npm - @serve.zone/remoteingress - Versions diffs - 4.17.0 → 4.17.2 - Mend

@serve.zone/remoteingress 4.17.0 → 4.17.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/.smartconfig.json +8 -1
package/dist_rust/remoteingress-bin_linux_amd64 +0 -0
package/dist_rust/remoteingress-bin_linux_arm64 +0 -0
package/dist_ts/00_commitinfo_data.js +1 -1
package/dist_ts/classes.remoteingressedge.d.ts +1 -0
package/dist_ts/classes.remoteingressedge.js +29 -12
package/dist_ts/classes.remoteingresshub.d.ts +1 -2
package/dist_ts/index.d.ts +1 -0
package/dist_ts/index.js +118 -1
package/license +21 -0
package/package.json +18 -17
package/readme.md +117 -391
package/ts/00_commitinfo_data.ts +1 -1
package/ts/classes.remoteingressedge.ts +30 -13
package/ts/classes.remoteingresshub.ts +1 -1
package/ts/index.ts +144 -0

package/ts/classes.remoteingressedge.ts CHANGED Viewed

@@ -57,6 +57,7 @@ export class RemoteIngressEdge extends EventEmitter {
   private restartAttempts = 0;
   private statusInterval: ReturnType<typeof setInterval> | undefined;
   private nft: InstanceType<typeof plugins.smartnftables.SmartNftables> | null = null;
+  private pendingFirewallConfig: IFirewallConfig | null = null;
   constructor() {
     super();
@@ -114,7 +115,9 @@ export class RemoteIngressEdge extends EventEmitter {
     });
     this.bridge.on('management:firewallConfigUpdated', (data: { firewallConfig: IFirewallConfig }) => {
       console.log(`[RemoteIngressEdge] Firewall config updated from hub`);
-      this.applyFirewallConfig(data.firewallConfig);
+      void this.applyFirewallConfig(data.firewallConfig).catch((err) => {
+        console.error(`[RemoteIngressEdge] Failed to apply firewall config: ${err}`);
+      });
       this.emit('firewallConfigUpdated', data);
     });
   }
@@ -122,14 +125,22 @@ export class RemoteIngressEdge extends EventEmitter {
   /**
    * Initialize the nftables manager. Fails gracefully if not running as root.
    */
-  private async initNft(): Promise<void> {
+  private async initNft(options: { reset?: boolean } = {}): Promise<void> {
     try {
       this.nft = new plugins.smartnftables.SmartNftables({
         tableName: 'remoteingress',
         dryRun: false,
       });
+      if (options.reset) {
+        await (this.nft as any).cleanup({ force: true });
+      }
       await this.nft.initialize();
       console.log('[RemoteIngressEdge] SmartNftables initialized');
+      if (this.pendingFirewallConfig) {
+        const pending = this.pendingFirewallConfig;
+        this.pendingFirewallConfig = null;
+        await this.applyFirewallConfig(pending);
+      }
     } catch (err) {
       console.warn(`[RemoteIngressEdge] Failed to initialize nftables (not root?): ${err}`);
       this.nft = null;
@@ -142,19 +153,22 @@ export class RemoteIngressEdge extends EventEmitter {
    */
   private async applyFirewallConfig(config: IFirewallConfig): Promise<void> {
     if (!this.nft) {
+      this.pendingFirewallConfig = config;
       return;
     }
     try {
       // Full cleanup and reinitialize to replace all rules atomically
-      await this.nft.cleanup();
+      await (this.nft as any).cleanup({ force: true });
       await this.nft.initialize();
       // Apply blocked IPs
       if (config.blockedIps && config.blockedIps.length > 0) {
-        for (const ip of config.blockedIps) {
-          await this.nft.firewall.blockIP(ip);
-        }
+        await (this.nft.firewall as any).blockIPSet('hub-blocklist', {
+          setName: 'blocked_ipv4',
+          ips: config.blockedIps,
+          comment: 'RemoteIngress hub blocklist',
+        });
         console.log(`[RemoteIngressEdge] Blocked ${config.blockedIps.length} IPs`);
       }
@@ -213,6 +227,10 @@ export class RemoteIngressEdge extends EventEmitter {
     this.savedConfig = edgeConfig;
     this.stopping = false;
+    // Clear any stale nftables state left by a prior process before the edge
+    // can accept hub config or bind public listener ports.
+    await this.initNft({ reset: true });
     const spawned = await this.bridge.spawn();
     if (!spawned) {
       throw new Error('Failed to spawn remoteingress-bin');
@@ -242,9 +260,6 @@ export class RemoteIngressEdge extends EventEmitter {
     this.restartAttempts = 0;
     this.restartBackoffMs = 1000;
-    // Initialize nftables (graceful degradation if not root)
-    await this.initNft();
     // Start periodic status logging
     this.statusInterval = setInterval(async () => {
       try {
@@ -272,7 +287,7 @@ export class RemoteIngressEdge extends EventEmitter {
     // Clean up nftables rules before stopping
     if (this.nft) {
       try {
-        await this.nft.cleanup();
+        await (this.nft as any).cleanup({ force: true });
       } catch (err) {
         console.warn(`[RemoteIngressEdge] nftables cleanup error: ${err}`);
       }
@@ -289,6 +304,7 @@ export class RemoteIngressEdge extends EventEmitter {
       this.started = false;
     }
     this.savedConfig = null;
+    this.pendingFirewallConfig = null;
     // Remove all listeners to prevent memory buildup
     this.bridge.removeAllListeners();
     this.removeAllListeners();
@@ -344,6 +360,10 @@ export class RemoteIngressEdge extends EventEmitter {
     this.restartAttempts++;
     try {
+      // Drop stale kernel rules before reconnecting. The hub will send the
+      // current full firewall snapshot during handshake/config refresh.
+      await this.initNft({ reset: true });
       const spawned = await this.bridge.spawn();
       if (!spawned) {
         console.error('[RemoteIngressEdge] Failed to respawn binary');
@@ -366,9 +386,6 @@ export class RemoteIngressEdge extends EventEmitter {
       this.restartAttempts = 0;
       this.restartBackoffMs = 1000;
-      // Re-initialize nftables (hub will re-push config via handshake)
-      await this.initNft();
       // Restart periodic status logging
       this.statusInterval = setInterval(async () => {
         try {

