19.3.13

fix(port-manager, certificate-manager): Improve port binding and ACME challenge route integration in SmartProxy
19.3.12
2025-05-20 15:32:19 +00:00 · 2025-05-20 15:32:19 +00:00 · 2025-05-19 23:57:16 +00:00 · 2025-05-19 23:57:16 +00:00 · 2025-05-19 23:37:11 +00:00 · 2025-05-19 23:37:11 +00:00
41 changed files with 2702 additions and 2504 deletions
--- a/Final-Refactoring-Summary.md
+++ b/Final-Refactoring-Summary.md
@ -1,100 +0,0 @@
 # SmartProxy Architecture Refactoring - Final Summary
 ## Overview
 Successfully completed comprehensive architecture refactoring of SmartProxy with additional refinements requested by the user.
 ## All Completed Work
 ### Phase 1: Rename NetworkProxy to HttpProxy ✅
 - Renamed directory and all class/file names
 - Updated all imports and references throughout codebase
 - Fixed configuration property names
 ### Phase 2: Extract HTTP Logic from SmartProxy ✅
 - Created HTTP handler modules in HttpProxy
 - Removed duplicated HTTP parsing logic
 - Delegated all HTTP operations to appropriate handlers
 - Simplified SmartProxy's responsibilities
 ### Phase 3: Simplify SmartProxy ✅
 - Updated RouteConnectionHandler to delegate HTTP operations
 - Renamed NetworkProxyBridge to HttpProxyBridge
 - Focused SmartProxy on connection routing only
 ### Phase 4: Consolidate HTTP Utilities ✅
 - Created consolidated `http-types.ts` in HttpProxy
 - Moved all HTTP types to HttpProxy module
 - Updated imports to use consolidated types
 - Maintained backward compatibility
 ### Phase 5: Update Tests and Documentation ✅
 - Renamed test files to match new conventions
 - Updated all test imports and references
 - Fixed test syntax issues
 - Updated README and documentation
 ### Additional Work (User Request) ✅
 1. **Renamed ts/http to ts/routing** ✅
   - Updated all references and imports
   - Changed export namespace from `http` to `routing`
   - Fixed all dependent modules
 2. **Fixed All TypeScript Errors** ✅
   - Resolved 72 initial type errors
   - Fixed test assertion syntax issues
   - Corrected property names (targetUrl → target)
   - Added missing exports (SmartCertManager)
   - Fixed certificate type annotations
 3. **Fixed Test Issues** ✅
   - Replaced `tools.expect` with `expect`
   - Fixed array assertion methods
   - Corrected timeout syntax
   - Updated all property references
 ## Technical Details
 ### Type Fixes Applied:
 - Added `as const` assertions for string literals
 - Fixed imports from old directory structure
 - Exported SmartCertManager through main index
 - Corrected test assertion method calls
 - Fixed numeric type issues in array methods
 ### Test Fixes Applied:
 - Updated from Vitest syntax to tap syntax
 - Fixed toHaveLength to use proper assertions
 - Replaced toContain with includes() checks
 - Fixed timeout property to method call
 - Corrected all targetUrl references
 ## Results
 ✅ **All TypeScript files compile without errors**
 ✅ **All type checks pass**
 ✅ **Test files are properly structured**
 ✅ **Sample tests run successfully**
 ✅ **Documentation is updated**
 ## Breaking Changes for Users
 1. **Class Rename**: `NetworkProxy` → `HttpProxy`
 2. **Import Path**: `network-proxy` → `http-proxy`
 3. **Config Properties**:
   - `useNetworkProxy` → `useHttpProxy`
   - `networkProxyPort` → `httpProxyPort`
 4. **Export Namespace**: `http` → `routing`
 ## Next Steps
 The architecture refactoring is complete and the codebase is now:
 - More maintainable with clear separation of concerns
 - Better organized with proper module boundaries
 - Type-safe with all errors resolved
 - Well-tested with passing test suites
 - Ready for future enhancements like HTTP/3 support
 ## Conclusion
 The SmartProxy refactoring has been successfully completed with all requested enhancements. The codebase now has a cleaner architecture, better naming conventions, and improved type safety while maintaining backward compatibility where possible.
--- a/Phase-2-Summary.md
+++ b/Phase-2-Summary.md
@ -1,49 +0,0 @@
 # Phase 2: Extract HTTP Logic from SmartProxy - Complete
 ## Overview
 Successfully extracted HTTP-specific logic from SmartProxy to HttpProxy, creating a cleaner separation of concerns between TCP routing and HTTP processing.
 ## Changes Made
 ### 1. HTTP Handler Modules in HttpProxy
 - ✅ Created `handlers/` directory in HttpProxy
 - ✅ Implemented `redirect-handler.ts` for HTTP redirect logic
 - ✅ Implemented `static-handler.ts` for static/ACME route handling
 - ✅ Added proper exports in `index.ts`
 ### 2. Simplified SmartProxy's RouteConnectionHandler
 - ✅ Removed duplicated HTTP redirect logic
 - ✅ Removed duplicated static content handling logic
 - ✅ Updated `handleRedirectAction` to delegate to HttpProxy's `RedirectHandler`
 - ✅ Updated `handleStaticAction` to delegate to HttpProxy's `StaticHandler`
 - ✅ Removed unused `getStatusText` helper function
 ### 3. Fixed Naming and References
 - ✅ Updated all NetworkProxy references to HttpProxy throughout SmartProxy
 - ✅ Fixed HttpProxyBridge methods that incorrectly referenced networkProxy
 - ✅ Updated configuration property names:
  - `useNetworkProxy` → `useHttpProxy`
  - `networkProxyPort` → `httpProxyPort`
 - ✅ Fixed imports from `network-proxy` to `http-proxy`
 - ✅ Updated exports in `proxies/index.ts`
 ### 4. Compilation and Testing
 - ✅ Fixed all TypeScript compilation errors
 - ✅ Extended route context to support HTTP methods in handlers
 - ✅ Ensured backward compatibility with existing code
 - ✅ Tests are running (with expected port 80 permission issues)
 ## Benefits Achieved
 1. **Clear Separation**: HTTP/HTTPS handling is now clearly separated from TCP routing
 2. **Reduced Duplication**: HTTP parsing logic exists in only one place (HttpProxy)
 3. **Better Organization**: HTTP handlers are properly organized in the HttpProxy module
 4. **Maintainability**: Easier to modify HTTP handling without affecting routing logic
 5. **Type Safety**: Proper TypeScript types maintained throughout
 ## Next Steps
 Phase 3: Simplify SmartProxy - The groundwork has been laid to further simplify SmartProxy by:
 1. Continuing to reduce its responsibilities to focus on port management and routing
 2. Ensuring all HTTP-specific logic remains in HttpProxy
 3. Improving the integration points between SmartProxy and HttpProxy
--- a/Phase-4-Summary.md
+++ b/Phase-4-Summary.md
@ -1,45 +0,0 @@
 # Phase 4: Consolidate HTTP Utilities - Complete
 ## Overview
 Successfully consolidated HTTP-related types and utilities from the `ts/http` module into the HttpProxy module, creating a single source of truth for all HTTP-related functionality.
 ## Changes Made
 ### 1. Created Consolidated HTTP Types
 - ✅ Created `http-types.ts` in `ts/proxies/http-proxy/models/`
 - ✅ Added comprehensive HTTP status codes enum with additional codes
 - ✅ Implemented HTTP error classes with proper status codes
 - ✅ Added helper functions like `getStatusText()`
 - ✅ Included backward compatibility exports
 ### 2. Updated HttpProxy Module
 - ✅ Updated models index to export the new HTTP types
 - ✅ Updated handlers to use the consolidated types
 - ✅ Added imports for HTTP status codes and helper functions
 ### 3. Cleaned Up ts/http Module
 - ✅ Replaced local HTTP types with re-exports from HttpProxy
 - ✅ Removed redundant type definitions
 - ✅ Kept only router functionality
 - ✅ Updated imports to reference the consolidated types
 ### 4. Ensured Compilation Success
 - ✅ Fixed all import paths
 - ✅ Verified TypeScript compilation succeeds
 - ✅ Maintained backward compatibility for existing code
 ## Benefits Achieved
 1. **Single Source of Truth**: All HTTP types now live in the HttpProxy module
 2. **Better Organization**: HTTP-related code is centralized where it's most used
 3. **Enhanced Type Safety**: Added more comprehensive HTTP status codes and error types
 4. **Reduced Redundancy**: Eliminated duplicate type definitions
 5. **Improved Maintainability**: Easier to update and extend HTTP functionality
 ## Next Steps
 Phase 5: Update Tests and Documentation - This will complete the refactoring by:
 1. Updating test files to use the new structure
 2. Verifying all existing tests still pass
 3. Updating documentation to reflect the new architecture
 4. Creating migration guide for users of the library
--- a/Refactoring-Complete-Summary.md
+++ b/Refactoring-Complete-Summary.md
@ -1,109 +0,0 @@
 # SmartProxy Architecture Refactoring - Complete Summary
 ## Overview
 Successfully completed a comprehensive refactoring of the SmartProxy architecture to provide clearer separation of concerns between HTTP/HTTPS traffic handling and low-level connection routing.
 ## Phases Completed
 ### Phase 1: Rename NetworkProxy to HttpProxy ✅
 - Renamed directory from `network-proxy` to `http-proxy`
 - Updated class and file names throughout the codebase
 - Fixed all imports and references
 - Updated type definitions and interfaces
 ### Phase 2: Extract HTTP Logic from SmartProxy ✅
 - Created HTTP handler modules in HttpProxy
 - Removed duplicated HTTP parsing logic from SmartProxy
 - Delegated redirect and static handling to HttpProxy
 - Fixed naming and references throughout
 ### Phase 3: Simplify SmartProxy ✅
 - Updated RouteConnectionHandler to delegate HTTP operations
 - Renamed NetworkProxyBridge to HttpProxyBridge
 - Simplified route handling in SmartProxy
 - Focused SmartProxy on connection routing
 ### Phase 4: Consolidate HTTP Utilities ✅
 - Created consolidated `http-types.ts` in HttpProxy
 - Moved all HTTP types to HttpProxy module
 - Updated imports to use consolidated types
 - Maintained backward compatibility
 ### Phase 5: Update Tests and Documentation ✅
 - Renamed test files to match new naming convention
 - Updated all test imports and references
 - Updated README and architecture documentation
 - Fixed all API documentation references
 ## Benefits Achieved
 1. **Clear Separation of Concerns**
   - HTTP/HTTPS handling is clearly in HttpProxy
   - SmartProxy focuses on port management and routing
   - Better architectural boundaries
 2. **Improved Naming**
   - HttpProxy clearly indicates its purpose
   - Consistent naming throughout the codebase
   - Better developer experience
 3. **Reduced Code Duplication**
   - HTTP parsing logic exists in one place
   - Consolidated types prevent redundancy
   - Easier maintenance
 4. **Better Organization**
   - HTTP handlers properly organized in HttpProxy
   - Types consolidated where they're used most
   - Clear module boundaries
 5. **Maintained Compatibility**
   - Existing functionality preserved
   - Tests continue to pass
   - API compatibility maintained
 ## Breaking Changes
 For users of the library:
 1. `NetworkProxy` class is now `HttpProxy`
 2. Import paths changed from `network-proxy` to `http-proxy`
 3. Configuration properties renamed:
   - `useNetworkProxy` → `useHttpProxy`
   - `networkProxyPort` → `httpProxyPort`
 ## Migration Guide
 For users upgrading to the new version:
 ```typescript
 // Old code
 import { NetworkProxy } from '@push.rocks/smartproxy';
 const proxy = new NetworkProxy({ port: 8080 });
 // New code
 import { HttpProxy } from '@push.rocks/smartproxy';
 const proxy = new HttpProxy({ port: 8080 });
 // Configuration changes
 const config = {
  // Old
  useNetworkProxy: [443],
  networkProxyPort: 8443,
  // New
  useHttpProxy: [443],
  httpProxyPort: 8443,
 };
 ```
 ## Next Steps
 With this refactoring complete, the codebase is now better positioned for:
 1. Adding HTTP/3 (QUIC) support
 2. Implementing advanced HTTP features
 3. Building an HTTP middleware system
 4. Protocol-specific optimizations
 5. Enhanced HTTP/2 multiplexing
 ## Conclusion
 The refactoring has successfully achieved its goals of providing clearer separation of concerns, better naming, and improved organization while maintaining backward compatibility where possible. The SmartProxy architecture is now more maintainable and extensible for future enhancements.
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,77 @@
 # Changelog
 ## 2025-05-20 - 19.3.13 - fix(port-manager, certificate-manager)
 Improve port binding and ACME challenge route integration in SmartProxy
 - Added reference counting in PortManager so that routes sharing the same port reuse the existing binding.
 - Enhanced error handling to distinguish internal port conflicts from external ones, with more descriptive messages.
 - Adjusted ACME challenge route addition to merge with existing port bindings when port is already in use.
 - Refactored updateRoutes to release orphaned ports and bind only new required ports, minimizing rebinding operations.
 - Improved certificate-manager logic to provide clearer error notifications when ACME port conflicts occur.
 ## 2025-05-19 - 19.3.12 - fix(tests)
 Update test mocks to include provisionAllCertificates methods in certificate manager stubs and related objects.
 - Added async provisionAllCertificates functions to several test mocks (e.g. in test.port80-management.node.ts, test.route-callback-simple.ts, test.route-update-callback.node.ts, and test.simple-acme-mock.ts) to simulate ACME certificate provisioning.
 - Enhanced logging and port-add history debugging for ACME challenge port addition.
 ## 2025-05-19 - 19.3.11 - fix(logger)
 Replace raw console logging calls with structured logger usage across certificate management, connection handling, and route processing for improved observability.
 - Replaced console.log, console.warn, and console.error in SmartCertManager with logger.log for more consistent logging.
 - Updated ConnectionManager and RouteConnectionHandler to log detailed connection events using a structured logger.
 - Enhanced logging statements with contextual metadata such as connection IDs, remote IPs, target information, and component identifiers.
 - Standardized log output across proxy modules to aid in debugging and monitoring.
 ## 2025-05-19 - 19.3.10 - fix(certificate-manager, smart-proxy)
 Fix race condition in ACME certificate provisioning and refactor certificate manager initialization to defer provisioning until after port listeners are active
 - Removed superfluous provisionCertificatesAfterPortsReady method
 - Made provisionAllCertificates public so that SmartProxy.start() calls it after ports are listening
 - Updated SmartProxy.start() to wait for port setup (via PortManager) before triggering certificate provisioning
 - Improved ACME HTTP-01 challenge timing so that port 80 (or configured ACME port) is guaranteed to be ready
 - Updated documentation (changelog and Acme timing docs) and tests to reflect the change
 ## 2025-05-19 - 19.3.10 - refactor(certificate-manager, smart-proxy)
 Simplify certificate provisioning code by removing unnecessary wrapper method
 - Removed superfluous SmartCertManager.provisionCertificatesAfterPortsReady() method
 - Made SmartCertManager.provisionAllCertificates() public instead
 - Updated SmartProxy.start() to call provisionAllCertificates() directly
 - Updated documentation and tests to reflect the change
 - No functional changes, just code simplification
 ## 2025-05-19 - 19.3.9 - fix(certificate-manager, smart-proxy)
 Fix ACME certificate provisioning timing to ensure ports are listening first
 - Fixed race condition where certificate provisioning would start before ports were listening
 - Modified SmartCertManager.initialize() to defer certificate provisioning
 - Added SmartCertManager.provisionCertificatesAfterPortsReady() for delayed provisioning
 - Updated SmartProxy.start() to call certificate provisioning after ports are ready
 - This fix prevents ACME HTTP-01 challenges from failing due to port 80 not being ready
 - Added test/test.acme-timing-simple.ts to verify the timing synchronization
 ## 2025-05-19 - 19.3.9 - fix(route-connection-handler)
 Forward non-TLS connections on HttpProxy ports to fix ACME HTTP-01 challenge handling
 - Added a check in RouteConnectionHandler.handleForwardAction to see if the incoming connection is non-TLS and if its port is in useHttpProxy, then forward to HttpProxy.
 - Non-TLS connections on explicitly configured HttpProxy ports are now correctly forwarded, ensuring ACME HTTP-01 challenges succeed.
 - Updated tests in test.http-fix-unit.ts, test.http-fix-verification.ts, and test.http-port8080-forwarding.ts to verify that non-TLS connections on the configured ports are handled properly.
 ## 2025-05-19 - 19.3.8 - fix(route-connection-handler)
 Fix HTTP-01 ACME challenges on port 80 by properly forwarding non-TLS connections to HttpProxy
 - Fixed a bug where non-TLS connections on ports configured in useHttpProxy were not being forwarded to HttpProxy
 - Added check for non-TLS connections on HttpProxy ports in handleForwardAction method
 - This fix resolves ACME HTTP-01 challenges failing on port 80 when useHttpProxy includes port 80
 - Added test/test.http-fix-unit.ts to verify the fix works correctly
 ## 2025-05-19 - 19.3.8 - fix(certificate-manager)
 Preserve certificate manager update callback in updateRoutes
 - Update the test in test/route-callback-simple.ts to override createCertificateManager and ensure the updateRoutes callback is set
 - Ensure that the mock certificate manager always sets the updateRoutes callback, preserving behavior for ACME challenges
 ## 2025-05-19 - 19.3.7 - fix(smartproxy)
 Improve error handling in forwarding connection handler and refine domain matching logic
--- a/docs/certificate-management.md
+++ b/docs/certificate-management.md
@ -1,348 +0,0 @@
 # Certificate Management in SmartProxy v19+
 ## Overview
 SmartProxy v19+ enhances certificate management with support for both global and route-level ACME configuration. This guide covers the updated certificate management system, which now supports flexible configuration hierarchies.
 ## Key Changes from Previous Versions
 ### v19.0.0 Changes
 - **Global ACME configuration**: Set default ACME settings for all routes with `certificate: 'auto'`
 - **Configuration hierarchy**: Top-level ACME settings serve as defaults, route-level settings override
 - **Better error messages**: Clear guidance when ACME configuration is missing
 - **Improved validation**: Configuration validation warns about common issues
 ### v18.0.0 Changes (from v17)
 - **No backward compatibility**: Clean break from the legacy certificate system
 - **No separate Port80Handler**: ACME challenges handled as regular SmartProxy routes
 - **Unified route-based configuration**: Certificates configured directly in route definitions
 - **Direct integration with @push.rocks/smartacme**: Leverages SmartAcme's built-in capabilities
 ## Configuration
 ### Global ACME Configuration (New in v19+)
 Set default ACME settings at the top level that apply to all routes with `certificate: 'auto'`:
 ```typescript
 const proxy = new SmartProxy({
  // Global ACME defaults
  acme: {
    email: 'ssl@example.com',         // Required for Let's Encrypt
    useProduction: false,             // Use staging by default
    port: 80,                         // Port for HTTP-01 challenges
    renewThresholdDays: 30,           // Renew 30 days before expiry
    certificateStore: './certs',      // Certificate storage directory
    autoRenew: true,                  // Enable automatic renewal
    renewCheckIntervalHours: 24       // Check for renewals daily
  },
  routes: [
    // Routes using certificate: 'auto' will inherit global settings
    {
      name: 'website',
      match: { ports: 443, domains: 'example.com' },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8080 },
        tls: {
          mode: 'terminate',
          certificate: 'auto'  // Uses global ACME configuration
        }
      }
    }
  ]
 });
 ```
 ### Route-Level Certificate Configuration
 Certificates are now configured at the route level using the `tls` property:
 ```typescript
 const route: IRouteConfig = {
  name: 'secure-website',
  match: {
    ports: 443,
    domains: ['example.com', 'www.example.com']
  },
  action: {
    type: 'forward',
    target: { host: 'localhost', port: 8080 },
    tls: {
      mode: 'terminate',
      certificate: 'auto',  // Use ACME (Let's Encrypt)
      acme: {
        email: 'admin@example.com',
        useProduction: true,
        renewBeforeDays: 30
      }
    }
  }
 };
 ```
 ### Static Certificate Configuration
 For manually managed certificates:
 ```typescript
 const route: IRouteConfig = {
  name: 'api-endpoint',
  match: {
    ports: 443,
    domains: 'api.example.com'
  },
  action: {
    type: 'forward',
    target: { host: 'localhost', port: 9000 },
    tls: {
      mode: 'terminate',
      certificate: {
        certFile: './certs/api.crt',
        keyFile: './certs/api.key',
        ca: '...' // Optional CA chain
      }
    }
  }
 };
 ```
 ## TLS Modes
 SmartProxy supports three TLS modes:
 1. **terminate**: Decrypt TLS at the proxy and forward plain HTTP
 2. **passthrough**: Pass encrypted TLS traffic directly to the backend
 3. **terminate-and-reencrypt**: Decrypt at proxy, then re-encrypt to backend
 ## Certificate Storage
 Certificates are stored in the `./certs` directory by default:
 ```
 ./certs/
 ├── route-name/
 │   ├── cert.pem
 │   ├── key.pem
 │   ├── ca.pem (if available)
 │   └── meta.json
 ```
 ## ACME Integration
 ### How It Works
 1. SmartProxy creates a high-priority route for ACME challenges
 2. When ACME server makes requests to `/.well-known/acme-challenge/*`, SmartProxy handles them automatically
 3. Certificates are obtained and stored locally
 4. Automatic renewal checks every 12 hours
 ### Configuration Options
 ```typescript
 export interface IRouteAcme {
  email: string;                    // Contact email for ACME account
  useProduction?: boolean;          // Use production servers (default: false)
  challengePort?: number;           // Port for HTTP-01 challenges (default: 80)
  renewBeforeDays?: number;         // Days before expiry to renew (default: 30)
 }
 ```
 ## Advanced Usage
 ### Manual Certificate Operations
 ```typescript
 // Get certificate status
 const status = proxy.getCertificateStatus('route-name');
 console.log(status);
 // {
 //   domain: 'example.com',
 //   status: 'valid',
 //   source: 'acme',
 //   expiryDate: Date,
 //   issueDate: Date
 // }
 // Force certificate renewal
 await proxy.renewCertificate('route-name');
 // Manually provision a certificate
 await proxy.provisionCertificate('route-name');
 ```
 ### Events
 SmartProxy emits certificate-related events:
 ```typescript
 proxy.on('certificate:issued', (event) => {
  console.log(`New certificate for ${event.domain}`);
 });
 proxy.on('certificate:renewed', (event) => {
  console.log(`Certificate renewed for ${event.domain}`);
 });
 proxy.on('certificate:expiring', (event) => {
  console.log(`Certificate expiring soon for ${event.domain}`);
 });
 ```
 ## Migration from Previous Versions
 ### Before (v17 and earlier)
 ```typescript
 // Old approach with Port80Handler
 const smartproxy = new SmartProxy({
  port: 443,
  acme: {
    enabled: true,
    accountEmail: 'admin@example.com',
    // ... other ACME options
  }
 });
 // Certificate provisioning was automatic or via certProvisionFunction
 ```
 ### After (v19+)
 ```typescript
 // New approach with global ACME configuration
 const smartproxy = new SmartProxy({
  // Global ACME defaults (v19+)
  acme: {
    email: 'ssl@bleu.de',
    useProduction: true,
    port: 80  // Or 8080 for non-privileged
  },
  routes: [{
    match: { ports: 443, domains: 'example.com' },
    action: {
      type: 'forward',
      target: { host: 'localhost', port: 8080 },
      tls: {
        mode: 'terminate',
        certificate: 'auto'  // Uses global ACME settings
      }
    }
  }]
 });
 ```
 ## Troubleshooting
 ### Common Issues
 1. **Certificate not provisioning**: Ensure the ACME challenge port (80 or configured port) is accessible
 2. **ACME rate limits**: Use staging environment for testing (`useProduction: false`)
 3. **Permission errors**: Ensure the certificate directory is writable
 4. **Invalid email domain**: ACME servers may reject certain email domains (e.g., example.com). Use a real email domain
 5. **Port binding errors**: Use higher ports (e.g., 8080) if running without root privileges
 ### Using Non-Privileged Ports
 For development or non-root environments:
 ```typescript
 const proxy = new SmartProxy({
  acme: {
    email: 'ssl@bleu.de',
    port: 8080,  // Use 8080 instead of 80
    useProduction: false
  },
  routes: [
    {
      match: { ports: 8443, domains: 'example.com' },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 3000 },
        tls: {
          mode: 'terminate',
          certificate: 'auto'
        }
      }
    }
  ]
 });
 ```
 ### Debug Mode
 Enable detailed logging to troubleshoot certificate issues:
 ```typescript
 const proxy = new SmartProxy({
  enableDetailedLogging: true,
  // ... other options
 });
 ```
 ## Dynamic Route Updates
 When routes are updated dynamically using `updateRoutes()`, SmartProxy maintains certificate management continuity:
 ```typescript
 // Update routes with new domains
 await proxy.updateRoutes([
  {
    name: 'new-domain',
    match: { ports: 443, domains: 'newsite.example.com' },
    action: {
      type: 'forward',
      target: { host: 'localhost', port: 8080 },
      tls: {
        mode: 'terminate',
        certificate: 'auto'  // Will use global ACME config
      }
    }
  }
 ]);
 ```
 ### Important Notes on Route Updates
 1. **Certificate Manager Recreation**: When routes are updated, the certificate manager is recreated to reflect the new configuration
 2. **ACME Callbacks Preserved**: The ACME route update callback is automatically preserved during route updates
 3. **Existing Certificates**: Certificates already provisioned are retained in the certificate store
 4. **New Route Certificates**: New routes with `certificate: 'auto'` will trigger certificate provisioning
 ### ACME Challenge Route Lifecycle
 SmartProxy v19.2.3+ implements an improved challenge route lifecycle to prevent port conflicts:
 1. **Single Challenge Route**: The ACME challenge route on port 80 is added once during initialization, not per certificate
 2. **Persistent During Provisioning**: The challenge route remains active throughout the entire certificate provisioning process
 3. **Concurrency Protection**: Certificate provisioning is serialized to prevent race conditions
 4. **Automatic Cleanup**: The challenge route is automatically removed when the certificate manager stops
 ### Troubleshooting Port 80 Conflicts
 If you encounter "EADDRINUSE" errors on port 80:
 1. **Check Existing Services**: Ensure no other service is using port 80
 2. **Verify Configuration**: Confirm your ACME configuration specifies the correct port
 3. **Monitor Logs**: Check for "Challenge route already active" messages
 4. **Restart Clean**: If issues persist, restart SmartProxy to reset state
 ### Route Update Best Practices
 1. **Batch Updates**: Update multiple routes in a single `updateRoutes()` call for efficiency
 2. **Monitor Certificate Status**: Check certificate status after route updates
 3. **Handle ACME Errors**: Implement error handling for certificate provisioning failures
 4. **Test Updates**: Test route updates in staging environment first
 5. **Check Port Availability**: Ensure port 80 is available before enabling ACME
 ## Best Practices
 1. **Always test with staging ACME servers first**
 2. **Set up monitoring for certificate expiration**
 3. **Use meaningful route names for easier certificate management**
 4. **Store static certificates securely with appropriate permissions**
 5. **Implement certificate status monitoring in production**
 6. **Batch route updates when possible to minimize disruption**
 7. **Monitor certificate provisioning after route updates**
--- a/docs/port80-acme-management.md
+++ b/docs/port80-acme-management.md
@ -1,126 +0,0 @@
 # Port 80 ACME Management in SmartProxy
 ## Overview
 SmartProxy correctly handles port management when both user routes and ACME challenges need to use the same port (typically port 80). This document explains how the system prevents port conflicts and EADDRINUSE errors.
 ## Port Deduplication
 SmartProxy's PortManager implements automatic port deduplication:
 ```typescript
 public async addPort(port: number): Promise<void> {
  // Check if we're already listening on this port
  if (this.servers.has(port)) {
    console.log(`PortManager: Already listening on port ${port}`);
    return;
  }
  // Create server for this port...
 }
 ```
 This means that when both a user route and ACME challenges are configured to use port 80, the port is only opened once and shared between both use cases.
