@push.rocks/smartproxy 3.34.0 → 3.37.1

package/ts/classes.portproxy.ts

@@ -1,5 +1,6 @@
 import * as plugins from './plugins.js';
 import { NetworkProxy } from './classes.networkproxy.js';
+import { SniHandler } from './classes.snihandler.js';
 
 /** Domain configuration with per-domain allowed port ranges */
 export interface IDomainConfig {
@@ -56,9 +57,21 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   keepAliveInactivityMultiplier?: number; // Multiplier for inactivity timeout for keep-alive connections
   extendedKeepAliveLifetime?: number; // Extended lifetime for keep-alive connections (ms)
 
-  // New property for NetworkProxy integration
+  // NetworkProxy integration
   useNetworkProxy?: number[]; // Array of ports to forward to NetworkProxy
   networkProxyPort?: number; // Port where NetworkProxy is listening (default: 8443)
+  
+  // ACME certificate management options
+  acme?: {
+    enabled?: boolean;              // Whether to enable automatic certificate management
+    port?: number;                  // Port to listen on for ACME challenges (default: 80)
+    contactEmail?: string;          // Email for Let's Encrypt account 
+    useProduction?: boolean;        // Whether to use Let's Encrypt production (default: false for staging)
+    renewThresholdDays?: number;    // Days before expiry to renew certificates (default: 30)
+    autoRenew?: boolean;            // Whether to automatically renew certificates (default: true)
+    certificateStore?: string;      // Directory to store certificates (default: ./certs)
+    skipConfiguredCerts?: boolean;  // Skip domains that already have certificates configured
+  };
 }
 
 /**
@@ -105,192 +118,8 @@ interface IConnectionRecord {
   domainSwitches?: number; // Number of times the domain has been switched on this connection
 }
 
