@push.rocks/smartproxy 3.4.3 → 3.5.0
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
*/
|
|
4
4
|
export const commitinfo = {
|
|
5
5
|
name: '@push.rocks/smartproxy',
|
|
6
|
-
version: '3.
|
|
6
|
+
version: '3.5.0',
|
|
7
7
|
description: 'a proxy for handling high workloads of proxying'
|
|
8
8
|
};
|
|
9
9
|
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiMDBfY29tbWl0aW5mb19kYXRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vdHMvMDBfY29tbWl0aW5mb19kYXRhLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBQ0gsTUFBTSxDQUFDLE1BQU0sVUFBVSxHQUFHO0lBQ3hCLElBQUksRUFBRSx3QkFBd0I7SUFDOUIsT0FBTyxFQUFFLE9BQU87SUFDaEIsV0FBVyxFQUFFLGlEQUFpRDtDQUMvRCxDQUFBIn0=
|
|
@@ -45,9 +45,8 @@ export class PortProxy {
|
|
|
45
45
|
console.log(`SNI request for domain: ${serverName}`);
|
|
46
46
|
const domainConfig = findMatchingDomain(serverName);
|
|
47
47
|
if (!domainConfig) {
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
return;
|
|
48
|
+
// Always allow SNI for default IPs, even if domain doesn't match
|
|
49
|
+
console.log(`SNI domain ${serverName} not found, will check IP during connection`);
|
|
51
50
|
}
|
|
52
51
|
// Create context with the provided TLS settings
|
|
53
52
|
const ctx = plugins.tls.createSecureContext(this.settings);
|
|
@@ -58,40 +57,44 @@ export class PortProxy {
|
|
|
58
57
|
const handleConnection = (from) => {
|
|
59
58
|
const remoteIP = from.remoteAddress || '';
|
|
60
59
|
let serverName = '';
|
|
60
|
+
// First check if this IP is in the default allowed list
|
|
61
|
+
const isDefaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
|
|
61
62
|
if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
|
|
62
63
|
serverName = from.servername || '';
|
|
63
64
|
console.log(`TLS Connection from ${remoteIP} for domain: ${serverName}`);
|
|
64
65
|
}
|
|
65
|
-
//
|
|
66
|
-
if (
|
|
67
|
-
|
|
66
|
+
// If IP is in defaultAllowedIPs, allow the connection regardless of SNI
|
|
67
|
+
if (isDefaultAllowed) {
|
|
68
|
+
console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
|
|
69
|
+
}
|
|
70
|
+
else if (this.settings.sniEnabled && serverName) {
|
|
71
|
+
// For SNI connections that aren't in default list, check domain-specific rules
|
|
72
|
+
const domainConfig = findMatchingDomain(serverName);
|
|
68
73
|
if (!domainConfig) {
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
from.end();
|
|
73
|
-
return;
|
|
74
|
-
}
|
|
74
|
+
console.log(`Connection rejected: No matching domain config for ${serverName} from IP ${remoteIP}`);
|
|
75
|
+
from.end();
|
|
76
|
+
return;
|
|
75
77
|
}
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
from.end();
|
|
81
|
-
return;
|
|
82
|
-
}
|
|
78
|
+
if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
|
|
79
|
+
console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
|
|
80
|
+
from.end();
|
|
81
|
+
return;
|
|
83
82
|
}
|
|
84
83
|
}
|
|
85
|
-
else
|
|
84
|
+
else {
|
|
85
|
+
// Non-SNI connection and not in default list
|
|
86
86
|
console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
|
|
87
87
|
from.end();
|
|
88
88
|
return;
|
|
89
89
|
}
|
|
90
|
+
// Determine target host - use domain-specific targetIP if available
|
|
91
|
+
const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
|
|
92
|
+
const targetHost = domainConfig?.targetIP || this.settings.toHost;
|
|
90
93
|
const to = plugins.net.createConnection({
|
|
91
|
-
host:
|
|
94
|
+
host: targetHost,
|
|
92
95
|
port: this.settings.toPort,
|
|
93
96
|
});
|
|
94
|
-
console.log(`Connection established: ${remoteIP} -> ${
|
|
97
|
+
console.log(`Connection established: ${remoteIP} -> ${targetHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
|
|
95
98
|
from.setTimeout(120000);
|
|
96
99
|
from.pipe(to);
|
|
97
100
|
to.pipe(from);
|
|
@@ -140,4 +143,4 @@ export class PortProxy {
|
|
|
140
143
|
await done.promise;
|
|
141
144
|
}
|
|
142
145
|
}
|
|
143
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
146
|
+
//# sourceMappingURL=data:application/json;base64,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
|
package/package.json
CHANGED
package/ts/00_commitinfo_data.ts
CHANGED
|
@@ -4,6 +4,7 @@ import * as plugins from './smartproxy.plugins.js';
|
|
|
4
4
|
export interface DomainConfig {
|
|
5
5
|
domain: string; // glob pattern for domain
|
|
6
6
|
allowedIPs: string[]; // glob patterns for IPs allowed to access this domain
|
|
7
|
+
targetIP?: string; // Optional target IP for this domain
|
|
7
8
|
}
|
|
8
9
|
|
|
9
10
|
export interface ProxySettings extends plugins.tls.TlsOptions {
|
|
@@ -73,9 +74,8 @@ export class PortProxy {
|
|
|
73
74
|
console.log(`SNI request for domain: ${serverName}`);
|
|
74
75
|
const domainConfig = findMatchingDomain(serverName);
|
|
75
76
|
if (!domainConfig) {
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
return;
|
|
77
|
+
// Always allow SNI for default IPs, even if domain doesn't match
|
|
78
|
+
console.log(`SNI domain ${serverName} not found, will check IP during connection`);
|
|
79
79
|
}
|
|
80
80
|
// Create context with the provided TLS settings
|
|
81
81
|
const ctx = plugins.tls.createSecureContext(this.settings);
|
|
@@ -88,41 +88,46 @@ export class PortProxy {
|
|
|
88
88
|
const remoteIP = from.remoteAddress || '';
|
|
89
89
|
let serverName = '';
|
|
90
90
|
|
|
91
|
+
// First check if this IP is in the default allowed list
|
|
92
|
+
const isDefaultAllowed = this.settings.defaultAllowedIPs && isAllowed(remoteIP, this.settings.defaultAllowedIPs);
|
|
93
|
+
|
|
91
94
|
if (this.settings.sniEnabled && from instanceof plugins.tls.TLSSocket) {
|
|
92
95
|
serverName = (from as any).servername || '';
|
|
93
96
|
console.log(`TLS Connection from ${remoteIP} for domain: ${serverName}`);
|
|
94
97
|
}
|
|
95
98
|
|
|
96
|
-
//
|
|
97
|
-
if (
|
|
98
|
-
|
|
99
|
-
|
|
99
|
+
// If IP is in defaultAllowedIPs, allow the connection regardless of SNI
|
|
100
|
+
if (isDefaultAllowed) {
|
|
101
|
+
console.log(`Connection allowed: IP ${remoteIP} is in default allowed list`);
|
|
102
|
+
} else if (this.settings.sniEnabled && serverName) {
|
|
103
|
+
// For SNI connections that aren't in default list, check domain-specific rules
|
|
104
|
+
const domainConfig = findMatchingDomain(serverName);
|
|
100
105
|
if (!domainConfig) {
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
}
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
|
|
110
|
-
console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
|
|
111
|
-
from.end();
|
|
112
|
-
return;
|
|
113
|
-
}
|
|
106
|
+
console.log(`Connection rejected: No matching domain config for ${serverName} from IP ${remoteIP}`);
|
|
107
|
+
from.end();
|
|
108
|
+
return;
|
|
109
|
+
}
|
|
110
|
+
if (!isAllowed(remoteIP, domainConfig.allowedIPs)) {
|
|
111
|
+
console.log(`Connection rejected: IP ${remoteIP} not allowed for domain ${serverName}`);
|
|
112
|
+
from.end();
|
|
113
|
+
return;
|
|
114
114
|
}
|
|
115
|
-
} else
|
|
115
|
+
} else {
|
|
116
|
+
// Non-SNI connection and not in default list
|
|
116
117
|
console.log(`Connection rejected: IP ${remoteIP} not allowed for non-SNI connection`);
|
|
117
118
|
from.end();
|
|
118
119
|
return;
|
|
119
120
|
}
|
|
120
121
|
|
|
122
|
+
// Determine target host - use domain-specific targetIP if available
|
|
123
|
+
const domainConfig = serverName ? findMatchingDomain(serverName) : undefined;
|
|
124
|
+
const targetHost = domainConfig?.targetIP || this.settings.toHost!;
|
|
125
|
+
|
|
121
126
|
const to = plugins.net.createConnection({
|
|
122
|
-
host:
|
|
127
|
+
host: targetHost,
|
|
123
128
|
port: this.settings.toPort,
|
|
124
129
|
});
|
|
125
|
-
console.log(`Connection established: ${remoteIP} -> ${
|
|
130
|
+
console.log(`Connection established: ${remoteIP} -> ${targetHost}:${this.settings.toPort}${serverName ? ` (SNI: ${serverName})` : ''}`);
|
|
126
131
|
from.setTimeout(120000);
|
|
127
132
|
from.pipe(to);
|
|
128
133
|
to.pipe(from);
|
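Review bot: In the `handleConnection` hunk (new lines 99-124), a client matched by `defaultAllowedIPs` skips the per-domain `allowedIPs` check, yet the lookup added before `createConnection` still routes it to that domain's `targetIP`. The client-supplied SNI name, not the domain's own allow list, therefore decides which backend a default-allowed address reaches. If the default list is meant as a fallback rather than a global override, honour `targetIP` only when the domain rule accepts the client, e.g. `const targetHost = (domainConfig && isAllowed(remoteIP, domainConfig.allowedIPs) ? domainConfig.targetIP : undefined) || this.settings.toHost!;`; if the override is intended, say so in the comment on `DomainConfig.allowedIPs`. Separately, the SNI-callback hunk (new lines 77-78) now falls through to `createSecureContext` for names with no domain config, so the handshake presumably completes and the certificate is presented before `handleConnection` rejects the peer; confirm that is acceptable. The compiled JavaScript section above carries the same logic, and the enclosing functions start and end outside these hunks.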