@push.rocks/smartproxy 3.41.7 → 4.0.0

package/ts/classes.pp.portrangemanager.ts

@@ -0,0 +1,214 @@
+import type{ IPortProxySettings } from './classes.pp.interfaces.js';
+
+/**
+ * Manages port ranges and port-based configuration
+ */
+export class PortRangeManager {
+  constructor(private settings: IPortProxySettings) {}
+  
+  /**
+   * Get all ports that should be listened on
+   */
+  public getListeningPorts(): Set<number> {
+    const listeningPorts = new Set<number>();
+    
+    // Always include the main fromPort
+    listeningPorts.add(this.settings.fromPort);
+    
+    // Add ports from global port ranges if defined
+    if (this.settings.globalPortRanges && this.settings.globalPortRanges.length > 0) {
+      for (const range of this.settings.globalPortRanges) {
+        for (let port = range.from; port <= range.to; port++) {
+          listeningPorts.add(port);
+        }
+      }
+    }
+    
+    return listeningPorts;
+  }
+  
+  /**
+   * Check if a port should use NetworkProxy for forwarding
+   */
+  public shouldUseNetworkProxy(port: number): boolean {
+    return !!this.settings.useNetworkProxy && this.settings.useNetworkProxy.includes(port);
+  }
+  
+  /**
+   * Check if port should use global forwarding
+   */
+  public shouldUseGlobalForwarding(port: number): boolean {
+    return (
+      !!this.settings.forwardAllGlobalRanges &&
+      this.isPortInGlobalRanges(port)
+    );
+  }
+  
+  /**
+   * Check if a port is in global ranges
+   */
+  public isPortInGlobalRanges(port: number): boolean {
+    return (
+      this.settings.globalPortRanges &&
+      this.isPortInRanges(port, this.settings.globalPortRanges)
+    );
+  }
+  
+  /**
+   * Check if a port falls within the specified ranges
+   */
+  public isPortInRanges(port: number, ranges: Array<{ from: number; to: number }>): boolean {
+    return ranges.some((range) => port >= range.from && port <= range.to);
+  }
+  
+  /**
+   * Get forwarding port for a specific listening port
+   * This determines what port to connect to on the target
+   */
+  public getForwardingPort(listeningPort: number): number {
+    // If using global forwarding, forward to the original port
+    if (this.settings.forwardAllGlobalRanges && this.isPortInGlobalRanges(listeningPort)) {
+      return listeningPort;
+    }
+    
+    // Otherwise use the configured toPort
+    return this.settings.toPort;
+  }
+  
+  /**
+   * Find domain-specific port ranges that include a given port
+   */
+  public findDomainPortRange(port: number): { 
+    domainIndex: number, 
+    range: { from: number, to: number } 
+  } | undefined {
+    for (let i = 0; i < this.settings.domainConfigs.length; i++) {
+      const domain = this.settings.domainConfigs[i];
+      if (domain.portRanges) {
+        for (const range of domain.portRanges) {
+          if (port >= range.from && port <= range.to) {
+            return { domainIndex: i, range };
+          }
+        }
+      }
+    }
+    return undefined;
+  }
+  
+  /**
+   * Get a list of all configured ports
+   * This includes the fromPort, NetworkProxy ports, and ports from all ranges
+   */
+  public getAllConfiguredPorts(): number[] {
+    const ports = new Set<number>();
+    
+    // Add main listening port
+    ports.add(this.settings.fromPort);
+    
+    // Add NetworkProxy port if configured
+    if (this.settings.networkProxyPort) {
