@push.rocks/smartproxy 3.41.7 → 4.0.0

package/ts/classes.pp.timeoutmanager.ts

@@ -0,0 +1,190 @@
+import type { IConnectionRecord, IPortProxySettings } from './classes.pp.interfaces.js';
+
+/**
+ * Manages timeouts and inactivity tracking for connections
+ */
+export class TimeoutManager {
+  constructor(private settings: IPortProxySettings) {}
+  
+  /**
+   * Ensure timeout values don't exceed Node.js max safe integer
+   */
+  public ensureSafeTimeout(timeout: number): number {
+    const MAX_SAFE_TIMEOUT = 2147483647; // Maximum safe value (2^31 - 1)
+    return Math.min(Math.floor(timeout), MAX_SAFE_TIMEOUT);
+  }
+  
+  /**
+   * Generate a slightly randomized timeout to prevent thundering herd
+   */
+  public randomizeTimeout(baseTimeout: number, variationPercent: number = 5): number {
+    const safeBaseTimeout = this.ensureSafeTimeout(baseTimeout);
+    const variation = safeBaseTimeout * (variationPercent / 100);
+    return this.ensureSafeTimeout(
+      safeBaseTimeout + Math.floor(Math.random() * variation * 2) - variation
+    );
+  }
+  
+  /**
+   * Update connection activity timestamp
+   */
+  public updateActivity(record: IConnectionRecord): void {
+    record.lastActivity = Date.now();
+
+    // Clear any inactivity warning
+    if (record.inactivityWarningIssued) {
+      record.inactivityWarningIssued = false;
+    }
+  }
+  
+  /**
+   * Calculate effective inactivity timeout based on connection type
+   */
+  public getEffectiveInactivityTimeout(record: IConnectionRecord): number {
+    let effectiveTimeout = this.settings.inactivityTimeout || 14400000; // 4 hours default
+    
+    // For immortal keep-alive connections, use an extremely long timeout
+    if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
+      return Number.MAX_SAFE_INTEGER;
+    }
+    
+    // For extended keep-alive connections, apply multiplier
+    if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'extended') {
+      const multiplier = this.settings.keepAliveInactivityMultiplier || 6;
+      effectiveTimeout = effectiveTimeout * multiplier;
+    }
+    
+    return this.ensureSafeTimeout(effectiveTimeout);
+  }
+  
+  /**
+   * Calculate effective max lifetime based on connection type
+   */
+  public getEffectiveMaxLifetime(record: IConnectionRecord): number {
+    // Use domain-specific timeout if available
+    const baseTimeout = record.domainConfig?.connectionTimeout || 
+                        this.settings.maxConnectionLifetime || 
+                        86400000; // 24 hours default
+    
+    // For immortal keep-alive connections, use an extremely long lifetime
+    if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
+      return Number.MAX_SAFE_INTEGER;
+    }
+    
+    // For extended keep-alive connections, use the extended lifetime setting
+    if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'extended') {
+      return this.ensureSafeTimeout(
+        this.settings.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000 // 7 days default
+      );
+    }
+    
+    // Apply randomization if enabled
+    if (this.settings.enableRandomizedTimeouts) {
+      return this.randomizeTimeout(baseTimeout);
+    }
+    
+    return this.ensureSafeTimeout(baseTimeout);
+  }
+  
+  /**
+   * Setup connection timeout
+   * @returns The cleanup timer
+   */
+  public setupConnectionTimeout(
+    record: IConnectionRecord, 
+    onTimeout: (record: IConnectionRecord, reason: string) => void
+  ): NodeJS.Timeout {
+    // Clear any existing timer
+    if (record.cleanupTimer) {
+      clearTimeout(record.cleanupTimer);
+    }
+    
+    // Calculate effective timeout
+    const effectiveLifetime = this.getEffectiveMaxLifetime(record);
+    
+    // Set up the timeout
+    const timer = setTimeout(() => {
+      // Call the provided callback
+      onTimeout(record, 'connection_timeout');
+    }, effectiveLifetime);
+    
+    // Make sure timeout doesn't keep the process alive
+    if (timer.unref) {
+      timer.unref();
+    }
+    
+    return timer;
+  }
+  
+  /**
+   * Check for inactivity on a connection
+   * @returns Object with check results
+   */
+  public checkInactivity(record: IConnectionRecord): {
+    isInactive: boolean;
+    shouldWarn: boolean;
+    inactivityTime: number;
+    effectiveTimeout: number;
+  } {
+    // Skip for connections with inactivity check disabled
+    if (this.settings.disableInactivityCheck) {
+      return {
+        isInactive: false,
+        shouldWarn: false,
+        inactivityTime: 0,
+        effectiveTimeout: 0
+      };
+    }
+    
+    // Skip for immortal keep-alive connections
+    if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
+      return {
+        isInactive: false,
+        shouldWarn: false,
+        inactivityTime: 0,
+        effectiveTimeout: 0
+      };
+    }
+    
+    const now = Date.now();
+    const inactivityTime = now - record.lastActivity;
+    const effectiveTimeout = this.getEffectiveInactivityTimeout(record);
+    
+    // Check if inactive
+    const isInactive = inactivityTime > effectiveTimeout;
+    
+    // For keep-alive connections, we should warn first
+    const shouldWarn = record.hasKeepAlive && 
+                       isInactive && 
+                       !record.inactivityWarningIssued;
+    
+    return {
+      isInactive,
+      shouldWarn,
+      inactivityTime,
+      effectiveTimeout
+    };
+  }
+  
+  /**
+   * Apply socket timeout settings
+   */
+  public applySocketTimeouts(record: IConnectionRecord): void {
+    // Skip for immortal keep-alive connections
+    if (record.hasKeepAlive && this.settings.keepAliveTreatment === 'immortal') {
+      // Disable timeouts completely for immortal connections
+      record.incoming.setTimeout(0);
+      if (record.outgoing) {
+        record.outgoing.setTimeout(0);
+      }
+      return;
+    }
+    
+    // Apply normal timeouts
+    const timeout = this.ensureSafeTimeout(this.settings.socketTimeout || 3600000); // 1 hour default
+    record.incoming.setTimeout(timeout);
+    if (record.outgoing) {
+      record.outgoing.setTimeout(timeout);
+    }
+  }
+}

