v25.11.11

changelog.md

@@ -1,5 +1,27 @@
 # Changelog
 
+## 2026-03-16 - 25.11.11 - fix(rustproxy-http)
+improve HTTP/2 proxy error logging with warning-level connection failures and debug error details
+
+- Adds debug-formatted error fields to HTTP/2 handshake, retry, fallback, and request failure logs
+- Promotes upstream HTTP/2 connection error logs from debug to warn to improve operational visibility
+
+## 2026-03-16 - 25.11.10 - fix(rustproxy-http)
+validate pooled HTTP/2 connections asynchronously before reuse and evict stale senders
+
+- Add an async ready() check with a 500ms timeout before reusing pooled HTTP/2 senders to catch GOAWAY/RST states before forwarding requests
+- Return connection age from the HTTP/2 pool checkout path and log warnings for older pooled connections
+- Evict pooled HTTP/2 senders when they are closed, exceed max age, fail readiness validation, or time out during readiness checks
+
+## 2026-03-16 - 25.11.9 - fix(rustproxy-routing)
+reduce hot-path allocations in routing, metrics, and proxy protocol handling
+
+- skip HTTP header map construction unless a route on the current port uses header matching
+- reuse computed client IP strings during HTTP route matching to avoid redundant allocations
+- optimize per-route and per-IP metric updates with get-first lookups to avoid unnecessary String creation on existing entries
+- replace heap-allocated PROXY protocol peek and discard buffers with stack-allocated buffers in the TCP listener
+- improve domain matcher case-insensitive wildcard checks while preserving glob fallback behavior
+
 ## 2026-03-16 - 25.11.8 - fix(rustproxy-http)
 prevent premature idle timeouts during streamed HTTP responses and ensure TLS close_notify is sent on dropped connections
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "25.11.8",
+  "version": "25.11.11",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

rust/crates/rustproxy-http/src/connection_pool.rs

@@ -10,7 +10,7 @@ use bytes::Bytes;
 use dashmap::DashMap;
 use http_body_util::combinators::BoxBody;
 use hyper::client::conn::{http1, http2};
-use tracing::debug;
+use tracing::{debug, warn};
 
 /// Maximum idle connections per backend key.
 const MAX_IDLE_PER_KEY: usize = 16;
@@ -115,20 +115,27 @@ impl ConnectionPool {
 
     /// Try to get a cloned HTTP/2 sender for the given key.
     /// HTTP/2 senders are Clone-able (multiplexed), so we clone rather than remove.
-    pub fn checkout_h2(&self, key: &PoolKey) -> Option<http2::SendRequest<BoxBody<Bytes, hyper::Error>>> {
+    pub fn checkout_h2(&self, key: &PoolKey) -> Option<(http2::SendRequest<BoxBody<Bytes, hyper::Error>>, Duration)> {
         let entry = self.h2_pool.get(key)?;
         let pooled = entry.value();
+        let age = pooled.created_at.elapsed();
 
         // Check if the h2 connection is still alive and not too old
-        if pooled.sender.is_closed() || pooled.created_at.elapsed() >= MAX_H2_AGE {
+        if pooled.sender.is_closed() || age >= MAX_H2_AGE {
+            let reason = if pooled.sender.is_closed() { "closed" } else { "max_age" };
+            debug!("Pool evict (h2): {}:{} (reason={}, age={:.1}s)", key.host, key.port, reason, age.as_secs_f64());
             drop(entry);
             self.h2_pool.remove(key);
             return None;
         }
 
         if pooled.sender.is_ready() {
-            debug!("Pool hit (h2): {}:{}", key.host, key.port);
+            if age > Duration::from_secs(30) {
-            return Some(pooled.sender.clone());
+                warn!("Pool hit (h2): {}:{} — connection age {:.1}s (>30s, may be stale)", key.host, key.port, age.as_secs_f64());
+            } else {
+                debug!("Pool hit (h2): {}:{} (age={:.1}s)", key.host, key.port, age.as_secs_f64());
+            }
+            return Some((pooled.sender.clone(), age));
         }
         None
     }

rust/crates/rustproxy-http/src/proxy_service.rs

@@ -399,11 +399,19 @@ impl HttpProxyService {
         let path = req.uri().path().to_string();
         let method = req.method().clone();
 