 ## ACME Challenge Route Flow
 1. **Initialization**: When SmartProxy starts and detects routes with `certificate: 'auto'`, it initializes the certificate manager
 2. **Challenge Route Creation**: The certificate manager creates a special challenge route on the configured ACME port (default 80)
 3. **Route Update**: The challenge route is added via `updateRoutes()`, which triggers port allocation
 4. **Deduplication**: If port 80 is already in use by a user route, the PortManager's deduplication prevents double allocation
 5. **Shared Access**: Both user routes and ACME challenges share the same port listener
 ## Configuration Examples
 ### Shared Port (Recommended)
 ```typescript
 const settings = {
  routes: [
    {
      name: 'web-traffic',
      match: {
        ports: [80]
      },
      action: {
        type: 'forward',
        targetUrl: 'http://localhost:3000'
      }
    },
    {
      name: 'secure-traffic',
      match: {
        ports: [443]
      },
      action: {
        type: 'forward',
        targetUrl: 'https://localhost:3001',
        tls: {
          mode: 'terminate',
          certificate: 'auto'
        }
      }
    }
  ],
  acme: {
    email: 'your-email@example.com',
    port: 80  // Same as user route - this is safe!
  }
 };
 ```
 ### Separate ACME Port
 ```typescript
 const settings = {
  routes: [
    {
      name: 'web-traffic',
      match: {
        ports: [80]
      },
      action: {
        type: 'forward',
        targetUrl: 'http://localhost:3000'
      }
    }
  ],
  acme: {
    email: 'your-email@example.com',
    port: 8080  // Different port for ACME challenges
  }
 };
 ```
 ## Best Practices
 1. **Use Default Port 80**: Let ACME use port 80 (the default) even if you have user routes on that port
 2. **Priority Routing**: ACME challenge routes have high priority (1000) to ensure they take precedence
 3. **Path-Based Routing**: ACME routes only match `/.well-known/acme-challenge/*` paths, avoiding conflicts
 4. **Automatic Cleanup**: Challenge routes are automatically removed when not needed
 ## Troubleshooting
 ### EADDRINUSE Errors
 If you see EADDRINUSE errors, check:
 1. Is another process using the port?
 2. Are you running multiple SmartProxy instances?
 3. Is the previous instance still shutting down?
 ### Certificate Provisioning Issues
 1. Ensure the ACME port is accessible from the internet
 2. Check that DNS is properly configured for your domains
 3. Verify email configuration in ACME settings
 ## Technical Details
 The port deduplication is handled at multiple levels:
 1. **PortManager Level**: Checks if port is already active before creating new listener
 2. **RouteManager Level**: Tracks which ports are needed and updates accordingly
 3. **Certificate Manager Level**: Adds challenge route only when needed
 This multi-level approach ensures robust port management without conflicts.
--- a/docs/porthandling.md
+++ b/docs/porthandling.md
@ -1,468 +0,0 @@
 # SmartProxy Port Handling
 This document covers all the port handling capabilities in SmartProxy, including port range specification, dynamic port mapping, and runtime port management.
 ## Port Range Syntax
 SmartProxy offers flexible port range specification through the `TPortRange` type, which can be defined in three different ways:
 ### 1. Single Port
 ```typescript
 // Match a single port
 {
  match: {
    ports: 443
  }
 }
 ```
 ### 2. Array of Specific Ports
 ```typescript
 // Match multiple specific ports
 {
  match: {
    ports: [80, 443, 8080]
  }
 }
 ```
 ### 3. Port Range
 ```typescript
 // Match a range of ports
 {
  match: {
    ports: [{ from: 8000, to: 8100 }]
  }
 }
 ```
 ### 4. Mixed Port Specifications
 You can combine different port specification methods in a single rule:
 ```typescript
 // Match both specific ports and port ranges
 {
  match: {
    ports: [80, 443, { from: 8000, to: 8100 }]
  }
 }
 ```
 ## Port Forwarding Options
 SmartProxy offers several ways to handle port forwarding from source to target:
 ### 1. Static Port Forwarding
 Forward to a fixed target port:
 ```typescript
 {
  action: {
    type: 'forward',
    target: {
      host: 'backend.example.com',
      port: 8080
    }
  }
 }
 ```
 ### 2. Preserve Source Port
 Forward to the same port on the target:
 ```typescript
 {
  action: {
    type: 'forward',
    target: {
      host: 'backend.example.com',
      port: 'preserve'
    }
  }
 }
 ```
 ### 3. Dynamic Port Mapping
 Use a function to determine the target port based on connection context:
 ```typescript
 {
  action: {
    type: 'forward',
    target: {
      host: 'backend.example.com',
      port: (context) => {
        // Calculate port based on request details
        return 8000 + (context.port % 100);
      }
    }
  }
 }
 ```
 ## Port Selection Context
 When using dynamic port mapping functions, you have access to a rich context object that provides details about the connection:
 ```typescript
 interface IRouteContext {
  // Connection information
  port: number;          // The matched incoming port
  domain?: string;       // The domain from SNI or Host header
  clientIp: string;      // The client's IP address
  serverIp: string;      // The server's IP address
  path?: string;         // URL path (for HTTP connections)
  query?: string;        // Query string (for HTTP connections)
  headers?: Record<string, string>; // HTTP headers (for HTTP connections)
  // TLS information
  isTls: boolean;        // Whether the connection is TLS
  tlsVersion?: string;   // TLS version if applicable
  // Route information
  routeName?: string;    // The name of the matched route
  routeId?: string;      // The ID of the matched route
  // Additional properties
  timestamp: number;     // The request timestamp
  connectionId: string;  // Unique connection identifier
 }
 ```
 ## Common Port Mapping Patterns
 ### 1. Port Offset Mapping
 Forward traffic to target ports with a fixed offset:
 ```typescript
 {
  action: {
    type: 'forward',
    target: {
      host: 'backend.example.com',
      port: (context) => context.port + 1000
    }
  }
 }
 ```
 ### 2. Domain-Based Port Mapping
 Forward to different backend ports based on the domain:
 ```typescript
 {
  action: {
    type: 'forward',
    target: {
      host: 'backend.example.com',
      port: (context) => {
        switch (context.domain) {
          case 'api.example.com': return 8001;
          case 'admin.example.com': return 8002;
          case 'staging.example.com': return 8003;
          default: return 8000;
        }
      }
    }
  }
 }
 ```
 ### 3. Load Balancing with Hash-Based Distribution
 Distribute connections across a port range using a deterministic hash function:
 ```typescript
 {
  action: {
    type: 'forward',
    target: {
      host: 'backend.example.com',
      port: (context) => {
        // Simple hash function to ensure consistent mapping
        const hostname = context.domain || '';
        const hash = hostname.split('').reduce((a, b) => a + b.charCodeAt(0), 0);
        return 8000 + (hash % 10); // Map to ports 8000-8009
      }
    }
  }
 }
 ```
 ## IPv6-Mapped IPv4 Compatibility
 SmartProxy automatically handles IPv6-mapped IPv4 addresses for optimal compatibility. When a connection from an IPv4 address (e.g., `192.168.1.1`) arrives as an IPv6-mapped address (`::ffff:192.168.1.1`), the system normalizes these addresses for consistent matching.
 This is particularly important when:
 1. Matching client IP restrictions in route configurations
 2. Preserving source IP for outgoing connections
 3. Tracking connections and rate limits
 No special configuration is needed - the system handles this normalization automatically.
 ## Dynamic Port Management
 SmartProxy allows for runtime port configuration changes without requiring a restart.
 ### Adding and Removing Ports
 ```typescript
 // Get the SmartProxy instance
 const proxy = new SmartProxy({ /* config */ });
 // Add a new listening port
 await proxy.addListeningPort(8081);
 // Remove a listening port
 await proxy.removeListeningPort(8082);
 ```
 ### Runtime Route Updates
 ```typescript
 // Get current routes
 const currentRoutes = proxy.getRoutes();
 // Add new route for the new port
 const newRoute = {
  name: 'New Dynamic Route',
  match: {
    ports: 8081,
    domains: ['dynamic.example.com']
  },
  action: {
    type: 'forward',
    target: {
      host: 'backend.example.com',
      port: 9000
    }
  }
 };
 // Update the route configuration
 await proxy.updateRoutes([...currentRoutes, newRoute]);
 // Remove routes for a specific port
 const routesWithout8082 = currentRoutes.filter(route => {
  const ports = proxy.routeManager.expandPortRange(route.match.ports);
  return !ports.includes(8082);
 });
 await proxy.updateRoutes(routesWithout8082);
 ```
 ## Performance Considerations
 ### Port Range Expansion
 When using large port ranges, SmartProxy uses internal caching to optimize performance. For example, a range like `{ from: 1000, to: 2000 }` is expanded only once and then cached for future use.
 ### Port Range Validation
 The system automatically validates port ranges to ensure:
 1. Port numbers are within the valid range (1-65535)
 2. The "from" value is not greater than the "to" value in range specifications
 3. Port ranges do not contain duplicate entries
 Invalid port ranges will be logged as warnings and skipped during configuration.
 ## Configuration Recipes
 ### Global Port Range
 Listen on a large range of ports and forward to the same ports on a backend:
 ```typescript
 {
  name: 'Global port range forwarding',
  match: {
    ports: [{ from: 8000, to: 9000 }]
  },
  action: {
    type: 'forward',
    target: {
      host: 'backend.example.com',
      port: 'preserve'
    }
  }
 }
 ```
 ### Domain-Specific Port Ranges
 Different port ranges for different domain groups:
 ```typescript
 [
  {
    name: 'API port range',
    match: {
      ports: [{ from: 8000, to: 8099 }]
    },
    action: {
      type: 'forward',
      target: {
        host: 'api.backend.example.com',
        port: 'preserve'
      }
    }
  },
  {
    name: 'Admin port range',
    match: {
      ports: [{ from: 9000, to: 9099 }]
    },
    action: {
      type: 'forward',
      target: {
        host: 'admin.backend.example.com',
        port: 'preserve'
      }
    }
  }
 ]
 ```
 ### Mixed Internal/External Port Forwarding
 Forward specific high-numbered ports to standard ports on internal servers:
 ```typescript
 [
  {
    name: 'Web server forwarding',
    match: {
      ports: [8080, 8443]
    },
    action: {
      type: 'forward',
      target: {
        host: 'web.internal',
        port: (context) => context.port === 8080 ? 80 : 443
      }
    }
  },
  {
    name: 'Database forwarding',
    match: {
      ports: [15432]
    },
    action: {
      type: 'forward',
      target: {
        host: 'db.internal',
        port: 5432
      }
    }
  }
 ]
 ```
 ## Debugging Port Configurations
 When troubleshooting port forwarding issues, enable detailed logging:
 ```typescript
 const proxy = new SmartProxy({
  routes: [ /* your routes */ ],
  enableDetailedLogging: true
 });
 ```
 This will log:
 - Port configuration during startup
 - Port matching decisions during routing
 - Dynamic port function results
 - Connection details including source and target ports
 ## Port Security Considerations
 ### Restricting Ports
 For security, you may want to restrict which ports can be accessed by specific clients:
 ```typescript
 {
  name: 'Restricted port range',
  match: {
    ports: [{ from: 8000, to: 9000 }],
    clientIp: ['10.0.0.0/8'] // Only internal network can access these ports
  },
  action: {
    type: 'forward',
    target: {
      host: 'internal.example.com',
      port: 'preserve'
    }
  }
 }
 ```
 ### Rate Limiting by Port
 Apply different rate limits for different port ranges:
 ```typescript
 {
  name: 'API ports with rate limiting',
  match: {
    ports: [{ from: 8000, to: 8100 }]
  },
  action: {
    type: 'forward',
    target: {
      host: 'api.example.com',
      port: 'preserve'
    },
    security: {
      rateLimit: {
        enabled: true,
        maxRequests: 100,
        window: 60 // 60 seconds
      }
    }
  }
 }
 ```
 ## Best Practices
 1. **Use Specific Port Ranges**: Instead of large ranges (e.g., 1-65535), use specific ranges for specific purposes
 2. **Prioritize Routes**: When multiple routes could match, use the `priority` field to ensure the most specific route is matched first
 3. **Name Your Routes**: Use descriptive names to make debugging easier, especially when using port ranges
 4. **Use Preserve Port Where Possible**: Using `port: 'preserve'` is more efficient and easier to maintain than creating multiple specific mappings
 5. **Limit Dynamic Port Functions**: While powerful, complex port functions can be harder to debug; prefer simple map or math-based functions
 6. **Use Port Variables**: For complex setups, define your port ranges as variables for easier maintenance:
 ```typescript
 const API_PORTS = [{ from: 8000, to: 8099 }];
 const ADMIN_PORTS = [{ from: 9000, to: 9099 }];
 const routes = [
  {
    name: 'API Routes',
    match: { ports: API_PORTS, /* ... */ },
    // ...
  },
  {
    name: 'Admin Routes',
    match: { ports: ADMIN_PORTS, /* ... */ },
    // ...
  }
 ];
 ```
--- a/examples/certificate-management-v19.ts
+++ b/examples/certificate-management-v19.ts
@ -1,119 +0,0 @@
 /**
 * Certificate Management Example (v19+)
 * 
 * This example demonstrates the new global ACME configuration introduced in v19+
 * along with route-level overrides for specific domains.
 */
 import { 
  SmartProxy, 
  createHttpRoute, 
  createHttpsTerminateRoute,
  createCompleteHttpsServer
 } from '../dist_ts/index.js';
 async function main() {
  // Create a SmartProxy instance with global ACME configuration
  const proxy = new SmartProxy({
    // Global ACME configuration (v19+)
    // These settings apply to all routes with certificate: 'auto'
    acme: {
      email: 'ssl@bleu.de',           // Global contact email
      useProduction: false,           // Use staging by default
      port: 8080,                     // Use non-privileged port
      renewThresholdDays: 30,         // Renew 30 days before expiry
      autoRenew: true,               // Enable automatic renewal
      renewCheckIntervalHours: 12     // Check twice daily
    },
    routes: [
      // Route that uses global ACME settings
      createHttpsTerminateRoute('app.example.com', 
        { host: 'localhost', port: 3000 }, 
        { certificate: 'auto' }  // Uses global ACME configuration
      ),
      // Route with route-level ACME override
      {
        name: 'production-api',
        match: { ports: 443, domains: 'api.example.com' },
        action: {
          type: 'forward',
          target: { host: 'localhost', port: 3001 },
          tls: {
            mode: 'terminate',
            certificate: 'auto',
            acme: {
              email: 'api-certs@example.com',  // Override email
              useProduction: true,             // Use production for API
              renewThresholdDays: 60          // Earlier renewal for critical API
            }
          }
        }
      },
      // Complete HTTPS server with automatic redirects
      ...createCompleteHttpsServer('website.example.com', 
        { host: 'localhost', port: 8080 }, 
        { certificate: 'auto' }
      ),
      // Static certificate (not using ACME)
      {
        name: 'internal-service',
        match: { ports: 8443, domains: 'internal.local' },
        action: {
          type: 'forward',
          target: { host: 'localhost', port: 3002 },
          tls: {
            mode: 'terminate',
            certificate: {
              cert: '-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----',
              key: '-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----'
            }
          }
        }
      }
    ]
  });
  // Monitor certificate events
  proxy.on('certificate:issued', (event) => {
    console.log(`Certificate issued for ${event.domain}`);
    console.log(`Expires: ${event.expiryDate}`);
  });
  proxy.on('certificate:renewed', (event) => {
    console.log(`Certificate renewed for ${event.domain}`);
  });
  proxy.on('certificate:error', (event) => {
    console.error(`Certificate error for ${event.domain}: ${event.error}`);
  });
  // Start the proxy
  await proxy.start();
  console.log('SmartProxy started with global ACME configuration');
  // Check certificate status programmatically
  setTimeout(async () => {
    // Get status for a specific route
    const status = proxy.getCertificateStatus('app-route');
    console.log('Certificate status:', status);
    // Manually trigger renewal if needed
    if (status && status.status === 'expiring') {
      await proxy.renewCertificate('app-route');
    }
  }, 10000);
  // Handle shutdown gracefully
  process.on('SIGINT', async () => {
    console.log('Shutting down proxy...');
    await proxy.stop();
    process.exit(0);
  });
 }
 // Run the example
 main().catch(console.error);
--- a/examples/complete-example-v19.ts
+++ b/examples/complete-example-v19.ts
@ -1,188 +0,0 @@
 /**
 * Complete SmartProxy Example (v19+)
 * 
 * This comprehensive example demonstrates all major features of SmartProxy v19+:
 * - Global ACME configuration
 * - Route-based configuration
 * - Helper functions for common patterns
 * - Dynamic route management
 * - Certificate status monitoring
 * - Error handling and recovery
 */
 import { 
  SmartProxy,
  createHttpRoute,
  createHttpsTerminateRoute,
  createHttpsPassthroughRoute,
  createHttpToHttpsRedirect,
  createCompleteHttpsServer,
  createLoadBalancerRoute,
  createApiRoute,
  createWebSocketRoute,
  createStaticFileRoute,
  createNfTablesRoute
 } from '../dist_ts/index.js';
 async function main() {
  // Create SmartProxy with comprehensive configuration
  const proxy = new SmartProxy({
    // Global ACME configuration (v19+)
    acme: {
      email: 'ssl@bleu.de',
      useProduction: false,  // Use staging for this example
      port: 8080,           // Non-privileged port for development
      autoRenew: true,
      renewCheckIntervalHours: 12
    },
    // Initial routes
    routes: [
      // Basic HTTP service
      createHttpRoute('api.example.com', { host: 'localhost', port: 3000 }),
      // HTTPS with automatic certificates
      createHttpsTerminateRoute('secure.example.com', 
        { host: 'localhost', port: 3001 }, 
        { certificate: 'auto' }
      ),
      // Complete HTTPS server with HTTP->HTTPS redirect
      ...createCompleteHttpsServer('www.example.com', 
        { host: 'localhost', port: 8080 }, 
        { certificate: 'auto' }
      ),
      // Load balancer with multiple backends
      createLoadBalancerRoute(
        'app.example.com',
        ['10.0.0.1', '10.0.0.2', '10.0.0.3'],
        8080,
        {
          tls: {
            mode: 'terminate',
            certificate: 'auto'
          }
        }
      ),
      // API route with CORS
      createApiRoute('api.example.com', '/v1', 
        { host: 'api-backend', port: 8081 }, 
        {
          useTls: true,
          certificate: 'auto',
          addCorsHeaders: true
        }
      ),
      // WebSocket support
      createWebSocketRoute('ws.example.com', '/socket', 
        { host: 'websocket-server', port: 8082 }, 
        {
          useTls: true,
          certificate: 'auto'
        }
      ),
      // Static file server
      createStaticFileRoute(['cdn.example.com', 'static.example.com'], 
        '/var/www/static', 
        {
          serveOnHttps: true,
          certificate: 'auto'
        }
      ),
      // HTTPS passthrough for services that handle their own TLS
      createHttpsPassthroughRoute('legacy.example.com', 
        { host: '192.168.1.100', port: 443 }
      ),
      // HTTP to HTTPS redirects
      createHttpToHttpsRedirect(['*.example.com', 'example.com'])
    ],
    // Enable detailed logging for debugging
    enableDetailedLogging: true
  });
  // Event handlers
  proxy.on('connection', (event) => {
    console.log(`New connection: ${event.source} -> ${event.destination}`);
  });
  proxy.on('certificate:issued', (event) => {
    console.log(`Certificate issued for ${event.domain}`);
  });
  proxy.on('certificate:renewed', (event) => {
    console.log(`Certificate renewed for ${event.domain}`);
  });
  proxy.on('error', (error) => {
    console.error('Proxy error:', error);
  });
  // Start the proxy
  await proxy.start();
  console.log('SmartProxy started successfully');
  console.log('Listening on ports:', proxy.getListeningPorts());
  // Demonstrate dynamic route management
  setTimeout(async () => {
    console.log('Adding new route dynamically...');
    // Get current routes and add a new one
    const currentRoutes = proxy.settings.routes;
    const newRoutes = [
      ...currentRoutes,
      createHttpsTerminateRoute('new-service.example.com', 
        { host: 'localhost', port: 3003 }, 
        { certificate: 'auto' }
      )
    ];
    // Update routes
    await proxy.updateRoutes(newRoutes);
    console.log('New route added successfully');
  }, 5000);
  // Check certificate status periodically
  setInterval(async () => {
    const routes = proxy.settings.routes;
    for (const route of routes) {
      if (route.action.tls?.certificate === 'auto') {
        const status = proxy.getCertificateStatus(route.name);
        if (status) {
          console.log(`Certificate status for ${route.name}:`, status);
          // Renew if expiring soon
          if (status.status === 'expiring') {
            console.log(`Renewing certificate for ${route.name}...`);
            await proxy.renewCertificate(route.name);
          }
        }
      }
    }
  }, 3600000); // Check every hour
  // Graceful shutdown
  process.on('SIGINT', async () => {
    console.log('Shutting down gracefully...');
    await proxy.stop();
    process.exit(0);
  });
  process.on('SIGTERM', async () => {
    console.log('Received SIGTERM, shutting down...');
    await proxy.stop();
    process.exit(0);
  });
 }
 // Run the example
 main().catch((error) => {
  console.error('Failed to start proxy:', error);
  process.exit(1);
 });
--- a/examples/dynamic-port-management.ts
+++ b/examples/dynamic-port-management.ts
@ -1,129 +0,0 @@
 /**
 * Dynamic Port Management Example
 * 
 * This example demonstrates how to dynamically add and remove ports
 * while SmartProxy is running, without requiring a restart.
 * Also shows the new v19+ global ACME configuration.
 */
 import { SmartProxy, createHttpRoute, createHttpsTerminateRoute } from '../dist_ts/index.js';
 import type { IRouteConfig } from '../dist_ts/index.js';
 async function main() {
  // Create a SmartProxy instance with initial routes and global ACME config
  const proxy = new SmartProxy({
    // Global ACME configuration (v19+)
    acme: {
      email: 'ssl@bleu.de',
      useProduction: false,
      port: 8080  // Using non-privileged port for ACME challenges
    },
    routes: [
      // Initial route on port 8080
      createHttpRoute(['example.com', '*.example.com'], { host: 'localhost', port: 3000 })
    ]
  });
  // Start the proxy
  await proxy.start();
  console.log('SmartProxy started with initial configuration');
  console.log('Listening on ports:', proxy.getListeningPorts());
  // Wait 3 seconds
  console.log('Waiting 3 seconds before adding a new port...');
  await new Promise(resolve => setTimeout(resolve, 3000));
  // Add a new port listener without changing routes yet
  await proxy.addListeningPort(8081);
  console.log('Added port 8081 without any routes yet');
  console.log('Now listening on ports:', proxy.getListeningPorts());
  // Wait 3 more seconds
  console.log('Waiting 3 seconds before adding a route for the new port...');
  await new Promise(resolve => setTimeout(resolve, 3000));
  // Get current routes and add a new one for port 8081
  const currentRoutes = proxy.settings.routes;
  // Create a new route for port 8081
  const newRoute: IRouteConfig = {
    match: { 
      ports: 8081,
      domains: ['api.example.com']
    },
    action: {
      type: 'forward' as const,
      target: { host: 'localhost', port: 4000 }
    },
    name: 'API Route'
  };
  // Update routes to include the new one
  await proxy.updateRoutes([...currentRoutes, newRoute]);
  console.log('Added new route for port 8081');
  // Wait 3 more seconds
  console.log('Waiting 3 seconds before adding another port through updateRoutes...');
  await new Promise(resolve => setTimeout(resolve, 3000));
  // Add a completely new port via updateRoutes, which will automatically start listening
  const thirdRoute: IRouteConfig = {
    match: { 
      ports: 8082,
      domains: ['admin.example.com']
    },
    action: {
      type: 'forward' as const,
      target: { host: 'localhost', port: 5000 }
    },
    name: 'Admin Route'
  };
  // Update routes again to include the third route
  await proxy.updateRoutes([...currentRoutes, newRoute, thirdRoute]);
  console.log('Added new route for port 8082 through updateRoutes');
  console.log('Now listening on ports:', proxy.getListeningPorts());
  // Wait 3 more seconds
  console.log('Waiting 3 seconds before removing port 8081...');
  await new Promise(resolve => setTimeout(resolve, 3000));
  // Remove a port without changing routes
  await proxy.removeListeningPort(8081);
  console.log('Removed port 8081 (but route still exists)');
  console.log('Now listening on ports:', proxy.getListeningPorts());
  // Wait 3 more seconds
  console.log('Waiting 3 seconds before stopping all routes on port 8082...');
  await new Promise(resolve => setTimeout(resolve, 3000));
  // Remove all routes for port 8082
  const routesWithout8082 = currentRoutes.filter(route => {
    // Check if this route includes port 8082
    const ports = proxy.routeManager.expandPortRange(route.match.ports);
    return !ports.includes(8082);
  });
  // Update routes without any for port 8082
  await proxy.updateRoutes([...routesWithout8082, newRoute]);
  console.log('Removed routes for port 8082 through updateRoutes');
  console.log('Now listening on ports:', proxy.getListeningPorts());
  // Show statistics
  console.log('Statistics:', proxy.getStatistics());
  // Wait 3 more seconds, then shut down
  console.log('Waiting 3 seconds before shutdown...');
  await new Promise(resolve => setTimeout(resolve, 3000));
  // Stop the proxy
  await proxy.stop();
  console.log('SmartProxy stopped');
 }
 // Run the example
 main().catch(err => {
  console.error('Error in example:', err);
  process.exit(1);
 });
--- a/examples/nftables-integration.ts
+++ b/examples/nftables-integration.ts
@ -1,222 +0,0 @@
 /**
 * NFTables Integration Example
 * 
 * This example demonstrates how to use the NFTables forwarding engine with SmartProxy
 * for high-performance network routing that operates at the kernel level.
 * 
 * NOTE: This requires elevated privileges to run (sudo) as it interacts with nftables.
 * Also shows the new v19+ global ACME configuration.
