@serve.zone/dcrouter 13.38.4 → 13.40.0

package/ts/opsserver/handlers/security.handler.ts

@@ -1,7 +1,6 @@
 import * as plugins from '../../plugins.js';
 import type { OpsServer } from '../classes.opsserver.js';
 import * as interfaces from '../../../ts_interfaces/index.js';
-import { MetricsManager } from '../../monitoring/index.js';
 import { requireOpsAuth } from '../helpers/auth.js';
 
 export class SecurityHandler {
@@ -46,18 +45,7 @@ export class SecurityHandler {
         'getActiveConnections',
         async (dataArg, toolsArg) => {
           await requireOpsAuth(this.opsServerRef, dataArg, { scope: 'stats:read' });
-          const connections = await this.getActiveConnections(dataArg.protocol, dataArg.state);
-          const connectionInfos: interfaces.data.IConnectionInfo[] = connections.map(conn => ({
-            id: conn.id,
-            remoteAddress: conn.source.ip,
-            localAddress: conn.destination.ip,
-            startTime: conn.startTime,
-            protocol: conn.type === 'http' ? 'https' : conn.type as any,
-            state: conn.status === 'active' ? 'connected' : conn.status as any,
-            bytesReceived: (conn as any)._throughputIn || 0,
-            bytesSent: (conn as any)._throughputOut || 0,
-            connectionCount: conn.bytesTransferred || 1,
-          }));
+          const connectionInfos = await this.getActiveConnections(dataArg.protocol, dataArg.state);
           const totalConnections = connectionInfos.reduce((sum, conn) => sum + (conn.connectionCount || 1), 0);
           
           const summary = {
@@ -362,106 +350,66 @@ export class SecurityHandler {
   private async getActiveConnections(
     protocol?: 'http' | 'https' | 'smtp' | 'smtps',
     state?: string
-  ): Promise<Array<{
-    id: string;
-    type: 'http' | 'smtp' | 'dns';
-    source: {
-      ip: string;
-      port: number;
-      country?: string;
-    };
-    destination: {
-      ip: string;
-      port: number;
-      service?: string;
-    };
-    startTime: number;
-    bytesTransferred: number;
-    status: 'active' | 'idle' | 'closing';
-  }>> {
-    const connections: Array<{
-      id: string;
-      type: 'http' | 'smtp' | 'dns';
-      source: {
-        ip: string;
-        port: number;
-        country?: string;
-      };
-      destination: {
-        ip: string;
-        port: number;
-        service?: string;
-      };
-      startTime: number;
-      bytesTransferred: number;
-      status: 'active' | 'idle' | 'closing';
-    }> = [];
-    
-    // Get connection info and network stats from MetricsManager if available
-    if (this.opsServerRef.dcRouterRef.metricsManager) {
-      const connectionInfo = await this.opsServerRef.dcRouterRef.metricsManager.getConnectionInfo();
-      const networkStats = await this.opsServerRef.dcRouterRef.metricsManager.getNetworkStats();
-      
-      // One aggregate row per IP with real throughput data
-      if (networkStats.connectionsByIP && networkStats.connectionsByIP.size > 0) {
-        let connIndex = 0;
-        const publicIp = this.opsServerRef.dcRouterRef.options.publicIp || 'server';
+  ): Promise<interfaces.data.IConnectionInfo[]> {
+    const metricsManager = this.opsServerRef.dcRouterRef.metricsManager;
+    if (!metricsManager) {
+      return [];
+    }
 
