15.0.3

changelog.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## 2025-05-10 - 15.0.0 - BREAKING CHANGE(documentation)
+Update readme documentation to comprehensively describe the new unified route-based configuration system in v14.0.0
+
+- Added detailed description of IRouteConfig, IRouteMatch, and IRouteAction interfaces
+- Improved explanation of port, domain, path, client IP, and TLS version matching features
+- Included examples of helper functions (createHttpRoute, createHttpsRoute, etc.) with usage of template variables
+- Enhanced migration guide from legacy configurations to the new match/action pattern
+- Updated examples and tests to reflect the new documentation structure
+
+## 2025-05-09 - 13.1.3 - fix(documentation)
+Update readme.md to provide a unified and comprehensive overview of SmartProxy, with reorganized sections, enhanced diagrams, and detailed usage examples for various proxy scenarios.
+
+- Reorganized key sections to clearly list Primary API, Helper Functions, Specialized Components, and Core Utilities.
+- Added detailed Quick Start examples covering API Gateway, automatic HTTPS, load balancing, wildcard subdomain support, and comprehensive proxy server setups.
+- Included updated architecture flow diagrams and explanations of Unified Forwarding System and ACME integration.
+- Improved clarity and consistency across documentation, with revised formatting and expanded descriptions.
+
 ## 2025-05-09 - 13.1.2 - fix(docs)
 Update readme to reflect updated interface and type naming conventions
 

package.json

@@ -1,8 +1,8 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "13.1.2",
+  "version": "15.0.3",
   "private": false,
-  "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
+  "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",
   "typings": "dist_ts/index.d.ts",
   "type": "module",

readme.plan.md

@@ -1,255 +1,316 @@
-# SmartProxy Interface & Type Naming Standardization Plan
+# SmartProxy Fully Unified Configuration Plan (Updated)
 
 ## Project Goal
-Standardize interface and type naming throughout the SmartProxy codebase to improve maintainability, readability, and developer experience by:
-1. Ensuring all interfaces are prefixed with "I"
-2. Ensuring all type aliases are prefixed with "T"
-3. Maintaining backward compatibility through type aliases
-4. Updating documentation to reflect naming conventions
+Redesign SmartProxy's configuration for a more elegant, unified, and comprehensible approach by:
+1. Creating a single, unified configuration model that covers both "where to listen" and "how to forward"
+2. Eliminating the confusion between domain configs and port forwarding
+3. Providing a clear, declarative API that makes the intent obvious
+4. Enhancing maintainability and extensibility for future features
+5. Completely removing legacy code to eliminate technical debt
 
-## Phase 2: Core Module Standardization
+## Current Issues
 
-- [ ] Update core module interfaces and types
-  - [ ] Rename interfaces in `ts/core/models/common-types.ts`
-    - [ ] `AcmeOptions` → `IAcmeOptions`
-    - [ ] `DomainOptions` → `IDomainOptions`
-    - [ ] Other common interfaces
-  - [ ] Add backward compatibility aliases
-  - [ ] Update imports throughout core module
+The current approach has several issues:
 
-- [ ] Update core utility type definitions
-  - [ ] Update `ts/core/utils/validation-utils.ts`
-  - [ ] Update `ts/core/utils/ip-utils.ts`
-  - [ ] Standardize event type definitions
+1. **Dual Configuration Systems**:
+   - Port configuration (`fromPort`, `toPort`, `globalPortRanges`) for "where to listen"
+   - Domain configuration (`domainConfigs`) for "how to forward"
+   - Unclear relationship between these two systems
 
-- [ ] Test core module changes
-  - [ ] Run unit tests for core modules
-  - [ ] Verify type compatibility
-  - [ ] Ensure backward compatibility
+2. **Mixed Concerns**:
+   - Port management is mixed with forwarding logic
+   - Domain routing is separated from port listening
+   - Security settings defined in multiple places
 
-## Phase 3: Certificate Module Standardization
+3. **Complex Logic**:
+   - PortRangeManager must coordinate with domain configuration
+   - Implicit rules for handling connections based on port and domain
 
-- [ ] Update certificate interfaces
-  - [ ] Rename interfaces in `ts/certificate/models/certificate-types.ts`
-    - [ ] `CertificateData` → `ICertificateData`
-    - [ ] `Certificates` → `ICertificates`
-    - [ ] `CertificateFailure` → `ICertificateFailure`
-    - [ ] `CertificateExpiring` → `ICertificateExpiring`
-    - [ ] `ForwardConfig` → `IForwardConfig`
-    - [ ] `DomainForwardConfig` → `IDomainForwardConfig`
-  - [ ] Update ACME challenge interfaces
-  - [ ] Standardize storage provider interfaces
+4. **Difficult to Understand and Configure**:
+   - Two separate configuration hierarchies that must work together
+   - Unclear which settings take precedence
 
-- [ ] Ensure certificate provider compatibility
-  - [ ] Update provider implementations
-  - [ ] Rename internal interfaces
-  - [ ] Maintain public API compatibility
+## Proposed Solution: Fully Unified Routing Configuration
 
-- [ ] Test certificate module
-  - [ ] Verify ACME functionality
-  - [ ] Test certificate provisioning
-  - [ ] Validate challenge handling
+Replace both port and domain configuration with a single, unified configuration:
 
-## Phase 4: Forwarding System Standardization
+```typescript
+// The core unified configuration interface
+interface IRouteConfig {
+  // What to match
+  match: {
+    // Listen on these ports (required)
+    ports: number | number[] | Array<{ from: number, to: number }>;
+    
+    // Optional domain patterns to match (default: all domains)
+    domains?: string | string[];
+    
+    // Advanced matching criteria
+    path?: string;           // Match specific paths
+    clientIp?: string[];     // Match specific client IPs
+    tlsVersion?: string[];   // Match specific TLS versions
+  };
+  
+  // What to do with matched traffic
+  action: {
+    // Basic routing
+    type: 'forward' | 'redirect' | 'block';
+    
+    // Target for forwarding
+    target?: {
+      host: string | string[];  // Support single host or round-robin
+      port: number;
+      preservePort?: boolean;   // Use incoming port as target port
+    };
+    
+    // TLS handling
+    tls?: {
+      mode: 'passthrough' | 'terminate' | 'terminate-and-reencrypt';
+      certificate?: 'auto' | {   // Auto = use ACME
+        key: string;
+        cert: string;
+      };
+    };
+    
+    // For redirects
+    redirect?: {
+      to: string;            // URL or template with {domain}, {port}, etc.
+      status: 301 | 302 | 307 | 308;
+    };
+    
+    // Security options
+    security?: {
+      allowedIps?: string[];
+      blockedIps?: string[];
+      maxConnections?: number;
+      authentication?: {
+        type: 'basic' | 'digest' | 'oauth';
+        // Auth-specific options
+      };
+    };
+    
+    // Advanced options
+    advanced?: {
+      timeout?: number;
+      headers?: Record<string, string>;
+      keepAlive?: boolean;
+      // etc.
+    };
+  };
+  
+  // Optional metadata
+  name?: string;             // Human-readable name for this route
+  description?: string;      // Description of the route's purpose
+  priority?: number;         // Controls matching order (higher = matched first)
+  tags?: string[];           // Arbitrary tags for categorization
+}
 
-- [ ] Update forwarding configuration interfaces
-  - [ ] Rename interfaces in `ts/forwarding/config/forwarding-types.ts`
-    - [ ] `TargetConfig` → `ITargetConfig`
-    - [ ] `HttpOptions` → `IHttpOptions`
-    - [ ] `HttpsOptions` → `IHttpsOptions`
-    - [ ] `AcmeForwardingOptions` → `IAcmeForwardingOptions`
-    - [ ] `SecurityOptions` → `ISecurityOptions`
-    - [ ] `AdvancedOptions` → `IAdvancedOptions`
-    - [ ] `ForwardConfig` → `IForwardConfig`
-  - [ ] Rename type definitions
-    - [ ] `ForwardingType` → `TForwardingType`
-  - [ ] Update domain configuration interfaces
+// Main SmartProxy options
+interface ISmartProxyOptions {
+  // The unified configuration array (required)
+  routes: IRouteConfig[];
+  
+  // Global/default settings
+  defaults?: {
+    target?: {
+      host: string;
+      port: number;
+    };
+    security?: {
+      // Global security defaults
+    };
+    tls?: {
+      // Global TLS defaults
+    };
+    // ...other defaults
+  };
+  
+  // Other global settings remain (acme, etc.)
+  acme?: IAcmeOptions;
+  
+  // Advanced settings remain as well
+  // ...
+}
+```
 
-- [ ] Standardize handler interfaces
-  - [ ] Update base handler interfaces
-  - [ ] Rename handler-specific interfaces
-  - [ ] Update factory interfaces
+## Revised Implementation Plan
 
-- [ ] Verify forwarding system functionality
-  - [ ] Test all forwarding types
-  - [ ] Verify configuration parsing
-  - [ ] Ensure backward compatibility
+### Phase 1: Core Design & Interface Definition
 
-## Phase 5: Proxy Implementation Standardization
+1. **Define New Core Interfaces**:
+   - Create `IRouteConfig` interface with `match` and `action` branches
+   - Define all sub-interfaces for matching and actions
+   - Create new `ISmartProxyOptions` to use `routes` array exclusively
+   - Define template variable system for dynamic values
 
-- [ ] Update SmartProxy interfaces
-  - [ ] Rename interfaces in `ts/proxies/smart-proxy/models/interfaces.ts`
-  - [ ] Update domain configuration interfaces
-  - [ ] Standardize manager interfaces
+2. **Create Helper Functions**:
+   - `createRoute()` - Basic route creation with reasonable defaults
+   - `createHttpRoute()`, `createHttpsRoute()`, `createRedirect()` - Common scenarios
+   - `createLoadBalancer()` - For multi-target setups
+   - `mergeSecurity()`, `mergeDefaults()` - For combining configs
 
-- [ ] Update NetworkProxy interfaces
-  - [ ] Rename in `ts/proxies/network-proxy/models/types.ts`
-    - [ ] `NetworkProxyOptions` → `INetworkProxyOptions`
-    - [ ] `CertificateEntry` → `ICertificateEntry`
-    - [ ] `ReverseProxyConfig` → `IReverseProxyConfig`
-    - [ ] `ConnectionEntry` → `IConnectionEntry`
-    - [ ] `WebSocketWithHeartbeat` → `IWebSocketWithHeartbeat`
-    - [ ] `Logger` → `ILogger`
-  - [ ] Update request handler interfaces
-  - [ ] Standardize connection interfaces
+3. **Design Router**:
+   - Decision tree for route matching algorithm
+   - Priority system for route ordering
+   - Optimized lookup strategy for fast routing
 
-- [ ] Update NfTablesProxy interfaces
-  - [ ] Rename interfaces in `ts/proxies/nftables-proxy/models/interfaces.ts`
-  - [ ] Update configuration interfaces
-  - [ ] Standardize firewall rule interfaces
+### Phase 2: Core Implementation
 
-- [ ] Test proxy implementations
-  - [ ] Verify SmartProxy functionality
-  - [ ] Test NetworkProxy with renamed interfaces
-  - [ ] Validate NfTablesProxy operations
+1. **Create RouteManager**:
+   - Build a new RouteManager to replace both PortRangeManager and DomainConfigManager
+   - Implement port and domain matching in one unified system
+   - Create efficient route lookup algorithms
 
-## Phase 6: HTTP & TLS Module Standardization
+2. **Implement New ConnectionHandler**:
+   - Create a new ConnectionHandler built from scratch for routes
+   - Implement the routing logic with the new match/action pattern
+   - Support template processing for headers and other dynamic values
 
-- [ ] Update HTTP interfaces
-  - [ ] Rename in `ts/http/port80/acme-interfaces.ts`
-    - [ ] `SmartAcmeCert` → `ISmartAcmeCert`
-    - [ ] `SmartAcmeOptions` → `ISmartAcmeOptions`
-    - [ ] `Http01Challenge` → `IHttp01Challenge`
-    - [ ] `SmartAcme` → `ISmartAcme`
-  - [ ] Standardize router interfaces
-  - [ ] Update port80 handler interfaces
-  - [ ] Update redirect interfaces
+3. **Implement New SmartProxy Core**:
+   - Create new SmartProxy implementation using routes exclusively
+   - Build network servers based on port specifications
+   - Manage TLS contexts and certificates
 
-- [ ] Update TLS/SNI interfaces
-  - [ ] Standardize SNI handler interfaces
-  - [ ] Update client hello parser types
-  - [ ] Rename TLS alert interfaces
+### Phase 3: Legacy Code Removal
 
-- [ ] Test HTTP & TLS functionality
-  - [ ] Verify router operation
-  - [ ] Test SNI extraction
-  - [ ] Validate redirect functionality
+1. **Identify Legacy Components**:
+   - Create an inventory of all files and components to be removed
+   - Document dependencies between legacy components
+   - Create a removal plan that minimizes disruption
 
-## Phase 7: Backward Compatibility Layer
+2. **Remove Legacy Components**:
+   - Remove PortRangeManager and related code
+   - Remove DomainConfigManager and related code
+   - Remove old ConnectionHandler implementation
+   - Remove other legacy components
 
-- [ ] Implement comprehensive type aliases
-  - [ ] Create aliases for all renamed interfaces
-  - [ ] Add deprecation notices via JSDoc
-  - [ ] Ensure all exports include both named versions
+3. **Clean Interface Adaptations**:
+   - Remove all legacy interfaces and types
+   - Update type exports to only expose route-based interfaces
+   - Remove any adapter or backward compatibility code
 
-- [ ] Update main entry point
-  - [ ] Update `ts/index.ts` with all exports
-  - [ ] Include both prefixed and non-prefixed names
-  - [ ] Organize exports by module
+### Phase 4: Updated Documentation & Examples
 
-- [ ] Add compatibility documentation
-  - [ ] Document renaming strategy
-  - [ ] Provide migration examples
-  - [ ] Create deprecation timeline
+1. **Update Core Documentation**:
+   - Rewrite README.md with a focus on route-based configuration exclusively
+   - Create interface reference documentation
+   - Document all template variables
 
-## Phase 8: Documentation & Examples
+2. **Create Example Library**:
+   - Common configuration patterns using the new API
+   - Complex use cases for advanced features
+   - Infrastructure-as-code examples
 
-- [ ] Update README and API documentation
-  - [ ] Update interface references in README.md
-  - [ ] Document naming convention in README.md
-  - [ ] Update API reference documentation
+3. **Add Validation Tools**:
+   - Configuration validator to check for issues
+   - Schema definitions for IDE autocomplete
+   - Runtime validation helpers
 
-- [ ] Update examples
-  - [ ] Modify example code to use new interface names
-  - [ ] Add compatibility notes
-  - [ ] Create migration examples
+### Phase 5: Testing
 
-- [ ] Add contributor guidelines
-  - [ ] Document naming conventions
-  - [ ] Add interface/type style guide
-  - [ ] Update PR templates
+1. **Unit Tests**:
+   - Test route matching logic
+   - Validate priority handling
+   - Test template processing
 
-## Phase 9: Testing & Validation
+2. **Integration Tests**:
+   - Verify full proxy flows with the new system
+   - Test complex routing scenarios
+   - Ensure all features work as expected
 
-- [ ] Run comprehensive test suite
-  - [ ] Run all unit tests
-  - [ ] Execute integration tests
-  - [ ] Verify example code
-
-- [ ] Build type declarations
-  - [ ] Generate TypeScript declaration files
-  - [ ] Verify exported types
-  - [ ] Validate documentation generation
-
-- [ ] Final compatibility check
-  - [ ] Verify import compatibility
-  - [ ] Test with existing dependent projects
-  - [ ] Validate backward compatibility claims
+3. **Performance Testing**:
+   - Benchmark routing performance
+   - Evaluate memory usage
+   - Test with large numbers of routes
 
 ## Implementation Strategy
 
-### Naming Pattern Rules
+### Code Organization
 
-1. **Interfaces**:
-   - All interfaces should be prefixed with "I"
-   - Example: `DomainConfig` → `IDomainConfig`
+1. **New Files**:
+   - `route-config.ts` - Core route interfaces
+   - `route-manager.ts` - Route matching and management
+   - `route-connection-handler.ts` - Connection handling with routes
+   - `route-smart-proxy.ts` - Main SmartProxy implementation
+   - `template-engine.ts` - For variable substitution
 
-2. **Type Aliases**:
-   - All type aliases should be prefixed with "T"
-   - Example: `ForwardingType` → `TForwardingType`
+2. **File Removal**:
+   - Remove `port-range-manager.ts`
+   - Remove `domain-config-manager.ts`
+   - Remove legacy interfaces and adapter code
+   - Remove backward compatibility shims
 
-3. **Enums**:
-   - Enums should be named in PascalCase without prefix
-   - Example: `CertificateSource`
+### Transition Strategy
 
-4. **Backward Compatibility**:
-   - No Backward compatibility. Remove old names.
+1. **Breaking Change Approach**:
+   - This will be a major version update with breaking changes
+   - No backward compatibility will be maintained
+   - Clear migration documentation will guide users to the new API
 
-### Module Implementation Order
+2. **Package Structure**:
+   - `@push.rocks/smartproxy` package will be updated to v14.0.0
+   - Legacy code fully removed, only route-based API exposed
+   - Support documentation provided for migration
 