package/ts/classes.pp.tlsmanager.ts

@@ -0,0 +1,206 @@
+import * as plugins from './plugins.js';
+import type { IPortProxySettings } from './classes.pp.interfaces.js';
+import { SniHandler } from './classes.pp.snihandler.js';
+
+/**
+ * Interface for connection information used for SNI extraction
+ */
+interface IConnectionInfo {
+  sourceIp: string;
+  sourcePort: number;
+  destIp: string;
+  destPort: number;
+}
+
+/**
+ * Manages TLS-related operations including SNI extraction and validation
+ */
+export class TlsManager {
+  constructor(private settings: IPortProxySettings) {}
+  
+  /**
+   * Check if a data chunk appears to be a TLS handshake
+   */
+  public isTlsHandshake(chunk: Buffer): boolean {
+    return SniHandler.isTlsHandshake(chunk);
+  }
+  
+  /**
+   * Check if a data chunk appears to be a TLS ClientHello
+   */
+  public isClientHello(chunk: Buffer): boolean {
+    return SniHandler.isClientHello(chunk);
+  }
+  
+  /**
+   * Extract Server Name Indication (SNI) from TLS handshake
+   */
+  public extractSNI(
+    chunk: Buffer, 
+    connInfo: IConnectionInfo, 
+    previousDomain?: string
+  ): string | undefined {
+    // Use the SniHandler to process the TLS packet
+    return SniHandler.processTlsPacket(
+      chunk,
+      connInfo,
+      this.settings.enableTlsDebugLogging || false,
+      previousDomain
+    );
+  }
+  
+  /**
+   * Handle session resumption attempts
+   */
+  public handleSessionResumption(
+    chunk: Buffer, 
+    connectionId: string,
+    hasSNI: boolean
+  ): { shouldBlock: boolean; reason?: string } {
+    // Skip if session tickets are allowed
+    if (this.settings.allowSessionTicket !== false) {
+      return { shouldBlock: false };
+    }
+    
+    // Check for session resumption attempt
+    const resumptionInfo = SniHandler.hasSessionResumption(
+      chunk,
+      this.settings.enableTlsDebugLogging || false
+    );
+    
+    // If this is a resumption attempt without SNI, block it
+    if (resumptionInfo.isResumption && !hasSNI && !resumptionInfo.hasSNI) {
+      if (this.settings.enableTlsDebugLogging) {
+        console.log(
+          `[${connectionId}] Session resumption detected without SNI and allowSessionTicket=false. ` +
+          `Terminating connection to force new TLS handshake.`
+        );
+      }
+      return { 
+        shouldBlock: true, 
+        reason: 'session_ticket_blocked' 
+      };
+    }
+    
+    return { shouldBlock: false };
+  }
+  
+  /**
+   * Check for SNI mismatch during renegotiation
+   */
+  public checkRenegotiationSNI(
+    chunk: Buffer,
+    connInfo: IConnectionInfo,
+    expectedDomain: string,
+    connectionId: string
+  ): { hasMismatch: boolean; extractedSNI?: string } {
+    // Only process if this looks like a TLS ClientHello
+    if (!this.isClientHello(chunk)) {
+      return { hasMismatch: false };
+    }
+    
+    try {
+      // Extract SNI with renegotiation support
+      const newSNI = SniHandler.extractSNIWithResumptionSupport(
+        chunk,
+        connInfo,
+        this.settings.enableTlsDebugLogging || false
+      );
+
+      // Skip if no SNI was found
+      if (!newSNI) return { hasMismatch: false };
+
