feat(readme): Updated README with enhanced TLS handling, connection management, and troubleshooting sections.

changelog.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 2025-03-05 - 3.26.0 - feat(readme)
+Updated README with enhanced TLS handling, connection management, and troubleshooting sections.
+
+- Added details on enhanced TLS handling and browser compatibility improvements.
+- Included advanced connection management features like random timeout prevention.
+- Provided comprehensive troubleshooting tips for browser certificate errors and connection stability.
+- Clarified default configuration options and optimization settings for PortProxy.
+
 ## 2025-03-05 - 3.25.4 - fix(portproxy)
 Improve connection timeouts and detailed logging for PortProxy
 

readme.md

@@ -193,12 +193,14 @@ sequenceDiagram
 - **HTTPS Reverse Proxy** - Route traffic to backend services based on hostname with TLS termination
 - **WebSocket Support** - Full WebSocket proxying with heartbeat monitoring
 - **TCP Port Forwarding** - Advanced port forwarding with SNI inspection and domain-based routing
+- **Enhanced TLS Handling** - Robust TLS handshake processing with improved certificate error handling
 - **HTTP to HTTPS Redirection** - Automatically redirect HTTP requests to HTTPS
 - **Let's Encrypt Integration** - Automatic certificate management using ACME protocol
 - **IP Filtering** - Control access with IP allow/block lists using glob patterns
 - **IPTables Integration** - Direct manipulation of iptables for low-level port forwarding
 - **Basic Authentication** - Support for basic auth on proxied routes
-- **Connection Management** - Intelligent connection tracking and cleanup
+- **Connection Management** - Intelligent connection tracking and cleanup with configurable timeouts
+- **Browser Compatibility** - Optimized for modern browsers with fixes for common TLS handshake issues
 
 ## Installation
 
@@ -275,18 +277,38 @@ const portProxy = new PortProxy({
   toPort: 8443,
   targetIP: 'localhost', // Default target host
   sniEnabled: true,      // Enable SNI inspection
+  
+  // Enhanced reliability settings
+  initialDataTimeout: 60000,        // 60 seconds for initial TLS handshake
+  socketTimeout: 3600000,           // 1 hour socket timeout
+  maxConnectionLifetime: 3600000,   // 1 hour connection lifetime
+  inactivityTimeout: 3600000,       // 1 hour inactivity timeout
+  maxPendingDataSize: 10 * 1024 * 1024, // 10MB buffer for large TLS handshakes
+  
+  // Browser compatibility enhancement
+  enableTlsDebugLogging: false,     // Enable for troubleshooting TLS issues
+  
+  // Port and IP configuration
   globalPortRanges: [{ from: 443, to: 443 }],
   defaultAllowedIPs: ['*'], // Allow all IPs by default
+  
+  // Socket optimizations for better connection stability
+  noDelay: true,                    // Disable Nagle's algorithm
+  keepAlive: true,                  // Enable TCP keepalive
+  enableKeepAliveProbes: true,      // Enhanced keepalive for stability
+  
+  // Domain-specific routing configuration
   domainConfigs: [
     {
       domains: ['example.com', '*.example.com'], // Glob patterns for matching domains
       allowedIPs: ['192.168.1.*'],               // Restrict access by IP
       blockedIPs: ['192.168.1.100'],             // Block specific IPs
       targetIPs: ['10.0.0.1', '10.0.0.2'],       // Round-robin between multiple targets
-      portRanges: [{ from: 443, to: 443 }]
+      portRanges: [{ from: 443, to: 443 }],
+      connectionTimeout: 7200000                 // Domain-specific timeout (2 hours)
     }
   ],
-  maxConnectionLifetime: 3600000, // 1 hour in milliseconds
+  
   preserveSourceIP: true
 });
 
@@ -334,7 +356,7 @@ acmeHandler.addDomain('api.example.com');
 ### PortProxy Settings
 
