BREAKING_CHANGE(core): remove legacy forwarding module in favor of route-based system

- Removed the forwarding namespace export from main index - Removed TForwardingType and all forwarding handlers - Consolidated route helper functions into route-helpers.ts - All functionality is now available through the route-based system - Users must migrate from forwarding.* imports to direct route helper imports
fix(docs): update documentation to improve clarity
2025-07-21 18:44:59 +00:00 · 2025-07-21 12:23:22 +00:00 · 2025-07-21 08:52:07 +00:00
70 changed files with 1014 additions and 4566 deletions
--- a/certs/static-route/meta.json
+++ b/certs/static-route/meta.json
@@ -1,5 +1,5 @@
 {
-  "expiryDate": "2025-10-01T02:31:27.435Z",
-  "issueDate": "2025-07-03T02:31:27.435Z",
-  "savedAt": "2025-07-03T02:31:27.435Z"
+  "expiryDate": "2025-10-18T13:15:48.916Z",
+  "issueDate": "2025-07-20T13:15:48.916Z",
+  "savedAt": "2025-07-20T13:15:48.916Z"
 }
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,30 @@
 # Changelog

+## 2025-07-22 - 21.0.0 - BREAKING_CHANGE(forwarding)
+Remove legacy forwarding module
+
+- Removed the `forwarding` namespace export from main index
+- Removed TForwardingType and all forwarding handlers
+- Consolidated route helper functions into route-helpers.ts
+- All functionality is now available through the route-based system
+- MIGRATION: Replace `import { forwarding } from '@push.rocks/smartproxy'` with direct imports of route helpers
+
+## 2025-07-21 - 20.0.2 - fix(docs)
+Update documentation to improve clarity
+
+- Enhanced readme with clearer breaking change warning for v20.0.0
+- Fixed example email address from ssl@bleu.de to ssl@example.com
+- Added load balancing and failover features to feature list
+- Improved documentation structure and examples
+
+## 2025-07-20 - 20.0.1 - BREAKING_CHANGE(routing)
+Refactor route configuration to support multiple targets
+
+- Changed route action configuration from single `target` to `targets` array
+- Enables load balancing and failover capabilities with multiple upstream targets
+- Updated all test files to use new `targets` array syntax
+- Automatic certificate metadata refresh
+
 ## 2025-06-01 - 19.5.19 - fix(smartproxy)
 Fix connection handling and improve route matching edge cases

--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "19.6.17",
+  "version": "21.0.0",
  "private": false,
  "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
  "main": "dist_ts/index.js",
@@ -51,7 +51,8 @@
    "assets/**/*",
    "cli.js",
    "npmextra.json",
-    "readme.md"
+    "readme.md",
+    "changelog.md"
  ],
  "browserslist": [
    "last 1 chrome versions"
--- a/readme.md
+++ b/readme.md
--- a/test/core/routing/test.path-matcher.ts
+++ b/test/core/routing/test.path-matcher.ts
@@ -32,14 +32,14 @@ tap.test('PathMatcher - wildcard matching', async () => {
  const result = PathMatcher.match('/api/*', '/api/users/123/profile');
  expect(result.matches).toEqual(true);
  expect(result.pathMatch).toEqual('/api');  // Normalized without trailing slash
-  expect(result.pathRemainder).toEqual('users/123/profile');
+  expect(result.pathRemainder).toEqual('/users/123/profile');
 });

 tap.test('PathMatcher - mixed parameters and wildcards', async () => {
  const result = PathMatcher.match('/api/:version/*', '/api/v1/users/123');
  expect(result.matches).toEqual(true);
  expect(result.params).toEqual({ version: 'v1' });
-  expect(result.pathRemainder).toEqual('users/123');
+  expect(result.pathRemainder).toEqual('/users/123');
 });

 tap.test('PathMatcher - trailing slash normalization', async () => {
--- a/test/core/utils/test.shared-security-manager.ts
+++ b/test/core/utils/test.shared-security-manager.ts
@@ -58,7 +58,7 @@ tap.test('Shared Security Manager', async () => {
      },
      action: {
        type: 'forward',
-        target: { host: 'target.com', port: 443 }
+        targets: [{ host: 'target.com', port: 443 }]
      },
      security: {
        ipAllowList: ['10.0.0.*', '192.168.1.*'],
@@ -113,7 +113,7 @@ tap.test('Shared Security Manager', async () => {
      },
      action: {
        type: 'forward',
-        target: { host: 'target.com', port: 443 }
+        targets: [{ host: 'target.com', port: 443 }]
      },
      security: {
        rateLimit: {
--- a/test/test.acme-route-creation.ts
+++ b/test/test.acme-route-creation.ts
@@ -59,7 +59,7 @@ tap.test('should create ACME challenge route', async (tools) => {
        },
        action: {
          type: 'forward' as const,
-          target: { host: 'localhost', port: 8080 }
+          targets: [{ host: 'localhost', port: 8080 }]
        }
      },
      challengeRoute
--- a/test/test.acme-timing-simple.ts
+++ b/test/test.acme-timing-simple.ts
@@ -18,7 +18,7 @@ tap.test('should defer certificate provisioning until ports are ready', async (t
      },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8181 },
+        targets: [{ host: 'localhost', port: 8181 }],
        tls: {
          mode: 'terminate',
          certificate: 'auto',
--- a/test/test.acme-timing.ts
+++ b/test/test.acme-timing.ts
@@ -30,7 +30,7 @@ tap.test('should defer certificate provisioning until after ports are listening'
      },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8181 },
+        targets: [{ host: 'localhost', port: 8181 }],
        tls: {
          mode: 'terminate',
          certificate: 'auto',
@@ -126,7 +126,7 @@ tap.test('should have ACME challenge route ready before certificate provisioning
      },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8181 },
+        targets: [{ host: 'localhost', port: 8181 }],
        tls: {
          mode: 'terminate',
          certificate: 'auto'
--- a/test/test.certificate-acme-update.ts
+++ b/test/test.certificate-acme-update.ts
@@ -16,10 +16,10 @@ tap.test('SmartCertManager should call getCertificateForDomain with wildcard opt
    },
    action: {
      type: 'forward',
-      target: {
+      targets: [{
        host: 'localhost',
        port: 8080
-      },
+      }],
      tls: {
        mode: 'terminate',
        certificate: 'auto',
--- a/test/test.certificate-provision.ts
+++ b/test/test.certificate-provision.ts
@@ -59,10 +59,10 @@ tap.test('SmartProxy should support custom certificate provision function', asyn
        },
        action: {
          type: 'forward',
-          target: {
+          targets: [{
            host: 'localhost',
            port: 8080
-          },
+          }],
          tls: {
            mode: 'terminate',
            certificate: 'auto'
@@ -109,10 +109,10 @@ tap.test('Custom certificate provision function should be called', async () => {
        },
        action: {
          type: 'forward',
-          target: {
+          targets: [{
            host: 'localhost',
            port: 8080
-          },
+          }],
          tls: {
            mode: 'terminate',
            certificate: 'auto'
@@ -172,10 +172,10 @@ tap.test('Should fallback to ACME when custom provision fails', async () => {
        },
        action: {
          type: 'forward',
-          target: {
+          targets: [{
            host: 'localhost',
            port: 8080
-          },
+          }],
          tls: {
            mode: 'terminate',
            certificate: 'auto'
@@ -231,10 +231,10 @@ tap.test('Should not fallback when certProvisionFallbackToAcme is false', async
        },
        action: {
          type: 'forward',
-          target: {
+          targets: [{
            host: 'localhost',
            port: 8080
-          },
+          }],
          tls: {
            mode: 'terminate',
            certificate: 'auto'
@@ -310,10 +310,10 @@ tap.test('Should return http01 for unknown domains', async () => {
        },
        action: {
          type: 'forward',
-          target: {
+          targets: [{
            host: 'localhost',
            port: 8080
-          },
+          }],
          tls: {
            mode: 'terminate',
            certificate: 'auto'
--- a/test/test.certificate-provisioning.ts
+++ b/test/test.certificate-provisioning.ts
@@ -7,7 +7,7 @@ const testProxy = new SmartProxy({
    match: { ports: 9443, domains: 'test.local' },
    action: {
      type: 'forward',
-      target: { host: 'localhost', port: 8080 },
+      targets: [{ host: 'localhost', port: 8080 }],
      tls: {
        mode: 'terminate',
        certificate: 'auto',
@@ -67,7 +67,7 @@ tap.test('should handle static certificates', async () => {
      match: { ports: 9444, domains: 'static.example.com' },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8080 },
+        targets: [{ host: 'localhost', port: 8080 }],
        tls: {
          mode: 'terminate',
          certificate: {
@@ -96,7 +96,7 @@ tap.test('should handle ACME challenge routes', async () => {
      match: { ports: 9445, domains: 'acme.local' },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8080 },
+        targets: [{ host: 'localhost', port: 8080 }],
        tls: {
          mode: 'terminate',
          certificate: 'auto',
@@ -112,7 +112,7 @@ tap.test('should handle ACME challenge routes', async () => {
      match: { ports: 9081, domains: 'acme.local' },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8080 }
+        targets: [{ host: 'localhost', port: 8080 }]
      }
    }],
    acme: {
@@ -167,7 +167,7 @@ tap.test('should renew certificates', async () => {
      match: { ports: 9446, domains: 'renew.local' },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8080 },
+        targets: [{ host: 'localhost', port: 8080 }],
        tls: {
          mode: 'terminate',
          certificate: 'auto',
--- a/test/test.certificate-simple.ts
+++ b/test/test.certificate-simple.ts
@@ -8,7 +8,7 @@ tap.test('should create SmartProxy with certificate routes', async () => {
      match: { ports: 8443, domains: 'test.example.com' },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8080 },
+        targets: [{ host: 'localhost', port: 8080 }],
        tls: {
          mode: 'terminate',
          certificate: 'auto',
--- a/test/test.cleanup-queue-bug.node.ts
+++ b/test/test.cleanup-queue-bug.node.ts
@@ -13,7 +13,7 @@ tap.test('cleanup queue bug - verify queue processing handles more than batch si
      match: { ports: 8588 },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 9996 }
+        targets: [{ host: 'localhost', port: 9996 }]
      }
    }],
    enableDetailedLogging: false,
--- a/test/test.connect-disconnect-cleanup.node.ts
+++ b/test/test.connect-disconnect-cleanup.node.ts
@@ -18,10 +18,10 @@ tap.test('should handle clients that connect and immediately disconnect without
      match: { ports: 8560 },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 9999  // Non-existent port
-        }
+        }]
      }
    }]
  });
@@ -173,10 +173,10 @@ tap.test('should handle clients that error during connection', async () => {
      match: { ports: 8561 },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 9999
-        }
+        }]
      }
    }]
  });
--- a/test/test.connection-cleanup-comprehensive.node.ts
+++ b/test/test.connection-cleanup-comprehensive.node.ts
@@ -20,10 +20,10 @@ tap.test('comprehensive connection cleanup test - all scenarios', async () => {
        match: { ports: 8570 },
        action: {
          type: 'forward',
-          target: {
+          targets: [{
            host: 'localhost',
            port: 9999  // Non-existent port
-          }
+          }]
        }
      },
      {
@@ -31,10 +31,10 @@ tap.test('comprehensive connection cleanup test - all scenarios', async () => {
        match: { ports: 8571 },
        action: {
          type: 'forward',
-          target: {
+          targets: [{
            host: 'localhost',
            port: 9999  // Non-existent port
-          },
+          }],
          tls: {
            mode: 'passthrough'
          }
@@ -215,10 +215,10 @@ tap.test('comprehensive connection cleanup test - all scenarios', async () => {
      action: {
        type: 'forward',
        forwardingEngine: 'nftables',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 9999
-        }
+        }]
      }
    }]
  });
--- a/test/test.connection-forwarding.ts
+++ b/test/test.connection-forwarding.ts
@@ -65,10 +65,10 @@ tap.test('should forward TCP connections correctly', async () => {
        },
        action: {
          type: 'forward',
-          target: {
+          targets: [{
            host: '127.0.0.1',
            port: 7001,
-          },
+          }],
        },
      },
    ],
@@ -118,10 +118,10 @@ tap.test('should handle TLS passthrough correctly', async () => {
          tls: {
            mode: 'passthrough',
          },
-          target: {
+          targets: [{
            host: '127.0.0.1',
            port: 7002,
-          },
+          }],
        },
      },
    ],
@@ -179,10 +179,10 @@ tap.test('should handle SNI-based forwarding', async () => {
          tls: {
            mode: 'passthrough',
          },
-          target: {
+          targets: [{
            host: '127.0.0.1',
            port: 7002,
-          },
+          }],
        },
      },
      {
@@ -197,10 +197,10 @@ tap.test('should handle SNI-based forwarding', async () => {
          tls: {
            mode: 'passthrough',
          },
-          target: {
+          targets: [{
            host: '127.0.0.1',
            port: 7002,
-          },
+          }],
        },
      },
    ],
--- a/test/test.connection-limits.node.ts
+++ b/test/test.connection-limits.node.ts
@@ -90,10 +90,10 @@ tap.test('Setup test environment', async () => {
      },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: TEST_SERVER_PORT
-        }
+        }]
      },
      security: {
        maxConnections: 5 // Low limit for testing
@@ -198,10 +198,10 @@ tap.test('HttpProxy per-IP validation', async () => {
      },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: TEST_SERVER_PORT
-        },
+        }],
        tls: {
          mode: 'terminate'
        }
--- a/test/test.fix-verification.ts
+++ b/test/test.fix-verification.ts
@@ -9,7 +9,7 @@ tap.test('should verify certificate manager callback is preserved on updateRoute
      match: { ports: [18443], domains: ['test.local'] },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 3000 },
+        targets: [{ host: 'localhost', port: 3000 }],
        tls: {
          mode: 'terminate',
          certificate: 'auto',
@@ -63,7 +63,7 @@ tap.test('should verify certificate manager callback is preserved on updateRoute
    match: { ports: [18444], domains: ['test2.local'] },
    action: {
      type: 'forward',
-      target: { host: 'localhost', port: 3001 },
+      targets: [{ host: 'localhost', port: 3001 }],
      tls: {
        mode: 'terminate',
        certificate: 'auto',
--- a/test/test.forwarding-fix-verification.ts
+++ b/test/test.forwarding-fix-verification.ts
@@ -37,7 +37,7 @@ tap.test('regular forward route should work correctly', async () => {
      match: { ports: 7890 },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 6789 }
+        targets: [{ host: 'localhost', port: 6789 }]
      }
    }]
  });
@@ -106,7 +106,7 @@ tap.skip.test('NFTables forward route should not terminate connections (requires
      action: {
        type: 'forward',
        forwardingEngine: 'nftables',
-        target: { host: 'localhost', port: 6789 }
+        targets: [{ host: 'localhost', port: 6789 }]
      }
    }]
  });
--- a/test/test.forwarding-regression.ts
+++ b/test/test.forwarding-regression.ts
@@ -39,10 +39,10 @@ tap.test('forward connections should not be immediately closed', async (t) => {
        },
        action: {
          type: 'forward',
-          target: {
+          targets: [{
            host: '127.0.0.1',
            port: 9090,
-          },
+          }],
        },
      },
    ],
--- a/test/test.forwarding.ts
+++ b/test/test.forwarding.ts
@@ -1,9 +1,6 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import * as plugins from '../ts/plugins.js';
-import type { IForwardConfig, TForwardingType } from '../ts/forwarding/config/forwarding-types.js';

