@push.rocks/smartproxy 22.4.2 → 23.0.0

package/ts/proxies/smart-proxy/route-orchestrator.ts

@@ -1,297 +0,0 @@
-import { logger } from '../../core/utils/logger.js';
-import type { IRouteConfig } from './models/route-types.js';
-import type { ILogger } from '../http-proxy/models/types.js';
-import { RouteValidator } from './utils/route-validator.js';
-import { Mutex } from './utils/mutex.js';
-import type { PortManager } from './port-manager.js';
-import type { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
-import type { HttpProxyBridge } from './http-proxy-bridge.js';
-import type { NFTablesManager } from './nftables-manager.js';
-import type { SmartCertManager } from './certificate-manager.js';
-
-/**
- * Orchestrates route updates and coordination between components
- * Extracted from SmartProxy to reduce class complexity
- */
-export class RouteOrchestrator {
-  private routeUpdateLock: Mutex;
-  private portManager: PortManager;
-  private routeManager: RouteManager;
-  private httpProxyBridge: HttpProxyBridge;
-  private nftablesManager: NFTablesManager;
-  private certManager: SmartCertManager | null = null;
-  private logger: ILogger;
-  
-  constructor(
-    portManager: PortManager,
-    routeManager: RouteManager,
-    httpProxyBridge: HttpProxyBridge,
-    nftablesManager: NFTablesManager,
-    certManager: SmartCertManager | null,
-    logger: ILogger
-  ) {
-    this.portManager = portManager;
-    this.routeManager = routeManager;
-    this.httpProxyBridge = httpProxyBridge;
-    this.nftablesManager = nftablesManager;
-    this.certManager = certManager;
-    this.logger = logger;
-    this.routeUpdateLock = new Mutex();
-  }
-  
-  /**
-   * Set or update certificate manager reference
-   */
-  public setCertManager(certManager: SmartCertManager | null): void {
-    this.certManager = certManager;
-  }
-  
-  /**
-   * Get certificate manager reference
-   */
-  public getCertManager(): SmartCertManager | null {
-    return this.certManager;
-  }
-  
-  /**
-   * Update routes with validation and coordination
-   */
-  public async updateRoutes(
-    oldRoutes: IRouteConfig[],
-    newRoutes: IRouteConfig[],
-    options: {
-      acmePort?: number;
-      acmeOptions?: any;
-      acmeState?: any;
-      globalChallengeRouteActive?: boolean;
-      createCertificateManager?: (
-        routes: IRouteConfig[],
-        certStore: string,
-        acmeOptions?: any,
-        initialState?: any
-      ) => Promise<SmartCertManager>;
-      verifyChallengeRouteRemoved?: () => Promise<void>;
-    } = {}
-  ): Promise<{
-    portUsageMap: Map<number, Set<string>>;
-    newChallengeRouteActive: boolean;
-    newCertManager?: SmartCertManager;
-  }> {
-    return this.routeUpdateLock.runExclusive(async () => {
-      // Validate route configurations
-      const validation = RouteValidator.validateRoutes(newRoutes);
-      if (!validation.valid) {
-        RouteValidator.logValidationErrors(validation.errors);
-        throw new Error(`Route validation failed: ${validation.errors.size} route(s) have errors`);
-      }
-      
-      // Track port usage before and after updates
-      const oldPortUsage = this.updatePortUsageMap(oldRoutes);
-      const newPortUsage = this.updatePortUsageMap(newRoutes);
-      
-      // Get the lists of currently listening ports and new ports needed
-      const currentPorts = new Set(this.portManager.getListeningPorts());
-      const newPortsSet = new Set(newPortUsage.keys());
-      
-      // Log the port usage for debugging
-      this.logger.debug(`Current listening ports: ${Array.from(currentPorts).join(', ')}`);
-      this.logger.debug(`Ports needed for new routes: ${Array.from(newPortsSet).join(', ')}`);
-      
-      // Find orphaned ports - ports that no longer have any routes