package/ts/classes.remoteingresshub.ts CHANGED Viewed

@@ -135,7 +135,7 @@ export interface IUdpStatus {
   droppedDatagrams: number;
 }
-type TAllowedEdge = { id: string; secret: string; listenPorts?: number[]; listenPortsUdp?: number[]; stunIntervalSecs?: number; firewallConfig?: IFirewallConfig; performance?: IPerformanceConfig };
+export type TAllowedEdge = { id: string; secret: string; listenPorts?: number[]; listenPortsUdp?: number[]; stunIntervalSecs?: number; firewallConfig?: IFirewallConfig; performance?: IPerformanceConfig };
 const MAX_RESTART_ATTEMPTS = 10;
 const MAX_RESTART_BACKOFF_MS = 30_000;

package/ts/index.ts CHANGED Viewed

@@ -1,3 +1,147 @@
+import { RemoteIngressEdge } from './classes.remoteingressedge.js';
+import { RemoteIngressHub, type IHubConfig, type TAllowedEdge } from './classes.remoteingresshub.js';
 export * from './classes.remoteingresshub.js';
 export * from './classes.remoteingressedge.js';
 export * from './classes.token.js';
+const usage = `remoteingress
+Usage:
+  remoteingress hub [--tunnel-port 8443] [--target-host 127.0.0.1]
+  remoteingress edge --token <connection-token>
+  remoteingress edge --hub-host <host> --edge-id <id> --secret <secret> [--hub-port 8443]
+Environment:
+  REMOTEINGRESS_MODE=hub|edge
+  REMOTEINGRESS_TOKEN=<connection-token>
+  REMOTEINGRESS_HUB_HOST=<host>
+  REMOTEINGRESS_HUB_PORT=8443
+  REMOTEINGRESS_EDGE_ID=<id>
+  REMOTEINGRESS_SECRET=<secret>
+  REMOTEINGRESS_TARGET_HOST=127.0.0.1
+  REMOTEINGRESS_ALLOWED_EDGES_JSON='[{"id":"edge-1","secret":"secret","listenPorts":[80,443]}]'
+`;
+const readArg = (args: string[], name: string): string | undefined => {
+  const prefix = `--${name}=`;
+  const inlineValue = args.find((arg) => arg.startsWith(prefix));
+  if (inlineValue) {
+    return inlineValue.slice(prefix.length);
+  }
+  const index = args.indexOf(`--${name}`);
+  if (index >= 0) {
+    return args[index + 1];
+  }
+  return undefined;
+};
+const readNumber = (value: string | undefined, fallback: number): number => {
+  if (!value) {
+    return fallback;
+  }
+  const parsed = Number(value);
+  if (!Number.isInteger(parsed) || parsed < 1 || parsed > 65535) {
+    throw new Error(`Invalid port: ${value}`);
+  }
+  return parsed;
+};
+const readJson = <T>(value: string | undefined, fallback: T): T => {
+  if (!value) {
+    return fallback;
+  }
+  return JSON.parse(value) as T;
+};
+const waitForever = async (stop: () => Promise<void>) => {
+  let stopping = false;
+  const handleStop = async () => {
+    if (stopping) {
+      return;
+    }
+    stopping = true;
+    await stop();
+    process.exit(0);
+  };