 | Option                    | Description                                            | Default     |
-|--------------------------|--------------------------------------------------------|-------------|
+|---------------------------|--------------------------------------------------------|-------------|
 | `fromPort`                | Port to listen on                                      | -           |
 | `toPort`                  | Destination port to forward to                         | -           |
 | `targetIP`                | Default destination IP if not specified in domainConfig | 'localhost' |
@@ -342,10 +364,22 @@ acmeHandler.addDomain('api.example.com');
 | `defaultAllowedIPs`       | IP patterns allowed by default                         | -           |
 | `defaultBlockedIPs`       | IP patterns blocked by default                         | -           |
 | `preserveSourceIP`        | Preserve the original client IP                        | false       |
-| `maxConnectionLifetime`  | Maximum time in ms to keep a connection open           | 600000      |
+| `maxConnectionLifetime`   | Maximum time in ms to keep a connection open           | 3600000     |
+| `initialDataTimeout`      | Timeout for initial data/handshake in ms               | 60000       |
+| `socketTimeout`           | Socket inactivity timeout in ms                        | 3600000     |
+| `inactivityTimeout`       | Connection inactivity check timeout in ms              | 3600000     |
+| `inactivityCheckInterval` | How often to check for inactive connections in ms      | 60000       |
+| `maxPendingDataSize`      | Maximum bytes to buffer during connection setup        | 10485760    |
 | `globalPortRanges`        | Array of port ranges to listen on                      | -           |
 | `forwardAllGlobalRanges`  | Forward all global range connections to targetIP       | false       |
-| `gracefulShutdownTimeout`| Time in ms to wait during shutdown                     | 30000       |
+| `gracefulShutdownTimeout` | Time in ms to wait during shutdown                     | 30000       |
+| `noDelay`                 | Disable Nagle's algorithm                              | true        |
+| `keepAlive`               | Enable TCP keepalive                                   | true        |
+| `keepAliveInitialDelay`   | Initial delay before sending keepalive probes in ms    | 30000       |
+| `enableKeepAliveProbes`   | Enable enhanced TCP keep-alive probes                  | false       |
+| `enableTlsDebugLogging`   | Enable detailed TLS handshake debugging                | false       |
+| `enableDetailedLogging`   | Enable detailed connection logging                     | false       |
+| `enableRandomizedTimeouts`| Randomize timeouts slightly to prevent thundering herd | true        |
 
 ### IPTablesProxy Settings
 
@@ -359,14 +393,37 @@ acmeHandler.addDomain('api.example.com');
 
 ## Advanced Features
 
+### TLS Handshake Optimization
+
+The enhanced `PortProxy` implementation includes significant improvements for TLS handshake handling:
+
+- Robust SNI extraction with improved error handling
+- Increased buffer size for complex TLS handshakes (10MB)
+- Longer initial handshake timeout (60 seconds)
+- Detection and tracking of TLS connection states
+- Optional detailed TLS debug logging for troubleshooting
+- Browser compatibility fixes for Chrome certificate errors
+
+```typescript
+// Example configuration to solve Chrome certificate errors
+const portProxy = new PortProxy({
+  // ... other settings
+  initialDataTimeout: 60000,            // Give browser more time for handshake
+  maxPendingDataSize: 10 * 1024 * 1024, // Larger buffer for complex handshakes
+  enableTlsDebugLogging: true,          // Enable when troubleshooting
+});
+```
+
 ### Connection Management and Monitoring
 
 The `PortProxy` class includes built-in connection tracking and monitoring:
 
-- Automatic cleanup of idle connections
+- Automatic cleanup of idle connections with configurable timeouts
 - Timeouts for connections that exceed maximum lifetime
 - Detailed logging of connection states
 - Termination statistics
+- Randomized timeouts to prevent "thundering herd" problems
+- Per-domain timeout configuration
 
 ### WebSocket Support
 
@@ -385,6 +442,39 @@ The `PortProxy` class can inspect the SNI (Server Name Indication) field in TLS
 - Domain-specific allowed IP ranges
 - Protection against SNI renegotiation attacks
 
+## Troubleshooting
+
+### Browser Certificate Errors
+
+If you experience certificate errors in browsers, especially in Chrome, try these solutions:
+
+1. **Increase Initial Data Timeout**: Set `initialDataTimeout` to 60 seconds or higher
+2. **Increase Buffer Size**: Set `maxPendingDataSize` to 10MB or higher
+3. **Enable TLS Debug Logging**: Set `enableTlsDebugLogging: true` to troubleshoot handshake issues
+4. **Enable Keep-Alive Probes**: Set `enableKeepAliveProbes: true` for better connection stability
+5. **Check Certificate Chain**: Ensure your certificate chain is complete and in the correct order
+
+```typescript
+// Configuration to fix Chrome certificate errors
+const portProxy = new PortProxy({
+  // ... other settings
+  initialDataTimeout: 60000,
+  maxPendingDataSize: 10 * 1024 * 1024,
+  enableTlsDebugLogging: true,
+  enableKeepAliveProbes: true
+});
+```
+
+### Connection Stability
+
+For improved connection stability in high-traffic environments:
+
+1. **Set Appropriate Timeouts**: Use longer timeouts for long-lived connections
+2. **Use Domain-Specific Timeouts**: Configure per-domain timeouts for different types of services
+3. **Enable TCP Keep-Alive**: Ensure `keepAlive` is set to `true`
+4. **Monitor Connection Statistics**: Enable detailed logging to track termination reasons
+5. **Fine-tune Inactivity Checks**: Adjust `inactivityCheckInterval` based on your traffic patterns
+
 ## License and Legal Information
 
 This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. 

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.25.4',
+  version: '3.26.0',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, and dynamic routing with authentication options.'
 }