-      const orphanedPorts = this.findOrphanedPorts(oldPortUsage, newPortUsage);
-      
-      // Find new ports that need binding (only ports that we aren't already listening on)
-      const newBindingPorts = Array.from(newPortsSet).filter(p => !currentPorts.has(p));
-      
-      // Check for ACME challenge port to give it special handling
-      const acmePort = options.acmePort || 80;
-      const acmePortNeeded = newPortsSet.has(acmePort);
-      const acmePortListed = newBindingPorts.includes(acmePort);
-      
-      if (acmePortNeeded && acmePortListed) {
-        this.logger.info(`Adding ACME challenge port ${acmePort} to routes`);
-      }
-      
-      // Update NFTables routes
-      await this.updateNfTablesRoutes(oldRoutes, newRoutes);
-      
-      // Update routes in RouteManager
-      this.routeManager.updateRoutes(newRoutes);
-      
-      // Release orphaned ports first to free resources
-      if (orphanedPorts.length > 0) {
-        this.logger.info(`Releasing ${orphanedPorts.length} orphaned ports: ${orphanedPorts.join(', ')}`);
-        await this.portManager.removePorts(orphanedPorts);
-      }
-      
-      // Add new ports if needed
-      if (newBindingPorts.length > 0) {
-        this.logger.info(`Binding to ${newBindingPorts.length} new ports: ${newBindingPorts.join(', ')}`);
-        
-        // Handle port binding with improved error recovery
-        try {
-          await this.portManager.addPorts(newBindingPorts);
-        } catch (error) {
-          // Special handling for port binding errors
-          if ((error as any).code === 'EADDRINUSE') {
-            const port = (error as any).port || newBindingPorts[0];
-            const isAcmePort = port === acmePort;
-            
-            if (isAcmePort) {
-              this.logger.warn(`Could not bind to ACME challenge port ${port}. It may be in use by another application.`);
-              
-              // Re-throw with more helpful message
-              throw new Error(
-                `ACME challenge port ${port} is already in use by another application. ` +
-                `Configure a different port in settings.acme.port (e.g., 8080) or free up port ${port}.`
-              );
-            }
-          }
-          
-          // Re-throw the original error for other cases
-          throw error;
-        }
-      }
-      
-      // If HttpProxy is initialized, resync the configurations
-      if (this.httpProxyBridge.getHttpProxy()) {
-        await this.httpProxyBridge.syncRoutesToHttpProxy(newRoutes);
-      }
-      
-      // Update certificate manager if needed
-      let newCertManager: SmartCertManager | undefined;
-      let newChallengeRouteActive = options.globalChallengeRouteActive || false;
-      
-      if (this.certManager && options.createCertificateManager) {
-        const existingAcmeOptions = this.certManager.getAcmeOptions();
-        const existingState = this.certManager.getState();
-        
-        // Store global state before stopping
-        newChallengeRouteActive = existingState.challengeRouteActive;
-        
-        // Keep certificate manager routes in sync before stopping
-        this.certManager.setRoutes(newRoutes);
-        
-        await this.certManager.stop();
-        
-        // Verify the challenge route has been properly removed
-        if (options.verifyChallengeRouteRemoved) {
-          await options.verifyChallengeRouteRemoved();
-        }
-        
-        // Create new certificate manager with preserved state
-        newCertManager = await options.createCertificateManager(
-          newRoutes,
-          './certs',
-          existingAcmeOptions,
-          { challengeRouteActive: newChallengeRouteActive }
-        );
-        
-        this.certManager = newCertManager;
-      }
-      
-      return {
