v25.7.9

fix(tests): use high non-privileged ports in tests to avoid conflicts and CI failures
feat: enhance HTTP/2 support by ensuring Host header is set and adding multiplexed request tests
2026-02-21 13:27:55 +00:00 · 2026-02-21 13:27:55 +00:00 · 2026-02-20 18:30:57 +00:00 · 2026-02-20 18:16:09 +00:00 · 2026-02-19 14:21:05 +00:00 · 2026-02-19 14:21:05 +00:00
44 changed files with 3107 additions and 1066 deletions
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,137 @@
 # Changelog
 ## 2026-02-21 - 25.7.9 - fix(tests)
 use high non-privileged ports in tests to avoid conflicts and CI failures
 - Updated multiple test files to use high-range, non-privileged ports instead of well-known or conflicting ports.
 - Files changed: test/test.acme-http01-challenge.ts, test/test.connection-forwarding.ts, test/test.forwarding-regression.ts, test/test.http-port8080-forwarding.ts, test/test.port-mapping.ts, test/test.smartproxy.ts, test/test.socket-handler.ts.
 - Notable port remappings: 8080/8081 -> 47730/47731 (and other proxy ports like 47710), 8443 -> 47711, 7001/7002 -> 47712/47713, 9090 -> 47721, 8181/8182 -> 47732/47733, 9999 -> 47780, TEST_PORT_START/PROXY_PORT_START -> 47750/48750, and TEST_SERVER_PORT/PROXY_PORT -> 47770/47771.
 ## 2026-02-19 - 25.7.8 - fix(no-changes)
 no changes detected; nothing to release
 - Current package version: 25.7.7
 - Git diff: no changes
 - No files modified; no release necessary
 ## 2026-02-19 - 25.7.7 - fix(proxy)
 restrict PROXY protocol parsing to configured trusted proxy IPs and parse PROXY headers before metrics/fast-path so client IPs reflect the real source
 - Add proxy_ips: Vec<std::net::IpAddr> to ConnectionConfig with a default empty Vec
 - Populate proxy_ips from options.proxy_ips strings in rust/crates/rustproxy/src/lib.rs, parsing each to IpAddr
 - Only peek for and parse PROXY v1 headers when the remote IP is contained in proxy_ips (prevents untrusted clients from injecting PROXY headers)
 - Move PROXY protocol parsing earlier so metrics and fast-path logic use the effective (real client) IP after PROXY parsing
 - If proxy_ips is empty, behavior remains unchanged (no PROXY parsing)
 ## 2026-02-19 - 25.7.6 - fix(throughput)
 add tests for per-IP connection tracking and throughput history; assert per-IP eviction after connection close to prevent memory leak
 - Adds runtime assertions for per-IP TCP connection tracking (m.connections.byIP) while a connection is active
 - Adds checks for throughput history (m.throughput.history) to ensure history length and timestamps are recorded
 - Asserts that per-IP tracking data is evicted after connection close (byIP.size === 0) to verify memory leak fix
 - Reorders test checks so per-IP and history metrics are validated during the active connection and totals are validated after close
 ## 2026-02-19 - 25.7.5 - fix(rustproxy)
 prune stale per-route metrics, add per-route rate limiter caching and regex cache, and improve connection tracking cleanup to prevent memory growth
 - Prune per-route metrics for routes removed from configuration via MetricsCollector::retain_routes invoked during route table updates
 - Introduce per-route shared RateLimiter instances (DashMap) with a request-count-triggered periodic cleanup to avoid stale limiters
 - Cache compiled URL-rewrite regexes (regex_cache) to avoid recompiling patterns on every request and insert compiled regex on first use
 - Improve upstream connection tracking to remove zero-count entries and guard against underflow, preventing unbounded DashMap growth
 - Evict per-IP metrics and timestamps when the last connection for an IP closes so per-IP DashMap entries are fully freed
 - Add unit tests validating connection tracking cleanup, per-IP eviction, and route-metrics retention behavior
 ## 2026-02-19 - 25.7.4 - fix(smart-proxy)
 include proxy IPs in smart proxy configuration
 - Add proxyIps: this.settings.proxyIPs to proxy options in ts/proxies/smart-proxy/smart-proxy.ts
 - Ensures proxy IPs from settings are passed into the proxy implementation (enables proxy IP filtering/whitelisting)
 ## 2026-02-16 - 25.7.3 - fix(metrics)
 centralize connection-closed reporting via ConnectionGuard and remove duplicate explicit metrics.connection_closed calls
 - Removed numerous explicit metrics.connection_closed calls from rust/crates/rustproxy-http/src/proxy_service.rs so connection teardown and byte counting are handled by the connection guard / counting body instead of ad-hoc calls.