-1. Core module
-2. Certificate module
-3. Forwarding module
-4. Proxy implementations
-5. HTTP & TLS modules
-6. Main exports and entry points
+3. **Migration Documentation**:
+   - Provide a migration guide with examples
+   - Show equivalent route configurations for common legacy patterns
+   - Offer code transformation helpers for complex setups
 
-### Testing Strategy
+## Benefits of the Clean Approach
 
-For each module:
-1. Rename interfaces and types
-2. Add backward compatibility aliases
-3. Update imports throughout the module
-4. Run tests to verify functionality
-5. Commit changes module by module
+1. **Reduced Complexity**:
+   - No overlapping or conflicting configuration systems
+   - No dual maintenance of backward compatibility code
+   - Simplified internal architecture
 
-## File-Specific Changes
+2. **Cleaner Code Base**:
+   - Removal of technical debt
+   - Better separation of concerns
+   - More maintainable codebase
 
-### Core Module Files
-- `ts/core/models/common-types.ts` - Primary interfaces
-- `ts/core/utils/validation-utils.ts` - Validation type definitions
-- `ts/core/utils/ip-utils.ts` - IP utility type definitions
-- `ts/core/utils/event-utils.ts` - Event type definitions 
+3. **Better User Experience**:
+   - Consistent, predictable API
+   - No confusing overlapping options
+   - Clear documentation of one approach, not two
 
-### Certificate Module Files
-- `ts/certificate/models/certificate-types.ts` - Certificate interfaces
-- `ts/certificate/acme/acme-factory.ts` - ACME factory types
-- `ts/certificate/providers/cert-provisioner.ts` - Provider interfaces
-- `ts/certificate/storage/file-storage.ts` - Storage interfaces
+4. **Future-Proof Design**:
+   - Easier to extend with new features
+   - Better performance without legacy overhead
+   - Cleaner foundation for future enhancements
 
-### Forwarding Module Files
-- `ts/forwarding/config/forwarding-types.ts` - Forwarding interfaces and types
-- `ts/forwarding/config/domain-config.ts` - Domain configuration
-- `ts/forwarding/factory/forwarding-factory.ts` - Factory interfaces
-- `ts/forwarding/handlers/*.ts` - Handler interfaces
+## Migration Support
 
-### Proxy Module Files
-- `ts/proxies/network-proxy/models/types.ts` - NetworkProxy interfaces
-- `ts/proxies/smart-proxy/models/interfaces.ts` - SmartProxy interfaces
-- `ts/proxies/nftables-proxy/models/interfaces.ts` - NfTables interfaces
-- `ts/proxies/smart-proxy/connection-manager.ts` - Connection types
+While we're removing backward compatibility from the codebase, we'll provide extensive migration support:
 
-### HTTP/TLS Module Files
-- `ts/http/models/http-types.ts` - HTTP module interfaces
-- `ts/http/port80/acme-interfaces.ts` - ACME interfaces
-- `ts/tls/sni/client-hello-parser.ts` - TLS parser types
-- `ts/tls/alerts/tls-alert.ts` - TLS alert interfaces
+1. **Migration Guide**:
+   - Detailed documentation on moving from legacy to route-based config
+   - Pattern-matching examples for all common use cases
+   - Troubleshooting guide for common migration issues
 
-## Success Criteria
+2. **Conversion Tool**:
+   - Provide a standalone one-time conversion tool
+   - Takes legacy configuration and outputs route-based equivalents
+   - Will not be included in the main package to avoid bloat
 
-- All interfaces are prefixed with "I"
-- All type aliases are prefixed with "T"
-- All tests pass with new naming conventions
-- Documentation is updated with new naming conventions
-- Backward compatibility is maintained through type aliases
-- Declaration files correctly export both naming conventions
+3. **Version Policy**:
+   - Maintain the legacy version (13.x) for security updates
+   - Make the route-based version a clear major version change (14.0.0)
+   - Clearly communicate the breaking changes
+
+## Timeline and Versioning
+
+1. **Development**:
+   - Develop route-based implementation in a separate branch
+   - Complete full test coverage of new implementation
+   - Ensure documentation is complete
+
+2. **Release**:
+   - Release as version 14.0.0
+   - Clearly mark as breaking change
+   - Provide migration guide at release time
+
+3. **Support**:
+   - Offer extended support for migration questions
+   - Consider maintaining security updates for v13.x for 6 months
+   - Focus active development on route-based version only

test/test.route-config.ts

@@ -0,0 +1,181 @@
+/**
+ * Tests for the new route-based configuration system
+ */
+import { expect, tap } from '@push.rocks/tapbundle';
+
+// Import from core modules
+import {
+  SmartProxy,
+  createHttpRoute,
+  createHttpsRoute,
+  createPassthroughRoute,
+  createRedirectRoute,
+  createHttpToHttpsRedirect,
+  createHttpsServer,
+  createLoadBalancerRoute
+} from '../ts/proxies/smart-proxy/index.js';
+
+// Import test helpers
+import { loadTestCertificates } from './helpers/certificates.js';
+
+tap.test('Routes: Should create basic HTTP route', async () => {
+  // Create a simple HTTP route
+  const httpRoute = createHttpRoute({
+    ports: 8080,
+    domains: 'example.com',
+    target: {
+      host: 'localhost',
+      port: 3000
+    },
+    name: 'Basic HTTP Route'
+  });
+
+  // Validate the route configuration
+  expect(httpRoute.match.ports).toEqual(8080);
+  expect(httpRoute.match.domains).toEqual('example.com');
+  expect(httpRoute.action.type).toEqual('forward');
+  expect(httpRoute.action.target?.host).toEqual('localhost');
+  expect(httpRoute.action.target?.port).toEqual(3000);
+  expect(httpRoute.name).toEqual('Basic HTTP Route');
+});
+
+tap.test('Routes: Should create HTTPS route with TLS termination', async () => {
+  // Create an HTTPS route with TLS termination
+  const httpsRoute = createHttpsRoute({
+    domains: 'secure.example.com',
+    target: {
+      host: 'localhost',
+      port: 8080
+    },
+    certificate: 'auto',
+    name: 'HTTPS Route'
+  });
+
+  // Validate the route configuration
+  expect(httpsRoute.match.ports).toEqual(443); // Default HTTPS port
+  expect(httpsRoute.match.domains).toEqual('secure.example.com');
+  expect(httpsRoute.action.type).toEqual('forward');
+  expect(httpsRoute.action.tls?.mode).toEqual('terminate');
+  expect(httpsRoute.action.tls?.certificate).toEqual('auto');
+  expect(httpsRoute.action.target?.host).toEqual('localhost');
+  expect(httpsRoute.action.target?.port).toEqual(8080);
+  expect(httpsRoute.name).toEqual('HTTPS Route');
+});
+
+tap.test('Routes: Should create HTTP to HTTPS redirect', async () => {
+  // Create an HTTP to HTTPS redirect
+  const redirectRoute = createHttpToHttpsRedirect({
+    domains: 'example.com',
+    statusCode: 301
+  });
+
+  // Validate the route configuration
+  expect(redirectRoute.match.ports).toEqual(80);
+  expect(redirectRoute.match.domains).toEqual('example.com');
+  expect(redirectRoute.action.type).toEqual('redirect');
+  expect(redirectRoute.action.redirect?.to).toEqual('https://{domain}{path}');
+  expect(redirectRoute.action.redirect?.status).toEqual(301);
+});
+
+tap.test('Routes: Should create complete HTTPS server with redirects', async () => {
+  // Create a complete HTTPS server setup
+  const routes = createHttpsServer({
+    domains: 'example.com',
+    target: {
+      host: 'localhost',
+      port: 8080
+    },
+    certificate: 'auto',
+    addHttpRedirect: true
+  });
+
+  // Validate that we got two routes (HTTPS route and HTTP redirect)
+  expect(routes.length).toEqual(2);
+
+  // Validate HTTPS route
+  const httpsRoute = routes[0];
+  expect(httpsRoute.match.ports).toEqual(443);
+  expect(httpsRoute.match.domains).toEqual('example.com');
+  expect(httpsRoute.action.type).toEqual('forward');
+  expect(httpsRoute.action.tls?.mode).toEqual('terminate');
+
+  // Validate HTTP redirect route
+  const redirectRoute = routes[1];
+  expect(redirectRoute.match.ports).toEqual(80);
+  expect(redirectRoute.action.type).toEqual('redirect');
+  expect(redirectRoute.action.redirect?.to).toEqual('https://{domain}{path}');
+});
+
+tap.test('Routes: Should create load balancer route', async () => {
+  // Create a load balancer route
+  const lbRoute = createLoadBalancerRoute({
+    domains: 'app.example.com',
+    targets: ['10.0.0.1', '10.0.0.2', '10.0.0.3'],
+    targetPort: 8080,
+    tlsMode: 'terminate',
+    certificate: 'auto',
+    name: 'Load Balanced Route'
+  });
+
+  // Validate the route configuration
+  expect(lbRoute.match.domains).toEqual('app.example.com');
+  expect(lbRoute.action.type).toEqual('forward');
+  expect(Array.isArray(lbRoute.action.target?.host)).toBeTrue();
+  expect((lbRoute.action.target?.host as string[]).length).toEqual(3);
+  expect((lbRoute.action.target?.host as string[])[0]).toEqual('10.0.0.1');
+  expect(lbRoute.action.target?.port).toEqual(8080);
+  expect(lbRoute.action.tls?.mode).toEqual('terminate');
+});
+
+tap.test('SmartProxy: Should create instance with route-based config', async () => {
+  // Create TLS certificates for testing
+  const certs = loadTestCertificates();
+
+  // Create a SmartProxy instance with route-based configuration
+  const proxy = new SmartProxy({
+    routes: [
+      createHttpRoute({
+        ports: 8080,
+        domains: 'example.com',
+        target: {
+          host: 'localhost',
+          port: 3000
+        },
+        name: 'HTTP Route'
+      }),
+      createHttpsRoute({
+        domains: 'secure.example.com',
+        target: {
+          host: 'localhost',
+          port: 8443
+        },
+        certificate: {
+          key: certs.privateKey,
+          cert: certs.publicKey
+        },
+        name: 'HTTPS Route'
+      })
+    ],
+    defaults: {
+      target: {
+        host: 'localhost',
+        port: 8080
+      },
+      security: {
+        allowedIPs: ['127.0.0.1', '192.168.0.*'],
+        maxConnections: 100
+      }
+    },
+    // Additional settings
+    initialDataTimeout: 10000,
+    inactivityTimeout: 300000,
+    enableDetailedLogging: true
+  });
+
+  // Simply verify the instance was created successfully
+  expect(typeof proxy).toEqual('object');
+  expect(typeof proxy.start).toEqual('function');
+  expect(typeof proxy.stop).toEqual('function');
+});
+
+export default tap.start();

test/test.smartproxy.ts

@@ -66,13 +66,25 @@ function createTestClient(port: number, data: string): Promise<string> {
 tap.test('setup port proxy test environment', async () => {
   testServer = await createTestServer(TEST_SERVER_PORT);
   smartProxy = new SmartProxy({
-    fromPort: PROXY_PORT,
-    toPort: TEST_SERVER_PORT,
-    targetIP: 'localhost',
-    domainConfigs: [],
-    sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1'],
-    globalPortRanges: []
+    routes: [
+      {
+        match: {
+          ports: PROXY_PORT
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: 'localhost',
+            port: TEST_SERVER_PORT
+          }
+        }
+      }
+    ],
+    defaults: {
+      security: {
+        allowedIPs: ['127.0.0.1']
+      }
+    }
   });
   allProxies.push(smartProxy); // Track this proxy
 });
@@ -92,13 +104,25 @@ tap.test('should forward TCP connections and data to localhost', async () => {
 // Test proxy with a custom target host.
 tap.test('should forward TCP connections to custom host', async () => {
   const customHostProxy = new SmartProxy({
-    fromPort: PROXY_PORT + 1,
-    toPort: TEST_SERVER_PORT,
-    targetIP: '127.0.0.1',
-    domainConfigs: [],
-    sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1'],
-    globalPortRanges: []
+    routes: [
+      {
+        match: {
+          ports: PROXY_PORT + 1
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: '127.0.0.1',
+            port: TEST_SERVER_PORT
+          }
+        }
+      }
+    ],
+    defaults: {
+      security: {
+        allowedIPs: ['127.0.0.1']
+      }
+    }
   });
   allProxies.push(customHostProxy); // Track this proxy
   
@@ -125,14 +149,25 @@ tap.test('should forward connections to custom IP', async () => {
   // We're simulating routing to a different IP by using a different port
   // This tests the core functionality without requiring multiple IPs
   const domainProxy = new SmartProxy({
-    fromPort: forcedProxyPort,  // 4003 - Listen on this port
-    toPort: targetServerPort,   // 4200 - Forward to this port
-    targetIP: '127.0.0.1',      // Always use localhost (works in Docker)
-    domainConfigs: [],          // No domain configs to confuse things
-    sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1'], // Allow localhost
-    // We'll test the functionality WITHOUT port ranges this time
-    globalPortRanges: []
+    routes: [
+      {
+        match: {
+          ports: forcedProxyPort
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: '127.0.0.1',
+            port: targetServerPort
+          }
+        }
+      }
+    ],
+    defaults: {
+      security: {
+        allowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+      }
+    }
   });
   allProxies.push(domainProxy); // Track this proxy
 
@@ -208,22 +243,46 @@ tap.test('should stop port proxy', async () => {
 tap.test('should support optional source IP preservation in chained proxies', async () => {
   // Chained proxies without IP preservation.
   const firstProxyDefault = new SmartProxy({
-    fromPort: PROXY_PORT + 4,
-    toPort: PROXY_PORT + 5,
-    targetIP: 'localhost',
-    domainConfigs: [],
-    sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1'],
-    globalPortRanges: []
+    routes: [
+      {
+        match: {
+          ports: PROXY_PORT + 4
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: 'localhost',
+            port: PROXY_PORT + 5
+          }
+        }
+      }
+    ],
+    defaults: {
+      security: {
+        allowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+      }
+    }
   });
   const secondProxyDefault = new SmartProxy({
-    fromPort: PROXY_PORT + 5,
-    toPort: TEST_SERVER_PORT,
-    targetIP: 'localhost',
-    domainConfigs: [],
-    sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1', '::ffff:127.0.0.1'],
-    globalPortRanges: []
+    routes: [
+      {
+        match: {
+          ports: PROXY_PORT + 5
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: 'localhost',
+            port: TEST_SERVER_PORT
+          }
+        }
+      }
+    ],
+    defaults: {
+      security: {
+        allowedIPs: ['127.0.0.1', '::ffff:127.0.0.1']
+      }
+    }
   });
   
   allProxies.push(firstProxyDefault, secondProxyDefault); // Track these proxies
@@ -243,24 +302,50 @@ tap.test('should support optional source IP preservation in chained proxies', as
 
   // Chained proxies with IP preservation.
   const firstProxyPreserved = new SmartProxy({
-    fromPort: PROXY_PORT + 6,
-    toPort: PROXY_PORT + 7,
-    targetIP: 'localhost',
-    domainConfigs: [],
-    sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1'],
-    preserveSourceIP: true,
-    globalPortRanges: []
+    routes: [
+      {
+        match: {
+          ports: PROXY_PORT + 6
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: 'localhost',
+            port: PROXY_PORT + 7
+          }
+        }
+      }
+    ],
+    defaults: {
+      security: {
+        allowedIPs: ['127.0.0.1']
+      },
+      preserveSourceIP: true
+    },
+    preserveSourceIP: true
   });
   const secondProxyPreserved = new SmartProxy({
-    fromPort: PROXY_PORT + 7,
-    toPort: TEST_SERVER_PORT,
-    targetIP: 'localhost',
-    domainConfigs: [],
-    sniEnabled: false,
-    defaultAllowedIPs: ['127.0.0.1'],
-    preserveSourceIP: true,
-    globalPortRanges: []
+    routes: [
+      {
+        match: {
+          ports: PROXY_PORT + 7
+        },
+        action: {
+          type: 'forward',
+          target: {
+            host: 'localhost',
+            port: TEST_SERVER_PORT
+          }
+        }
+      }
+    ],
+    defaults: {
+      security: {
+        allowedIPs: ['127.0.0.1']
+      },
+      preserveSourceIP: true
+    },
+    preserveSourceIP: true
   });
   
   allProxies.push(firstProxyPreserved, secondProxyPreserved); // Track these proxies

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '13.1.2',
-  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
+  version: '15.0.0',
+  description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }

ts/proxies/smart-proxy/domain-config-manager.ts

@@ -3,6 +3,8 @@ import type { IDomainConfig, ISmartProxyOptions } from './models/interfaces.js';
 import type { TForwardingType, IForwardConfig } from '../../forwarding/config/forwarding-types.js';
 import type { ForwardingHandler } from '../../forwarding/handlers/base-handler.js';
 import { ForwardingHandlerFactory } from '../../forwarding/factory/forwarding-factory.js';
+import type { IRouteConfig } from './models/route-types.js';
+import { RouteManager } from './route-manager.js';
 
 /**
  * Manages domain configurations and target selection
@@ -14,13 +16,112 @@ export class DomainConfigManager {
   // Cache forwarding handlers for each domain config
   private forwardingHandlers: Map<IDomainConfig, ForwardingHandler> = new Map();
 