+      // Check for SNI mismatch
+      if (newSNI !== expectedDomain) {
+        if (this.settings.enableTlsDebugLogging) {
+          console.log(
+            `[${connectionId}] Renegotiation with different SNI: ${expectedDomain} -> ${newSNI}. ` +
+            `Terminating connection - SNI domain switching is not allowed.`
+          );
+        }
+        return { hasMismatch: true, extractedSNI: newSNI };
+      } else if (this.settings.enableTlsDebugLogging) {
+        console.log(
+          `[${connectionId}] Renegotiation detected with same SNI: ${newSNI}. Allowing.`
+        );
+      }
+    } catch (err) {
+      console.log(
+        `[${connectionId}] Error processing ClientHello: ${err}. Allowing connection to continue.`
+      );
+    }
+    
+    return { hasMismatch: false };
+  }
+  
+  /**
+   * Create a renegotiation handler function for a connection
+   */
+  public createRenegotiationHandler(
+    connectionId: string,
+    lockedDomain: string,
+    connInfo: IConnectionInfo,
+    onMismatch: (connectionId: string, reason: string) => void
+  ): (chunk: Buffer) => void {
+    return (chunk: Buffer) => {
+      const result = this.checkRenegotiationSNI(chunk, connInfo, lockedDomain, connectionId);
+      if (result.hasMismatch) {
+        onMismatch(connectionId, 'sni_mismatch');
+      }
+    };
+  }
+  
+  /**
+   * Analyze TLS connection for browser fingerprinting
+   * This helps identify browser vs non-browser connections
+   */
+  public analyzeClientHello(chunk: Buffer): { 
+    isBrowserConnection: boolean; 
+    isRenewal: boolean;
+    hasSNI: boolean;
+  } {
+    // Default result
+    const result = { 
+      isBrowserConnection: false, 
+      isRenewal: false,
+      hasSNI: false
+    };
+    
+    try {
+      // Check if it's a ClientHello
+      if (!this.isClientHello(chunk)) {
+        return result;
+      }
+      
+      // Check for session resumption
+      const resumptionInfo = SniHandler.hasSessionResumption(
+        chunk,
+        this.settings.enableTlsDebugLogging || false
+      );
+      
+      // Extract SNI
+      const sni = SniHandler.extractSNI(
+        chunk,
+        this.settings.enableTlsDebugLogging || false
+      );
+      
+      // Update result
+      result.isRenewal = resumptionInfo.isResumption;
+      result.hasSNI = !!sni;
+      
+      // Browsers typically:
+      // 1. Send SNI extension
+      // 2. Have a variety of extensions (ALPN, etc.)
+      // 3. Use standard cipher suites
+      // ...more complex heuristics could be implemented here
+      
+      // Simple heuristic: presence of SNI suggests browser
+      result.isBrowserConnection = !!sni; 
+      
+      return result;
+    } catch (err) {
+      console.log(`Error analyzing ClientHello: ${err}`);
+      return result;
+    }
+  }
+}

package/ts/index.ts

@@ -1,6 +1,6 @@
 export * from './classes.iptablesproxy.js';
 export * from './classes.networkproxy.js';
-export * from './classes.portproxy.js';
+export * from './classes.pp.portproxy.js';
 export * from './classes.port80handler.js';
 export * from './classes.sslredirect.js';
-export * from './classes.snihandler.js';
+export * from './classes.pp.snihandler.js';