-// First, import the components directly to avoid issues with compiled modules
-import { ForwardingHandlerFactory } from '../ts/forwarding/factory/forwarding-factory.js';
 // Import route-based helpers
 import {
  createHttpRoute,
@@ -39,7 +36,7 @@ tap.test('Route Helpers - Create HTTP routes', async () => {
  const route = helpers.httpOnly('example.com', { host: 'localhost', port: 3000 });
  expect(route.action.type).toEqual('forward');
  expect(route.match.domains).toEqual('example.com');
-  expect(route.action.target).toEqual({ host: 'localhost', port: 3000 });
+  expect(route.action.targets?.[0]).toEqual({ host: 'localhost', port: 3000 });
 });

 tap.test('Route Helpers - Create HTTPS terminate to HTTP routes', async () => {
--- a/test/test.forwarding.unit.ts
+++ b/test/test.forwarding.unit.ts
@@ -1,53 +0,0 @@
-import { tap, expect } from '@git.zone/tstest/tapbundle';
-import * as plugins from '../ts/plugins.js';
-
-// First, import the components directly to avoid issues with compiled modules
-import { ForwardingHandlerFactory } from '../ts/forwarding/factory/forwarding-factory.js';
-// Import route-based helpers from the correct location
-import {
-  createHttpRoute,
-  createHttpsTerminateRoute,
-  createHttpsPassthroughRoute,
-  createHttpToHttpsRedirect,
-  createCompleteHttpsServer,
-  createLoadBalancerRoute
-} from '../ts/proxies/smart-proxy/utils/route-patterns.js';
-
-// Create helper functions for building forwarding configs
-const helpers = {
-  httpOnly: () => ({ type: 'http-only' as const }),
-  tlsTerminateToHttp: () => ({ type: 'https-terminate-to-http' as const }),
-  tlsTerminateToHttps: () => ({ type: 'https-terminate-to-https' as const }),
-  httpsPassthrough: () => ({ type: 'https-passthrough' as const })
-};
-
-tap.test('ForwardingHandlerFactory - apply defaults based on type', async () => {
-  // HTTP-only defaults
-  const httpConfig = {
-    type: 'http-only' as const,
-    target: { host: 'localhost', port: 3000 }
-  };
-  
-  const httpWithDefaults = ForwardingHandlerFactory['applyDefaults'](httpConfig);
-  
-  expect(httpWithDefaults.port).toEqual(80);
-  expect(httpWithDefaults.socket).toEqual('/tmp/forwarding-http-only-80.sock');
-  
-  // HTTPS passthrough defaults
-  const httpsPassthroughConfig = {
-    type: 'https-passthrough' as const,
-    target: { host: 'localhost', port: 443 }
-  };
-  
-  const httpsPassthroughWithDefaults = ForwardingHandlerFactory['applyDefaults'](httpsPassthroughConfig);
-  
-  expect(httpsPassthroughWithDefaults.port).toEqual(443);
-  expect(httpsPassthroughWithDefaults.socket).toEqual('/tmp/forwarding-https-passthrough-443.sock');
-});
-
-tap.test('ForwardingHandlerFactory - factory function for handlers', async () => {
-  // @todo Implement unit tests for ForwardingHandlerFactory
-  // These tests would need proper mocking of the handlers
-});
-
-export default tap.start();
--- a/test/test.http-fix-unit.ts
+++ b/test/test.http-fix-unit.ts
@@ -20,7 +20,7 @@ tap.test('should forward non-TLS connections on HttpProxy ports', async (tapTest
      match: { ports: testPort },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8181 }
+        targets: [{ host: 'localhost', port: 8181 }]
      }
    }]
  };
@@ -81,7 +81,7 @@ tap.test('should use direct connection for non-HttpProxy ports', async (tapTest)
      match: { ports: 8080 }, // Not in useHttpProxy
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8181 }
+        targets: [{ host: 'localhost', port: 8181 }]
      }
    }]
  };
@@ -142,7 +142,7 @@ tap.test('should handle ACME HTTP-01 challenges on port 80 with HttpProxy', asyn
      },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8080 }
+        targets: [{ host: 'localhost', port: 8080 }]
      }
    }]
  };
--- a/test/test.http-fix-verification.ts
+++ b/test/test.http-fix-verification.ts
@@ -14,7 +14,7 @@ tap.test('should detect and forward non-TLS connections on useHttpProxy ports',
      match: { ports: 8080 },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8181 }
+        targets: [{ host: 'localhost', port: 8181 }]
      }
    }]
  };
@@ -140,7 +140,7 @@ tap.test('should handle TLS connections normally', async (tapTest) => {
      match: { ports: 443 },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8443 },
+        targets: [{ host: 'localhost', port: 8443 }],
        tls: { mode: 'terminate' }
      }
    }]
--- a/test/test.http-forwarding-fix.ts
+++ b/test/test.http-forwarding-fix.ts
@@ -17,7 +17,7 @@ tap.test('should detect and forward non-TLS connections on HttpProxy ports', asy
      match: { ports: 8081 },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8181 }
+        targets: [{ host: 'localhost', port: 8181 }]
      }
    }]
  });
@@ -120,7 +120,7 @@ tap.test('should properly detect non-TLS connections on HttpProxy ports', async
      },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: targetPort }
+        targets: [{ host: 'localhost', port: targetPort }]
      }
    }]
  });
--- a/test/test.http-port8080-forwarding.ts
+++ b/test/test.http-port8080-forwarding.ts
@@ -42,7 +42,7 @@ tap.test('should forward HTTP connections on port 8080', async (tapTest) => {
      },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: targetPort }
+        targets: [{ host: 'localhost', port: targetPort }]
      }
    }]
  });
@@ -131,7 +131,7 @@ tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
      },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: targetPort }
+        targets: [{ host: 'localhost', port: targetPort }]
      }
    }]
  });
--- a/test/test.http-port8080-simple.ts
+++ b/test/test.http-port8080-simple.ts
@@ -67,7 +67,7 @@ tap.test('should handle ACME challenges on port 8080 with improved port binding
        },
        action: {
          type: 'forward',
-          target: { host: 'localhost', port: targetPort },
+          targets: [{ host: 'localhost', port: targetPort }],
          tls: {
            mode: 'terminate',
            certificate: 'auto'  // Use ACME for certificate
@@ -83,7 +83,7 @@ tap.test('should handle ACME challenges on port 8080 with improved port binding
        },
        action: {
          type: 'forward',
-          target: { host: 'localhost', port: targetPort }
+          targets: [{ host: 'localhost', port: targetPort }]
        }
      }
    ],
@@ -191,7 +191,7 @@ tap.test('should handle ACME challenges on port 8080 with improved port binding
        },
        action: {
          type: 'forward' as const,
-          target: { host: 'localhost', port: targetPort }
+          targets: [{ host: 'localhost', port: targetPort }]
        }
      }
    ];
--- a/test/test.httpproxy.function-targets.ts
+++ b/test/test.httpproxy.function-targets.ts
@@ -95,10 +95,10 @@ tap.test('should support static host/port routes', async () => {
      },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: serverPort
-        }
+        }]
      }
    }
  ];
@@ -135,13 +135,13 @@ tap.test('should support function-based host', async () => {
      },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: (context: IRouteContext) => {
            // Return localhost always in this test
            return 'localhost';
          },
          port: serverPort
-        }
+        }]
      }
    }
  ];
@@ -178,13 +178,13 @@ tap.test('should support function-based port', async () => {
      },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: (context: IRouteContext) => {
            // Return test server port
            return serverPort;
          }
-        }
+        }]
      }
    }
  ];
@@ -221,14 +221,14 @@ tap.test('should support function-based host AND port', async () => {
      },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: (context: IRouteContext) => {
            return 'localhost';
          },
          port: (context: IRouteContext) => {
            return serverPort;
          }
-        }
+        }]
      }
    }
  ];
@@ -265,7 +265,7 @@ tap.test('should support context-based routing with path', async () => {
      },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: (context: IRouteContext) => {
            // Use path to determine host
            if (context.path?.startsWith('/api')) {
@@ -275,7 +275,7 @@ tap.test('should support context-based routing with path', async () => {
            }
          },
          port: serverPort
-        }
+        }]
      }
    }
  ];
--- a/test/test.keepalive-support.node.ts
+++ b/test/test.keepalive-support.node.ts
@@ -40,7 +40,7 @@ tap.test('keepalive support - verify keepalive connections are properly handled'
      match: { ports: 8590 },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 9998 }
+        targets: [{ host: 'localhost', port: 9998 }]
      }
    }],
    keepAlive: true,
@@ -117,7 +117,7 @@ tap.test('keepalive support - verify keepalive connections are properly handled'
      match: { ports: 8591 },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 9998 }
+        targets: [{ host: 'localhost', port: 9998 }]
      }
    }],
    keepAlive: true,
@@ -178,7 +178,7 @@ tap.test('keepalive support - verify keepalive connections are properly handled'
      match: { ports: 8592 },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 9998 }
+        targets: [{ host: 'localhost', port: 9998 }]
      }
    }],
    keepAlive: true,
--- a/test/test.long-lived-connections.ts
+++ b/test/test.long-lived-connections.ts
@@ -39,10 +39,10 @@ tap.test('setup test environment', async () => {
      },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 9876
-        }
+        }]
        // No TLS configuration - just plain TCP forwarding
      }
    }],
--- a/test/test.metrics-new.ts
+++ b/test/test.metrics-new.ts
@@ -36,10 +36,10 @@ tap.test('should create SmartProxy instance with new metrics', async () => {
      },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: echoServerPort
-        },
+        }],
        tls: {
          mode: 'passthrough'
        }
--- a/test/test.nftables-forwarding.ts
+++ b/test/test.nftables-forwarding.ts
@@ -34,10 +34,10 @@ tap.skip.test('NFTables forwarding should not terminate connections (requires ro
        action: {
          type: 'forward',
          forwardingEngine: 'nftables',
-          target: {
+          targets: [{
            host: '127.0.0.1',
            port: 8001,
-          },
+          }],
        },
      },
      // Also add regular forwarding route for comparison
@@ -49,10 +49,10 @@ tap.skip.test('NFTables forwarding should not terminate connections (requires ro
        },
        action: {
          type: 'forward',
-          target: {
+          targets: [{
            host: '127.0.0.1',
            port: 8001,
-          },
+          }],
        },
      },
    ],
--- a/test/test.nftables-manager.ts
+++ b/test/test.nftables-manager.ts
@@ -42,10 +42,10 @@ const sampleRoute: IRouteConfig = {
  },
  action: {
    type: 'forward',
-    target: {
+    targets: [{
      host: 'localhost',
      port: 8000
-    },
+    }],
    forwardingEngine: 'nftables',
    nftables: {
      protocol: 'tcp',
@@ -115,10 +115,10 @@ tap.skip.test('NFTablesManager route updating test', async () => {
    ...sampleRoute,
    action: {
      ...sampleRoute.action,
-      target: {
+      targets: [{
        host: 'localhost',
        port: 9000 // Different port
-      },
+      }],
      nftables: {
        ...sampleRoute.action.nftables,
        protocol: 'all' // Different protocol
@@ -147,10 +147,10 @@ tap.skip.test('NFTablesManager route deprovisioning test', async () => {
    ...sampleRoute,
    action: {
      ...sampleRoute.action,
-      target: {
+      targets: [{
        host: 'localhost',
        port: 9000 // Different port from original test
-      },
+      }],
      nftables: {
        ...sampleRoute.action.nftables,
        protocol: 'all' // Different protocol from original test
--- a/test/test.nftables-status.ts
+++ b/test/test.nftables-status.ts
@@ -91,7 +91,7 @@ testFn('SmartProxy getNfTablesStatus functionality', async () => {
        match: { ports: 3004 },
        action: {
          type: 'forward',
-          target: { host: 'localhost', port: 3005 }
+          targets: [{ host: 'localhost', port: 3005 }]
        }
      }
    ]
--- a/test/test.port-forwarding-fix.ts
+++ b/test/test.port-forwarding-fix.ts
@@ -29,7 +29,7 @@ tap.test('port forwarding should not immediately close connections', async (tool
      match: { ports: 9999 },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 8888 }
+        targets: [{ host: 'localhost', port: 8888 }]
      }
    }]
  });
@@ -63,7 +63,7 @@ tap.test('TLS passthrough should work correctly', async () => {
      action: {
        type: 'forward',
        tls: { mode: 'passthrough' },
-        target: { host: 'localhost', port: 443 }
+        targets: [{ host: 'localhost', port: 443 }]
      }
    }]
  });
--- a/test/test.port-mapping.ts
+++ b/test/test.port-mapping.ts
@@ -214,12 +214,12 @@ tap.test('should handle errors in port mapping functions', async () => {
    },
    action: {
      type: 'forward',
-      target: {
+      targets: [{
        host: 'localhost',
        port: () => {
          throw new Error('Test error in port mapping function');
        }
-      }
+      }]
    },
    name: 'Error Route'
  };
--- a/test/test.port80-management.node.ts
+++ b/test/test.port80-management.node.ts
@@ -21,7 +21,7 @@ tap.test('should not double-register port 80 when user route and ACME use same p
        },
        action: {
          type: 'forward' as const,
-          target: { host: 'localhost', port: 3000 }
+          targets: [{ host: 'localhost', port: 3000 }]
        }
      },
      {
@@ -31,7 +31,7 @@ tap.test('should not double-register port 80 when user route and ACME use same p
        },
        action: {
          type: 'forward' as const,
-          target: { host: 'localhost', port: 3001 },
+          targets: [{ host: 'localhost', port: 3001 }],
          tls: {
            mode: 'terminate' as const,
            certificate: 'auto' as const
@@ -153,7 +153,7 @@ tap.test('should handle ACME on different port than user routes', async (tools)
        },
        action: {
          type: 'forward' as const,
-          target: { host: 'localhost', port: 3000 }
+          targets: [{ host: 'localhost', port: 3000 }]
        }
      },
      {
@@ -163,7 +163,7 @@ tap.test('should handle ACME on different port than user routes', async (tools)
        },
        action: {
          type: 'forward' as const,
-          target: { host: 'localhost', port: 3001 },
+          targets: [{ host: 'localhost', port: 3001 }],
          tls: {
            mode: 'terminate' as const,
            certificate: 'auto' as const
--- a/test/test.proxy-chain-cleanup.node.ts
+++ b/test/test.proxy-chain-cleanup.node.ts
@@ -15,10 +15,10 @@ tap.test('setup two smartproxies in a chain configuration', async () => {
        },
        action: {
          type: 'forward',
-          target: {
+          targets: [{
            host: 'httpbin.org',
            port: 443
-          }
+          }]
        }
      }
    ],
@@ -45,10 +45,10 @@ tap.test('setup two smartproxies in a chain configuration', async () => {
        },
        action: {
          type: 'forward',
-          target: {
+          targets: [{
            host: 'localhost',
            port: 8002
-          },
+          }],
          sendProxyProtocol: true
        }
      }
--- a/test/test.proxy-chain-simple.node.ts
+++ b/test/test.proxy-chain-simple.node.ts
@@ -32,10 +32,10 @@ tap.test('simple proxy chain test - identify connection accumulation', async ()
      match: { ports: 8591 },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 9998  // Backend that closes immediately
-        }
+        }]
      }
    }]
  });
@@ -50,10 +50,10 @@ tap.test('simple proxy chain test - identify connection accumulation', async ()
      match: { ports: 8590 },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 8591  // Forward to proxy2
-        }
+        }]
      }
    }]
  });
--- a/test/test.proxy-chaining-accumulation.node.ts
+++ b/test/test.proxy-chaining-accumulation.node.ts
@@ -19,10 +19,10 @@ tap.test('should handle proxy chaining without connection accumulation', async (
      match: { ports: 8581 },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 9999  // Non-existent backend
-        }
+        }]
      }
    }]
  });
@@ -37,10 +37,10 @@ tap.test('should handle proxy chaining without connection accumulation', async (
      match: { ports: 8580 },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 8581  // Forward to proxy2
-        }
+        }]
      }
    }]
  });
@@ -270,10 +270,10 @@ tap.test('should handle proxy chain with HTTP traffic', async () => {
      match: { ports: 8583 },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 9999  // Non-existent backend
-        }
+        }]
      }
    }]
  });
@@ -289,10 +289,10 @@ tap.test('should handle proxy chain with HTTP traffic', async () => {
      match: { ports: 8582 },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 8583  // Forward to proxy2
-        }
+        }]
      }
    }]
  });
--- a/test/test.rapid-retry-cleanup.node.ts
+++ b/test/test.rapid-retry-cleanup.node.ts
@@ -19,10 +19,10 @@ tap.test('should handle rapid connection retries without leaking connections', a
      match: { ports: 8550 },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 9999  // Non-existent port to force connection failures
-        }
+        }]
      }
    }]
  });
--- a/test/test.route-callback-simple.ts
+++ b/test/test.route-callback-simple.ts
@@ -17,7 +17,7 @@ tap.test('should set update routes callback on certificate manager', async () =>
      },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 3000 },
+        targets: [{ host: 'localhost', port: 3000 }],
        tls: {
          mode: 'terminate',
          certificate: 'auto',
@@ -95,7 +95,7 @@ tap.test('should set update routes callback on certificate manager', async () =>
    },
    action: {
      type: 'forward',
-      target: { host: 'localhost', port: 3001 },
+      targets: [{ host: 'localhost', port: 3001 }],
      tls: {
        mode: 'terminate',
        certificate: 'auto',
--- a/test/test.route-security-integration.ts
+++ b/test/test.route-security-integration.ts
@@ -28,10 +28,10 @@ tap.test('route security should block connections from unauthorized IPs', async
    },
    action: {
      type: 'forward',
-      target: {
+      targets: [{
        host: '127.0.0.1',
        port: 9990
-      }
+      }]
    },
    security: {
      // Only allow a non-existent IP
@@ -142,10 +142,10 @@ tap.test('route security with block list should work', async () => {
    },
    action: {
      type: 'forward',
-      target: {
+      targets: [{
        host: '127.0.0.1',
        port: 9992
-      }
+      }]
    },
    security: {  // Security at route level, not action level
      ipBlockList: ['127.0.0.1', '::1', '::ffff:127.0.0.1']
@@ -234,10 +234,10 @@ tap.test('route without security should allow all connections', async () => {
    },
    action: {
      type: 'forward',
-      target: {
+      targets: [{
        host: '127.0.0.1',
        port: 9994
-      }
+      }]
    }
    // No security defined
  }];
--- a/test/test.route-security-unit.ts
+++ b/test/test.route-security-unit.ts
@@ -10,10 +10,10 @@ tap.test('route security should be correctly configured', async () => {
    },
    action: {
      type: 'forward' as const,
-      target: {
+      targets: [{
        host: '127.0.0.1',
        port: 8991
-      },
+      }],
      security: {
        ipAllowList: ['192.168.1.1'],
        ipBlockList: ['10.0.0.1']
--- a/test/test.route-security.ts
+++ b/test/test.route-security.ts
@@ -26,10 +26,10 @@ tap.test('route-specific security should be enforced', async () => {
    },
    action: {
      type: 'forward',
-      target: {
+      targets: [{
        host: '127.0.0.1',
        port: 8877
-      }
+      }]
    },
    security: {
      ipAllowList: ['127.0.0.1', '::1', '::ffff:127.0.0.1']
@@ -108,10 +108,10 @@ tap.test('route-specific IP block list should be enforced', async () => {
    },
    action: {
      type: 'forward',
-      target: {
+      targets: [{
        host: '127.0.0.1',
        port: 8879
-      }
+      }]
    },
    security: {
      ipAllowList: ['0.0.0.0/0', '::/0'],  // Allow all IPs
@@ -215,10 +215,10 @@ tap.test('routes without security should allow all connections', async () => {
    },
    action: {
      type: 'forward',
-      target: {
+      targets: [{
        host: '127.0.0.1',
        port: 8881
-      }
+      }]
      // No security section - should allow all
    }
  }];
--- a/test/test.route-update-callback.node.ts
+++ b/test/test.route-update-callback.node.ts
@@ -13,10 +13,10 @@ const createRoute = (id: number, domain: string, port: number = 8443) => ({
  },
  action: {
    type: 'forward' as const,
-    target: {
+    targets: [{
      host: 'localhost',
      port: 3000 + id
-    },
+    }],
    tls: {
      mode: 'terminate' as const,
      certificate: 'auto' as const,
@@ -209,10 +209,10 @@ tap.test('should handle route updates when cert manager is not initialized', asy
      },
      action: {
        type: 'forward' as const,
-        target: {
+        targets: [{
          host: 'localhost',
          port: 3000
-        }
+        }]
      }
    }]
  });
--- a/test/test.route-utils.ts
+++ b/test/test.route-utils.ts
@@ -47,7 +47,7 @@ import {
  addRateLimiting,
  addBasicAuth,
  addJwtAuth
-} from '../ts/proxies/smart-proxy/utils/route-patterns.js';
+} from '../ts/proxies/smart-proxy/utils/route-helpers.js';