+      ports.add(this.settings.networkProxyPort);
+    }
+    
+    // Add NetworkProxy ports
+    if (this.settings.useNetworkProxy) {
+      for (const port of this.settings.useNetworkProxy) {
+        ports.add(port);
+      }
+    }
+    
+    // Add ACME HTTP challenge port if enabled
+    if (this.settings.acme?.enabled && this.settings.acme.port) {
+      ports.add(this.settings.acme.port);
+    }
+    
+    // Add global port ranges
+    if (this.settings.globalPortRanges) {
+      for (const range of this.settings.globalPortRanges) {
+        for (let port = range.from; port <= range.to; port++) {
+          ports.add(port);
+        }
+      }
+    }
+    
+    // Add domain-specific port ranges
+    for (const domain of this.settings.domainConfigs) {
+      if (domain.portRanges) {
+        for (const range of domain.portRanges) {
+          for (let port = range.from; port <= range.to; port++) {
+            ports.add(port);
+          }
+        }
+      }
+      
+      // Add domain-specific NetworkProxy port if configured
+      if (domain.useNetworkProxy && domain.networkProxyPort) {
+        ports.add(domain.networkProxyPort);
+      }
+    }
+    
+    return Array.from(ports);
+  }
+  
+  /**
+   * Validate port configuration
+   * Returns array of warning messages
+   */
+  public validateConfiguration(): string[] {
+    const warnings: string[] = [];
+    
+    // Check for overlapping port ranges
+    const portMappings = new Map<number, string[]>();
+    
+    // Track global port ranges
+    if (this.settings.globalPortRanges) {
+      for (const range of this.settings.globalPortRanges) {
+        for (let port = range.from; port <= range.to; port++) {
+          if (!portMappings.has(port)) {
+            portMappings.set(port, []);
+          }
+          portMappings.get(port)!.push('Global Port Range');
+        }
+      }
+    }
+    
+    // Track domain-specific port ranges
+    for (const domain of this.settings.domainConfigs) {
+      if (domain.portRanges) {
+        for (const range of domain.portRanges) {
+          for (let port = range.from; port <= range.to; port++) {
+            if (!portMappings.has(port)) {
+              portMappings.set(port, []);
+            }
+            portMappings.get(port)!.push(`Domain: ${domain.domains.join(', ')}`);
+          }
+        }
+      }
+    }
+    
+    // Check for ports with multiple mappings
+    for (const [port, mappings] of portMappings.entries()) {
+      if (mappings.length > 1) {
+        warnings.push(`Port ${port} has multiple mappings: ${mappings.join(', ')}`);
+      }
+    }
+    
+    // Check if main ports are used elsewhere
+    if (portMappings.has(this.settings.fromPort) && portMappings.get(this.settings.fromPort)!.length > 0) {
+      warnings.push(`Main listening port ${this.settings.fromPort} is also used in port ranges`);
+    }
+    
+    if (this.settings.networkProxyPort && portMappings.has(this.settings.networkProxyPort)) {
+      warnings.push(`NetworkProxy port ${this.settings.networkProxyPort} is also used in port ranges`);
+    }
+    
+    // Check ACME port
+    if (this.settings.acme?.enabled && this.settings.acme.port) {
+      if (portMappings.has(this.settings.acme.port)) {
+        warnings.push(`ACME HTTP challenge port ${this.settings.acme.port} is also used in port ranges`);
+      }
+    }
+    
+    return warnings;
+  }
+}