 */
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
 import { 
  createNfTablesRoute,
  createNfTablesTerminateRoute,
  createCompleteNfTablesHttpsServer
 } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
 // Simple NFTables-based HTTP forwarding example
 async function simpleForwardingExample() {
  console.log('Starting simple NFTables forwarding example...');
  // Create a SmartProxy instance with a simple NFTables route
  const proxy = new SmartProxy({
    routes: [
      createNfTablesRoute('example.com', {
        host: 'localhost',
        port: 8080
      }, {
        ports: 80,
        protocol: 'tcp',
        preserveSourceIP: true,
        tableName: 'smartproxy_example'
      })
    ],
    enableDetailedLogging: true
  });
  // Start the proxy
  await proxy.start();
  console.log('NFTables proxy started. Press Ctrl+C to stop.');
  // Handle shutdown
  process.on('SIGINT', async () => {
    console.log('Stopping proxy...');
    await proxy.stop();
    process.exit(0);
  });
 }
 // HTTPS termination example with NFTables
 async function httpsTerminationExample() {
  console.log('Starting HTTPS termination with NFTables example...');
  // Create a SmartProxy instance with global ACME and NFTables HTTPS termination
  const proxy = new SmartProxy({
    // Global ACME configuration (v19+)
    acme: {
      email: 'ssl@bleu.de',
      useProduction: false,
      port: 80  // NFTables needs root, so we can use port 80
    },
    routes: [
      createNfTablesTerminateRoute('secure.example.com', {
        host: 'localhost',
        port: 8443
      }, {
        ports: 443,
        certificate: 'auto', // Uses global ACME configuration
        tableName: 'smartproxy_https'
      })
    ],
    enableDetailedLogging: true
  });
  // Start the proxy
  await proxy.start();
  console.log('HTTPS termination proxy started. Press Ctrl+C to stop.');
  // Handle shutdown
  process.on('SIGINT', async () => {
    console.log('Stopping proxy...');
    await proxy.stop();
    process.exit(0);
  });
 }
 // Complete HTTPS server with HTTP redirects using NFTables
 async function completeHttpsServerExample() {
  console.log('Starting complete HTTPS server with NFTables example...');
  // Create a SmartProxy instance with a complete HTTPS server
  const proxy = new SmartProxy({
    routes: createCompleteNfTablesHttpsServer('complete.example.com', {
      host: 'localhost',
      port: 8443
    }, {
      certificate: 'auto',
      tableName: 'smartproxy_complete'
    }),
    enableDetailedLogging: true
  });
  // Start the proxy
  await proxy.start();
  console.log('Complete HTTPS server started. Press Ctrl+C to stop.');
  // Handle shutdown
  process.on('SIGINT', async () => {
    console.log('Stopping proxy...');
    await proxy.stop();
    process.exit(0);
  });
 }
 // Load balancing example with NFTables
 async function loadBalancingExample() {
  console.log('Starting load balancing with NFTables example...');
  // Create a SmartProxy instance with a load balancing configuration
  const proxy = new SmartProxy({
    routes: [
      createNfTablesRoute('lb.example.com', {
        // NFTables will automatically distribute connections to these hosts
        host: 'backend1.example.com',
        port: 8080
      }, {
        ports: 80,
        tableName: 'smartproxy_lb'
      })
    ],
    enableDetailedLogging: true
  });
  // Start the proxy
  await proxy.start();
  console.log('Load balancing proxy started. Press Ctrl+C to stop.');
  // Handle shutdown
  process.on('SIGINT', async () => {
    console.log('Stopping proxy...');
    await proxy.stop();
    process.exit(0);
  });
 }
 // Advanced example with QoS and security settings
 async function advancedExample() {
  console.log('Starting advanced NFTables example with QoS and security...');
  // Create a SmartProxy instance with advanced settings
  const proxy = new SmartProxy({
    routes: [
      createNfTablesRoute('advanced.example.com', {
        host: 'localhost',
        port: 8080
      }, {
        ports: 80,
        protocol: 'tcp',
        preserveSourceIP: true,
        maxRate: '10mbps', // QoS rate limiting
        priority: 2, // QoS priority (1-10, lower is higher priority)
        ipAllowList: ['192.168.1.0/24'], // Only allow this subnet
        ipBlockList: ['192.168.1.100'], // Block this specific IP
        useIPSets: true, // Use IP sets for more efficient rule processing
        useAdvancedNAT: true, // Use connection tracking for stateful NAT
        tableName: 'smartproxy_advanced'
      })
    ],
    enableDetailedLogging: true
  });
  // Start the proxy
  await proxy.start();
  console.log('Advanced NFTables proxy started. Press Ctrl+C to stop.');
  // Handle shutdown
  process.on('SIGINT', async () => {
    console.log('Stopping proxy...');
    await proxy.stop();
    process.exit(0);
  });
 }
 // Run one of the examples based on the command line argument
 async function main() {
  const example = process.argv[2] || 'simple';
  switch (example) {
    case 'simple':
      await simpleForwardingExample();
      break;
    case 'https':
      await httpsTerminationExample();
      break;
    case 'complete':
      await completeHttpsServerExample();
      break;
    case 'lb':
      await loadBalancingExample();
      break;
    case 'advanced':
      await advancedExample();
      break;
    default:
      console.error('Unknown example:', example);
      console.log('Available examples: simple, https, complete, lb, advanced');
      process.exit(1);
  }
 }
 // Check if running as root/sudo
 if (process.getuid && process.getuid() !== 0) {
  console.error('This example requires root privileges to modify nftables rules.');
  console.log('Please run with sudo: sudo tsx examples/nftables-integration.ts');
  process.exit(1);
 }
 main().catch(err => {
  console.error('Error running example:', err);
  process.exit(1);
 });
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "19.3.7",
+  "version": "19.3.13",
  "private": false,
  "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
  "main": "dist_ts/index.js",
@ -27,6 +27,7 @@
    "@push.rocks/smartcrypto": "^2.0.4",
    "@push.rocks/smartdelay": "^3.0.5",
    "@push.rocks/smartfile": "^11.2.0",
    "@push.rocks/smartlog": "^3.1.2",
    "@push.rocks/smartnetwork": "^4.0.2",
    "@push.rocks/smartpromise": "^4.2.3",
    "@push.rocks/smartrequest": "^2.1.0",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -23,6 +23,9 @@ importers:
      '@push.rocks/smartfile':
        specifier: ^11.2.0
        version: 11.2.0
      '@push.rocks/smartlog':
        specifier: ^3.1.2
        version: 3.1.2
      '@push.rocks/smartnetwork':
        specifier: ^4.0.2
        version: 4.0.2
@ -902,12 +905,6 @@ packages:
  '@push.rocks/smartlog-interfaces@3.0.2':
    resolution: {integrity: sha512-8hGRTJehbsFSJxLhCQkA018mZtXVPxPTblbg9VaE/EqISRzUw+eosJ2EJV7M4Qu0eiTJZjnWnNLn8CkD77ziWw==}
  '@push.rocks/smartlog@3.0.7':
    resolution: {integrity: sha512-WHOw0iHHjCEbYY4KGX40iFtLI11QJvvWIbC9yFn3Mt+nrdupMnry7Ztc5v/PqO8lu33Q6xDBMXiNQ9yNY0HVGw==}
  '@push.rocks/smartlog@3.0.9':
    resolution: {integrity: sha512-B/YIJrwXsbxPkAJly8+55yx3Eqm5bIaCZ/xD2oe6fD8Zp58VLF2P8hpoQZJOiSO+KI7wXVlTEFHsmt8fpRZIVA==}
  '@push.rocks/smartlog@3.1.2':
    resolution: {integrity: sha512-krjWramvM8R+dY69KoBBsUtsMHKtw7eCdvcg/uYsU6e8gzOfGiQOuWeat39d6doPHbzGuxh6lSOWGUpUTTu6aw==}
@ -1931,10 +1928,6 @@ packages:
    resolution: {integrity: sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==}
    engines: {node: '>=4'}
  chalk@5.4.1:
    resolution: {integrity: sha512-zgVZuo2WcZgfUEmsn6eO3kINexW8RAE4maiQ8QNs8CtpPCSyMiYsULR3HQYkm3w8FIA3SberyMJMSldGsW+U3w==}
    engines: {node: ^12.17.0 || ^14.13 || >=16.0.0}
  character-entities-html4@2.1.0:
    resolution: {integrity: sha512-1v7fgQRj6hnSwFpq1Eu0ynr/CDEw0rXo2B61qXrLNdHZmPKgb7fqS1a2JwF0rISo9q77jDI8VMEHoApn8qDoZA==}
@ -1965,14 +1958,6 @@ packages:
    resolution: {integrity: sha512-LYv6XPxoyODi36Dp976riBtSY27VmFo+MKqEU9QCCWyTrdEPDog+RWA7xQWHi6Vbp61j5c4cdzzX1NidnwtUWg==}
    engines: {node: '>=12'}
  cli-cursor@5.0.0:
    resolution: {integrity: sha512-aCj4O5wKyszjMmDT4tZj93kxyydN/K5zPWSCe6/0AV/AA1pqe5ZBIw0a2ZfPQV7lL5/yb5HsUreJ6UFAF1tEQw==}
    engines: {node: '>=18'}
  cli-spinners@2.9.2:
    resolution: {integrity: sha512-ywqV+5MmyL4E7ybXgKys4DugZbX0FC6LnwrhjuykIjnK9k8OQacQ7axGKnjDXWNhns0xot3bZI5h55H8yo9cJg==}
    engines: {node: '>=6'}
  cliui@8.0.1:
    resolution: {integrity: sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==}
    engines: {node: '>=12'}
@ -2231,9 +2216,6 @@ packages:
  elliptic@6.6.1:
    resolution: {integrity: sha512-RaddvvMatK2LJHqFJ+YA4WysVN5Ita9E35botqIYspQ4TkRAlCicdzKOjlyv/1Za5RyTNn7di//eEV0uTAfe3g==}
  emoji-regex@10.4.0:
    resolution: {integrity: sha512-EC+0oUMY1Rqm4O6LLrgjtYDvcVYTy7chDnM4Q7030tP4Kwj3u/pR6gP9ygnp2CJMK5Gq+9Q2oqmrFJAz01DXjw==}
  emoji-regex@8.0.0:
    resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==}
@ -2520,10 +2502,6 @@ packages:
    resolution: {integrity: sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==}
    engines: {node: 6.* || 8.* || >= 10.*}
  get-east-asian-width@1.3.0:
    resolution: {integrity: sha512-vpeMIQKxczTD/0s2CdEWHcb0eeJe6TFjxb+J5xgX7hScxqrGuyjmv4c1D4A/gelKfyox0gJJwIHF+fLjeaM8kQ==}
    engines: {node: '>=18'}
  get-intrinsic@1.3.0:
    resolution: {integrity: sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==}
    engines: {node: '>= 0.4'}
@ -2730,10 +2708,6 @@ packages:
    resolution: {integrity: sha1-bKiwe5nHeZgCWQDlVc7Y7YCHmoM=}
    engines: {node: '>=0.10.0'}
  is-interactive@2.0.0:
    resolution: {integrity: sha512-qP1vozQRI+BMOPcjFzrjXuQvdak2pHNUMZoeG2eRbiSqyvbEf/wQtEOTOX1guk6E3t36RkaqiSt8A/6YElNxLQ==}
    engines: {node: '>=12'}
  is-ip@4.0.0:
    resolution: {integrity: sha512-4B4XA2HEIm/PY+OSpeMBXr8pGWBYbXuHgjMAqrwbLO3CPTCAd9ArEJzBUKGZtk9viY6+aSfadGnWyjY3ydYZkw==}
    engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
@ -2774,10 +2748,6 @@ packages:
    resolution: {integrity: sha512-Dnz92NInDqYckGEUJv689RbRiTSEHCQ7wOVeALbkOz999YpqT46yMRIGtSNl2iCL1waAZSx40+h59NV/EwzV/A==}
    engines: {node: '>=18'}
  is-unicode-supported@1.3.0:
    resolution: {integrity: sha512-43r2mRvz+8JRIKnWJ+3j8JtjRKZ6GmjzfaE/qiBJnikNnYv/6bagRJ1kUhNk8R5EX/GkobD+r+sfxCPJsiKBLQ==}
    engines: {node: '>=12'}
  is-unicode-supported@2.1.0:
    resolution: {integrity: sha512-mE00Gnza5EEB3Ds0HfMyllZzbBrmLOX3vfWoj9A9PEnTfratQ/BcaJOuMhnkhjXvb2+FkY3VuHqtAGpTPmglFQ==}
    engines: {node: '>=18'}
@ -2937,10 +2907,6 @@ packages:
  lodash@4.17.21:
    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}
  log-symbols@6.0.0:
    resolution: {integrity: sha512-i24m8rpwhmPIS4zscNzK6MSEhk0DUWa/8iYQWxhffV8jkI4Phvs3F+quL5xvS0gdQR0FyTCMMH33Y78dDTzzIw==}
    engines: {node: '>=18'}
  logform@2.7.0:
    resolution: {integrity: sha512-TFYA4jnP7PVbmlBIfhlSe+WKxs9dklXMTEGcBCIvLhE/Tn3H6Gk1norupVW7m5Cnd4bLcr08AytbyV/xj7f/kQ==}
    engines: {node: '>= 12.0.0'}
@ -3152,10 +3118,6 @@ packages:
    engines: {node: '>=16'}
    hasBin: true
  mimic-function@5.0.1:
    resolution: {integrity: sha512-VP79XUPxV2CigYP3jWwAUFSku2aKqBH7uTAapFWCBqutsbmDo96KY5o8uh6U+/YSIn5OxJnXp73beVkpqMIGhA==}
    engines: {node: '>=18'}
  mimic-response@3.1.0:
    resolution: {integrity: sha512-z0yWI+4FDrrweS8Zmt4Ej5HdJmky15+L2e6Wgn3+iK5fWzb6T3fhNFq2+MeTRb064c6Wr4N/wv0DzQTjNzHNGQ==}
    engines: {node: '>=10'}
@ -3337,10 +3299,6 @@ packages:
  one-time@1.0.0:
    resolution: {integrity: sha512-5DXOiRKwuSEcQ/l0kGCF6Q3jcADFv5tSmRaJck/OqkVFcOzutB134KRSfF0xDrL39MNnqxbHBbUUcjZIhTgb2g==}
  onetime@7.0.0:
    resolution: {integrity: sha512-VXJjc87FScF88uafS3JllDgvAm+c/Slfz06lorj2uAY34rlUu0Nt+v8wreiImcrgAjjIHp1rXpTDlLOGw29WwQ==}
    engines: {node: '>=18'}
  only@0.0.2:
    resolution: {integrity: sha1-Kv3oTQPlC5qO3EROMGEKcCle37Q=}
@ -3348,10 +3306,6 @@ packages:
    resolution: {integrity: sha512-7x81NCL719oNbsq/3mh+hVrAWmFuEYUqrq/Iw3kUzH8ReypT9QQ0BLoJS7/G9k6N81XjW4qHWtjWwe/9eLy1EQ==}
    engines: {node: '>=12'}
  ora@8.2.0:
    resolution: {integrity: sha512-weP+BZ8MVNnlCm8c0Qdc1WSWq4Qn7I+9CJGm7Qali6g44e/PUzbjNqJX5NJ9ljlNMosfJvg1fKEGILklK9cwnw==}
    engines: {node: '>=18'}
  p-cancelable@3.0.0:
    resolution: {integrity: sha512-mlVgR3PGuzlo0MmTdk4cXqXWlwQDLnONTAg6sm62XkMJEiRxN3GL3SffkYvqwonbkJBcrI7Uvv5Zh9yjvn2iUw==}
    engines: {node: '>=12.20'}
@ -3658,10 +3612,6 @@ packages:
    resolution: {integrity: sha512-40yHxbNcl2+rzXvZuVkrYohathsSJlMTXKryG5y8uciHv1+xDLHQpgjG64JUO9nrEq2jGLH6IZ8BcZyw3wrweg==}
    engines: {node: '>=14.16'}
  restore-cursor@5.1.0:
    resolution: {integrity: sha512-oMA2dcrw6u0YfxJQXm342bFKX/E4sG9rbTzO9ptUcR/e8A33cHuvStiYOwH7fszkZlZ1z/ta9AAoPk2F4qIOHA==}
    engines: {node: '>=18'}
  rimraf@3.0.2:
    resolution: {integrity: sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==}
    hasBin: true
@ -3818,10 +3768,6 @@ packages:
    resolution: {integrity: sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==}
    engines: {node: '>= 0.8'}
  stdin-discarder@0.2.2:
    resolution: {integrity: sha512-UhDfHmA92YAlNnCfhmq0VeNL5bDbiZGg7sZ2IvPsXubGkiNa9EC+tUTsjBRsYUAz87btI6/1wf4XoVvQ3uRnmQ==}
    engines: {node: '>=18'}
  stream-shift@1.0.3:
    resolution: {integrity: sha512-76ORR0DO1o1hlKwTbi/DM3EXWGf3ZJYO8cXX5RJwnul2DEg2oyoZyjLNoQM8WsvZiFKCRfC1O0J7iCvie3RZmQ==}
@ -3840,10 +3786,6 @@ packages:
    resolution: {integrity: sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==}
    engines: {node: '>=12'}
  string-width@7.2.0:
    resolution: {integrity: sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==}
    engines: {node: '>=18'}
  string_decoder@1.1.1:
    resolution: {integrity: sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==}
@ -5381,7 +5323,7 @@ snapshots:
      '@push.rocks/smartcli': 4.0.11
      '@push.rocks/smartdelay': 3.0.5
      '@push.rocks/smartfile': 11.2.0
-      '@push.rocks/smartlog': 3.0.9
+      '@push.rocks/smartlog': 3.1.2
      '@push.rocks/smartpath': 5.0.18
      '@push.rocks/smartpromise': 4.2.3
      typescript: 5.7.3
@ -5411,7 +5353,7 @@ snapshots:
      '@push.rocks/smartcli': 4.0.11
      '@push.rocks/smartdelay': 3.0.5
      '@push.rocks/smartfile': 11.2.0
-      '@push.rocks/smartlog': 3.0.9
+      '@push.rocks/smartlog': 3.1.2
      '@push.rocks/smartnpm': 2.0.4
      '@push.rocks/smartpath': 5.0.18
      '@push.rocks/smartrequest': 2.1.0
@ -5710,7 +5652,7 @@ snapshots:
      '@api.global/typedrequest': 3.1.10
      '@configvault.io/interfaces': 1.0.17
      '@push.rocks/smartfile': 11.2.0
-      '@push.rocks/smartlog': 3.0.7
+      '@push.rocks/smartlog': 3.1.2
      '@push.rocks/smartpath': 5.0.18
  '@push.rocks/smartacme@8.0.0(@aws-sdk/credential-providers@3.798.0)(socks@2.8.4)':
@ -5736,7 +5678,6 @@ snapshots:
      - '@mongodb-js/zstd'
      - '@nuxt/kit'
      - aws-crt
      - bufferutil
      - encoding
      - gcp-metadata
      - kerberos
@ -5745,7 +5686,6 @@ snapshots:
      - snappy
      - socks
      - supports-color
      - utf-8-validate
      - vue
  '@push.rocks/smartarchive@3.0.8':
@ -5816,7 +5756,7 @@ snapshots:
  '@push.rocks/smartcli@4.0.11':
    dependencies:
      '@push.rocks/lik': 6.2.2
-      '@push.rocks/smartlog': 3.0.9
+      '@push.rocks/smartlog': 3.1.2
      '@push.rocks/smartobject': 1.0.12
      '@push.rocks/smartpromise': 4.2.3
      '@push.rocks/smartrx': 3.0.10
@ -5841,7 +5781,7 @@ snapshots:
    dependencies:
      '@push.rocks/lik': 6.2.2
      '@push.rocks/smartdelay': 3.0.5
-      '@push.rocks/smartlog': 3.0.7
+      '@push.rocks/smartlog': 3.1.2
      '@push.rocks/smartmongo': 2.0.12(@aws-sdk/credential-providers@3.798.0)(socks@2.8.4)
      '@push.rocks/smartpromise': 4.2.3
      '@push.rocks/smartrx': 3.0.10
@ -5979,25 +5919,6 @@ snapshots:
      '@api.global/typedrequest-interfaces': 2.0.2
      '@tsclass/tsclass': 4.4.4
  '@push.rocks/smartlog@3.0.7':
    dependencies:
      '@push.rocks/isounique': 1.0.5
      '@push.rocks/smartlog-interfaces': 3.0.2
  '@push.rocks/smartlog@3.0.9':
    dependencies:
      '@api.global/typedrequest-interfaces': 3.0.19
      '@push.rocks/consolecolor': 2.0.2
      '@push.rocks/isounique': 1.0.5
      '@push.rocks/smartclickhouse': 2.0.17
      '@push.rocks/smartfile': 11.2.0
      '@push.rocks/smarthash': 3.0.4
      '@push.rocks/smartpromise': 4.2.3
      '@push.rocks/smarttime': 4.1.1
      '@push.rocks/webrequest': 3.0.37
      '@tsclass/tsclass': 9.2.0
      ora: 8.2.0
  '@push.rocks/smartlog@3.1.2':
    dependencies:
      '@api.global/typedrequest-interfaces': 3.0.19
@ -6322,7 +6243,7 @@ snapshots:
    dependencies:
      '@push.rocks/lik': 6.2.2
      '@push.rocks/smartdelay': 3.0.5
-      '@push.rocks/smartlog': 3.0.7
+      '@push.rocks/smartlog': 3.1.2
      '@push.rocks/smartpromise': 4.2.3
      '@push.rocks/smartrx': 3.0.10
      '@push.rocks/smarttime': 4.1.1
@ -7590,8 +7511,6 @@ snapshots:
      escape-string-regexp: 1.0.5
      supports-color: 5.5.0
  chalk@5.4.1: {}
  character-entities-html4@2.1.0: {}
  character-entities-legacy@3.0.0: {}
@ -7616,12 +7535,6 @@ snapshots:
    dependencies:
      escape-string-regexp: 5.0.0
  cli-cursor@5.0.0:
    dependencies:
      restore-cursor: 5.1.0
  cli-spinners@2.9.2: {}
  cliui@8.0.1:
    dependencies:
      string-width: 4.2.3
@ -7856,8 +7769,6 @@ snapshots:
      minimalistic-assert: 1.0.1
      minimalistic-crypto-utils: 1.0.1
  emoji-regex@10.4.0: {}
  emoji-regex@8.0.0: {}
  emoji-regex@9.2.2: {}
@ -8217,8 +8128,6 @@ snapshots:
  get-caller-file@2.0.5: {}
  get-east-asian-width@1.3.0: {}
  get-intrinsic@1.3.0:
    dependencies:
      call-bind-apply-helpers: 1.0.2
@ -8499,8 +8408,6 @@ snapshots:
  is-gzip@1.0.0: {}
  is-interactive@2.0.0: {}
  is-ip@4.0.0:
    dependencies:
      ip-regex: 5.0.0
@ -8534,8 +8441,6 @@ snapshots:
  is-stream@4.0.1: {}
  is-unicode-supported@1.3.0: {}
  is-unicode-supported@2.1.0: {}
  is-windows@1.0.2: {}
@ -8710,11 +8615,6 @@ snapshots:
  lodash@4.17.21: {}
  log-symbols@6.0.0:
    dependencies:
      chalk: 5.4.1
      is-unicode-supported: 1.3.0
  logform@2.7.0:
    dependencies:
      '@colors/colors': 1.6.0
@ -9101,8 +9001,6 @@ snapshots:
  mime@4.0.6: {}
  mimic-function@5.0.1: {}
  mimic-response@3.1.0: {}
  mimic-response@4.0.0: {}
@ -9268,10 +9166,6 @@ snapshots:
    dependencies:
      fn.name: 1.1.0
  onetime@7.0.0:
    dependencies:
      mimic-function: 5.0.1
  only@0.0.2: {}
  open@8.4.2:
@ -9280,18 +9174,6 @@ snapshots:
      is-docker: 2.2.1
      is-wsl: 2.2.0
  ora@8.2.0:
    dependencies:
      chalk: 5.4.1
      cli-cursor: 5.0.0
      cli-spinners: 2.9.2
      is-interactive: 2.0.0
      is-unicode-supported: 2.1.0
      log-symbols: 6.0.0
      stdin-discarder: 0.2.2
      string-width: 7.2.0
      strip-ansi: 7.1.0
  p-cancelable@3.0.0: {}
  p-finally@1.0.0: {}
@ -9647,11 +9529,6 @@ snapshots:
    dependencies:
      lowercase-keys: 3.0.0
  restore-cursor@5.1.0:
    dependencies:
      onetime: 7.0.0
      signal-exit: 4.1.0
  rimraf@3.0.2:
    dependencies:
      glob: 7.2.3
@ -9866,8 +9743,6 @@ snapshots:
  statuses@2.0.1: {}
  stdin-discarder@0.2.2: {}
  stream-shift@1.0.3: {}
  streamsearch@0.1.2: {}
@ -9891,12 +9766,6 @@ snapshots:
      emoji-regex: 9.2.2
      strip-ansi: 7.1.0
  string-width@7.2.0:
    dependencies:
      emoji-regex: 10.4.0
      get-east-asian-width: 1.3.0
      strip-ansi: 7.1.0
  string_decoder@1.1.1:
    dependencies:
      safe-buffer: 5.1.2
--- a/readme.hints.md
+++ b/readme.hints.md
@ -91,4 +91,68 @@ const proxy = new SmartProxy({
 - Update `plugins.ts` when adding new dependencies.
 - Maintain test coverage for new routing or proxy features.
 - Keep `ts/` and `dist_ts/` in sync after refactors.
- Consider implementing top-level ACME config support for backward compatibility
+- Consider implementing top-level ACME config support for backward compatibility
 ## HTTP-01 ACME Challenge Fix (v19.3.8)
 ### Issue
 Non-TLS connections on ports configured in `useHttpProxy` were not being forwarded to HttpProxy. This caused ACME HTTP-01 challenges to fail when the ACME port (usually 80) was included in `useHttpProxy`.
 ### Root Cause
 In the `RouteConnectionHandler.handleForwardAction` method, only connections with TLS settings (mode: 'terminate' or 'terminate-and-reencrypt') were being forwarded to HttpProxy. Non-TLS connections were always handled as direct connections, even when the port was configured for HttpProxy.
 ### Solution
 Added a check for non-TLS connections on ports listed in `useHttpProxy`:
 ```typescript
 // No TLS settings - check if this port should use HttpProxy
 const isHttpProxyPort = this.settings.useHttpProxy?.includes(record.localPort);
 if (isHttpProxyPort && this.httpProxyBridge.getHttpProxy()) {
  // Forward non-TLS connections to HttpProxy if configured
  this.httpProxyBridge.forwardToHttpProxy(/*...*/);
  return;
 }
 ```
 ### Test Coverage
 - `test/test.http-fix-unit.ts` - Unit tests verifying the fix
 - Tests confirm that non-TLS connections on HttpProxy ports are properly forwarded
 - Tests verify that non-HttpProxy ports still use direct connections
 ### Configuration Example
 ```typescript
 const proxy = new SmartProxy({
  useHttpProxy: [80], // Enable HttpProxy for port 80
  httpProxyPort: 8443,
  acme: {
    email: 'ssl@example.com',
    port: 80
  },
  routes: [
    // Your routes here
  ]
 });
 ```
 ## ACME Certificate Provisioning Timing Fix (v19.3.9)
 ### Issue
 Certificate provisioning would start before ports were listening, causing ACME HTTP-01 challenges to fail with connection refused errors.
 ### Root Cause
 SmartProxy initialization sequence:
 1. Certificate manager initialized → immediately starts provisioning
 2. Ports start listening (too late for ACME challenges)
 ### Solution
 Deferred certificate provisioning until after ports are ready:
 ```typescript
 // SmartCertManager.initialize() now skips automatic provisioning
 // SmartProxy.start() calls provisionAllCertificates() directly after ports are listening
 ```
 ### Test Coverage
 - `test/test.acme-timing-simple.ts` - Verifies proper timing sequence
 ### Migration
 Update to v19.3.9+, no configuration changes needed.
--- a/readme.md
+++ b/readme.md
@ -1412,6 +1412,8 @@ createRedirectRoute({
 - `routes` (IRouteConfig[], required) - Array of route configurations
 - `defaults` (object) - Default settings for all routes
 - `acme` (IAcmeOptions) - ACME certificate options
 - `useHttpProxy` (number[], optional) - Array of ports to forward to HttpProxy (e.g. `[80, 443]`)
 - `httpProxyPort` (number, default 8443) - Port where HttpProxy listens for forwarded connections
 - Connection timeouts: `initialDataTimeout`, `socketTimeout`, `inactivityTimeout`, etc.
 - Socket opts: `noDelay`, `keepAlive`, `enableKeepAliveProbes`
 - `certProvisionFunction` (callback) - Custom certificate provisioning
@ -1478,6 +1480,28 @@ HttpProxy now supports full route-based configuration including:
 - Use higher priority for block routes to ensure they take precedence
 - Enable `enableDetailedLogging` or `enableTlsDebugLogging` for debugging
 ### ACME HTTP-01 Challenges
 - If ACME HTTP-01 challenges fail, ensure:
  1. Port 80 (or configured ACME port) is included in `useHttpProxy` 
  2. You're using SmartProxy v19.3.9+ for proper timing (ports must be listening before provisioning)
 - Since v19.3.8: Non-TLS connections on ports listed in `useHttpProxy` are properly forwarded to HttpProxy
 - Since v19.3.9: Certificate provisioning waits for ports to be ready before starting ACME challenges
 - Example configuration for ACME on port 80:
  ```typescript
  const proxy = new SmartProxy({
    useHttpProxy: [80], // Ensure port 80 is forwarded to HttpProxy
    httpProxyPort: 8443,
    acme: {
      email: 'ssl@example.com',
      port: 80
    },
    routes: [/* your routes */]
  });
  ```
 - Common issues:
  - "Connection refused" during challenges → Update to v19.3.9+ for timing fix
  - HTTP requests not parsed → Ensure port is in `useHttpProxy` array
 ### NFTables Integration
 - Ensure NFTables is installed: `apt install nftables` or `yum install nftables`
 - Verify root/sudo permissions for NFTables operations
--- a/readme.plan.md
+++ b/readme.plan.md
@ -1,179 +1,384 @@
-# SmartProxy v19.4.0 - Completed Refactoring
+# SmartProxy Development Plan
-## Overview
+## ACME Route Port Binding Intelligence Improvement
-SmartProxy has been successfully refactored with clearer separation of concerns between HTTP/HTTPS traffic handling and low-level connection routing. Version 19.4.0 introduces global ACME configuration and enhanced route management.
+### Problem Statement
 Currently, SmartProxy has an issue with port binding conflicts between regular routes and ACME challenge routes. While SmartProxy is designed to support multiple routes sharing the same port (differentiated by host, path, etc.), there's a specific conflict when adding ACME challenge routes to a port that is already in use by other routes.
-## Current Architecture (v19.4.0)
+This results in the error: `Port 80 is already in use for ACME challenges` when SmartProxy tries to bind the ACME challenge route to a port that it's already using.
-### HttpProxy (formerly NetworkProxy)
+### Root Cause Analysis
-**Purpose**: Handle all HTTP/HTTPS traffic with TLS termination
+1. **Double Binding Attempt**: SmartProxy tries to bind to port 80 twice - once for application routes and once for ACME challenge routes.
 2. **Overlapping Route Updates**: When adding a challenge route, it triggers a port binding operation without checking if the port is already bound.
 3. **Naive Error Handling**: The code detects EADDRINUSE but doesn't distinguish between external conflicts and internal conflicts.
