palaryn 0.1.0 → 0.3.2

package/src/proxy/forward-proxy.ts

@@ -0,0 +1,649 @@
+import * as http from 'http';
+import * as https from 'https';
+import * as net from 'net';
+import * as dns from 'dns';
+import { URL } from 'url';
+import { randomUUID } from 'crypto';
+import { Gateway, PreExecuteResult } from '../server/gateway';
+import { GatewayConfig, ProxyConfig } from '../types/config';
+import { ToolCall } from '../types/tool-call';
+import { parseProxyAuth } from '../middleware/auth';
+import { isPrivateIP } from '../executor/http-executor';
+import { logger } from '../server/logger';
+
+/** Maximum accumulated response body for post-DLP scanning (50 MB) */
+const MAX_ACCUMULATED_BYTES = 50 * 1024 * 1024;
+
+/** DNS lookup timeout in ms */
+const DNS_LOOKUP_TIMEOUT_MS = 5000;
+
+/** Maximum request body size in bytes (10 MB) — prevents OOM DoS */
+const MAX_REQUEST_BODY_BYTES = 10 * 1024 * 1024;
+
+/** Global counter for total bytes being accumulated across all active proxy responses */
+let globalAccumulatedBytes = 0;
+/** Maximum total bytes accumulated across all concurrent proxy responses (500 MB) */
+const MAX_GLOBAL_ACCUMULATED_BYTES = 500 * 1024 * 1024;
+
+/** Headers that must never be forwarded or logged */
+const SENSITIVE_HEADERS = new Set([
+  'proxy-authorization', 'proxy-connection',
+  'x-palaryn-workspace', 'x-palaryn-actor',
+  'authorization', 'cookie', 'x-api-key',
+]);
+
+/** Map HTTP method to tool capability */
+function methodToCapability(method: string): 'read' | 'write' | 'delete' | 'admin' {
+  switch (method.toUpperCase()) {
+    case 'GET':
+    case 'HEAD':
+    case 'OPTIONS':
+      return 'read';
+    case 'DELETE':
+      return 'delete';
+    default:
+      return 'write';
+  }
+}
+
+/** Check if a hostname matches a domain pattern (supports leading wildcard) */
+function matchesDomain(hostname: string, pattern: string): boolean {
+  // Strip null bytes and normalize to prevent injection attacks
+  const clean = hostname.replace(/\0/g, '').toLowerCase().trim();
+  const cleanPattern = pattern.replace(/\0/g, '').toLowerCase().trim();
+  if (!clean || !cleanPattern) return false;
+  if (cleanPattern === clean) return true;
+  if (cleanPattern.startsWith('*.')) {
+    const suffix = cleanPattern.slice(2);
+    return clean === suffix || clean.endsWith('.' + suffix);
+  }
+  return false;
+}
+
+/** Check if a hostname matches any passthrough domain */
+function isPassthrough(hostname: string, patterns: string[]): boolean {
+  return patterns.some(p => matchesDomain(hostname, p));
+}
+
+/**
+ * Validate resolved IP is not private (SSRF protection) with DNS timeout.
+ * Returns the first valid resolved IP address for DNS pinning — the caller
+ * should connect to this IP instead of the hostname to prevent DNS rebinding.