 import type {
  IRouteConfig,
--- a/test/test.router.ts
+++ b/test/test.router.ts
@@ -37,10 +37,10 @@ function createRouteConfig(
    },
    action: {
      type: 'forward',
-      target: {
+      targets: [{
        host: destinationIp,
        port: destinationPort
-      }
+      }]
    }
  };
 }
--- a/test/test.smartacme-integration.ts
+++ b/test/test.smartacme-integration.ts
@@ -15,10 +15,10 @@ tap.test('should create a SmartCertManager instance', async () => {
      },
      action: {
        type: 'forward',
-        target: { 
+        targets: [{ 
          host: 'localhost', 
          port: 3000 
-        },
+        }],
        tls: {
          mode: 'terminate',
          certificate: 'auto',
--- a/test/test.stuck-connection-cleanup.node.ts
+++ b/test/test.stuck-connection-cleanup.node.ts
@@ -30,7 +30,7 @@ tap.test('stuck connection cleanup - verify connections to hanging backends are
      match: { ports: 8589 },
      action: {
        type: 'forward',
-        target: { host: 'localhost', port: 9997 }
+        targets: [{ host: 'localhost', port: 9997 }]
      }
    }],
    keepAlive: true,
--- a/test/test.websocket-keepalive.node.ts
+++ b/test/test.websocket-keepalive.node.ts
@@ -17,7 +17,7 @@ tap.test('websocket keep-alive settings for SNI passthrough', async (tools) => {
        match: { ports: 8443, domains: 'test.local' },
        action: {
          type: 'forward',
-          target: { host: 'localhost', port: 9443 },
+          targets: [{ host: 'localhost', port: 9443 }],
          tls: { mode: 'passthrough' }
        }
      }
@@ -108,7 +108,7 @@ tap.test('long-lived connection survival test', async (tools) => {
        match: { ports: 8444 },
        action: {
          type: 'forward',
-          target: { host: 'localhost', port: 9444 }
+          targets: [{ host: 'localhost', port: 9444 }]
        }
      }
    ]
--- a/test/test.zombie-connection-cleanup.node.ts
+++ b/test/test.zombie-connection-cleanup.node.ts
@@ -52,10 +52,10 @@ tap.test('zombie connection cleanup - verify inactivity check detects and cleans
      match: { ports: 8591 },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 9998
-        }
+        }]
      }
    }]
  });
@@ -71,10 +71,10 @@ tap.test('zombie connection cleanup - verify inactivity check detects and cleans
      match: { ports: 8590 },
      action: {
        type: 'forward',
-        target: {
+        targets: [{
          host: 'localhost',
          port: 8591
-        }
+        }]
      }
    }]
  });
--- a/ts/forwarding/config/forwarding-types.ts
+++ b/ts/forwarding/config/forwarding-types.ts
@@ -1,76 +0,0 @@
-import type * as plugins from '../../plugins.js';
-
-/**
- * The primary forwarding types supported by SmartProxy
- * Used for configuration compatibility
- */
-export type TForwardingType =
-  | 'http-only'                // HTTP forwarding only (no HTTPS)
-  | 'https-passthrough'        // Pass-through TLS traffic (SNI forwarding)
-  | 'https-terminate-to-http'  // Terminate TLS and forward to HTTP backend
-  | 'https-terminate-to-https'; // Terminate TLS and forward to HTTPS backend
-
-/**
- * Event types emitted by forwarding handlers
- */
-export enum ForwardingHandlerEvents {
-  CONNECTED = 'connected',
-  DISCONNECTED = 'disconnected',
-  ERROR = 'error',
-  DATA_FORWARDED = 'data-forwarded',
-  HTTP_REQUEST = 'http-request',
-  HTTP_RESPONSE = 'http-response',
-  CERTIFICATE_NEEDED = 'certificate-needed',
-  CERTIFICATE_LOADED = 'certificate-loaded'
-}
-
-/**
- * Base interface for forwarding handlers
- */
-export interface IForwardingHandler extends plugins.EventEmitter {
-  initialize(): Promise<void>;
-  handleConnection(socket: plugins.net.Socket): void;
-  handleHttpRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void;
-}
-
-// Route-based helpers are now available directly from route-patterns.ts
-import {
-  createHttpRoute,
-  createHttpsTerminateRoute,
-  createHttpsPassthroughRoute,
-  createHttpToHttpsRedirect,
-  createCompleteHttpsServer,
-  createLoadBalancerRoute
-} from '../../proxies/smart-proxy/utils/route-patterns.js';
-
-export {
-  createHttpRoute,
-  createHttpsTerminateRoute,
-  createHttpsPassthroughRoute,
-  createHttpToHttpsRedirect,
-  createCompleteHttpsServer,
-  createLoadBalancerRoute
-};
-
-// Note: Legacy helper functions have been removed
-// Please use the route-based helpers instead:
-// - createHttpRoute
-// - createHttpsTerminateRoute
-// - createHttpsPassthroughRoute
-// - createHttpToHttpsRedirect
-import type { IRouteConfig } from '../../proxies/smart-proxy/models/route-types.js';
-
-// For backward compatibility, kept only the basic configuration interface
-export interface IForwardConfig {
-  type: TForwardingType;
-  target: {
-    host: string | string[];
-    port: number | 'preserve' | ((ctx: any) => number);
-  };
-  http?: any;
-  https?: any;
-  acme?: any;
-  security?: any;
-  advanced?: any;
-  [key: string]: any;
-}
--- a/ts/forwarding/config/index.ts
+++ b/ts/forwarding/config/index.ts
@@ -1,26 +0,0 @@
-/**
- * Forwarding configuration exports
- *
- * Note: The legacy domain-based configuration has been replaced by route-based configuration.
- * See /ts/proxies/smart-proxy/models/route-types.ts for the new route-based configuration.
- */
-
-export type { 
-  TForwardingType,
-  IForwardConfig,
-  IForwardingHandler
-} from './forwarding-types.js';
-
-export { 
-  ForwardingHandlerEvents
-} from './forwarding-types.js';
-
-// Import route helpers from route-patterns instead of deleted route-helpers
-export {
-  createHttpRoute,
-  createHttpsTerminateRoute,
-  createHttpsPassthroughRoute,
-  createHttpToHttpsRedirect,
-  createCompleteHttpsServer,
-  createLoadBalancerRoute
-} from '../../proxies/smart-proxy/utils/route-patterns.js';
--- a/ts/forwarding/factory/forwarding-factory.ts
+++ b/ts/forwarding/factory/forwarding-factory.ts
@@ -1,189 +0,0 @@
-import type { IForwardConfig } from '../config/forwarding-types.js';
-import { ForwardingHandler } from '../handlers/base-handler.js';
-import { HttpForwardingHandler } from '../handlers/http-handler.js';
-import { HttpsPassthroughHandler } from '../handlers/https-passthrough-handler.js';
-import { HttpsTerminateToHttpHandler } from '../handlers/https-terminate-to-http-handler.js';
-import { HttpsTerminateToHttpsHandler } from '../handlers/https-terminate-to-https-handler.js';
-
-/**
- * Factory for creating forwarding handlers based on the configuration type
- */
-export class ForwardingHandlerFactory {
-  /**
-   * Create a forwarding handler based on the configuration
-   * @param config The forwarding configuration
-   * @returns The appropriate forwarding handler
-   */
-  public static createHandler(config: IForwardConfig): ForwardingHandler {
-    // Create the appropriate handler based on the forwarding type
-    switch (config.type) {
-      case 'http-only':
-        return new HttpForwardingHandler(config);
-
-      case 'https-passthrough':
-        return new HttpsPassthroughHandler(config);
-
-      case 'https-terminate-to-http':
-        return new HttpsTerminateToHttpHandler(config);
-
-      case 'https-terminate-to-https':
-        return new HttpsTerminateToHttpsHandler(config);
-
-      default:
-        // Type system should prevent this, but just in case:
-        throw new Error(`Unknown forwarding type: ${(config as any).type}`);
-    }
-  }
-
-  /**
-   * Apply default values to a forwarding configuration based on its type
-   * @param config The original forwarding configuration
-   * @returns A configuration with defaults applied
-   */
-  public static applyDefaults(config: IForwardConfig): IForwardConfig {
-    // Create a deep copy of the configuration
-    const result: IForwardConfig = JSON.parse(JSON.stringify(config));
-    
-    // Apply defaults based on forwarding type
-    switch (config.type) {
-      case 'http-only':
-        // Set defaults for HTTP-only mode
-        result.http = {
-          enabled: true,
-          ...config.http
-        };
-        // Set default port and socket if not provided
-        if (!result.port) {
-          result.port = 80;
-        }
-        if (!result.socket) {
-          result.socket = `/tmp/forwarding-${config.type}-${result.port}.sock`;
-        }
-        break;
-        
-      case 'https-passthrough':
-        // Set defaults for HTTPS passthrough
-        result.https = {
-          forwardSni: true,
-          ...config.https
-        };
-        // SNI forwarding doesn't do HTTP
-        result.http = {
-          enabled: false,
-          ...config.http
-        };
-        // Set default port and socket if not provided
-        if (!result.port) {
-          result.port = 443;
-        }
-        if (!result.socket) {
-          result.socket = `/tmp/forwarding-${config.type}-${result.port}.sock`;
-        }
-        break;
-        
-      case 'https-terminate-to-http':
-        // Set defaults for HTTPS termination to HTTP
-        result.https = {
-          ...config.https
-        };
-        // Support HTTP access by default in this mode
-        result.http = {
-          enabled: true,
-          redirectToHttps: true,
-          ...config.http
-        };
-        // Enable ACME by default
-        result.acme = {
-          enabled: true,
-          maintenance: true,
-          ...config.acme
-        };
-        // Set default port and socket if not provided
-        if (!result.port) {
-          result.port = 443;
-        }
-        if (!result.socket) {
-          result.socket = `/tmp/forwarding-${config.type}-${result.port}.sock`;
-        }
-        break;
-        
-      case 'https-terminate-to-https':
-        // Similar to terminate-to-http but with different target handling
-        result.https = {
-          ...config.https
-        };
-        result.http = {
-          enabled: true,
-          redirectToHttps: true,
-          ...config.http
-        };
-        result.acme = {
-          enabled: true,
-          maintenance: true,
-          ...config.acme
-        };
-        // Set default port and socket if not provided
-        if (!result.port) {
-          result.port = 443;
-        }
-        if (!result.socket) {
-          result.socket = `/tmp/forwarding-${config.type}-${result.port}.sock`;
-        }
-        break;
-    }
-    
-    return result;
-  }
-  
-  /**
-   * Validate a forwarding configuration
-   * @param config The configuration to validate
-   * @throws Error if the configuration is invalid
-   */
-  public static validateConfig(config: IForwardConfig): void {
-    // Validate common properties
-    if (!config.target) {
-      throw new Error('Forwarding configuration must include a target');
-    }
-    
-    if (!config.target.host || (Array.isArray(config.target.host) && config.target.host.length === 0)) {
-      throw new Error('Target must include a host or array of hosts');
-    }
-    
-    // Validate port if it's a number
-    if (typeof config.target.port === 'number') {
-      if (config.target.port <= 0 || config.target.port > 65535) {
-        throw new Error('Target must include a valid port (1-65535)');
-      }
-    } else if (config.target.port !== 'preserve' && typeof config.target.port !== 'function') {
-      throw new Error('Target port must be a number, "preserve", or a function');
-    }
-    
-    // Type-specific validation
-    switch (config.type) {
-      case 'http-only':
-        // HTTP-only needs http.enabled to be true
-        if (config.http?.enabled === false) {
-          throw new Error('HTTP-only forwarding must have HTTP enabled');
-        }
-        break;
-        
-      case 'https-passthrough':
-        // HTTPS passthrough doesn't support HTTP
-        if (config.http?.enabled === true) {
-          throw new Error('HTTPS passthrough does not support HTTP');
-        }
-        
-        // HTTPS passthrough doesn't work with ACME
-        if (config.acme?.enabled === true) {
-          throw new Error('HTTPS passthrough does not support ACME');
-        }
-        break;
-        
-      case 'https-terminate-to-http':
-      case 'https-terminate-to-https':
-        // These modes support all options, nothing specific to validate
-        break;
-    }
-  }
-}
--- a/ts/forwarding/factory/index.ts
+++ b/ts/forwarding/factory/index.ts
@@ -1,5 +0,0 @@
-/**
- * Forwarding factory implementations
- */
-
-export { ForwardingHandlerFactory } from './forwarding-factory.js';
--- a/ts/forwarding/handlers/base-handler.ts
+++ b/ts/forwarding/handlers/base-handler.ts
@@ -1,155 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type {
-  IForwardConfig,
-  IForwardingHandler
-} from '../config/forwarding-types.js';
-import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
-
-/**
- * Base class for all forwarding handlers
- */
-export abstract class ForwardingHandler extends plugins.EventEmitter implements IForwardingHandler {
-  /**
-   * Create a new ForwardingHandler
-   * @param config The forwarding configuration
-   */
-  constructor(protected config: IForwardConfig) {
-    super();
-  }
-  
-  /**
-   * Initialize the handler
-   * Base implementation does nothing, subclasses should override as needed
-   */
-  public async initialize(): Promise<void> {
-    // Base implementation - no initialization needed
-  }
-
-  /**
-   * Handle a new socket connection
-   * @param socket The incoming socket connection
-   */
-  public abstract handleConnection(socket: plugins.net.Socket): void;
-  
-  /**
-   * Handle an HTTP request
-   * @param req The HTTP request
-   * @param res The HTTP response
-   */
-  public abstract handleHttpRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void;
-  
-  /**
-   * Get a target from the configuration, supporting round-robin selection
-   * @param incomingPort Optional incoming port for 'preserve' mode
-   * @returns A resolved target object with host and port
-   */
-  protected getTargetFromConfig(incomingPort: number = 80): { host: string, port: number } {
-    const { target } = this.config;
-    
-    // Handle round-robin host selection
-    if (Array.isArray(target.host)) {
-      if (target.host.length === 0) {
-        throw new Error('No target hosts specified');
-      }
-      
-      // Simple round-robin selection
-      const randomIndex = Math.floor(Math.random() * target.host.length);
-      return {
-        host: target.host[randomIndex],
-        port: this.resolvePort(target.port, incomingPort)
-      };
-    }
-    
-    // Single host
-    return {
-      host: target.host,
-      port: this.resolvePort(target.port, incomingPort)
-    };
-  }
-  
-  /**
-   * Resolves a port value, handling 'preserve' and function ports
-   * @param port The port value to resolve
-   * @param incomingPort Optional incoming port to use for 'preserve' mode
-   */
-  protected resolvePort(
-    port: number | 'preserve' | ((ctx: any) => number), 
-    incomingPort: number = 80
-  ): number {
-    if (typeof port === 'function') {
-      try {
-        // Create a minimal context for the function that includes the incoming port
-        const ctx = { port: incomingPort };
-        return port(ctx);
-      } catch (err) {
-        console.error('Error resolving port function:', err);
-        return incomingPort; // Fall back to incoming port
-      }
-    } else if (port === 'preserve') {
-      return incomingPort; // Use the actual incoming port for 'preserve'
-    } else {
-      return port;
-    }
-  }
-
-  /**
-   * Redirect an HTTP request to HTTPS
-   * @param req The HTTP request
-   * @param res The HTTP response
-   */
-  protected redirectToHttps(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
-    const host = req.headers.host || '';
-    const path = req.url || '/';
-    const redirectUrl = `https://${host}${path}`;
-    
-    res.writeHead(301, {
-      'Location': redirectUrl,
-      'Cache-Control': 'no-cache'
-    });
-    res.end(`Redirecting to ${redirectUrl}`);
-    
-    this.emit(ForwardingHandlerEvents.HTTP_RESPONSE, {
-      statusCode: 301,
-      headers: { 'Location': redirectUrl },
-      size: 0
-    });
-  }
-  
-  /**
-   * Apply custom headers from configuration
-   * @param headers The original headers
-   * @param variables Variables to replace in the headers
-   * @returns The headers with custom values applied
-   */
-  protected applyCustomHeaders(
-    headers: Record<string, string | string[] | undefined>,
-    variables: Record<string, string>
-  ): Record<string, string | string[] | undefined> {
-    const customHeaders = this.config.advanced?.headers || {};
-    const result = { ...headers };
-    
-    // Apply custom headers with variable substitution
-    for (const [key, value] of Object.entries(customHeaders)) {
-      if (typeof value !== 'string') continue;
-
-      let processedValue = value;
-
-      // Replace variables in the header value
-      for (const [varName, varValue] of Object.entries(variables)) {
-        processedValue = processedValue.replace(`{${varName}}`, varValue);
-      }
-
-      result[key] = processedValue;
-    }
-    
-    return result;
-  }
-  
-  /**
-   * Get the timeout for this connection from configuration
-   * @returns Timeout in milliseconds
-   */
-  protected getTimeout(): number {
-    return this.config.advanced?.timeout || 60000; // Default: 60 seconds
-  }
-}
--- a/ts/forwarding/handlers/http-handler.ts