 - Simplified ConnectionGuard in rust/crates/rustproxy-passthrough/src/tcp_listener.rs: removed the disarm flag and disarm() method so Drop always reports connection_closed.
 - Stopped disarming the TCP-level guard when handing connections off to HTTP proxy paths (HTTP/WebSocket/streaming flows) to avoid missing or double-reporting metrics.
 - Fixes incorrect/duplicate connection-closed metric emission and ensures consistent byte/connection accounting during streaming and WebSocket upgrades.
 ## 2026-02-16 - 25.7.2 - fix(rustproxy-http)
 preserve original Host header when proxying and add X-Forwarded-* headers; add TLS WebSocket echo backend helper and integration test for terminate-and-reencrypt websocket
 - Preserve the client's original Host header instead of replacing it with backend host:port when proxying requests.
 - Add standard reverse-proxy headers: X-Forwarded-For (appends client IP), X-Forwarded-Host, and X-Forwarded-Proto for upstream requests.
 - Ensure raw TCP/HTTP upstream requests copy original headers and skip X-Forwarded-* (which are added explicitly).
 - Add start_tls_ws_echo_backend test helper to start a TLS WebSocket echo backend for tests.
 - Add integration test test_terminate_and_reencrypt_websocket to verify WS upgrade through terminate-and-reencrypt TLS path.
 - Rename unused parameter upstream to _upstream in proxy_service functions to avoid warnings.
 ## 2026-02-16 - 25.7.1 - fix(proxy)
 use TLS to backends for terminate-and-reencrypt routes
 - Set upstream.use_tls = true when a route's TLS mode is TerminateAndReencrypt so the proxy re-encrypts to backend servers.
 - Add start_tls_http_backend test helper and update integration tests to run TLS-enabled backend servers validating re-encryption behavior.
 - Make the selected upstream mutable to allow toggling the use_tls flag during request handling.
 ## 2026-02-16 - 25.7.0 - feat(routes)
 add protocol-based route matching and ensure terminate-and-reencrypt routes HTTP through the full HTTP proxy; update docs and tests
 - Introduce a new 'protocol' match field for routes (supports 'http' and 'tcp') and preserve it through cloning/merging.
 - Add Rust integration test verifying terminate-and-reencrypt decrypts TLS and routes HTTP traffic via the HTTP proxy (per-request Host/path routing) instead of raw tunneling.
 - Add TypeScript unit tests covering protocol field validation, preservation, interaction with terminate-and-reencrypt, cloning, merging, and matching behavior.
 - Update README with a Protocol-Specific Routing section and clarify terminate-and-reencrypt behavior (HTTP routed via HTTP proxy; non-HTTP uses raw TLS-to-TLS tunnel).
 - Example config: include health check thresholds (unhealthyThreshold and healthyThreshold) in the sample healthCheck settings.
 ## 2026-02-16 - 25.6.0 - feat(rustproxy)
 add protocol-based routing and backend TLS re-encryption support
 - Introduce optional route_match.protocol ("http" | "tcp") in Rust and TypeScript route types to allow protocol-restricted routing.