-/**
- * Extracts the SNI (Server Name Indication) from a TLS ClientHello packet.
- * Enhanced for robustness and detailed logging.
- * @param buffer - Buffer containing the TLS ClientHello.
- * @param enableLogging - Whether to enable detailed logging.
- * @returns The server name if found, otherwise undefined.
- */
-function extractSNI(buffer: Buffer, enableLogging: boolean = false): string | undefined {
-  try {
-    // Check if buffer is too small for TLS
-    if (buffer.length < 5) {
-      if (enableLogging) console.log('Buffer too small for TLS header');
-      return undefined;
-    }
-
-    // Check record type (has to be handshake - 22)
-    const recordType = buffer.readUInt8(0);
-    if (recordType !== 22) {
-      if (enableLogging) console.log(`Not a TLS handshake. Record type: ${recordType}`);
-      return undefined;
-    }
-
-    // Check TLS version (has to be 3.1 or higher)
-    const majorVersion = buffer.readUInt8(1);
-    const minorVersion = buffer.readUInt8(2);
-    if (enableLogging) console.log(`TLS Version: ${majorVersion}.${minorVersion}`);
-
-    // Check record length
-    const recordLength = buffer.readUInt16BE(3);
-    if (buffer.length < 5 + recordLength) {
-      if (enableLogging)
-        console.log(
-          `Buffer too small for TLS record. Expected: ${5 + recordLength}, Got: ${buffer.length}`
-        );
-      return undefined;
-    }
-
-    let offset = 5;
-    const handshakeType = buffer.readUInt8(offset);
-    if (handshakeType !== 1) {
-      if (enableLogging) console.log(`Not a ClientHello. Handshake type: ${handshakeType}`);
-      return undefined;
-    }
-
-    offset += 4; // Skip handshake header (type + length)
-
-    // Client version
-    const clientMajorVersion = buffer.readUInt8(offset);
-    const clientMinorVersion = buffer.readUInt8(offset + 1);
-    if (enableLogging) console.log(`Client Version: ${clientMajorVersion}.${clientMinorVersion}`);
-
-    offset += 2 + 32; // Skip client version and random
-
-    // Session ID
-    const sessionIDLength = buffer.readUInt8(offset);
-    if (enableLogging) console.log(`Session ID Length: ${sessionIDLength}`);
-    offset += 1 + sessionIDLength; // Skip session ID
-
-    // Cipher suites
-    if (offset + 2 > buffer.length) {
-      if (enableLogging) console.log('Buffer too small for cipher suites length');
-      return undefined;
-    }
-    const cipherSuitesLength = buffer.readUInt16BE(offset);
-    if (enableLogging) console.log(`Cipher Suites Length: ${cipherSuitesLength}`);
-    offset += 2 + cipherSuitesLength; // Skip cipher suites
-
-    // Compression methods
-    if (offset + 1 > buffer.length) {
-      if (enableLogging) console.log('Buffer too small for compression methods length');
-      return undefined;
-    }
-    const compressionMethodsLength = buffer.readUInt8(offset);
-    if (enableLogging) console.log(`Compression Methods Length: ${compressionMethodsLength}`);
-    offset += 1 + compressionMethodsLength; // Skip compression methods
-
-    // Extensions
-    if (offset + 2 > buffer.length) {
-      if (enableLogging) console.log('Buffer too small for extensions length');
-      return undefined;
-    }
-    const extensionsLength = buffer.readUInt16BE(offset);
-    if (enableLogging) console.log(`Extensions Length: ${extensionsLength}`);
-    offset += 2;
-    const extensionsEnd = offset + extensionsLength;
-
-    if (extensionsEnd > buffer.length) {
-      if (enableLogging)
-        console.log(
-          `Buffer too small for extensions. Expected end: ${extensionsEnd}, Buffer length: ${buffer.length}`
-        );
-      return undefined;
-    }
-
-    // Parse extensions
-    while (offset + 4 <= extensionsEnd) {
-      const extensionType = buffer.readUInt16BE(offset);
-      const extensionLength = buffer.readUInt16BE(offset + 2);
-
-      if (enableLogging)
-        console.log(`Extension Type: 0x${extensionType.toString(16)}, Length: ${extensionLength}`);
-
-      offset += 4;
-
-      if (extensionType === 0x0000) {
-        // SNI extension
-        if (offset + 2 > buffer.length) {
-          if (enableLogging) console.log('Buffer too small for SNI list length');
-          return undefined;
-        }
-
-        const sniListLength = buffer.readUInt16BE(offset);
-        if (enableLogging) console.log(`SNI List Length: ${sniListLength}`);
-        offset += 2;
-        const sniListEnd = offset + sniListLength;
-
-        if (sniListEnd > buffer.length) {
-          if (enableLogging)
-            console.log(
-              `Buffer too small for SNI list. Expected end: ${sniListEnd}, Buffer length: ${buffer.length}`
-            );
-          return undefined;
-        }
-
-        while (offset + 3 < sniListEnd) {
-          const nameType = buffer.readUInt8(offset++);
-          const nameLen = buffer.readUInt16BE(offset);
-          offset += 2;
-
-          if (enableLogging) console.log(`Name Type: ${nameType}, Name Length: ${nameLen}`);
-
-          if (nameType === 0) {
-            // host_name
-            if (offset + nameLen > buffer.length) {
-              if (enableLogging)
-                console.log(
-                  `Buffer too small for hostname. Expected: ${offset + nameLen}, Got: ${
-                    buffer.length
-                  }`
-                );
-              return undefined;
-            }
-
-            const serverName = buffer.toString('utf8', offset, offset + nameLen);
-            if (enableLogging) console.log(`Extracted SNI: ${serverName}`);
-            return serverName;
-          }
-
-          offset += nameLen;
-        }
-        break;
-      } else {
-        offset += extensionLength;
-      }
-    }
-
-    if (enableLogging) console.log('No SNI extension found');
-    return undefined;
-  } catch (err) {
-    console.log(`Error extracting SNI: ${err}`);
-    return undefined;
-  }
-}
-
-/**
- * Checks if a TLS record is a proper ClientHello message (more accurate than just checking record type)
- * @param buffer - Buffer containing the TLS record
- * @returns true if the buffer contains a proper ClientHello message
- */
-function isClientHello(buffer: Buffer): boolean {
-  try {
-    if (buffer.length < 9) return false; // Too small for a proper ClientHello
-
-    // Check record type (has to be handshake - 22)
-    if (buffer.readUInt8(0) !== 22) return false;
-
-    // After the TLS record header (5 bytes), check the handshake type (1 for ClientHello)
-    if (buffer.readUInt8(5) !== 1) return false;
-
-    // Basic checks passed, this appears to be a ClientHello
-    return true;
-  } catch (err) {
-    console.log(`Error checking for ClientHello: ${err}`);
-    return false;
-  }
-}
+// SNI functions are now imported from SniHandler class
+// No need for wrapper functions
 