package/ts/classes.pp.securitymanager.ts

@@ -0,0 +1,147 @@
+import * as plugins from './plugins.js';
+import type { IPortProxySettings } from './classes.pp.interfaces.js';
+
+/**
+ * Handles security aspects like IP tracking, rate limiting, and authorization
+ */
+export class SecurityManager {
+  private connectionsByIP: Map<string, Set<string>> = new Map();
+  private connectionRateByIP: Map<string, number[]> = new Map();
+  
+  constructor(private settings: IPortProxySettings) {}
+  
+  /**
+   * Get connections count by IP
+   */
+  public getConnectionCountByIP(ip: string): number {
+    return this.connectionsByIP.get(ip)?.size || 0;
+  }
+  
+  /**
+   * Check and update connection rate for an IP
+   * @returns true if within rate limit, false if exceeding limit
+   */
+  public checkConnectionRate(ip: string): boolean {
+    const now = Date.now();
+    const minute = 60 * 1000;
+
+    if (!this.connectionRateByIP.has(ip)) {
+      this.connectionRateByIP.set(ip, [now]);
+      return true;
+    }
+
+    // Get timestamps and filter out entries older than 1 minute
+    const timestamps = this.connectionRateByIP.get(ip)!.filter((time) => now - time < minute);
+    timestamps.push(now);
+    this.connectionRateByIP.set(ip, timestamps);
+
+    // Check if rate exceeds limit
+    return timestamps.length <= this.settings.connectionRateLimitPerMinute!;
+  }
+  
+  /**
+   * Track connection by IP
+   */
+  public trackConnectionByIP(ip: string, connectionId: string): void {
+    if (!this.connectionsByIP.has(ip)) {
+      this.connectionsByIP.set(ip, new Set());
+    }
+    this.connectionsByIP.get(ip)!.add(connectionId);
+  }
+  
+  /**
+   * Remove connection tracking for an IP
+   */
+  public removeConnectionByIP(ip: string, connectionId: string): void {
+    if (this.connectionsByIP.has(ip)) {
+      const connections = this.connectionsByIP.get(ip)!;
+      connections.delete(connectionId);
+      if (connections.size === 0) {
+        this.connectionsByIP.delete(ip);
+      }
+    }
+  }
+  
+  /**
+   * Check if an IP is allowed using glob patterns
+   */
+  public isIPAuthorized(ip: string, allowedIPs: string[], blockedIPs: string[] = []): boolean {
+    // Skip IP validation if allowedIPs is empty
+    if (!ip || (allowedIPs.length === 0 && blockedIPs.length === 0)) {
+      return true;
+    }
+    
+    // First check if IP is blocked
+    if (blockedIPs.length > 0 && this.isGlobIPMatch(ip, blockedIPs)) {
+      return false;
+    }
+    
+    // Then check if IP is allowed
+    return this.isGlobIPMatch(ip, allowedIPs);
+  }
+  
+  /**
+   * Check if the IP matches any of the glob patterns
+   */
+  private isGlobIPMatch(ip: string, patterns: string[]): boolean {
+    if (!ip || !patterns || patterns.length === 0) return false;
+
+    const normalizeIP = (ip: string): string[] => {
+      if (!ip) return [];
+      if (ip.startsWith('::ffff:')) {
+        const ipv4 = ip.slice(7);
+        return [ip, ipv4];
+      }
+      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
+        return [ip, `::ffff:${ip}`];
+      }
+      return [ip];
+    };
+
+    const normalizedIPVariants = normalizeIP(ip);
+    if (normalizedIPVariants.length === 0) return false;
+
+    const expandedPatterns = patterns.flatMap(normalizeIP);
+    return normalizedIPVariants.some((ipVariant) =>
+      expandedPatterns.some((pattern) => plugins.minimatch(ipVariant, pattern))
+    );
+  }
+  
+  /**
+   * Check if IP should be allowed considering connection rate and max connections
+   * @returns Object with result and reason
+   */
+  public validateIP(ip: string): { allowed: boolean; reason?: string } {
+    // Check connection count limit
+    if (
+      this.settings.maxConnectionsPerIP &&
+      this.getConnectionCountByIP(ip) >= this.settings.maxConnectionsPerIP
+    ) {
+      return {
+        allowed: false,
+        reason: `Maximum connections per IP (${this.settings.maxConnectionsPerIP}) exceeded`
+      };
+    }
+
+    // Check connection rate limit
+    if (
+      this.settings.connectionRateLimitPerMinute && 
+      !this.checkConnectionRate(ip)
+    ) {
+      return {
+        allowed: false,
+        reason: `Connection rate limit (${this.settings.connectionRateLimitPerMinute}/min) exceeded`
+      };
+    }
+    
+    return { allowed: true };
+  }
+  
+  /**
+   * Clears all IP tracking data (for shutdown)
+   */
+  public clearIPTracking(): void {
+    this.connectionsByIP.clear();
+    this.connectionRateByIP.clear();
+  }
+}

package/ts/{classes.snihandler.ts → classes.pp.snihandler.ts}

@@ -22,114 +22,6 @@ export class SniHandler {
   private static fragmentedBuffers: Map<string, Buffer> = new Map();
   private static fragmentTimeout: number = 1000; // ms to wait for fragments before cleanup
 