 - RouteManager: respect protocol field during matching and treat TLS connections without SNI as not matching domain-restricted routes (except wildcard-only routes).
 - HTTP proxy: add BackendStream abstraction to unify plain TCP and tokio-rustls TLS backend streams, and support connecting to upstreams over TLS (upstream.use_tls) with an InsecureBackendVerifier for internal/self-signed backends.
 - WebSocket and HTTP forwarding updated to use BackendStream so upstream TLS is handled transparently.
 - Passthrough listener: perform post-termination protocol detection for TerminateAndReencrypt; route HTTP flows into HttpProxyService and handle non-HTTP as TLS-to-TLS tunnel.
 - Add tests for protocol matching, TLS/no-SNI behavior, and other routing edge cases.
 - Add rustls and tokio-rustls dependencies (Cargo.toml/Cargo.lock updates).
 ## 2026-02-16 - 25.5.0 - feat(tls)
 add shared TLS acceptor with SNI resolver and session resumption; prefer shared acceptor and fall back to per-connection when routes specify custom TLS versions
 - Add CertResolver that pre-parses PEM certs/keys into CertifiedKey instances for SNI-based lookup and cheap runtime resolution
 - Introduce build_shared_tls_acceptor to create a shared ServerConfig with session cache (4096) and Ticketer for session ticket resumption
 - Add ArcSwap<Option<TlsAcceptor>> shared_tls_acceptor to tcp_listener for hot-reloadable, pre-built acceptor and update accept loop/handlers to use it
 - set_tls_configs now attempts to build and store the shared TLS acceptor, falling back to per-connection acceptors on failure; raw PEM configs are still retained for route-level fallbacks
 - Add get_tls_acceptor helper: prefer shared acceptor for performance and session resumption, but build per-connection acceptor when a route requests custom TLS versions
 ## 2026-02-16 - 25.4.0 - feat(rustproxy)
 support dynamically loaded TLS certificates via loadCertificate IPC and include them in listener TLS configs for rebuilds and hot-swap
 - Adds loaded_certs: HashMap<String, TlsCertConfig> to RustProxy to store certificates loaded at runtime
 - Merge loaded_certs into tls_configs in rebuild and listener hot-swap paths so dynamically loaded certs are served immediately
 - Persist loaded certificates on loadCertificate so future rebuilds include them
 ## 2026-02-15 - 25.3.1 - fix(plugins)
 remove unused dependencies and simplify plugin exports
 - Removed multiple dependencies from package.json to reduce dependency footprint: @push.rocks/lik, @push.rocks/smartacme, @push.rocks/smartdelay, @push.rocks/smartfile, @push.rocks/smartnetwork, @push.rocks/smartpromise, @push.rocks/smartrequest, @push.rocks/smartrx, @push.rocks/smartstring, @push.rocks/taskbuffer, @types/minimatch, @types/ws, pretty-ms, ws
 - ts/plugins.ts: stopped importing/exporting node:https and many push.rocks and third-party modules; plugins now only re-export core node modules (without https), tsclass, smartcrypto, smartlog (+ destination-local), smartrust, and minimatch
 - Intended effect: trim surface area and remove unused/optional integrations; patch-level change (no feature/API additions)
 ## 2026-02-14 - 25.3.0 - feat(smart-proxy)
 add background concurrent certificate provisioning with per-domain timeouts and concurrency control
 - Add ISmartProxyOptions settings: certProvisionTimeout (ms) and certProvisionConcurrency (default 4)
 - Run certProvisionFunction as fire-and-forget background tasks (stores promise on start/route-update and awaited on stop)
 - Provision certificates in parallel with a concurrency limit using a new ConcurrencySemaphore utility
 - Introduce per-domain timeout handling (default 300000ms) via withTimeout and surface timeout errors as certificate-failed events
 - Refactor provisioning into provisionSingleDomain to isolate domain handling, ACME fallback preserved
 - Run provisioning outside route update mutex so route updates are not blocked by slow provisioning
 ## 2026-02-14 - 25.2.2 - fix(smart-proxy)
 start metrics polling before certificate provisioning to avoid blocking metrics collection
 - Start metrics polling immediately after Rust engine startup so metrics are available without waiting for certificate provisioning.