+  process.once('SIGINT', () => void handleStop());
+  process.once('SIGTERM', () => void handleStop());
+  await new Promise(() => {});
+};
+export const runCli = async () => {
+  const args = process.argv.slice(2);
+  if (args.includes('--help') || args.includes('-h')) {
+    console.log(usage);
+    return;
+  }
+  const positionalMode = args[0]?.startsWith('--') ? undefined : args[0];
+  const mode = readArg(args, 'mode') ?? positionalMode ?? process.env.REMOTEINGRESS_MODE;
+  if (mode === 'hub') {
+    const hub = new RemoteIngressHub();
+    const config: IHubConfig = {
+      tunnelPort: readNumber(readArg(args, 'tunnel-port') ?? process.env.REMOTEINGRESS_TUNNEL_PORT, 8443),
+      targetHost: readArg(args, 'target-host') ?? process.env.REMOTEINGRESS_TARGET_HOST ?? '127.0.0.1',
+      tls: {
+        certPem: readArg(args, 'tls-cert-pem') ?? process.env.REMOTEINGRESS_TLS_CERT_PEM,
+        keyPem: readArg(args, 'tls-key-pem') ?? process.env.REMOTEINGRESS_TLS_KEY_PEM,
+      },
+      performance: readJson(readArg(args, 'performance-json') ?? process.env.REMOTEINGRESS_PERFORMANCE_JSON, undefined),
+    };
+    await hub.start(config);
+    const allowedEdges = readJson<TAllowedEdge[]>(
+      readArg(args, 'allowed-edges-json') ?? process.env.REMOTEINGRESS_ALLOWED_EDGES_JSON,
+      [],
+    );
+    if (allowedEdges.length > 0) {
+      await hub.updateAllowedEdges(allowedEdges);
+    }
+    console.log(`RemoteIngress hub listening on ${config.tunnelPort}`);
+    await waitForever(() => hub.stop());
+    return;
+  }
+  if (mode === 'edge') {
+    const edge = new RemoteIngressEdge();
+    const token = readArg(args, 'token') ?? process.env.REMOTEINGRESS_TOKEN;
+    if (token) {
+      await edge.start({ token });
+    } else {
+      const hubHost = readArg(args, 'hub-host') ?? process.env.REMOTEINGRESS_HUB_HOST;
+      const edgeId = readArg(args, 'edge-id') ?? process.env.REMOTEINGRESS_EDGE_ID;
+      const secret = readArg(args, 'secret') ?? process.env.REMOTEINGRESS_SECRET;
+      if (!hubHost || !edgeId || !secret) {
+        throw new Error('Edge mode requires --token or --hub-host, --edge-id, and --secret');
+      }
+      await edge.start({
+        hubHost,
+        hubPort: readNumber(readArg(args, 'hub-port') ?? process.env.REMOTEINGRESS_HUB_PORT, 8443),
+        edgeId,
+        secret,
+        bindAddress: readArg(args, 'bind-address') ?? process.env.REMOTEINGRESS_BIND_ADDRESS,
+        transportMode: readArg(args, 'transport-mode') as any,
+      });
+    }
+    console.log('RemoteIngress edge started');
+    await waitForever(() => edge.stop());
+    return;
+  }
+  console.log(usage);
+};