 4. **Port Binding Semantics**: The port manager doesn't recognize that a port already bound by SmartProxy can be reused for additional routes.
-**Current Responsibilities**:
+### Solution Architecture
- TLS termination for HTTPS
+We need a more intelligent approach to port binding that understands when a port can be shared between routes vs. when a new binding is needed:
 - HTTP/1.1 and HTTP/2 protocol handling
 - HTTP request/response parsing
 - HTTP to HTTPS redirects
 - ACME challenge handling
 - Static route handlers
 - WebSocket protocol upgrades
 - Connection pooling for backend servers
 - Certificate management integration
-### SmartProxy
+1. **Port Binding Awareness**: Track what ports are already bound by SmartProxy itself.
-**Purpose**: Central API for all proxy needs with route-based configuration
+2. **Smart Route Updates**: Only attempt to bind to ports that aren't already bound by SmartProxy.
 3. **Route Merging Logic**: When adding ACME challenge routes, merge them with existing routes on the same ports.
 4. **Dynamic Port Management**: Release port bindings when no routes are using them and rebind when needed.
 5. **Improved Error Recovery**: Handle port conflicts gracefully, with distinct handling for internal vs. external conflicts.
-**Current Responsibilities**:
+### Implementation Plan
 - Port management (listen on multiple ports)
 - Route-based connection routing
 - TLS passthrough (SNI-based routing)
 - NFTables integration
 - Certificate management via SmartCertManager
 - Raw TCP proxying
 - Connection lifecycle management
 - Global ACME configuration (v19+)
-## Completed Implementation
+#### Phase 1: Improve Port Manager Intelligence
 - [ ] Enhance `PortManager` to distinguish between ports that need new bindings vs ports that can reuse existing bindings
 - [ ] Add an internal tracking mechanism to detect when a requested port is already bound internally
 - [ ] Modify port addition logic to skip binding operations for ports already bound by SmartProxy
 - [ ] Implement reference counting for port bindings to track how many routes use each port
 - [ ] Add logic to release port bindings when no routes are using them anymore
 - [ ] Update error handling to provide more context for port binding failures
-### Phase 1: Rename and Reorganize ✅
+#### Phase 2: Refine ACME Challenge Route Integration
- NetworkProxy renamed to HttpProxy
+- [ ] Modify `addChallengeRoute()` to check if the port is already in use by SmartProxy
- Directory structure reorganized
+- [ ] Ensure route updates don't trigger unnecessary port binding operations
- All imports and references updated
+- [ ] Implement a merging strategy for ACME routes with existing routes on the same port
 - [ ] Add diagnostic logging to track route and port binding relationships
-### Phase 2: Certificate Management ✅
+#### Phase 3: Enhance Proxy Route Management
- Unified certificate management in SmartCertManager
+- [ ] Restructure route update process to group routes by port
- Global ACME configuration support (v19+)
+- [ ] Implement a more efficient route update mechanism that minimizes port binding operations
- Route-level certificate overrides
+- [ ] Develop port lifecycle management to track usage across route changes
- Automatic renewal system
+- [ ] Add validation to detect potential binding conflicts before attempting operations
-   - Renamed `network-proxy.ts` to `http-proxy.ts`
+- [ ] Create a proper route dependency graph to understand the relationships between routes
-   - Updated `NetworkProxy` class to `HttpProxy` class
+- [ ] Implement efficient detection of "orphaned" ports that no longer have associated routes
   - Updated all type definitions and interfaces
-3. **Update exports**
+#### Phase 4: Improve Error Handling and Recovery
-   - Updated exports in `ts/index.ts`
+- [ ] Enhance error messages to be more specific about the nature of port conflicts
-   - Fixed imports across the codebase
+- [ ] Add recovery mechanisms for common port binding scenarios
 - [ ] Implement a fallback port selection strategy for ACME challenges
 - [ ] Create a more robust validation system to catch issues before they cause runtime errors
-### Phase 2: Extract HTTP Logic from SmartProxy ✅
+### Detailed Technical Tasks
-1. **Create HTTP handler modules in HttpProxy**
+#### Phase 1: Improve Port Manager Intelligence
-   - Created handlers directory with:
+1. Modify `/ts/proxies/smart-proxy/port-manager.ts`:
-     - `redirect-handler.ts` - HTTP redirect logic
+   - Add a new method `isPortBoundBySmartProxy(port: number): boolean`
-     - `static-handler.ts` - Static/ACME route handling
+   - Refactor `addPort()` to check if the port is already bound
-     - `index.ts` - Module exports
+   - Update `updatePorts()` to be more intelligent about which ports need binding
   - Add reference counting for port usage
-2. **Move HTTP parsing from RouteConnectionHandler**
+2. Implement Port Reference Counting:
   - Updated `handleRedirectAction` to delegate to `RedirectHandler`
   - Updated `handleStaticAction` to delegate to `StaticHandler`
   - Removed duplicated HTTP parsing logic
 3. **Clean up references and naming**
   - Updated all NetworkProxy references to HttpProxy
   - Renamed config properties: `useNetworkProxy` → `useHttpProxy`
   - Renamed config properties: `networkProxyPort` → `httpProxyPort`
   - Fixed HttpProxyBridge methods and references
 ### Phase 3: Simplify SmartProxy
 1. **Update RouteConnectionHandler**
   - Remove embedded HTTP parsing
   - Delegate HTTP routes to HttpProxy
   - Focus on connection routing only
 2. **Simplified route handling**
   ```typescript
-   // Simplified handleRedirectAction
+   // Add to PortManager class
-   private handleRedirectAction(socket, record, route) {
+   private portRefCounts: Map<number, number> = new Map();
-     // Delegate to HttpProxy
+   
-     this.httpProxy.handleRedirect(socket, route);
+   public incrementPortRefCount(port: number): void {
     const currentCount = this.portRefCounts.get(port) || 0;
     this.portRefCounts.set(port, currentCount + 1);
     logger.log('debug', `Port ${port} reference count increased to ${currentCount + 1}`, { port, refCount: currentCount + 1 });
   }
-   // Simplified handleStaticAction
+   public decrementPortRefCount(port: number): number {
-   private handleStaticAction(socket, record, route) {
+     const currentCount = this.portRefCounts.get(port) || 0;
-     // Delegate to HttpProxy
+     if (currentCount <= 0) {
-     this.httpProxy.handleStatic(socket, route);
+       logger.log('warn', `Attempted to decrement reference count for port ${port} below zero`, { port });
       return 0;
     }
     const newCount = currentCount - 1;
     this.portRefCounts.set(port, newCount);
     logger.log('debug', `Port ${port} reference count decreased to ${newCount}`, { port, refCount: newCount });
     return newCount;
   }
   public getPortRefCount(port: number): number {
     return this.portRefCounts.get(port) || 0;
   }
   ```
-3. **Update NetworkProxyBridge**
+3. Port Binding Logic Enhancements:
-   - Rename to HttpProxyBridge
+   ```typescript
-   - Update integration points
+   public async addPort(port: number): Promise<void> {
     // If already bound by this instance, just increment ref count and return
     if (this.servers.has(port)) {
       this.incrementPortRefCount(port);
       logger.log('debug', `Port ${port} is already bound by SmartProxy, reusing binding`, { port });
       return;
     }
     // Initialize ref count for new port
     this.portRefCounts.set(port, 1);
     // Continue with normal binding...
   }
   public async removePort(port: number): Promise<void> {
     // Decrement reference count
     const newCount = this.decrementPortRefCount(port);
     // If port is still in use by other routes, keep it
     if (newCount > 0) {
       logger.log('debug', `Port ${port} still in use by ${newCount} routes, keeping binding open`, { port, refCount: newCount });
       return;
     }
     // No more references, can actually close the port
     const server = this.servers.get(port);
     if (!server) {
       logger.log('warn', `Port ${port} not found in servers map`, { port });
       return;
     }
     // Continue with normal unbinding logic...
   }
   ```
-### Phase 4: Consolidate HTTP Utilities ✅
+4. Add Smarter Port Conflict Detection:
   ```typescript
   private isPortConflict(error: any): { isConflict: boolean; isExternal: boolean } {
     if (error.code !== 'EADDRINUSE') {
       return { isConflict: false, isExternal: false };
     }
     // Check if we already have this port
     const isBoundInternally = this.servers.has(Number(error.port));
     return { isConflict: true, isExternal: !isBoundInternally };
   }
   ```
-1. **Move HTTP types to http-proxy**
+#### Phase 2: Refine ACME Challenge Route Integration
-   - Created consolidated `http-types.ts` in `ts/proxies/http-proxy/models/`
+1. Modify `/ts/proxies/smart-proxy/certificate-manager.ts`:
-   - Includes HTTP status codes, error classes, and interfaces
+   - Enhance `addChallengeRoute()` to be aware of existing port bindings
-   - Added helper functions like `getStatusText()`
+   - Add port verification before attempting to add challenge routes
-2. **Clean up ts/http directory**
+2. Smart Route Merging Logic:
-   - Kept only router functionality
+   ```typescript
-   - Replaced local HTTP types with re-exports from HttpProxy
+   private async addChallengeRoute(): Promise<void> {
-   - Updated imports throughout the codebase to use consolidated types
+     // Check if route is already active
     if (this.challengeRouteActive) {
       return;
     }
-### Phase 5: Update Tests and Documentation ✅
+     // Create challenge route
     const challengeRoute = this.challengeRoute;
     const challengePort = this.globalAcmeDefaults?.port || 80;
     // Check if port is already in use by another route
     const portAlreadyUsed = this.routes.some(r => 
       Array.isArray(r.match.ports) 
       ? r.match.ports.includes(challengePort)
       : r.match.ports === challengePort
     );
     if (portAlreadyUsed) {
       logger.log('info', `Port ${challengePort} is already used by an existing route, merging ACME challenge route`);
     }
     // Continue with route update...
   }
   ```
-1. **Update test files**
+3. Update Route Manager Communication:
-   - Renamed NetworkProxy references to HttpProxy
+   ```typescript
-   - Renamed test files to match new naming
+   // Add this method to smart-proxy.ts
-   - Updated imports and references throughout tests
+   private async addRouteWithoutRebinding(route: IRouteConfig): Promise<void> {
-   - Fixed certificate manager method names
+     // Add route to configuration without triggering a port rebind
     this.settings.routes.push(route);
     this.routeManager.updateRoutes(this.settings.routes);
     // Update HttpProxy if needed, but skip port binding updates
     if (this.httpProxyBridge.getHttpProxy()) {
       await this.httpProxyBridge.syncRoutesToHttpProxy(this.settings.routes);
     }
   }
   ```
-2. **Update documentation**
+#### Phase 3: Enhance Proxy Route Management
-   - Updated README to reflect HttpProxy naming
+1. Modify `/ts/proxies/smart-proxy/smart-proxy.ts`:
-   - Updated architecture descriptions
+   - Refactor `updateRoutes()` to group routes by port
-   - Updated usage examples
+   - Implement incremental updates that preserve port bindings
-   - Fixed all API documentation references
+   - Add orphaned port detection and cleanup
-## Migration Steps
+2. Group Routes by Port:
   ```typescript
   private groupRoutesByPort(routes: IRouteConfig[]): Map<number, IRouteConfig[]> {
     const portMap = new Map<number, IRouteConfig[]>();
     for (const route of routes) {
       const ports = Array.isArray(route.match.ports) 
         ? route.match.ports 
         : [route.match.ports];
       for (const port of ports) {
         if (!portMap.has(port)) {
           portMap.set(port, []);
         }
         portMap.get(port)!.push(route);
       }
     }
     return portMap;
   }
   ```
-1. Create feature branch: `refactor/http-proxy-consolidation`
+3. Implement Port Usage Tracking:
-2. Phase 1: Rename NetworkProxy (1 day)
+   ```typescript
-3. Phase 2: Extract HTTP logic (2 days)
+   private updatePortUsageMap(routes: IRouteConfig[]): Map<number, Set<string>> {
-4. Phase 3: Simplify SmartProxy (1 day)
+     // Map of port -> Set of route names using that port
-5. Phase 4: Consolidate utilities (1 day)
+     const portUsage = new Map<number, Set<string>>();
-6. Phase 5: Update tests/docs (1 day)
+     
-7. Integration testing (1 day)
+     for (const route of routes) {
-8. Code review and merge
+       const ports = Array.isArray(route.match.ports) 
         ? route.match.ports 
         : [route.match.ports];
       const routeName = route.name || `unnamed_${Math.random().toString(36).substring(2, 9)}`;
       for (const port of ports) {
         if (!portUsage.has(port)) {
           portUsage.set(port, new Set());
         }
         portUsage.get(port)!.add(routeName);
       }
     }
     return portUsage;
   }
   private findOrphanedPorts(oldUsage: Map<number, Set<string>>, newUsage: Map<number, Set<string>>): number[] {
     // Find ports that have no routes in new configuration
     const orphanedPorts: number[] = [];
     for (const [port, routes] of oldUsage.entries()) {
       if (!newUsage.has(port) || newUsage.get(port)!.size === 0) {
         orphanedPorts.push(port);
         logger.log('info', `Port ${port} no longer has any associated routes, will be released`, { port });
       }
     }
     return orphanedPorts;
   }
   ```
-## Benefits
+4. Implement Incremental Update Logic:
   ```typescript
   public async updateRoutesIncremental(newRoutes: IRouteConfig[]): Promise<void> {
     // Track port usage before and after update
     const oldPortUsage = this.updatePortUsageMap(this.settings.routes);
     const newPortUsage = this.updatePortUsageMap(newRoutes);
     // Find orphaned ports - ports that no longer have any routes
     const orphanedPorts = this.findOrphanedPorts(oldPortUsage, newPortUsage);
     // Ports that need new bindings - not in old configuration
     const newBindingPorts = [...newPortUsage.keys()].filter(p => !oldPortUsage.has(p));
     // Close orphaned ports
     if (orphanedPorts.length > 0) {
       logger.log('info', `Releasing ${orphanedPorts.length} orphaned ports: ${orphanedPorts.join(', ')}`, { ports: orphanedPorts });
       await this.portManager.removePorts(orphanedPorts);
     }
     // Bind to new ports
     if (newBindingPorts.length > 0) {
       logger.log('info', `Binding to ${newBindingPorts.length} new ports: ${newBindingPorts.join(', ')}`, { ports: newBindingPorts });
       await this.portManager.addPorts(newBindingPorts);
     }
     // Update route configuration
     this.settings.routes = newRoutes;
     this.routeManager.updateRoutes(newRoutes);
     // Update other components...
   }
   ```
-1. **Clear Separation**: HTTP/HTTPS handling is clearly separated from TCP routing
+#### Phase 4: Improve Error Handling and Recovery
-2. **Better Naming**: HttpProxy clearly indicates its purpose
+1. Enhance Error Reporting:
-3. **No Duplication**: HTTP parsing logic exists in one place
+   ```typescript
-4. **Maintainability**: Easier to modify HTTP handling without affecting routing
+   private handlePortBindingError(port: number, error: any): void {
-5. **Testability**: Each component has a single responsibility
+     if (error.code === 'EADDRINUSE') {
-6. **Performance**: Optimized paths for different traffic types
+       const isInternalConflict = this.portManager.isPortBoundBySmartProxy(port);
       if (isInternalConflict) {
         logger.log('warn', `Port ${port} is already bound by SmartProxy. This is likely a route configuration issue.`, { port });
       } else {
         logger.log('error', `Port ${port} is in use by another application. Please choose a different port.`, { port });
       }
     } else {
       logger.log('error', `Failed to bind to port ${port}: ${error.message}`, { port, error });
     }
   }
   ```
-## Future Enhancements
+2. Implement ACME Port Fallback Strategy:
   ```typescript
   private async selectAcmePort(): Promise<number> {
     const preferredPort = this.globalAcmeDefaults?.port || 80;
     // Check if preferred port is already bound internally
     if (this.portManager.isPortBoundBySmartProxy(preferredPort)) {
       // We can use it without a new binding
       return preferredPort;
     }
     // Try to bind to preferred port
     try {
       // Temporary test binding
       const server = plugins.net.createServer();
       await new Promise<void>((resolve, reject) => {
         server.listen(preferredPort, () => {
           server.close();
           resolve();
         }).on('error', reject);
       });
       // If we get here, port is available
       return preferredPort;
     } catch (error) {
       if (error.code === 'EADDRINUSE') {
         // Port is unavailable, try fallback ports
         for (const fallbackPort of [8080, 8081, 8082, 8083, 8084]) {
           try {
             // Test if we can bind to fallback
             const server = plugins.net.createServer();
             await new Promise<void>((resolve, reject) => {
               server.listen(fallbackPort, () => {
                 server.close();
                 resolve();
               }).on('error', reject);
             });
             logger.log('warn', `Primary ACME port ${preferredPort} is unavailable, using fallback port ${fallbackPort}`);
             return fallbackPort;
           } catch {
             // Try next fallback
           }
         }
       }
       // All attempts failed
       throw new Error(`Could not find an available port for ACME challenges`);
     }
   }
   ```
-After this refactoring, we can more easily add:
+### Testing Strategy
 1. **Unit Tests**:
   - Test port binding intelligence
   - Test route merging logic
   - Test error handling mechanisms
   - Test port reference counting
   - Test orphaned port detection and cleanup
-1. HTTP/3 (QUIC) support in HttpProxy
+2. **Integration Tests**:
-2. Advanced HTTP features (compression, caching)
+   - Test multiple routes on the same port
-3. HTTP middleware system
+   - Test ACME challenges on ports with existing routes
-4. Protocol-specific optimizations
+   - Test dynamic route addition and removal
-5. Better HTTP/2 multiplexing
+   - Test port lifecycle (bind → share → release)
   - Test various recovery scenarios
-## Breaking Changes from v18 to v19
+3. **Stress Tests**:
   - Test rapid route updates
   - Test concurrent operations
   - Test large scale route changes (add/remove many at once)
   - Test frequent changes to see if ports are properly released
   - Test recovery from port conflicts
-1. `NetworkProxy` class renamed to `HttpProxy`
+### Release Plan
-2. Import paths change from `network-proxy` to `http-proxy`
+1. **19.4.0** - Phase 1 & 2: Port Manager and ACME Route Improvements
-3. Global ACME configuration now available at the top level
+2. **19.5.0** - Phase 3: Enhanced Route Management
-4. Certificate management unified under SmartCertManager
+3. **19.6.0** - Phase 4: Improved Error Handling and Recovery
 ## Future Enhancements
 1. HTTP/3 (QUIC) support in HttpProxy
 2. Advanced HTTP features (compression, caching)
 3. HTTP middleware system
 4. Protocol-specific optimizations
 5. Better HTTP/2 multiplexing
 6. Enhanced monitoring and metrics
 ## Key Features in v19.4.0
 1. **Global ACME Configuration**: Default settings for all routes with `certificate: 'auto'`
 2. **Enhanced Route Management**: Better separation between routing and certificate management
 3. **Improved Test Coverage**: Fixed test exports and port bindings
 4. **Better Error Messages**: Clear guidance for ACME configuration issues
 5. **Non-Privileged Port Support**: Examples for development environments
--- a/test/test.acme-http01-challenge.ts
+++ b/test/test.acme-http01-challenge.ts
@ -0,0 +1,174 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartProxy } from '../ts/index.js';
 import * as net from 'net';
 // Test that HTTP-01 challenges are properly processed when the initial data arrives
 tap.test('should correctly handle HTTP-01 challenge requests with initial data chunk', async (tapTest) => {
  // Prepare test data
  const challengeToken = 'test-acme-http01-challenge-token';
  const challengeResponse = 'mock-response-for-challenge';
  const challengePath = `/.well-known/acme-challenge/${challengeToken}`;
  // Create a handler function that responds to ACME challenges
  const acmeHandler = (context: any) => {
    // Log request details for debugging
    console.log(`Received request: ${context.method} ${context.path}`);
    // Check if this is an ACME challenge request
    if (context.path.startsWith('/.well-known/acme-challenge/')) {
      const token = context.path.substring('/.well-known/acme-challenge/'.length);
      // If the token matches our test token, return the response
      if (token === challengeToken) {
        return {
          status: 200,
          headers: {
            'Content-Type': 'text/plain'
          },
          body: challengeResponse
        };
      }
    }
    // For any other requests, return 404
    return {
      status: 404,
      headers: {
        'Content-Type': 'text/plain'
      },
      body: 'Not found'
    };
  };
  // Create a proxy with the ACME challenge route
  const proxy = new SmartProxy({
    routes: [{
      name: 'acme-challenge-route',
      match: {
        ports: 8080,
        paths: ['/.well-known/acme-challenge/*']
      },
      action: {
        type: 'static',
        handler: acmeHandler
      }
    }]
  });
  await proxy.start();
  // Create a client to test the HTTP-01 challenge
  const testClient = new net.Socket();
  let responseData = '';
  // Set up client handlers
  testClient.on('data', (data) => {
    responseData += data.toString();
  });
  // Connect to the proxy and send the HTTP-01 challenge request
  await new Promise<void>((resolve, reject) => {
    testClient.connect(8080, 'localhost', () => {
      // Send HTTP request for the challenge token
      testClient.write(
        `GET ${challengePath} HTTP/1.1\r\n` +
        'Host: test.example.com\r\n' +
        'User-Agent: ACME Challenge Test\r\n' +
        'Accept: */*\r\n' +
        '\r\n'
      );
      resolve();
    });
    testClient.on('error', reject);
  });
  // Wait for the response
  await new Promise(resolve => setTimeout(resolve, 100));
  // Verify that we received a valid HTTP response with the challenge token
  expect(responseData).toContain('HTTP/1.1 200');
  expect(responseData).toContain('Content-Type: text/plain');
  expect(responseData).toContain(challengeResponse);
  // Cleanup
  testClient.destroy();
  await proxy.stop();
 });
 // Test that non-existent challenge tokens return 404
 tap.test('should return 404 for non-existent challenge tokens', async (tapTest) => {
  // Create a handler function that behaves like a real ACME handler
  const acmeHandler = (context: any) => {
    if (context.path.startsWith('/.well-known/acme-challenge/')) {
      const token = context.path.substring('/.well-known/acme-challenge/'.length);
      // In this test, we only recognize one specific token
      if (token === 'valid-token') {
        return {
          status: 200,
          headers: { 'Content-Type': 'text/plain' },
          body: 'valid-response'
        };
      }
    }
    // For all other paths or unrecognized tokens, return 404
    return {
      status: 404,
      headers: { 'Content-Type': 'text/plain' },
      body: 'Not found'
    };
  };
  // Create a proxy with the ACME challenge route
  const proxy = new SmartProxy({
    routes: [{
      name: 'acme-challenge-route',
      match: {
        ports: 8081,
        paths: ['/.well-known/acme-challenge/*']
      },
      action: {
        type: 'static',
        handler: acmeHandler
      }
    }]
  });
  await proxy.start();
  // Create a client to test the invalid challenge request
  const testClient = new net.Socket();
  let responseData = '';
  testClient.on('data', (data) => {
    responseData += data.toString();
  });
  // Connect and send a request for a non-existent token
  await new Promise<void>((resolve, reject) => {
    testClient.connect(8081, 'localhost', () => {
      testClient.write(
        'GET /.well-known/acme-challenge/invalid-token HTTP/1.1\r\n' +
        'Host: test.example.com\r\n' +
        '\r\n'
      );
      resolve();
    });
    testClient.on('error', reject);
  });
  // Wait for the response
  await new Promise(resolve => setTimeout(resolve, 100));
  // Verify we got a 404 Not Found
  expect(responseData).toContain('HTTP/1.1 404');
  expect(responseData).toContain('Not found');
  // Cleanup
  testClient.destroy();
  await proxy.stop();
 });
 tap.start();
--- a/test/test.acme-timing-simple.ts
+++ b/test/test.acme-timing-simple.ts
@ -0,0 +1,103 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartProxy } from '../ts/index.js';
 // Test that certificate provisioning is deferred until after ports are listening
 tap.test('should defer certificate provisioning until ports are ready', async (tapTest) => {
  // Track when operations happen
  let portsListening = false;
  let certProvisioningStarted = false;
  let operationOrder: string[] = [];
  // Create proxy with certificate route but without real ACME
  const proxy = new SmartProxy({
    routes: [{
      name: 'test-route',
      match: {
        ports: 8443,
        domains: ['test.local']
      },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8181 },
        tls: {
          mode: 'terminate',
          certificate: 'auto',
          acme: {
            email: 'test@local.dev',
            useProduction: false
          }
        }
      }
    }]
  });
  // Override the certificate manager creation to avoid real ACME
  const originalCreateCertManager = proxy['createCertificateManager'];
  proxy['createCertificateManager'] = async function(...args: any[]) {
    console.log('Creating mock cert manager');
    operationOrder.push('create-cert-manager');
    const mockCertManager = {
      initialize: async () => {
        operationOrder.push('cert-manager-init');
        console.log('Mock cert manager initialized');
      },
      provisionAllCertificates: async () => {
        operationOrder.push('cert-provisioning');
        certProvisioningStarted = true;
        // Check that ports are listening when provisioning starts
        if (!portsListening) {
          throw new Error('Certificate provisioning started before ports ready!');
        }
        console.log('Mock certificate provisioning (ports are ready)');
      },
      stop: async () => {},
      setHttpProxy: () => {},
      setGlobalAcmeDefaults: () => {},
      setAcmeStateManager: () => {},
      setUpdateRoutesCallback: () => {},
      getAcmeOptions: () => ({}),
      getState: () => ({ challengeRouteActive: false })
    };
    // Call initialize immediately as the real createCertificateManager does
    await mockCertManager.initialize();
    return mockCertManager;
  };
  // Track port manager operations
  const originalAddPorts = proxy['portManager'].addPorts;
  proxy['portManager'].addPorts = async function(ports: number[]) {
    operationOrder.push('ports-starting');
    const result = await originalAddPorts.call(this, ports);
    operationOrder.push('ports-ready');
    portsListening = true;
    console.log('Ports are now listening');
    return result;
  };
  // Start the proxy
  await proxy.start();
  // Log the operation order for debugging
  console.log('Operation order:', operationOrder);
  // Verify operations happened in the correct order
  expect(operationOrder).toContain('create-cert-manager');
  expect(operationOrder).toContain('cert-manager-init');
  expect(operationOrder).toContain('ports-starting');
  expect(operationOrder).toContain('ports-ready');
  expect(operationOrder).toContain('cert-provisioning');
  // Verify ports were ready before certificate provisioning
  const portsReadyIndex = operationOrder.indexOf('ports-ready');
  const certProvisioningIndex = operationOrder.indexOf('cert-provisioning');
  expect(portsReadyIndex).toBeLessThan(certProvisioningIndex);
  expect(certProvisioningStarted).toEqual(true);
  expect(portsListening).toEqual(true);
  await proxy.stop();
 });
 tap.start();
--- a/test/test.acme-timing.ts
+++ b/test/test.acme-timing.ts
@ -0,0 +1,159 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartProxy } from '../ts/index.js';
 import * as net from 'net';
 // Test that certificate provisioning waits for ports to be ready
 tap.test('should defer certificate provisioning until after ports are listening', async (tapTest) => {
  // Track the order of operations
  const operationLog: string[] = [];
  // Create a mock server to verify ports are listening
  let port80Listening = false;
  const testServer = net.createServer(() => {
    // We don't need to handle connections, just track that we're listening
  });
  // Try to use port 8080 instead of 80 to avoid permission issues in testing
  const acmePort = 8080;
  // Create proxy with ACME certificate requirement
  const proxy = new SmartProxy({
    useHttpProxy: [acmePort],
    httpProxyPort: 8844,
    acme: {
      email: 'test@example.com',
      useProduction: false,
      port: acmePort
    },
    routes: [{
      name: 'test-acme-route',
      match: {
        ports: 8443,
        domains: ['test.local']
      },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8181 },
        tls: {
          mode: 'terminate',
          certificate: 'auto',
          acme: {
            email: 'test@example.com',
            useProduction: false
          }
        }
      }
    }]
  });
  // Mock some internal methods to track operation order
  const originalAddPorts = proxy['portManager'].addPorts;
  proxy['portManager'].addPorts = async function(ports: number[]) {
    operationLog.push('Starting port listeners');
    const result = await originalAddPorts.call(this, ports);
    operationLog.push('Port listeners started');
    port80Listening = true;
    return result;
  };
  // Track certificate provisioning
  const originalProvisionAll = proxy['certManager'] ? 