-        // Extract headers for matching
+        // Extract headers for matching — only allocate the HashMap if any route
-        let headers: HashMap<String, String> = req.headers()
+        // on this port actually uses header matching. Most deployments don't,
-            .iter()
+        // so this saves ~20-30 String allocations per request.
-            .map(|(k, v)| (k.to_string(), v.to_str().unwrap_or("").to_string()))
+        let current_rm = self.route_manager.load();
-            .collect();
+        let needs_headers = current_rm.any_route_has_headers(port);
+        let headers: Option<HashMap<String, String>> = if needs_headers {
+            Some(req.headers()
+                .iter()
+                .map(|(k, v)| (k.to_string(), v.to_str().unwrap_or("").to_string()))
+                .collect())
+        } else {
+            None
+        };
 
         debug!("HTTP {} {} (host: {:?}) from {}", method, path, host, peer_addr);
 
@@ -414,19 +422,19 @@ impl HttpProxyService {
             }
         }
 
-        // Match route
+        // Match route (current_rm already loaded above for headers check)
+        let ip_string = peer_addr.ip().to_string();
         let ctx = rustproxy_routing::MatchContext {
             port,
             domain: host.as_deref(),
             path: Some(&path),
-            client_ip: Some(&peer_addr.ip().to_string()),
+            client_ip: Some(&ip_string),
             tls_version: None,
-            headers: Some(&headers),
+            headers: headers.as_ref(),
             is_tls: false,
             protocol: Some("http"),
         };
 
-        let current_rm = self.route_manager.load();
         let route_match = match current_rm.find_route(&ctx) {
             Some(rm) => rm,
             None => {
@@ -436,7 +444,7 @@ impl HttpProxyService {
         };
 
         let route_id = route_match.route.id.as_deref();
-        let ip_str = peer_addr.ip().to_string();
+        let ip_str = ip_string; // reuse from above (avoid redundant to_string())
         self.metrics.record_http_request();
 
         // Apply request filters (IP check, rate limiting, auth)
@@ -651,17 +659,40 @@ impl HttpProxyService {
                 h2: use_h2,
             };
 