 - Run certProvisionFunction after startup because ACME/DNS-01 provisioning can hang or be slow and must not block observability.
 - Code change in ts/proxies/smart-proxy/smart-proxy.ts: metricsAdapter.startPolling() moved to run before provisionCertificatesViaCallback().
 ## 2026-02-14 - 25.2.1 - fix(smartproxy)
 no changes detected in git diff
--- a/deno.lock
+++ b/deno.lock
@@ -5,29 +5,15 @@
    "npm:@git.zone/tsrun@^2.0.1": "2.0.1",
    "npm:@git.zone/tsrust@^1.3.0": "1.3.0",
    "npm:@git.zone/tstest@^3.1.8": "3.1.8_@push.rocks+smartserve@2.0.1_typescript@5.9.3",
    "npm:@push.rocks/lik@^6.2.2": "6.2.2",
    "npm:@push.rocks/smartacme@8": "8.0.0_@push.rocks+smartserve@2.0.1",
    "npm:@push.rocks/smartcrypto@^2.0.4": "2.0.4",
    "npm:@push.rocks/smartdelay@^3.0.5": "3.0.5",
    "npm:@push.rocks/smartfile@^13.1.2": "13.1.2",
    "npm:@push.rocks/smartlog@^3.1.10": "3.1.10",
    "npm:@push.rocks/smartnetwork@^4.4.0": "4.4.0",
    "npm:@push.rocks/smartpromise@^4.2.3": "4.2.3",
    "npm:@push.rocks/smartrequest@^5.0.1": "5.0.1",
    "npm:@push.rocks/smartrust@^1.2.1": "1.2.1",
    "npm:@push.rocks/smartrx@^3.0.10": "3.0.10",
    "npm:@push.rocks/smartserve@^2.0.1": "2.0.1",
    "npm:@push.rocks/smartstring@^4.1.0": "4.1.0",
    "npm:@push.rocks/taskbuffer@^4.2.0": "4.2.0",
    "npm:@tsclass/tsclass@^9.3.0": "9.3.0",
    "npm:@types/minimatch@6": "6.0.0",
    "npm:@types/node@^25.2.3": "25.2.3",
    "npm:@types/ws@^8.18.1": "8.18.1",
    "npm:minimatch@^10.2.0": "10.2.0",
    "npm:pretty-ms@^9.3.0": "9.3.0",
    "npm:typescript@^5.9.3": "5.9.3",
-    "npm:why-is-node-running@^3.2.2": "3.2.2",
+    "npm:why-is-node-running@^3.2.2": "3.2.2"
    "npm:ws@^8.19.0": "8.19.0"
  },
  "npm": {
    "@api.global/typedrequest-interfaces@2.0.2": {
@@ -117,7 +103,7 @@
        "@push.rocks/smartsitemap",
        "@push.rocks/smartstream",
        "@push.rocks/smarttime",
-        "@push.rocks/taskbuffer@3.5.0",
+        "@push.rocks/taskbuffer",
        "@push.rocks/webrequest@3.0.37",
        "@push.rocks/webstore",
        "@tsclass/tsclass@9.3.0",
@@ -164,19 +150,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/@api.global/typedsocket/-/typedsocket-3.1.1.tgz"
    },
    "@apiclient.xyz/cloudflare@6.4.3": {
      "integrity": "sha512-ztegUdUO3Zd4mUoTSylKlCEKPBMHEcggrLelR+7CiblM4beHMwopMVlryBmiCY7bOVbUSPoK0xsVTF7VIy3p/A==",
      "dependencies": [
        "@push.rocks/smartdelay",
        "@push.rocks/smartlog",
        "@push.rocks/smartpromise",
        "@push.rocks/smartrequest@5.0.1",
        "@push.rocks/smartstring",
        "@tsclass/tsclass@9.3.0",
        "cloudflare"
      ],