-        for (const [ip, count] of networkStats.connectionsByIP) {
-          const tp = networkStats.throughputByIP?.get(ip);
-          connections.push({
-            id: `ip-${connIndex++}`,
-            type: 'http',
-            source: {
-              ip: ip,
-              port: 0,
-            },
-            destination: {
-              ip: publicIp,
-              port: 443,
-              service: 'proxy',
-            },
-            startTime: 0,
-            bytesTransferred: count, // Store connection count here
-            status: 'active',
-            // Attach real throughput for the handler mapping
-            ...(tp ? { _throughputIn: tp.in, _throughputOut: tp.out } : {}),
-          } as any);
-        }
-      } else if (connectionInfo.length > 0) {
-        // Fallback to route-based connection info if no IP data available
-        connectionInfo.forEach((info, index) => {
-          connections.push({
-            id: `conn-${index}`,
-            type: 'http',
-            source: {
-              ip: 'unknown',
-              port: 0,
-            },
-            destination: {
-              ip: this.opsServerRef.dcRouterRef.options.publicIp || 'server',
-              port: 443,
-              service: info.source,
-            },
-            startTime: info.lastActivity.getTime(),
-            bytesTransferred: 0,
-            status: 'active',
-          });
-        });
+    const snapshots = await metricsManager.getActiveConnectionSnapshots({ limit: 10000 });
+    const connections = snapshots.map((snapshot): interfaces.data.IConnectionInfo => ({
+      id: String(snapshot.id),
+      remoteAddress: snapshot.sourcePort === null
+        ? snapshot.sourceIp
+        : `${snapshot.sourceIp}:${snapshot.sourcePort}`,
+      localAddress: snapshot.targetHost
+        ? `${snapshot.targetHost}:${snapshot.targetPort ?? snapshot.localPort}`
+        : `${this.opsServerRef.dcRouterRef.options.publicIp || 'server'}:${snapshot.localPort}`,
+      startTime: snapshot.startedAtMs,
+      protocol: this.mapSnapshotProtocol(snapshot),
+      state: this.mapSnapshotState(snapshot.state),
+      bytesReceived: snapshot.bytesIn,
+      bytesSent: snapshot.bytesOut,
+    }));
+
+    return connections.filter((connection) => {
+      if (protocol && connection.protocol !== protocol) {
+        return false;
+      }
+      if (state && connection.state !== state) {
+        return false;
       }
+      return true;
+    });
+  }
+
+  private mapSnapshotProtocol(
+    snapshot: plugins.smartproxy.IActiveConnectionSnapshot,
+  ): interfaces.data.IConnectionInfo['protocol'] {
+    if (snapshot.localPort === 465) {
+      return 'smtps';
     }
-    
-    // Filter by protocol if specified
-    if (protocol) {
-      return connections.filter(conn => {
-        if (protocol === 'https' || protocol === 'http') {
-          return conn.type === 'http';
-        }
-        return conn.type === protocol.replace('s', ''); // smtp/smtps -> smtp
-      });
+    if ([25, 587, 2525].includes(snapshot.localPort)) {
+      return 'smtp';
     }
-    
-    return connections;
+
+    switch (snapshot.protocol) {
+      case 'http':
+        return 'http';
+      case 'https':
+      case 'tls':
+      case 'tls-passthrough':
+      case 'tls-reencrypt':
+      case 'tls-socket-handler':
+      case 'quic':
+        return 'https';
+      default:
+        return snapshot.localPort === 80 ? 'http' : 'https';
+    }
+  }
+
+  private mapSnapshotState(state: string): interfaces.data.IConnectionInfo['state'] {
+    return state === 'closing' ? 'closing' : 'connected';
   }
   
   private async getRateLimitStatus(

package/ts/radius/classes.radius.server.ts

@@ -91,7 +91,6 @@ export class RadiusServer {
   private vlanManager: VlanManager;
   private accountingManager: AccountingManager;
   private config: IRadiusServerConfig;
-  private clientSecrets: Map<string, string> = new Map();
   private running: boolean = false;
 
   // Statistics
@@ -138,24 +137,18 @@ export class RadiusServer {
       await this.vlanManager.importMappings(this.config.vlanAssignment.mappings);
     }
 
-    // Build client secrets map
-    this.buildClientSecretsMap();
+    const cidrSecrets = this.buildClientSecretsMap();
 
     // Create the RADIUS server
     this.radiusServer = new plugins.smartradius.RadiusServer({
       authPort: this.config.authPort,
       acctPort: this.config.acctPort,
       bindAddress: this.config.bindAddress,
-      defaultSecret: this.getDefaultSecret(),
+      cidrSecrets,
       authenticationHandler: this.handleAuthentication.bind(this),
       accountingHandler: this.handleAccounting.bind(this),
     });
 
-    // Configure per-client secrets
-    for (const [ip, secret] of this.clientSecrets) {
-      this.radiusServer.setClientSecret(ip, secret);
-    }
-
     // Start the server
     await this.radiusServer.start();
 
