-    if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'immortal') {
-      return null;
-    }
-    
-    // Calculate effective timeout
-    const effectiveLifetime = this.getEffectiveMaxLifetime(record);
-    
-    // Set up the timeout
-    const timer = setTimeout(() => {
-      // Call the provided callback
-      onTimeout(record, 'connection_timeout');
-    }, effectiveLifetime);
-    
-    // Make sure timeout doesn't keep the process alive
-    if (timer.unref) {
-      timer.unref();
-    }
-    
-    return timer;
-  }
-  
-  /**
-   * Check for inactivity on a connection
-   * @returns Object with check results
-   */
-  public checkInactivity(record: IConnectionRecord): {
-    isInactive: boolean;
-    shouldWarn: boolean;
-    inactivityTime: number;
-    effectiveTimeout: number;
-  } {
-    // Skip for connections with inactivity check disabled
-    if (this.smartProxy.settings.disableInactivityCheck) {
-      return {
-        isInactive: false,
-        shouldWarn: false,
-        inactivityTime: 0,
-        effectiveTimeout: 0
-      };
-    }
-    
-    // Skip for immortal keep-alive connections
-    if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'immortal') {
-      return {
-        isInactive: false,
-        shouldWarn: false,
-        inactivityTime: 0,
-        effectiveTimeout: 0
-      };
-    }
-    
-    const now = Date.now();
-    const inactivityTime = now - record.lastActivity;
-    const effectiveTimeout = this.getEffectiveInactivityTimeout(record);
-    
-    // Check if inactive
-    const isInactive = inactivityTime > effectiveTimeout;
-    
-    // For keep-alive connections, we should warn first
-    const shouldWarn = record.hasKeepAlive && 
-                       isInactive && 
-                       !record.inactivityWarningIssued;
-    
-    return {
-      isInactive,
-      shouldWarn,
-      inactivityTime,
-      effectiveTimeout
-    };
-  }
-  
-  /**
-   * Apply socket timeout settings
-   */
-  public applySocketTimeouts(record: IConnectionRecord): void {
-    // Skip for immortal keep-alive connections
-    if (record.hasKeepAlive && this.smartProxy.settings.keepAliveTreatment === 'immortal') {
-      // Disable timeouts completely for immortal connections
-      record.incoming.setTimeout(0);
-      if (record.outgoing) {
-        record.outgoing.setTimeout(0);
-      }
-      return;
-    }
-    
-    // Apply normal timeouts
-    const timeout = this.ensureSafeTimeout(this.smartProxy.settings.socketTimeout || 3600000); // 1 hour default
-    record.incoming.setTimeout(timeout);
-    if (record.outgoing) {
-      record.outgoing.setTimeout(timeout);
-    }
-  }
-}

package/ts/proxies/smart-proxy/tls-manager.ts

@@ -1,207 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { SniHandler } from '../../tls/sni/sni-handler.js';
-import { ProtocolDetector, TlsDetector } from '../../detection/index.js';
-import type { SmartProxy } from './smart-proxy.js';
-
-/**
- * Interface for connection information used for SNI extraction
- */
-interface IConnectionInfo {
-  sourceIp: string;
-  sourcePort: number;
-  destIp: string;
-  destPort: number;
-}
-
-/**
- * Manages TLS-related operations including SNI extraction and validation
- */
-export class TlsManager {
-  constructor(private smartProxy: SmartProxy) {}
-  
-  /**
-   * Check if a data chunk appears to be a TLS handshake
-   */
-  public isTlsHandshake(chunk: Buffer): boolean {
-    return SniHandler.isTlsHandshake(chunk);
-  }
-  
-  /**
-   * Check if a data chunk appears to be a TLS ClientHello
-   */
-  public isClientHello(chunk: Buffer): boolean {
-    return SniHandler.isClientHello(chunk);
-  }
-  
-  /**
-   * Extract Server Name Indication (SNI) from TLS handshake
-   */
-  public extractSNI(
-    chunk: Buffer, 
-    connInfo: IConnectionInfo, 
-    previousDomain?: string
-  ): string | undefined {
-    // Use the SniHandler to process the TLS packet
-    return SniHandler.processTlsPacket(
-      chunk,
-      connInfo,
-      this.smartProxy.settings.enableTlsDebugLogging || false,
-      previousDomain
-    );
-  }
-  
-  /**
-   * Handle session resumption attempts
-   */
-  public handleSessionResumption(
-    chunk: Buffer, 
-    connectionId: string,
-    hasSNI: boolean
-  ): { shouldBlock: boolean; reason?: string } {
-    // Skip if session tickets are allowed
-    if (this.smartProxy.settings.allowSessionTicket !== false) {
-      return { shouldBlock: false };
-    }
-    
-    // Check for session resumption attempt