-  constructor(private settings: ISmartProxyOptions) {}
-  
+  // Store derived domain configs from routes
+  private derivedDomainConfigs: IDomainConfig[] = [];
+
+  // Reference to RouteManager for route-based configuration
+  private routeManager?: RouteManager;
+
+  constructor(private settings: ISmartProxyOptions) {
+    // Initialize with derived domain configs if using route-based configuration
+    if (settings.routes && !settings.domainConfigs) {
+      this.generateDomainConfigsFromRoutes();
+    }
+  }
+
+  /**
+   * Set the route manager reference for route-based queries
+   */
+  public setRouteManager(routeManager: RouteManager): void {
+    this.routeManager = routeManager;
+
+    // Regenerate domain configs from routes if needed
+    if (this.settings.routes && (!this.settings.domainConfigs || this.settings.domainConfigs.length === 0)) {
+      this.generateDomainConfigsFromRoutes();
+    }
+  }
+
+  /**
+   * Generate domain configs from routes
+   */
+  public generateDomainConfigsFromRoutes(): void {
+    this.derivedDomainConfigs = [];
+
+    if (!this.settings.routes) return;
+
+    for (const route of this.settings.routes) {
+      if (route.action.type !== 'forward' || !route.match.domains) continue;
+
+      // Convert route to domain config
+      const domainConfig = this.routeToDomainConfig(route);
+      if (domainConfig) {
+        this.derivedDomainConfigs.push(domainConfig);
+      }
+    }
+  }
+
+  /**
+   * Convert a route to a domain config
+   */
+  private routeToDomainConfig(route: IRouteConfig): IDomainConfig | null {
+    if (route.action.type !== 'forward' || !route.action.target) return null;
+
+    // Get domains from route
+    const domains = Array.isArray(route.match.domains) ?
+      route.match.domains :
+      (route.match.domains ? [route.match.domains] : []);
+
+    if (domains.length === 0) return null;
+
+    // Determine forwarding type based on TLS mode
+    let forwardingType: TForwardingType = 'http-only';
+    if (route.action.tls) {
+      switch (route.action.tls.mode) {
+        case 'passthrough':
+          forwardingType = 'https-passthrough';
+          break;
+        case 'terminate':
+          forwardingType = 'https-terminate-to-http';
+          break;
+        case 'terminate-and-reencrypt':
+          forwardingType = 'https-terminate-to-https';
+          break;
+      }
+    }
+
+    // Create domain config
+    return {
+      domains,
+      forwarding: {
+        type: forwardingType,
+        target: {
+          host: route.action.target.host,
+          port: route.action.target.port
+        },
+        security: route.action.security ? {
+          allowedIps: route.action.security.allowedIps,
+          blockedIps: route.action.security.blockedIps,
+          maxConnections: route.action.security.maxConnections
+        } : undefined,
+        https: route.action.tls && route.action.tls.certificate !== 'auto' ? {
+          customCert: route.action.tls.certificate
+        } : undefined,
+        advanced: route.action.advanced
+      }
+    };
+  }
+
   /**
    * Updates the domain configurations
    */
   public updateDomainConfigs(newDomainConfigs: IDomainConfig[]): void {
-    this.settings.domainConfigs = newDomainConfigs;
+    // If we're using domainConfigs property, update it
+    if (this.settings.domainConfigs) {
+      this.settings.domainConfigs = newDomainConfigs;
+    } else {
+      // Otherwise update our derived configs
+      this.derivedDomainConfigs = newDomainConfigs;
+    }
 
     // Reset target indices for removed configs
     const currentConfigSet = new Set(newDomainConfigs);
@@ -60,7 +161,8 @@ export class DomainConfigManager {
    * Get all domain configurations
    */
   public getDomainConfigs(): IDomainConfig[] {
-    return this.settings.domainConfigs;
+    // Use domainConfigs from settings if available, otherwise use derived configs
+    return this.settings.domainConfigs || this.derivedDomainConfigs;
   }
 
   /**
@@ -69,23 +171,64 @@ export class DomainConfigManager {
   public findDomainConfig(serverName: string): IDomainConfig | undefined {
     if (!serverName) return undefined;
 
-    return this.settings.domainConfigs.find((config) =>
-      config.domains.some((d) => plugins.minimatch(serverName, d))
-    );
+    // Get domain configs from the appropriate source
+    const domainConfigs = this.getDomainConfigs();
+
+    // Check for direct match
+    for (const config of domainConfigs) {
+      if (config.domains.some(d => plugins.minimatch(serverName, d))) {
+        return config;
+      }
+    }
+
+    // No match found
+    return undefined;
   }
 
   /**
    * Find domain config for a specific port
    */
   public findDomainConfigForPort(port: number): IDomainConfig | undefined {
-    return this.settings.domainConfigs.find(
-      (domain) => {
-        const portRanges = domain.forwarding?.advanced?.portRanges;
-        return portRanges &&
-               portRanges.length > 0 &&
-               this.isPortInRanges(port, portRanges);
+    // Get domain configs from the appropriate source
+    const domainConfigs = this.getDomainConfigs();
+
+    // Check if any domain config has a matching port range
+    for (const domain of domainConfigs) {
+      const portRanges = domain.forwarding?.advanced?.portRanges;
+      if (portRanges && portRanges.length > 0 && this.isPortInRanges(port, portRanges)) {
+        return domain;
       }
-    );
+    }
+
+    // If we're in route-based mode, also check routes for this port
+    if (this.settings.routes && (!this.settings.domainConfigs || this.settings.domainConfigs.length === 0)) {
+      const routesForPort = this.settings.routes.filter(route => {
+        // Check if this port is in the route's ports
+        if (typeof route.match.ports === 'number') {
+          return route.match.ports === port;
+        } else if (Array.isArray(route.match.ports)) {
+          return route.match.ports.some(p => {
+            if (typeof p === 'number') {
+              return p === port;
+            } else if (p.from && p.to) {
+              return port >= p.from && port <= p.to;
+            }
+            return false;
+          });
+        }
+        return false;
+      });
+
+      // If we found any routes for this port, convert the first one to a domain config
+      if (routesForPort.length > 0 && routesForPort[0].action.type === 'forward') {
+        const domainConfig = this.routeToDomainConfig(routesForPort[0]);
+        if (domainConfig) {
+          return domainConfig;
+        }
+      }
+    }
+
+    return undefined;
   }
   
   /**

ts/proxies/smart-proxy/index.ts

@@ -1,5 +1,7 @@
 /**
  * SmartProxy implementation
+ *
+ * Version 14.0.0: Unified Route-Based Configuration API
  */
 // Re-export models
 export * from './models/index.js';
@@ -7,12 +9,26 @@ export * from './models/index.js';
 // Export the main SmartProxy class
 export { SmartProxy } from './smart-proxy.js';
 
-// Export supporting classes
+// Export core supporting classes
 export { ConnectionManager } from './connection-manager.js';
 export { SecurityManager } from './security-manager.js';
-export { DomainConfigManager } from './domain-config-manager.js';
 export { TimeoutManager } from './timeout-manager.js';
 export { TlsManager } from './tls-manager.js';
 export { NetworkProxyBridge } from './network-proxy-bridge.js';
-export { PortRangeManager } from './port-range-manager.js';
-export { ConnectionHandler } from './connection-handler.js';
+
+// Export route-based components
+export { RouteManager } from './route-manager.js';
+export { RouteConnectionHandler } from './route-connection-handler.js';
+
+// Export route helpers for configuration
+export {
+  createRoute,
+  createHttpRoute,
+  createHttpsRoute,
+  createPassthroughRoute,
+  createRedirectRoute,
+  createHttpToHttpsRedirect,
+  createBlockRoute,
+  createLoadBalancerRoute,
+  createHttpsServer
+} from './route-helpers.js';

ts/proxies/smart-proxy/models/index.ts

@@ -2,3 +2,7 @@
  * SmartProxy models
  */
 export * from './interfaces.js';
+export * from './route-types.js';
+
+// Re-export IRoutedSmartProxyOptions explicitly to avoid ambiguity
+export type { ISmartProxyOptions as IRoutedSmartProxyOptions } from './interfaces.js';

ts/proxies/smart-proxy/models/interfaces.ts

@@ -1,5 +1,7 @@
 import * as plugins from '../../../plugins.js';
-import type { IForwardConfig } from '../../../forwarding/config/forwarding-types.js';
+import type { IAcmeOptions } from '../../../certificate/models/certificate-types.js';
+import type { IRouteConfig } from './route-types.js';
+import type { TForwardingType } from '../../../forwarding/config/forwarding-types.js';
 
 /**
  * Provision object for static or HTTP-01 certificate
@@ -7,27 +9,49 @@ import type { IForwardConfig } from '../../../forwarding/config/forwarding-types
 export type TSmartProxyCertProvisionObject = plugins.tsclass.network.ICert | 'http01';
 
 /**
- * Domain configuration with forwarding configuration
+ * Alias for backward compatibility with code that uses IRoutedSmartProxyOptions
  */
-export interface IDomainConfig {
-  domains: string[]; // Glob patterns for domain(s)
-  forwarding: IForwardConfig; // Unified forwarding configuration
+export type IRoutedSmartProxyOptions = ISmartProxyOptions;
+
+/**
+ * Helper functions for type checking configuration types
+ */
+export function isLegacyOptions(options: any): boolean {
+  // Legacy options are no longer supported
+  return false;
+}
+
+export function isRoutedOptions(options: any): boolean {
+  // All configurations are now route-based
+  return true;
 }
 
 /**
- * Configuration options for the SmartProxy
+ * SmartProxy configuration options
  */
-import type { IAcmeOptions } from '../../../certificate/models/certificate-types.js';
 export interface ISmartProxyOptions {
-  fromPort: number;
-  toPort: number;
-  targetIP?: string; // Global target host to proxy to, defaults to 'localhost'
-  domainConfigs: IDomainConfig[];
-  sniEnabled?: boolean;
-  defaultAllowedIPs?: string[];
-  defaultBlockedIPs?: string[];
+  // The unified configuration array (required)
+  routes: IRouteConfig[];
+
+  // Port range configuration
+  globalPortRanges?: Array<{ from: number; to: number }>;
+  forwardAllGlobalRanges?: boolean;
   preserveSourceIP?: boolean;
 
+  // Global/default settings
+  defaults?: {
+    target?: {
+      host: string; // Default host to use when not specified in routes
+      port: number; // Default port to use when not specified in routes
+    };
+    security?: {
+      allowedIps?: string[]; // Default allowed IPs
+      blockedIps?: string[]; // Default blocked IPs
+      maxConnections?: number; // Default max connections
+    };
+    preserveSourceIP?: boolean; // Default source IP preservation
+  };
+
   // TLS options
   pfx?: Buffer;
   key?: string | Buffer | Array<Buffer | string>;
@@ -50,8 +74,6 @@ export interface ISmartProxyOptions {
   inactivityTimeout?: number; // Inactivity timeout (ms), default: 14400000 (4h)
 
   gracefulShutdownTimeout?: number; // (ms) maximum time to wait for connections to close during shutdown
-  globalPortRanges: Array<{ from: number; to: number }>; // Global allowed port ranges
-  forwardAllGlobalRanges?: boolean; // When true, forwards all connections on global port ranges to the global targetIP
 
   // Socket optimization settings
   noDelay?: boolean; // Disable Nagle's algorithm (default: true)
@@ -116,7 +138,7 @@ export interface IConnectionRecord {
   isTLS: boolean; // Whether this connection is a TLS connection
   tlsHandshakeComplete: boolean; // Whether the TLS handshake is complete
   hasReceivedInitialData: boolean; // Whether initial data has been received
-  domainConfig?: IDomainConfig; // Associated domain config for this connection
+  routeConfig?: IRouteConfig; // Associated route config for this connection
 
   // Keep-alive tracking
   hasKeepAlive: boolean; // Whether keep-alive is enabled for this connection

ts/proxies/smart-proxy/models/route-types.ts

@@ -0,0 +1,184 @@
+import * as plugins from '../../../plugins.js';
+import type { IAcmeOptions } from '../../../certificate/models/certificate-types.js';
+import type { TForwardingType } from '../../../forwarding/config/forwarding-types.js';
+
+/**
+ * Supported action types for route configurations
+ */
+export type TRouteActionType = 'forward' | 'redirect' | 'block';
+
+/**
+ * TLS handling modes for route configurations
+ */
+export type TTlsMode = 'passthrough' | 'terminate' | 'terminate-and-reencrypt';
+
+/**
+ * Port range specification format
+ */
+export type TPortRange = number | number[] | Array<{ from: number; to: number }>;
+
+/**
+ * Route match criteria for incoming requests
+ */
+export interface IRouteMatch {
+  // Listen on these ports (required)
+  ports: TPortRange;
+  
+  // Optional domain patterns to match (default: all domains)
+  domains?: string | string[];
+  
+  // Advanced matching criteria
+  path?: string;           // Match specific paths
+  clientIp?: string[];     // Match specific client IPs
+  tlsVersion?: string[];   // Match specific TLS versions
+}
+
+/**
+ * Target configuration for forwarding
+ */
+export interface IRouteTarget {
+  host: string | string[];  // Support single host or round-robin
+  port: number;
+  preservePort?: boolean;   // Use incoming port as target port
+}
+
+/**
+ * TLS configuration for route actions
+ */
+export interface IRouteTls {
+  mode: TTlsMode;
+  certificate?: 'auto' | {   // Auto = use ACME
+    key: string;
+    cert: string;
+  };
+}
+
+/**
+ * Redirect configuration for route actions
+ */
+export interface IRouteRedirect {
+  to: string;            // URL or template with {domain}, {port}, etc.
+  status: 301 | 302 | 307 | 308;
+}
+
+/**
+ * Security options for route actions
+ */
+export interface IRouteSecurity {
+  allowedIps?: string[];
+  blockedIps?: string[];
+  maxConnections?: number;
+  authentication?: {
+    type: 'basic' | 'digest' | 'oauth';
+    // Auth-specific options would go here
+  };
+}
+
+/**
+ * Advanced options for route actions
+ */
+export interface IRouteAdvanced {
+  timeout?: number;
+  headers?: Record<string, string>;
+  keepAlive?: boolean;
+  // Additional advanced options would go here
+}
+
+/**
+ * Action configuration for route handling
+ */
+export interface IRouteAction {
+  // Basic routing
+  type: TRouteActionType;
+  
+  // Target for forwarding
+  target?: IRouteTarget;
+  
+  // TLS handling
+  tls?: IRouteTls;
+  
+  // For redirects
+  redirect?: IRouteRedirect;
+  
+  // Security options
+  security?: IRouteSecurity;
+  
+  // Advanced options
+  advanced?: IRouteAdvanced;
+}
+
+/**
+ * The core unified configuration interface
+ */
+export interface IRouteConfig {
+  // What to match
+  match: IRouteMatch;
+  
+  // What to do with matched traffic
+  action: IRouteAction;
+  
+  // Optional metadata
+  name?: string;             // Human-readable name for this route
+  description?: string;      // Description of the route's purpose
+  priority?: number;         // Controls matching order (higher = matched first)
+  tags?: string[];           // Arbitrary tags for categorization
+}
+
+/**
+ * Unified SmartProxy options with routes-based configuration
+ */
+export interface IRoutedSmartProxyOptions {
+  // The unified configuration array (required)
+  routes: IRouteConfig[];
+  
+  // Global/default settings
+  defaults?: {
+    target?: {
+      host: string;
+      port: number;
+    };
+    security?: IRouteSecurity;
+    tls?: IRouteTls;
+    // ...other defaults
+  };
+  
+  // Other global settings remain (acme, etc.)
+  acme?: IAcmeOptions;
+  
+  // Connection timeouts and other global settings
+  initialDataTimeout?: number;
+  socketTimeout?: number;
+  inactivityCheckInterval?: number;
+  maxConnectionLifetime?: number;
+  inactivityTimeout?: number;
+  gracefulShutdownTimeout?: number;
+  
+  // Socket optimization settings
+  noDelay?: boolean;
+  keepAlive?: boolean;
+  keepAliveInitialDelay?: number;
+  maxPendingDataSize?: number;
+  
+  // Enhanced features
+  disableInactivityCheck?: boolean;
+  enableKeepAliveProbes?: boolean;
+  enableDetailedLogging?: boolean;
+  enableTlsDebugLogging?: boolean;
+  enableRandomizedTimeouts?: boolean;
+  allowSessionTicket?: boolean;
+  
+  // Rate limiting and security
+  maxConnectionsPerIP?: number;
+  connectionRateLimitPerMinute?: number;
+  
+  // Enhanced keep-alive settings
+  keepAliveTreatment?: 'standard' | 'extended' | 'immortal';
+  keepAliveInactivityMultiplier?: number;
+  extendedKeepAliveLifetime?: number;
+  
+  /**
+   * Optional certificate provider callback. Return 'http01' to use HTTP-01 challenges,
+   * or a static certificate object for immediate provisioning.
+   */
+  certProvisionFunction?: (domain: string) => Promise<any>;
+}

ts/proxies/smart-proxy/network-proxy-bridge.ts

@@ -4,10 +4,19 @@ import { Port80Handler } from '../../http/port80/port80-handler.js';
 import { Port80HandlerEvents } from '../../core/models/common-types.js';
 import { subscribeToPort80Handler } from '../../core/utils/event-utils.js';
 import type { ICertificateData } from '../../certificate/models/certificate-types.js';
-import type { IConnectionRecord, ISmartProxyOptions, IDomainConfig } from './models/interfaces.js';
+import type { IConnectionRecord, ISmartProxyOptions } from './models/interfaces.js';
+import type { IRouteConfig } from './models/route-types.js';
 