-            // H2 pool checkout (H2 senders are Clone and multiplexed)
+            // H2 pool checkout with async readiness validation.
+            // checkout_h2 does synchronous is_closed()/is_ready() checks, but these
+            // reflect cached state — the H2 connection driver (a separate tokio task)
+            // may not have processed a pending GOAWAY/RST yet. The ready().await
+            // forces the runtime to yield, giving the driver a chance to detect failures.
             if use_h2 {
-                if let Some(sender) = self.connection_pool.checkout_h2(&pool_key) {
+                if let Some((mut sender, age)) = self.connection_pool.checkout_h2(&pool_key) {
-                    self.metrics.backend_pool_hit(&upstream_key);
+                    match tokio::time::timeout(
-                    self.metrics.set_backend_protocol(&upstream_key, "h2");
+                        std::time::Duration::from_millis(500),
-                    let result = self.forward_h2_pooled(
+                        sender.ready(),
-                        sender, parts, body, upstream_headers, &upstream_path,
+                    ).await {
-                        route_match.route, route_id, &ip_str, &pool_key, domain_str, &conn_activity,
+                        Ok(Ok(())) => {
-                    ).await;
+                            self.metrics.backend_pool_hit(&upstream_key);
-                    self.upstream_selector.connection_ended(&upstream_key);
+                            self.metrics.set_backend_protocol(&upstream_key, "h2");
-                    return result;
+                            let result = self.forward_h2_pooled(
+                                sender, parts, body, upstream_headers, &upstream_path,
+                                route_match.route, route_id, &ip_str, &pool_key, domain_str, &conn_activity,
+                            ).await;
+                            self.upstream_selector.connection_ended(&upstream_key);
+                            return result;
+                        }
+                        Ok(Err(e)) => {
+                            warn!(backend = %upstream_key, age_secs = age.as_secs(),
+                                "Pooled H2 sender failed ready check (GOAWAY/RST): {}, evicting", e);
+                            self.connection_pool.remove_h2(&pool_key);
+                            // Fall through to fresh connection
+                        }
+                        Err(_) => {
+                            warn!(backend = %upstream_key, age_secs = age.as_secs(),
+                                "Pooled H2 sender ready check timed out (500ms), evicting");
+                            self.connection_pool.remove_h2(&pool_key);
+                            // Fall through to fresh connection
+                        }
+                    }
                 }
             }
         }
@@ -959,7 +990,7 @@ impl HttpProxyService {
         ) = match tokio::time::timeout(self.connect_timeout, h2_builder.handshake(io)).await {
             Ok(Ok(h)) => h,
             Ok(Err(e)) => {
-                error!(backend = %backend_key, domain = %domain, error = %e, "Backend H2 handshake failed");
+                error!(backend = %backend_key, domain = %domain, error = %e, error_debug = ?e, "Backend H2 handshake failed");
                 self.metrics.backend_handshake_error(&backend_key);
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend H2 handshake failed"));
             }
@@ -977,7 +1008,7 @@ impl HttpProxyService {
             let key = pool_key.clone();
             tokio::spawn(async move {
                 if let Err(e) = conn.await {
-                    debug!("HTTP/2 upstream connection error: {}", e);
+                    warn!("HTTP/2 upstream connection error: {} ({:?})", e, e);
                 }
                 pool.remove_h2(&key);
             });
@@ -1109,7 +1140,7 @@ impl HttpProxyService {
         ) = match tokio::time::timeout(self.connect_timeout, h2_builder.handshake(io)).await {
             Ok(Ok(h)) => h,
             Ok(Err(e)) => {
-                error!(backend = %backend_key, domain = %domain, error = %e, "H2 retry: handshake failed");
+                error!(backend = %backend_key, domain = %domain, error = %e, error_debug = ?e, "H2 retry: handshake failed");
                 self.metrics.backend_handshake_error(&backend_key);
                 self.metrics.backend_connection_closed(&backend_key);
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend H2 retry handshake failed"));
@@ -1128,7 +1159,7 @@ impl HttpProxyService {
             let key = pool_key.clone();
             tokio::spawn(async move {
                 if let Err(e) = conn.await {
-                    debug!("H2 retry: upstream connection error: {}", e);
+                    warn!("H2 retry: upstream connection error: {} ({:?})", e, e);
                 }
                 pool.remove_h2(&key);
             });
@@ -1257,7 +1288,7 @@ impl HttpProxyService {
                     let key = pool_key.clone();
                     tokio::spawn(async move {
                         if let Err(e) = conn.await {
-                            debug!("HTTP/2 upstream connection error: {}", e);
+                            warn!("HTTP/2 upstream connection error: {} ({:?})", e, e);
                         }
                         pool.remove_h2(&key);
                     });
@@ -1312,6 +1343,7 @@ impl HttpProxyService {
                             backend = %bk,
                             domain = %domain,
                             error = %e,
+                            error_debug = ?e,
                             "Auto-detect: H2 request failed, falling back to H1"
                         );
                         self.metrics.backend_h2_failure(&bk);
@@ -1569,11 +1601,11 @@ impl HttpProxyService {
                 // Evict the dead sender so subsequent requests get fresh connections
                 if let Some(key) = pool_key {
                     let bk = format!("{}:{}", key.host, key.port);
-                    error!(backend = %bk, domain = %domain, error = %e, "Backend H2 request failed");
+                    error!(backend = %bk, domain = %domain, error = %e, error_debug = ?e, "Backend H2 request failed");
                     self.metrics.backend_request_error(&bk);
                     self.connection_pool.remove_h2(key);
                 } else {
-                    error!(domain = %domain, error = %e, "Backend H2 request failed");
+                    error!(domain = %domain, error = %e, error_debug = ?e, "Backend H2 request failed");
                 }
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend H2 request failed"));
             }

rust/crates/rustproxy-metrics/src/collector.rs

@@ -266,44 +266,67 @@ impl MetricsCollector {
         self.global_pending_tp_in.fetch_add(bytes_in, Ordering::Relaxed);
         self.global_pending_tp_out.fetch_add(bytes_out, Ordering::Relaxed);
 
+        // Per-route tracking: use get() first (zero-alloc fast path for existing entries),
+        // fall back to entry() with to_string() only on the rare first-chunk miss.
         if let Some(route_id) = route_id {
-            self.route_bytes_in
+            if let Some(counter) = self.route_bytes_in.get(route_id) {
-                .entry(route_id.to_string())
+                counter.fetch_add(bytes_in, Ordering::Relaxed);
-                .or_insert_with(|| AtomicU64::new(0))
+            } else {
-                .fetch_add(bytes_in, Ordering::Relaxed);
+                self.route_bytes_in.entry(route_id.to_string())
-            self.route_bytes_out
+                    .or_insert_with(|| AtomicU64::new(0))
-                .entry(route_id.to_string())
+                    .fetch_add(bytes_in, Ordering::Relaxed);
-                .or_insert_with(|| AtomicU64::new(0))
+            }
-                .fetch_add(bytes_out, Ordering::Relaxed);
+            if let Some(counter) = self.route_bytes_out.get(route_id) {
+                counter.fetch_add(bytes_out, Ordering::Relaxed);
+            } else {
+                self.route_bytes_out.entry(route_id.to_string())
+                    .or_insert_with(|| AtomicU64::new(0))
+                    .fetch_add(bytes_out, Ordering::Relaxed);
+            }
 