      "tarball": "https://verdaccio.lossless.digital/@apiclient.xyz/cloudflare/-/cloudflare-6.4.3.tgz"
    },
    "@aws-crypto/crc32@5.2.0": {
      "integrity": "sha512-nLbCWqQNgUiwwtFsen1AdzAtvuLRsQS8rYgMuxCrdKf9kOssamGLuPwyTY9wyYblNr9+1XM8v6zoDTPPSIeANg==",
      "dependencies": [
@@ -1590,7 +1563,7 @@
        "@push.rocks/smartpromise",
        "@push.rocks/smartstring",
        "@push.rocks/smartunique",
-        "@push.rocks/taskbuffer@3.5.0",
+        "@push.rocks/taskbuffer",
        "@tsclass/tsclass@9.3.0"
      ],
      "tarball": "https://verdaccio.lossless.digital/@push.rocks/levelcache/-/levelcache-3.2.0.tgz"
@@ -1603,7 +1576,7 @@
        "@push.rocks/smartpromise",
        "@push.rocks/smartrx",
        "@push.rocks/smarttime",
-        "@types/minimatch@5.1.2",
+        "@types/minimatch",
        "@types/symbol-tree",
        "symbol-tree"
      ],
@@ -1632,7 +1605,7 @@
        "@push.rocks/smartpath@6.0.0",
        "@push.rocks/smartpromise",
        "@push.rocks/smartrx",
-        "@push.rocks/taskbuffer@3.5.0",
+        "@push.rocks/taskbuffer",
        "@tsclass/tsclass@9.3.0"
      ],
      "tarball": "https://verdaccio.lossless.digital/@push.rocks/npmextra/-/npmextra-5.3.3.tgz"
@@ -1648,28 +1621,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/@push.rocks/qenv/-/qenv-6.1.3.tgz"
    },
    "@push.rocks/smartacme@8.0.0_@push.rocks+smartserve@2.0.1": {
      "integrity": "sha512-Oq+m+LX4IG0p4qCGZLEwa6UlMo5Hfq7paRjpREwQNsaGSKl23xsjsEJLxjxkePwaXnaIkHEwU/5MtrEkg2uKEQ==",
      "dependencies": [
        "@api.global/typedserver@3.0.80_@push.rocks+smartserve@2.0.1",
        "@apiclient.xyz/cloudflare",
        "@push.rocks/lik",
        "@push.rocks/smartdata",
        "@push.rocks/smartdelay",
        "@push.rocks/smartdns@6.2.2",
        "@push.rocks/smartfile@11.2.7",
        "@push.rocks/smartlog",
        "@push.rocks/smartnetwork",
        "@push.rocks/smartpromise",
        "@push.rocks/smartrequest@2.1.0",
        "@push.rocks/smartstring",
        "@push.rocks/smarttime",
        "@push.rocks/smartunique",
        "@tsclass/tsclass@9.3.0",
        "acme-client"
      ],
      "tarball": "https://verdaccio.lossless.digital/@push.rocks/smartacme/-/smartacme-8.0.0.tgz"
    },
    "@push.rocks/smartarchive@4.2.4": {
      "integrity": "sha512-uiqVAXPxmr8G5rv3uZvZFMOCt8l7cZC3nzvsy4YQqKf/VkPhKIEX+b7LkAeNlxPSYUiBQUkNRoawg9+5BaMcHg==",
      "dependencies": [
@@ -1805,7 +1756,7 @@
        "@push.rocks/smartstring",
        "@push.rocks/smarttime",
        "@push.rocks/smartunique",
-        "@push.rocks/taskbuffer@3.5.0",
+        "@push.rocks/taskbuffer",
        "@tsclass/tsclass@9.3.0",
