feat: add https server implementation

Author: bliuchak

eslint.config.mjs

@@ -2,7 +2,7 @@ import apifyTypescriptConfig from '@apify/eslint-config/ts.js';
 
 // eslint-disable-next-line import/no-default-export
 export default [
-    { ignores: ['**/dist', 'test'] }, // Ignores need to happen first
+    { ignores: ['**/dist', 'test', 'examples'] }, // Ignores need to happen first
     ...apifyTypescriptConfig,
     {
         languageOptions: {

examples/https_proxy_server.ts

@@ -0,0 +1,92 @@
+import { Server, generateCertificate } from '../src';
+
+// This example demonstrates how to create an HTTPS proxy server with a self-signed certificate.
+// The HTTPS proxy server works identically to the HTTP version but with TLS encryption.
+
+(async () => {
+    // Generate a self-signed certificate for development/testing
+    // In production, you should use a proper certificate from a Certificate Authority
+    console.log('Generating self-signed certificate...');
+    const { key, cert } = generateCertificate({
+        commonName: 'localhost',
+        validityDays: 365,
+        organization: 'Development',
+    });
+
+    console.log('Certificate generated successfully!');
+
+    // Create an HTTPS proxy server
+    const server = new Server({
+        // Use HTTPS instead of HTTP
+        serverType: 'https',
+
+        // Provide the TLS certificate and private key
+        httpsOptions: {
+            key,
+            cert,
+        },
+
+        // Port where the server will listen
+        port: 8443,
+
+        // Enable verbose logging to see what's happening
+        verbose: true,
+
+        // Optional: Add authentication and upstream proxy configuration
+        prepareRequestFunction: ({ username, hostname, port }) => {
+            console.log(`Request to ${hostname}:${port} from user: ${username || 'anonymous'}`);
+
+            // Example: Require authentication
+            // if (!username || !password) {
+            //     return {
+            //         requestAuthentication: true,
+            //         failMsg: 'Proxy credentials required',
+            //     };
+            // }
+
+            // Example: Use upstream proxy
+            // return {
+            //     upstreamProxyUrl: 'http://upstream-proxy.example.com:8000',
+            // };
+
+            // Allow the request
+            return {};
+        },
+    });
+
+    // Start the server
+    await server.listen();
+
+    console.log('\n======================================');
+    console.log(`HTTPS Proxy server is running on port ${server.port}`);
+    console.log('======================================\n');
+
+    console.log('To test the HTTPS proxy server, you can use:');
+    console.log('\n1. With curl (ignoring self-signed certificate):');
+    console.log(`   curl --proxy-insecure -x https://localhost:${server.port} -k http://example.com\n`);
+
+    console.log('2. Configure your browser to use HTTPS proxy:');
+    console.log(`   - Proxy: localhost`);
+    console.log(`   - Port: ${server.port}`);
+    console.log(`   - Type: HTTPS`);
+    console.log('   - Note: Browser may warn about self-signed certificate\n');
+
+    console.log('3. With Node.js https agent:');
+    console.log('   const agent = new HttpsProxyAgent(');
+    console.log(`     'https://localhost:${server.port}',`);
+    console.log('     { rejectUnauthorized: false } // for self-signed cert');
+    console.log('   );\n');
+
+    console.log('Press Ctrl+C to stop the server...\n');
+
+    // Handle graceful shutdown
+    process.on('SIGINT', async () => {
+        console.log('\nShutting down server...');
+        await server.close(true);
+        console.log('Server closed.');
+        process.exit(0);
+    });
+
+    // Keep the server running
+    await new Promise(() => {});
+})();

src/index.ts

@@ -1,6 +1,7 @@
 export * from './request_error';
 export * from './server';
 export * from './utils/redact_url';
+export * from './utils/generate_certificate';
 export * from './anonymize_proxy';
 export * from './tcp_tunnel_tools';
 

src/server.ts

@@ -3,6 +3,7 @@ import { Buffer } from 'node:buffer';
 import type dns from 'node:dns';
 import { EventEmitter } from 'node:events';
 import http from 'node:http';
+import https from 'node:https';
 import type net from 'node:net';
 import { URL } from 'node:url';
 import util from 'node:util';
@@ -91,6 +92,25 @@ export type PrepareRequestFunctionResult = {
 type Promisable<T> = T | Promise<T>;
 export type PrepareRequestFunction = (opts: PrepareRequestFunctionOpts) => Promisable<undefined | PrepareRequestFunctionResult>;
 