+++ b/ts/forwarding/handlers/http-handler.ts
@@ -1,163 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { ForwardingHandler } from './base-handler.js';
-import type { IForwardConfig } from '../config/forwarding-types.js';
-import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
-import { setupSocketHandlers } from '../../core/utils/socket-utils.js';
-
-/**
- * Handler for HTTP-only forwarding
- */
-export class HttpForwardingHandler extends ForwardingHandler {
-  /**
-   * Create a new HTTP forwarding handler
-   * @param config The forwarding configuration
-   */
-  constructor(config: IForwardConfig) {
-    super(config);
-
-    // Validate that this is an HTTP-only configuration
-    if (config.type !== 'http-only') {
-      throw new Error(`Invalid configuration type for HttpForwardingHandler: ${config.type}`);
-    }
-  }
-
-  /**
-   * Initialize the handler
-   * HTTP handler doesn't need special initialization
-   */
-  public async initialize(): Promise<void> {
-    // Basic initialization from parent class
-    await super.initialize();
-  }
-  
-  /**
-   * Handle a raw socket connection
-   * HTTP handler doesn't do much with raw sockets as it mainly processes
-   * parsed HTTP requests
-   */
-  public handleConnection(socket: plugins.net.Socket): void {
-    // For HTTP, we mainly handle parsed requests, but we can still set up
-    // some basic connection tracking
-    const remoteAddress = socket.remoteAddress || 'unknown';
-    const localPort = socket.localPort || 80;
-    
-    // Set up socket handlers with proper cleanup
-    const handleClose = (reason: string) => {
-      this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-        remoteAddress,
-        reason
-      });
-    };
-    
-    // Use custom timeout handler that doesn't close the socket
-    setupSocketHandlers(socket, handleClose, () => {
-      // For HTTP, we can be more aggressive with timeouts since connections are shorter
-      // But still don't close immediately - let the connection finish naturally
-      console.warn(`HTTP socket timeout from ${remoteAddress}`);
-    }, 'http');
-    
-    socket.on('error', (error) => {
-      this.emit(ForwardingHandlerEvents.ERROR, {
-        remoteAddress,
-        error: error.message
-      });
-    });
-    
-    this.emit(ForwardingHandlerEvents.CONNECTED, {
-      remoteAddress,
-      localPort
-    });
-  }
-  
-  /**
-   * Handle an HTTP request
-   * @param req The HTTP request
-   * @param res The HTTP response
-   */
-  public handleHttpRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
-    // Get the local port from the request (for 'preserve' port handling)
-    const localPort = req.socket.localPort || 80;
-    
-    // Get the target from configuration, passing the incoming port
-    const target = this.getTargetFromConfig(localPort);
-    
-    // Create a custom headers object with variables for substitution
-    const variables = {
-      clientIp: req.socket.remoteAddress || 'unknown'
-    };
-    
-    // Prepare headers, merging with any custom headers from config
-    const headers = this.applyCustomHeaders(req.headers, variables);
-    
-    // Create the proxy request options
-    const options = {
-      hostname: target.host,
-      port: target.port,
-      path: req.url,
-      method: req.method,
-      headers
-    };
-    
-    // Create the proxy request
-    const proxyReq = plugins.http.request(options, (proxyRes) => {
-      // Copy status code and headers from the proxied response
-      res.writeHead(proxyRes.statusCode || 500, proxyRes.headers);
-      
-      // Pipe the proxy response to the client response
-      proxyRes.pipe(res);
-      
-      // Track bytes for logging
-      let responseSize = 0;
-      proxyRes.on('data', (chunk) => {
-        responseSize += chunk.length;
-      });
-      
-      proxyRes.on('end', () => {
-        this.emit(ForwardingHandlerEvents.HTTP_RESPONSE, {
-          statusCode: proxyRes.statusCode,
-          headers: proxyRes.headers,
-          size: responseSize
-        });
-      });
-    });
-    
-    // Handle errors in the proxy request
-    proxyReq.on('error', (error) => {
-      this.emit(ForwardingHandlerEvents.ERROR, {
-        remoteAddress: req.socket.remoteAddress,
-        error: `Proxy request error: ${error.message}`
-      });
-      
-      // Send an error response if headers haven't been sent yet
-      if (!res.headersSent) {
-        res.writeHead(502, { 'Content-Type': 'text/plain' });
-        res.end(`Error forwarding request: ${error.message}`);
-      } else {
-        // Just end the response if headers have already been sent
-        res.end();
-      }
-    });
-    
-    // Track request details for logging
-    let requestSize = 0;
-    req.on('data', (chunk) => {
-      requestSize += chunk.length;
-    });
-    
-    // Log the request
-    this.emit(ForwardingHandlerEvents.HTTP_REQUEST, {
-      method: req.method,
-      url: req.url,
-      headers: req.headers,
-      remoteAddress: req.socket.remoteAddress,
-      target: `${target.host}:${target.port}`
-    });
-    
-    // Pipe the client request to the proxy request
-    if (req.readable) {
-      req.pipe(proxyReq);
-    } else {
-      proxyReq.end();
-    }
-  }
-}
--- a/ts/forwarding/handlers/https-passthrough-handler.ts
+++ b/ts/forwarding/handlers/https-passthrough-handler.ts
@@ -1,185 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { ForwardingHandler } from './base-handler.js';
-import type { IForwardConfig } from '../config/forwarding-types.js';
-import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
-import { createIndependentSocketHandlers, setupSocketHandlers, createSocketWithErrorHandler } from '../../core/utils/socket-utils.js';
-
-/**
- * Handler for HTTPS passthrough (SNI forwarding without termination)
- */
-export class HttpsPassthroughHandler extends ForwardingHandler {
-  /**
-   * Create a new HTTPS passthrough handler
-   * @param config The forwarding configuration
-   */
-  constructor(config: IForwardConfig) {
-    super(config);
-
-    // Validate that this is an HTTPS passthrough configuration
-    if (config.type !== 'https-passthrough') {
-      throw new Error(`Invalid configuration type for HttpsPassthroughHandler: ${config.type}`);
-    }
-  }
-
-  /**
-   * Initialize the handler
-   * HTTPS passthrough handler doesn't need special initialization
-   */
-  public async initialize(): Promise<void> {
-    // Basic initialization from parent class
-    await super.initialize();
-  }
-  
-  /**
-   * Handle a TLS/SSL socket connection by forwarding it without termination
-   * @param clientSocket The incoming socket from the client
-   */
-  public handleConnection(clientSocket: plugins.net.Socket): void {
-    // Get the target from configuration
-    const target = this.getTargetFromConfig();
-    
-    // Log the connection
-    const remoteAddress = clientSocket.remoteAddress || 'unknown';
-    const remotePort = clientSocket.remotePort || 0;
-    
-    this.emit(ForwardingHandlerEvents.CONNECTED, {
-      remoteAddress,
-      remotePort,
-      target: `${target.host}:${target.port}`
-    });
-    
-    // Track data transfer for logging
-    let bytesSent = 0;
-    let bytesReceived = 0;
-    let serverSocket: plugins.net.Socket | null = null;
-    let cleanupClient: ((reason: string) => Promise<void>) | null = null;
-    let cleanupServer: ((reason: string) => Promise<void>) | null = null;
-    
-    // Create a connection to the target server with immediate error handling
-    serverSocket = createSocketWithErrorHandler({
-      port: target.port,
-      host: target.host,
-      onError: async (error) => {
-        // Server connection failed - clean up client socket immediately
-        this.emit(ForwardingHandlerEvents.ERROR, {
-          error: error.message,
-          code: (error as any).code || 'UNKNOWN',
-          remoteAddress,
-          target: `${target.host}:${target.port}`
-        });
-        
-        // Clean up the client socket since we can't forward
-        if (!clientSocket.destroyed) {
-          clientSocket.destroy();
-        }
-        
-        this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-          remoteAddress,
-          bytesSent: 0,
-          bytesReceived: 0,
-          reason: `server_connection_failed: ${error.message}`
-        });
-      },
-      onConnect: () => {
-        // Connection successful - set up forwarding handlers
-        const handlers = createIndependentSocketHandlers(
-          clientSocket,
-          serverSocket!,
-          (reason) => {
-            this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-              remoteAddress,
-              bytesSent,
-              bytesReceived,
-              reason
-            });
-          }
-        );
-        
-        cleanupClient = handlers.cleanupClient;
-        cleanupServer = handlers.cleanupServer;
-        
-        // Setup handlers with custom timeout handling that doesn't close connections
-        const timeout = this.getTimeout();
-        
-        setupSocketHandlers(clientSocket, cleanupClient, (socket) => {
-          // Just reset timeout, don't close
-          socket.setTimeout(timeout);
-        }, 'client');
-        
-        setupSocketHandlers(serverSocket!, cleanupServer, (socket) => {
-          // Just reset timeout, don't close  
-          socket.setTimeout(timeout);
-        }, 'server');
-        
-        // Forward data from client to server
-        clientSocket.on('data', (data) => {
-          bytesSent += data.length;
-          
-          // Check if server socket is writable
-          if (serverSocket && serverSocket.writable) {
-            const flushed = serverSocket.write(data);
-            
-            // Handle backpressure
-            if (!flushed) {
-              clientSocket.pause();
-              serverSocket.once('drain', () => {
-                clientSocket.resume();
-              });
-            }
-          }
-          
-          this.emit(ForwardingHandlerEvents.DATA_FORWARDED, {
-            direction: 'outbound',
-            bytes: data.length,
-            total: bytesSent
-          });
-        });
-        
-        // Forward data from server to client
-        serverSocket!.on('data', (data) => {
-          bytesReceived += data.length;
-          
-          // Check if client socket is writable
-          if (clientSocket.writable) {
-            const flushed = clientSocket.write(data);
-            
-            // Handle backpressure
-            if (!flushed) {
-              serverSocket!.pause();
-              clientSocket.once('drain', () => {
-                serverSocket!.resume();
-              });
-            }
-          }
-          
-          this.emit(ForwardingHandlerEvents.DATA_FORWARDED, {
-            direction: 'inbound',
-            bytes: data.length,
-            total: bytesReceived
-          });
-        });
-        
-        // Set initial timeouts - they will be reset on each timeout event  
-        clientSocket.setTimeout(timeout);
-        serverSocket!.setTimeout(timeout);
-      }
-    });
-  }
-  
-  /**
-   * Handle an HTTP request - HTTPS passthrough doesn't support HTTP
-   * @param req The HTTP request
-   * @param res The HTTP response
-   */
-  public handleHttpRequest(_req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
-    // HTTPS passthrough doesn't support HTTP requests
-    res.writeHead(404, { 'Content-Type': 'text/plain' });
-    res.end('HTTP not supported for this domain');
-    
-    this.emit(ForwardingHandlerEvents.HTTP_RESPONSE, {
-      statusCode: 404,
-      headers: { 'Content-Type': 'text/plain' },
-      size: 'HTTP not supported for this domain'.length
-    });
-  }
-}
--- a/ts/forwarding/handlers/https-terminate-to-http-handler.ts
+++ b/ts/forwarding/handlers/https-terminate-to-http-handler.ts
@@ -1,312 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { ForwardingHandler } from './base-handler.js';
-import type { IForwardConfig } from '../config/forwarding-types.js';
-import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
-import { setupSocketHandlers, createSocketWithErrorHandler, setupBidirectionalForwarding } from '../../core/utils/socket-utils.js';
-
-/**
- * Handler for HTTPS termination with HTTP backend
- */
-export class HttpsTerminateToHttpHandler extends ForwardingHandler {
-  private tlsServer: plugins.tls.Server | null = null;
-  private secureContext: plugins.tls.SecureContext | null = null;
-  
-  /**
-   * Create a new HTTPS termination with HTTP backend handler
-   * @param config The forwarding configuration
-   */
-  constructor(config: IForwardConfig) {
-    super(config);
-    
-    // Validate that this is an HTTPS terminate to HTTP configuration
-    if (config.type !== 'https-terminate-to-http') {
-      throw new Error(`Invalid configuration type for HttpsTerminateToHttpHandler: ${config.type}`);
-    }
-  }
-  
-  /**
-   * Initialize the handler, setting up TLS context
-   */
-  public async initialize(): Promise<void> {
-    // We need to load or create TLS certificates
-    if (this.config.https?.customCert) {
-      // Use custom certificate from configuration
-      this.secureContext = plugins.tls.createSecureContext({
-        key: this.config.https.customCert.key,
-        cert: this.config.https.customCert.cert
-      });
-      
-      this.emit(ForwardingHandlerEvents.CERTIFICATE_LOADED, {
-        source: 'config',
-        domain: this.config.target.host
-      });
-    } else if (this.config.acme?.enabled) {
-      // Request certificate through ACME if needed
-      this.emit(ForwardingHandlerEvents.CERTIFICATE_NEEDED, {
-        domain: Array.isArray(this.config.target.host) 
-          ? this.config.target.host[0] 
-          : this.config.target.host,
-        useProduction: this.config.acme.production || false
-      });
-      
-      // In a real implementation, we would wait for the certificate to be issued
-      // For now, we'll use a dummy context
-      this.secureContext = plugins.tls.createSecureContext({
-        key: '-----BEGIN PRIVATE KEY-----\nDummy key\n-----END PRIVATE KEY-----',
-        cert: '-----BEGIN CERTIFICATE-----\nDummy cert\n-----END CERTIFICATE-----'
-      });
-    } else {
-      throw new Error('HTTPS termination requires either a custom certificate or ACME enabled');
-    }
-  }
-  
-  /**
-   * Set the secure context for TLS termination
-   * Called when a certificate is available
-   * @param context The secure context
-   */
-  public setSecureContext(context: plugins.tls.SecureContext): void {
-    this.secureContext = context;
-  }
-  
-  /**
-   * Handle a TLS/SSL socket connection by terminating TLS and forwarding to HTTP backend
-   * @param clientSocket The incoming socket from the client
-   */
-  public handleConnection(clientSocket: plugins.net.Socket): void {
-    // Make sure we have a secure context
-    if (!this.secureContext) {
-      clientSocket.destroy(new Error('TLS secure context not initialized'));
-      return;
-    }
-    
-    const remoteAddress = clientSocket.remoteAddress || 'unknown';
-    const remotePort = clientSocket.remotePort || 0;
-    
-    // Create a TLS socket using our secure context
-    const tlsSocket = new plugins.tls.TLSSocket(clientSocket, {
-      secureContext: this.secureContext,
-      isServer: true,
-      server: this.tlsServer || undefined
-    });
-    
-    this.emit(ForwardingHandlerEvents.CONNECTED, {
-      remoteAddress,
-      remotePort,
-      tls: true
-    });
-    
-    // Variables to track connections
-    let backendSocket: plugins.net.Socket | null = null;
-    let dataBuffer = Buffer.alloc(0);
-    let connectionEstablished = false;
-    let forwardingSetup = false;
-    
-    // Set up initial error handling for TLS socket
-    const tlsCleanupHandler = (reason: string) => {
-      if (!forwardingSetup) {
-        // If forwarding not set up yet, emit disconnected and cleanup
-        this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-          remoteAddress,
-          reason
-        });
-        dataBuffer = Buffer.alloc(0);
-        connectionEstablished = false;
-        
-        if (!tlsSocket.destroyed) {
-          tlsSocket.destroy();
-        }
-        if (backendSocket && !backendSocket.destroyed) {
-          backendSocket.destroy();
-        }
-      }
-      // If forwarding is setup, setupBidirectionalForwarding will handle cleanup
-    };
-    
-    setupSocketHandlers(tlsSocket, tlsCleanupHandler, undefined, 'tls');
-    
-    // Set timeout
-    const timeout = this.getTimeout();
-    tlsSocket.setTimeout(timeout);
-    
-    tlsSocket.on('timeout', () => {
-      this.emit(ForwardingHandlerEvents.ERROR, {
-        remoteAddress,
-        error: 'TLS connection timeout'
-      });
-      tlsCleanupHandler('timeout');
-    });
-    
-    // Handle TLS data
-    tlsSocket.on('data', (data) => {
-      // If backend connection already established, just forward the data
-      if (connectionEstablished && backendSocket && !backendSocket.destroyed) {
-        backendSocket.write(data);
-        return;
-      }
-      
-      // Append to buffer
-      dataBuffer = Buffer.concat([dataBuffer, data]);
-      
-      // Very basic HTTP parsing - in a real implementation, use http-parser