        "mongodb"
      ],
@@ -1818,23 +1769,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/@push.rocks/smartdelay/-/smartdelay-3.0.5.tgz"
    },
    "@push.rocks/smartdns@6.2.2": {
      "integrity": "sha512-MhJcHujbyIuwIIFdnXb2OScGtRjNsliLUS8GoAurFsKtcCOaA0ytfP+PNzkukyBufjb1nMiJF3rjhswXdHakAQ==",
      "dependencies": [
        "@push.rocks/smartdelay",
        "@push.rocks/smartenv@5.0.13",
        "@push.rocks/smartpromise",
        "@push.rocks/smartrequest@2.1.0",
        "@tsclass/tsclass@5.0.0",
        "@types/dns-packet",
        "@types/elliptic",
        "acme-client",
        "dns-packet",
        "elliptic",
        "minimatch@10.2.0"
      ],
      "tarball": "https://verdaccio.lossless.digital/@push.rocks/smartdns/-/smartdns-6.2.2.tgz"
    },
    "@push.rocks/smartdns@7.8.0": {
      "integrity": "sha512-5FX74AAgQSqWPZkpTsI/BbUKBQpZKSvs+UdX9IZpwcuPldI+K7D1WeE02mMAGd1Ncd/sYAMor5CTlhnG6L+QhQ==",
      "dependencies": [
@@ -2095,7 +2029,7 @@
    "@push.rocks/smartnetwork@4.4.0": {
      "integrity": "sha512-OvFtz41cvQ7lcXwaIOhghNUUlNoMxvwKDctbDvMyuZyEH08SpLjhyv2FuKbKL/mgwA/WxakTbohoC8SW7t+kiw==",
      "dependencies": [
-        "@push.rocks/smartdns@7.8.0",
+        "@push.rocks/smartdns",
        "@push.rocks/smartping",
        "@push.rocks/smartpromise",
        "@push.rocks/smartstring",
@@ -2449,20 +2383,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/@push.rocks/taskbuffer/-/taskbuffer-3.5.0.tgz"
    },
    "@push.rocks/taskbuffer@4.2.0": {
      "integrity": "sha512-ttoBe5y/WXkAo5/wSMcC/Y4Zbyw4XG8kwAsEaqnAPCxa3M9MI1oV/yM1e9gU1IH97HVPidzbTxRU5/PcHDdUsg==",
      "dependencies": [
        "@design.estate/dees-element",
        "@push.rocks/lik",
        "@push.rocks/smartdelay",
        "@push.rocks/smartlog",
        "@push.rocks/smartpromise",
        "@push.rocks/smartrx",
        "@push.rocks/smarttime",
        "@push.rocks/smartunique"
      ],
      "tarball": "https://verdaccio.lossless.digital/@push.rocks/taskbuffer/-/taskbuffer-4.2.0.tgz"
    },
    "@push.rocks/webrequest@3.0.37": {
      "integrity": "sha512-fLN7kP6GeHFxE4UH4r9C9pjcQb0QkJxHeAMwXvbOqB9hh0MFNKhtGU7GoaTn8SVRGRMPc9UqZVNwo6u5l8Wn0A==",
      "dependencies": [
@@ -3317,13 +3237,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/@tsclass/tsclass/-/tsclass-4.4.4.tgz"
    },
    "@tsclass/tsclass@5.0.0": {
      "integrity": "sha512-2X66VCk0Oe1L01j6GQHC6F9Gj7lpZPPSUTDNax7e29lm4OqBTyAzTR3ePR8coSbWBwsmRV8awLRSrSI+swlqWA==",
      "dependencies": [
        "type-fest@4.41.0"
      ],
      "tarball": "https://verdaccio.lossless.digital/@tsclass/tsclass/-/tsclass-5.0.0.tgz"
    },