-    const resumptionInfo = SniHandler.hasSessionResumption(
-      chunk,
-      this.smartProxy.settings.enableTlsDebugLogging || false
-    );
-    
-    // If this is a resumption attempt without SNI, block it
-    if (resumptionInfo.isResumption && !hasSNI && !resumptionInfo.hasSNI) {
-      if (this.smartProxy.settings.enableTlsDebugLogging) {
-        console.log(
-          `[${connectionId}] Session resumption detected without SNI and allowSessionTicket=false. ` +
-          `Terminating connection to force new TLS handshake.`
-        );
-      }
-      return { 
-        shouldBlock: true, 
-        reason: 'session_ticket_blocked' 
-      };
-    }
-    
-    return { shouldBlock: false };
-  }
-  
-  /**
-   * Check for SNI mismatch during renegotiation
-   */
-  public checkRenegotiationSNI(
-    chunk: Buffer,
-    connInfo: IConnectionInfo,
-    expectedDomain: string,
-    connectionId: string
-  ): { hasMismatch: boolean; extractedSNI?: string } {
-    // Only process if this looks like a TLS ClientHello
-    if (!this.isClientHello(chunk)) {
-      return { hasMismatch: false };
-    }
-    
-    try {
-      // Extract SNI with renegotiation support
-      const newSNI = SniHandler.extractSNIWithResumptionSupport(
-        chunk,
-        connInfo,
-        this.smartProxy.settings.enableTlsDebugLogging || false
-      );
-
-      // Skip if no SNI was found
-      if (!newSNI) return { hasMismatch: false };
-
-      // Check for SNI mismatch
-      if (newSNI !== expectedDomain) {
-        if (this.smartProxy.settings.enableTlsDebugLogging) {
-          console.log(
-            `[${connectionId}] Renegotiation with different SNI: ${expectedDomain} -> ${newSNI}. ` +
-            `Terminating connection - SNI domain switching is not allowed.`
-          );
-        }
-        return { hasMismatch: true, extractedSNI: newSNI };
-      } else if (this.smartProxy.settings.enableTlsDebugLogging) {
-        console.log(
-          `[${connectionId}] Renegotiation detected with same SNI: ${newSNI}. Allowing.`
-        );
-      }
-    } catch (err) {
-      console.log(
-        `[${connectionId}] Error processing ClientHello: ${err}. Allowing connection to continue.`
-      );
-    }
-    
-    return { hasMismatch: false };
-  }
-  
-  /**
-   * Create a renegotiation handler function for a connection
-   */
-  public createRenegotiationHandler(
-    connectionId: string,
-    lockedDomain: string,
-    connInfo: IConnectionInfo,
-    onMismatch: (connectionId: string, reason: string) => void
-  ): (chunk: Buffer) => void {
-    return (chunk: Buffer) => {
-      const result = this.checkRenegotiationSNI(chunk, connInfo, lockedDomain, connectionId);
-      if (result.hasMismatch) {
-        onMismatch(connectionId, 'sni_mismatch');
-      }
-    };
-  }
-  
-  /**
-   * Analyze TLS connection for browser fingerprinting
-   * This helps identify browser vs non-browser connections
-   */
-  public analyzeClientHello(chunk: Buffer): { 
-    isBrowserConnection: boolean; 
-    isRenewal: boolean;
-    hasSNI: boolean;
-  } {
-    // Default result
-    const result = { 
-      isBrowserConnection: false, 
-      isRenewal: false,
-      hasSNI: false
-    };
-    
-    try {
-      // Check if it's a ClientHello
-      if (!this.isClientHello(chunk)) {
-        return result;
-      }
-      
-      // Check for session resumption
-      const resumptionInfo = SniHandler.hasSessionResumption(
-        chunk,
-        this.smartProxy.settings.enableTlsDebugLogging || false
-      );
-      
-      // Extract SNI
-      const sni = SniHandler.extractSNI(
-        chunk,
-        this.smartProxy.settings.enableTlsDebugLogging || false
-      );
-      
-      // Update result
-      result.isRenewal = resumptionInfo.isResumption;
-      result.hasSNI = !!sni;
-      
-      // Browsers typically:
-      // 1. Send SNI extension
-      // 2. Have a variety of extensions (ALPN, etc.)
-      // 3. Use standard cipher suites
-      // ...more complex heuristics could be implemented here
-      
-      // Simple heuristic: presence of SNI suggests browser
-      result.isBrowserConnection = !!sni; 
-      
-      return result;
-    } catch (err) {
-      console.log(`Error analyzing ClientHello: ${err}`);
-      return result;
-    }
-  }
-}

package/ts/proxies/smart-proxy/utils/route-validators.ts

@@ -1,283 +0,0 @@
-/**
- * Route Validators
- * 
- * This file provides utility functions for validating route configurations.