-        portUsageMap: newPortUsage,
-        newChallengeRouteActive,
-        newCertManager
-      };
-    });
-  }
-  
-  /**
-   * Update port usage map based on the provided routes
-   */
-  public updatePortUsageMap(routes: IRouteConfig[]): Map<number, Set<string>> {
-    const portUsage = new Map<number, Set<string>>();
-    
-    for (const route of routes) {
-      // Get the ports for this route
-      const portsConfig = Array.isArray(route.match.ports) 
-        ? route.match.ports 
-        : [route.match.ports];
-      
-      // Expand port range objects to individual port numbers
-      const expandedPorts: number[] = [];
-      for (const portConfig of portsConfig) {
-        if (typeof portConfig === 'number') {
-          expandedPorts.push(portConfig);
-        } else if (typeof portConfig === 'object' && 'from' in portConfig && 'to' in portConfig) {
-          // Expand the port range
-          for (let p = portConfig.from; p <= portConfig.to; p++) {
-            expandedPorts.push(p);
-          }
-        }
-      }
-      
-      // Use route name if available, otherwise generate a unique ID
-      const routeName = route.name || `unnamed_${Math.random().toString(36).substring(2, 9)}`;
-      
-      // Add each port to the usage map
-      for (const port of expandedPorts) {
-        if (!portUsage.has(port)) {
-          portUsage.set(port, new Set());
-        }
-        portUsage.get(port)!.add(routeName);
-      }
-    }
-    
-    // Log port usage for debugging
-    for (const [port, routes] of portUsage.entries()) {
-      this.logger.debug(`Port ${port} is used by ${routes.size} routes: ${Array.from(routes).join(', ')}`);
-    }
-    
-    return portUsage;
-  }
-  
-  /**
-   * Find ports that have no routes in the new configuration
-   */
-  private findOrphanedPorts(oldUsage: Map<number, Set<string>>, newUsage: Map<number, Set<string>>): number[] {
-    const orphanedPorts: number[] = [];
-    
-    for (const [port, routes] of oldUsage.entries()) {
-      if (!newUsage.has(port) || newUsage.get(port)!.size === 0) {
-        orphanedPorts.push(port);
-      }
-    }
-    
-    return orphanedPorts;
-  }
-  
-  /**
-   * Update NFTables routes
-   */
-  private async updateNfTablesRoutes(oldRoutes: IRouteConfig[], newRoutes: IRouteConfig[]): Promise<void> {
-    // Get existing routes that use NFTables and update them
-    const oldNfTablesRoutes = oldRoutes.filter(
-      r => r.action.forwardingEngine === 'nftables'
-    );
-    
-    const newNfTablesRoutes = newRoutes.filter(
-      r => r.action.forwardingEngine === 'nftables'
-    );
-    
-    // Update existing NFTables routes
-    for (const oldRoute of oldNfTablesRoutes) {
-      const newRoute = newNfTablesRoutes.find(r => r.name === oldRoute.name);
-      
-      if (!newRoute) {
-        // Route was removed
-        await this.nftablesManager.deprovisionRoute(oldRoute);
-      } else {
-        // Route was updated
-        await this.nftablesManager.updateRoute(oldRoute, newRoute);
-      }
-    }
-    
-    // Add new NFTables routes
-    for (const newRoute of newNfTablesRoutes) {
-      const oldRoute = oldNfTablesRoutes.find(r => r.name === newRoute.name);
-      
-      if (!oldRoute) {
-        // New route
-        await this.nftablesManager.provisionRoute(newRoute);
-      }
-    }
-  }
-}

package/ts/proxies/smart-proxy/security-manager.ts

@@ -1,269 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { SmartProxy } from './smart-proxy.js';
-import { connectionLogDeduplicator } from '../../core/utils/log-deduplicator.js';
-import { isIPAuthorized, normalizeIP } from '../../core/utils/security-utils.js';
-
-/**
- * Handles security aspects like IP tracking, rate limiting, and authorization
- * for SmartProxy. This is a lightweight wrapper that uses shared utilities.