 // Helper: Check if a port falls within any of the given port ranges
 const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
@@ -334,10 +163,7 @@ const generateConnectionId = (): string => {
   return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
 };
 
-// Helper: Check if a buffer contains a TLS handshake
-const isTlsHandshake = (buffer: Buffer): boolean => {
-  return buffer.length > 0 && buffer[0] === 22; // ContentType.handshake
-};
+// SNI functions are now imported from SniHandler class
 
 // Helper: Ensure timeout values don't exceed Node.js max safe integer
 const ensureSafeTimeout = (timeout: number): number => {
@@ -418,6 +244,18 @@ export class PortProxy {
       
       // NetworkProxy settings
       networkProxyPort: settingsArg.networkProxyPort || 8443, // Default NetworkProxy port
+      
+      // ACME certificate settings with reasonable defaults
+      acme: settingsArg.acme || {
+        enabled: false,
+        port: 80,
+        contactEmail: 'admin@example.com',
+        useProduction: false,
+        renewThresholdDays: 30,
+        autoRenew: true,
+        certificateStore: './certs',
+        skipConfiguredCerts: false
+      }
     };
 
     // Initialize NetworkProxy if enabled
@@ -429,15 +267,182 @@ export class PortProxy {
   /**
    * Initialize NetworkProxy instance
    */
-  private initializeNetworkProxy(): void {
+  private async initializeNetworkProxy(): Promise<void> {
     if (!this.networkProxy) {
-      this.networkProxy = new NetworkProxy({
+      // Configure NetworkProxy options based on PortProxy settings
+      const networkProxyOptions: any = {
         port: this.settings.networkProxyPort!,
         portProxyIntegration: true,
         logLevel: this.settings.enableDetailedLogging ? 'debug' : 'info'
-      });
+      };
+      
+      // Add ACME settings if configured
+      if (this.settings.acme) {
+        networkProxyOptions.acme = { ...this.settings.acme };
+      }
+      
+      this.networkProxy = new NetworkProxy(networkProxyOptions);
       
       console.log(`Initialized NetworkProxy on port ${this.settings.networkProxyPort}`);
+      
+      // Convert and apply domain configurations to NetworkProxy
+      await this.syncDomainConfigsToNetworkProxy();
+    }
+  }
+  
+  /**
+   * Updates the domain configurations for the proxy
+   * @param newDomainConfigs The new domain configurations
+   */
+  public async updateDomainConfigs(newDomainConfigs: IDomainConfig[]): Promise<void> {
+    console.log(`Updating domain configurations (${newDomainConfigs.length} configs)`);
+    this.settings.domainConfigs = newDomainConfigs;
+    
+    // If NetworkProxy is initialized, resync the configurations
+    if (this.networkProxy) {
+      await this.syncDomainConfigsToNetworkProxy();
+    }
+  }
+  
+  /**
+   * Updates the ACME certificate settings
+   * @param acmeSettings New ACME settings
+   */
+  public async updateAcmeSettings(acmeSettings: IPortProxySettings['acme']): Promise<void> {
+    console.log('Updating ACME certificate settings');
+    
+    // Update settings
+    this.settings.acme = {
+      ...this.settings.acme,
+      ...acmeSettings
+    };
+    
+    // If NetworkProxy is initialized, update its ACME settings
+    if (this.networkProxy) {
+      try {
+        // Recreate NetworkProxy with new settings if ACME enabled state has changed
+        if (this.settings.acme.enabled !== acmeSettings.enabled) {
+          console.log(`ACME enabled state changed to: ${acmeSettings.enabled}`);
+          
+          // Stop the current NetworkProxy
+          await this.networkProxy.stop();
+          this.networkProxy = null;
+          
+          // Reinitialize with new settings
+          await this.initializeNetworkProxy();
+          
+          // Use start() to make sure ACME gets initialized if newly enabled
+          await this.networkProxy.start();
+        } else {
+          // Update existing NetworkProxy with new settings
+          // Note: Some settings may require a restart to take effect
+          console.log('Updating ACME settings in NetworkProxy');
+          
+          // For certificate renewals, we might want to trigger checks with the new settings
+          if (acmeSettings.renewThresholdDays) {
+            console.log(`Setting new renewal threshold to ${acmeSettings.renewThresholdDays} days`);
+            // This is implementation-dependent but gives an example
+            if (this.networkProxy.options.acme) {
+              this.networkProxy.options.acme.renewThresholdDays = acmeSettings.renewThresholdDays;
+            }
+          }
+        }
+      } catch (err) {
+        console.log(`Error updating ACME settings: ${err}`);
+      }
+    }
+  }
+  
+  /**
+   * Synchronizes PortProxy domain configurations to NetworkProxy
+   * This allows domains configured in PortProxy to be used by NetworkProxy
+   */
+  private async syncDomainConfigsToNetworkProxy(): Promise<void> {
+    if (!this.networkProxy) {
+      console.log('Cannot sync configurations - NetworkProxy not initialized');
+      return;
+    }
+    
+    try {
+      // Get SSL certificates from assets
+      // Import fs directly since it's not in plugins
+      const fs = await import('fs');
+      
+      let certPair;
+      try {
+        certPair = {
+          key: fs.readFileSync('assets/certs/key.pem', 'utf8'),
+          cert: fs.readFileSync('assets/certs/cert.pem', 'utf8')
+        };
+      } catch (certError) {
+        console.log(`Warning: Could not read default certificates: ${certError}`);
+        console.log('Using empty certificate placeholders - ACME will generate proper certificates if enabled');
+        
+        // Use empty placeholders - NetworkProxy will use its internal defaults
+        // or ACME will generate proper ones if enabled
+        certPair = {
+          key: '',
+          cert: ''
+        };
+      }
+      
+      // Convert domain configs to NetworkProxy configs
+      const proxyConfigs = this.networkProxy.convertPortProxyConfigs(
+        this.settings.domainConfigs,
+        certPair
+      );
+      
+      // Log ACME-eligible domains if ACME is enabled
+      if (this.settings.acme?.enabled) {
+        const acmeEligibleDomains = proxyConfigs
+          .filter(config => !config.hostName.includes('*')) // Exclude wildcards
+          .map(config => config.hostName);
+          
+        if (acmeEligibleDomains.length > 0) {
+          console.log(`Domains eligible for ACME certificates: ${acmeEligibleDomains.join(', ')}`);
+        } else {
+          console.log('No domains eligible for ACME certificates found in configuration');
+        }
+      }
+      
+      // Update NetworkProxy with the converted configs
+      this.networkProxy.updateProxyConfigs(proxyConfigs).then(() => {
+        console.log(`Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`);
+      }).catch(err => {
+        console.log(`Error synchronizing configurations: ${err.message}`);
+      });
+    } catch (err) {
+      console.log(`Failed to sync configurations: ${err}`);
+    }
+  }
+  
+  /**
+   * Requests a certificate for a specific domain
+   * @param domain The domain to request a certificate for
+   * @returns Promise that resolves to true if the request was successful, false otherwise
+   */
+  public async requestCertificate(domain: string): Promise<boolean> {
+    if (!this.networkProxy) {
+      console.log('Cannot request certificate - NetworkProxy not initialized');
+      return false;
+    }
+    
+    if (!this.settings.acme?.enabled) {
+      console.log('Cannot request certificate - ACME is not enabled');
+      return false;
+    }
+    
+    try {
+      const result = await this.networkProxy.requestCertificate(domain);
+      if (result) {
+        console.log(`Certificate request for ${domain} submitted successfully`);
+      } else {
+        console.log(`Certificate request for ${domain} failed`);
+      }
+      return result;
+    } catch (err) {
+      console.log(`Error requesting certificate: ${err}`);
+      return false;
     }
   }
 
@@ -570,7 +575,7 @@ export class PortProxy {
       record.bytesReceived += chunk.length;
 
       // Check for TLS handshake
-      if (!record.isTLS && isTlsHandshake(chunk)) {
+      if (!record.isTLS && SniHandler.isTlsHandshake(chunk)) {
         record.isTLS = true;
 
         if (this.settings.enableTlsDebugLogging) {
@@ -858,10 +863,10 @@ export class PortProxy {
         // Define a handler for checking renegotiation with improved detection
         const renegotiationHandler = (renegChunk: Buffer) => {
           // Only process if this looks like a TLS ClientHello
-          if (isClientHello(renegChunk)) {
+          if (SniHandler.isClientHello(renegChunk)) {
             try {
               // Extract SNI from ClientHello
-              const newSNI = extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
+              const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, this.settings.enableTlsDebugLogging);
 