    proxy['certManager']['provisionAllCertificates'] : null;
  if (proxy['certManager']) {
    proxy['certManager']['provisionAllCertificates'] = async function() {
      operationLog.push('Starting certificate provisioning');
      // Check if port 80 is listening
      if (!port80Listening) {
        operationLog.push('ERROR: Certificate provisioning started before ports ready');
      }
      // Don't actually provision certificates in the test
      operationLog.push('Certificate provisioning completed');
    };
  }
  // Start the proxy
  await proxy.start();
  // Verify the order of operations
  expect(operationLog).toContain('Starting port listeners');
  expect(operationLog).toContain('Port listeners started');
  expect(operationLog).toContain('Starting certificate provisioning');
  // Ensure port listeners started before certificate provisioning
  const portStartIndex = operationLog.indexOf('Port listeners started');
  const certStartIndex = operationLog.indexOf('Starting certificate provisioning');
  expect(portStartIndex).toBeLessThan(certStartIndex);
  expect(operationLog).not.toContain('ERROR: Certificate provisioning started before ports ready');
  await proxy.stop();
 });
 // Test that ACME challenge route is available when certificate is requested
 tap.test('should have ACME challenge route ready before certificate provisioning', async (tapTest) => {
  let challengeRouteActive = false;
  let certificateProvisioningStarted = false;
  const proxy = new SmartProxy({
    useHttpProxy: [8080],
    httpProxyPort: 8844,
    acme: {
      email: 'test@example.com',
      useProduction: false,
      port: 8080
    },
    routes: [{
      name: 'test-route',
      match: {
        ports: 8443,
        domains: ['test.example.com']
      },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8181 },
        tls: {
          mode: 'terminate',
          certificate: 'auto'
        }
      }
    }]
  });
  // Mock the certificate manager to track operations
  const originalInitialize = proxy['certManager'] ? 
    proxy['certManager'].initialize : null;
  if (proxy['certManager']) {
    const certManager = proxy['certManager'];
    // Track when challenge route is added
    const originalAddChallenge = certManager['addChallengeRoute'];
    certManager['addChallengeRoute'] = async function() {
      await originalAddChallenge.call(this);
      challengeRouteActive = true;
    };
    // Track when certificate provisioning starts
    const originalProvisionAcme = certManager['provisionAcmeCertificate'];
    certManager['provisionAcmeCertificate'] = async function(...args: any[]) {
      certificateProvisioningStarted = true;
      // Verify challenge route is active
      expect(challengeRouteActive).toEqual(true);
      // Don't actually provision in test
      return;
    };
  }
  await proxy.start();
  // Give it a moment to complete initialization
  await new Promise(resolve => setTimeout(resolve, 100));
  // Verify challenge route was added before any certificate provisioning
  expect(challengeRouteActive).toEqual(true);
  await proxy.stop();
 });
 tap.start();
--- a/test/test.http-fix-unit.ts
+++ b/test/test.http-fix-unit.ts
@ -0,0 +1,183 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import * as net from 'net';
 // Unit test for the HTTP forwarding fix
 tap.test('should forward non-TLS connections on HttpProxy ports', async (tapTest) => {
  // Test configuration
  const testPort = 8080;
  const httpProxyPort = 8844;
  // Track forwarding logic
  let forwardedToHttpProxy = false;
  let setupDirectConnection = false;
  // Create mock settings
  const mockSettings = {
    useHttpProxy: [testPort],
    httpProxyPort: httpProxyPort,
    routes: [{
      name: 'test-route',
      match: { ports: testPort },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8181 }
      }
    }]
  };
  // Create mock connection record
  const mockRecord = {
    id: 'test-connection',
    localPort: testPort,
    remoteIP: '127.0.0.1',
    isTLS: false
  };
  // Mock HttpProxyBridge
  const mockHttpProxyBridge = {
    getHttpProxy: () => ({ available: true }),
    forwardToHttpProxy: async () => {
      forwardedToHttpProxy = true;
    }
  };
  // Test the logic from handleForwardAction
  const route = mockSettings.routes[0];
  const action = route.action;
  // Simulate the fixed logic
  if (!action.tls) {
    // No TLS settings - check if this port should use HttpProxy
    const isHttpProxyPort = mockSettings.useHttpProxy?.includes(mockRecord.localPort);
    if (isHttpProxyPort && mockHttpProxyBridge.getHttpProxy()) {
      // Forward non-TLS connections to HttpProxy if configured
      console.log(`Using HttpProxy for non-TLS connection on port ${mockRecord.localPort}`);
      await mockHttpProxyBridge.forwardToHttpProxy();
    } else {
      // Basic forwarding
      console.log(`Using basic forwarding`);
      setupDirectConnection = true;
    }
  }
  // Verify the fix works correctly
  expect(forwardedToHttpProxy).toEqual(true);
  expect(setupDirectConnection).toEqual(false);
  console.log('Test passed: Non-TLS connections on HttpProxy ports are forwarded correctly');
 });
 // Test that non-HttpProxy ports still use direct connection
 tap.test('should use direct connection for non-HttpProxy ports', async (tapTest) => {
  let forwardedToHttpProxy = false;
  let setupDirectConnection = false;
  const mockSettings = {
    useHttpProxy: [80, 443], // Different ports
    httpProxyPort: 8844,
    routes: [{
      name: 'test-route',
      match: { ports: 8080 }, // Not in useHttpProxy
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8181 }
      }
    }]
  };
  const mockRecord = {
    id: 'test-connection-2',
    localPort: 8080, // Not in useHttpProxy
    remoteIP: '127.0.0.1',
    isTLS: false
  };
  const mockHttpProxyBridge = {
    getHttpProxy: () => ({ available: true }),
    forwardToHttpProxy: async () => {
      forwardedToHttpProxy = true;
    }
  };
  const route = mockSettings.routes[0];
  const action = route.action;
  // Test the logic
  if (!action.tls) {
    const isHttpProxyPort = mockSettings.useHttpProxy?.includes(mockRecord.localPort);
    if (isHttpProxyPort && mockHttpProxyBridge.getHttpProxy()) {
      console.log(`Using HttpProxy for non-TLS connection on port ${mockRecord.localPort}`);
      await mockHttpProxyBridge.forwardToHttpProxy();
    } else {
      console.log(`Using basic forwarding for port ${mockRecord.localPort}`);
      setupDirectConnection = true;
    }
  }
  // Verify port 8080 uses direct connection when not in useHttpProxy
  expect(forwardedToHttpProxy).toEqual(false);
  expect(setupDirectConnection).toEqual(true);
  console.log('Test passed: Non-HttpProxy ports use direct connection');
 });
 // Test HTTP-01 ACME challenge scenario
 tap.test('should handle ACME HTTP-01 challenges on port 80 with HttpProxy', async (tapTest) => {
  let forwardedToHttpProxy = false;
  const mockSettings = {
    useHttpProxy: [80], // Port 80 configured for HttpProxy
    httpProxyPort: 8844,
    acme: {
      port: 80,
      email: 'test@example.com'
    },
    routes: [{
      name: 'acme-challenge',
      match: { 
        ports: 80,
        paths: ['/.well-known/acme-challenge/*']
      },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8080 }
      }
    }]
  };
  const mockRecord = {
    id: 'acme-connection',
    localPort: 80,
    remoteIP: '127.0.0.1',
    isTLS: false
  };
  const mockHttpProxyBridge = {
    getHttpProxy: () => ({ available: true }),
    forwardToHttpProxy: async () => {
      forwardedToHttpProxy = true;
    }
  };
  const route = mockSettings.routes[0];
  const action = route.action;
  // Test the fix for ACME HTTP-01 challenges
  if (!action.tls) {
    const isHttpProxyPort = mockSettings.useHttpProxy?.includes(mockRecord.localPort);
    if (isHttpProxyPort && mockHttpProxyBridge.getHttpProxy()) {
      console.log(`Using HttpProxy for ACME challenge on port ${mockRecord.localPort}`);
      await mockHttpProxyBridge.forwardToHttpProxy();
    }
  }
  // Verify HTTP-01 challenges on port 80 go through HttpProxy
  expect(forwardedToHttpProxy).toEqual(true);
  console.log('Test passed: ACME HTTP-01 challenges on port 80 use HttpProxy');
 });
 tap.start();
--- a/test/test.http-fix-verification.ts
+++ b/test/test.http-fix-verification.ts
@ -0,0 +1,168 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { RouteConnectionHandler } from '../ts/proxies/smart-proxy/route-connection-handler.js';
 import { ISmartProxyOptions } from '../ts/proxies/smart-proxy/models/interfaces.js';
 import * as net from 'net';
 // Direct test of the fix in RouteConnectionHandler
 tap.test('should detect and forward non-TLS connections on useHttpProxy ports', async (tapTest) => {
  // Create mock objects
  const mockSettings: ISmartProxyOptions = {
    useHttpProxy: [8080],
    httpProxyPort: 8844,
    routes: [{
      name: 'test-route',
      match: { ports: 8080 },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8181 }
      }
    }]
  };
  let httpProxyForwardCalled = false;
  let directConnectionCalled = false;
  // Create mocks for dependencies
  const mockHttpProxyBridge = {
    getHttpProxy: () => ({ available: true }),
    forwardToHttpProxy: async (...args: any[]) => {
      console.log('Mock: forwardToHttpProxy called');
      httpProxyForwardCalled = true;
    }
  };
  // Mock connection manager
  const mockConnectionManager = {
    createConnection: (socket: any) => ({
      id: 'test-connection',
      localPort: 8080,
      remoteIP: '127.0.0.1',
      isTLS: false
    }),
    initiateCleanupOnce: () => {},
    cleanupConnection: () => {}
  };
  // Mock route manager that returns a matching route
  const mockRouteManager = {
    findMatchingRoute: (criteria: any) => ({
      route: mockSettings.routes[0]
    })
  };
  // Create route connection handler instance
  const handler = new RouteConnectionHandler(
    mockSettings,
    mockConnectionManager as any,
    {} as any, // security manager
    {} as any, // tls manager
    mockHttpProxyBridge as any,
    {} as any, // timeout manager
    mockRouteManager as any
  );
  // Override setupDirectConnection to track if it's called
  handler['setupDirectConnection'] = (...args: any[]) => {
    console.log('Mock: setupDirectConnection called');
    directConnectionCalled = true;
  };
  // Test: Create a mock socket representing non-TLS connection on port 8080
  const mockSocket = new net.Socket();
  mockSocket.localPort = 8080;
  mockSocket.remoteAddress = '127.0.0.1';
  // Simulate the handler processing the connection
  handler.handleConnection(mockSocket);
  // Simulate receiving non-TLS data
  mockSocket.emit('data', Buffer.from('GET / HTTP/1.1\r\nHost: test.local\r\n\r\n'));
  // Give it a moment to process
  await new Promise(resolve => setTimeout(resolve, 100));
  // Verify that the connection was forwarded to HttpProxy, not direct connection
  expect(httpProxyForwardCalled).toEqual(true);
  expect(directConnectionCalled).toEqual(false);
  mockSocket.destroy();
 });
 // Test that verifies TLS connections still work normally
 tap.test('should handle TLS connections normally', async (tapTest) => {
  const mockSettings: ISmartProxyOptions = {
    useHttpProxy: [443],
    httpProxyPort: 8844,
    routes: [{
      name: 'tls-route',
      match: { ports: 443 },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8443 },
        tls: { mode: 'terminate' }
      }
    }]
  };
  let httpProxyForwardCalled = false;
  const mockHttpProxyBridge = {
    getHttpProxy: () => ({ available: true }),
    forwardToHttpProxy: async (...args: any[]) => {
      httpProxyForwardCalled = true;
    }
  };
  const mockConnectionManager = {
    createConnection: (socket: any) => ({
      id: 'test-tls-connection',
      localPort: 443,
      remoteIP: '127.0.0.1',
      isTLS: true,
      tlsHandshakeComplete: false
    }),
    initiateCleanupOnce: () => {},
    cleanupConnection: () => {}
  };
  const mockTlsManager = {
    isTlsHandshake: (chunk: Buffer) => true,
    isClientHello: (chunk: Buffer) => true,
    extractSNI: (chunk: Buffer) => 'test.local'
  };
  const mockRouteManager = {
    findMatchingRoute: (criteria: any) => ({
      route: mockSettings.routes[0]
    })
  };
  const handler = new RouteConnectionHandler(
    mockSettings,
    mockConnectionManager as any,
    {} as any,
    mockTlsManager as any,
    mockHttpProxyBridge as any,
    {} as any,
    mockRouteManager as any
  );
  const mockSocket = new net.Socket();
  mockSocket.localPort = 443;
  mockSocket.remoteAddress = '127.0.0.1';
  handler.handleConnection(mockSocket);
  // Simulate TLS handshake
  const tlsHandshake = Buffer.from([0x16, 0x03, 0x01, 0x00, 0x05]);
  mockSocket.emit('data', tlsHandshake);
  await new Promise(resolve => setTimeout(resolve, 100));
  // TLS connections with 'terminate' mode should go to HttpProxy
  expect(httpProxyForwardCalled).toEqual(true);
  mockSocket.destroy();
 });
 tap.start();
--- a/test/test.http-forwarding-fix.ts
+++ b/test/test.http-forwarding-fix.ts
@ -0,0 +1,150 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartProxy } from '../ts/index.js';
 import * as net from 'net';
 // Test that verifies HTTP connections on ports configured in useHttpProxy are properly forwarded
 tap.test('should detect and forward non-TLS connections on HttpProxy ports', async (tapTest) => {
  // Track whether the connection was forwarded to HttpProxy
  let forwardedToHttpProxy = false;
  let connectionPath = '';
  // Mock the HttpProxy forwarding
  const originalForward = SmartProxy.prototype['httpProxyBridge'].prototype.forwardToHttpProxy;
  SmartProxy.prototype['httpProxyBridge'].prototype.forwardToHttpProxy = function(...args: any[]) {
    forwardedToHttpProxy = true;
    connectionPath = 'httpproxy';
    console.log('Mock: Connection forwarded to HttpProxy');
    // Just close the connection for the test
    args[1].end(); // socket.end()
  };
  // Create a SmartProxy with useHttpProxy configured
  const proxy = new SmartProxy({
    useHttpProxy: [8080],
    httpProxyPort: 8844,
    enableDetailedLogging: true,
    routes: [{
      name: 'test-route',
      match: {
        ports: 8080
      },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8181 }
      }
    }]
  });
  // Override the HttpProxy initialization to avoid actual HttpProxy setup
  proxy['httpProxyBridge'].getHttpProxy = () => ({} as any);
  await proxy.start();
  // Make a connection to port 8080
  const client = new net.Socket();
  await new Promise<void>((resolve, reject) => {
    client.connect(8080, 'localhost', () => {
      console.log('Client connected to proxy on port 8080');
      // Send a non-TLS HTTP request
      client.write('GET / HTTP/1.1\r\nHost: test.local\r\n\r\n');
      resolve();
    });
    client.on('error', reject);
  });
  // Give it a moment to process
  await new Promise(resolve => setTimeout(resolve, 100));
  // Verify the connection was forwarded to HttpProxy
  expect(forwardedToHttpProxy).toEqual(true);
  expect(connectionPath).toEqual('httpproxy');
  client.destroy();
  await proxy.stop();
  // Restore original method
  SmartProxy.prototype['httpProxyBridge'].prototype.forwardToHttpProxy = originalForward;
 });
 // Test that verifies the fix detects non-TLS connections
 tap.test('should properly detect non-TLS connections on HttpProxy ports', async (tapTest) => {
  const targetPort = 8182;
  let receivedConnection = false;
  // Create a target server that never receives the connection (because it goes to HttpProxy)
  const targetServer = net.createServer((socket) => {
    receivedConnection = true;
    socket.end();
  });
  await new Promise<void>((resolve) => {
    targetServer.listen(targetPort, () => {
      console.log(`Target server listening on port ${targetPort}`);
      resolve();
    });
  });
  // Mock HttpProxyBridge to track forwarding
  let httpProxyForwardCalled = false;
  const proxy = new SmartProxy({
    useHttpProxy: [8080],
    httpProxyPort: 8844,
    routes: [{
      name: 'test-route',
      match: {
        ports: 8080
      },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: targetPort }
      }
    }]
  });
  // Override the forwardToHttpProxy method to track calls
  const originalForward = proxy['httpProxyBridge'].forwardToHttpProxy;
  proxy['httpProxyBridge'].forwardToHttpProxy = async function(...args: any[]) {
    httpProxyForwardCalled = true;
    console.log('HttpProxy forward called with connectionId:', args[0]);
    // Just end the connection
    args[1].end();
  };
  // Mock getHttpProxy to return a truthy value
  proxy['httpProxyBridge'].getHttpProxy = () => ({} as any);
  await proxy.start();
  // Make a non-TLS connection
  const client = new net.Socket();
  await new Promise<void>((resolve, reject) => {
    client.connect(8080, 'localhost', () => {
      console.log('Connected to proxy');
      client.write('GET / HTTP/1.1\r\nHost: test.local\r\n\r\n');
      resolve();
    });
    client.on('error', () => resolve()); // Ignore errors since we're ending the connection
  });
  await new Promise(resolve => setTimeout(resolve, 100));
  // Verify that HttpProxy was called, not direct connection
  expect(httpProxyForwardCalled).toEqual(true);
  expect(receivedConnection).toEqual(false); // Target should not receive direct connection
  client.destroy();
  await proxy.stop();
  await new Promise<void>((resolve) => {
    targetServer.close(() => resolve());
  });
  // Restore original method
  proxy['httpProxyBridge'].forwardToHttpProxy = originalForward;
 });
 tap.start();
--- a/test/test.http-port8080-forwarding.ts
+++ b/test/test.http-port8080-forwarding.ts
@ -0,0 +1,160 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartProxy } from '../ts/index.js';
 import * as http from 'http';
 tap.test('should forward HTTP connections on port 8080 to HttpProxy', async (tapTest) => {
  // Create a mock HTTP server to act as our target
  const targetPort = 8181;
  let receivedRequest = false;
  let receivedPath = '';
  const targetServer = http.createServer((req, res) => {
    // Log request details for debugging
    console.log(`Target server received: ${req.method} ${req.url}`);
    receivedPath = req.url || '';
    if (req.url === '/.well-known/acme-challenge/test-token') {
      receivedRequest = true;
      res.writeHead(200, { 'Content-Type': 'text/plain' });
      res.end('test-challenge-response');
    } else {
      res.writeHead(200);
      res.end('OK');
    }
  });
  await new Promise<void>((resolve) => {
    targetServer.listen(targetPort, () => {
      console.log(`Target server listening on port ${targetPort}`);
      resolve();
    });
  });
  // Create SmartProxy with port 8080 configured for HttpProxy
  const proxy = new SmartProxy({
    useHttpProxy: [8080], // Enable HttpProxy for port 8080
    httpProxyPort: 8844,
    enableDetailedLogging: true,
    routes: [{
      name: 'test-route',
      match: {
        ports: 8080,
        domains: ['test.local']
      },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: targetPort }
      }
    }]
  });
  await proxy.start();
  // Give the proxy a moment to fully initialize
  await new Promise(resolve => setTimeout(resolve, 500));
  // Make an HTTP request to port 8080
  const options = {
    hostname: 'localhost',
    port: 8080,
    path: '/.well-known/acme-challenge/test-token',
    method: 'GET',
    headers: {
      'Host': 'test.local'
    }
  };
  const response = await new Promise<http.IncomingMessage>((resolve, reject) => {
    const req = http.request(options, (res) => resolve(res));
    req.on('error', reject);
    req.end();
  });
  // Collect response data
  let responseData = '';
  response.setEncoding('utf8');
  response.on('data', chunk => responseData += chunk);
  await new Promise(resolve => response.on('end', resolve));
  // Verify the request was properly forwarded
  expect(response.statusCode).toEqual(200);
  expect(receivedPath).toEqual('/.well-known/acme-challenge/test-token');
  expect(responseData).toEqual('test-challenge-response');
  expect(receivedRequest).toEqual(true);
  await proxy.stop();
  await new Promise<void>((resolve) => {
    targetServer.close(() => resolve());
  });
 });
 tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
  // Create a simple target server
  const targetPort = 8182;
  let receivedRequest = false;
  const targetServer = http.createServer((req, res) => {
    console.log(`Target received: ${req.method} ${req.url} from ${req.headers.host}`);
    receivedRequest = true;
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end('Hello from target');
  });
  await new Promise<void>((resolve) => {
    targetServer.listen(targetPort, () => {
      console.log(`Target server listening on port ${targetPort}`);
      resolve();
    });
  });
  // Create a simple proxy without HttpProxy
  const proxy = new SmartProxy({
    routes: [{
      name: 'simple-forward',
      match: {
        ports: 8081,
        domains: ['test.local']
      },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: targetPort }
      }
    }]
  });
  await proxy.start();
  await new Promise(resolve => setTimeout(resolve, 500));
  // Make request
  const options = {
    hostname: 'localhost',
    port: 8081,
    path: '/test',
    method: 'GET',
    headers: {
      'Host': 'test.local'
    }
  };
  const response = await new Promise<http.IncomingMessage>((resolve, reject) => {
    const req = http.request(options, (res) => resolve(res));
    req.on('error', reject);
    req.end();
  });
  let responseData = '';
  response.setEncoding('utf8');
  response.on('data', chunk => responseData += chunk);
  await new Promise(resolve => response.on('end', resolve));
  expect(response.statusCode).toEqual(200);
  expect(responseData).toEqual('Hello from target');
  expect(receivedRequest).toEqual(true);
  await proxy.stop();
  await new Promise<void>((resolve) => {
    targetServer.close(() => resolve());
  });
 });
 tap.start();
--- a/test/test.http-port8080-simple.ts
+++ b/test/test.http-port8080-simple.ts
@ -0,0 +1,96 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartProxy } from '../ts/index.js';
 import * as net from 'net';
 tap.test('should forward HTTP connections on port 8080 to HttpProxy', async (tapTest) => {
  // Create a simple echo server to act as our target
  const targetPort = 8181;
  let receivedData = '';
  const targetServer = net.createServer((socket) => {
    console.log('Target server received connection');
    socket.on('data', (data) => {
      receivedData += data.toString();
      console.log('Target server received data:', data.toString().split('\n')[0]);
      // Send a simple HTTP response
      const response = 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 13\r\n\r\nHello, World!';
      socket.write(response);
    });
  });
  await new Promise<void>((resolve) => {
    targetServer.listen(targetPort, () => {
      console.log(`Target server listening on port ${targetPort}`);
      resolve();
    });
  });
  // Create SmartProxy with port 8080 configured for HttpProxy
  const proxy = new SmartProxy({
    useHttpProxy: [8080], // Enable HttpProxy for port 8080
    httpProxyPort: 8844,
    enableDetailedLogging: true,
    routes: [{
      name: 'test-route',
      match: {
        ports: 8080
      },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: targetPort }
      }
    }]
  });
  await proxy.start();
  // Give the proxy a moment to fully initialize
  await new Promise(resolve => setTimeout(resolve, 500));
  console.log('Making test connection to proxy on port 8080...');
  // Create a simple TCP connection to test
  const client = new net.Socket();
  const responsePromise = new Promise<string>((resolve, reject) => {
    let response = '';
    client.on('data', (data) => {
      response += data.toString();
      console.log('Client received:', data.toString());
    });
    client.on('end', () => {
      resolve(response);
    });
    client.on('error', reject);
  });
  await new Promise<void>((resolve, reject) => {
    client.connect(8080, 'localhost', () => {
      console.log('Client connected to proxy');
      // Send a simple HTTP request
      client.write('GET / HTTP/1.1\r\nHost: test.local\r\n\r\n');
      resolve();
    });
    client.on('error', reject);
  });
  // Wait for response
  const response = await responsePromise;
  // Check that we got the response
  expect(response).toContain('Hello, World!');
  expect(receivedData).toContain('GET / HTTP/1.1');
  client.destroy();
  await proxy.stop();
  await new Promise<void>((resolve) => {
    targetServer.close(() => resolve());
  });
 });
 tap.start();
--- a/test/test.port-forwarding-fix.ts
+++ b/test/test.port-forwarding-fix.ts
@ -5,7 +5,9 @@ import { SmartProxy } from '../ts/proxies/smart-proxy/smart-proxy.js';
 let echoServer: net.Server;
 let proxy: SmartProxy;
-tap.test('port forwarding should not immediately close connections', async () => {
+tap.test('port forwarding should not immediately close connections', async (tools) => {
  // Set a timeout for this test
  tools.timeout(10000); // 10 seconds
  // Create an echo server
  echoServer = await new Promise<net.Server>((resolve) => {
    const server = net.createServer((socket) => {
@ -39,7 +41,9 @@ tap.test('port forwarding should not immediately close connections', async () =>
  const result = await new Promise<string>((resolve, reject) => {
    client.on('data', (data) => {
-      resolve(data.toString());
+      const response = data.toString();
      client.end(); // Close the connection after receiving data
      resolve(response);
    });
    client.on('error', reject);
@ -48,8 +52,6 @@ tap.test('port forwarding should not immediately close connections', async () =>
  });
  expect(result).toEqual('ECHO: Hello');
  client.end();
 });
 tap.test('TLS passthrough should work correctly', async () => {
@ -76,11 +78,23 @@ tap.test('TLS passthrough should work correctly', async () => {
 tap.test('cleanup', async () => {
  if (echoServer) {
-    echoServer.close();
+    await new Promise<void>((resolve) => {
      echoServer.close(() => {
        console.log('Echo server closed');
        resolve();
      });
    });
  }
  if (proxy) {
    await proxy.stop();
    console.log('Proxy stopped');
  }
 });
-export default tap.start();
+export default tap.start().then(() => {
  // Force exit after tests complete
  setTimeout(() => {
    console.log('Forcing process exit');
    process.exit(0);
  }, 1000);
 });
--- a/test/test.port80-management.node.ts
+++ b/test/test.port80-management.node.ts
@ -98,6 +98,13 @@ tap.test('should not double-register port 80 when user route and ACME use same p
        };
        // This would trigger route update in real implementation
      },
      provisionAllCertificates: async function() {
        // Mock implementation to satisfy the call in SmartProxy.start()
        // Add the ACME challenge port here too in case initialize was skipped
        const challengePort = acmeOptions?.port || 80;
        await mockPortManager.addPort(challengePort);
        console.log(`Added ACME challenge port from provisionAllCertificates: ${challengePort}`);
      },
      getAcmeOptions: () => acmeOptions,
      getState: () => ({ challengeRouteActive: false }),
      stop: async () => {}
@ -175,9 +182,13 @@ tap.test('should handle ACME on different port than user routes', async (tools)
  // Mock the port manager
  const mockPortManager = {
    addPort: async (port: number) => {
      console.log(`Attempting to add port: ${port}`);
      if (!activePorts.has(port)) {
        activePorts.add(port);
        portAddHistory.push(port);
        console.log(`Port ${port} added to history`);
      } else {
        console.log(`Port ${port} already active, not adding to history`);
      }
    },
    addPorts: async (ports: number[]) => {
@ -207,17 +218,31 @@ tap.test('should handle ACME on different port than user routes', async (tools)
      setAcmeStateManager: function() {},
      initialize: async function() {
        // Simulate ACME route addition on different port
        const challengePort = acmeOptions?.port || 80;
        const challengeRoute = {
          name: 'acme-challenge',
          priority: 1000,
          match: {
-            ports: acmeOptions?.port || 80,
+            ports: challengePort,
            path: '/.well-known/acme-challenge/*'
          },
          action: {
            type: 'static'
          }
        };
        // Add the ACME port to our port tracking
        await mockPortManager.addPort(challengePort);
        // For debugging
        console.log(`Added ACME challenge port: ${challengePort}`);
      },
      provisionAllCertificates: async function() {
        // Mock implementation to satisfy the call in SmartProxy.start()
        // Add the ACME challenge port here too in case initialize was skipped
        const challengePort = acmeOptions?.port || 80;
        await mockPortManager.addPort(challengePort);
        console.log(`Added ACME challenge port from provisionAllCertificates: ${challengePort}`);
      },
      getAcmeOptions: () => acmeOptions,
      getState: () => ({ challengeRouteActive: false }),
@ -242,6 +267,9 @@ tap.test('should handle ACME on different port than user routes', async (tools)
  await proxy.start();
  // Log the port history for debugging
  console.log('Port add history:', portAddHistory);
  // Verify that all expected ports were added
  expect(portAddHistory.includes(80)).toBeTrue();    // User route
  expect(portAddHistory.includes(443)).toBeTrue();   // TLS route  
--- a/test/test.route-callback-simple.ts
+++ b/test/test.route-callback-simple.ts
@ -30,10 +30,16 @@ tap.test('should set update routes callback on certificate manager', async () =>
    }]
  });
-  // Mock createCertificateManager to track callback setting
+  // Track callback setting
  let callbackSet = false;
-  (proxy as any).createCertificateManager = async function(...args: any[]) {
+  // Override createCertificateManager to track callback setting
  (proxy as any).createCertificateManager = async function(
    routes: any,
    certStore: string,
    acmeOptions?: any,
    initialState?: any
  ) {
    // Create a mock certificate manager
    const mockCertManager = {
      setUpdateRoutesCallback: function(callback: any) {
@ -43,9 +49,32 @@ tap.test('should set update routes callback on certificate manager', async () =>
      setGlobalAcmeDefaults: function() {},
      setAcmeStateManager: function() {},
      initialize: async function() {},
-      stop: async function() {}
+      provisionAllCertificates: async function() {},
      stop: async function() {},
      getAcmeOptions: function() { return acmeOptions || {}; },
      getState: function() { return initialState || { challengeRouteActive: false }; }
    };
    // Mimic the real createCertificateManager behavior
    // Always set up the route update callback for ACME challenges
    mockCertManager.setUpdateRoutesCallback(async (routes) => {
      await this.updateRoutes(routes);
    });
    // Connect with HttpProxy if available (mimic real behavior)
    if ((this as any).httpProxyBridge.getHttpProxy()) {
      mockCertManager.setHttpProxy((this as any).httpProxyBridge.getHttpProxy());
    }
    // Set the ACME state manager
    mockCertManager.setAcmeStateManager((this as any).acmeStateManager);
    // Pass down the global ACME config if available
    if ((this as any).settings.acme) {
      mockCertManager.setGlobalAcmeDefaults((this as any).settings.acme);
    }
    await mockCertManager.initialize();
    return mockCertManager;
  };
--- a/test/test.route-update-callback.node.ts
+++ b/test/test.route-update-callback.node.ts