-  // Session tracking for tab reactivation scenarios
-  private static sessionCache: Map<
-    string,
-    {
-      sni: string;
-      timestamp: number;
-      clientRandom?: Buffer;
-    }
-  > = new Map();
-
-  // Longer timeout for session cache (24 hours by default)
-  private static sessionCacheTimeout: number = 24 * 60 * 60 * 1000; // 24 hours in milliseconds
-
-  // Cleanup interval for session cache (run every hour)
-  private static sessionCleanupInterval: NodeJS.Timeout | null = null;
-
-  /**
-   * Initialize the session cache cleanup mechanism.
-   * This should be called during application startup.
-   */
-  public static initSessionCacheCleanup(): void {
-    if (this.sessionCleanupInterval === null) {
-      this.sessionCleanupInterval = setInterval(() => {
-        this.cleanupSessionCache();
-      }, 60 * 60 * 1000); // Run every hour
-    }
-  }
-
-  /**
-   * Clean up expired entries from the session cache
-   */
-  private static cleanupSessionCache(): void {
-    const now = Date.now();
-    const expiredKeys: string[] = [];
-
-    this.sessionCache.forEach((session, key) => {
-      if (now - session.timestamp > this.sessionCacheTimeout) {
-        expiredKeys.push(key);
-      }
-    });
-
-    expiredKeys.forEach((key) => {
-      this.sessionCache.delete(key);
-    });
-  }
-
-  /**
-   * Create a client identity key for session tracking
-   * Uses source IP and optional client random for uniqueness
-   *
-   * @param sourceIp - Client IP address
-   * @param clientRandom - Optional TLS client random value
-   * @returns A string key for the session cache
-   */
-  private static createClientKey(sourceIp: string, clientRandom?: Buffer): string {
-    if (clientRandom) {
-      // If we have the client random, use it for more precise tracking
-      return `${sourceIp}:${clientRandom.toString('hex')}`;
-    }
-    // Fall back to just IP-based tracking
-    return sourceIp;
-  }
-
-  /**
-   * Store SNI information in the session cache
-   *
-   * @param sourceIp - Client IP address
-   * @param sni - The extracted SNI value
-   * @param clientRandom - Optional TLS client random value
-   */
-  private static cacheSession(sourceIp: string, sni: string, clientRandom?: Buffer): void {
-    const key = this.createClientKey(sourceIp, clientRandom);
-    this.sessionCache.set(key, {
-      sni,
-      timestamp: Date.now(),
-      clientRandom,
-    });
-  }
-
-  /**
-   * Retrieve SNI information from the session cache
-   *
-   * @param sourceIp - Client IP address
-   * @param clientRandom - Optional TLS client random value
-   * @returns The cached SNI or undefined if not found
-   */
-  private static getCachedSession(sourceIp: string, clientRandom?: Buffer): string | undefined {
-    // Try with client random first for precision
-    if (clientRandom) {
-      const preciseKey = this.createClientKey(sourceIp, clientRandom);
-      const preciseSession = this.sessionCache.get(preciseKey);
-      if (preciseSession) {
-        return preciseSession.sni;
-      }
-    }
-
-    // Fall back to IP-only lookup
-    const ipKey = this.createClientKey(sourceIp);
-    const session = this.sessionCache.get(ipKey);
-    if (session) {
-      // Update the timestamp to keep the session alive
-      session.timestamp = Date.now();
-      return session.sni;
-    }
-
-    return undefined;
-  }
-
   /**
    * Extract the client random value from a ClientHello message
    *
@@ -1172,7 +1064,6 @@ export class SniHandler {
    * 4. Fragmented ClientHello messages
    * 5. TLS 1.3 Early Data (0-RTT)
    * 6. Chrome's connection racing behaviors
-   * 7. Tab reactivation patterns with session cache
    *
    * @param buffer - The buffer containing the TLS ClientHello message
    * @param connectionInfo - Optional connection information for fragment handling
@@ -1235,19 +1126,10 @@ export class SniHandler {
     const standardSni = this.extractSNI(processBuffer, enableLogging);
     if (standardSni) {
       log(`Found standard SNI: ${standardSni}`);
-
-      // If we extracted a standard SNI, cache it for future use
-      if (connectionInfo?.sourceIp) {
-        const clientRandom = this.extractClientRandom(processBuffer);
-        this.cacheSession(connectionInfo.sourceIp, standardSni, clientRandom);
-        log(`Cached SNI for future reference: ${standardSni}`);
-      }
-
       return standardSni;
     }
 
     // Check for session resumption when standard SNI extraction fails
-    // This may help in chained proxy scenarios
     if (this.isClientHello(processBuffer)) {
       const resumptionInfo = this.hasSessionResumption(processBuffer, enableLogging);
 