+ */
+export function validateResolvedIP(hostname: string): Promise<string> {
+  if (net.isIP(hostname)) {
+    if (isPrivateIP(hostname)) {
+      return Promise.reject(new Error(`SSRF blocked: IP ${hostname} is a private/reserved address`));
+    }
+    return Promise.resolve(hostname);
+  }
+
+  const dnsPromise = new Promise<string>((resolve, reject) => {
+    dns.lookup(hostname, { all: true }, (err, addresses) => {
+      if (err) return reject(err);
+      if (!addresses || addresses.length === 0) {
+        return reject(new Error(`DNS lookup failed: no addresses found for "${hostname}"`));
+      }
+      for (const addr of addresses) {
+        if (isPrivateIP(addr.address)) {
+          return reject(
+            new Error(`SSRF blocked: hostname "${hostname}" resolved to private IP ${addr.address}`)
+          );
+        }
+      }
+      // Return the first resolved IP for DNS pinning
+      resolve(addresses[0].address);
+    });
+  });
+
+  const timeoutPromise = new Promise<never>((_, reject) => {
+    setTimeout(() => reject(new Error(`DNS lookup timeout for "${hostname}" after ${DNS_LOOKUP_TIMEOUT_MS}ms`)), DNS_LOOKUP_TIMEOUT_MS);
+  });
+
+  return Promise.race([dnsPromise, timeoutPromise]);
+}
+
+/** Strip sensitive headers from a headers record */
+function stripSensitiveHeaders(headers: Record<string, string>): Record<string, string> {
+  const result: Record<string, string> = {};
+  for (const [key, value] of Object.entries(headers)) {
+    if (!SENSITIVE_HEADERS.has(key.toLowerCase())) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+
+/** Build a synthetic ToolCall from an incoming proxy request */
+export function buildToolCallFromProxy(
+  method: string,
+  targetUrl: string,
+  headers: Record<string, string>,
+  body: string | undefined,
+  workspaceId: string,
+  actorId: string,
+): ToolCall {
+  const parsedUrl = new URL(targetUrl);
+  const toolName = `http.${method.toLowerCase()}`;
+
+  // Remove sensitive headers before forwarding
+  const forwardHeaders = stripSensitiveHeaders(headers);
+
+  // Parse body if it looks like JSON
+  let parsedBody: unknown = body;
+  if (body && typeof body === 'string') {
+    try {
+      parsedBody = JSON.parse(body);
+    } catch (_e) {
+      /* Not valid JSON — keep body as raw string */
+    }
+  }
+
+  return {
+    tool_call_id: randomUUID(),
+    task_id: randomUUID(),
+    workspace_id: workspaceId,
+    actor: {
+      type: 'agent',
+      id: actorId,
+    },
+    source: {
+      platform: 'forward_proxy',
+    },
+    tool: {
+      name: toolName,
+      capability: methodToCapability(method),
+    },
+    args: {
+      method: method.toUpperCase(),
+      url: targetUrl,
+      headers: forwardHeaders,
+      body: parsedBody,
+    },
+    context: {
+      purpose: 'Proxied HTTP request',
+      labels: ['proxy', parsedUrl.hostname],
+    },
+  };
+}
+
+/** Forward the request to the target and pipe the response back.
+ *  When pinnedIP is provided (from SSRF DNS validation), the TCP connection
+ *  goes to that IP while the Host header and TLS SNI use the original hostname,
+ *  preventing DNS rebinding attacks.
+ */
+function forwardRequest(
+  method: string,
+  targetUrl: string,
+  headers: Record<string, string>,
+  body: string | undefined,
+  clientRes: http.ServerResponse,
+  gateway: Gateway,
+  toolCall: ToolCall,
+  pre: PreExecuteResult,
+  timeoutMs: number,
+  pinnedIP?: string,
+): void {
+  const parsedUrl = new URL(targetUrl);
+  const isHttps = parsedUrl.protocol === 'https:';
+  const transport = isHttps ? https : http;
+
+  // Strip sensitive headers, then set host
+  const forwardHeaders = stripSensitiveHeaders(headers);
+  forwardHeaders['host'] = parsedUrl.host;
+
+  const requestOptions: http.RequestOptions & { servername?: string } = {
+    // Use pinned IP for the actual connection to prevent DNS rebinding
+    hostname: pinnedIP || parsedUrl.hostname,
+    port: parsedUrl.port || (isHttps ? 443 : 80),
+    path: parsedUrl.pathname + parsedUrl.search,
+    method: method.toUpperCase(),
+    headers: forwardHeaders,
+    timeout: timeoutMs,
+  };
+
+  // When using a pinned IP with HTTPS, set servername for correct TLS SNI
+  if (pinnedIP && isHttps) {
+    requestOptions.servername = parsedUrl.hostname;
+  }
+
+  // Pin DNS resolution to the pre-validated IP to prevent TOCTOU rebinding
+  if (pinnedIP) {
+    const family = pinnedIP.includes(':') ? 6 : 4;
+    const agent = new (isHttps ? https : http).Agent({
+      lookup: (_hostname: string, _options: any, callback: Function) => {
+        callback(null, pinnedIP, family);
+      },
+    } as any);
+    requestOptions.agent = agent;
+  }
+
+  const proxyReq = transport.request(requestOptions, (upstreamRes) => {
+    const httpStatus = upstreamRes.statusCode || 502;
+
+    // Collect response headers
+    const responseHeaders: Record<string, string> = {};
+    for (const [key, value] of Object.entries(upstreamRes.headers)) {
+      if (value) responseHeaders[key] = Array.isArray(value) ? value.join(', ') : value;
+    }
+
+    // Remove hop-by-hop headers
+    delete responseHeaders['transfer-encoding'];
+    delete responseHeaders['connection'];
+    delete responseHeaders['keep-alive'];
+    delete responseHeaders['proxy-authenticate'];
+    delete responseHeaders['proxy-authorization'];
+    delete responseHeaders['upgrade'];
+
+    // Write status and headers to client
+    clientRes.writeHead(httpStatus, responseHeaders);
+
+    // Accumulate response body for post-DLP
+    let accumulated = '';
+    let accumulatedBytes = 0;
+    let truncated = false;
+
+    upstreamRes.on('data', (chunk: Buffer) => {
+      clientRes.write(chunk);
+      accumulatedBytes += chunk.length;
+      globalAccumulatedBytes += chunk.length;
+      if (accumulatedBytes <= MAX_ACCUMULATED_BYTES && globalAccumulatedBytes <= MAX_GLOBAL_ACCUMULATED_BYTES) {
+        accumulated += chunk.toString();
+      } else if (!truncated) {
+        truncated = true;
+        const reason = globalAccumulatedBytes > MAX_GLOBAL_ACCUMULATED_BYTES
+          ? `global accumulated bytes (${MAX_GLOBAL_ACCUMULATED_BYTES})`
+          : `per-request limit (${MAX_ACCUMULATED_BYTES})`;
+        logger.warn(`Response body truncated at ${reason} bytes for DLP scan`, { component: 'forward-proxy', target: targetUrl });
+      }
+    });
+
+    upstreamRes.on('end', () => {
+      clientRes.end();
+      globalAccumulatedBytes = Math.max(0, globalAccumulatedBytes - accumulatedBytes);
+
+      // Run post-execute pipeline in background (DLP scan, budget recording, audit)
+      gateway.postExecute(toolCall, {
+        http_status: httpStatus,
+        body: accumulated,
+        headers: responseHeaders,
+      }, pre).catch(err => {
+        logger.error('postExecute failed', { component: 'forward-proxy', error: err instanceof Error ? err.message : String(err) });
+      });
+    });
+
+    upstreamRes.on('error', (err) => {
+      // Release accumulated bytes to prevent counter leak on error
+      globalAccumulatedBytes = Math.max(0, globalAccumulatedBytes - accumulatedBytes);
+      if (!clientRes.headersSent) {
+        clientRes.writeHead(502, { 'Content-Type': 'application/json' });
+      }
+      clientRes.end(JSON.stringify({ error: `Upstream error: ${err.message}` }));
+    });
+  });
+
+  proxyReq.on('error', (err) => {
+    if (!clientRes.headersSent) {
+      clientRes.writeHead(502, { 'Content-Type': 'application/json' });
+    }
+    clientRes.end(JSON.stringify({ error: `Proxy connection failed: ${err.message}` }));
+  });
+
+  proxyReq.on('timeout', () => {
+    proxyReq.destroy();
+    if (!clientRes.headersSent) {
+      clientRes.writeHead(504, { 'Content-Type': 'application/json' });
+    }
+    clientRes.end(JSON.stringify({ error: `Upstream request timeout after ${timeoutMs}ms` }));
+  });
+
+  // Handle client disconnect
+  clientRes.on('close', () => {
+    if (!proxyReq.destroyed) {
+      proxyReq.destroy();
+    }
+  });
+
+  if (body) {
+    proxyReq.write(body);
+  }
+  proxyReq.end();
+}
+
+/**
+ * Handle a CONNECT tunnel request (HTTPS).
+ * Phase 1: Domain-level policy only — no content inspection.
+ * Builds a synthetic ToolCall for policy evaluation, then either
+ * establishes a TCP tunnel or returns 403.
+ */
+async function handleConnect(
+  req: http.IncomingMessage,
+  socket: net.Socket,
+  head: Buffer,
+  gateway: Gateway,
+  config: GatewayConfig,
+  proxyConfig: ProxyConfig,
+): Promise<void> {
+  const target = req.url || '';
+  const [hostname, portStr] = target.split(':');
+  const port = parseInt(portStr, 10) || 443;
+
+  // Auth
+  const headers: Record<string, string> = {};
+  for (const [key, value] of Object.entries(req.headers)) {
+    if (typeof value === 'string') headers[key] = value;
+  }
+
+  const auth = parseProxyAuth(headers, proxyConfig, config.auth);
+  if (!auth.authenticated) {
+    socket.write('HTTP/1.1 407 Proxy Authentication Required\r\n');
+    socket.write('Proxy-Authenticate: Basic realm="Palaryn Proxy"\r\n');
+    socket.write('Content-Type: application/json\r\n\r\n');
+    socket.write(JSON.stringify({ error: auth.error }));
+    socket.end();
+    return;
+  }
+
+  // Passthrough domains skip policy entirely
+  if (proxyConfig.passthrough_domains && isPassthrough(hostname, proxyConfig.passthrough_domains)) {
+    return establishTunnel(hostname, port, socket, head);
+  }
+
+  // Build a synthetic ToolCall for domain-level policy evaluation
+  const toolCall = buildToolCallFromProxy(
+    'CONNECT',
+    `https://${hostname}:${port}`,
+    headers,
+    undefined,
+    auth.workspace_id!,
+    auth.actor_id!,
+  );
+
+  // Run pre-execute pipeline (policy, rate limit, etc.)
+  try {
+    const pre = await gateway.preExecute(toolCall);
+    if (!pre.allowed) {
+      const reason = pre.result?.error || pre.result?.policy?.reasons?.join(', ') || 'Blocked by policy';
+      socket.write('HTTP/1.1 403 Forbidden\r\n');
+      socket.write('Content-Type: application/json\r\n\r\n');
+      socket.write(JSON.stringify({ error: reason }));
+      socket.end();
+      return;
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : 'Policy evaluation failed';
+    socket.write('HTTP/1.1 500 Internal Server Error\r\n');
+    socket.write('Content-Type: application/json\r\n\r\n');
+    socket.write(JSON.stringify({ error: message }));
+    socket.end();
+    return;
+  }
+
+  // SSRF protection with DNS pinning
+  let connectHost = hostname;
+  if (proxyConfig.ssrf_protection !== false) {
+    try {
+      connectHost = await validateResolvedIP(hostname);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'SSRF blocked';
+      socket.write('HTTP/1.1 403 Forbidden\r\n');
+      socket.write('Content-Type: application/json\r\n\r\n');
+      socket.write(JSON.stringify({ error: message }));
+      socket.end();
+      return;
+    }
+  }
+
+  return establishTunnel(connectHost, port, socket, head);
+}
+
+/** Establish a raw TCP tunnel for CONNECT requests */
+function establishTunnel(
+  hostname: string,
+  port: number,
+  clientSocket: net.Socket,
+  head: Buffer,
+): Promise<void> {
+  return new Promise((resolve, reject) => {
+    const upstream = net.connect(port, hostname, () => {
+      clientSocket.write('HTTP/1.1 200 Connection Established\r\n\r\n');
+      if (head.length > 0) {
+        upstream.write(head);
+      }
+      upstream.pipe(clientSocket);
+      clientSocket.pipe(upstream);
+      resolve();
+    });
+
+    upstream.on('error', (err) => {
+      clientSocket.write('HTTP/1.1 502 Bad Gateway\r\n\r\n');
+      clientSocket.end();
+      resolve(); // Don't reject — just close the tunnel
+    });
+
+    clientSocket.on('error', () => {
+      upstream.destroy();
+      resolve();
+    });
+
+    // Timeout for tunnel establishment
+    upstream.setTimeout(30000, () => {
+      upstream.destroy();
+      clientSocket.write('HTTP/1.1 504 Gateway Timeout\r\n\r\n');
+      clientSocket.end();
+      resolve();
+    });
+  });
+}
+
+export interface ForwardProxyServer {
+  server: http.Server;
+  listen: (port: number, callback?: () => void) => http.Server;
+  close: (callback?: (err?: Error) => void) => http.Server;
+}
+
+/**
+ * Create a forward HTTP proxy server that routes all requests through
+ * the Palaryn gateway pipeline (policy, DLP, budget, audit).