-      if (dataBuffer.includes(Buffer.from('\r\n\r\n')) && !connectionEstablished) {
-        const target = this.getTargetFromConfig();
-        
-        // Create backend connection with immediate error handling
-        backendSocket = createSocketWithErrorHandler({
-          port: target.port,
-          host: target.host,
-          onError: (error) => {
-            this.emit(ForwardingHandlerEvents.ERROR, {
-              error: error.message,
-              code: (error as any).code || 'UNKNOWN',
-              remoteAddress,
-              target: `${target.host}:${target.port}`
-            });
-            
-            // Clean up the TLS socket since we can't forward
-            if (!tlsSocket.destroyed) {
-              tlsSocket.destroy();
-            }
-            
-            this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-              remoteAddress,
-              reason: `backend_connection_failed: ${error.message}`
-            });
-          },
-          onConnect: () => {
-            connectionEstablished = true;
-            
-            // Send buffered data
-            if (dataBuffer.length > 0) {
-              backendSocket!.write(dataBuffer);
-              dataBuffer = Buffer.alloc(0);
-            }
-            
-            // Now set up bidirectional forwarding with proper cleanup
-            forwardingSetup = true;
-            setupBidirectionalForwarding(tlsSocket, backendSocket!, {
-              onCleanup: (reason) => {
-                this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-                  remoteAddress,
-                  reason
-                });
-                dataBuffer = Buffer.alloc(0);
-                connectionEstablished = false;
-                forwardingSetup = false;
-              },
-              enableHalfOpen: false // Close both when one closes
-            });
-          }
-        });
-        
-        // Additional error logging for backend socket
-        backendSocket.on('error', (error) => {
-          if (!connectionEstablished) {
-            // Connection failed during setup
-            this.emit(ForwardingHandlerEvents.ERROR, {
-              remoteAddress,
-              error: `Target connection error: ${error.message}`
-            });
-          }
-          // If connected, setupBidirectionalForwarding handles cleanup
-        });
-      }
-    });
-  }
-  
-  /**
-   * Handle an HTTP request by forwarding to the HTTP backend
-   * @param req The HTTP request
-   * @param res The HTTP response
-   */
-  public handleHttpRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
-    // Check if we should redirect to HTTPS
-    if (this.config.http?.redirectToHttps) {
-      this.redirectToHttps(req, res);
-      return;
-    }
-    
-    // Get the target from configuration
-    const target = this.getTargetFromConfig();
-    
-    // Create custom headers with variable substitution
-    const variables = {
-      clientIp: req.socket.remoteAddress || 'unknown'
-    };
-    
-    // Prepare headers, merging with any custom headers from config
-    const headers = this.applyCustomHeaders(req.headers, variables);
-    
-    // Create the proxy request options
-    const options = {
-      hostname: target.host,
-      port: target.port,
-      path: req.url,
-      method: req.method,
-      headers
-    };
-    
-    // Create the proxy request
-    const proxyReq = plugins.http.request(options, (proxyRes) => {
-      // Copy status code and headers from the proxied response
-      res.writeHead(proxyRes.statusCode || 500, proxyRes.headers);
-      
-      // Pipe the proxy response to the client response
-      proxyRes.pipe(res);
-      
-      // Track response size for logging
-      let responseSize = 0;
-      proxyRes.on('data', (chunk) => {
-        responseSize += chunk.length;
-      });
-      
-      proxyRes.on('end', () => {
-        this.emit(ForwardingHandlerEvents.HTTP_RESPONSE, {
-          statusCode: proxyRes.statusCode,
-          headers: proxyRes.headers,
-          size: responseSize
-        });
-      });
-    });
-    
-    // Handle errors in the proxy request
-    proxyReq.on('error', (error) => {
-      this.emit(ForwardingHandlerEvents.ERROR, {
-        remoteAddress: req.socket.remoteAddress,
-        error: `Proxy request error: ${error.message}`
-      });
-      
-      // Send an error response if headers haven't been sent yet
-      if (!res.headersSent) {
-        res.writeHead(502, { 'Content-Type': 'text/plain' });
-        res.end(`Error forwarding request: ${error.message}`);
-      } else {
-        // Just end the response if headers have already been sent
-        res.end();
-      }
-    });
-    
-    // Track request details for logging
-    let requestSize = 0;
-    req.on('data', (chunk) => {
-      requestSize += chunk.length;
-    });
-    
-    // Log the request
-    this.emit(ForwardingHandlerEvents.HTTP_REQUEST, {
-      method: req.method,
-      url: req.url,
-      headers: req.headers,
-      remoteAddress: req.socket.remoteAddress,
-      target: `${target.host}:${target.port}`
-    });
-    
-    // Pipe the client request to the proxy request
-    if (req.readable) {
-      req.pipe(proxyReq);
-    } else {
-      proxyReq.end();
-    }
-  }
-}
--- a/ts/forwarding/handlers/https-terminate-to-https-handler.ts
+++ b/ts/forwarding/handlers/https-terminate-to-https-handler.ts
@@ -1,297 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { ForwardingHandler } from './base-handler.js';
-import type { IForwardConfig } from '../config/forwarding-types.js';
-import { ForwardingHandlerEvents } from '../config/forwarding-types.js';
-import { setupSocketHandlers, createSocketWithErrorHandler, setupBidirectionalForwarding } from '../../core/utils/socket-utils.js';
-
-/**
- * Handler for HTTPS termination with HTTPS backend
- */
-export class HttpsTerminateToHttpsHandler extends ForwardingHandler {
-  private secureContext: plugins.tls.SecureContext | null = null;
-  
-  /**
-   * Create a new HTTPS termination with HTTPS backend handler
-   * @param config The forwarding configuration
-   */
-  constructor(config: IForwardConfig) {
-    super(config);
-    
-    // Validate that this is an HTTPS terminate to HTTPS configuration
-    if (config.type !== 'https-terminate-to-https') {
-      throw new Error(`Invalid configuration type for HttpsTerminateToHttpsHandler: ${config.type}`);
-    }
-  }
-  
-  /**
-   * Initialize the handler, setting up TLS context
-   */
-  public async initialize(): Promise<void> {
-    // We need to load or create TLS certificates for termination
-    if (this.config.https?.customCert) {
-      // Use custom certificate from configuration
-      this.secureContext = plugins.tls.createSecureContext({
-        key: this.config.https.customCert.key,
-        cert: this.config.https.customCert.cert
-      });
-      
-      this.emit(ForwardingHandlerEvents.CERTIFICATE_LOADED, {
-        source: 'config',
-        domain: this.config.target.host
-      });
-    } else if (this.config.acme?.enabled) {
-      // Request certificate through ACME if needed
-      this.emit(ForwardingHandlerEvents.CERTIFICATE_NEEDED, {
-        domain: Array.isArray(this.config.target.host) 
-          ? this.config.target.host[0] 
-          : this.config.target.host,
-        useProduction: this.config.acme.production || false
-      });
-      
-      // In a real implementation, we would wait for the certificate to be issued
-      // For now, we'll use a dummy context
-      this.secureContext = plugins.tls.createSecureContext({
-        key: '-----BEGIN PRIVATE KEY-----\nDummy key\n-----END PRIVATE KEY-----',
-        cert: '-----BEGIN CERTIFICATE-----\nDummy cert\n-----END CERTIFICATE-----'
-      });
-    } else {
-      throw new Error('HTTPS termination requires either a custom certificate or ACME enabled');
-    }
-  }
-  
-  /**
-   * Set the secure context for TLS termination
-   * Called when a certificate is available
-   * @param context The secure context
-   */
-  public setSecureContext(context: plugins.tls.SecureContext): void {
-    this.secureContext = context;
-  }
-  
-  /**
-   * Handle a TLS/SSL socket connection by terminating TLS and creating a new TLS connection to backend
-   * @param clientSocket The incoming socket from the client
-   */
-  public handleConnection(clientSocket: plugins.net.Socket): void {
-    // Make sure we have a secure context
-    if (!this.secureContext) {
-      clientSocket.destroy(new Error('TLS secure context not initialized'));
-      return;
-    }
-    
-    const remoteAddress = clientSocket.remoteAddress || 'unknown';
-    const remotePort = clientSocket.remotePort || 0;
-    
-    // Create a TLS socket using our secure context
-    const tlsSocket = new plugins.tls.TLSSocket(clientSocket, {
-      secureContext: this.secureContext,
-      isServer: true
-    });
-    
-    this.emit(ForwardingHandlerEvents.CONNECTED, {
-      remoteAddress,
-      remotePort,
-      tls: true
-    });
-    
-    // Variable to track backend socket
-    let backendSocket: plugins.tls.TLSSocket | null = null;
-    let isConnectedToBackend = false;
-    
-    // Set up initial error handling for TLS socket
-    const tlsCleanupHandler = (reason: string) => {
-      if (!isConnectedToBackend) {
-        // If backend not connected yet, just emit disconnected event
-        this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-          remoteAddress,
-          reason
-        });
-        
-        // Cleanup TLS socket if needed
-        if (!tlsSocket.destroyed) {
-          tlsSocket.destroy();
-        }
-      }
-      // If connected to backend, setupBidirectionalForwarding will handle cleanup
-    };
-    
-    setupSocketHandlers(tlsSocket, tlsCleanupHandler, undefined, 'tls');
-    
-    // Set timeout
-    const timeout = this.getTimeout();
-    tlsSocket.setTimeout(timeout);
-    
-    tlsSocket.on('timeout', () => {
-      this.emit(ForwardingHandlerEvents.ERROR, {
-        remoteAddress,
-        error: 'TLS connection timeout'
-      });
-      tlsCleanupHandler('timeout');
-    });
-    
-    // Get the target from configuration
-    const target = this.getTargetFromConfig();
-    
-    // Set up the connection to the HTTPS backend
-    const connectToBackend = () => {
-      backendSocket = plugins.tls.connect({
-        host: target.host,
-        port: target.port,
-        // In a real implementation, we would configure TLS options
-        rejectUnauthorized: false // For testing only, never use in production
-      }, () => {
-        isConnectedToBackend = true;
-        
-        this.emit(ForwardingHandlerEvents.DATA_FORWARDED, {
-          direction: 'outbound',
-          target: `${target.host}:${target.port}`,
-          tls: true
-        });
-        
-        // Set up bidirectional forwarding with proper cleanup
-        setupBidirectionalForwarding(tlsSocket, backendSocket!, {
-          onCleanup: (reason) => {
-            this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-              remoteAddress,
-              reason
-            });
-          },
-          enableHalfOpen: false // Close both when one closes
-        });
-        
-        // Set timeout for backend socket
-        backendSocket!.setTimeout(timeout);
-        
-        backendSocket!.on('timeout', () => {
-          this.emit(ForwardingHandlerEvents.ERROR, {
-            remoteAddress,
-            error: 'Backend connection timeout'
-          });
-          // Let setupBidirectionalForwarding handle the cleanup
-        });
-      });
-      
-      // Handle backend connection errors
-      backendSocket.on('error', (error) => {
-        this.emit(ForwardingHandlerEvents.ERROR, {
-          remoteAddress,
-          error: `Backend connection error: ${error.message}`
-        });
-        
-        if (!isConnectedToBackend) {
-          // Connection failed, clean up TLS socket
-          if (!tlsSocket.destroyed) {
-            tlsSocket.destroy();
-          }
-          this.emit(ForwardingHandlerEvents.DISCONNECTED, {
-            remoteAddress,
-            reason: `backend_connection_failed: ${error.message}`
-          });
-        }
-        // If connected, let setupBidirectionalForwarding handle cleanup
-      });
-    };
-    
-    // Wait for the TLS handshake to complete before connecting to backend
-    tlsSocket.on('secure', () => {
-      connectToBackend();
-    });
-  }
-  
-  /**
-   * Handle an HTTP request by forwarding to the HTTPS backend
-   * @param req The HTTP request
-   * @param res The HTTP response
-   */
-  public handleHttpRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
-    // Check if we should redirect to HTTPS
-    if (this.config.http?.redirectToHttps) {
-      this.redirectToHttps(req, res);
-      return;
-    }
-    
-    // Get the target from configuration
-    const target = this.getTargetFromConfig();
-    
-    // Create custom headers with variable substitution
-    const variables = {
-      clientIp: req.socket.remoteAddress || 'unknown'
-    };
-    
-    // Prepare headers, merging with any custom headers from config
-    const headers = this.applyCustomHeaders(req.headers, variables);
-    
-    // Create the proxy request options
-    const options = {
-      hostname: target.host,
-      port: target.port,
-      path: req.url,
-      method: req.method,
-      headers,
-      // In a real implementation, we would configure TLS options
-      rejectUnauthorized: false // For testing only, never use in production
-    };
-    
-    // Create the proxy request using HTTPS
-    const proxyReq = plugins.https.request(options, (proxyRes) => {
-      // Copy status code and headers from the proxied response
-      res.writeHead(proxyRes.statusCode || 500, proxyRes.headers);
-      
-      // Pipe the proxy response to the client response
-      proxyRes.pipe(res);
-      
-      // Track response size for logging
-      let responseSize = 0;
-      proxyRes.on('data', (chunk) => {
-        responseSize += chunk.length;
-      });
-      
-      proxyRes.on('end', () => {
-        this.emit(ForwardingHandlerEvents.HTTP_RESPONSE, {
-          statusCode: proxyRes.statusCode,
-          headers: proxyRes.headers,
-          size: responseSize
-        });
-      });
-    });
-    
-    // Handle errors in the proxy request
-    proxyReq.on('error', (error) => {
-      this.emit(ForwardingHandlerEvents.ERROR, {
-        remoteAddress: req.socket.remoteAddress,
-        error: `Proxy request error: ${error.message}`
-      });
-      
-      // Send an error response if headers haven't been sent yet
-      if (!res.headersSent) {
-        res.writeHead(502, { 'Content-Type': 'text/plain' });
-        res.end(`Error forwarding request: ${error.message}`);
-      } else {
-        // Just end the response if headers have already been sent
-        res.end();
-      }
-    });
-    
-    // Track request details for logging
-    let requestSize = 0;
-    req.on('data', (chunk) => {
-      requestSize += chunk.length;
-    });
-    
-    // Log the request
-    this.emit(ForwardingHandlerEvents.HTTP_REQUEST, {
-      method: req.method,
-      url: req.url,
-      headers: req.headers,
-      remoteAddress: req.socket.remoteAddress,
-      target: `${target.host}:${target.port}`
-    });
-    
-    // Pipe the client request to the proxy request
-    if (req.readable) {
-      req.pipe(proxyReq);
-    } else {
-      proxyReq.end();
-    }
-  }
-}
--- a/ts/forwarding/handlers/index.ts
+++ b/ts/forwarding/handlers/index.ts
@@ -1,9 +0,0 @@
-/**
- * Forwarding handler implementations
- */
-
-export { ForwardingHandler } from './base-handler.js';
-export { HttpForwardingHandler } from './http-handler.js';
-export { HttpsPassthroughHandler } from './https-passthrough-handler.js';
-export { HttpsTerminateToHttpHandler } from './https-terminate-to-http-handler.js';
-export { HttpsTerminateToHttpsHandler } from './https-terminate-to-https-handler.js';
--- a/ts/forwarding/index.ts
+++ b/ts/forwarding/index.ts
@@ -1,35 +0,0 @@
-/**
- * Forwarding system module
- * Provides a flexible and type-safe way to configure and manage various forwarding strategies
- */
-
-// Export handlers
-export { ForwardingHandler } from './handlers/base-handler.js';
-export * from './handlers/http-handler.js';
-export * from './handlers/https-passthrough-handler.js';
-export * from './handlers/https-terminate-to-http-handler.js';
-export * from './handlers/https-terminate-to-https-handler.js';
-
-// Export factory
-export * from './factory/forwarding-factory.js';
-
-// Export types - these include TForwardingType and IForwardConfig
-export type { 
-  TForwardingType,
-  IForwardConfig,
-  IForwardingHandler
-} from './config/forwarding-types.js';
-
-export { 
-  ForwardingHandlerEvents
-} from './config/forwarding-types.js';
-
-// Export route helpers directly from route-patterns
-export {
-  createHttpRoute,
-  createHttpsTerminateRoute,
-  createHttpsPassthroughRoute,
-  createHttpToHttpsRedirect,
-  createCompleteHttpsServer,
-  createLoadBalancerRoute
-} from '../proxies/smart-proxy/utils/route-patterns.js';
--- a/ts/index.ts
+++ b/ts/index.ts
@@ -32,7 +32,6 @@ export * from './core/models/common-types.js';
 export type { IAcmeOptions } from './proxies/smart-proxy/models/interfaces.js';