@@ -1258,31 +1140,11 @@ export class SniHandler {
         const pskSni = this.extractSNIFromPSKExtension(processBuffer, enableLogging);
         if (pskSni) {
           log(`Extracted SNI from PSK extension: ${pskSni}`);
-
-          // Cache this SNI
-          if (connectionInfo?.sourceIp) {
-            const clientRandom = this.extractClientRandom(processBuffer);
-            this.cacheSession(connectionInfo.sourceIp, pskSni, clientRandom);
-          }
-
           return pskSni;
         }
-
-        // If session resumption has SNI in a non-standard location,
-        // we need to apply heuristics
-        if (connectionInfo?.sourceIp) {
-          const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
-          if (cachedSni) {
-            log(`Using cached SNI for session resumption: ${cachedSni}`);
-            return cachedSni;
-          }
-        }
       }
     }
 
-    // Try tab reactivation and other recovery methods...
-    // (existing code remains unchanged)
-
     // Log detailed info about the ClientHello when SNI extraction fails
     if (this.isClientHello(processBuffer) && enableLogging) {
       log(`SNI extraction failed for ClientHello. Buffer details:`);
@@ -1303,7 +1165,6 @@ export class SniHandler {
       }
     }
 
-    // Existing code for fallback methods continues...
     return undefined;
   }
 
@@ -1313,7 +1174,7 @@ export class SniHandler {
    *
    * The method uses connection tracking to handle fragmented ClientHello
    * messages and various TLS 1.3 behaviors, including Chrome's connection
-   * racing patterns and tab reactivation behaviors.
+   * racing patterns.
    *
    * @param buffer - The buffer containing TLS data
    * @param connectionInfo - Connection metadata (IPs and ports)
@@ -1321,7 +1182,6 @@ export class SniHandler {
    * @param cachedSni - Optional cached SNI from previous connections (for racing detection)
    * @returns The extracted server name or undefined if not found or more data needed
    */
-
   public static processTlsPacket(
     buffer: Buffer,
     connectionInfo: {
@@ -1363,13 +1223,6 @@ export class SniHandler {
         return cachedSni;
       }
 
-      // Otherwise check our session cache
-      const sessionCachedSni = this.getCachedSession(connectionInfo.sourceIp);
-      if (sessionCachedSni) {
-        log(`Using session-cached SNI for application data: ${sessionCachedSni}`);
-        return sessionCachedSni;
-      }
-
       log('Application data packet without cached SNI, cannot determine hostname');
       return undefined;
     }
@@ -1385,9 +1238,6 @@ export class SniHandler {
         const standardSni = this.extractSNI(buffer, enableLogging);
         if (standardSni) {
           log(`Found standard SNI in session resumption: ${standardSni}`);
-
-          // Cache this SNI
-          this.cacheSession(connectionInfo.sourceIp, standardSni);
           return standardSni;
         }
 
@@ -1396,7 +1246,6 @@ export class SniHandler {
         const pskSni = this.extractSNIFromPSKExtension(buffer, enableLogging);
         if (pskSni) {
           log(`Extracted SNI from PSK extension: ${pskSni}`);
-          this.cacheSession(connectionInfo.sourceIp, pskSni);
           return pskSni;
         }
 
@@ -1430,13 +1279,6 @@ export class SniHandler {
           }
         }
 
-        // If we still don't have SNI, check for cached sessions
-        const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
-        if (cachedSni) {
-          log(`Using cached SNI for session resumption: ${cachedSni}`);
-          return cachedSni;
-        }
-
         log(`Session resumption without extractable SNI`);
         // If allowSessionTicket=false, should be rejected by caller
       }
@@ -1451,19 +1293,10 @@ export class SniHandler {
     }
 
     // If we couldn't extract an SNI, check if this is a valid ClientHello
-    // If it is, but we couldn't get an SNI, it might be a fragment or
-    // a connection race situation
     if (this.isClientHello(buffer)) {
-      // Check if we have a cached session for this IP
-      const sessionCachedSni = this.getCachedSession(connectionInfo.sourceIp);
-      if (sessionCachedSni) {
-        log(`Using session cache for ClientHello without SNI: ${sessionCachedSni}`);
-        return sessionCachedSni;
-      }
-
       log('Valid ClientHello detected, but no SNI extracted - might need more data');
     }
 
     return undefined;
   }
-}
+}