 /**
  * Manages NetworkProxy integration for TLS termination
+ *
+ * NetworkProxyBridge connects SmartProxy with NetworkProxy to handle TLS termination.
+ * It converts route configurations to NetworkProxy configuration format and manages
+ * certificate provisioning through Port80Handler when ACME is enabled.
+ *
+ * It is used by SmartProxy for routes that have:
+ * - TLS mode of 'terminate' or 'terminate-and-reencrypt'
+ * - Certificate set to 'auto' or custom certificate
  */
 export class NetworkProxyBridge {
   private networkProxy: NetworkProxy | null = null;
@@ -58,8 +67,8 @@ export class NetworkProxyBridge {
         this.networkProxy.setExternalPort80Handler(this.port80Handler);
       }
 
-      // Convert and apply domain configurations to NetworkProxy
-      await this.syncDomainConfigsToNetworkProxy();
+      // Apply route configurations to NetworkProxy
+      await this.syncRoutesToNetworkProxy(this.settings.routes || []);
     }
   }
   
@@ -249,9 +258,19 @@ export class NetworkProxyBridge {
   }
   
   /**
-   * Synchronizes domain configurations to NetworkProxy
+   * Synchronizes routes to NetworkProxy
+   *
+   * This method converts route configurations to NetworkProxy format and updates
+   * the NetworkProxy with the converted configurations. It handles:
+   *
+   * - Extracting domain, target, and certificate information from routes
+   * - Converting TLS mode settings to NetworkProxy configuration
+   * - Applying security and advanced settings
+   * - Registering domains for ACME certificate provisioning when needed
+   *
+   * @param routes The route configurations to sync to NetworkProxy
    */
-  public async syncDomainConfigsToNetworkProxy(): Promise<void> {
+  public async syncRoutesToNetworkProxy(routes: IRouteConfig[]): Promise<void> {
     if (!this.networkProxy) {
       console.log('Cannot sync configurations - NetworkProxy not initialized');
       return;
@@ -282,38 +301,112 @@ export class NetworkProxyBridge {
         };
       }
 
-      // Convert domain configs to NetworkProxy configs
-      const proxyConfigs = this.networkProxy.convertSmartProxyConfigs(
-        this.settings.domainConfigs,
-        certPair
-      );
+      // Convert routes to NetworkProxy configs
+      const proxyConfigs = this.convertRoutesToNetworkProxyConfigs(routes, certPair);
 
-      // Log ACME-eligible domains
-      const acmeEnabled = !!this.settings.acme?.enabled;
-      if (acmeEnabled) {
-        const acmeEligibleDomains = proxyConfigs
-          .filter((config) => !config.hostName.includes('*')) // Exclude wildcards
-          .map((config) => config.hostName);
-
-        if (acmeEligibleDomains.length > 0) {
-          console.log(`Domains eligible for ACME certificates: ${acmeEligibleDomains.join(', ')}`);
-          
-          // Register these domains with Port80Handler if available
-          if (this.port80Handler) {
-            this.registerDomainsWithPort80Handler(acmeEligibleDomains);
-          }
-        } else {
-          console.log('No domains eligible for ACME certificates found in configuration');
-        }
-      }
-
-      // Update NetworkProxy with the converted configs
+      // Update the proxy configs
       await this.networkProxy.updateProxyConfigs(proxyConfigs);
-      console.log(`Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`);
+      console.log(`Synced ${proxyConfigs.length} configurations to NetworkProxy`);
     } catch (err) {
-      console.log(`Failed to sync configurations: ${err}`);
+      console.log(`Error syncing routes to NetworkProxy: ${err}`);
     }
   }
+
+  /**
+   * Convert routes to NetworkProxy configuration format
+   *
+   * This method transforms route-based configuration to NetworkProxy's configuration format.
+   * It processes each route and creates appropriate NetworkProxy configs for domains
+   * that require TLS termination.
+   *
+   * @param routes Array of route configurations to convert
+   * @param defaultCertPair Default certificate to use if no custom certificate is specified
+   * @returns Array of NetworkProxy configurations
+   */
+  public convertRoutesToNetworkProxyConfigs(
+    routes: IRouteConfig[],
+    defaultCertPair: { key: string; cert: string }
+  ): plugins.tsclass.network.IReverseProxyConfig[] {
+    const configs: plugins.tsclass.network.IReverseProxyConfig[] = [];
+
+    for (const route of routes) {
+      // Skip routes without domains
+      if (!route.match.domains) continue;
+
+      // Skip non-forward routes
+      if (route.action.type !== 'forward') continue;
+
+      // Skip routes without TLS configuration
+      if (!route.action.tls || !route.action.target) continue;
+
+      // Get domains from route
+      const domains = Array.isArray(route.match.domains)
+        ? route.match.domains
+        : [route.match.domains];
+
+      // Create a config for each domain
+      for (const domain of domains) {
+        // Determine if this route requires TLS termination
+        const needsTermination = route.action.tls.mode === 'terminate' ||
+                                route.action.tls.mode === 'terminate-and-reencrypt';
+
+        // Skip passthrough domains for NetworkProxy
+        if (route.action.tls.mode === 'passthrough') continue;
+
+        // Get certificate
+        let certKey = defaultCertPair.key;
+        let certCert = defaultCertPair.cert;
+
+        // Use custom certificate if specified
+        if (route.action.tls.certificate !== 'auto' && typeof route.action.tls.certificate === 'object') {
+          certKey = route.action.tls.certificate.key;
+          certCert = route.action.tls.certificate.cert;
+        }
+
+        // Determine target hosts and ports
+        const targetHosts = Array.isArray(route.action.target.host)
+          ? route.action.target.host
+          : [route.action.target.host];
+
+        const targetPort = route.action.target.port;
+
+        // Create NetworkProxy config
+        const config: plugins.tsclass.network.IReverseProxyConfig = {
+          hostName: domain,
+          privateKey: certKey,
+          publicKey: certCert,
+          destinationIps: targetHosts,
+          destinationPorts: [targetPort],
+          proxyConfig: {
+            targetIsTls: route.action.tls.mode === 'terminate-and-reencrypt',
+            allowHTTP1: true,
+            // Apply any other NetworkProxy-specific settings
+            ...(route.action.advanced ? {
+              preserveHost: true,
+              timeout: route.action.advanced.timeout,
+              headers: route.action.advanced.headers
+            } : {})
+          }
+        };
+
+        configs.push(config);
+      }
+    }
+
+    return configs;
+  }
+
+  /**
+   * @deprecated This method is deprecated and will be removed in a future version.
+   * Use syncRoutesToNetworkProxy() instead.
+   *
+   * This legacy method exists only for backward compatibility and
+   * simply forwards to syncRoutesToNetworkProxy().
+   */
+  public async syncDomainConfigsToNetworkProxy(): Promise<void> {
+    console.log('Method syncDomainConfigsToNetworkProxy is deprecated. Use syncRoutesToNetworkProxy instead.');
+    await this.syncRoutesToNetworkProxy(this.settings.routes || []);
+  }
   