 // Modular exports for new architecture
-export * as forwarding from './forwarding/index.js';
 // Certificate module has been removed - use SmartCertManager instead
 export * as tls from './tls/index.js';
 export * as routing from './routing/index.js';
--- a/ts/proxies/smart-proxy/models/interfaces.ts
+++ b/ts/proxies/smart-proxy/models/interfaces.ts
@@ -16,7 +16,6 @@ export interface IAcmeOptions {
  routeForwards?: any[];
 }
 import type { IRouteConfig } from './route-types.js';
-import type { TForwardingType } from '../../../forwarding/config/forwarding-types.js';

 /**
 * Provision object for static or HTTP-01 certificate
--- a/ts/proxies/smart-proxy/models/route-types.ts
+++ b/ts/proxies/smart-proxy/models/route-types.ts
@@ -1,6 +1,5 @@
 import * as plugins from '../../../plugins.js';
 // Certificate types removed - use local definition
-import type { TForwardingType } from '../../../forwarding/config/forwarding-types.js';
 import type { PortRange } from '../../../proxies/nftables-proxy/models/interfaces.js';
 import type { IRouteContext } from '../../../core/models/route-context.js';

--- a/ts/proxies/smart-proxy/utils/index.ts
+++ b/ts/proxies/smart-proxy/utils/index.ts
@@ -14,23 +14,12 @@ export * from './route-validators.js';
 // Export route utilities for route operations
 export * from './route-utils.js';

-// Export route patterns with renamed exports to avoid conflicts
-import {
-  createWebSocketRoute as createWebSocketPatternRoute,
-  createLoadBalancerRoute as createLoadBalancerPatternRoute,
-  createApiGatewayRoute,
-  addRateLimiting,
-  addBasicAuth,
-  addJwtAuth
-} from './route-patterns.js';
-
+// Export additional functions from route-helpers that weren't already exported
 export {
-  createWebSocketPatternRoute,
-  createLoadBalancerPatternRoute,
  createApiGatewayRoute,
  addRateLimiting,
  addBasicAuth,
  addJwtAuth
-};
+} from './route-helpers.js';

 // Migration utilities have been removed as they are no longer needed
--- a/ts/proxies/smart-proxy/utils/route-helpers.ts
+++ b/ts/proxies/smart-proxy/utils/route-helpers.ts
@@ -20,6 +20,7 @@

 import * as plugins from '../../../plugins.js';
 import type { IRouteConfig, IRouteMatch, IRouteAction, IRouteTarget, TPortRange, IRouteContext } from '../models/route-types.js';
+import { mergeRouteConfigs } from './route-utils.js';

 /**
 * Create an HTTP-only route configuration
@@ -211,26 +212,62 @@ export function createCompleteHttpsServer(
 /**
 * Create a load balancer route (round-robin between multiple backend hosts)
 * @param domains Domain(s) to match
- * @param hosts Array of backend hosts to load balance between
- * @param port Backend port
- * @param options Additional route options
+ * @param backendsOrHosts Array of backend servers OR array of host strings (legacy)
+ * @param portOrOptions Port number (legacy) OR options object
+ * @param options Additional route options (legacy)
 * @returns Route configuration object
 */
 export function createLoadBalancerRoute(
  domains: string | string[],
-  hosts: string[],
-  port: number,
-  options: {
+  backendsOrHosts: Array<{ host: string; port: number }> | string[],
+  portOrOptions?: number | {
+    tls?: {
+      mode: 'passthrough' | 'terminate' | 'terminate-and-reencrypt';
+      certificate?: 'auto' | { key: string; cert: string };
+    };
+    useTls?: boolean;
+    certificate?: 'auto' | { key: string; cert: string };
+    algorithm?: 'round-robin' | 'least-connections' | 'ip-hash';
+    healthCheck?: {
+      path: string;
+      interval: number;
+      timeout: number;
+      unhealthyThreshold: number;
+      healthyThreshold: number;
+    };
+    [key: string]: any;
+  },
+  options?: {
    tls?: {
      mode: 'passthrough' | 'terminate' | 'terminate-and-reencrypt';
      certificate?: 'auto' | { key: string; cert: string };
    };
    [key: string]: any;
-  } = {}
+  }
 ): IRouteConfig {
+  // Handle legacy signature: (domains, hosts[], port, options)
+  let backends: Array<{ host: string; port: number }>;
+  let finalOptions: any;
+  
+  if (Array.isArray(backendsOrHosts) && backendsOrHosts.length > 0 && typeof backendsOrHosts[0] === 'string') {
+    // Legacy signature
+    const hosts = backendsOrHosts as string[];
+    const port = portOrOptions as number;
+    backends = hosts.map(host => ({ host, port }));
+    finalOptions = options || {};
+  } else {
+    // New signature
+    backends = backendsOrHosts as Array<{ host: string; port: number }>;
+    finalOptions = (portOrOptions as any) || {};
+  }
+  
+  // Extract hosts and ensure all backends use the same port
+  const port = backends[0].port;
+  const hosts = backends.map(backend => backend.host);
+  
  // Create route match
  const match: IRouteMatch = {
-    ports: options.match?.ports || (options.tls ? 443 : 80),
+    ports: finalOptions.match?.ports || (finalOptions.tls || finalOptions.useTls ? 443 : 80),
    domains
  };

@@ -247,10 +284,18 @@ export function createLoadBalancerRoute(
  };

  // Add TLS configuration if provided
-  if (options.tls) {
+  if (finalOptions.tls || finalOptions.useTls) {
    action.tls = {
-      mode: options.tls.mode,
-      certificate: options.tls.certificate || 'auto'
+      mode: finalOptions.tls?.mode || 'terminate',
+      certificate: finalOptions.tls?.certificate || finalOptions.certificate || 'auto'
+    };
+  }
+
+  // Add load balancing options
+  if (finalOptions.algorithm || finalOptions.healthCheck) {
+    action.loadBalancing = {
+      algorithm: finalOptions.algorithm || 'round-robin',
+      healthCheck: finalOptions.healthCheck
    };
  }

@@ -258,8 +303,8 @@ export function createLoadBalancerRoute(
  return {
    match,
    action,
-    name: options.name || `Load Balancer for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
-    ...options
+    name: finalOptions.name || `Load Balancer for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
+    ...finalOptions
  };
 }

@@ -339,16 +384,26 @@ export function createApiRoute(
 /**
 * Create a WebSocket route configuration
 * @param domains Domain(s) to match
- * @param wsPath WebSocket path (e.g., "/ws")
- * @param target Target WebSocket server host and port
- * @param options Additional route options
+ * @param targetOrPath Target server OR WebSocket path (legacy)
+ * @param targetOrOptions Target server (legacy) OR options
+ * @param options Additional route options (legacy)
 * @returns Route configuration object
 */
 export function createWebSocketRoute(
  domains: string | string[],
-  wsPath: string,
-  target: { host: string | string[]; port: number },
-  options: {
+  targetOrPath: { host: string | string[]; port: number } | string,
+  targetOrOptions?: { host: string | string[]; port: number } | {
+    useTls?: boolean;
+    certificate?: 'auto' | { key: string; cert: string };
+    path?: string;
+    httpPort?: number | number[];
+    httpsPort?: number | number[];
+    pingInterval?: number;
+    pingTimeout?: number;
+    name?: string;
+    [key: string]: any;
+  },
+  options?: {
    useTls?: boolean;
    certificate?: 'auto' | { key: string; cert: string };
    httpPort?: number | number[];
@@ -357,16 +412,33 @@ export function createWebSocketRoute(
    pingTimeout?: number;
    name?: string;
    [key: string]: any;
-  } = {}
+  }
 ): IRouteConfig {
+  // Handle different signatures
+  let target: { host: string | string[]; port: number };
+  let wsPath: string;
+  let finalOptions: any;
+  
+  if (typeof targetOrPath === 'string') {
+    // Legacy signature: (domains, path, target, options)
+    wsPath = targetOrPath;
+    target = targetOrOptions as { host: string | string[]; port: number };
+    finalOptions = options || {};
+  } else {
+    // New signature: (domains, target, options)
+    target = targetOrPath;
+    finalOptions = (targetOrOptions as any) || {};
+    wsPath = finalOptions.path || '/ws';
+  }
+  
  // Normalize WebSocket path
  const normalizedPath = wsPath.startsWith('/') ? wsPath : `/${wsPath}`;

  // Create route match
  const match: IRouteMatch = {
-    ports: options.useTls
-      ? (options.httpsPort || 443)
-      : (options.httpPort || 80),
+    ports: finalOptions.useTls
+      ? (finalOptions.httpsPort || 443)
+      : (finalOptions.httpPort || 80),
    domains,
    path: normalizedPath
  };
@@ -377,16 +449,16 @@ export function createWebSocketRoute(
    targets: [target],
    websocket: {
      enabled: true,
-      pingInterval: options.pingInterval || 30000, // 30 seconds
-      pingTimeout: options.pingTimeout || 5000    // 5 seconds
+      pingInterval: finalOptions.pingInterval || 30000, // 30 seconds
+      pingTimeout: finalOptions.pingTimeout || 5000    // 5 seconds
    }
  };

  // Add TLS configuration if using HTTPS
-  if (options.useTls) {
+  if (finalOptions.useTls) {
    action.tls = {
      mode: 'terminate',
-      certificate: options.certificate || 'auto'
+      certificate: finalOptions.certificate || 'auto'
    };
  }

@@ -394,9 +466,9 @@ export function createWebSocketRoute(
  return {
    match,
    action,
-    name: options.name || `WebSocket Route ${normalizedPath} for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
-    priority: options.priority || 100, // Higher priority for WebSocket routes
-    ...options
+    name: finalOptions.name || `WebSocket Route ${normalizedPath} for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
+    priority: finalOptions.priority || 100, // Higher priority for WebSocket routes
+    ...finalOptions
  };
 }

@@ -1030,3 +1102,152 @@ export const SocketHandlers = {
    });
  }
 };
+
+/**
+ * Create an API Gateway route pattern
+ * @param domains Domain(s) to match
+ * @param apiBasePath Base path for API endpoints (e.g., '/api')
+ * @param target Target host and port
+ * @param options Additional route options
+ * @returns API route configuration
+ */
+export function createApiGatewayRoute(
+  domains: string | string[],
+  apiBasePath: string,
+  target: { host: string | string[]; port: number },
+  options: {
+    useTls?: boolean;
+    certificate?: 'auto' | { key: string; cert: string };
+    addCorsHeaders?: boolean;
+    [key: string]: any;
+  } = {}
+): IRouteConfig {
+  // Normalize apiBasePath to ensure it starts with / and doesn't end with /
+  const normalizedPath = apiBasePath.startsWith('/') 
+    ? apiBasePath 
+    : `/${apiBasePath}`;
+  
+  // Add wildcard to path to match all API endpoints
+  const apiPath = normalizedPath.endsWith('/') 
+    ? `${normalizedPath}*` 
+    : `${normalizedPath}/*`;
+  
+  // Create base route
+  const baseRoute = options.useTls
+    ? createHttpsTerminateRoute(domains, target, {
+        certificate: options.certificate || 'auto'
+      })
+    : createHttpRoute(domains, target);
+  
+  // Add API-specific configurations
+  const apiRoute: Partial<IRouteConfig> = {
+    match: {
+      ...baseRoute.match,
+      path: apiPath
+    },
+    name: options.name || `API Gateway: ${apiPath} -> ${Array.isArray(target.host) ? target.host.join(', ') : target.host}:${target.port}`,
+    priority: options.priority || 100 // Higher priority for specific path matching
+  };
+  
+  // Add CORS headers if requested
+  if (options.addCorsHeaders) {
+    apiRoute.headers = {
+      response: {
+        'Access-Control-Allow-Origin': '*',
+        'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
+        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+        'Access-Control-Max-Age': '86400'
+      }
+    };
+  }
+  
+  return mergeRouteConfigs(baseRoute, apiRoute);
+}
+
+/**
+ * Create a rate limiting route pattern
+ * @param baseRoute Base route to add rate limiting to
+ * @param rateLimit Rate limiting configuration
+ * @returns Route with rate limiting
+ */
+export function addRateLimiting(
+  baseRoute: IRouteConfig,
+  rateLimit: {
+    maxRequests: number;
+    window: number; // Time window in seconds
+    keyBy?: 'ip' | 'path' | 'header';
+    headerName?: string; // Required if keyBy is 'header'
+    errorMessage?: string;
+  }
+): IRouteConfig {
+  return mergeRouteConfigs(baseRoute, {
+    security: {
+      rateLimit: {
+        enabled: true,
+        maxRequests: rateLimit.maxRequests,
+        window: rateLimit.window,
+        keyBy: rateLimit.keyBy || 'ip',
+        headerName: rateLimit.headerName,
+        errorMessage: rateLimit.errorMessage || 'Rate limit exceeded. Please try again later.'
+      }
+    }
+  });
+}
+
+/**
+ * Create a basic authentication route pattern
+ * @param baseRoute Base route to add authentication to
+ * @param auth Authentication configuration
+ * @returns Route with basic authentication
+ */
+export function addBasicAuth(
+  baseRoute: IRouteConfig,
+  auth: {
+    users: Array<{ username: string; password: string }>;
+    realm?: string;
+    excludePaths?: string[];
+  }
+): IRouteConfig {
+  return mergeRouteConfigs(baseRoute, {
+    security: {
+      basicAuth: {
+        enabled: true,
+        users: auth.users,
+        realm: auth.realm || 'Restricted Area',
+        excludePaths: auth.excludePaths || []
+      }
+    }
+  });
+}
+
+/**
+ * Create a JWT authentication route pattern
+ * @param baseRoute Base route to add JWT authentication to
+ * @param jwt JWT authentication configuration
+ * @returns Route with JWT authentication
+ */
+export function addJwtAuth(
+  baseRoute: IRouteConfig,
+  jwt: {
+    secret: string;
+    algorithm?: string;
+    issuer?: string;
+    audience?: string;
+    expiresIn?: number; // Time in seconds
+    excludePaths?: string[];
+  }
+): IRouteConfig {
+  return mergeRouteConfigs(baseRoute, {
+    security: {
+      jwtAuth: {
+        enabled: true,
+        secret: jwt.secret,
+        algorithm: jwt.algorithm || 'HS256',
+        issuer: jwt.issuer,
+        audience: jwt.audience,
+        expiresIn: jwt.expiresIn,
+        excludePaths: jwt.excludePaths || []
+      }
+    }
+  });
+}
--- a/ts/proxies/smart-proxy/utils/route-patterns.ts
+++ b/ts/proxies/smart-proxy/utils/route-patterns.ts
@@ -1,403 +0,0 @@
-/**
- * Route Patterns
- * 
- * This file provides pre-defined route patterns for common use cases.
- * These patterns can be used as templates for creating route configurations.
- */
-
-import type { IRouteConfig, IRouteMatch, IRouteAction, IRouteTarget } from '../models/route-types.js';
-import { mergeRouteConfigs } from './route-utils.js';
-import { SocketHandlers } from './route-helpers.js';
-
-/**
- * Create a basic HTTP route configuration
- */
-export function createHttpRoute(
-  domains: string | string[],
-  target: { host: string | string[]; port: number | 'preserve' | ((ctx: any) => number) },
-  options: Partial<IRouteConfig> = {}
-): IRouteConfig {
-  const route: IRouteConfig = {
-    match: {
-      domains,
-      ports: 80
-    },
-    action: {
-      type: 'forward',
-      targets: [{
-        host: target.host,
-        port: target.port
-      }]
-    },
-    name: options.name || `HTTP: ${Array.isArray(domains) ? domains.join(', ') : domains}`
-  };
-
-  return mergeRouteConfigs(route, options);
-}
-
-/**
- * Create an HTTPS route with TLS termination
- */
-export function createHttpsTerminateRoute(
-  domains: string | string[],
-  target: { host: string | string[]; port: number | 'preserve' | ((ctx: any) => number) },
-  options: Partial<IRouteConfig> & {
-    certificate?: 'auto' | { key: string; cert: string };
-    reencrypt?: boolean;
-  } = {}
-): IRouteConfig {
-  const route: IRouteConfig = {
-    match: {
-      domains,
-      ports: 443
-    },
-    action: {
-      type: 'forward',
-      targets: [{
-        host: target.host,
-        port: target.port
-      }],
-      tls: {
-        mode: options.reencrypt ? 'terminate-and-reencrypt' : 'terminate',
-        certificate: options.certificate || 'auto'
-      }
-    },
-    name: options.name || `HTTPS (terminate): ${Array.isArray(domains) ? domains.join(', ') : domains}`
-  };
-
-  return mergeRouteConfigs(route, options);
-}
-
-/**
- * Create an HTTPS route with TLS passthrough
- */
-export function createHttpsPassthroughRoute(
-  domains: string | string[],
-  target: { host: string | string[]; port: number | 'preserve' | ((ctx: any) => number) },
-  options: Partial<IRouteConfig> = {}
-): IRouteConfig {
-  const route: IRouteConfig = {
-    match: {
-      domains,
-      ports: 443
-    },
-    action: {
-      type: 'forward',
-      targets: [{
-        host: target.host,
-        port: target.port
-      }],
-      tls: {
-        mode: 'passthrough'
-      }
-    },
-    name: options.name || `HTTPS (passthrough): ${Array.isArray(domains) ? domains.join(', ') : domains}`
-  };
-
-  return mergeRouteConfigs(route, options);
-}
-
-/**
- * Create an HTTP to HTTPS redirect route
- */
-export function createHttpToHttpsRedirect(
-  domains: string | string[],
-  options: Partial<IRouteConfig> & {
-    redirectCode?: 301 | 302 | 307 | 308;
-    preservePath?: boolean;
-  } = {}
-): IRouteConfig {
-  const route: IRouteConfig = {
-    match: {
-      domains,
-      ports: 80
-    },
-    action: {
-      type: 'socket-handler',
-      socketHandler: SocketHandlers.httpRedirect(
-        options.preservePath ? 'https://{domain}{path}' : 'https://{domain}',
-        options.redirectCode || 301
-      )
-    },
-    name: options.name || `HTTP to HTTPS redirect: ${Array.isArray(domains) ? domains.join(', ') : domains}`
-  };
-
-  return mergeRouteConfigs(route, options);
-}
-
-/**
- * Create a complete HTTPS server with redirect from HTTP
- */
-export function createCompleteHttpsServer(
-  domains: string | string[],
-  target: { host: string | string[]; port: number | 'preserve' | ((ctx: any) => number) },
-  options: Partial<IRouteConfig> & {
-    certificate?: 'auto' | { key: string; cert: string };
-    tlsMode?: 'terminate' | 'passthrough' | 'terminate-and-reencrypt';
-    redirectCode?: 301 | 302 | 307 | 308;
-  } = {}
-): IRouteConfig[] {
-  // Create the TLS route based on the selected mode
-  const tlsRoute = options.tlsMode === 'passthrough' 
-    ? createHttpsPassthroughRoute(domains, target, options)
-    : createHttpsTerminateRoute(domains, target, {
-        ...options,
-        reencrypt: options.tlsMode === 'terminate-and-reencrypt'
-      });
-  
-  // Create the HTTP to HTTPS redirect route
-  const redirectRoute = createHttpToHttpsRedirect(domains, {
-    redirectCode: options.redirectCode,
-    preservePath: true
-  });
-  
-  return [tlsRoute, redirectRoute];
-}
-
-/**
- * Create an API Gateway route pattern
- * @param domains Domain(s) to match
- * @param apiBasePath Base path for API endpoints (e.g., '/api')
- * @param target Target host and port
- * @param options Additional route options
- * @returns API route configuration
- */
-export function createApiGatewayRoute(
-  domains: string | string[],
-  apiBasePath: string,
-  target: { host: string | string[]; port: number },
-  options: {
-    useTls?: boolean;
-    certificate?: 'auto' | { key: string; cert: string };
-    addCorsHeaders?: boolean;
-    [key: string]: any;
-  } = {}
-): IRouteConfig {
-  // Normalize apiBasePath to ensure it starts with / and doesn't end with /
-  const normalizedPath = apiBasePath.startsWith('/') 
-    ? apiBasePath 
-    : `/${apiBasePath}`;
-  
-  // Add wildcard to path to match all API endpoints
-  const apiPath = normalizedPath.endsWith('/') 
-    ? `${normalizedPath}*` 
-    : `${normalizedPath}/*`;
-  
-  // Create base route
-  const baseRoute = options.useTls
-    ? createHttpsTerminateRoute(domains, target, {
-        certificate: options.certificate || 'auto'
-      })
-    : createHttpRoute(domains, target);
-  
-  // Add API-specific configurations
-  const apiRoute: Partial<IRouteConfig> = {
-    match: {
-      ...baseRoute.match,
-      path: apiPath
-    },
-    name: options.name || `API Gateway: ${apiPath} -> ${Array.isArray(target.host) ? target.host.join(', ') : target.host}:${target.port}`,
-    priority: options.priority || 100 // Higher priority for specific path matching
-  };
-  
-  // Add CORS headers if requested
-  if (options.addCorsHeaders) {
-    apiRoute.headers = {
-      response: {
-        'Access-Control-Allow-Origin': '*',
-        'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
-        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
-        'Access-Control-Max-Age': '86400'
-      }
-    };
-  }
-  
-  return mergeRouteConfigs(baseRoute, apiRoute);
-}
-
-/**
- * Create a WebSocket route pattern
- * @param domains Domain(s) to match
- * @param target WebSocket server host and port
- * @param options Additional route options
- * @returns WebSocket route configuration
- */
-export function createWebSocketRoute(
-  domains: string | string[],
-  target: { host: string | string[]; port: number },
-  options: {
-    useTls?: boolean;
-    certificate?: 'auto' | { key: string; cert: string };
-    path?: string;
-    [key: string]: any;
-  } = {}
-): IRouteConfig {
-  // Create base route
-  const baseRoute = options.useTls
-    ? createHttpsTerminateRoute(domains, target, {
-        certificate: options.certificate || 'auto'
-      })
-    : createHttpRoute(domains, target);
-  
-  // Add WebSocket-specific configurations
-  const wsRoute: Partial<IRouteConfig> = {
-    match: {
-      ...baseRoute.match,
-      path: options.path || '/ws',
-      headers: {
-        'Upgrade': 'websocket'
-      }
-    },
-    action: {
-      ...baseRoute.action,
-      websocket: {
-        enabled: true,
-        pingInterval: options.pingInterval || 30000, // 30 seconds
-        pingTimeout: options.pingTimeout || 5000    // 5 seconds
-      }
-    },
-    name: options.name || `WebSocket: ${Array.isArray(domains) ? domains.join(', ') : domains} -> ${Array.isArray(target.host) ? target.host.join(', ') : target.host}:${target.port}`,
-    priority: options.priority || 100 // Higher priority for WebSocket routes
-  };
-  
-  return mergeRouteConfigs(baseRoute, wsRoute);
-}
-
-/**
- * Create a load balancer route pattern
- * @param domains Domain(s) to match
- * @param backends Array of backend servers
- * @param options Additional route options
- * @returns Load balancer route configuration
- */
-export function createLoadBalancerRoute(
-  domains: string | string[],
-  backends: Array<{ host: string; port: number }>,
-  options: {
-    useTls?: boolean;
-    certificate?: 'auto' | { key: string; cert: string };
-    algorithm?: 'round-robin' | 'least-connections' | 'ip-hash';
-    healthCheck?: {
-      path: string;
-      interval: number;
-      timeout: number;
-      unhealthyThreshold: number;
-      healthyThreshold: number;
-    };
-    [key: string]: any;
-  } = {}
-): IRouteConfig {
-  // Extract hosts and ensure all backends use the same port
-  const port = backends[0].port;
-  const hosts = backends.map(backend => backend.host);
-  
-  // Create route with multiple hosts for load balancing
-  const baseRoute = options.useTls
-    ? createHttpsTerminateRoute(domains, { host: hosts, port }, {
-        certificate: options.certificate || 'auto'
-      })
-    : createHttpRoute(domains, { host: hosts, port });
-  
-  // Add load balancing specific configurations
-  const lbRoute: Partial<IRouteConfig> = {
-    action: {
-      ...baseRoute.action,
-      loadBalancing: {
-        algorithm: options.algorithm || 'round-robin',
-        healthCheck: options.healthCheck
-      }
-    },
-    name: options.name || `Load Balancer: ${Array.isArray(domains) ? domains.join(', ') : domains}`,
-    priority: options.priority || 50
-  };
-  
-  return mergeRouteConfigs(baseRoute, lbRoute);
-}
-
-/**
- * Create a rate limiting route pattern
- * @param baseRoute Base route to add rate limiting to
- * @param rateLimit Rate limiting configuration
- * @returns Route with rate limiting
- */
-export function addRateLimiting(
-  baseRoute: IRouteConfig,
-  rateLimit: {
-    maxRequests: number;
-    window: number; // Time window in seconds
-    keyBy?: 'ip' | 'path' | 'header';
-    headerName?: string; // Required if keyBy is 'header'
-    errorMessage?: string;
-  }
-): IRouteConfig {
-  return mergeRouteConfigs(baseRoute, {
-    security: {
-      rateLimit: {
-        enabled: true,
-        maxRequests: rateLimit.maxRequests,
-        window: rateLimit.window,
-        keyBy: rateLimit.keyBy || 'ip',
-        headerName: rateLimit.headerName,
-        errorMessage: rateLimit.errorMessage || 'Rate limit exceeded. Please try again later.'
-      }
-    }
-  });
-}
-
-/**
- * Create a basic authentication route pattern
- * @param baseRoute Base route to add authentication to
- * @param auth Authentication configuration
- * @returns Route with basic authentication
- */
-export function addBasicAuth(
-  baseRoute: IRouteConfig,
-  auth: {
-    users: Array<{ username: string; password: string }>;
-    realm?: string;
-    excludePaths?: string[];
-  }
-): IRouteConfig {
-  return mergeRouteConfigs(baseRoute, {
-    security: {
-      basicAuth: {
-        enabled: true,
-        users: auth.users,
-        realm: auth.realm || 'Restricted Area',
-        excludePaths: auth.excludePaths || []
-      }
-    }
-  });
-}
-
-/**
- * Create a JWT authentication route pattern
- * @param baseRoute Base route to add JWT authentication to
- * @param jwt JWT authentication configuration
- * @returns Route with JWT authentication
- */
-export function addJwtAuth(
-  baseRoute: IRouteConfig,
-  jwt: {
-    secret: string;
-    algorithm?: string;
-    issuer?: string;
-    audience?: string;
-    expiresIn?: number; // Time in seconds
-    excludePaths?: string[];
-  }
-): IRouteConfig {
-  return mergeRouteConfigs(baseRoute, {
-    security: {
-      jwtAuth: {
-        enabled: true,
-        secret: jwt.secret,
-        algorithm: jwt.algorithm || 'HS256',
-        issuer: jwt.issuer,
-        audience: jwt.audience,
-        expiresIn: jwt.expiresIn,
-        excludePaths: jwt.excludePaths || []
-      }
-    }
-  });
-}
Author	SHA1	Message	Date
Juergen Kunz	c84947068c	BREAKING_CHANGE(core): remove legacy forwarding module in favor of route-based system Some checks failed Default (tags) / security (push) Successful in 50s Details Default (tags) / test (push) Failing after 30m40s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details - Removed the forwarding namespace export from main index - Removed TForwardingType and all forwarding handlers - Consolidated route helper functions into route-helpers.ts - All functionality is now available through the route-based system - Users must migrate from forwarding.* imports to direct route helper imports	2025-07-21 18:44:59 +00:00
Juergen Kunz	26f7431111	fix(docs): update documentation to improve clarity Some checks failed Default (tags) / security (push) Successful in 51s Details Default (tags) / test (push) Failing after 31m10s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-07-21 12:23:22 +00:00
Juergen Kunz	aa6ddbc4a6	BREAKING_CHANGE(routing): refactor route configuration to support multiple targets Some checks failed Default (tags) / security (push) Successful in 53s Details Default (tags) / test (push) Failing after 31m2s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-07-21 08:52:07 +00:00