- */
-export class SecurityManager {
-  private connectionsByIP: Map<string, Set<string>> = new Map();
-  private connectionRateByIP: Map<string, number[]> = new Map();
-  private cleanupInterval: NodeJS.Timeout | null = null;
-
-  constructor(private smartProxy: SmartProxy) {
-    // Start periodic cleanup every 60 seconds
-    this.startPeriodicCleanup();
-  }
-
-  /**
-   * Get connections count by IP (checks normalized variants)
-   */
-  public getConnectionCountByIP(ip: string): number {
-    // Check all normalized variants of the IP
-    const variants = normalizeIP(ip);
-    for (const variant of variants) {
-      const connections = this.connectionsByIP.get(variant);
-      if (connections) {
-        return connections.size;
-      }
-    }
-    return 0;
-  }
-
-  /**
-   * Check and update connection rate for an IP
-   * @returns true if within rate limit, false if exceeding limit
-   */
-  public checkConnectionRate(ip: string): boolean {
-    const now = Date.now();
-    const minute = 60 * 1000;
-
-    // Find existing rate tracking (check normalized variants)
-    const variants = normalizeIP(ip);
-    let existingKey: string | null = null;
-    for (const variant of variants) {
-      if (this.connectionRateByIP.has(variant)) {
-        existingKey = variant;
-        break;
-      }
-    }
-
-    const key = existingKey || ip;
-
-    if (!this.connectionRateByIP.has(key)) {
-      this.connectionRateByIP.set(key, [now]);
-      return true;
-    }
-
-    // Get timestamps and filter out entries older than 1 minute
-    const timestamps = this.connectionRateByIP.get(key)!.filter((time) => now - time < minute);
-    timestamps.push(now);
-    this.connectionRateByIP.set(key, timestamps);
-
-    // Check if rate exceeds limit
-    return timestamps.length <= this.smartProxy.settings.connectionRateLimitPerMinute!;
-  }
-
-  /**
-   * Track connection by IP
-   */
-  public trackConnectionByIP(ip: string, connectionId: string): void {
-    // Check if any variant already exists
-    const variants = normalizeIP(ip);
-    let existingKey: string | null = null;
-
-    for (const variant of variants) {
-      if (this.connectionsByIP.has(variant)) {
-        existingKey = variant;
-        break;
-      }
-    }
-
-    const key = existingKey || ip;
-    if (!this.connectionsByIP.has(key)) {
-      this.connectionsByIP.set(key, new Set());
-    }
-    this.connectionsByIP.get(key)!.add(connectionId);
-  }
-
-  /**
-   * Remove connection tracking for an IP
-   */
-  public removeConnectionByIP(ip: string, connectionId: string): void {
-    // Check all variants to find where the connection is tracked
-    const variants = normalizeIP(ip);
-
-    for (const variant of variants) {
-      if (this.connectionsByIP.has(variant)) {
-        const connections = this.connectionsByIP.get(variant)!;
-        connections.delete(connectionId);
-        if (connections.size === 0) {
-          this.connectionsByIP.delete(variant);
-        }
-        break;
-      }
-    }
-  }
-
-  /**
-   * Check if an IP is authorized using security rules
-   *
-   * This method is used to determine if an IP is allowed to connect, based on security
-   * rules configured in the route configuration. The allowed and blocked IPs are
-   * typically derived from route.security.ipAllowList and ipBlockList.
-   *
-   * @param ip - The IP address to check
-   * @param allowedIPs - Array of allowed IP patterns from security.ipAllowList
-   * @param blockedIPs - Array of blocked IP patterns from security.ipBlockList
-   * @returns true if IP is authorized, false if blocked
-   */
-  public isIPAuthorized(ip: string, allowedIPs: string[], blockedIPs: string[] = []): boolean {
-    return isIPAuthorized(ip, allowedIPs, blockedIPs);
-  }
-  
-  /**
-   * Check if IP should be allowed considering connection rate and max connections
-   * @returns Object with result and reason
-   */
-  public validateIP(ip: string): { allowed: boolean; reason?: string } {
-    // Check connection count limit
-    if (
-      this.smartProxy.settings.maxConnectionsPerIP &&
-      this.getConnectionCountByIP(ip) >= this.smartProxy.settings.maxConnectionsPerIP
-    ) {
-      return {
-        allowed: false,
-        reason: `Maximum connections per IP (${this.smartProxy.settings.maxConnectionsPerIP}) exceeded`
-      };
-    }
-
-    // Check connection rate limit
-    if (
-      this.smartProxy.settings.connectionRateLimitPerMinute &&
-      !this.checkConnectionRate(ip)
-    ) {
-      return {
-        allowed: false,
-        reason: `Connection rate limit (${this.smartProxy.settings.connectionRateLimitPerMinute}/min) exceeded`
-      };
-    }
-
-    return { allowed: true };
-  }
-
-  /**
-   * Atomically validate an IP and track the connection if allowed.
-   * This prevents race conditions where concurrent connections could bypass per-IP limits.
-   *
-   * @param ip - The IP address to validate
-   * @param connectionId - The connection ID to track if validation passes
-   * @returns Object with validation result and reason
-   */
-  public validateAndTrackIP(ip: string, connectionId: string): { allowed: boolean; reason?: string } {
-    // Check connection count limit BEFORE tracking
-    if (
-      this.smartProxy.settings.maxConnectionsPerIP &&
-      this.getConnectionCountByIP(ip) >= this.smartProxy.settings.maxConnectionsPerIP
-    ) {
-      return {
-        allowed: false,
-        reason: `Maximum connections per IP (${this.smartProxy.settings.maxConnectionsPerIP}) exceeded`
-      };
-    }
-
-    // Check connection rate limit
-    if (
-      this.smartProxy.settings.connectionRateLimitPerMinute &&
-      !this.checkConnectionRate(ip)
-    ) {
-      return {
-        allowed: false,
-        reason: `Connection rate limit (${this.smartProxy.settings.connectionRateLimitPerMinute}/min) exceeded`
-      };
-    }
-
-    // Validation passed - immediately track to prevent race conditions
-    this.trackConnectionByIP(ip, connectionId);
-
-    return { allowed: true };
-  }
-  
-  /**
-   * Clears all IP tracking data (for shutdown)
-   */
-  public clearIPTracking(): void {
-    if (this.cleanupInterval) {
-      clearInterval(this.cleanupInterval);
-      this.cleanupInterval = null;
-    }
-    this.connectionsByIP.clear();
-    this.connectionRateByIP.clear();
-  }
-  
-  /**
-   * Start periodic cleanup of expired data
-   */
-  private startPeriodicCleanup(): void {
-    this.cleanupInterval = setInterval(() => {
-      this.performCleanup();
-    }, 60000); // Run every minute
-    
-    // Unref the timer so it doesn't keep the process alive
-    if (this.cleanupInterval.unref) {
-      this.cleanupInterval.unref();
-    }
-  }
-  
-  /**
-   * Perform cleanup of expired rate limits and empty IP entries
-   */
-  private performCleanup(): void {
-    const now = Date.now();
-    const minute = 60 * 1000;
-    let cleanedRateLimits = 0;
-    let cleanedIPs = 0;
-    
-    // Clean up expired rate limit timestamps
-    for (const [ip, timestamps] of this.connectionRateByIP.entries()) {
-      const validTimestamps = timestamps.filter(time => now - time < minute);
-      
-      if (validTimestamps.length === 0) {
-        // No valid timestamps, remove the IP entry
-        this.connectionRateByIP.delete(ip);
-        cleanedRateLimits++;
-      } else if (validTimestamps.length < timestamps.length) {
-        // Some timestamps expired, update with valid ones
-        this.connectionRateByIP.set(ip, validTimestamps);
-      }
-    }
-    
-    // Clean up IPs with no active connections
-    for (const [ip, connections] of this.connectionsByIP.entries()) {
-      if (connections.size === 0) {
-        this.connectionsByIP.delete(ip);
-        cleanedIPs++;
-      }
-    }
-    
-    // Log cleanup stats if anything was cleaned
-    if (cleanedRateLimits > 0 || cleanedIPs > 0) {
-      if (this.smartProxy.settings.enableDetailedLogging) {
-        connectionLogDeduplicator.log(
-          'ip-cleanup',
-          'debug',
-          'IP tracking cleanup completed',
-          {
-            cleanedRateLimits,
-            cleanedIPs,
-            remainingIPs: this.connectionsByIP.size,
-            remainingRateLimits: this.connectionRateByIP.size,
-            component: 'security-manager'
-          },
-          'periodic-cleanup'
-        );
-      }
-    }
-  }
-}

package/ts/proxies/smart-proxy/throughput-tracker.ts

@@ -1,138 +0,0 @@
-import type { IThroughputSample, IThroughputData, IThroughputHistoryPoint } from './models/metrics-types.js';
-
-/**
- * Tracks throughput data using time-series sampling
- */
-export class ThroughputTracker {
-  private samples: IThroughputSample[] = [];
-  private readonly maxSamples: number;
-  private accumulatedBytesIn: number = 0;
-  private accumulatedBytesOut: number = 0;
-  private lastSampleTime: number = 0;
-  
-  constructor(retentionSeconds: number = 3600) {
-    // Keep samples for the retention period at 1 sample per second
-    this.maxSamples = retentionSeconds;
-  }
-  
-  /**
-   * Record bytes transferred (called on every data transfer)
-   */
-  public recordBytes(bytesIn: number, bytesOut: number): void {
-    this.accumulatedBytesIn += bytesIn;
-    this.accumulatedBytesOut += bytesOut;
-  }
-  
-  /**
-   * Take a sample of accumulated bytes (called every second)
-   */
-  public takeSample(): void {
-    const now = Date.now();
-    
-    // Record accumulated bytes since last sample
-    this.samples.push({
-      timestamp: now,
-      bytesIn: this.accumulatedBytesIn,
-      bytesOut: this.accumulatedBytesOut
-    });
-    
-    // Reset accumulators
-    this.accumulatedBytesIn = 0;
-    this.accumulatedBytesOut = 0;
-    this.lastSampleTime = now;
-    
-    // Maintain circular buffer - remove oldest samples
-    if (this.samples.length > this.maxSamples) {
-      this.samples.shift();
-    }
-  }
-  
-  /**
-   * Get throughput rate over specified window (bytes per second)
-   */
-  public getRate(windowSeconds: number): IThroughputData {
-    if (this.samples.length === 0) {
-      return { in: 0, out: 0 };
-    }
-    
-    const now = Date.now();
-    const windowStart = now - (windowSeconds * 1000);
-    
-    // Find samples within the window
-    const relevantSamples = this.samples.filter(s => s.timestamp > windowStart);
-    
-    if (relevantSamples.length === 0) {
-      return { in: 0, out: 0 };
-    }
-    
-    // Calculate total bytes in window
-    const totalBytesIn = relevantSamples.reduce((sum, s) => sum + s.bytesIn, 0);
-    const totalBytesOut = relevantSamples.reduce((sum, s) => sum + s.bytesOut, 0);
-    
-    // Use actual number of seconds covered by samples for accurate rate
-    const oldestSampleTime = relevantSamples[0].timestamp;
-    const newestSampleTime = relevantSamples[relevantSamples.length - 1].timestamp;
-    const actualSeconds = Math.max(1, (newestSampleTime - oldestSampleTime) / 1000 + 1);
-    
-    return {
-      in: Math.round(totalBytesIn / actualSeconds),
-      out: Math.round(totalBytesOut / actualSeconds)
-    };
-  }
-  
-  /**
-   * Get throughput history for specified duration
-   */
-  public getHistory(durationSeconds: number): IThroughputHistoryPoint[] {
-    const now = Date.now();
-    const startTime = now - (durationSeconds * 1000);
-    
-    // Filter samples within duration
-    const relevantSamples = this.samples.filter(s => s.timestamp > startTime);
-    
-    // Convert to history points with per-second rates
-    const history: IThroughputHistoryPoint[] = [];
-    
-    for (let i = 0; i < relevantSamples.length; i++) {
-      const sample = relevantSamples[i];
-      
-      // For the first sample or samples after gaps, we can't calculate rate
-      if (i === 0 || sample.timestamp - relevantSamples[i - 1].timestamp > 2000) {
-        history.push({
-          timestamp: sample.timestamp,
-          in: sample.bytesIn,
-          out: sample.bytesOut
-        });
-      } else {
-        // Calculate rate based on time since previous sample
-        const prevSample = relevantSamples[i - 1];
-        const timeDelta = (sample.timestamp - prevSample.timestamp) / 1000;
-        
-        history.push({
-          timestamp: sample.timestamp,
-          in: Math.round(sample.bytesIn / timeDelta),
-          out: Math.round(sample.bytesOut / timeDelta)
-        });
-      }
-    }
-    
-    return history;
-  }
-  
-  /**
-   * Clear all samples
-   */
-  public clear(): void {
-    this.samples = [];
-    this.accumulatedBytesIn = 0;
-    this.accumulatedBytesOut = 0;
-    this.lastSampleTime = 0;
-  }
-  
-  /**
-   * Get sample count for debugging
-   */
-  public getSampleCount(): number {
-    return this.samples.length;
-  }
-}