@@ -189,19 +182,22 @@ export class RadiusServer {
   /**
    * Handle authentication request
    */
-  private async handleAuthentication(request: any): Promise<any> {
+  private async handleAuthentication(
+    request: plugins.smartradius.IAuthenticationRequest,
+  ): Promise<plugins.smartradius.IAuthenticationResponse> {
     this.stats.authRequests++;
 
     const authData: IAuthRequestData = {
-      username: request.attributes?.UserName || '',
-      password: request.attributes?.UserPassword,
-      nasIpAddress: request.attributes?.NasIpAddress || request.source?.address || '',
-      nasPort: request.attributes?.NasPort,
-      nasPortType: request.attributes?.NasPortType,
-      nasIdentifier: request.attributes?.NasIdentifier,
-      calledStationId: request.attributes?.CalledStationId,
-      callingStationId: request.attributes?.CallingStationId,
-      serviceType: request.attributes?.ServiceType,
+      username: request.username || '',
+      password: request.password,
+      nasIpAddress: request.nasIpAddress || request.clientAddress || '',
+      nasPort: request.nasPort,
+      nasPortType: request.nasPortType !== undefined ? String(request.nasPortType) : undefined,
+      nasIdentifier: request.nasIdentifier,
+      calledStationId: request.calledStationId,
+      callingStationId: request.callingStationId,
+      serviceType: request.serviceType !== undefined ? String(request.serviceType) : undefined,
+      framedMtu: request.framedMtu,
     };
 
     logger.log('debug', `RADIUS Auth Request: user=${authData.username}, NAS=${authData.nasIpAddress}`);
@@ -215,15 +211,15 @@ export class RadiusServer {
       logger.log('info', `RADIUS Auth Accept: user=${authData.username}, VLAN=${result.vlanId}`);
 
       // Build response with VLAN attributes
-      const response: any = {
+      const response: plugins.smartradius.IAuthenticationResponse = {
         code: plugins.smartradius.ERadiusCode.AccessAccept,
         replyMessage: result.replyMessage,
       };
 
       // Add VLAN attributes if assigned
       if (result.vlanId !== undefined) {
-        response.tunnelType = 13; // VLAN
-        response.tunnelMediumType = 6; // IEEE 802
+        response.tunnelType = plugins.smartradius.ETunnelType.Vlan;
+        response.tunnelMediumType = plugins.smartradius.ETunnelMediumType.Ieee802;
         response.tunnelPrivateGroupId = String(result.vlanId);
       }
 
@@ -257,34 +253,37 @@ export class RadiusServer {
   /**
    * Handle accounting request
    */
-  private async handleAccounting(request: any): Promise<any> {
+  private async handleAccounting(
+    request: plugins.smartradius.IAccountingRequest,
+  ): Promise<plugins.smartradius.IAccountingResponse> {
     this.stats.accountingRequests++;
 
     if (!this.config.accounting?.enabled) {
       // Still respond even if not tracking
-      return { code: plugins.smartradius.ERadiusCode.AccountingResponse };
+      return { success: true };
     }
 
-    const statusType = request.attributes?.AcctStatusType;
-    const sessionId = request.attributes?.AcctSessionId || '';
+    const statusType = request.statusType;
+    const sessionId = request.sessionId || '';
 
     const accountingData = {
       sessionId,
-      username: request.attributes?.UserName || '',
-      macAddress: request.attributes?.CallingStationId,
-      nasIpAddress: request.attributes?.NasIpAddress || request.source?.address || '',
-      nasPort: request.attributes?.NasPort,
-      nasPortType: request.attributes?.NasPortType,
-      nasIdentifier: request.attributes?.NasIdentifier,
-      calledStationId: request.attributes?.CalledStationId,
-      callingStationId: request.attributes?.CallingStationId,
-      inputOctets: request.attributes?.AcctInputOctets,
-      outputOctets: request.attributes?.AcctOutputOctets,
-      inputPackets: request.attributes?.AcctInputPackets,
-      outputPackets: request.attributes?.AcctOutputPackets,
-      sessionTime: request.attributes?.AcctSessionTime,
-      terminateCause: request.attributes?.AcctTerminateCause,
-      serviceType: request.attributes?.ServiceType,
+      username: request.username || '',
+      macAddress: request.callingStationId,
+      nasIpAddress: request.nasIpAddress || request.clientAddress || '',
+      nasPort: request.nasPort,
+      nasPortType: request.nasPortType !== undefined ? String(request.nasPortType) : undefined,
+      nasIdentifier: request.nasIdentifier,
+      calledStationId: request.calledStationId,
+      callingStationId: request.callingStationId,
+      inputOctets: request.inputOctets,
+      outputOctets: request.outputOctets,
+      inputPackets: request.inputPackets,
+      outputPackets: request.outputPackets,
+      sessionTime: request.sessionTime,
+      terminateCause: request.terminateCause !== undefined ? String(request.terminateCause) : undefined,
+      framedIpAddress: request.framedIpAddress,
+      serviceType: request.serviceType !== undefined ? String(request.serviceType) : undefined,
     };
 
     try {
@@ -311,7 +310,7 @@ export class RadiusServer {
       logger.log('error', `RADIUS accounting error: ${(error as Error).message}`);
     }
 