             // Accumulate into per-route pending throughput counters (lock-free)
-            let entry = self.route_pending_tp
+            if let Some(entry) = self.route_pending_tp.get(route_id) {
-                .entry(route_id.to_string())
+                entry.0.fetch_add(bytes_in, Ordering::Relaxed);
-                .or_insert_with(|| (AtomicU64::new(0), AtomicU64::new(0)));
+                entry.1.fetch_add(bytes_out, Ordering::Relaxed);
-            entry.0.fetch_add(bytes_in, Ordering::Relaxed);
+            } else {
-            entry.1.fetch_add(bytes_out, Ordering::Relaxed);
+                let entry = self.route_pending_tp.entry(route_id.to_string())
+                    .or_insert_with(|| (AtomicU64::new(0), AtomicU64::new(0)));
+                entry.0.fetch_add(bytes_in, Ordering::Relaxed);
+                entry.1.fetch_add(bytes_out, Ordering::Relaxed);
+            }
         }
 
+        // Per-IP tracking: same get()-first pattern to avoid String allocation on hot path.
         if let Some(ip) = source_ip {
             // Only record per-IP stats if the IP still has active connections.
             // This prevents orphaned entries when record_bytes races with
             // connection_closed (which evicts all per-IP data on last close).
             if self.ip_connections.contains_key(ip) {
-                self.ip_bytes_in
+                if let Some(counter) = self.ip_bytes_in.get(ip) {
-                    .entry(ip.to_string())
+                    counter.fetch_add(bytes_in, Ordering::Relaxed);
-                    .or_insert_with(|| AtomicU64::new(0))
+                } else {
-                    .fetch_add(bytes_in, Ordering::Relaxed);
+                    self.ip_bytes_in.entry(ip.to_string())
-                self.ip_bytes_out
+                        .or_insert_with(|| AtomicU64::new(0))
-                    .entry(ip.to_string())
+                        .fetch_add(bytes_in, Ordering::Relaxed);
-                    .or_insert_with(|| AtomicU64::new(0))
+                }
-                    .fetch_add(bytes_out, Ordering::Relaxed);
+                if let Some(counter) = self.ip_bytes_out.get(ip) {
+                    counter.fetch_add(bytes_out, Ordering::Relaxed);
+                } else {
+                    self.ip_bytes_out.entry(ip.to_string())
+                        .or_insert_with(|| AtomicU64::new(0))
+                        .fetch_add(bytes_out, Ordering::Relaxed);
+                }
 
                 // Accumulate into per-IP pending throughput counters (lock-free)
-                let entry = self.ip_pending_tp
+                if let Some(entry) = self.ip_pending_tp.get(ip) {
-                    .entry(ip.to_string())
+                    entry.0.fetch_add(bytes_in, Ordering::Relaxed);
-                    .or_insert_with(|| (AtomicU64::new(0), AtomicU64::new(0)));
+                    entry.1.fetch_add(bytes_out, Ordering::Relaxed);
-                entry.0.fetch_add(bytes_in, Ordering::Relaxed);
+                } else {
-                entry.1.fetch_add(bytes_out, Ordering::Relaxed);
+                    let entry = self.ip_pending_tp.entry(ip.to_string())
+                        .or_insert_with(|| (AtomicU64::new(0), AtomicU64::new(0)));
+                    entry.0.fetch_add(bytes_in, Ordering::Relaxed);
+                    entry.1.fetch_add(bytes_out, Ordering::Relaxed);
+                }
             }
         }
     }