+ *
+ * Usage:
+ *   const proxy = createForwardProxy(gateway, config);
+ *   proxy.listen(3128);
+ *
+ * Clients configure:
+ *   HTTP_PROXY=http://workspace:apikey@localhost:3128
+ */
+export function createForwardProxy(
+  gateway: Gateway,
+  config: GatewayConfig,
+): ForwardProxyServer {
+  const proxyConfig = config.proxy || {
+    enabled: true,
+    port: 3128,
+    require_auth: true,
+  };
+
+  const timeoutMs = config.executor?.http?.timeout_ms || 15000;
+  const ssrfEnabled = proxyConfig.ssrf_protection !== false; // default: true
+
+  const server = http.createServer(async (req, res) => {
+    try {
+      // Proxy requests have absolute URLs: GET http://example.com/path HTTP/1.1
+      const targetUrl = req.url || '';
+
+      // Non-proxy requests (relative URL) get a 400
+      if (!targetUrl.startsWith('http://') && !targetUrl.startsWith('https://')) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({
+          error: 'Not a proxy request. Use this server as an HTTP proxy (HTTP_PROXY env var).',
+        }));
+        return;
+      }
+
+      const method = (req.method || 'GET').toUpperCase();
+      const parsedUrl = new URL(targetUrl);
+
+      // Extract headers as flat record
+      const headers: Record<string, string> = {};
+      for (const [key, value] of Object.entries(req.headers)) {
+        if (typeof value === 'string') headers[key] = value;
+        else if (Array.isArray(value)) headers[key] = value.join(', ');
+      }
+
+      // Auth
+      const auth = parseProxyAuth(headers, proxyConfig, config.auth);
+      if (!auth.authenticated) {
+        res.writeHead(407, {
+          'Content-Type': 'application/json',
+          'Proxy-Authenticate': 'Basic realm="Palaryn Proxy"',
+        });
+        res.end(JSON.stringify({ error: auth.error }));
+        return;
+      }
+
+      // Passthrough domains skip policy eval and DLP, but still run rate limiting and audit
+      if (proxyConfig.passthrough_domains && isPassthrough(parsedUrl.hostname, proxyConfig.passthrough_domains)) {
+        const bodyChunks: Buffer[] = [];
+        let requestBodyBytes = 0;
+        let bodyAborted = false;
+        req.on('data', (chunk: Buffer) => {
+          if (bodyAborted) return;
+          requestBodyBytes += chunk.length;
+          if (requestBodyBytes > MAX_REQUEST_BODY_BYTES) {
+            bodyAborted = true;
+            req.destroy();
+            res.writeHead(413, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: 'Request body too large', error_code: 'VALIDATION_FAILED' }));
+            return;
+          }
+          bodyChunks.push(chunk);
+        });
+        req.on('end', async () => {
+          if (bodyAborted) return;
+          const body = bodyChunks.length > 0 ? Buffer.concat(bodyChunks).toString() : undefined;
+          const toolCall = buildToolCallFromProxy(method, targetUrl, headers, body, auth.workspace_id!, auth.actor_id!);
+
+          // Rate limit check even for passthrough domains
+          const rateLimiter = gateway.getRateLimiter();
+          const rateLimitResult = rateLimiter.check(toolCall);
+          if (!rateLimitResult.allowed) {
+            res.writeHead(429, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({
+              error: `Rate limit exceeded (${rateLimitResult.blocked_by}): ${rateLimitResult.current}/${rateLimitResult.limit} requests in window`,
+              error_code: 'RATE_LIMIT_EXCEEDED',
+            }));
+            return;
+          }
+
+          // Audit logging for passthrough domains
+          const auditLogger = gateway.getAuditLogger();
+          auditLogger.logToolCallReceived(toolCall);
+
+          const pre: PreExecuteResult = { allowed: true, stepTimings: {}, startTime: Date.now() };
+          forwardRequest(method, targetUrl, headers, body, res, gateway, toolCall, pre, timeoutMs);
+        });
+        return;
+      }
+
+      // Read request body with size limit