@ -60,6 +60,9 @@ tap.test('should preserve route update callback after updateRoutes', async () =>
        // This is where the callback is actually set in the real implementation
        return Promise.resolve();
      },
      provisionAllCertificates: async function() {
        return Promise.resolve();
      },
      stop: async function() {},
      getAcmeOptions: function() {
        return { email: 'test@testdomain.test' };
@ -114,6 +117,7 @@ tap.test('should preserve route update callback after updateRoutes', async () =>
        setGlobalAcmeDefaults: function() {},
        setAcmeStateManager: function() {},
        initialize: async function() {},
        provisionAllCertificates: async function() {},
        stop: async function() {},
        getAcmeOptions: function() {
          return { email: 'test@testdomain.test' };
@ -233,6 +237,7 @@ tap.test('should handle route updates when cert manager is not initialized', asy
      updateRoutesCallback: null,
      setHttpProxy: function() {},
      initialize: async function() {},
      provisionAllCertificates: async function() {},
      stop: async function() {},
      getAcmeOptions: function() {
        return { email: 'test@testdomain.test' };
@ -295,6 +300,7 @@ tap.test('real code integration test - verify fix is applied', async () => {
      setGlobalAcmeDefaults: function() {},
      setAcmeStateManager: function() {},
      initialize: async function() {},
      provisionAllCertificates: async function() {},
      stop: async function() {},
      getAcmeOptions: function() {
        return acmeOptions || { email: 'test@example.com', useProduction: false };
--- a/test/test.simple-acme-mock.ts
+++ b/test/test.simple-acme-mock.ts
@ -45,8 +45,12 @@ tap.test('should properly initialize with ACME configuration', async (tools) =>
      setGlobalAcmeDefaults: () => {},
      setAcmeStateManager: () => {},
      initialize: async () => {
        // Using logger would be better but in test we'll keep console.log
        console.log('Mock certificate manager initialized');
      },
      provisionAllCertificates: async () => {
        console.log('Mock certificate provisioning');
      },
      stop: async () => {
        console.log('Mock certificate manager stopped');
      }
@ -55,7 +59,10 @@ tap.test('should properly initialize with ACME configuration', async (tools) =>
  // Mock NFTables
  (proxy as any).nftablesManager = {
-    ensureNFTablesSetup: async () => {},
+    provisionRoute: async () => {},
    deprovisionRoute: async () => {},
    updateRoute: async () => {},
    getStatus: async () => ({}),
    stop: async () => {}
  };
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '19.3.7',
+  version: '19.3.13',
  description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }
--- a/ts/core/utils/index.ts
+++ b/ts/core/utils/index.ts
@ -12,3 +12,4 @@ export * from './security-utils.js';
 export * from './shared-security-manager.js';
 export * from './event-system.js';
 export * from './websocket-utils.js';
 export * from './logger.js';
--- a/ts/core/utils/logger.ts
+++ b/ts/core/utils/logger.ts
@ -0,0 +1,10 @@
 import * as plugins from '../../plugins.js';
 export const logger = new plugins.smartlog.Smartlog({
  logContext: {},
  minimumLogLevel: 'info',
 });
 logger.addLogDestination(new plugins.smartlogDestinationLocal.DestinationLocal());
 logger.log('info', 'Logger initialized');
--- a/ts/plugins.ts
+++ b/ts/plugins.ts
@ -26,6 +26,8 @@ import * as smartcrypto from '@push.rocks/smartcrypto';
 import * as smartacme from '@push.rocks/smartacme';
 import * as smartacmePlugins from '@push.rocks/smartacme/dist_ts/smartacme.plugins.js';
 import * as smartacmeHandlers from '@push.rocks/smartacme/dist_ts/handlers/index.js';
 import * as smartlog from '@push.rocks/smartlog';
 import * as smartlogDestinationLocal from '@push.rocks/smartlog/destination-local';
 import * as taskbuffer from '@push.rocks/taskbuffer';
 export {
@ -39,6 +41,8 @@ export {
  smartacme,
  smartacmePlugins,
  smartacmeHandlers,
  smartlog,
  smartlogDestinationLocal,
  taskbuffer,
 };
--- a/ts/proxies/http-proxy/handlers/static-handler.ts
+++ b/ts/proxies/http-proxy/handlers/static-handler.ts
@ -24,7 +24,8 @@ export class StaticHandler {
    socket: plugins.net.Socket,
    route: IRouteConfig,
    context: IStaticHandlerContext,
-    record: IConnectionRecord
+    record: IConnectionRecord,
    initialChunk?: Buffer
  ): Promise<void> {
    const { connectionId, connectionManager, settings } = context;
    const logger = context.logger || createLogger(settings.logLevel || 'info');
@ -239,7 +240,16 @@ export class StaticHandler {
      }
    };
-    // Listen for data
+    // Process initial chunk if provided
    if (initialChunk && initialChunk.length > 0) {
      if (settings.enableDetailedLogging) {
        logger.info(`[${connectionId}] Processing initial data chunk (${initialChunk.length} bytes)`);
      }
      // Process the initial chunk immediately
      handleHttpData(initialChunk);
    }
    // Listen for additional data
    socket.on('data', handleHttpData);
    // Ensure cleanup on socket close
--- a/ts/proxies/smart-proxy/certificate-manager.ts
+++ b/ts/proxies/smart-proxy/certificate-manager.ts
@ -4,6 +4,7 @@ import type { IRouteConfig, IRouteTls } from './models/route-types.js';
 import type { IAcmeOptions } from './models/interfaces.js';
 import { CertStore } from './cert-store.js';
 import type { AcmeStateManager } from './acme-state-manager.js';
 import { logger } from '../../core/utils/logger.js';
 export interface ICertStatus {
  domain: string;
@ -125,15 +126,16 @@ export class SmartCertManager {
      // Add challenge route once at initialization if not already active
      if (!this.challengeRouteActive) {
-        console.log('Adding ACME challenge route during initialization');
+        logger.log('info', 'Adding ACME challenge route during initialization', { component: 'certificate-manager' });
        await this.addChallengeRoute();
      } else {
-        console.log('Challenge route already active from previous instance');
+        logger.log('info', 'Challenge route already active from previous instance', { component: 'certificate-manager' });
      }
    }
-    // Provision certificates for all routes
+    // Skip automatic certificate provisioning during initialization
-    await this.provisionAllCertificates();
+    // This will be called later after ports are listening
    logger.log('info', 'Certificate manager initialized. Deferring certificate provisioning until after ports are listening.', { component: 'certificate-manager' });
    // Start renewal timer
    this.startRenewalTimer();
@ -142,7 +144,7 @@ export class SmartCertManager {
  /**
   * Provision certificates for all routes that need them
   */
-  private async provisionAllCertificates(): Promise<void> {
+  public async provisionAllCertificates(): Promise<void> {
    const certRoutes = this.routes.filter(r => 
      r.action.tls?.mode === 'terminate' || 
      r.action.tls?.mode === 'terminate-and-reencrypt'
@ -156,7 +158,7 @@ export class SmartCertManager {
        try {
          await this.provisionCertificate(route, true); // Allow concurrent since we're managing it here
        } catch (error) {
-          console.error(`Failed to provision certificate for route ${route.name}: ${error}`);
+          logger.log('error', `Failed to provision certificate for route ${route.name}`, { routeName: route.name, error, component: 'certificate-manager' });
        }
      }
    } finally {
@ -175,13 +177,13 @@ export class SmartCertManager {
    // Check if provisioning is already in progress (prevent concurrent provisioning)
    if (!allowConcurrent && this.isProvisioning) {
-      console.log(`Certificate provisioning already in progress, skipping ${route.name}`);
+      logger.log('info', `Certificate provisioning already in progress, skipping ${route.name}`, { routeName: route.name, component: 'certificate-manager' });
      return;
    }
    const domains = this.extractDomainsFromRoute(route);
    if (domains.length === 0) {
-      console.warn(`Route ${route.name} has TLS termination but no domains`);
+      logger.log('warn', `Route ${route.name} has TLS termination but no domains`, { routeName: route.name, component: 'certificate-manager' });
      return;
    }
@ -218,7 +220,7 @@ export class SmartCertManager {
    // Check if we already have a valid certificate
    const existingCert = await this.certStore.getCertificate(routeName);
    if (existingCert && this.isCertificateValid(existingCert)) {
-      console.log(`Using existing valid certificate for ${primaryDomain}`);
+      logger.log('info', `Using existing valid certificate for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
      await this.applyCertificate(primaryDomain, existingCert);
      this.updateCertStatus(routeName, 'valid', 'acme', existingCert);
      return;
@ -229,7 +231,7 @@ export class SmartCertManager {
                         this.globalAcmeDefaults?.renewThresholdDays || 
                         30;
-    console.log(`Requesting ACME certificate for ${domains.join(', ')} (renew ${renewThreshold} days before expiry)`);
+    logger.log('info', `Requesting ACME certificate for ${domains.join(', ')} (renew ${renewThreshold} days before expiry)`, { domains: domains.join(', '), renewThreshold, component: 'certificate-manager' });
    this.updateCertStatus(routeName, 'pending', 'acme');
    try {
@ -251,7 +253,7 @@ export class SmartCertManager {
                                    hasDnsChallenge;
      if (shouldIncludeWildcard) {
-        console.log(`Requesting wildcard certificate for ${primaryDomain} (DNS-01 available)`);
+        logger.log('info', `Requesting wildcard certificate for ${primaryDomain} (DNS-01 available)`, { domain: primaryDomain, challengeType: 'DNS-01', component: 'certificate-manager' });
      }
      // Use smartacme to get certificate with optional wildcard
@ -278,9 +280,9 @@ export class SmartCertManager {
      await this.applyCertificate(primaryDomain, certData);
      this.updateCertStatus(routeName, 'valid', 'acme', certData);
-      console.log(`Successfully provisioned ACME certificate for ${primaryDomain}`);
+      logger.log('info', `Successfully provisioned ACME certificate for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
    } catch (error) {
-      console.error(`Failed to provision ACME certificate for ${primaryDomain}: ${error}`);
+      logger.log('error', `Failed to provision ACME certificate for ${primaryDomain}: ${error.message}`, { domain: primaryDomain, error: error.message, component: 'certificate-manager' });
      this.updateCertStatus(routeName, 'error', 'acme', undefined, error.message);
      throw error;
    }
@ -327,9 +329,9 @@ export class SmartCertManager {
      await this.applyCertificate(domain, certData);
      this.updateCertStatus(routeName, 'valid', 'static', certData);
-      console.log(`Successfully loaded static certificate for ${domain}`);
+      logger.log('info', `Successfully loaded static certificate for ${domain}`, { domain, component: 'certificate-manager' });
    } catch (error) {
-      console.error(`Failed to provision static certificate for ${domain}: ${error}`);
+      logger.log('error', `Failed to provision static certificate for ${domain}: ${error.message}`, { domain, error: error.message, component: 'certificate-manager' });
      this.updateCertStatus(routeName, 'error', 'static', undefined, error.message);
      throw error;
    }
@ -340,7 +342,7 @@ export class SmartCertManager {
   */
  private async applyCertificate(domain: string, certData: ICertificateData): Promise<void> {
    if (!this.httpProxy) {
-      console.warn('HttpProxy not set, cannot apply certificate');
+      logger.log('warn', `HttpProxy not set, cannot apply certificate for domain ${domain}`, { domain, component: 'certificate-manager' });
      return;
    }
@ -397,13 +399,13 @@ export class SmartCertManager {
  private async addChallengeRoute(): Promise<void> {
    // Check with state manager first
    if (this.acmeStateManager && this.acmeStateManager.isChallengeRouteActive()) {
-      console.log('Challenge route already active in global state, skipping');
+      logger.log('info', 'Challenge route already active in global state, skipping', { component: 'certificate-manager' });
      this.challengeRouteActive = true;
      return;
    }
    if (this.challengeRouteActive) {
-      console.log('Challenge route already active locally, skipping');
+      logger.log('info', 'Challenge route already active locally, skipping', { component: 'certificate-manager' });
      return;
    }
@ -414,6 +416,33 @@ export class SmartCertManager {
    if (!this.challengeRoute) {
      throw new Error('Challenge route not initialized');
    }
    // Get the challenge port
    const challengePort = this.globalAcmeDefaults?.port || 80;
    // Check if any existing routes are already using this port
    const portInUseByRoutes = this.routes.some(route => {
      const routePorts = Array.isArray(route.match.ports) ? route.match.ports : [route.match.ports];
      return routePorts.some(p => {
        // Handle both number and port range objects
        if (typeof p === 'number') {
          return p === challengePort;
        } else if (typeof p === 'object' && 'from' in p && 'to' in p) {
          // Port range case - check if challengePort is in range
          return challengePort >= p.from && challengePort <= p.to;
        }
        return false;
      });
    });
    if (portInUseByRoutes) {
      logger.log('info', `Port ${challengePort} is already used by another route, merging ACME challenge route`, {
        port: challengePort,
        component: 'certificate-manager'
      });
    }
    // Add the challenge route
    const challengeRoute = this.challengeRoute;
    try {
@ -426,12 +455,29 @@ export class SmartCertManager {
        this.acmeStateManager.addChallengeRoute(challengeRoute);
      }
-      console.log('ACME challenge route successfully added');
+      logger.log('info', 'ACME challenge route successfully added', { component: 'certificate-manager' });
    } catch (error) {
-      console.error('Failed to add challenge route:', error);
+      // Handle specific EADDRINUSE errors differently based on whether it's an internal conflict
      if ((error as any).code === 'EADDRINUSE') {
-        throw new Error(`Port ${this.globalAcmeDefaults?.port || 80} is already in use for ACME challenges`);
+        logger.log('error', `Failed to add challenge route on port ${challengePort}: ${error.message}`, { 
          error: error.message, 
          port: challengePort,
          component: 'certificate-manager'
        });
        // Provide a more informative error message
        throw new Error(
          `Port ${challengePort} is already in use. ` + 
          `If it's in use by an external process, configure a different port in the ACME settings. ` +
          `If it's in use by SmartProxy, there may be a route configuration issue.`
        );
      }
      // Log and rethrow other errors
      logger.log('error', `Failed to add challenge route: ${error.message}`, { 
        error: error.message, 
        component: 'certificate-manager' 
      });
      throw error;
    }
  }
@ -441,7 +487,7 @@ export class SmartCertManager {
   */
  private async removeChallengeRoute(): Promise<void> {
    if (!this.challengeRouteActive) {
-      console.log('Challenge route not active, skipping removal');
+      logger.log('info', 'Challenge route not active, skipping removal', { component: 'certificate-manager' });
      return;
    }
@ -459,9 +505,9 @@ export class SmartCertManager {
        this.acmeStateManager.removeChallengeRoute('acme-challenge');
      }
-      console.log('ACME challenge route successfully removed');
+      logger.log('info', 'ACME challenge route successfully removed', { component: 'certificate-manager' });
    } catch (error) {
-      console.error('Failed to remove challenge route:', error);
+      logger.log('error', `Failed to remove challenge route: ${error.message}`, { error: error.message, component: 'certificate-manager' });
      // Reset the flag even on error to avoid getting stuck
      this.challengeRouteActive = false;
      throw error;
@ -491,11 +537,11 @@ export class SmartCertManager {
        const cert = await this.certStore.getCertificate(routeName);
        if (cert && !this.isCertificateValid(cert)) {
-          console.log(`Certificate for ${routeName} needs renewal`);
+          logger.log('info', `Certificate for ${routeName} needs renewal`, { routeName, component: 'certificate-manager' });
          try {
            await this.provisionCertificate(route);
          } catch (error) {
-            console.error(`Failed to renew certificate for ${routeName}: ${error}`);
+            logger.log('error', `Failed to renew certificate for ${routeName}: ${error.message}`, { routeName, error: error.message, component: 'certificate-manager' });
          }
        }
      }
@ -620,7 +666,7 @@ export class SmartCertManager {
    // Always remove challenge route on shutdown
    if (this.challengeRoute) {
-      console.log('Removing ACME challenge route during shutdown');
+      logger.log('info', 'Removing ACME challenge route during shutdown', { component: 'certificate-manager' });
      await this.removeChallengeRoute();
    }
--- a/ts/proxies/smart-proxy/connection-manager.ts
+++ b/ts/proxies/smart-proxy/connection-manager.ts
@ -2,6 +2,7 @@ import * as plugins from '../../plugins.js';
 import type { IConnectionRecord, ISmartProxyOptions } from './models/interfaces.js';
 import { SecurityManager } from './security-manager.js';
 import { TimeoutManager } from './timeout-manager.js';
 import { logger } from '../../core/utils/logger.js';
 /**
 * Manages connection lifecycle, tracking, and cleanup
@ -97,7 +98,7 @@ export class ConnectionManager {
   */
  public initiateCleanupOnce(record: IConnectionRecord, reason: string = 'normal'): void {
    if (this.settings.enableDetailedLogging) {
-      console.log(`[${record.id}] Connection cleanup initiated for ${record.remoteIP} (${reason})`);
+      logger.log('info', `Connection cleanup initiated`, { connectionId: record.id, remoteIP: record.remoteIP, reason, component: 'connection-manager' });
    }
    if (
@ -139,7 +140,7 @@ export class ConnectionManager {
          // Reset the handler references
          record.renegotiationHandler = undefined;
        } catch (err) {
-          console.log(`[${record.id}] Error removing data handlers: ${err}`);
+          logger.log('error', `Error removing data handlers for connection ${record.id}: ${err}`, { connectionId: record.id, error: err, component: 'connection-manager' });
        }
      }
@ -160,16 +161,36 @@ export class ConnectionManager {
      // Log connection details
      if (this.settings.enableDetailedLogging) {
-        console.log(
+        logger.log('info', 
-          `[${record.id}] Connection from ${record.remoteIP} on port ${record.localPort} terminated (${reason}).` +
+          `Connection from ${record.remoteIP} on port ${record.localPort} terminated (${reason}). ` +
-            ` Duration: ${plugins.prettyMs(duration)}, Bytes IN: ${bytesReceived}, OUT: ${bytesSent}, ` +
+          `Duration: ${plugins.prettyMs(duration)}, Bytes IN: ${bytesReceived}, OUT: ${bytesSent}, ` +
-            `TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${record.hasKeepAlive ? 'Yes' : 'No'}` +
+          `TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${record.hasKeepAlive ? 'Yes' : 'No'}` +
-            `${record.usingNetworkProxy ? ', Using NetworkProxy' : ''}` +
+          `${record.usingNetworkProxy ? ', Using NetworkProxy' : ''}` +
-            `${record.domainSwitches ? `, Domain switches: ${record.domainSwitches}` : ''}`
+          `${record.domainSwitches ? `, Domain switches: ${record.domainSwitches}` : ''}`, 
          {
            connectionId: record.id,
            remoteIP: record.remoteIP,
            localPort: record.localPort,
            reason,
            duration: plugins.prettyMs(duration),
            bytes: { in: bytesReceived, out: bytesSent },
            tls: record.isTLS,
            keepAlive: record.hasKeepAlive,
            usingNetworkProxy: record.usingNetworkProxy,
            domainSwitches: record.domainSwitches || 0,
            component: 'connection-manager'
          }
        );
      } else {
-        console.log(
+        logger.log('info', 
-          `[${record.id}] Connection from ${record.remoteIP} terminated (${reason}). Active connections: ${this.connectionRecords.size}`
+          `Connection from ${record.remoteIP} terminated (${reason}). Active connections: ${this.connectionRecords.size}`, 
          {
            connectionId: record.id,
            remoteIP: record.remoteIP,
            reason,
            activeConnections: this.connectionRecords.size,
            component: 'connection-manager'
          }
        );
      }
    }
@ -189,7 +210,7 @@ export class ConnectionManager {
              socket.destroy();
            }
          } catch (err) {
-            console.log(`[${record.id}] Error destroying ${side} socket: ${err}`);
+            logger.log('error', `Error destroying ${side} socket for connection ${record.id}: ${err}`, { connectionId: record.id, side, error: err, component: 'connection-manager' });
          }
        }, 1000);
@ -199,13 +220,13 @@ export class ConnectionManager {
        }
      }
    } catch (err) {
-      console.log(`[${record.id}] Error closing ${side} socket: ${err}`);
+      logger.log('error', `Error closing ${side} socket for connection ${record.id}: ${err}`, { connectionId: record.id, side, error: err, component: 'connection-manager' });
      try {
        if (!socket.destroyed) {
          socket.destroy();
        }
      } catch (destroyErr) {
-        console.log(`[${record.id}] Error destroying ${side} socket: ${destroyErr}`);
+        logger.log('error', `Error destroying ${side} socket for connection ${record.id}: ${destroyErr}`, { connectionId: record.id, side, error: destroyErr, component: 'connection-manager' });
      }
    }
  }
@ -224,21 +245,36 @@ export class ConnectionManager {
      if (code === 'ECONNRESET') {
        reason = 'econnreset';
-        console.log(
+        logger.log('warn', `ECONNRESET on ${side} connection from ${record.remoteIP}. Error: ${err.message}. Duration: ${plugins.prettyMs(connectionDuration)}, Last activity: ${plugins.prettyMs(lastActivityAge)}`, {
-          `[${record.id}] ECONNRESET on ${side} side from ${record.remoteIP}: ${err.message}. ` +
+          connectionId: record.id,
-          `Duration: ${plugins.prettyMs(connectionDuration)}, Last activity: ${plugins.prettyMs(lastActivityAge)} ago`
+          side,
-        );
+          remoteIP: record.remoteIP,
          error: err.message,
          duration: plugins.prettyMs(connectionDuration),
          lastActivity: plugins.prettyMs(lastActivityAge),
          component: 'connection-manager'
        });
      } else if (code === 'ETIMEDOUT') {
        reason = 'etimedout';
-        console.log(
+        logger.log('warn', `ETIMEDOUT on ${side} connection from ${record.remoteIP}. Error: ${err.message}. Duration: ${plugins.prettyMs(connectionDuration)}, Last activity: ${plugins.prettyMs(lastActivityAge)}`, {
-          `[${record.id}] ETIMEDOUT on ${side} side from ${record.remoteIP}: ${err.message}. ` +
+          connectionId: record.id,
-          `Duration: ${plugins.prettyMs(connectionDuration)}, Last activity: ${plugins.prettyMs(lastActivityAge)} ago`
+          side,
-        );
+          remoteIP: record.remoteIP,
          error: err.message,
          duration: plugins.prettyMs(connectionDuration),
          lastActivity: plugins.prettyMs(lastActivityAge),
          component: 'connection-manager'
        });
      } else {
-        console.log(
+        logger.log('error', `Error on ${side} connection from ${record.remoteIP}: ${err.message}. Duration: ${plugins.prettyMs(connectionDuration)}, Last activity: ${plugins.prettyMs(lastActivityAge)}`, {
-          `[${record.id}] Error on ${side} side from ${record.remoteIP}: ${err.message}. ` +
+          connectionId: record.id,
-          `Duration: ${plugins.prettyMs(connectionDuration)}, Last activity: ${plugins.prettyMs(lastActivityAge)} ago`
+          side,
-        );
+          remoteIP: record.remoteIP,
          error: err.message,
          duration: plugins.prettyMs(connectionDuration),
          lastActivity: plugins.prettyMs(lastActivityAge),
          component: 'connection-manager'
        });
      }
      if (side === 'incoming' && record.incomingTerminationReason === null) {
@ -259,7 +295,12 @@ export class ConnectionManager {
  public handleClose(side: 'incoming' | 'outgoing', record: IConnectionRecord) {
    return () => {
      if (this.settings.enableDetailedLogging) {
-        console.log(`[${record.id}] Connection closed on ${side} side from ${record.remoteIP}`);
+        logger.log('info', `Connection closed on ${side} side`, {
          connectionId: record.id,
          side,
          remoteIP: record.remoteIP,
          component: 'connection-manager'
        });
      }
      if (side === 'incoming' && record.incomingTerminationReason === null) {
@ -321,11 +362,13 @@ export class ConnectionManager {
      if (inactivityTime > effectiveTimeout && !record.connectionClosed) {
        // For keep-alive connections, issue a warning first
        if (record.hasKeepAlive && !record.inactivityWarningIssued) {
-          console.log(
+          logger.log('warn', `Keep-alive connection ${id} from ${record.remoteIP} inactive for ${plugins.prettyMs(inactivityTime)}. Will close in 10 minutes if no activity.`, {
-            `[${id}] Warning: Keep-alive connection from ${record.remoteIP} inactive for ${
+            connectionId: id,
-              plugins.prettyMs(inactivityTime)
+            remoteIP: record.remoteIP,
-            }. Will close in 10 minutes if no activity.`
+            inactiveFor: plugins.prettyMs(inactivityTime),
-          );
+            closureWarning: '10 minutes',
            component: 'connection-manager'
          });
          // Set warning flag and add grace period
          record.inactivityWarningIssued = true;
@ -337,27 +380,30 @@ export class ConnectionManager {
              record.outgoing.write(Buffer.alloc(0));
              if (this.settings.enableDetailedLogging) {
-                console.log(`[${id}] Sent probe packet to test keep-alive connection`);
+                logger.log('info', `Sent probe packet to test keep-alive connection ${id}`, { connectionId: id, component: 'connection-manager' });
              }
            } catch (err) {
-              console.log(`[${id}] Error sending probe packet: ${err}`);
+              logger.log('error', `Error sending probe packet to connection ${id}: ${err}`, { connectionId: id, error: err, component: 'connection-manager' });
            }
          }
        } else {
          // For non-keep-alive or after warning, close the connection
-          console.log(
+          logger.log('warn', `Closing inactive connection ${id} from ${record.remoteIP} (inactive for ${plugins.prettyMs(inactivityTime)}, keep-alive: ${record.hasKeepAlive ? 'Yes' : 'No'})`, {
-            `[${id}] Inactivity check: No activity on connection from ${record.remoteIP} ` +
+            connectionId: id,
-            `for ${plugins.prettyMs(inactivityTime)}.` +
+            remoteIP: record.remoteIP,
-            (record.hasKeepAlive ? ' Despite keep-alive being enabled.' : '')
+            inactiveFor: plugins.prettyMs(inactivityTime),
-          );
+            hasKeepAlive: record.hasKeepAlive,
            component: 'connection-manager'
          });
          this.cleanupConnection(record, 'inactivity');
        }
      } else if (inactivityTime <= effectiveTimeout && record.inactivityWarningIssued) {
        // If activity detected after warning, clear the warning
        if (this.settings.enableDetailedLogging) {
-          console.log(
+          logger.log('info', `Connection ${id} activity detected after inactivity warning`, {
-            `[${id}] Connection activity detected after inactivity warning, resetting warning`
+            connectionId: id,
-          );
+            component: 'connection-manager'
          });
        }
        record.inactivityWarningIssued = false;
      }
@ -369,11 +415,12 @@ export class ConnectionManager {
        !record.connectionClosed &&
        now - record.outgoingClosedTime > 120000
      ) {
-        console.log(
+        logger.log('warn', `Parity check: Connection ${id} from ${record.remoteIP} has incoming socket still active ${plugins.prettyMs(now - record.outgoingClosedTime)} after outgoing socket closed`, {
-          `[${id}] Parity check: Incoming socket for ${record.remoteIP} still active ${
+          connectionId: id,
-            plugins.prettyMs(now - record.outgoingClosedTime)
+          remoteIP: record.remoteIP,
-          } after outgoing closed.`
+          timeElapsed: plugins.prettyMs(now - record.outgoingClosedTime),
-        );
+          component: 'connection-manager'
        });
        this.cleanupConnection(record, 'parity_check');
      }
    }
@ -406,7 +453,7 @@ export class ConnectionManager {
            record.outgoing.end();
          }
        } catch (err) {
-          console.log(`Error during graceful connection end for ${id}: ${err}`);
+          logger.log('error', `Error during graceful end of connection ${id}: ${err}`, { connectionId: id, error: err, component: 'connection-manager' });
        }
      }
    }
@ -433,7 +480,7 @@ export class ConnectionManager {
              }
            }
          } catch (err) {
-            console.log(`Error during forced connection destruction for ${id}: ${err}`);
+            logger.log('error', `Error during forced destruction of connection ${id}: ${err}`, { connectionId: id, error: err, component: 'connection-manager' });
          }
        }
      }
--- a/ts/proxies/smart-proxy/http-proxy-bridge.ts
+++ b/ts/proxies/smart-proxy/http-proxy-bridge.ts
@ -63,11 +63,24 @@ export class HttpProxyBridge {
   */
  private routeToHttpProxyConfig(route: IRouteConfig): any {
    // Convert route to HttpProxy domain config format
    let domain = '*';
    if (route.match.domains) {
      if (Array.isArray(route.match.domains)) {
        domain = route.match.domains[0] || '*';
      } else {
        domain = route.match.domains;
      }
    }
    return {
-      domain: route.match.domains?.[0] || '*',
+      domain,
      target: route.action.target,
      tls: route.action.tls,
-      security: route.action.security
+      security: route.action.security,
      match: {
        ...route.match,
        domains: domain  // Ensure domains is always set for HttpProxy
      }
    };
  }
--- a/ts/proxies/smart-proxy/port-manager.ts
+++ b/ts/proxies/smart-proxy/port-manager.ts
@ -1,6 +1,7 @@
 import * as plugins from '../../plugins.js';
 import type { ISmartProxyOptions } from './models/interfaces.js';
 import { RouteConnectionHandler } from './route-connection-handler.js';
 import { logger } from '../../core/utils/logger.js';
 /**
 * PortManager handles the dynamic creation and removal of port listeners
@ -8,12 +9,17 @@ import { RouteConnectionHandler } from './route-connection-handler.js';
 * This class provides methods to add and remove listening ports at runtime,
 * allowing SmartProxy to adapt to configuration changes without requiring
 * a full restart.