-    return { code: plugins.smartradius.ERadiusCode.AccountingResponse };
+    return { success: true };
   }
 
   /**
@@ -391,37 +390,18 @@ export class RadiusServer {
   /**
    * Build client secrets map from configuration
    */
-  private buildClientSecretsMap(): void {
-    this.clientSecrets.clear();
+  private buildClientSecretsMap(): Record<string, string> {
+    const cidrSecrets: Record<string, string> = {};
 
     for (const client of this.config.clients) {
       if (!client.enabled) {
         continue;
       }
 
-      // Handle CIDR ranges
-      if (client.ipRange.includes('/')) {
-        // For CIDR ranges, we'll use the network address as key
-        // In practice, smartradius may handle this differently
-        const [network] = client.ipRange.split('/');
-        this.clientSecrets.set(network, client.secret);
-      } else {
-        this.clientSecrets.set(client.ipRange, client.secret);
-      }
+      cidrSecrets[client.ipRange] = client.secret;
     }
-  }
 
-  /**
-   * Get default secret for unknown clients
-   */
-  private getDefaultSecret(): string {
-    // Use first enabled client's secret as default, or a random one
-    for (const client of this.config.clients) {
-      if (client.enabled) {
-        return client.secret;
-      }
-    }
-    return plugins.crypto.randomBytes(16).toString('hex');
+    return cidrSecrets;
   }
 
   /**
@@ -430,21 +410,19 @@ export class RadiusServer {
   async addClient(client: IRadiusClient): Promise<void> {
     // Check if client already exists
     const existingIndex = this.config.clients.findIndex(c => c.name === client.name);
+    const previousClient = existingIndex >= 0 ? this.config.clients[existingIndex] : undefined;
     if (existingIndex >= 0) {
       this.config.clients[existingIndex] = client;
     } else {
       this.config.clients.push(client);
     }
 
-    // Update client secrets if running
-    if (this.running && this.radiusServer && client.enabled) {
-      if (client.ipRange.includes('/')) {
-        const [network] = client.ipRange.split('/');
-        this.radiusServer.setClientSecret(network, client.secret);
-        this.clientSecrets.set(network, client.secret);
-      } else {
-        this.radiusServer.setClientSecret(client.ipRange, client.secret);
-        this.clientSecrets.set(client.ipRange, client.secret);
+    if (this.running && this.radiusServer) {
+      if (previousClient) {
+        this.radiusServer.removeNetworkSecret(previousClient.ipRange);
+      }
+      if (client.enabled) {
+        this.radiusServer.setNetworkSecret(client.ipRange, client.secret);
       }
     }
 
@@ -460,12 +438,8 @@ export class RadiusServer {
       const client = this.config.clients[index];
       this.config.clients.splice(index, 1);
 
-      // Remove from secrets map
-      if (client.ipRange.includes('/')) {
-        const [network] = client.ipRange.split('/');
-        this.clientSecrets.delete(network);
-      } else {
-        this.clientSecrets.delete(client.ipRange);
+      if (this.radiusServer) {
+        this.radiusServer.removeNetworkSecret(client.ipRange);
       }
 
       logger.log('info', `RADIUS client removed: ${name}`);

package/ts/remoteingress/classes.remoteingress-manager.ts

@@ -1,29 +1,13 @@
 import * as plugins from '../plugins.js';
-import type { IRemoteIngress, IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
+import type { IRemoteIngress, IRemoteIngressPerformanceConfig, IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
 import { RemoteIngressEdgeDoc } from '../db/index.js';
 
 interface IRemoteIngressFirewallConfig {
   blockedIps?: string[];
 }
 
-/**
- * Flatten a port range (number | number[] | Array<{from, to}>) to a sorted unique number array.
- */
-function extractPorts(portRange: number | Array<number | { from: number; to: number }>): number[] {
-  const ports = new Set<number>();
-  if (typeof portRange === 'number') {
-    ports.add(portRange);
-  } else if (Array.isArray(portRange)) {
-    for (const entry of portRange) {
-      if (typeof entry === 'number') {
-        ports.add(entry);
-      } else if (typeof entry === 'object' && 'from' in entry && 'to' in entry) {
-        for (let p = entry.from; p <= entry.to; p++) {
-          ports.add(p);
-        }
-      }
-    }
-  }
+function extractPorts(portRange: plugins.smartproxy.IRouteConfig['match']['ports']): number[] {
+  const ports = new Set<number>(plugins.smartproxy.expandPortRange(portRange) as number[]);
   return [...ports].sort((a, b) => a - b);
 }
 