+      const bodyChunks: Buffer[] = [];
+      let requestBodyBytes = 0;
+      let bodyAborted = false;
+      req.on('data', (chunk: Buffer) => {
+        if (bodyAborted) return;
+        requestBodyBytes += chunk.length;
+        if (requestBodyBytes > MAX_REQUEST_BODY_BYTES) {
+          bodyAborted = true;
+          req.destroy();
+          res.writeHead(413, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Request body too large', error_code: 'VALIDATION_FAILED' }));
+          return;
+        }
+        bodyChunks.push(chunk);
+      });
+      req.on('end', async () => {
+        if (bodyAborted) return;
+        const body = bodyChunks.length > 0 ? Buffer.concat(bodyChunks).toString() : undefined;
+
+        // Build synthetic ToolCall
+        const toolCall = buildToolCallFromProxy(
+          method,
+          targetUrl,
+          headers,
+          body,
+          auth.workspace_id!,
+          auth.actor_id!,
+        );
+
+        // SSRF protection with DNS pinning
+        let pinnedIP: string | undefined;
+        if (ssrfEnabled) {
+          try {
+            pinnedIP = await validateResolvedIP(parsedUrl.hostname);
+          } catch (err) {
+            const message = err instanceof Error ? err.message : 'SSRF blocked';
+            res.writeHead(403, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: message }));
+            return;
+          }
+        }
+
+        // Run pre-execute pipeline (rate limit, anomaly, policy, DLP, budget)
+        try {
+          const pre = await gateway.preExecute(toolCall);
+
+          if (!pre.allowed) {
+            const status = pre.result?.status === 'needs_approval' ? 202 : 403;
+            res.writeHead(status, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify(pre.result));
+            return;
+          }
+
+          // Forward the request to the target
+          // Use the processed tool call args (may have been transformed by policy)
+          const forwardBody = pre.processedToolCall
+            ? (typeof pre.processedToolCall.args.body === 'string'
+              ? pre.processedToolCall.args.body
+              : pre.processedToolCall.args.body ? JSON.stringify(pre.processedToolCall.args.body) : body)
+            : body;
+          const forwardHeaders = pre.processedToolCall?.args.headers as Record<string, string> || headers;
+
+          forwardRequest(method, targetUrl, forwardHeaders, forwardBody, res, gateway, toolCall, pre, timeoutMs, pinnedIP);
+
+        } catch (err) {
+          const message = err instanceof Error ? err.message : 'Internal proxy error';
+          if (!res.headersSent) {
+            res.writeHead(500, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: message }));
+          }
+        }
+      });
+
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Internal proxy error';
+      if (!res.headersSent) {
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: message }));
+      }
+    }
+  });
+
+  // Handle CONNECT method for HTTPS tunneling
+  server.on('connect', (req: http.IncomingMessage, socket: net.Socket, head: Buffer) => {
+    handleConnect(req, socket, head, gateway, config, proxyConfig).catch(err => {
+      logger.error('CONNECT handler error', { component: 'forward-proxy', error: err instanceof Error ? err.message : String(err) });
+      try {
+        socket.write('HTTP/1.1 500 Internal Server Error\r\n\r\n');
+        socket.end();
+      } catch (e) {
+        /* Socket already closed — expected when client disconnects */
+      }
+    });
+  });
+
+  return {
+    server,
+    listen: (port: number, callback?: () => void) => server.listen(port, callback),
+    close: (callback?: (err?: Error) => void) => server.close(callback),
+  };
+}

package/src/proxy/index.ts

@@ -0,0 +1 @@
+export { createForwardProxy, buildToolCallFromProxy, validateResolvedIP, ForwardProxyServer } from './forward-proxy';