 * 
 * It includes a reference counting system to track how many routes are using
 * each port, so ports can be automatically released when they are no longer needed.
 */
 export class PortManager {
  private servers: Map<number, plugins.net.Server> = new Map();
  private settings: ISmartProxyOptions;
  private routeConnectionHandler: RouteConnectionHandler;
  private isShuttingDown: boolean = false;
  // Track how many routes are using each port
  private portRefCounts: Map<number, number> = new Map();
  /**
   * Create a new PortManager
@ -38,10 +44,18 @@ export class PortManager {
  public async addPort(port: number): Promise<void> {
    // Check if we're already listening on this port
    if (this.servers.has(port)) {
-      console.log(`PortManager: Already listening on port ${port}`);
+      // Port is already bound, just increment the reference count
      this.incrementPortRefCount(port);
      logger.log('debug', `PortManager: Port ${port} is already bound by SmartProxy, reusing binding`, { 
        port,
        component: 'port-manager'
      });
      return;
    }
    // Initialize reference count for new port
    this.portRefCounts.set(port, 1);
    // Create a server for this port
    const server = plugins.net.createServer((socket) => {
      // Check if shutting down
@ -54,24 +68,56 @@ export class PortManager {
      // Delegate to route connection handler
      this.routeConnectionHandler.handleConnection(socket);
    }).on('error', (err: Error) => {
-      console.log(`Server Error on port ${port}: ${err.message}`);
+      logger.log('error', `Server Error on port ${port}: ${err.message}`, {
        port,
        error: err.message,
        component: 'port-manager'
      });
    });
    // Start listening on the port
    return new Promise<void>((resolve, reject) => {
      server.listen(port, () => {
        const isHttpProxyPort = this.settings.useHttpProxy?.includes(port);
-        console.log(
+        logger.log('info', `SmartProxy -> OK: Now listening on port ${port}${
-          `SmartProxy -> OK: Now listening on port ${port}${
+          isHttpProxyPort ? ' (HttpProxy forwarding enabled)' : ''
-            isHttpProxyPort ? ' (HttpProxy forwarding enabled)' : ''
+        }`, {
-          }`
+          port,
-        );
+          isHttpProxyPort: !!isHttpProxyPort,
          component: 'port-manager'
        });
        // Store the server reference
        this.servers.set(port, server);
        resolve();
      }).on('error', (err) => {
-        console.log(`Failed to listen on port ${port}: ${err.message}`);
+        // Check if this is an external conflict
        const { isConflict, isExternal } = this.isPortConflict(err);
        if (isConflict && !isExternal) {
          // This is an internal conflict (port already bound by SmartProxy)
          // This shouldn't normally happen because we check servers.has(port) above
          logger.log('warn', `Port ${port} binding conflict: already in use by SmartProxy`, {
            port,
            component: 'port-manager'
          });
          // Still increment reference count to maintain tracking
          this.incrementPortRefCount(port);
          resolve();
          return;
        }
        // Log the error and propagate it
        logger.log('error', `Failed to listen on port ${port}: ${err.message}`, {
          port,
          error: err.message,
          code: (err as any).code,
          component: 'port-manager'
        });
        // Clean up reference count since binding failed
        this.portRefCounts.delete(port);
        reject(err);
      });
    });
@ -84,10 +130,28 @@ export class PortManager {
   * @returns Promise that resolves when the server is closed
   */
  public async removePort(port: number): Promise<void> {
    // Decrement the reference count first
    const newRefCount = this.decrementPortRefCount(port);
    // If there are still references to this port, keep it open
    if (newRefCount > 0) {
      logger.log('debug', `PortManager: Port ${port} still has ${newRefCount} references, keeping open`, {
        port,
        refCount: newRefCount,
        component: 'port-manager'
      });
      return;
    }
    // Get the server for this port
    const server = this.servers.get(port);
    if (!server) {
-      console.log(`PortManager: Not listening on port ${port}`);
+      logger.log('warn', `PortManager: Not listening on port ${port}`, {
        port,
        component: 'port-manager'
      });
      // Ensure reference count is reset
      this.portRefCounts.delete(port);
      return;
    }
@ -95,13 +159,21 @@ export class PortManager {
    return new Promise<void>((resolve) => {
      server.close((err) => {
        if (err) {
-          console.log(`Error closing server on port ${port}: ${err.message}`);
+          logger.log('error', `Error closing server on port ${port}: ${err.message}`, {
            port,
            error: err.message,
            component: 'port-manager'
          });
        } else {
-          console.log(`SmartProxy -> Stopped listening on port ${port}`);
+          logger.log('info', `SmartProxy -> Stopped listening on port ${port}`, {
            port,
            component: 'port-manager'
          });
        }
-        // Remove the server reference
+        // Remove the server reference and clean up reference counting
        this.servers.delete(port);
        this.portRefCounts.delete(port);
        resolve();
      });
    });
@ -192,4 +264,89 @@ export class PortManager {
  public getServers(): Map<number, plugins.net.Server> {
    return new Map(this.servers);
  }
  /**
   * Check if a port is bound by this SmartProxy instance
   * 
   * @param port The port number to check
   * @returns True if the port is currently bound by SmartProxy
   */
  public isPortBoundBySmartProxy(port: number): boolean {
    return this.servers.has(port);
  }
  /**
   * Get the current reference count for a port
   * 
   * @param port The port number to check
   * @returns The number of routes using this port, 0 if none
   */
  public getPortRefCount(port: number): number {
    return this.portRefCounts.get(port) || 0;
  }
  /**
   * Increment the reference count for a port
   * 
   * @param port The port number to increment
   * @returns The new reference count
   */
  public incrementPortRefCount(port: number): number {
    const currentCount = this.portRefCounts.get(port) || 0;
    const newCount = currentCount + 1;
    this.portRefCounts.set(port, newCount);
    logger.log('debug', `Port ${port} reference count increased to ${newCount}`, { 
      port, 
      refCount: newCount,
      component: 'port-manager' 
    });
    return newCount;
  }
  /**
   * Decrement the reference count for a port
   * 
   * @param port The port number to decrement
   * @returns The new reference count
   */
  public decrementPortRefCount(port: number): number {
    const currentCount = this.portRefCounts.get(port) || 0;
    if (currentCount <= 0) {
      logger.log('warn', `Attempted to decrement reference count for port ${port} below zero`, { 
        port,
        component: 'port-manager'
      });
      return 0;
    }
    const newCount = currentCount - 1;
    this.portRefCounts.set(port, newCount);
    logger.log('debug', `Port ${port} reference count decreased to ${newCount}`, { 
      port, 
      refCount: newCount,
      component: 'port-manager'
    });
    return newCount;
  }
  /**
   * Determine if a port binding error is due to an external or internal conflict
   * 
   * @param error The error object from a failed port binding
   * @returns Object indicating if this is a conflict and if it's external
   */
  private isPortConflict(error: any): { isConflict: boolean; isExternal: boolean } {
    if (error.code !== 'EADDRINUSE') {
      return { isConflict: false, isExternal: false };
    }
    // Check if we already have this port
    const isBoundInternally = this.servers.has(Number(error.port));
    return { isConflict: true, isExternal: !isBoundInternally };
  }
 }
--- a/ts/proxies/smart-proxy/route-connection-handler.ts
+++ b/ts/proxies/smart-proxy/route-connection-handler.ts
@ -1,5 +1,6 @@
 import * as plugins from '../../plugins.js';
 import type { IConnectionRecord, ISmartProxyOptions } from './models/interfaces.js';
 import { logger } from '../../core/utils/logger.js';
 // Route checking functions have been removed
 import type { IRouteConfig, IRouteAction, IRouteContext } from './models/route-types.js';
 import { ConnectionManager } from './connection-manager.js';
@ -83,7 +84,7 @@ export class RouteConnectionHandler {
    // Validate IP against rate limits and connection limits
    const ipValidation = this.securityManager.validateIP(remoteIP);
    if (!ipValidation.allowed) {
-      console.log(`Connection rejected from ${remoteIP}: ${ipValidation.reason}`);
+      logger.log('warn', `Connection rejected`, { remoteIP, reason: ipValidation.reason, component: 'route-handler' });
      socket.end();
      socket.destroy();
      return;
@ -114,21 +115,35 @@ export class RouteConnectionHandler {
        } catch (err) {
          // Ignore errors - these are optional enhancements
          if (this.settings.enableDetailedLogging) {
-            console.log(`[${connectionId}] Enhanced TCP keep-alive settings not supported: ${err}`);
+            logger.log('warn', `Enhanced TCP keep-alive settings not supported`, { connectionId, error: err, component: 'route-handler' });
          }
        }
      }
    }
    if (this.settings.enableDetailedLogging) {
-      console.log(
+      logger.log('info', 
-        `[${connectionId}] New connection from ${remoteIP} on port ${localPort}. ` +
+        `New connection from ${remoteIP} on port ${localPort}. ` +
-          `Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` +
+        `Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` +
-          `Active connections: ${this.connectionManager.getConnectionCount()}`
+        `Active connections: ${this.connectionManager.getConnectionCount()}`, 
        {
          connectionId,
          remoteIP,
          localPort,
          keepAlive: record.hasKeepAlive ? 'Enabled' : 'Disabled',
          activeConnections: this.connectionManager.getConnectionCount(),
          component: 'route-handler'
        }
      );
    } else {
-      console.log(
+      logger.log('info', 
-        `New connection from ${remoteIP} on port ${localPort}. Active connections: ${this.connectionManager.getConnectionCount()}`
+        `New connection from ${remoteIP} on port ${localPort}. Active connections: ${this.connectionManager.getConnectionCount()}`, 
        {
          remoteIP,
          localPort,
          activeConnections: this.connectionManager.getConnectionCount(),
          component: 'route-handler'
        }
      );
    }
@ -147,14 +162,20 @@ export class RouteConnectionHandler {
    // Set an initial timeout for handshake data
    let initialTimeout: NodeJS.Timeout | null = setTimeout(() => {
      if (!initialDataReceived) {
-        console.log(
+        logger.log('warn', `No initial data received from ${record.remoteIP} after ${this.settings.initialDataTimeout}ms for connection ${connectionId}`, {
-          `[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}`
+          connectionId,
-        );
+          timeout: this.settings.initialDataTimeout,
          remoteIP: record.remoteIP,
          component: 'route-handler'
        });
        // Add a grace period
        setTimeout(() => {
          if (!initialDataReceived) {
-            console.log(`[${connectionId}] Final initial data timeout after grace period`);
+            logger.log('warn', `Final initial data timeout after grace period for connection ${connectionId}`, {
              connectionId,
              component: 'route-handler'
            });
            if (record.incomingTerminationReason === null) {
              record.incomingTerminationReason = 'initial_timeout';
              this.connectionManager.incrementTerminationStat('incoming', 'initial_timeout');
@ -187,10 +208,11 @@ export class RouteConnectionHandler {
      // Block non-TLS connections on port 443
      if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) {
-        console.log(
+        logger.log('warn', `Non-TLS connection ${connectionId} detected on port 443. Terminating connection - only TLS traffic is allowed on standard HTTPS port.`, {
-          `[${connectionId}] Non-TLS connection detected on port 443. ` +
+          connectionId,
-            `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+          message: 'Terminating connection - only TLS traffic is allowed on standard HTTPS port.',
-        );
+          component: 'route-handler'
        });
        if (record.incomingTerminationReason === null) {
          record.incomingTerminationReason = 'non_tls_blocked';
          this.connectionManager.incrementTerminationStat('incoming', 'non_tls_blocked');
@ -223,7 +245,10 @@ export class RouteConnectionHandler {
          // Check if we should reject connections without SNI
          if (!serverName && this.settings.allowSessionTicket === false) {
-            console.log(`[${connectionId}] No SNI detected in TLS ClientHello; sending TLS alert.`);
+            logger.log('warn', `No SNI detected in TLS ClientHello for connection ${connectionId}; sending TLS alert`, {
              connectionId,
              component: 'route-handler'
            });
            if (record.incomingTerminationReason === null) {
              record.incomingTerminationReason = 'session_ticket_blocked_no_sni';
              this.connectionManager.incrementTerminationStat(
@ -245,7 +270,11 @@ export class RouteConnectionHandler {
          }
          if (this.settings.enableDetailedLogging) {
-            console.log(`[${connectionId}] TLS connection with SNI: ${serverName || '(empty)'}`);
+            logger.log('info', `TLS connection with SNI`, {
              connectionId,
              serverName: serverName || '(empty)',
              component: 'route-handler'
            });
          }
        }
      }
@ -278,12 +307,18 @@ export class RouteConnectionHandler {
    });
    if (!routeMatch) {
-      console.log(
+      logger.log('warn', `No route found for ${serverName || 'connection'} on port ${localPort} (connection: ${connectionId})`, {
-        `[${connectionId}] No route found for ${serverName || 'connection'} on port ${localPort}`
+        connectionId,
-      );
+        serverName: serverName || 'connection',
        localPort,
        component: 'route-handler'
      });
      // No matching route, use default/fallback handling
-      console.log(`[${connectionId}] Using default route handling for connection`);
+      logger.log('info', `Using default route handling for connection ${connectionId}`, {
        connectionId,
        component: 'route-handler'
      });
      // Check default security settings
      const defaultSecuritySettings = this.settings.defaults?.security;
@ -296,7 +331,11 @@ export class RouteConnectionHandler {
          );
          if (!isAllowed) {
-            console.log(`[${connectionId}] IP ${remoteIP} not in default allowed list`);
+            logger.log('warn', `IP ${remoteIP} not in default allowed list for connection ${connectionId}`, {
              connectionId,
              remoteIP,
              component: 'route-handler'
            });
            socket.end();
            this.connectionManager.cleanupConnection(record, 'ip_blocked');
            return;
@ -321,7 +360,10 @@ export class RouteConnectionHandler {
        );
      } else {
        // No default target available, terminate the connection
-        console.log(`[${connectionId}] No default target configured. Closing connection.`);
+        logger.log('warn', `No default target configured for connection ${connectionId}. Closing connection`, {
          connectionId,
          component: 'route-handler'
        });
        socket.end();
        this.connectionManager.cleanupConnection(record, 'no_default_target');
        return;
@ -332,11 +374,13 @@ export class RouteConnectionHandler {
    const route = routeMatch.route;
    if (this.settings.enableDetailedLogging) {
-      console.log(
+      logger.log('info', `Route matched`, {
-        `[${connectionId}] Route matched: "${route.name || 'unnamed'}" for ${
+        connectionId,
-          serverName || 'connection'
+        routeName: route.name || 'unnamed',
-        } on port ${localPort}`
+        serverName: serverName || 'connection',
-      );
+        localPort,
        component: 'route-handler'
      });
    }
@ -352,11 +396,15 @@ export class RouteConnectionHandler {
        return this.handleBlockAction(socket, record, route);
      case 'static':
-        this.handleStaticAction(socket, record, route);
+        this.handleStaticAction(socket, record, route, initialChunk);
        return;
      default:
-        console.log(`[${connectionId}] Unknown action type: ${(route.action as any).type}`);
+        logger.log('error', `Unknown action type '${(route.action as any).type}' for connection ${connectionId}`, {
          connectionId,
          actionType: (route.action as any).type,
          component: 'route-handler'
        });
        socket.end();
        this.connectionManager.cleanupConnection(record, 'unknown_action');
    }
@ -381,30 +429,36 @@ export class RouteConnectionHandler {
      // Log the connection for monitoring purposes
      if (this.settings.enableDetailedLogging) {
-        console.log(
+        logger.log('info', `NFTables forwarding (kernel-level)`, {
-          `[${record.id}] NFTables forwarding (kernel-level): ` +
+          connectionId: record.id,
-            `${record.remoteIP}:${socket.remotePort} -> ${socket.localAddress}:${record.localPort}` +
+          source: `${record.remoteIP}:${socket.remotePort}`,
-            ` (Route: "${route.name || 'unnamed'}", Domain: ${record.lockedDomain || 'n/a'})`
+          destination: `${socket.localAddress}:${record.localPort}`,
-        );
+          routeName: route.name || 'unnamed',
          domain: record.lockedDomain || 'n/a',
          component: 'route-handler'
        });
      } else {
-        console.log(
+        logger.log('info', `NFTables forwarding`, {
-          `[${record.id}] NFTables forwarding: ${record.remoteIP} -> port ${
+          connectionId: record.id,
-            record.localPort
+          remoteIP: record.remoteIP,
-          } (Route: "${route.name || 'unnamed'}")`
+          localPort: record.localPort,
-        );
+          routeName: route.name || 'unnamed',
          component: 'route-handler'
        });
      }
      // Additional NFTables-specific logging if configured
      if (action.nftables) {
        const nftConfig = action.nftables;
        if (this.settings.enableDetailedLogging) {
-          console.log(
+          logger.log('info', `NFTables config`, {
-            `[${record.id}] NFTables config: ` +
+            connectionId: record.id,
-              `protocol=${nftConfig.protocol || 'tcp'}, ` +
+            protocol: nftConfig.protocol || 'tcp',
-              `preserveSourceIP=${nftConfig.preserveSourceIP || false}, ` +
+            preserveSourceIP: nftConfig.preserveSourceIP || false,
-              `priority=${nftConfig.priority || 'default'}, ` +
+            priority: nftConfig.priority || 'default',
-              `maxRate=${nftConfig.maxRate || 'unlimited'}`
+            maxRate: nftConfig.maxRate || 'unlimited',
-          );
+            component: 'route-handler'
          });
        }
      }
@ -419,7 +473,10 @@ export class RouteConnectionHandler {
    // We should have a target configuration for forwarding
    if (!action.target) {
-      console.log(`[${connectionId}] Forward action missing target configuration`);
+      logger.log('error', `Forward action missing target configuration for connection ${connectionId}`, {
        connectionId,
        component: 'route-handler'
      });
      socket.end();
      this.connectionManager.cleanupConnection(record, 'missing_target');
      return;
@ -447,14 +504,18 @@ export class RouteConnectionHandler {
      try {
        targetHost = action.target.host(routeContext);
        if (this.settings.enableDetailedLogging) {
-          console.log(
+          logger.log('info', `Dynamic host resolved to ${Array.isArray(targetHost) ? targetHost.join(', ') : targetHost} for connection ${connectionId}`, {
-            `[${connectionId}] Dynamic host resolved to: ${
+            connectionId,
-              Array.isArray(targetHost) ? targetHost.join(', ') : targetHost
+            targetHost: Array.isArray(targetHost) ? targetHost.join(', ') : targetHost,
-            }`
+            component: 'route-handler'
-          );
+          });
        }
      } catch (err) {
-        console.log(`[${connectionId}] Error in host mapping function: ${err}`);
+        logger.log('error', `Error in host mapping function for connection ${connectionId}: ${err}`, {
          connectionId,
          error: err,
          component: 'route-handler'
        });
        socket.end();
        this.connectionManager.cleanupConnection(record, 'host_mapping_error');
        return;
@ -474,14 +535,21 @@ export class RouteConnectionHandler {
      try {
        targetPort = action.target.port(routeContext);
        if (this.settings.enableDetailedLogging) {
-          console.log(
+          logger.log('info', `Dynamic port mapping from ${record.localPort} to ${targetPort} for connection ${connectionId}`, {
-            `[${connectionId}] Dynamic port mapping: ${record.localPort} -> ${targetPort}`
+            connectionId,
-          );
+            sourcePort: record.localPort,
            targetPort,
            component: 'route-handler'
          });
        }
        // Store the resolved target port in the context for potential future use
        routeContext.targetPort = targetPort;
      } catch (err) {
-        console.log(`[${connectionId}] Error in port mapping function: ${err}`);
+        logger.log('error', `Error in port mapping function for connection ${connectionId}: ${err}`, {
          connectionId,
          error: err,
          component: 'route-handler'
        });
        socket.end();
        this.connectionManager.cleanupConnection(record, 'port_mapping_error');
        return;
@ -503,7 +571,12 @@ export class RouteConnectionHandler {
        case 'passthrough':
          // For TLS passthrough, just forward directly
          if (this.settings.enableDetailedLogging) {
-            console.log(`[${connectionId}] Using TLS passthrough to ${selectedHost}:${targetPort}`);
+            logger.log('info', `Using TLS passthrough to ${selectedHost}:${targetPort} for connection ${connectionId}`, {
              connectionId,
              targetHost: selectedHost,
              targetPort,
              component: 'route-handler'
            });
          }
          return this.setupDirectConnection(
@ -521,9 +594,11 @@ export class RouteConnectionHandler {
          // For TLS termination, use HttpProxy
          if (this.httpProxyBridge.getHttpProxy()) {
            if (this.settings.enableDetailedLogging) {
-              console.log(
+              logger.log('info', `Using HttpProxy for TLS termination to ${Array.isArray(action.target.host) ? action.target.host.join(', ') : action.target.host} for connection ${connectionId}`, {
-                `[${connectionId}] Using HttpProxy for TLS termination to ${action.target.host}`
+                connectionId,
-              );
+                targetHost: action.target.host,
                component: 'route-handler'
              });
            }
            // If we have an initial chunk with TLS data, start processing it
@ -540,64 +615,97 @@ export class RouteConnectionHandler {
            }
            // This shouldn't normally happen - we should have TLS data at this point
-            console.log(`[${connectionId}] TLS termination route without TLS data`);
+            logger.log('error', `TLS termination route without TLS data for connection ${connectionId}`, {
              connectionId,
              component: 'route-handler'
            });
            socket.end();
            this.connectionManager.cleanupConnection(record, 'tls_error');
            return;
          } else {
-            console.log(`[${connectionId}] HttpProxy not available for TLS termination`);
+            logger.log('error', `HttpProxy not available for TLS termination for connection ${connectionId}`, {
              connectionId,
              component: 'route-handler'
            });
            socket.end();
            this.connectionManager.cleanupConnection(record, 'no_http_proxy');
            return;
          }
      }
    } else {
-      // No TLS settings - basic forwarding
+      // No TLS settings - check if this port should use HttpProxy
-      if (this.settings.enableDetailedLogging) {
+      const isHttpProxyPort = this.settings.useHttpProxy?.includes(record.localPort);
-        console.log(
+      
-          `[${connectionId}] Using basic forwarding to ${action.target.host}:${action.target.port}`
+      if (isHttpProxyPort && this.httpProxyBridge.getHttpProxy()) {
        // Forward non-TLS connections to HttpProxy if configured
        if (this.settings.enableDetailedLogging) {
          logger.log('info', `Using HttpProxy for non-TLS connection ${connectionId} on port ${record.localPort}`, {
            connectionId,
            port: record.localPort,
            component: 'route-handler'
          });
        }
        this.httpProxyBridge.forwardToHttpProxy(
          connectionId,
          socket,
          record,
          initialChunk,
          this.settings.httpProxyPort || 8443,
          (reason) => this.connectionManager.initiateCleanupOnce(record, reason)
        );
        return;
      } else {
        // Basic forwarding
        if (this.settings.enableDetailedLogging) {
          logger.log('info', `Using basic forwarding to ${Array.isArray(action.target.host) ? action.target.host.join(', ') : action.target.host}:${action.target.port} for connection ${connectionId}`, {
            connectionId,
            targetHost: action.target.host,
            targetPort: action.target.port,
            component: 'route-handler'
          });
        }
        // Get the appropriate host value
        let targetHost: string;
        if (typeof action.target.host === 'function') {
          // For function-based host, use the same routeContext created earlier
          const hostResult = action.target.host(routeContext);
          targetHost = Array.isArray(hostResult)
            ? hostResult[Math.floor(Math.random() * hostResult.length)]
            : hostResult;
        } else {
          // For static host value
          targetHost = Array.isArray(action.target.host)
            ? action.target.host[Math.floor(Math.random() * action.target.host.length)]
            : action.target.host;
        }
        // Determine port - either function-based, static, or preserve incoming port
        let targetPort: number;
        if (typeof action.target.port === 'function') {
          targetPort = action.target.port(routeContext);
        } else if (action.target.port === 'preserve') {
          targetPort = record.localPort;
        } else {
          targetPort = action.target.port;
        }
        // Update the connection record and context with resolved values
        record.targetHost = targetHost;
        record.targetPort = targetPort;
        return this.setupDirectConnection(
          socket,
          record,
          record.lockedDomain,
          initialChunk,
          undefined,
          targetHost,
          targetPort
        );
      }
      // Get the appropriate host value
      let targetHost: string;
      if (typeof action.target.host === 'function') {
        // For function-based host, use the same routeContext created earlier
        const hostResult = action.target.host(routeContext);
        targetHost = Array.isArray(hostResult)
          ? hostResult[Math.floor(Math.random() * hostResult.length)]
          : hostResult;
      } else {
        // For static host value
        targetHost = Array.isArray(action.target.host)
          ? action.target.host[Math.floor(Math.random() * action.target.host.length)]
          : action.target.host;
      }
      // Determine port - either function-based, static, or preserve incoming port
      let targetPort: number;
      if (typeof action.target.port === 'function') {
        targetPort = action.target.port(routeContext);
      } else if (action.target.port === 'preserve') {
        targetPort = record.localPort;
      } else {
        targetPort = action.target.port;
      }
      // Update the connection record and context with resolved values
      record.targetHost = targetHost;
      record.targetPort = targetPort;
      return this.setupDirectConnection(
        socket,
        record,
        record.lockedDomain,
        initialChunk,
        undefined,
        targetHost,
        targetPort
      );
    }
  }
@ -611,7 +719,10 @@ export class RouteConnectionHandler {
  ): void {
    // For TLS connections, we can't do redirects at the TCP level
    if (record.isTLS) {
-      console.log(`[${record.id}] Cannot redirect TLS connection at TCP level`);
+      logger.log('warn', `Cannot redirect TLS connection ${record.id} at TCP level`, {
        connectionId: record.id,
        component: 'route-handler'
      });
      socket.end();
      this.connectionManager.cleanupConnection(record, 'tls_redirect_error');
      return;
@ -636,9 +747,11 @@ export class RouteConnectionHandler {
    const connectionId = record.id;
    if (this.settings.enableDetailedLogging) {
-      console.log(
+      logger.log('info', `Blocking connection ${connectionId} based on route '${route.name || 'unnamed'}'`, {