+interface ServerOptionsBase {
+    port?: number;
+    host?: string;
+    prepareRequestFunction?: PrepareRequestFunction;
+    verbose?: boolean;
+    authRealm?: unknown;
+}
+
+interface HttpServerOptions extends ServerOptionsBase {
+    serverType?: 'http';
+}
+
+interface HttpsServerOptions extends ServerOptionsBase {
+    serverType: 'https';
+    httpsOptions: https.ServerOptions;
+}
+
+export type ServerOptions = HttpServerOptions | HttpsServerOptions;
+
 /**
  * Represents the proxy server.
  * It emits the 'requestFailed' event on unexpected request errors, with the following parameter `{ error, request }`.
@@ -107,7 +127,9 @@ export class Server extends EventEmitter {
 
     verbose: boolean;
 
-    server: http.Server;
+    server: http.Server | https.Server;
+
+    serverType: 'http' | 'https';
 
     lastHandlerId: number;
 
@@ -119,6 +141,9 @@ export class Server extends EventEmitter {
      * Initializes a new instance of Server class.
      * @param options
      * @param [options.port] Port where the server will listen. By default 8000.
+     * @param [options.serverType] Type of server to create: 'http' or 'https'. By default 'http'.
+     * @param [options.httpsOptions] HTTPS server options (required when serverType is 'https').
+     * Accepts standard Node.js https.ServerOptions including key, cert, ca, passphrase, etc.
      * @param [options.prepareRequestFunction] Custom function to authenticate proxy requests,
      * provide URL to upstream proxy or potentially provide a function that generates a custom response to HTTP requests.
      * It accepts a single parameter which is an object:
@@ -149,13 +174,7 @@ export class Server extends EventEmitter {
      * @param [options.authRealm] Realm used in the Proxy-Authenticate header and also in the 'Server' HTTP header. By default it's `ProxyChain`.
      * @param [options.verbose] If true, the server will output logs
      */
-    constructor(options: {
-        port?: number,
-        host?: string,
-        prepareRequestFunction?: PrepareRequestFunction,
-        verbose?: boolean,
-        authRealm?: unknown,
-    } = {}) {
+    constructor(options: ServerOptions = {}) {
         super();
 
         if (options.port === undefined || options.port === null) {
@@ -169,12 +188,30 @@ export class Server extends EventEmitter {
         this.authRealm = options.authRealm || DEFAULT_AUTH_REALM;
         this.verbose = !!options.verbose;
 
-        this.server = http.createServer();
+        // Create server based on type
+        if (options.serverType === 'https') {
+            if (!options.httpsOptions) {
+                throw new Error('httpsOptions is required when serverType is "https"');
+            }
+            this.server = https.createServer(options.httpsOptions);
+            this.serverType = 'https';
+        } else {
+            this.server = http.createServer();
+            this.serverType = 'http';
+        }
+
+        // Attach event handlers (same for both HTTP and HTTPS)
         this.server.on('clientError', this.onClientError.bind(this));
         this.server.on('request', this.onRequest.bind(this));
         this.server.on('connect', this.onConnect.bind(this));
         this.server.on('connection', this.onConnection.bind(this));
 
+        // For HTTPS servers, also listen to secureConnection for proper TLS socket handling
+        // This ensures connection tracking works correctly with TLS sockets
+        if (this.serverType === 'https') {
+            this.server.on('secureConnection', this.onConnection.bind(this));
+        }
+
         this.lastHandlerId = 0;
         this.stats = {
             httpRequestCount: 0,
@@ -615,9 +652,11 @@ export class Server extends EventEmitter {
 
         const targetStats = getTargetStats(socket);
 
+        // For TLS sockets, bytesRead/bytesWritten might not be immediately available
+        // Use nullish coalescing to ensure we always have valid numeric values
         const result = {
-            srcTxBytes: socket.bytesWritten,
-            srcRxBytes: socket.bytesRead,
+            srcTxBytes: socket.bytesWritten ?? 0,
+            srcRxBytes: socket.bytesRead ?? 0,
             trgTxBytes: targetStats.bytesWritten,
             trgRxBytes: targetStats.bytesRead,
         };

src/utils/generate_certificate.ts

@@ -0,0 +1,123 @@
+import { execSync } from 'node:child_process';
+import { mkdtempSync, readFileSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+export interface GenerateCertificateOptions {
+    /**
+     * Common Name for the certificate (e.g., 'localhost', '*.example.com')
+     * @default 'localhost'
+     */
+    commonName?: string;
+
+    /**
+     * Number of days the certificate is valid for
+     * @default 365
+     */
+    validityDays?: number;
+
+    /**
+     * Key size in bits
+     * @default 2048
+     */
+    keySize?: number;
+
+    /**
+     * Organization name
+     * @default 'Development'
+     */
+    organization?: string;
+
+    /**
+     * Country code (2 letters)
+     * @default 'US'
+     */
+    countryCode?: string;
+}
+
+export interface GeneratedCertificate {
+    /**
+     * Private key in PEM format
+     */
+    key: string;
+
+    /**
+     * Certificate in PEM format
+     */
+    cert: string;
+}
+
+/**
+ * Generates a self-signed certificate for development/testing purposes.
+ * Requires OpenSSL to be installed on the system.
+ *
+ * @param options - Configuration options for certificate generation
+ * @returns Object containing the private key and certificate in PEM format
+ * @throws Error if OpenSSL is not available or certificate generation fails
+ *
+ * @example
+ * ```typescript
+ * import { generateCertificate, Server } from 'proxy-chain';
+ *
+ * // Generate a self-signed certificate
+ * const { key, cert } = generateCertificate({
+ *     commonName: 'localhost',
+ *     validityDays: 365,
+ * });
+ *
+ * // Create HTTPS proxy server
+ * const server = new Server({
+ *     port: 8443,
+ *     serverType: 'https',
+ *     httpsOptions: { key, cert },
+ * });
+ * ```
+ */
+export function generateCertificate(options: GenerateCertificateOptions = {}): GeneratedCertificate {
+    const {
+        commonName = 'localhost',
+        validityDays = 365,
+        keySize = 2048,
+        organization = 'Development',
+        countryCode = 'US',
+    } = options;
+
+    // Check if OpenSSL is available
+    try {
+        execSync('openssl version', { stdio: 'pipe' });
+    } catch {
+        throw new Error(
+            'OpenSSL is not available. Please install OpenSSL to generate certificates.\n'
+            + 'macOS: brew install openssl\n'
+            + 'Ubuntu/Debian: apt-get install openssl\n'
+            + 'Windows: https://slproweb.com/products/Win32OpenSSL.html',
+        );
+    }
+
+    // Create temporary directory for certificate generation
+    const tempDir = mkdtempSync(join(tmpdir(), 'proxy-chain-cert-'));
+
+    try {
+        const keyPath = join(tempDir, 'key.pem');
+        const certPath = join(tempDir, 'cert.pem');
+
+        // Build subject string
+        const subject = `/C=${countryCode}/O=${organization}/CN=${commonName}`;
+
+        // Generate private key and certificate in one command
+        const command = `openssl req -x509 -newkey rsa:${keySize} -nodes -keyout "${keyPath}" -out "${certPath}" -days ${validityDays} -subj "${subject}"`;
+
+        execSync(command, { stdio: 'pipe' });
+
+        // Read generated files
+        const key = readFileSync(keyPath, 'utf8');
+        const cert = readFileSync(certPath, 'utf8');
+
+        return { key, cert };
+    } catch (error) {
+        throw new Error(`Failed to generate certificate: ${(error as Error).message}`);
+    } finally {
+        // Clean up temporary directory
+        rmSync(tempDir, { recursive: true, force: true });
+    }
+}