   /**
    * Request a certificate for a specific domain

ts/proxies/smart-proxy/route-connection-handler.ts

@@ -0,0 +1,967 @@
+import * as plugins from '../../plugins.js';
+import type {
+  IConnectionRecord,
+  ISmartProxyOptions
+} from './models/interfaces.js';
+import {
+  isRoutedOptions
+} from './models/interfaces.js';
+import type {
+  IRouteConfig,
+  IRouteAction
+} from './models/route-types.js';
+import { ConnectionManager } from './connection-manager.js';
+import { SecurityManager } from './security-manager.js';
+import { TlsManager } from './tls-manager.js';
+import { NetworkProxyBridge } from './network-proxy-bridge.js';
+import { TimeoutManager } from './timeout-manager.js';
+import { RouteManager } from './route-manager.js';
+import type { ForwardingHandler } from '../../forwarding/handlers/base-handler.js';
+
+/**
+ * Handles new connection processing and setup logic with support for route-based configuration
+ */
+export class RouteConnectionHandler {
+  private settings: ISmartProxyOptions;
+
+  constructor(
+    settings: ISmartProxyOptions,
+    private connectionManager: ConnectionManager,
+    private securityManager: SecurityManager,
+    private tlsManager: TlsManager,
+    private networkProxyBridge: NetworkProxyBridge,
+    private timeoutManager: TimeoutManager,
+    private routeManager: RouteManager
+  ) {
+    this.settings = settings;
+  }
+
+  /**
+   * Handle a new incoming connection
+   */
+  public handleConnection(socket: plugins.net.Socket): void {
+    const remoteIP = socket.remoteAddress || '';
+    const localPort = socket.localPort || 0;
+
+    // Validate IP against rate limits and connection limits
+    const ipValidation = this.securityManager.validateIP(remoteIP);
+    if (!ipValidation.allowed) {
+      console.log(`Connection rejected from ${remoteIP}: ${ipValidation.reason}`);
+      socket.end();
+      socket.destroy();
+      return;
+    }
+
+    // Create a new connection record
+    const record = this.connectionManager.createConnection(socket);
+    const connectionId = record.id;
+
+    // Apply socket optimizations
+    socket.setNoDelay(this.settings.noDelay);
+
+    // Apply keep-alive settings if enabled
+    if (this.settings.keepAlive) {
+      socket.setKeepAlive(true, this.settings.keepAliveInitialDelay);
+      record.hasKeepAlive = true;
+
+      // Apply enhanced TCP keep-alive options if enabled
+      if (this.settings.enableKeepAliveProbes) {
+        try {
+          // These are platform-specific and may not be available
+          if ('setKeepAliveProbes' in socket) {
+            (socket as any).setKeepAliveProbes(10);
+          }
+          if ('setKeepAliveInterval' in socket) {
+            (socket as any).setKeepAliveInterval(1000);
+          }
+        } catch (err) {
+          // Ignore errors - these are optional enhancements
+          if (this.settings.enableDetailedLogging) {
+            console.log(`[${connectionId}] Enhanced TCP keep-alive settings not supported: ${err}`);
+          }
+        }
+      }
+    }
+
+    if (this.settings.enableDetailedLogging) {
+      console.log(
+        `[${connectionId}] New connection from ${remoteIP} on port ${localPort}. ` +
+          `Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` +
+          `Active connections: ${this.connectionManager.getConnectionCount()}`
+      );
+    } else {
+      console.log(
+        `New connection from ${remoteIP} on port ${localPort}. Active connections: ${this.connectionManager.getConnectionCount()}`
+      );
+    }
+
+    // Start TLS SNI handling
+    this.handleTlsConnection(socket, record);
+  }
+
+  /**
+   * Handle a connection and wait for TLS handshake for SNI extraction if needed
+   */
+  private handleTlsConnection(socket: plugins.net.Socket, record: IConnectionRecord): void {
+    const connectionId = record.id;
+    const localPort = record.localPort;
+    let initialDataReceived = false;
+
+    // Set an initial timeout for handshake data
+    let initialTimeout: NodeJS.Timeout | null = setTimeout(() => {
+      if (!initialDataReceived) {
+        console.log(
+          `[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}`
+        );
+
+        // Add a grace period
+        setTimeout(() => {
+          if (!initialDataReceived) {
+            console.log(`[${connectionId}] Final initial data timeout after grace period`);
+            if (record.incomingTerminationReason === null) {
+              record.incomingTerminationReason = 'initial_timeout';
+              this.connectionManager.incrementTerminationStat('incoming', 'initial_timeout');
+            }
+            socket.end();
+            this.connectionManager.cleanupConnection(record, 'initial_timeout');
+          }
+        }, 30000);
+      }
+    }, this.settings.initialDataTimeout!);
+
+    // Make sure timeout doesn't keep the process alive
+    if (initialTimeout.unref) {
+      initialTimeout.unref();
+    }
+
+    // Set up error handler
+    socket.on('error', this.connectionManager.handleError('incoming', record));
+
+    // First data handler to capture initial TLS handshake
+    socket.once('data', (chunk: Buffer) => {
+      // Clear the initial timeout since we've received data
+      if (initialTimeout) {
+        clearTimeout(initialTimeout);
+        initialTimeout = null;
+      }
+
+      initialDataReceived = true;
+      record.hasReceivedInitialData = true;
+
+      // Block non-TLS connections on port 443
+      if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) {
+        console.log(
+          `[${connectionId}] Non-TLS connection detected on port 443. ` +
+            `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+        );
+        if (record.incomingTerminationReason === null) {
+          record.incomingTerminationReason = 'non_tls_blocked';
+          this.connectionManager.incrementTerminationStat('incoming', 'non_tls_blocked');
+        }
+        socket.end();
+        this.connectionManager.cleanupConnection(record, 'non_tls_blocked');
+        return;
+      }
+
+      // Check if this looks like a TLS handshake
+      let serverName = '';
+      if (this.tlsManager.isTlsHandshake(chunk)) {
+        record.isTLS = true;
+
+        // Check for ClientHello to extract SNI
+        if (this.tlsManager.isClientHello(chunk)) {
+          // Create connection info for SNI extraction
+          const connInfo = {
+            sourceIp: record.remoteIP,
+            sourcePort: socket.remotePort || 0,
+            destIp: socket.localAddress || '',
+            destPort: socket.localPort || 0,
+          };
+
+          // Extract SNI
+          serverName = this.tlsManager.extractSNI(chunk, connInfo) || '';
+
+          // Lock the connection to the negotiated SNI
+          record.lockedDomain = serverName;
+
+          // Check if we should reject connections without SNI
+          if (!serverName && this.settings.allowSessionTicket === false) {
+            console.log(`[${connectionId}] No SNI detected in TLS ClientHello; sending TLS alert.`);
+            if (record.incomingTerminationReason === null) {
+              record.incomingTerminationReason = 'session_ticket_blocked_no_sni';
+              this.connectionManager.incrementTerminationStat('incoming', 'session_ticket_blocked_no_sni');
+            }
+            const alert = Buffer.from([0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x70]);
+            try { 
+              socket.cork(); 
+              socket.write(alert); 
+              socket.uncork(); 
+              socket.end(); 
+            } catch { 
+              socket.end(); 
+            }
+            this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
+            return;
+          }
+
+          if (this.settings.enableDetailedLogging) {
+            console.log(`[${connectionId}] TLS connection with SNI: ${serverName || '(empty)'}`);
+          }
+        }
+      }
+
+      // Find the appropriate route for this connection
+      this.routeConnection(socket, record, serverName, chunk);
+    });
+  }
+
+  /**
+   * Route the connection based on match criteria
+   */
+  private routeConnection(
+    socket: plugins.net.Socket, 
+    record: IConnectionRecord,
+    serverName: string,
+    initialChunk?: Buffer
+  ): void {
+    const connectionId = record.id;
+    const localPort = record.localPort;
+    const remoteIP = record.remoteIP;
+
+    // Find matching route
+    const routeMatch = this.routeManager.findMatchingRoute({
+      port: localPort,
+      domain: serverName,
+      clientIp: remoteIP,
+      path: undefined, // We don't have path info at this point
+      tlsVersion: undefined // We don't extract TLS version yet
+    });
+
+    if (!routeMatch) {
+      console.log(`[${connectionId}] No route found for ${serverName || 'connection'} on port ${localPort}`);
+
+      // No matching route, use default/fallback handling
+      console.log(`[${connectionId}] Using default route handling for connection`);
+
+      // Check default security settings
+      const defaultSecuritySettings = this.settings.defaults?.security;
+      if (defaultSecuritySettings) {
+        if (defaultSecuritySettings.allowedIps && defaultSecuritySettings.allowedIps.length > 0) {
+          const isAllowed = this.securityManager.isIPAuthorized(
+            remoteIP,
+            defaultSecuritySettings.allowedIps,
+            defaultSecuritySettings.blockedIps || []
+          );
+
+          if (!isAllowed) {
+            console.log(`[${connectionId}] IP ${remoteIP} not in default allowed list`);
+            socket.end();
+            this.connectionManager.cleanupConnection(record, 'ip_blocked');
+            return;
+          }
+        }
+      }
+      
+      // Setup direct connection with default settings
+      if (this.settings.defaults?.target) {
+        // Use defaults from configuration
+        const targetHost = this.settings.defaults.target.host;
+        const targetPort = this.settings.defaults.target.port;
+
+        return this.setupDirectConnection(
+          socket,
+          record,
+          undefined,
+          serverName,
+          initialChunk,
+          undefined,
+          targetHost,
+          targetPort
+        );
+      } else {
+        // No default target available, terminate the connection
+        console.log(`[${connectionId}] No default target configured. Closing connection.`);
+        socket.end();
+        this.connectionManager.cleanupConnection(record, 'no_default_target');
+        return;
+      }
+    }
+    
+    // A matching route was found
+    const route = routeMatch.route;
+    
+    if (this.settings.enableDetailedLogging) {
+      console.log(
+        `[${connectionId}] Route matched: "${route.name || 'unnamed'}" for ${serverName || 'connection'} on port ${localPort}`
+      );
+    }
+    
+    // Handle the route based on its action type
+    switch (route.action.type) {
+      case 'forward':
+        return this.handleForwardAction(socket, record, route, initialChunk);
+      
+      case 'redirect':
+        return this.handleRedirectAction(socket, record, route);
+      
+      case 'block':
+        return this.handleBlockAction(socket, record, route);
+      
+      default:
+        console.log(`[${connectionId}] Unknown action type: ${(route.action as any).type}`);
+        socket.end();
+        this.connectionManager.cleanupConnection(record, 'unknown_action');
+    }
+  }
+  
+  /**
+   * Handle a forward action for a route
+   */
+  private handleForwardAction(
+    socket: plugins.net.Socket,
+    record: IConnectionRecord,
+    route: IRouteConfig,
+    initialChunk?: Buffer
+  ): void {
+    const connectionId = record.id;
+    const action = route.action;
+    
+    // We should have a target configuration for forwarding
+    if (!action.target) {
+      console.log(`[${connectionId}] Forward action missing target configuration`);
+      socket.end();
+      this.connectionManager.cleanupConnection(record, 'missing_target');
+      return;
+    }
+    
+    // Determine if this needs TLS handling
+    if (action.tls) {
+      switch (action.tls.mode) {
+        case 'passthrough':
+          // For TLS passthrough, just forward directly
+          if (this.settings.enableDetailedLogging) {
+            console.log(`[${connectionId}] Using TLS passthrough to ${action.target.host}`);
+          }
+          
+          // Allow for array of hosts
+          const targetHost = Array.isArray(action.target.host) 
+            ? action.target.host[Math.floor(Math.random() * action.target.host.length)]
+            : action.target.host;
+          
+          // Determine target port - either target port or preserve incoming port
+          const targetPort = action.target.preservePort ? record.localPort : action.target.port;
+          
+          return this.setupDirectConnection(
+            socket,
+            record,
+            undefined,
+            record.lockedDomain,
+            initialChunk,
+            undefined,
+            targetHost,
+            targetPort
+          );
+          
+        case 'terminate':
+        case 'terminate-and-reencrypt':
+          // For TLS termination, use NetworkProxy
+          if (this.networkProxyBridge.getNetworkProxy()) {
+            if (this.settings.enableDetailedLogging) {
+              console.log(
+                `[${connectionId}] Using NetworkProxy for TLS termination to ${action.target.host}`
+              );
+            }
+            
+            // If we have an initial chunk with TLS data, start processing it
+            if (initialChunk && record.isTLS) {
+              return this.networkProxyBridge.forwardToNetworkProxy(
+                connectionId,
+                socket,
+                record,
+                initialChunk,
+                this.settings.networkProxyPort,
+                (reason) => this.connectionManager.initiateCleanupOnce(record, reason)
+              );
+            }
+            
+            // This shouldn't normally happen - we should have TLS data at this point
+            console.log(`[${connectionId}] TLS termination route without TLS data`);
+            socket.end();
+            this.connectionManager.cleanupConnection(record, 'tls_error');
+            return;
+          } else {
+            console.log(`[${connectionId}] NetworkProxy not available for TLS termination`);
+            socket.end();
+            this.connectionManager.cleanupConnection(record, 'no_network_proxy');
+            return;
+          }
+      }
+    } else {
+      // No TLS settings - basic forwarding
+      if (this.settings.enableDetailedLogging) {
+        console.log(`[${connectionId}] Using basic forwarding to ${action.target.host}:${action.target.port}`);
+      }
+      
+      // Allow for array of hosts
+      const targetHost = Array.isArray(action.target.host) 
+        ? action.target.host[Math.floor(Math.random() * action.target.host.length)]
+        : action.target.host;
+      
+      // Determine target port - either target port or preserve incoming port
+      const targetPort = action.target.preservePort ? record.localPort : action.target.port;
+      
+      return this.setupDirectConnection(
+        socket,
+        record,
+        undefined,
+        record.lockedDomain,
+        initialChunk,
+        undefined,
+        targetHost,
+        targetPort
+      );
+    }
+  }
+  
+  /**
+   * Handle a redirect action for a route
+   */
+  private handleRedirectAction(
+    socket: plugins.net.Socket,
+    record: IConnectionRecord,
+    route: IRouteConfig
+  ): void {
+    const connectionId = record.id;
+    const action = route.action;
+    
+    // We should have a redirect configuration
+    if (!action.redirect) {
+      console.log(`[${connectionId}] Redirect action missing redirect configuration`);
+      socket.end();
+      this.connectionManager.cleanupConnection(record, 'missing_redirect');
+      return;
+    }
+    
+    // For TLS connections, we can't do redirects at the TCP level
+    if (record.isTLS) {
+      console.log(`[${connectionId}] Cannot redirect TLS connection at TCP level`);
+      socket.end();
+      this.connectionManager.cleanupConnection(record, 'tls_redirect_error');
+      return;
+    }
+    
+    // Wait for the first HTTP request to perform the redirect
+    const dataListeners: ((chunk: Buffer) => void)[] = [];
+    
+    const httpDataHandler = (chunk: Buffer) => {
+      // Remove all data listeners to avoid duplicated processing
+      for (const listener of dataListeners) {
+        socket.removeListener('data', listener);
+      }
+      
+      // Parse HTTP request to get path
+      try {
+        const headersEnd = chunk.indexOf('\r\n\r\n');
+        if (headersEnd === -1) {
+          // Not a complete HTTP request, need more data
+          socket.once('data', httpDataHandler);
+          dataListeners.push(httpDataHandler);
+          return;
+        }
+        
+        const httpHeaders = chunk.slice(0, headersEnd).toString();
+        const requestLine = httpHeaders.split('\r\n')[0];
+        const [method, path] = requestLine.split(' ');
+        
+        // Extract Host header
+        const hostMatch = httpHeaders.match(/Host: (.+?)(\r\n|\r|\n|$)/i);
+        const host = hostMatch ? hostMatch[1].trim() : record.lockedDomain || '';
+        
+        // Process the redirect URL with template variables
+        let redirectUrl = action.redirect.to;
+        redirectUrl = redirectUrl.replace(/\{domain\}/g, host);
+        redirectUrl = redirectUrl.replace(/\{path\}/g, path || '');
+        redirectUrl = redirectUrl.replace(/\{port\}/g, record.localPort.toString());
+        
+        // Prepare the HTTP redirect response
+        const redirectResponse = [
+          `HTTP/1.1 ${action.redirect.status} Moved`,
+          `Location: ${redirectUrl}`,
+          'Connection: close',
+          'Content-Length: 0',
+          '',
+          ''
+        ].join('\r\n');
+        
+        if (this.settings.enableDetailedLogging) {
+          console.log(`[${connectionId}] Redirecting to ${redirectUrl} with status ${action.redirect.status}`);
+        }
+        
+        // Send the redirect response
+        socket.end(redirectResponse);
+        this.connectionManager.initiateCleanupOnce(record, 'redirect_complete');
+      } catch (err) {
+        console.log(`[${connectionId}] Error processing HTTP redirect: ${err}`);
+        socket.end();
+        this.connectionManager.initiateCleanupOnce(record, 'redirect_error');
+      }
+    };
+    
+    // Setup the HTTP data handler
+    socket.once('data', httpDataHandler);
+    dataListeners.push(httpDataHandler);
+  }
+  
+  /**
+   * Handle a block action for a route
+   */
+  private handleBlockAction(
+    socket: plugins.net.Socket,
+    record: IConnectionRecord,
+    route: IRouteConfig
+  ): void {
+    const connectionId = record.id;
+    
+    if (this.settings.enableDetailedLogging) {
+      console.log(`[${connectionId}] Blocking connection based on route "${route.name || 'unnamed'}"`);
+    }
+    
+    // Simply close the connection
+    socket.end();
+    this.connectionManager.initiateCleanupOnce(record, 'route_blocked');
+  }
+  
+  /**
+   * Legacy connection handling has been removed in favor of pure route-based approach
+   */
+  
+  /**
+   * Sets up a direct connection to the target
+   */
+  private setupDirectConnection(
+    socket: plugins.net.Socket,
+    record: IConnectionRecord,
+    _unused?: any, // kept for backward compatibility
+    serverName?: string,
+    initialChunk?: Buffer,
+    overridePort?: number,
+    targetHost?: string,
+    targetPort?: number
+  ): void {
+    const connectionId = record.id;
+
+    // Determine target host and port if not provided
+    const finalTargetHost = targetHost ||
+      (this.settings.defaults?.target?.host || 'localhost');
+
+    // Determine target port
+    const finalTargetPort = targetPort ||
+      (overridePort !== undefined ? overridePort :
+       (this.settings.defaults?.target?.port || 443));
+
+    // Setup connection options
+    const connectionOptions: plugins.net.NetConnectOpts = {
+      host: finalTargetHost,
+      port: finalTargetPort,
+    };
+
+    // Preserve source IP if configured
+    if (this.settings.defaults?.preserveSourceIP || this.settings.preserveSourceIP) {
+      connectionOptions.localAddress = record.remoteIP.replace('::ffff:', '');
+    }
+    
+    // Create a safe queue for incoming data
+    const dataQueue: Buffer[] = [];
+    let queueSize = 0;
+    let processingQueue = false;
+    let drainPending = false;
+    let pipingEstablished = false;
+    
+    // Pause the incoming socket to prevent buffer overflows
+    socket.pause();
+    
+    // Function to safely process the data queue without losing events
+    const processDataQueue = () => {
+      if (processingQueue || dataQueue.length === 0 || pipingEstablished) return;
+      
+      processingQueue = true;
+      
+      try {
+        // Process all queued chunks with the current active handler
+        while (dataQueue.length > 0) {
+          const chunk = dataQueue.shift()!;
+          queueSize -= chunk.length;
+          
+          // Once piping is established, we shouldn't get here,
+          // but just in case, pass to the outgoing socket directly
+          if (pipingEstablished && record.outgoing) {
+            record.outgoing.write(chunk);
+            continue;
+          }
+          
+          // Track bytes received
+          record.bytesReceived += chunk.length;
+          
+          // Check for TLS handshake
+          if (!record.isTLS && this.tlsManager.isTlsHandshake(chunk)) {
+            record.isTLS = true;
+            
+            if (this.settings.enableTlsDebugLogging) {
+              console.log(
+                `[${connectionId}] TLS handshake detected in tempDataHandler, ${chunk.length} bytes`
+              );
+            }
+          }
+          
+          // Check if adding this chunk would exceed the buffer limit
+          const newSize = record.pendingDataSize + chunk.length;
+          
+          if (this.settings.maxPendingDataSize && newSize > this.settings.maxPendingDataSize) {
+            console.log(
+              `[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
+            );
+            socket.end(); // Gracefully close the socket
+            this.connectionManager.initiateCleanupOnce(record, 'buffer_limit_exceeded');
+            return;
+          }
+          
+          // Buffer the chunk and update the size counter
+          record.pendingData.push(Buffer.from(chunk));
+          record.pendingDataSize = newSize;
+          this.timeoutManager.updateActivity(record);
+        }
+      } finally {
+        processingQueue = false;
+        
+        // If there's a pending drain and we've processed everything,
+        // signal we're ready for more data if we haven't established piping yet
+        if (drainPending && dataQueue.length === 0 && !pipingEstablished) {
+          drainPending = false;
+          socket.resume();
+        }
+      }
+    };
+    
+    // Unified data handler that safely queues incoming data
+    const safeDataHandler = (chunk: Buffer) => {
+      // If piping is already established, just let the pipe handle it
+      if (pipingEstablished) return;
+      
+      // Add to our queue for orderly processing
+      dataQueue.push(Buffer.from(chunk)); // Make a copy to be safe
+      queueSize += chunk.length;
+      
+      // If queue is getting large, pause socket until we catch up
+      if (this.settings.maxPendingDataSize && queueSize > this.settings.maxPendingDataSize * 0.8) {
+        socket.pause();
+        drainPending = true;
+      }
+      
+      // Process the queue
+      processDataQueue();
+    };
+    
+    // Add our safe data handler
+    socket.on('data', safeDataHandler);
+    
+    // Add initial chunk to pending data if present
+    if (initialChunk) {
+      record.bytesReceived += initialChunk.length;
+      record.pendingData.push(Buffer.from(initialChunk));
+      record.pendingDataSize = initialChunk.length;
+    }
+    
+    // Create the target socket but don't set up piping immediately
+    const targetSocket = plugins.net.connect(connectionOptions);
+    record.outgoing = targetSocket;
+    record.outgoingStartTime = Date.now();
+    
+    // Apply socket optimizations
+    targetSocket.setNoDelay(this.settings.noDelay);
+    
+    // Apply keep-alive settings to the outgoing connection as well
+    if (this.settings.keepAlive) {
+      targetSocket.setKeepAlive(true, this.settings.keepAliveInitialDelay);
+      
+      // Apply enhanced TCP keep-alive options if enabled
+      if (this.settings.enableKeepAliveProbes) {
+        try {
+          if ('setKeepAliveProbes' in targetSocket) {
+            (targetSocket as any).setKeepAliveProbes(10);
+          }
+          if ('setKeepAliveInterval' in targetSocket) {
+            (targetSocket as any).setKeepAliveInterval(1000);
+          }
+        } catch (err) {
+          // Ignore errors - these are optional enhancements
+          if (this.settings.enableDetailedLogging) {
+            console.log(
+              `[${connectionId}] Enhanced TCP keep-alive not supported for outgoing socket: ${err}`
+            );
+          }
+        }
+      }
+    }
+    
+    // Setup specific error handler for connection phase
+    targetSocket.once('error', (err) => {
+      // This handler runs only once during the initial connection phase
+      const code = (err as any).code;
+      console.log(
+        `[${connectionId}] Connection setup error to ${finalTargetHost}:${connectionOptions.port}: ${err.message} (${code})`
+      );
+      
+      // Resume the incoming socket to prevent it from hanging
+      socket.resume();
+      
+      if (code === 'ECONNREFUSED') {
+        console.log(
+          `[${connectionId}] Target ${finalTargetHost}:${connectionOptions.port} refused connection`
+        );
+      } else if (code === 'ETIMEDOUT') {
+        console.log(
+          `[${connectionId}] Connection to ${finalTargetHost}:${connectionOptions.port} timed out`
+        );
+      } else if (code === 'ECONNRESET') {
+        console.log(
+          `[${connectionId}] Connection to ${finalTargetHost}:${connectionOptions.port} was reset`
+        );
+      } else if (code === 'EHOSTUNREACH') {
+        console.log(`[${connectionId}] Host ${finalTargetHost} is unreachable`);
+      }
+      
+      // Clear any existing error handler after connection phase
+      targetSocket.removeAllListeners('error');
+      
+      // Re-add the normal error handler for established connections
+      targetSocket.on('error', this.connectionManager.handleError('outgoing', record));
+      
+      if (record.outgoingTerminationReason === null) {
+        record.outgoingTerminationReason = 'connection_failed';
+        this.connectionManager.incrementTerminationStat('outgoing', 'connection_failed');
+      }
+      
+      // If we have a forwarding handler for this domain, let it handle the error
+      if (domainConfig) {
+        try {
+          const forwardingHandler = this.domainConfigManager.getForwardingHandler(domainConfig);
+          forwardingHandler.emit('connection_error', {
+            socket,
+            error: err,
+            connectionId
+          });
+        } catch (handlerErr) {
+          // If getting the handler fails, just log and continue with normal cleanup
+          console.log(`Error getting forwarding handler for error handling: ${handlerErr}`);
+        }
+      }
+      
+      // Clean up the connection
+      this.connectionManager.initiateCleanupOnce(record, `connection_failed_${code}`);
+    });
+    
+    // Setup close handler
+    targetSocket.on('close', this.connectionManager.handleClose('outgoing', record));
+    socket.on('close', this.connectionManager.handleClose('incoming', record));
+    
+    // Handle timeouts with keep-alive awareness
+    socket.on('timeout', () => {
+      // For keep-alive connections, just log a warning instead of closing
+      if (record.hasKeepAlive) {
+        console.log(
+          `[${connectionId}] Timeout event on incoming keep-alive connection from ${
+            record.remoteIP
+          } after ${plugins.prettyMs(
+            this.settings.socketTimeout || 3600000
+          )}. Connection preserved.`
+        );
+        return;
+      }
+      
+      // For non-keep-alive connections, proceed with normal cleanup
+      console.log(
+        `[${connectionId}] Timeout on incoming side from ${
+          record.remoteIP
+        } after ${plugins.prettyMs(this.settings.socketTimeout || 3600000)}`
+      );
+      if (record.incomingTerminationReason === null) {
+        record.incomingTerminationReason = 'timeout';
+        this.connectionManager.incrementTerminationStat('incoming', 'timeout');
+      }
+      this.connectionManager.initiateCleanupOnce(record, 'timeout_incoming');
+    });
+    
+    targetSocket.on('timeout', () => {
+      // For keep-alive connections, just log a warning instead of closing
+      if (record.hasKeepAlive) {
+        console.log(
+          `[${connectionId}] Timeout event on outgoing keep-alive connection from ${
+            record.remoteIP
+          } after ${plugins.prettyMs(
+            this.settings.socketTimeout || 3600000
+          )}. Connection preserved.`
+        );
+        return;
+      }
+      
+      // For non-keep-alive connections, proceed with normal cleanup
+      console.log(
+        `[${connectionId}] Timeout on outgoing side from ${
+          record.remoteIP
+        } after ${plugins.prettyMs(this.settings.socketTimeout || 3600000)}`
+      );
+      if (record.outgoingTerminationReason === null) {
+        record.outgoingTerminationReason = 'timeout';
+        this.connectionManager.incrementTerminationStat('outgoing', 'timeout');
+      }
+      this.connectionManager.initiateCleanupOnce(record, 'timeout_outgoing');
+    });
+    
+    // Apply socket timeouts
+    this.timeoutManager.applySocketTimeouts(record);
+    
+    // Track outgoing data for bytes counting
+    targetSocket.on('data', (chunk: Buffer) => {
+      record.bytesSent += chunk.length;
+      this.timeoutManager.updateActivity(record);
+    });
+    
+    // Wait for the outgoing connection to be ready before setting up piping
+    targetSocket.once('connect', () => {
+      // Clear the initial connection error handler
+      targetSocket.removeAllListeners('error');
+      
+      // Add the normal error handler for established connections
+      targetSocket.on('error', this.connectionManager.handleError('outgoing', record));
+      
+      // Process any remaining data in the queue before switching to piping
+      processDataQueue();
+      
+      // Set up piping immediately
+      pipingEstablished = true;
+      
+      // Flush all pending data to target
+      if (record.pendingData.length > 0) {
+        const combinedData = Buffer.concat(record.pendingData);
+        
+        if (this.settings.enableDetailedLogging) {
+          console.log(
+            `[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`
+          );
+        }
+        
+        // Write pending data immediately
+        targetSocket.write(combinedData, (err) => {
+          if (err) {
+            console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
+            return this.connectionManager.initiateCleanupOnce(record, 'write_error');
+          }
+        });
+        
+        // Clear the buffer now that we've processed it
+        record.pendingData = [];
+        record.pendingDataSize = 0;
+      }
+      
+      // Setup piping in both directions without any delays
+      socket.pipe(targetSocket);
+      targetSocket.pipe(socket);
+      
+      // Resume the socket to ensure data flows
+      socket.resume();
+      
+      // Process any data that might be queued in the interim
+      if (dataQueue.length > 0) {
+        // Write any remaining queued data directly to the target socket
+        for (const chunk of dataQueue) {
+          targetSocket.write(chunk);
+        }
+        // Clear the queue
+        dataQueue.length = 0;
+        queueSize = 0;
+      }
+      
+      if (this.settings.enableDetailedLogging) {
+        console.log(
+          `[${connectionId}] Connection established: ${record.remoteIP} -> ${finalTargetHost}:${connectionOptions.port}` +
+            `${
+              serverName
+                ? ` (SNI: ${serverName})`
+                : domainConfig
+                ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
+                : ''
+            }` +
+            ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
+              record.hasKeepAlive ? 'Yes' : 'No'
+            }`
+        );
+      } else {
+        console.log(
+          `Connection established: ${record.remoteIP} -> ${finalTargetHost}:${connectionOptions.port}` +
+            `${
+              serverName
+                ? ` (SNI: ${serverName})`
+                : domainConfig
+                ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
+                : ''
+            }`
+        );
+      }
+      
+      // Add the renegotiation handler for SNI validation
+      if (serverName) {
+        // Create connection info object for the existing connection
+        const connInfo = {
+          sourceIp: record.remoteIP,
+          sourcePort: record.incoming.remotePort || 0,
+          destIp: record.incoming.localAddress || '',
+          destPort: record.incoming.localPort || 0,
+        };
+        
+        // Create a renegotiation handler function
+        const renegotiationHandler = this.tlsManager.createRenegotiationHandler(
+          connectionId,
+          serverName,
+          connInfo,
+          (connectionId, reason) => this.connectionManager.initiateCleanupOnce(record, reason)
+        );
+        
+        // Store the handler in the connection record so we can remove it during cleanup
+        record.renegotiationHandler = renegotiationHandler;
+        
+        // Add the handler to the socket
+        socket.on('data', renegotiationHandler);
+        
+        if (this.settings.enableDetailedLogging) {
+          console.log(
+            `[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`
+          );
+          if (this.settings.allowSessionTicket === false) {
+            console.log(
+              `[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`
+            );
+          }
+        }
+      }
+      
+      // Set connection timeout
+      record.cleanupTimer = this.timeoutManager.setupConnectionTimeout(record, (record, reason) => {
+        console.log(
+          `[${connectionId}] Connection from ${record.remoteIP} exceeded max lifetime, forcing cleanup.`
+        );
+        this.connectionManager.initiateCleanupOnce(record, reason);
+      });
+      
+      // Mark TLS handshake as complete for TLS connections
+      if (record.isTLS) {
+        record.tlsHandshakeComplete = true;
+        
+        if (this.settings.enableTlsDebugLogging) {
+          console.log(
+            `[${connectionId}] TLS handshake complete for connection from ${record.remoteIP}`
+          );
+        }
+      }
+    });
+  }
+}

ts/proxies/smart-proxy/route-helpers.ts

@@ -0,0 +1,344 @@
+import type { 
+  IRouteConfig, 
+  IRouteMatch, 
+  IRouteAction, 
+  IRouteTarget,
+  IRouteTls,
+  IRouteRedirect,
+  IRouteSecurity,
+  IRouteAdvanced
+} from './models/route-types.js';
+
+/**
+ * Basic helper function to create a route configuration
+ */
+export function createRoute(
+  match: IRouteMatch,
+  action: IRouteAction,
+  metadata?: {
+    name?: string;
+    description?: string;
+    priority?: number;
+    tags?: string[];
+  }
+): IRouteConfig {
+  return {
+    match,
+    action,
+    ...metadata
+  };
+}
+
+/**
+ * Create a basic HTTP route configuration 
+ */
+export function createHttpRoute(
+  options: {
+    ports?: number | number[]; // Default: 80
+    domains?: string | string[];
+    path?: string;
+    target: IRouteTarget;
+    headers?: Record<string, string>;
+    security?: IRouteSecurity;
+    name?: string;
+    description?: string;
+    priority?: number;
+    tags?: string[];
+  }
+): IRouteConfig {
+  return createRoute(
+    {
+      ports: options.ports || 80,
+      ...(options.domains ? { domains: options.domains } : {}),
+      ...(options.path ? { path: options.path } : {})
+    },
+    {
+      type: 'forward',
+      target: options.target,
+      ...(options.headers || options.security ? {
+        advanced: {
+          ...(options.headers ? { headers: options.headers } : {})
+        },
+        ...(options.security ? { security: options.security } : {})
+      } : {})
+    },
+    {
+      name: options.name || 'HTTP Route',
+      description: options.description,
+      priority: options.priority,
+      tags: options.tags
+    }
+  );
+}
+
+/**
+ * Create an HTTPS route configuration with TLS termination
+ */
+export function createHttpsRoute(
+  options: {
+    ports?: number | number[]; // Default: 443
+    domains: string | string[];
+    path?: string;
+    target: IRouteTarget;
+    tlsMode?: 'terminate' | 'terminate-and-reencrypt';
+    certificate?: 'auto' | { key: string; cert: string };
+    headers?: Record<string, string>;
+    security?: IRouteSecurity;
+    name?: string;
+    description?: string;
+    priority?: number;
+    tags?: string[];
+  }
+): IRouteConfig {
+  return createRoute(
+    {
+      ports: options.ports || 443,
+      domains: options.domains,
+      ...(options.path ? { path: options.path } : {})
+    },
+    {
+      type: 'forward',
+      target: options.target,
+      tls: {
+        mode: options.tlsMode || 'terminate',
+        certificate: options.certificate || 'auto'
+      },
+      ...(options.headers || options.security ? {
+        advanced: {
+          ...(options.headers ? { headers: options.headers } : {})
+        },
+        ...(options.security ? { security: options.security } : {})
+      } : {})
+    },
+    {
+      name: options.name || 'HTTPS Route',
+      description: options.description,
+      priority: options.priority,
+      tags: options.tags
+    }
+  );
+}
+
+/**
+ * Create an HTTPS passthrough route configuration
+ */
+export function createPassthroughRoute(
+  options: {
+    ports?: number | number[]; // Default: 443
+    domains?: string | string[];
+    target: IRouteTarget;
+    security?: IRouteSecurity;
+    name?: string;
+    description?: string;
+    priority?: number;
+    tags?: string[];
+  }
+): IRouteConfig {
+  return createRoute(
+    {
+      ports: options.ports || 443,
+      ...(options.domains ? { domains: options.domains } : {})
+    },
+    {
+      type: 'forward',
+      target: options.target,
+      tls: {
+        mode: 'passthrough'
+      },
+      ...(options.security ? { security: options.security } : {})
+    },
+    {
+      name: options.name || 'HTTPS Passthrough Route',
+      description: options.description,
+      priority: options.priority,
+      tags: options.tags
+    }
+  );
+}
+
+/**
+ * Create a redirect route configuration
+ */
+export function createRedirectRoute(
+  options: {
+    ports?: number | number[]; // Default: 80
+    domains?: string | string[];
+    path?: string;
+    redirectTo: string;
+    statusCode?: 301 | 302 | 307 | 308;
+    name?: string;
+    description?: string;
+    priority?: number;
+    tags?: string[];
+  }
+): IRouteConfig {
+  return createRoute(
+    {
+      ports: options.ports || 80,
+      ...(options.domains ? { domains: options.domains } : {}),
+      ...(options.path ? { path: options.path } : {})
+    },
+    {
+      type: 'redirect',
+      redirect: {
+        to: options.redirectTo,
+        status: options.statusCode || 301
+      }
+    },
+    {
+      name: options.name || 'Redirect Route',
+      description: options.description,
+      priority: options.priority,
+      tags: options.tags
+    }
+  );
+}
+
+/**
+ * Create an HTTP to HTTPS redirect route configuration
+ */
+export function createHttpToHttpsRedirect(
+  options: {
+    domains: string | string[];
+    statusCode?: 301 | 302 | 307 | 308;
+    name?: string;
+    priority?: number;
+  }
+): IRouteConfig {
+  const domainArray = Array.isArray(options.domains) ? options.domains : [options.domains];
+  
+  return createRedirectRoute({
+    ports: 80,
+    domains: options.domains,
+    redirectTo: 'https://{domain}{path}',
+    statusCode: options.statusCode || 301,
+    name: options.name || `HTTP to HTTPS Redirect for ${domainArray.join(', ')}`,
+    priority: options.priority || 100 // High priority for redirects
+  });
+}
+
+/**
+ * Create a block route configuration
+ */
+export function createBlockRoute(
+  options: {
+    ports: number | number[];
+    domains?: string | string[];
+    clientIp?: string[];
+    name?: string;
+    description?: string;
+    priority?: number;
+    tags?: string[];
+  }
+): IRouteConfig {
+  return createRoute(
+    {
+      ports: options.ports,
+      ...(options.domains ? { domains: options.domains } : {}),
+      ...(options.clientIp ? { clientIp: options.clientIp } : {})
+    },
+    {
+      type: 'block'
+    },
+    {
+      name: options.name || 'Block Route',
+      description: options.description,
+      priority: options.priority || 1000, // Very high priority for blocks
+      tags: options.tags
+    }
+  );
+}
+
+/**
+ * Create a load balancer route configuration
+ */
+export function createLoadBalancerRoute(
+  options: {
+    ports?: number | number[]; // Default: 443
+    domains: string | string[];
+    path?: string;
+    targets: string[]; // Array of host names/IPs for load balancing
+    targetPort: number;
+    tlsMode?: 'passthrough' | 'terminate' | 'terminate-and-reencrypt';
+    certificate?: 'auto' | { key: string; cert: string };
+    headers?: Record<string, string>;
+    security?: IRouteSecurity;
+    name?: string;
+    description?: string;
+    tags?: string[];
+  }
+): IRouteConfig {
+  const useTls = options.tlsMode !== undefined;
+  const defaultPort = useTls ? 443 : 80;
+  
+  return createRoute(
+    {
+      ports: options.ports || defaultPort,
+      domains: options.domains,
+      ...(options.path ? { path: options.path } : {})
+    },
+    {
+      type: 'forward',
+      target: {
+        host: options.targets,
+        port: options.targetPort
+      },
+      ...(useTls ? {
+        tls: {
+          mode: options.tlsMode!,
+          ...(options.tlsMode !== 'passthrough' && options.certificate ? {
+            certificate: options.certificate
+          } : {})
+        }
+      } : {}),
+      ...(options.headers || options.security ? {
+        advanced: {
+          ...(options.headers ? { headers: options.headers } : {})
+        },
+        ...(options.security ? { security: options.security } : {})
+      } : {})
+    },
+    {
+      name: options.name || 'Load Balanced Route',
+      description: options.description || `Load balancing across ${options.targets.length} backends`,
+      tags: options.tags
+    }
+  );
+}
+
+/**
+ * Create a complete HTTPS server configuration with HTTP redirect
+ */
+export function createHttpsServer(
+  options: {
+    domains: string | string[];
+    target: IRouteTarget;
+    certificate?: 'auto' | { key: string; cert: string };
+    security?: IRouteSecurity;
+    addHttpRedirect?: boolean;
+    name?: string;
+  }
+): IRouteConfig[] {
+  const routes: IRouteConfig[] = [];
+  const domainArray = Array.isArray(options.domains) ? options.domains : [options.domains];
+  
+  // Add HTTPS route
+  routes.push(createHttpsRoute({
+    domains: options.domains,
+    target: options.target,
+    certificate: options.certificate || 'auto',
+    security: options.security,
+    name: options.name || `HTTPS Server for ${domainArray.join(', ')}`
+  }));
+  
+  // Add HTTP to HTTPS redirect if requested
+  if (options.addHttpRedirect !== false) {
+    routes.push(createHttpToHttpsRedirect({
+      domains: options.domains,
+      name: `HTTP to HTTPS Redirect for ${domainArray.join(', ')}`,
+      priority: 100
+    }));
+  }
+  
+  return routes;
+}

ts/proxies/smart-proxy/route-manager.ts

@@ -0,0 +1,587 @@
+import * as plugins from '../../plugins.js';
+import type {
+  IRouteConfig,
+  IRouteMatch,
+  IRouteAction,
+  TPortRange
+} from './models/route-types.js';
+import type {
+  ISmartProxyOptions,
+  IRoutedSmartProxyOptions,
+  IDomainConfig
+} from './models/interfaces.js';
+import {
+  isRoutedOptions,
+  isLegacyOptions
+} from './models/interfaces.js';
+
+/**
+ * Result of route matching
+ */
+export interface IRouteMatchResult {
+  route: IRouteConfig;
+  // Additional match parameters (path, query, etc.)
+  params?: Record<string, string>;
+}
+
+/**
+ * The RouteManager handles all routing decisions based on connections and attributes
+ */
+export class RouteManager extends plugins.EventEmitter {
+  private routes: IRouteConfig[] = [];
+  private portMap: Map<number, IRouteConfig[]> = new Map();
+  private options: IRoutedSmartProxyOptions;
+  
+  constructor(options: ISmartProxyOptions) {
+    super();
+    
+    // We no longer support legacy options, always use provided options
+    this.options = options;
+    
+    // Initialize routes from either source
+    this.updateRoutes(this.options.routes);
+  }
+  
+  /**
+   * Update routes with new configuration
+   */
+  public updateRoutes(routes: IRouteConfig[] = []): void {
+    // Sort routes by priority (higher first)
+    this.routes = [...(routes || [])].sort((a, b) => {
+      const priorityA = a.priority ?? 0;
+      const priorityB = b.priority ?? 0;
+      return priorityB - priorityA;
+    });
+    
+    // Rebuild port mapping for fast lookups
+    this.rebuildPortMap();
+  }
+  
+  /**
+   * Rebuild the port mapping for fast lookups
+   */
+  private rebuildPortMap(): void {
+    this.portMap.clear();
+    
+    for (const route of this.routes) {
+      const ports = this.expandPortRange(route.match.ports);
+      
+      for (const port of ports) {
+        if (!this.portMap.has(port)) {
+          this.portMap.set(port, []);
+        }
+        this.portMap.get(port)!.push(route);
+      }
+    }
+  }
+  
+  /**
+   * Expand a port range specification into an array of individual ports
+   */
+  private expandPortRange(portRange: TPortRange): number[] {
+    if (typeof portRange === 'number') {
+      return [portRange];
+    }
+    
+    if (Array.isArray(portRange)) {
+      // Handle array of port objects or numbers
+      return portRange.flatMap(item => {
+        if (typeof item === 'number') {
+          return [item];
+        } else if (typeof item === 'object' && 'from' in item && 'to' in item) {
+          // Handle port range object
+          const ports: number[] = [];
+          for (let p = item.from; p <= item.to; p++) {
+            ports.push(p);
+          }
+          return ports;
+        }
+        return [];
+      });
+    }
+    
+    return [];
+  }
+  
+  /**
+   * Get all ports that should be listened on
+   */
+  public getListeningPorts(): number[] {
+    return Array.from(this.portMap.keys());
+  }
+  
+  /**
+   * Get all routes for a given port
+   */
+  public getRoutesForPort(port: number): IRouteConfig[] {
+    return this.portMap.get(port) || [];
+  }
+  
+  /**
+   * Test if a pattern matches a domain using glob matching
+   */
+  private matchDomain(pattern: string, domain: string): boolean {
+    // Convert glob pattern to regex
+    const regexPattern = pattern
+      .replace(/\./g, '\\.')    // Escape dots
+      .replace(/\*/g, '.*');    // Convert * to .*
+    
+    const regex = new RegExp(`^${regexPattern}$`, 'i');
+    return regex.test(domain);
+  }
+  
+  /**
+   * Match a domain against all patterns in a route
+   */
+  private matchRouteDomain(route: IRouteConfig, domain: string): boolean {
+    if (!route.match.domains) {
+      // If no domains specified, match all domains
+      return true;
+    }
+    
+    const patterns = Array.isArray(route.match.domains) 
+      ? route.match.domains 
+      : [route.match.domains];
+    
+    return patterns.some(pattern => this.matchDomain(pattern, domain));
+  }
+  
+  /**
+   * Check if a client IP is allowed by a route's security settings
+   */
+  private isClientIpAllowed(route: IRouteConfig, clientIp: string): boolean {
+    const security = route.action.security;
+    
+    if (!security) {
+      return true; // No security settings means allowed
+    }
+    
+    // Check blocked IPs first
+    if (security.blockedIps && security.blockedIps.length > 0) {
+      for (const pattern of security.blockedIps) {
+        if (this.matchIpPattern(pattern, clientIp)) {
+          return false; // IP is blocked
+        }
+      }
+    }
+    
+    // If there are allowed IPs, check them
+    if (security.allowedIps && security.allowedIps.length > 0) {
+      for (const pattern of security.allowedIps) {
+        if (this.matchIpPattern(pattern, clientIp)) {
+          return true; // IP is allowed
+        }
+      }
+      return false; // IP not in allowed list
+    }
+    
+    // No allowed IPs specified, so IP is allowed
+    return true;
+  }
+  
+  /**
+   * Match an IP against a pattern
+   */
+  private matchIpPattern(pattern: string, ip: string): boolean {
+    // Handle exact match
+    if (pattern === ip) {
+      return true;
+    }
+    
+    // Handle CIDR notation (e.g., 192.168.1.0/24)
+    if (pattern.includes('/')) {
+      return this.matchIpCidr(pattern, ip);
+    }
+    
+    // Handle glob pattern (e.g., 192.168.1.*)
+    if (pattern.includes('*')) {
+      const regexPattern = pattern.replace(/\./g, '\\.').replace(/\*/g, '.*');
+      const regex = new RegExp(`^${regexPattern}$`);
+      return regex.test(ip);
+    }
+    
+    return false;
+  }
+  
+  /**
+   * Match an IP against a CIDR pattern
+   */
+  private matchIpCidr(cidr: string, ip: string): boolean {
+    try {
+      // In a real implementation, you'd use a proper IP library
+      // This is a simplified implementation
+      const [subnet, bits] = cidr.split('/');
+      const mask = parseInt(bits, 10);
+      
+      // Convert IP addresses to numeric values
+      const ipNum = this.ipToNumber(ip);
+      const subnetNum = this.ipToNumber(subnet);
+      
+      // Calculate subnet mask
+      const maskNum = ~(2 ** (32 - mask) - 1);
+      
+      // Check if IP is in subnet
+      return (ipNum & maskNum) === (subnetNum & maskNum);
+    } catch (e) {
+      console.error(`Error matching IP ${ip} against CIDR ${cidr}:`, e);
+      return false;
+    }
+  }
+  
+  /**
+   * Convert an IP address to a numeric value
+   */
+  private ipToNumber(ip: string): number {
+    const parts = ip.split('.').map(part => parseInt(part, 10));
+    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
+  }
+  
+  /**
+   * Find the matching route for a connection
+   */
+  public findMatchingRoute(options: {
+    port: number;
+    domain?: string;
+    clientIp: string;
+    path?: string;
+    tlsVersion?: string;
+  }): IRouteMatchResult | null {
+    const { port, domain, clientIp, path, tlsVersion } = options;
+    
+    // Get all routes for this port
+    const routesForPort = this.getRoutesForPort(port);
+    
+    // Find the first matching route based on priority order
+    for (const route of routesForPort) {
+      // Check domain match if specified
+      if (domain && !this.matchRouteDomain(route, domain)) {
+        continue;
+      }
+      
+      // Check path match if specified in both route and request
+      if (path && route.match.path) {
+        if (!this.matchPath(route.match.path, path)) {
+          continue;
+        }
+      }
+      
+      // Check client IP match
+      if (route.match.clientIp && !route.match.clientIp.some(pattern => 
+        this.matchIpPattern(pattern, clientIp))) {
+        continue;
+      }
+      
+      // Check TLS version match
+      if (tlsVersion && route.match.tlsVersion && 
+          !route.match.tlsVersion.includes(tlsVersion)) {
+        continue;
+      }
+      
+      // Check security settings
+      if (!this.isClientIpAllowed(route, clientIp)) {
+        continue;
+      }
+      
+      // All checks passed, this route matches
+      return { route };
+    }
+    
+    return null;
+  }
+  
+  /**
+   * Match a path against a pattern
+   */
+  private matchPath(pattern: string, path: string): boolean {
+    // Convert the glob pattern to a regex
+    const regexPattern = pattern
+      .replace(/\./g, '\\.')    // Escape dots
+      .replace(/\*/g, '.*')     // Convert * to .*
+      .replace(/\//g, '\\/');   // Escape slashes
+    
+    const regex = new RegExp(`^${regexPattern}$`);
+    return regex.test(path);
+  }
+  
+  /**
+   * Convert a domain config to routes
+   * (For backward compatibility with code that still uses domainConfigs)
+   */
+  public domainConfigToRoutes(domainConfig: IDomainConfig): IRouteConfig[] {
+    const routes: IRouteConfig[] = [];
+    const { domains, forwarding } = domainConfig;
+    
+    // Determine the action based on forwarding type
+    let action: IRouteAction = {
+      type: 'forward',
+      target: {
+        host: forwarding.target.host,
+        port: forwarding.target.port
+      }
+    };
+    
+    // Set TLS mode based on forwarding type
+    switch (forwarding.type) {
+      case 'http-only':
+        // No TLS settings needed
+        break;
+      case 'https-passthrough':
+        action.tls = { mode: 'passthrough' };
+        break;
+      case 'https-terminate-to-http':
+        action.tls = { 
+          mode: 'terminate',
+          certificate: forwarding.https?.customCert ? {
+            key: forwarding.https.customCert.key,
+            cert: forwarding.https.customCert.cert
+          } : 'auto'
+        };
+        break;
+      case 'https-terminate-to-https':
+        action.tls = { 
+          mode: 'terminate-and-reencrypt',
+          certificate: forwarding.https?.customCert ? {
+            key: forwarding.https.customCert.key,
+            cert: forwarding.https.customCert.cert
+          } : 'auto'
+        };
+        break;
+    }
+    
+    // Add security settings if present
+    if (forwarding.security) {
+      action.security = {
+        allowedIps: forwarding.security.allowedIps,
+        blockedIps: forwarding.security.blockedIps,
+        maxConnections: forwarding.security.maxConnections
+      };
+    }
+    
+    // Add advanced settings if present
+    if (forwarding.advanced) {
+      action.advanced = {
+        timeout: forwarding.advanced.timeout,
+        headers: forwarding.advanced.headers,
+        keepAlive: forwarding.advanced.keepAlive
+      };
+    }
+    
+    // Determine which port to use based on forwarding type
+    const defaultPort = forwarding.type.startsWith('https') ? 443 : 80;
+    
+    // Add the main route
+    routes.push({
+      match: {
+        ports: defaultPort,
+        domains
+      },
+      action,
+      name: `Route for ${domains.join(', ')}`
+    });
+    
+    // Add HTTP redirect if needed
+    if (forwarding.http?.redirectToHttps) {
+      routes.push({
+        match: {
+          ports: 80,
+          domains
+        },
+        action: {
+          type: 'redirect',
+          redirect: {
+            to: 'https://{domain}{path}',
+            status: 301
+          }
+        },
+        name: `HTTP Redirect for ${domains.join(', ')}`,
+        priority: 100 // Higher priority for redirects
+      });
+    }
+    
+    // Add port ranges if specified
+    if (forwarding.advanced?.portRanges) {
+      for (const range of forwarding.advanced.portRanges) {
+        routes.push({
+          match: {
+            ports: [{ from: range.from, to: range.to }],
+            domains
+          },
+          action,
+          name: `Port Range ${range.from}-${range.to} for ${domains.join(', ')}`
+        });
+      }
+    }
+    
+    return routes;
+  }
+  
+  /**
+   * Update routes based on domain configs
+   * (For backward compatibility with code that still uses domainConfigs)
+   */
+  public updateFromDomainConfigs(domainConfigs: IDomainConfig[]): void {
+    const routes: IRouteConfig[] = [];
+    
+    // Convert each domain config to routes
+    for (const config of domainConfigs) {
+      routes.push(...this.domainConfigToRoutes(config));
+    }
+    
+    // Merge with existing routes that aren't derived from domain configs
+    const nonDomainRoutes = this.routes.filter(r => 
+      !r.name || !r.name.includes('for '));
+    
+    this.updateRoutes([...nonDomainRoutes, ...routes]);
+  }
+  
+  /**
+   * Validate the route configuration and return any warnings
+   */
+  public validateConfiguration(): string[] {
+    const warnings: string[] = [];
+    const duplicatePorts = new Map<number, number>();
+    
+    // Check for routes with the same exact match criteria
+    for (let i = 0; i < this.routes.length; i++) {
+      for (let j = i + 1; j < this.routes.length; j++) {
+        const route1 = this.routes[i];
+        const route2 = this.routes[j];
+        
+        // Check if route match criteria are the same
+        if (this.areMatchesSimilar(route1.match, route2.match)) {
+          warnings.push(
+            `Routes "${route1.name || i}" and "${route2.name || j}" have similar match criteria. ` +
+            `The route with higher priority (${Math.max(route1.priority || 0, route2.priority || 0)}) will be used.`
+          );
+        }
+      }
+    }
+    
+    // Check for routes that may never be matched due to priority
+    for (let i = 0; i < this.routes.length; i++) {
+      const route = this.routes[i];
+      const higherPriorityRoutes = this.routes.filter(r => 
+        (r.priority || 0) > (route.priority || 0));
+      
+      for (const higherRoute of higherPriorityRoutes) {
+        if (this.isRouteShadowed(route, higherRoute)) {
+          warnings.push(
+            `Route "${route.name || i}" may never be matched because it is shadowed by ` +
+            `higher priority route "${higherRoute.name || 'unnamed'}"`
+          );
+          break;
+        }
+      }
+    }
+    
+    return warnings;
+  }
+  
+  /**
+   * Check if two route matches are similar (potential conflict)
+   */
+  private areMatchesSimilar(match1: IRouteMatch, match2: IRouteMatch): boolean {
+    // Check port overlap
+    const ports1 = new Set(this.expandPortRange(match1.ports));
+    const ports2 = new Set(this.expandPortRange(match2.ports));
+    
+    let havePortOverlap = false;
+    for (const port of ports1) {
+      if (ports2.has(port)) {
+        havePortOverlap = true;
+        break;
+      }
+    }
+    
+    if (!havePortOverlap) {
+      return false;
+    }
+    
+    // Check domain overlap
+    if (match1.domains && match2.domains) {
+      const domains1 = Array.isArray(match1.domains) ? match1.domains : [match1.domains];
+      const domains2 = Array.isArray(match2.domains) ? match2.domains : [match2.domains];
+      
+      // Check if any domain pattern from match1 could match any from match2
+      let haveDomainOverlap = false;
+      for (const domain1 of domains1) {
+        for (const domain2 of domains2) {
+          if (domain1 === domain2 || 
+              (domain1.includes('*') || domain2.includes('*'))) {
+            haveDomainOverlap = true;
+            break;
+          }
+        }
+        if (haveDomainOverlap) break;
+      }
+      
+      if (!haveDomainOverlap) {
+        return false;
+      }
+    } else if (match1.domains || match2.domains) {
+      // One has domains, the other doesn't - they could overlap
+      // The one with domains is more specific, so it's not exactly a conflict
+      return false;
+    }
+    
+    // Check path overlap
+    if (match1.path && match2.path) {
+      // This is a simplified check - in a real implementation,
+      // you'd need to check if the path patterns could match the same paths
+      return match1.path === match2.path || 
+             match1.path.includes('*') || 
+             match2.path.includes('*');
+    } else if (match1.path || match2.path) {
+      // One has a path, the other doesn't
+      return false;
+    }
+    
+    // If we get here, the matches have significant overlap
+    return true;
+  }
+  
+  /**
+   * Check if a route is completely shadowed by a higher priority route
+   */
+  private isRouteShadowed(route: IRouteConfig, higherPriorityRoute: IRouteConfig): boolean {
+    // If they don't have similar match criteria, no shadowing occurs
+    if (!this.areMatchesSimilar(route.match, higherPriorityRoute.match)) {
+      return false;
+    }
+    
+    // If higher priority route has more specific criteria, no shadowing
+    if (this.isRouteMoreSpecific(higherPriorityRoute.match, route.match)) {
+      return false;
+    }
+    
+    // If higher priority route is equally or less specific but has higher priority,
+    // it shadows the lower priority route
+    return true;
+  }
+  
+  /**
+   * Check if route1 is more specific than route2
+   */
+  private isRouteMoreSpecific(match1: IRouteMatch, match2: IRouteMatch): boolean {
+    // Check if match1 has more specific criteria
+    let match1Points = 0;
+    let match2Points = 0;
+    
+    // Path is the most specific
+    if (match1.path) match1Points += 3;
+    if (match2.path) match2Points += 3;
+    
+    // Domain is next most specific
+    if (match1.domains) match1Points += 2;
+    if (match2.domains) match2Points += 2;
+    
+    // Client IP and TLS version are least specific
+    if (match1.clientIp) match1Points += 1;
+    if (match2.clientIp) match2Points += 1;
+    
+    if (match1.tlsVersion) match1Points += 1;
+    if (match2.tlsVersion) match2Points += 1;
+    
+    return match1Points > match2Points;
+  }
+}

ts/proxies/smart-proxy/smart-proxy.ts

@@ -1,30 +1,42 @@
 import * as plugins from '../../plugins.js';
 
-// Importing from the new structure
+// Importing required components
 import { ConnectionManager } from './connection-manager.js';
 import { SecurityManager } from './security-manager.js';
-import { DomainConfigManager } from './domain-config-manager.js';
 import { TlsManager } from './tls-manager.js';
 import { NetworkProxyBridge } from './network-proxy-bridge.js';
 import { TimeoutManager } from './timeout-manager.js';
 import { PortRangeManager } from './port-range-manager.js';
-import { ConnectionHandler } from './connection-handler.js';
+import { RouteManager } from './route-manager.js';
+import { RouteConnectionHandler } from './route-connection-handler.js';
 
-// External dependencies from migrated modules
+// External dependencies
 import { Port80Handler } from '../../http/port80/port80-handler.js';
 import { CertProvisioner } from '../../certificate/providers/cert-provisioner.js';
 import type { ICertificateData } from '../../certificate/models/certificate-types.js';
 import { buildPort80Handler } from '../../certificate/acme/acme-factory.js';
-import type { TForwardingType } from '../../forwarding/config/forwarding-types.js';
 import { createPort80HandlerOptions } from '../../common/port80-adapter.js';
 
-// Import types from models
-import type { ISmartProxyOptions, IDomainConfig } from './models/interfaces.js';
-// Provide backward compatibility types
-export type { ISmartProxyOptions as IPortProxySettings, IDomainConfig };
+// Import types and utilities
+import type {
+  ISmartProxyOptions,
+  IRoutedSmartProxyOptions
+} from './models/interfaces.js';
+import { isRoutedOptions } from './models/interfaces.js';
+import type { IRouteConfig } from './models/route-types.js';
 
 /**
- * SmartProxy - Main class that coordinates all components
+ * SmartProxy - Pure route-based API
+ *
+ * SmartProxy is a unified proxy system that works with routes to define connection handling behavior.
+ * Each route contains matching criteria (ports, domains, etc.) and an action to take (forward, redirect, block).
+ *
+ * Configuration is provided through a set of routes, with each route defining:
+ * - What to match (ports, domains, paths, client IPs)
+ * - What to do with matching traffic (forward, redirect, block)
+ * - How to handle TLS (passthrough, terminate, terminate-and-reencrypt)
+ * - Security settings (IP restrictions, connection limits)
+ * - Advanced options (timeout, headers, etc.)
  */
 export class SmartProxy extends plugins.EventEmitter {
   private netServers: plugins.net.Server[] = [];
@@ -34,24 +46,55 @@ export class SmartProxy extends plugins.EventEmitter {
   // Component managers
   private connectionManager: ConnectionManager;
   private securityManager: SecurityManager;
-  public domainConfigManager: DomainConfigManager;
   private tlsManager: TlsManager;
   private networkProxyBridge: NetworkProxyBridge;
   private timeoutManager: TimeoutManager;
   private portRangeManager: PortRangeManager;
-  private connectionHandler: ConnectionHandler;
+  private routeManager: RouteManager;
+  private routeConnectionHandler: RouteConnectionHandler;
   
   // Port80Handler for ACME certificate management
   private port80Handler: Port80Handler | null = null;
   // CertProvisioner for unified certificate workflows
   private certProvisioner?: CertProvisioner;
   
+  /**
+   * Constructor for SmartProxy
+   *
+   * @param settingsArg Configuration options containing routes and other settings
+   * Routes define how traffic is matched and handled, with each route having:
+   * - match: criteria for matching traffic (ports, domains, paths, IPs)
+   * - action: what to do with matched traffic (forward, redirect, block)
+   *
+   * Example:
+   * ```ts
+   * const proxy = new SmartProxy({
+   *   routes: [
+   *     {
+   *       match: {
+   *         ports: 443,
+   *         domains: ['example.com', '*.example.com']
+   *       },
+   *       action: {
+   *         type: 'forward',
+   *         target: { host: '10.0.0.1', port: 8443 },
+   *         tls: { mode: 'passthrough' }
+   *       }
+   *     }
+   *   ],
+   *   defaults: {
+   *     target: { host: 'localhost', port: 8080 },
+   *     security: { allowedIps: ['*'] }
+   *   }
+   * });
+   * ```
+   */
   constructor(settingsArg: ISmartProxyOptions) {
     super();
+    
     // Set reasonable defaults for all settings
     this.settings = {
       ...settingsArg,
-      targetIP: settingsArg.targetIP || 'localhost',
       initialDataTimeout: settingsArg.initialDataTimeout || 120000,
       socketTimeout: settingsArg.socketTimeout || 3600000,
       inactivityCheckInterval: settingsArg.inactivityCheckInterval || 60000,
@@ -76,12 +119,11 @@ export class SmartProxy extends plugins.EventEmitter {
       keepAliveInactivityMultiplier: settingsArg.keepAliveInactivityMultiplier || 6,
       extendedKeepAliveLifetime: settingsArg.extendedKeepAliveLifetime || 7 * 24 * 60 * 60 * 1000,
       networkProxyPort: settingsArg.networkProxyPort || 8443,
-      acme: settingsArg.acme || {},
-      globalPortRanges: settingsArg.globalPortRanges || [],
     };
     
     // Set default ACME options if not provided
-    if (!this.settings.acme || Object.keys(this.settings.acme).length === 0) {
+    this.settings.acme = this.settings.acme || {};
+    if (Object.keys(this.settings.acme).length === 0) {
       this.settings.acme = {
         enabled: false,
         port: 80,
@@ -91,7 +133,7 @@ export class SmartProxy extends plugins.EventEmitter {
         autoRenew: true,
         certificateStore: './certs',
         skipConfiguredCerts: false,
-        httpsRedirectPort: this.settings.fromPort,
+        httpsRedirectPort: this.settings.fromPort || 443,
         renewCheckIntervalHours: 24,
         domainForwards: []
       };
@@ -105,26 +147,31 @@ export class SmartProxy extends plugins.EventEmitter {
       this.securityManager, 
       this.timeoutManager
     );
-    this.domainConfigManager = new DomainConfigManager(this.settings);
-    this.tlsManager = new TlsManager(this.settings);
-    this.networkProxyBridge = new NetworkProxyBridge(this.settings);
+    
+    // Create the route manager
+    this.routeManager = new RouteManager(this.settings);
+
+    // Create port range manager
     this.portRangeManager = new PortRangeManager(this.settings);
     
-    // Initialize connection handler
-    this.connectionHandler = new ConnectionHandler(
+    // Create other required components
+    this.tlsManager = new TlsManager(this.settings);
+    this.networkProxyBridge = new NetworkProxyBridge(this.settings);
+    
+    // Initialize connection handler with route support
+    this.routeConnectionHandler = new RouteConnectionHandler(
       this.settings,
       this.connectionManager,
       this.securityManager,
-      this.domainConfigManager,
       this.tlsManager,
       this.networkProxyBridge,
       this.timeoutManager,
-      this.portRangeManager
+      this.routeManager
     );
   }
   
   /**
-   * The settings for the port proxy
+   * The settings for the SmartProxy
    */
   public settings: ISmartProxyOptions;
   
@@ -142,8 +189,9 @@ export class SmartProxy extends plugins.EventEmitter {
       // Build and start the Port80Handler
       this.port80Handler = buildPort80Handler({
         ...config,
-        httpsRedirectPort: config.httpsRedirectPort || this.settings.fromPort
+        httpsRedirectPort: config.httpsRedirectPort || 443
       });
+      
       // Share Port80Handler with NetworkProxyBridge before start
       this.networkProxyBridge.setPort80Handler(this.port80Handler);
       await this.port80Handler.start();
@@ -154,7 +202,7 @@ export class SmartProxy extends plugins.EventEmitter {
   }
   
   /**
-   * Start the proxy server
+   * Start the proxy server with support for both configuration types
    */
   public async start() {
     // Don't start if already shutting down
@@ -163,11 +211,7 @@ export class SmartProxy extends plugins.EventEmitter {
       return;
     }
 
-    // Process domain configs
-    // Note: ensureForwardingConfig is no longer needed since forwarding is now required
-
-    // Initialize domain config manager with the processed configs
-    this.domainConfigManager.updateDomainConfigs(this.settings.domainConfigs);
+    // Pure route-based configuration - no domain configs needed
 
     // Initialize Port80Handler if enabled
     await this.initializePort80Handler();
@@ -176,20 +220,39 @@ export class SmartProxy extends plugins.EventEmitter {
     if (this.port80Handler) {
       const acme = this.settings.acme!;
 
-      // Convert domain forwards to use the new forwarding system if possible
+      // Setup domain forwards based on configuration type
       const domainForwards = acme.domainForwards?.map(f => {
-        // If the domain has a forwarding config in domainConfigs, use that
-        const domainConfig = this.settings.domainConfigs.find(
-          dc => dc.domains.some(d => d === f.domain)
-        );
+        if (isLegacyOptions(this.settings)) {
+          // If using legacy mode, check if domain config exists
+          const domainConfig = this.settings.domainConfigs.find(
+            dc => dc.domains.some(d => d === f.domain)
+          );
 
-        if (domainConfig?.forwarding) {
-          return {
+          if (domainConfig?.forwarding) {
+            return {
+              domain: f.domain,
+              forwardConfig: f.forwardConfig,
+              acmeForwardConfig: f.acmeForwardConfig,
+              sslRedirect: f.sslRedirect || domainConfig.forwarding.http?.redirectToHttps || false
+            };
+          }
+        } else {
+          // In route mode, look for matching route
+          const route = this.routeManager.findMatchingRoute({
+            port: 443,
             domain: f.domain,
-            forwardConfig: f.forwardConfig,
-            acmeForwardConfig: f.acmeForwardConfig,
-            sslRedirect: f.sslRedirect || domainConfig.forwarding.http?.redirectToHttps || false
-          };
+            clientIp: '127.0.0.1' // Dummy IP for finding routes
+          })?.route;
+
+          if (route && route.action.type === 'forward' && route.action.tls) {
+            // If we found a matching route with TLS settings
+            return {
+              domain: f.domain,
+              forwardConfig: f.forwardConfig,
+              acmeForwardConfig: f.acmeForwardConfig,
+              sslRedirect: f.sslRedirect || false
+            };
+          }
         }
 
         // Otherwise use the existing configuration
@@ -201,8 +264,11 @@ export class SmartProxy extends plugins.EventEmitter {
         };
       }) || [];
 
+      // Create CertProvisioner with appropriate parameters
+      // No longer need to support multiple configuration types
+      // Just pass the routes directly
       this.certProvisioner = new CertProvisioner(
-        this.settings.domainConfigs,
+        this.settings.routes,
         this.port80Handler,
         this.networkProxyBridge,
         this.settings.certProvisionFunction,
@@ -212,6 +278,7 @@ export class SmartProxy extends plugins.EventEmitter {
         domainForwards
       );
 
+      // Register certificate event handler
       this.certProvisioner.on('certificate', (certData) => {
         this.emit('certificate', {
           domain: certData.domain,
@@ -228,25 +295,22 @@ export class SmartProxy extends plugins.EventEmitter {
     }
 
     // Initialize and start NetworkProxy if needed
-    if (
-      this.settings.useNetworkProxy &&
-      this.settings.useNetworkProxy.length > 0
-    ) {
+    if (this.settings.useNetworkProxy && this.settings.useNetworkProxy.length > 0) {
       await this.networkProxyBridge.initialize();
       await this.networkProxyBridge.start();
     }
 
-    // Validate port configuration
-    const configWarnings = this.portRangeManager.validateConfiguration();
+    // Validate the route configuration
+    const configWarnings = this.routeManager.validateConfiguration();
     if (configWarnings.length > 0) {
-      console.log("Port configuration warnings:");
+      console.log("Route configuration warnings:");
       for (const warning of configWarnings) {
         console.log(` - ${warning}`);
       }
     }
 
-    // Get listening ports from PortRangeManager
-    const listeningPorts = this.portRangeManager.getListeningPorts();
+    // Get listening ports from RouteManager
+    const listeningPorts = this.routeManager.getListeningPorts();
 
     // Create servers for each port
     for (const port of listeningPorts) {
@@ -258,8 +322,8 @@ export class SmartProxy extends plugins.EventEmitter {
           return;
         }
         
-        // Delegate to connection handler
-        this.connectionHandler.handleConnection(socket);
+        // Delegate to route connection handler
+        this.routeConnectionHandler.handleConnection(socket);
       }).on('error', (err: Error) => {
         console.log(`Server Error on port ${port}: ${err.message}`);
       });
@@ -268,7 +332,9 @@ export class SmartProxy extends plugins.EventEmitter {
         const isNetworkProxyPort = this.settings.useNetworkProxy?.includes(port);
         console.log(
           `SmartProxy -> OK: Now listening on port ${port}${
-            this.settings.sniEnabled && !isNetworkProxyPort ? ' (SNI passthrough enabled)' : ''
+            isLegacyOptions(this.settings) && this.settings.sniEnabled && !isNetworkProxyPort ? 
+              ' (SNI passthrough enabled)' : 
+              ''
           }${isNetworkProxyPort ? ' (NetworkProxy forwarding enabled)' : ''}`
         );
       });
@@ -348,12 +414,19 @@ export class SmartProxy extends plugins.EventEmitter {
     }
   }
   
+  /**
+   * Extract domain configurations from routes for certificate provisioning
+   *
+   * Note: This method has been removed as we now work directly with routes
+   */
+  
   /**
    * Stop the proxy server
    */
   public async stop() {
     console.log('SmartProxy shutting down...');
     this.isShuttingDown = true;
+    
     // Stop CertProvisioner if active
     if (this.certProvisioner) {
       await this.certProvisioner.stop();
@@ -412,44 +485,73 @@ export class SmartProxy extends plugins.EventEmitter {
   
   /**
    * Updates the domain configurations for the proxy
+   *
+   * Note: This legacy method has been removed. Use updateRoutes instead.
    */
-  public async updateDomainConfigs(newDomainConfigs: IDomainConfig[]): Promise<void> {
-    console.log(`Updating domain configurations (${newDomainConfigs.length} configs)`);
+  public async updateDomainConfigs(): Promise<void> {
+    console.warn('Method updateDomainConfigs() is deprecated. Use updateRoutes() instead.');
+    throw new Error('updateDomainConfigs() is deprecated - use updateRoutes() instead');
+  }
+  
+  /**
+   * Update routes with new configuration
+   *
+   * This method replaces the current route configuration with the provided routes.
+   * It also provisions certificates for routes that require TLS termination and have
+   * `certificate: 'auto'` set in their TLS configuration.
+   *
+   * @param newRoutes Array of route configurations to use
+   *
+   * Example:
+   * ```ts
+   * proxy.updateRoutes([
+   *   {
+   *     match: { ports: 443, domains: 'secure.example.com' },
+   *     action: {
+   *       type: 'forward',
+   *       target: { host: '10.0.0.1', port: 8443 },
+   *       tls: { mode: 'terminate', certificate: 'auto' }
+   *     }
+   *   }
+   * ]);
+   * ```
+   */
+  public async updateRoutes(newRoutes: IRouteConfig[]): Promise<void> {
+    console.log(`Updating routes (${newRoutes.length} routes)`);
 
-    // Update domain configs in DomainConfigManager
-    this.domainConfigManager.updateDomainConfigs(newDomainConfigs);
+    // Update routes in RouteManager
+    this.routeManager.updateRoutes(newRoutes);
 
     // If NetworkProxy is initialized, resync the configurations
     if (this.networkProxyBridge.getNetworkProxy()) {
-      await this.networkProxyBridge.syncDomainConfigsToNetworkProxy();
+      await this.networkProxyBridge.syncRoutesToNetworkProxy(newRoutes);
     }
 
-    // If Port80Handler is running, provision certificates based on forwarding type
+    // If Port80Handler is running, provision certificates based on routes
     if (this.port80Handler && this.settings.acme?.enabled) {
-      for (const domainConfig of newDomainConfigs) {
-        // Skip certificate provisioning for http-only or passthrough configs that don't need certs
-        const forwardingType = domainConfig.forwarding.type;
-        const needsCertificate =
-          forwardingType === 'https-terminate-to-http' ||
-          forwardingType === 'https-terminate-to-https';
+      for (const route of newRoutes) {
+        // Skip routes without domains
+        if (!route.match.domains) continue;
 
-        // Skip certificate provisioning if ACME is explicitly disabled for this domain
-        const acmeDisabled = domainConfig.forwarding.acme?.enabled === false;
+        // Skip non-forward routes
+        if (route.action.type !== 'forward') continue;
 
-        if (!needsCertificate || acmeDisabled) {
-          if (this.settings.enableDetailedLogging) {
-            console.log(`Skipping certificate provisioning for ${domainConfig.domains.join(', ')} (${forwardingType})`);
-          }
-          continue;
-        }
+        // Skip routes without TLS termination
+        if (!route.action.tls ||
+            route.action.tls.mode === 'passthrough' ||
+            !route.action.target) continue;
 
-        for (const domain of domainConfig.domains) {
+        // Skip certificate provisioning if certificate is not auto
+        if (route.action.tls.certificate !== 'auto') continue;
+
+        const domains = Array.isArray(route.match.domains)
+          ? route.match.domains
+          : [route.match.domains];
+
+        for (const domain of domains) {
           const isWildcard = domain.includes('*');
           let provision: string | plugins.tsclass.network.ICert = 'http01';
 
-          // Check for ACME forwarding configuration in the domain
-          const forwardAcmeChallenges = domainConfig.forwarding.acme?.forwardChallenges;
-
           if (this.settings.certProvisionFunction) {
             try {
               provision = await this.settings.certProvisionFunction(domain);
@@ -467,13 +569,16 @@ export class SmartProxy extends plugins.EventEmitter {
               continue;
             }
 
-            // Create Port80Handler options from the forwarding configuration
-            const port80Config = createPort80HandlerOptions(domain, domainConfig.forwarding);
+            // Register domain with Port80Handler
+            this.port80Handler.addDomain({
+              domainName: domain,
+              sslRedirect: true,
+              acmeMaintenance: true
+            });
 
-            this.port80Handler.addDomain(port80Config);
             console.log(`Registered domain ${domain} with Port80Handler for HTTP-01`);
           } else {
-            // Static certificate (e.g., DNS-01 provisioned) supports wildcards
+            // Handle static certificate (e.g., DNS-01 provisioned)
             const certObj = provision as plugins.tsclass.network.ICert;
             const certData: ICertificateData = {
               domain: certObj.domainName,
@@ -486,11 +591,11 @@ export class SmartProxy extends plugins.EventEmitter {
           }
         }
       }
-      console.log('Provisioned certificates for new domains');
+
+      console.log('Provisioned certificates for new routes');
     }
   }
   
-  
   /**
    * Request a certificate for a specific domain
    */
@@ -583,7 +688,8 @@ export class SmartProxy extends plugins.EventEmitter {
       networkProxyConnections,
       terminationStats,
       acmeEnabled: !!this.port80Handler,
-      port80HandlerPort: this.port80Handler ? this.settings.acme?.port : null
+      port80HandlerPort: this.port80Handler ? this.settings.acme?.port : null,
+      routes: this.routeManager.getListeningPorts().length
     };
   }
   
@@ -591,18 +697,44 @@ export class SmartProxy extends plugins.EventEmitter {
    * Get a list of eligible domains for ACME certificates
    */
   public getEligibleDomainsForCertificates(): string[] {
-    // Collect all non-wildcard domains from domain configs
     const domains: string[] = [];
     
-    for (const config of this.settings.domainConfigs) {
+    // Get domains from routes
+    const routes = isRoutedOptions(this.settings) ? this.settings.routes : [];
+    
+    for (const route of routes) {
+      if (!route.match.domains) continue;
+      
+      // Skip routes without TLS termination or auto certificates
+      if (route.action.type !== 'forward' || 
+          !route.action.tls || 
+          route.action.tls.mode === 'passthrough' || 
+          route.action.tls.certificate !== 'auto') continue;
+      
+      const routeDomains = Array.isArray(route.match.domains) 
+        ? route.match.domains 
+        : [route.match.domains];
+      
       // Skip domains that can't be used with ACME
-      const eligibleDomains = config.domains.filter(domain => 
+      const eligibleDomains = routeDomains.filter(domain => 
         !domain.includes('*') && this.isValidDomain(domain)
       );
       
       domains.push(...eligibleDomains);
     }
     
+    // For legacy mode, also get domains from domain configs
+    if (isLegacyOptions(this.settings)) {
+      for (const config of this.settings.domainConfigs) {
+        // Skip domains that can't be used with ACME
+        const eligibleDomains = config.domains.filter(domain => 
+          !domain.includes('*') && this.isValidDomain(domain)
+        );
+        
+        domains.push(...eligibleDomains);
+      }
+    }
+    
     return domains;
   }