- * These validators help ensure that route configurations are valid and correctly structured.
- */
-
-import type { IRouteConfig, IRouteMatch, IRouteAction, TPortRange } from '../models/route-types.js';
-
-/**
- * Validates a port range or port number
- * @param port Port number, port range, or port function
- * @returns True if valid, false otherwise
- */
-export function isValidPort(port: any): boolean {
-  if (typeof port === 'number') {
-    return port > 0 && port < 65536; // Valid port range is 1-65535
-  } else if (Array.isArray(port)) {
-    return port.every(p =>
-      (typeof p === 'number' && p > 0 && p < 65536) ||
-      (typeof p === 'object' && 'from' in p && 'to' in p &&
-       p.from > 0 && p.from < 65536 && p.to > 0 && p.to < 65536)
-    );
-  } else if (typeof port === 'function') {
-    // For function-based ports, we can't validate the result at config time
-    // so we just check that it's a function
-    return true;
-  } else if (typeof port === 'object' && 'from' in port && 'to' in port) {
-    return port.from > 0 && port.from < 65536 && port.to > 0 && port.to < 65536;
-  }
-  return false;
-}
-
-/**
- * Validates a domain string
- * @param domain Domain string to validate
- * @returns True if valid, false otherwise
- */
-export function isValidDomain(domain: string): boolean {
-  // Basic domain validation regex - allows wildcards (*.example.com)
-  const domainRegex = /^(\*\.)?([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$/;
-  return domainRegex.test(domain);
-}
-
-/**
- * Validates a route match configuration
- * @param match Route match configuration to validate
- * @returns { valid: boolean, errors: string[] } Validation result
- */
-export function validateRouteMatch(match: IRouteMatch): { valid: boolean; errors: string[] } {
-  const errors: string[] = [];
-
-  // Validate ports
-  if (match.ports !== undefined) {
-    if (!isValidPort(match.ports)) {
-      errors.push('Invalid port number or port range in match.ports');
-    }
-  }
-
-  // Validate domains
-  if (match.domains !== undefined) {
-    if (typeof match.domains === 'string') {
-      if (!isValidDomain(match.domains)) {
-        errors.push(`Invalid domain format: ${match.domains}`);
-      }
-    } else if (Array.isArray(match.domains)) {
-      for (const domain of match.domains) {
-        if (!isValidDomain(domain)) {
-          errors.push(`Invalid domain format: ${domain}`);
-        }
-      }
-    } else {
-      errors.push('Domains must be a string or an array of strings');
-    }
-  }
-
-  // Validate path
-  if (match.path !== undefined) {
-    if (typeof match.path !== 'string' || !match.path.startsWith('/')) {
-      errors.push('Path must be a string starting with /');
-    }
-  }
-
-  return {
-    valid: errors.length === 0,
-    errors
-  };
-}
-
-/**
- * Validates a route action configuration
- * @param action Route action configuration to validate
- * @returns { valid: boolean, errors: string[] } Validation result
- */
-export function validateRouteAction(action: IRouteAction): { valid: boolean; errors: string[] } {
-  const errors: string[] = [];
-
-  // Validate action type
-  if (!action.type) {
-    errors.push('Action type is required');
-  } else if (!['forward', 'socket-handler'].includes(action.type)) {
-    errors.push(`Invalid action type: ${action.type}`);
-  }
-
-  // Validate targets for 'forward' action
-  if (action.type === 'forward') {
-    if (!action.targets || !Array.isArray(action.targets) || action.targets.length === 0) {
-      errors.push('Targets array is required for forward action');
-    } else {
-      // Validate each target
-      action.targets.forEach((target, index) => {
-        // Validate target host
-        if (!target.host) {
-          errors.push(`Target[${index}] host is required`);
-        } else if (typeof target.host !== 'string' &&
-                  !Array.isArray(target.host) &&
-                  typeof target.host !== 'function') {
-          errors.push(`Target[${index}] host must be a string, array of strings, or function`);
-        }
-
-        // Validate target port
-        if (target.port === undefined) {
-          errors.push(`Target[${index}] port is required`);
-        } else if (typeof target.port !== 'number' &&
-                  typeof target.port !== 'function' &&
-                  target.port !== 'preserve') {
-          errors.push(`Target[${index}] port must be a number, 'preserve', or a function`);
-        } else if (typeof target.port === 'number' && !isValidPort(target.port)) {
-          errors.push(`Target[${index}] port must be between 1 and 65535`);
-        }
-        
-        // Validate match criteria if present
-        if (target.match) {
-          if (target.match.ports && !Array.isArray(target.match.ports)) {