               // Skip if no SNI was found
               if (!newSNI) return;
@@ -1278,10 +1283,27 @@ export class PortProxy {
       return;
     }
 
+    // Initialize NetworkProxy if needed (useNetworkProxy is set but networkProxy isn't initialized)
+    if (this.settings.useNetworkProxy && this.settings.useNetworkProxy.length > 0 && !this.networkProxy) {
+      await this.initializeNetworkProxy();
+    }
+
     // Start NetworkProxy if configured
     if (this.networkProxy) {
       await this.networkProxy.start();
       console.log(`NetworkProxy started on port ${this.settings.networkProxyPort}`);
+      
+      // Log ACME status
+      if (this.settings.acme?.enabled) {
+        console.log(`ACME certificate management is enabled (${this.settings.acme.useProduction ? 'Production' : 'Staging'} mode)`);
+        console.log(`ACME HTTP challenge server on port ${this.settings.acme.port}`);
+        
+        // Register domains for ACME certificates if enabled
+        if (this.networkProxy.options.acme?.enabled) {
+          console.log('Registering domains with ACME certificate manager...');
+          // The NetworkProxy will handle this internally via registerDomainsWithAcmeManager()
+        }
+      }
     }
 
     // Define a unified connection handler for all listening ports.
@@ -1436,7 +1458,7 @@ export class PortProxy {
           connectionRecord.hasReceivedInitialData = true;
 
           // Check if this looks like a TLS handshake
-          if (isTlsHandshake(chunk)) {
+          if (SniHandler.isTlsHandshake(chunk)) {
             connectionRecord.isTLS = true;
             
             // Forward directly to NetworkProxy without SNI processing
@@ -1498,7 +1520,7 @@ export class PortProxy {
           this.updateActivity(connectionRecord);
 
           // Check for TLS handshake if this is the first chunk
-          if (!connectionRecord.isTLS && isTlsHandshake(chunk)) {
+          if (!connectionRecord.isTLS && SniHandler.isTlsHandshake(chunk)) {
             connectionRecord.isTLS = true;
 
             if (this.settings.enableTlsDebugLogging) {
@@ -1506,7 +1528,7 @@ export class PortProxy {
                 `[${connectionId}] TLS handshake detected from ${remoteIP}, ${chunk.length} bytes`
               );
               // Try to extract SNI and log detailed debug info
-              extractSNI(chunk, true);
+              SniHandler.extractSNIWithResumptionSupport(chunk, true);
             }
           }
         });
@@ -1535,7 +1557,7 @@ export class PortProxy {
           connectionRecord.hasReceivedInitialData = true;
 
           // Check if this looks like a TLS handshake
-          const isTlsHandshakeDetected = initialChunk && isTlsHandshake(initialChunk);
+          const isTlsHandshakeDetected = initialChunk && SniHandler.isTlsHandshake(initialChunk);
           if (isTlsHandshakeDetected) {
             connectionRecord.isTLS = true;
 
@@ -1704,7 +1726,7 @@ export class PortProxy {
             // Try to extract SNI
             let serverName = '';
 
-            if (isTlsHandshake(chunk)) {
+            if (SniHandler.isTlsHandshake(chunk)) {
               connectionRecord.isTLS = true;
 
               if (this.settings.enableTlsDebugLogging) {
@@ -1713,7 +1735,7 @@ export class PortProxy {
                 );
               }
 
-              serverName = extractSNI(chunk, this.settings.enableTlsDebugLogging) || '';
+              serverName = SniHandler.extractSNIWithResumptionSupport(chunk, this.settings.enableTlsDebugLogging) || '';
             }
 
             // Lock the connection to the negotiated SNI.
@@ -2036,11 +2058,17 @@ export class PortProxy {
       }
     }
 
-    // Stop NetworkProxy if it was started
+    // Stop NetworkProxy if it was started (which also stops ACME manager)
     if (this.networkProxy) {
       try {
+        console.log('Stopping NetworkProxy...');
         await this.networkProxy.stop();
         console.log('NetworkProxy stopped successfully');
+        
+        // Log ACME shutdown if it was enabled
+        if (this.settings.acme?.enabled) {
+          console.log('ACME certificate manager stopped');
+        }
       } catch (err) {
         console.log(`Error stopping NetworkProxy: ${err}`);
       }