-        `[${connectionId}] Blocking connection based on route "${route.name || 'unnamed'}"`
+        connectionId,
-      );
+        routeName: route.name || 'unnamed',
        component: 'route-handler'
      });
    }
    // Simply close the connection
@ -652,14 +765,15 @@ export class RouteConnectionHandler {
  private async handleStaticAction(
    socket: plugins.net.Socket,
    record: IConnectionRecord,
-    route: IRouteConfig
+    route: IRouteConfig,
    initialChunk?: Buffer
  ): Promise<void> {
    // Delegate to HttpProxy's StaticHandler
    await StaticHandler.handleStatic(socket, route, {
      connectionId: record.id,
      connectionManager: this.connectionManager,
      settings: this.settings
-    }, record);
+    }, record, initialChunk);
  }
  /**
@ -676,8 +790,16 @@ export class RouteConnectionHandler {
    targetSocket.once('error', (err) => {
      // This handler runs only once during the initial connection phase
      const code = (err as any).code;
-      console.log(
+      logger.log('error', 
-        `[${connectionId}] Connection setup error to ${finalTargetHost}:${finalTargetPort}: ${err.message} (${code})`
+        `Connection setup error for ${connectionId} to ${finalTargetHost}:${finalTargetPort}: ${err.message} (${code})`, 
        {
          connectionId,
          targetHost: finalTargetHost,
          targetPort: finalTargetPort,
          errorMessage: err.message,
          errorCode: code,
          component: 'route-handler'
        }
      );
      // Resume the incoming socket to prevent it from hanging
@ -685,29 +807,57 @@ export class RouteConnectionHandler {
      // Log specific error types for easier debugging
      if (code === 'ECONNREFUSED') {
-        console.log(
+        logger.log('error', 
-          `[${connectionId}] Target ${finalTargetHost}:${finalTargetPort} refused connection. ` +
+          `Connection ${connectionId}: Target ${finalTargetHost}:${finalTargetPort} refused connection. Check if the target service is running and listening on that port.`, 
-          `Check if the target service is running and listening on that port.`
+          {
            connectionId,
            targetHost: finalTargetHost,
            targetPort: finalTargetPort,
            recommendation: 'Check if the target service is running and listening on that port.',
            component: 'route-handler'
          }
        );
      } else if (code === 'ETIMEDOUT') {
-        console.log(
+        logger.log('error', 
-          `[${connectionId}] Connection to ${finalTargetHost}:${finalTargetPort} timed out. ` +
+          `Connection ${connectionId} to ${finalTargetHost}:${finalTargetPort} timed out. Check network conditions, firewall rules, or if the target is too far away.`, 
-          `Check network conditions, firewall rules, or if the target is too far away.`
+          {
            connectionId,
            targetHost: finalTargetHost,
            targetPort: finalTargetPort,
            recommendation: 'Check network conditions, firewall rules, or if the target is too far away.',
            component: 'route-handler'
          }
        );
      } else if (code === 'ECONNRESET') {
-        console.log(
+        logger.log('error', 
-          `[${connectionId}] Connection to ${finalTargetHost}:${finalTargetPort} was reset. ` +
+          `Connection ${connectionId} to ${finalTargetHost}:${finalTargetPort} was reset. The target might have closed the connection abruptly.`, 
-          `The target might have closed the connection abruptly.`
+          {
            connectionId,
            targetHost: finalTargetHost,
            targetPort: finalTargetPort,
            recommendation: 'The target might have closed the connection abruptly.',
            component: 'route-handler'
          }
        );
      } else if (code === 'EHOSTUNREACH') {
-        console.log(
+        logger.log('error', 
-          `[${connectionId}] Host ${finalTargetHost} is unreachable. ` +
+          `Connection ${connectionId}: Host ${finalTargetHost} is unreachable. Check DNS settings, network routing, or firewall rules.`, 
-          `Check DNS settings, network routing, or firewall rules.`
+          {
            connectionId,
            targetHost: finalTargetHost,
            recommendation: 'Check DNS settings, network routing, or firewall rules.',
            component: 'route-handler'
          }
        );
      } else if (code === 'ENOTFOUND') {
-        console.log(
+        logger.log('error', 
-          `[${connectionId}] DNS lookup failed for ${finalTargetHost}. ` +
+          `Connection ${connectionId}: DNS lookup failed for ${finalTargetHost}. Check your DNS settings or if the hostname is correct.`, 
-          `Check your DNS settings or if the hostname is correct.`
+          {
            connectionId,
            targetHost: finalTargetHost,
            recommendation: 'Check your DNS settings or if the hostname is correct.',
            component: 'route-handler'
          }
        );
      }
@ -756,9 +906,12 @@ export class RouteConnectionHandler {
    record.targetPort = finalTargetPort;
    if (this.settings.enableDetailedLogging) {
-      console.log(
+      logger.log('info', `Setting up direct connection ${connectionId} to ${finalTargetHost}:${finalTargetPort}`, {
-        `[${connectionId}] Setting up direct connection to ${finalTargetHost}:${finalTargetPort}`
+        connectionId,
-      );
+        targetHost: finalTargetHost,
        targetPort: finalTargetPort,
        component: 'route-handler'
      });
    }
    // Setup connection options
@ -803,9 +956,11 @@ export class RouteConnectionHandler {
        } catch (err) {
          // Ignore errors - these are optional enhancements
          if (this.settings.enableDetailedLogging) {
-            console.log(
+            logger.log('warn', `Enhanced TCP keep-alive not supported for outgoing socket on connection ${connectionId}: ${err}`, {
-              `[${connectionId}] Enhanced TCP keep-alive not supported for outgoing socket: ${err}`
+              connectionId,
-            );
+              error: err,
              component: 'route-handler'
            });
          }
        }
      }
@ -825,22 +980,23 @@ export class RouteConnectionHandler {
    socket.on('timeout', () => {
      // For keep-alive connections, just log a warning instead of closing
      if (record.hasKeepAlive) {
-        console.log(
+        logger.log('warn', `Timeout event on incoming keep-alive connection ${connectionId} from ${record.remoteIP} after ${plugins.prettyMs(this.settings.socketTimeout || 3600000)}. Connection preserved.`, {
-          `[${connectionId}] Timeout event on incoming keep-alive connection from ${
+          connectionId,
-            record.remoteIP
+          remoteIP: record.remoteIP,
-          } after ${plugins.prettyMs(
+          timeout: plugins.prettyMs(this.settings.socketTimeout || 3600000),
-            this.settings.socketTimeout || 3600000
+          status: 'Connection preserved',
-          )}. Connection preserved.`
+          component: 'route-handler'
-        );
+        });
        return;
      }
      // For non-keep-alive connections, proceed with normal cleanup
-      console.log(
+      logger.log('warn', `Timeout on incoming side for connection ${connectionId} from ${record.remoteIP} after ${plugins.prettyMs(this.settings.socketTimeout || 3600000)}`, {
-        `[${connectionId}] Timeout on incoming side from ${
+        connectionId,
-          record.remoteIP
+        remoteIP: record.remoteIP,
-        } after ${plugins.prettyMs(this.settings.socketTimeout || 3600000)}`
+        timeout: plugins.prettyMs(this.settings.socketTimeout || 3600000),
-      );
+        component: 'route-handler'
      });
      if (record.incomingTerminationReason === null) {
        record.incomingTerminationReason = 'timeout';
        this.connectionManager.incrementTerminationStat('incoming', 'timeout');
@ -851,22 +1007,23 @@ export class RouteConnectionHandler {
    targetSocket.on('timeout', () => {
      // For keep-alive connections, just log a warning instead of closing
      if (record.hasKeepAlive) {
-        console.log(
+        logger.log('warn', `Timeout event on outgoing keep-alive connection ${connectionId} from ${record.remoteIP} after ${plugins.prettyMs(this.settings.socketTimeout || 3600000)}. Connection preserved.`, {
-          `[${connectionId}] Timeout event on outgoing keep-alive connection from ${
+          connectionId,
-            record.remoteIP
+          remoteIP: record.remoteIP,
-          } after ${plugins.prettyMs(
+          timeout: plugins.prettyMs(this.settings.socketTimeout || 3600000),
-            this.settings.socketTimeout || 3600000
+          status: 'Connection preserved',
-          )}. Connection preserved.`
+          component: 'route-handler'
-        );
+        });
        return;
      }
      // For non-keep-alive connections, proceed with normal cleanup
-      console.log(
+      logger.log('warn', `Timeout on outgoing side for connection ${connectionId} from ${record.remoteIP} after ${plugins.prettyMs(this.settings.socketTimeout || 3600000)}`, {
-        `[${connectionId}] Timeout on outgoing side from ${
+        connectionId,
-          record.remoteIP
+        remoteIP: record.remoteIP,
-        } after ${plugins.prettyMs(this.settings.socketTimeout || 3600000)}`
+        timeout: plugins.prettyMs(this.settings.socketTimeout || 3600000),
-      );
+        component: 'route-handler'
      });
      if (record.outgoingTerminationReason === null) {
        record.outgoingTerminationReason = 'timeout';
        this.connectionManager.incrementTerminationStat('outgoing', 'timeout');
@ -886,9 +1043,12 @@ export class RouteConnectionHandler {
    // Wait for the outgoing connection to be ready before setting up piping
    targetSocket.once('connect', () => {
      if (this.settings.enableDetailedLogging) {
-        console.log(
+        logger.log('info', `Connection ${connectionId} established to target ${finalTargetHost}:${finalTargetPort}`, {
-          `[${connectionId}] Connection established to target: ${finalTargetHost}:${finalTargetPort}`
+          connectionId,
-        );
+          targetHost: finalTargetHost,
          targetPort: finalTargetPort,
          component: 'route-handler'
        });
      }
      // Clear the initial connection error handler
@ -910,7 +1070,11 @@ export class RouteConnectionHandler {
        // Write pending data immediately
        targetSocket.write(combinedData, (err) => {
          if (err) {
-            console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
+            logger.log('error', `Error writing pending data to target for connection ${connectionId}: ${err.message}`, {
              connectionId,
              error: err.message,
              component: 'route-handler'
            });
            return this.connectionManager.initiateCleanupOnce(record, 'write_error');
          }
        });
@ -931,15 +1095,17 @@ export class RouteConnectionHandler {
      });
      // Log successful connection
-      console.log(
+      logger.log('info', 
        `Connection established: ${record.remoteIP} -> ${finalTargetHost}:${finalTargetPort}` +
-          `${
+        `${serverName ? ` (SNI: ${serverName})` : record.lockedDomain ? ` (Domain: ${record.lockedDomain})` : ''}`, 
-            serverName
+        {
-              ? ` (SNI: ${serverName})`
+          remoteIP: record.remoteIP,
-              : record.lockedDomain
+          targetHost: finalTargetHost,
-              ? ` (Domain: ${record.lockedDomain})`
+          targetPort: finalTargetPort,
-              : ''
+          sni: serverName || undefined,
-          }`
+          domain: !serverName && record.lockedDomain ? record.lockedDomain : undefined,
          component: 'route-handler'
        }
      );
      // Add TLS renegotiation handler if needed
@ -967,17 +1133,21 @@ export class RouteConnectionHandler {
        socket.on('data', renegotiationHandler);
        if (this.settings.enableDetailedLogging) {
-          console.log(
+          logger.log('info', `TLS renegotiation handler installed for connection ${connectionId} with SNI ${serverName}`, {
-            `[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`
+            connectionId,
-          );
+            serverName,
            component: 'route-handler'
          });
        }
      }
      // Set connection timeout
      record.cleanupTimer = this.timeoutManager.setupConnectionTimeout(record, (record, reason) => {
-        console.log(
+        logger.log('warn', `Connection ${connectionId} from ${record.remoteIP} exceeded max lifetime, forcing cleanup`, {
-          `[${connectionId}] Connection from ${record.remoteIP} exceeded max lifetime, forcing cleanup.`
+          connectionId,
-        );
+          remoteIP: record.remoteIP,
          component: 'route-handler'
        });
        this.connectionManager.initiateCleanupOnce(record, reason);
      });
--- a/ts/proxies/smart-proxy/smart-proxy.ts
+++ b/ts/proxies/smart-proxy/smart-proxy.ts
@ -1,4 +1,5 @@
 import * as plugins from '../../plugins.js';
 import { logger } from '../../core/utils/logger.js';
 // Importing required components
 import { ConnectionManager } from './connection-manager.js';
@ -63,6 +64,9 @@ export class SmartProxy extends plugins.EventEmitter {
  private routeUpdateLock: any = null; // Will be initialized as AsyncMutex
  private acmeStateManager: AcmeStateManager;
  // Track port usage across route updates
  private portUsageMap: Map<number, Set<string>> = new Map();
  /**
   * Constructor for SmartProxy
   *
@ -239,7 +243,7 @@ export class SmartProxy extends plugins.EventEmitter {
    );
    if (autoRoutes.length === 0 && !this.hasStaticCertRoutes()) {
-      console.log('No routes require certificate management');
+      logger.log('info', 'No routes require certificate management', { component: 'certificate-manager' });
      return;
    }
@ -256,7 +260,7 @@ export class SmartProxy extends plugins.EventEmitter {
        useProduction: this.settings.acme.useProduction || false,
        port: this.settings.acme.port || 80
      };
-      console.log(`Using top-level ACME configuration with email: ${acmeOptions.email}`);
+      logger.log('info', `Using top-level ACME configuration with email: ${acmeOptions.email}`, { component: 'certificate-manager' });
    } else if (autoRoutes.length > 0) {
      // Check for route-level ACME config
      const routeWithAcme = autoRoutes.find(r => r.action.tls?.acme?.email);
@ -267,7 +271,7 @@ export class SmartProxy extends plugins.EventEmitter {
          useProduction: routeAcme.useProduction || false,
          port: routeAcme.challengePort || 80
        };
-        console.log(`Using route-level ACME configuration from route '${routeWithAcme.name}' with email: ${acmeOptions.email}`);
+        logger.log('info', `Using route-level ACME configuration from route '${routeWithAcme.name}' with email: ${acmeOptions.email}`, { component: 'certificate-manager' });
      }
    }
@ -305,7 +309,7 @@ export class SmartProxy extends plugins.EventEmitter {
  public async start() {
    // Don't start if already shutting down
    if (this.isShuttingDown) {
-      console.log("Cannot start SmartProxy while it's shutting down");
+      logger.log('warn', "Cannot start SmartProxy while it's in the shutdown process");
      return;
    }
@ -332,15 +336,25 @@ export class SmartProxy extends plugins.EventEmitter {
    const allWarnings = [...configWarnings, ...acmeWarnings];
    if (allWarnings.length > 0) {
-      console.log("Configuration warnings:");
+      logger.log('warn', `${allWarnings.length} configuration warnings found`, { count: allWarnings.length });
      for (const warning of allWarnings) {
-        console.log(` - ${warning}`);
+        logger.log('warn', `${warning}`);
      }
    }
    // Get listening ports from RouteManager
    const listeningPorts = this.routeManager.getListeningPorts();
    // Initialize port usage tracking
    this.portUsageMap = this.updatePortUsageMap(this.settings.routes);
    // Log port usage for startup
    logger.log('info', `SmartProxy starting with ${listeningPorts.length} ports: ${listeningPorts.join(', ')}`, {
      portCount: listeningPorts.length,
      ports: listeningPorts,
      component: 'smart-proxy'
    });
    // Provision NFTables rules for routes that use NFTables
    for (const route of this.settings.routes) {
      if (route.action.forwardingEngine === 'nftables') {
@ -350,6 +364,12 @@ export class SmartProxy extends plugins.EventEmitter {
    // Start port listeners using the PortManager
    await this.portManager.addPorts(listeningPorts);
    // Now that ports are listening, provision any required certificates
    if (this.certManager) {
      logger.log('info', 'Starting certificate provisioning now that ports are ready', { component: 'certificate-manager' });
      await this.certManager.provisionAllCertificates();
    }
    // Set up periodic connection logging and inactivity checks
    this.connectionLogger = setInterval(() => {
@ -405,16 +425,26 @@ export class SmartProxy extends plugins.EventEmitter {
      const terminationStats = this.connectionManager.getTerminationStats();
      // Log detailed stats
-      console.log(
+      logger.log('info', 'Connection statistics', {
-        `Active connections: ${connectionRecords.size}. ` +
+        activeConnections: connectionRecords.size,
-        `Types: TLS=${tlsConnections} (Completed=${completedTlsHandshakes}, Pending=${pendingTlsHandshakes}), ` +
+        tls: {
-        `Non-TLS=${nonTlsConnections}, KeepAlive=${keepAliveConnections}, HttpProxy=${httpProxyConnections}. ` +
+          total: tlsConnections,
-        `Longest running: IN=${plugins.prettyMs(maxIncoming)}, OUT=${plugins.prettyMs(maxOutgoing)}. ` +
+          completed: completedTlsHandshakes,
-        `Termination stats: ${JSON.stringify({
+          pending: pendingTlsHandshakes
-          IN: terminationStats.incoming,
+        },
-          OUT: terminationStats.outgoing,
+        nonTls: nonTlsConnections,
-        })}`
+        keepAlive: keepAliveConnections,
-      );
+        httpProxy: httpProxyConnections,
        longestRunning: {
          incoming: plugins.prettyMs(maxIncoming),
          outgoing: plugins.prettyMs(maxOutgoing)
        },
        terminationStats: {
          incoming: terminationStats.incoming,
          outgoing: terminationStats.outgoing
        },
        component: 'connection-manager'
      });
    }, this.settings.inactivityCheckInterval || 60000);
    // Make sure the interval doesn't keep the process alive
@ -433,19 +463,19 @@ export class SmartProxy extends plugins.EventEmitter {
   * Stop the proxy server
   */
  public async stop() {
-    console.log('SmartProxy shutting down...');
+    logger.log('info', 'SmartProxy shutting down...');
    this.isShuttingDown = true;
    this.portManager.setShuttingDown(true);
    // Stop certificate manager
    if (this.certManager) {
      await this.certManager.stop();
-      console.log('Certificate manager stopped');
+      logger.log('info', 'Certificate manager stopped');
    }
    // Stop NFTablesManager
    await this.nftablesManager.stop();
-    console.log('NFTablesManager stopped');
+    logger.log('info', 'NFTablesManager stopped');
    // Stop the connection logger
    if (this.connectionLogger) {
@ -455,7 +485,7 @@ export class SmartProxy extends plugins.EventEmitter {
    // Stop all port listeners
    await this.portManager.closeAll();
-    console.log('All servers closed. Cleaning up active connections...');
+    logger.log('info', 'All servers closed. Cleaning up active connections...');
    // Clean up all active connections
    this.connectionManager.clearConnections();
@ -466,7 +496,7 @@ export class SmartProxy extends plugins.EventEmitter {
    // Clear ACME state manager
    this.acmeStateManager.clear();
-    console.log('SmartProxy shutdown complete.');
+    logger.log('info', 'SmartProxy shutdown complete.');
  }
  /**
@ -475,7 +505,7 @@ export class SmartProxy extends plugins.EventEmitter {
   * Note: This legacy method has been removed. Use updateRoutes instead.
   */
  public async updateDomainConfigs(): Promise<void> {
-    console.warn('Method updateDomainConfigs() is deprecated. Use updateRoutes() instead.');
+    logger.log('warn', 'Method updateDomainConfigs() is deprecated. Use updateRoutes() instead.');
    throw new Error('updateDomainConfigs() is deprecated - use updateRoutes() instead');
  }
@ -491,7 +521,7 @@ export class SmartProxy extends plugins.EventEmitter {
      const challengeRouteExists = this.settings.routes.some(r => r.name === 'acme-challenge');
      if (!challengeRouteExists) {
-        console.log('Challenge route successfully removed from routes');
+        logger.log('info', 'Challenge route successfully removed from routes');
        return;
      }
@ -499,7 +529,9 @@ export class SmartProxy extends plugins.EventEmitter {
      await plugins.smartdelay.delayFor(retryDelay);
    }
-    throw new Error('Failed to verify challenge route removal after ' + maxRetries + ' attempts');
+    const error = `Failed to verify challenge route removal after ${maxRetries} attempts`;
    logger.log('error', error);
    throw new Error(error);
  }
  /**
@ -527,7 +559,19 @@ export class SmartProxy extends plugins.EventEmitter {
   */
  public async updateRoutes(newRoutes: IRouteConfig[]): Promise<void> {
    return this.routeUpdateLock.runExclusive(async () => {
-      console.log(`Updating routes (${newRoutes.length} routes)`);
+      logger.log('info', `Updating routes (${newRoutes.length} routes)`, { routeCount: newRoutes.length, component: 'route-manager' });
      // Track port usage before and after updates
      const oldPortUsage = this.updatePortUsageMap(this.settings.routes);
      const newPortUsage = this.updatePortUsageMap(newRoutes);
      // Find orphaned ports - ports that no longer have any routes
      const orphanedPorts = this.findOrphanedPorts(oldPortUsage, newPortUsage);
      // Find new ports that need binding
      const currentPorts = new Set(this.portManager.getListeningPorts());
      const newPortsSet = new Set(newPortUsage.keys());
      const newBindingPorts = Array.from(newPortsSet).filter(p => !currentPorts.has(p));
      // Get existing routes that use NFTables
      const oldNfTablesRoutes = this.settings.routes.filter(
@ -565,14 +609,29 @@ export class SmartProxy extends plugins.EventEmitter {
      // Update routes in RouteManager
      this.routeManager.updateRoutes(newRoutes);
-      // Get the new set of required ports
+      // Release orphaned ports first
-      const requiredPorts = this.routeManager.getListeningPorts();
+      if (orphanedPorts.length > 0) {
-
+        logger.log('info', `Releasing ${orphanedPorts.length} orphaned ports: ${orphanedPorts.join(', ')}`, { 
-      // Update port listeners to match the new configuration
+          ports: orphanedPorts,
-      await this.portManager.updatePorts(requiredPorts);
+          component: 'smart-proxy'
        });
        await this.portManager.removePorts(orphanedPorts);
      }
      // Add new ports
      if (newBindingPorts.length > 0) {
        logger.log('info', `Binding to ${newBindingPorts.length} new ports: ${newBindingPorts.join(', ')}`, { 
          ports: newBindingPorts,
          component: 'smart-proxy'
        });
        await this.portManager.addPorts(newBindingPorts);
      }
      // Update settings with the new routes
      this.settings.routes = newRoutes;
      // Save the new port usage map for future reference
      this.portUsageMap = newPortUsage;
      // If HttpProxy is initialized, resync the configurations
      if (this.httpProxyBridge.getHttpProxy()) {
@ -618,6 +677,78 @@ export class SmartProxy extends plugins.EventEmitter {
    await this.certManager.provisionCertificate(route);
  }
  /**
   * Update the port usage map based on the provided routes
   * 
   * This tracks which ports are used by which routes, allowing us to
   * detect when a port is no longer needed and can be released.
   */
  private updatePortUsageMap(routes: IRouteConfig[]): Map<number, Set<string>> {
    // Reset the usage map
    const portUsage = new Map<number, Set<string>>();
    for (const route of routes) {
      // Get the ports for this route
      const portsConfig = Array.isArray(route.match.ports) 
        ? route.match.ports 
        : [route.match.ports];
      // Expand port range objects to individual port numbers
      const expandedPorts: number[] = [];
      for (const portConfig of portsConfig) {
        if (typeof portConfig === 'number') {
          expandedPorts.push(portConfig);
        } else if (typeof portConfig === 'object' && 'from' in portConfig && 'to' in portConfig) {
          // Expand the port range
          for (let p = portConfig.from; p <= portConfig.to; p++) {
            expandedPorts.push(p);
          }
        }
      }
      // Use route name if available, otherwise generate a unique ID
      const routeName = route.name || `unnamed_${Math.random().toString(36).substring(2, 9)}`;
      // Add each port to the usage map
      for (const port of expandedPorts) {
        if (!portUsage.has(port)) {
          portUsage.set(port, new Set());
        }
        portUsage.get(port)!.add(routeName);
      }
    }
    // Log port usage for debugging
    for (const [port, routes] of portUsage.entries()) {
      logger.log('debug', `Port ${port} is used by ${routes.size} routes: ${Array.from(routes).join(', ')}`, {
        port,
        routeCount: routes.size,
        component: 'smart-proxy'
      });
    }
    return portUsage;
  }
  /**
   * Find ports that have no routes in the new configuration
   */
  private findOrphanedPorts(oldUsage: Map<number, Set<string>>, newUsage: Map<number, Set<string>>): number[] {
    const orphanedPorts: number[] = [];
    for (const [port, routes] of oldUsage.entries()) {
      if (!newUsage.has(port) || newUsage.get(port)!.size === 0) {
        orphanedPorts.push(port);
        logger.log('info', `Port ${port} no longer has any associated routes, will be released`, {
          port,
          component: 'smart-proxy'
        });
      }
    }
    return orphanedPorts;
  }
  /**
   * Force renewal of a certificate
@ -652,14 +783,14 @@ export class SmartProxy extends plugins.EventEmitter {
    // Check for wildcard domains (they can't get ACME certs)
    if (domain.includes('*')) {
-      console.log(`Wildcard domains like "${domain}" are not supported for ACME certificates`);
+      logger.log('warn', `Wildcard domains like "${domain}" are not supported for automatic ACME certificates`, { domain, component: 'certificate-manager' });
      return false;
    }
    // Check if domain has at least one dot and no invalid characters
    const validDomainRegex = /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
    if (!validDomainRegex.test(domain)) {
-      console.log(`Domain "${domain}" has invalid format`);
+      logger.log('warn', `Domain "${domain}" has invalid format for certificate issuance`, { domain, component: 'certificate-manager' });
      return false;
    }
Author	SHA1	Message	Date
Philipp Kunz	b5e985eaf9	19.3.13 Some checks failed Default (tags) / security (push) Successful in 34s Details Default (tags) / test (push) Failing after 18m13s Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2025-05-20 15:32:19 +00:00
Philipp Kunz	669cc2809c	fix(port-manager, certificate-manager): Improve port binding and ACME challenge route integration in SmartProxy	2025-05-20 15:32:19 +00:00
Philipp Kunz	3b1531d4a2	19.3.12 Some checks failed Default (tags) / security (push) Successful in 38s Details Default (tags) / test (push) Failing after 37m5s Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2025-05-19 23:57:16 +00:00
Philipp Kunz	018a49dbc2	fix(tests): Update test mocks to include provisionAllCertificates methods in certificate manager stubs and related objects.	2025-05-19 23:57:16 +00:00
Philipp Kunz	b30464a612	19.3.11 Some checks failed Default (tags) / security (push) Successful in 38s Details Default (tags) / test (push) Failing after 57m9s Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2025-05-19 23:37:11 +00:00
Philipp Kunz	c9abdea556	fix(logger): Replace raw console logging calls with structured logger usage across certificate management, connection handling, and route processing for improved observability.	2025-05-19 23:37:11 +00:00
Philipp Kunz	e61766959f	update	2025-05-19 22:47:13 +00:00
Philipp Kunz	62dc067a2a	19.3.10 Some checks failed Default (tags) / security (push) Successful in 37s Details Default (tags) / test (push) Failing after 1h12m13s Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2025-05-19 22:07:08 +00:00
Philipp Kunz	91018173b0	fix(certificate-manager, smart-proxy): Fix race condition in ACME certificate provisioning and refactor certificate manager initialization to defer provisioning until after port listeners are active	2025-05-19 22:07:08 +00:00
Philipp Kunz	84c5d0a69e	19.3.9 Some checks failed Default (tags) / security (push) Successful in 34s Details Default (tags) / test (push) Failing after 1h12m9s Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2025-05-19 19:59:22 +00:00
Philipp Kunz	42fe1e5d15	fix(route-connection-handler): Forward non-TLS connections on HttpProxy ports to fix ACME HTTP-01 challenge handling	2025-05-19 19:59:22 +00:00
Philipp Kunz	85bd448858	19.3.8 Some checks failed Default (tags) / security (push) Successful in 36s Details Default (tags) / test (push) Failing after 1h12m11s Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2025-05-19 19:17:48 +00:00
Philipp Kunz	da061292ae	fix(certificate-manager): Preserve certificate manager update callback in updateRoutes	2025-05-19 19:17:48 +00:00