-            errors.push(`Target[${index}] match.ports must be an array`);
-          }
-          if (target.match.method && !Array.isArray(target.match.method)) {
-            errors.push(`Target[${index}] match.method must be an array`);
-          }
-        }
-      });
-    }
-
-    // Validate TLS options for forward actions
-    if (action.tls) {
-      if (!['passthrough', 'terminate', 'terminate-and-reencrypt'].includes(action.tls.mode)) {
-        errors.push(`Invalid TLS mode: ${action.tls.mode}`);
-      }
-
-      // For termination modes, validate certificate
-      if (['terminate', 'terminate-and-reencrypt'].includes(action.tls.mode)) {
-        if (action.tls.certificate !== 'auto' && 
-            (!action.tls.certificate || !action.tls.certificate.key || !action.tls.certificate.cert)) {
-          errors.push('Certificate must be "auto" or an object with key and cert properties');
-        }
-      }
-    }
-  }
-
-  // Validate socket handler for 'socket-handler' action
-  if (action.type === 'socket-handler') {
-    if (!action.socketHandler) {
-      errors.push('Socket handler function is required for socket-handler action');
-    } else if (typeof action.socketHandler !== 'function') {
-      errors.push('Socket handler must be a function');
-    }
-  }
-
-  return {
-    valid: errors.length === 0,
-    errors
-  };
-}
-
-/**
- * Validates a complete route configuration
- * @param route Route configuration to validate
- * @returns { valid: boolean, errors: string[] } Validation result
- */
-export function validateRouteConfig(route: IRouteConfig): { valid: boolean; errors: string[] } {
-  const errors: string[] = [];
-
-  // Check for required properties
-  if (!route.match) {
-    errors.push('Route match configuration is required');
-  }
-
-  if (!route.action) {
-    errors.push('Route action configuration is required');
-  }
-
-  // Validate match configuration
-  if (route.match) {
-    const matchValidation = validateRouteMatch(route.match);
-    if (!matchValidation.valid) {
-      errors.push(...matchValidation.errors.map(err => `Match: ${err}`));
-    }
-  }
-
-  // Validate action configuration
-  if (route.action) {
-    const actionValidation = validateRouteAction(route.action);
-    if (!actionValidation.valid) {
-      errors.push(...actionValidation.errors.map(err => `Action: ${err}`));
-    }
-  }
-
-  // Ensure the route has a unique identifier
-  if (!route.id && !route.name) {
-    errors.push('Route should have either an id or a name for identification');
-  }
-
-  return {
-    valid: errors.length === 0,
-    errors
-  };
-}
-
-/**
- * Validate an array of route configurations
- * @param routes Array of route configurations to validate
- * @returns { valid: boolean, errors: { index: number, errors: string[] }[] } Validation result
- */
-export function validateRoutes(routes: IRouteConfig[]): { 
-  valid: boolean; 
-  errors: { index: number; errors: string[] }[] 
-} {
-  const results: { index: number; errors: string[] }[] = [];
-
-  routes.forEach((route, index) => {
-    const validation = validateRouteConfig(route);
-    if (!validation.valid) {
-      results.push({
-        index,
-        errors: validation.errors
-      });
-    }
-  });
-
-  return {
-    valid: results.length === 0,
-    errors: results
-  };
-}
-
-/**
- * Check if a route configuration has the required properties for a specific action type
- * @param route Route configuration to check
- * @param actionType Expected action type
- * @returns True if the route has the necessary properties, false otherwise
- */
-export function hasRequiredPropertiesForAction(route: IRouteConfig, actionType: string): boolean {
-  if (!route.action || route.action.type !== actionType) {
-    return false;
-  }
-
-  switch (actionType) {
-    case 'forward':
-      return !!route.action.targets && 
-             Array.isArray(route.action.targets) && 
-             route.action.targets.length > 0 &&
-             route.action.targets.every(t => t.host && t.port !== undefined);
-    case 'socket-handler':
-      return !!route.action.socketHandler && typeof route.action.socketHandler === 'function';
-    default:
-      return false;
-  }
-}
-
-/**
- * Throws an error if the route config is invalid, returns the config if valid
- * Useful for immediate validation when creating routes
- * @param route Route configuration to validate
- * @returns The validated route configuration
- * @throws Error if the route configuration is invalid
- */
-export function assertValidRoute(route: IRouteConfig): IRouteConfig {
-  const validation = validateRouteConfig(route);
-  if (!validation.valid) {
-    throw new Error(`Invalid route configuration: ${validation.errors.join(', ')}`);
-  }
-  return route;
-}