@@ -59,6 +43,7 @@ export class RemoteIngressManager {
         listenPortsUdp: doc.listenPortsUdp,
         enabled: doc.enabled,
         autoDerivePorts: doc.autoDerivePorts,
+        performance: doc.performance,
         tags: doc.tags,
         createdAt: doc.createdAt,
         updatedAt: doc.updatedAt,
@@ -189,6 +174,7 @@ export class RemoteIngressManager {
     listenPorts: number[] = [],
     tags?: string[],
     autoDerivePorts: boolean = true,
+    performance?: IRemoteIngressPerformanceConfig,
   ): Promise<IRemoteIngress> {
     const id = plugins.uuid.v4();
     const secret = plugins.crypto.randomBytes(32).toString('hex');
@@ -201,6 +187,7 @@ export class RemoteIngressManager {
       listenPorts,
       enabled: true,
       autoDerivePorts,
+      performance,
       tags: tags || [],
       createdAt: now,
       updatedAt: now,
@@ -237,6 +224,7 @@ export class RemoteIngressManager {
       listenPorts?: number[];
       autoDerivePorts?: boolean;
       enabled?: boolean;
+      performance?: IRemoteIngressPerformanceConfig;
       tags?: string[];
     },
   ): Promise<IRemoteIngress | null> {
@@ -249,6 +237,7 @@ export class RemoteIngressManager {
     if (updates.listenPorts !== undefined) edge.listenPorts = updates.listenPorts;
     if (updates.autoDerivePorts !== undefined) edge.autoDerivePorts = updates.autoDerivePorts;
     if (updates.enabled !== undefined) edge.enabled = updates.enabled;
+    if (updates.performance !== undefined) edge.performance = updates.performance;
     if (updates.tags !== undefined) edge.tags = updates.tags;
     edge.updatedAt = Date.now();
 
@@ -317,17 +306,19 @@ export class RemoteIngressManager {
    * Get the list of allowed edges (enabled only) for the Rust hub.
    * Includes listenPortsUdp when routes with transport 'udp' or 'all' are present.
    */
-  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig }> {
-    const result: Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig }> = [];
+  public getAllowedEdges(): Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig; performance?: IRemoteIngressPerformanceConfig }> {
+    const result: Array<{ id: string; secret: string; listenPorts: number[]; listenPortsUdp?: number[]; firewallConfig?: IRemoteIngressFirewallConfig; performance?: IRemoteIngressPerformanceConfig }> = [];
     for (const edge of this.edges.values()) {
       if (edge.enabled) {
         const listenPortsUdp = this.getEffectiveListenPortsUdp(edge);
+        const performance = edge.performance && Object.keys(edge.performance).length > 0 ? edge.performance : undefined;
         result.push({
           id: edge.id,
           secret: edge.secret,
           listenPorts: this.getEffectiveListenPorts(edge),
           ...(listenPortsUdp.length > 0 ? { listenPortsUdp } : {}),
           ...(this.firewallConfig ? { firewallConfig: this.firewallConfig } : {}),
+          ...(performance ? { performance } : {}),
         });
       }
     }

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.38.4',
+  version: '13.40.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts_web/appstate.ts

@@ -1120,6 +1120,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
   name: string;
   listenPorts?: number[];
   autoDerivePorts?: boolean;
+  performance?: interfaces.data.IRemoteIngressPerformanceConfig;
   tags?: string[];
 }>(async (statePartArg, dataArg, actionContext): Promise<IRemoteIngressState> => {
   const context = getActionContext();
@@ -1135,6 +1136,7 @@ export const createRemoteIngressAction = remoteIngressStatePart.createAction<{
       name: dataArg.name,
       listenPorts: dataArg.listenPorts,
       autoDerivePorts: dataArg.autoDerivePorts,
+      performance: dataArg.performance,
       tags: dataArg.tags,
     });
 
@@ -1187,6 +1189,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
   name?: string;
   listenPorts?: number[];
   autoDerivePorts?: boolean;
+  performance?: interfaces.data.IRemoteIngressPerformanceConfig;
   tags?: string[];
 }>(async (statePartArg, dataArg, actionContext): Promise<IRemoteIngressState> => {
   const context = getActionContext();
@@ -1203,6 +1206,7 @@ export const updateRemoteIngressAction = remoteIngressStatePart.createAction<{
       name: dataArg.name,
       listenPorts: dataArg.listenPorts,
       autoDerivePorts: dataArg.autoDerivePorts,
+      performance: dataArg.performance,
       tags: dataArg.tags,
     });