rust/crates/rustproxy-passthrough/src/tcp_listener.rs

@@ -561,8 +561,9 @@ impl TcpListenerManager {
         // Non-proxy connections skip the peek entirely (no latency cost).
         let mut effective_peer_addr = peer_addr;
         if !conn_config.proxy_ips.is_empty() && conn_config.proxy_ips.contains(&peer_addr.ip()) {
-            // Trusted proxy IP — peek for PROXY protocol header
+            // Trusted proxy IP — peek for PROXY protocol header.
-            let mut proxy_peek = vec![0u8; 256];
+            // Use stack-allocated buffers (PROXY v1 headers are max ~108 bytes).
+            let mut proxy_peek = [0u8; 256];
             let pn = match tokio::time::timeout(
                 std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
                 stream.peek(&mut proxy_peek),
@@ -577,9 +578,9 @@ impl TcpListenerManager {
                     Ok((header, consumed)) => {
                         debug!("PROXY protocol: real client {} -> {}", header.source_addr, header.dest_addr);
                         effective_peer_addr = header.source_addr;
-                        // Consume the proxy protocol header bytes
+                        // Consume the proxy protocol header bytes (stack buffer, max 108 bytes)
-                        let mut discard = vec![0u8; consumed];
+                        let mut discard = [0u8; 128];
-                        stream.read_exact(&mut discard).await?;
+                        stream.read_exact(&mut discard[..consumed]).await?;
                     }
                     Err(e) => {
                         debug!("Failed to parse PROXY protocol header: {}", e);

rust/crates/rustproxy-routing/src/matchers/domain.rs

@@ -6,25 +6,28 @@
 /// - `example.com` exact match
 /// - `**.example.com` matches any depth of subdomain
 pub fn domain_matches(pattern: &str, domain: &str) -> bool {
-    let pattern = pattern.trim().to_lowercase();
+    let pattern = pattern.trim();
-    let domain = domain.trim().to_lowercase();
+    let domain = domain.trim();
 
     if pattern == "*" {
         return true;
     }
 
-    if pattern == domain {
+    if pattern.eq_ignore_ascii_case(domain) {
         return true;
     }
 
     // Wildcard patterns
-    if pattern.starts_with("*.") {
+    if pattern.starts_with("*.") || pattern.starts_with("*.") {
         let suffix = &pattern[2..]; // e.g., "example.com"
         // Match exact parent or any single-level subdomain
-        if domain == suffix {
+        if domain.eq_ignore_ascii_case(suffix) {
             return true;
         }
-        if domain.ends_with(&format!(".{}", suffix)) {
+        if domain.len() > suffix.len() + 1
+            && domain.as_bytes()[domain.len() - suffix.len() - 1] == b'.'
+            && domain[domain.len() - suffix.len()..].eq_ignore_ascii_case(suffix)
+        {
             // Check it's a single level subdomain for `*.`
             let prefix = &domain[..domain.len() - suffix.len() - 1];
             return !prefix.contains('.');
@@ -35,11 +38,22 @@ pub fn domain_matches(pattern: &str, domain: &str) -> bool {
     if pattern.starts_with("**.") {
         let suffix = &pattern[3..];
         // Match exact parent or any depth of subdomain
-        return domain == suffix || domain.ends_with(&format!(".{}", suffix));
+        if domain.eq_ignore_ascii_case(suffix) {
+            return true;
+        }
+        if domain.len() > suffix.len() + 1
+            && domain.as_bytes()[domain.len() - suffix.len() - 1] == b'.'
+            && domain[domain.len() - suffix.len()..].eq_ignore_ascii_case(suffix)
+        {
+            return true;
+        }
+        return false;
     }
 
-    // Use glob-match for more complex patterns
+    // Use glob-match for more complex patterns (case-insensitive via lowercasing)
-    glob_match::glob_match(&pattern, &domain)
+    let pattern_lower = pattern.to_lowercase();
+    let domain_lower = domain.to_lowercase();
+    glob_match::glob_match(&pattern_lower, &domain_lower)
 }
 
 /// Check if a domain matches any of the given patterns.

rust/crates/rustproxy-routing/src/route_manager.rs

@@ -60,6 +60,16 @@ impl RouteManager {
         manager
     }
 
+    /// Check if any route on the given port uses header matching.
+    /// Used to skip expensive header HashMap construction when no route needs it.
+    pub fn any_route_has_headers(&self, port: u16) -> bool {
+        if let Some(indices) = self.port_index.get(&port) {
+            indices.iter().any(|&idx| self.routes[idx].route_match.headers.is_some())
+        } else {
+            false
+        }
+    }
+
     /// Find the best matching route for the given context.
     pub fn find_route<'a>(&'a self, ctx: &MatchContext<'_>) -> Option<RouteMatchResult<'a>> {
         // Get routes for this port

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '25.11.8',
+  version: '25.11.11',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }