feat: add intrinsic support for SOCKS proxies (#1966)

* Socks proxy support for TCP and TLS connections.

* Documentation.

* Ignore socks for UNIX domain sockets.

* Avoid bundling dead code.

* Naming.

* Update readme.

* Update lock file.

* Simplify.

Co-authored-by: Daniel Lando <daniel.sorridi@gmail.com>

* Trade duplexify against home-grown wrapper.

* Paranoia, linter.

* Minor cleanup.

* Tests.

* Use a fixed port for the tests.

* It seems TCP RST causes the remote to close without EOF on Linux -> test is useless on Linux.

* Switch back to dynamic port allocation.

---------

Co-authored-by: Daniel Lando <daniel.sorridi@gmail.com>

Author: DirtyHairy

README.md

@@ -429,6 +429,8 @@ The arguments are:
     CONNACK is received
   - `username`: the username required by your broker, if any
   - `password`: the password required by your broker, if any
+  - `socksProxy`: establish TCP and TLS connections via a socks proxy (URL, supported protocols are `socks5://`, `socks5h://`, `socks4://`, `socks4a://`)
+  - `socksTimeout`: timeout for connecting to the socks proxy
   - `incomingStore`: a [Store](#store) for the incoming packets
   - `outgoingStore`: a [Store](#store) for the outgoing packets
   - `queueQoSZero`: if connection is broken, queue outgoing QoS zero messages (default `true`)
@@ -486,6 +488,8 @@ The arguments are:
   - `forceNativeWebSocket`: set to true if you're having detection issues (i.e. the `ws does not work in the browser` exception) to force the use of native WebSocket. It is important to note that if set to true for the first client created, then all the clients will use native WebSocket. And conversely, if not set or set to false, all will use the detection result.
   - `unixSocket`: if you want to connect to a unix socket, set this to true
 
+Instead of setting `socksProxy` you can also supple the same parameter via the environment variable `MQTTJS_SOCKS_PROXY`.
+
 In case mqtts (mqtt over tls) is required, the `options` object is passed through to [`tls.connect()`](http://nodejs.org/api/tls.html#tls_tls_connect_options_callback). If using a **self-signed certificate**, set `rejectUnauthorized: false`. However, be cautious as this exposes you to potential man in the middle attacks and isn't recommended for production.
 
 For those supporting multiple TLS protocols on a single port, like MQTTS and MQTT over WSS, utilize the `ALPNProtocols` option. This lets you define the Application Layer Protocol Negotiation (ALPN) protocol. You can set `ALPNProtocols` as a string array, Buffer, or Uint8Array based on your setup.

esbuild.js

@@ -44,6 +44,26 @@ const options = {
                 )
             }
         },
+        {
+            name: 'resolve-socks',
+            setup(build) {
+                // socks is not supported in the browser and adds several 100kb to the build, so stub it
+                build.onResolve({ filter: /socks$/ }, args => {
+                    return {
+                        path: args.path,
+                        namespace: 'socks-stub'
+                    }
+                })
+
+                build.onLoad({ filter: /.*/, namespace: 'socks-stub' }, args => {
+                    return {
+                        contents: 'module.exports = {}',
+                        loader: 'js'
+                    }
+                }
+                )
+            }
+        },
     ],
 }
 

package-lock.json

@@ -124,6 +124,7 @@
     "readable-stream": "^4.7.0",
     "reinterval": "^1.1.0",
     "rfdc": "^1.4.1",
+    "socks": "^2.8.3",
     "split2": "^4.2.0",
     "worker-timers": "^7.1.8",
     "ws": "^8.18.0"

package.json

@@ -140,6 +140,10 @@ export interface IClientOptions extends ISecureClientOptions {
 	query?: Record<string, string>
 	/** Auth string in the format <username>:<password> */
 	auth?: string
+	/** Optional SOCKS proxy to use for TCP / TLS connections , i.e. socks5://localhost:1333, socks4://localhost:1333, socks5h://localhost:1333 . Default is socks5h. */
+	socksProxy?: string
+	/** Timeout for establishing a socks connection */
+	socksTimeout?: number
 	/** Custom ack handler */
 	customHandleAcks?: AckHandler
 	/** Broker port */

src/lib/client.ts

@@ -104,6 +104,15 @@ function connect(
 		opts.clientId = opts.query.clientId
 	}
 
+	if (isBrowser || opts.unixSocket) {
+		opts.socksProxy = undefined
+	} else if (
+		opts.socksProxy === undefined &&
+		typeof process !== 'undefined'
+	) {
+		opts.socksProxy = process.env['MQTTJS_SOCKS_PROXY']
+	}
+
 	if (opts.cert && opts.key) {
 		if (opts.protocol) {
 			if (['mqtts', 'wss', 'wxs', 'alis'].indexOf(opts.protocol) === -1) {