    "@tsclass/tsclass@9.3.0": {
      "integrity": "sha512-KD3oTUN3RGu67tgjNHgWWZGsdYipr1RUDxQ9MMKSgIJ6oNZ4q5m2rg0ibrgyHWkAjTPlHVa6kHP3uVOY+8bnHw==",
      "dependencies": [
@@ -3338,13 +3251,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/@tybys/wasm-util/-/wasm-util-0.10.1.tgz"
    },
    "@types/bn.js@5.2.0": {
      "integrity": "sha512-DLbJ1BPqxvQhIGbeu8VbUC1DiAiahHtAYvA0ZEAa4P31F7IaArc8z3C3BRQdWX4mtLQuABG4yzp76ZrS02Ui1Q==",
      "dependencies": [
        "@types/node@24.2.0"
      ],
      "tarball": "https://verdaccio.lossless.digital/@types/bn.js/-/bn.js-5.2.0.tgz"
    },
    "@types/body-parser@1.19.6": {
      "integrity": "sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g==",
      "dependencies": [
@@ -3393,13 +3299,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/@types/dns-packet/-/dns-packet-5.6.5.tgz"
    },
    "@types/elliptic@6.4.18": {
      "integrity": "sha512-UseG6H5vjRiNpQvrhy4VF/JXdA3V/Fp5amvveaL+fs28BZ6xIKJBPnUPRlEaZpysD9MbpfaLi8lbl7PGUAkpWw==",
      "dependencies": [
        "@types/bn.js"
      ],
      "tarball": "https://verdaccio.lossless.digital/@types/elliptic/-/elliptic-6.4.18.tgz"
    },
    "@types/express-serve-static-core@5.1.1": {
      "integrity": "sha512-v4zIMr/cX7/d2BpAEX3KNKL/JrT1s43s96lLvvdTmza1oEvDudCqK9aF/djc/SWgy8Yh0h30TZx5VpzqFCxk5A==",
      "dependencies": [
@@ -3481,14 +3380,6 @@
      "integrity": "sha512-K0VQKziLUWkVKiRVrx4a40iPaxTUefQmjtkQofBkYRcoaaL/8rhwDWww9qWbrgicNOgnpIsMxyNIUM4+n6dUIA==",
      "tarball": "https://verdaccio.lossless.digital/@types/minimatch/-/minimatch-5.1.2.tgz"
    },
    "@types/minimatch@6.0.0": {
      "integrity": "sha512-zmPitbQ8+6zNutpwgcQuLcsEpn/Cj54Kbn7L5pX0Os5kdWplB7xPgEh/g+SWOB/qmows2gpuCaPyduq8ZZRnxA==",
      "dependencies": [
        "minimatch@10.2.0"
      ],
      "deprecated": true,
      "tarball": "https://verdaccio.lossless.digital/@types/minimatch/-/minimatch-6.0.0.tgz"
    },
    "@types/ms@2.1.0": {
      "integrity": "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==",
      "tarball": "https://verdaccio.lossless.digital/@types/ms/-/ms-2.1.0.tgz"
@@ -3500,14 +3391,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/@types/mute-stream/-/mute-stream-0.0.4.tgz"
    },
    "@types/node-fetch@2.6.13": {
      "integrity": "sha512-QGpRVpzSaUs30JBSGPjOg4Uveu384erbHBoT1zeONvyCfwQxIkUshLAOqN/k9EjGviPRmWTTe6aH2qySWKTVSw==",
      "dependencies": [
        "@types/node@24.2.0",
        "form-data"
      ],
      "tarball": "https://verdaccio.lossless.digital/@types/node-fetch/-/node-fetch-2.6.13.tgz"
    },
    "@types/node-forge@1.3.14": {
      "integrity": "sha512-mhVF2BnD4BO+jtOp7z1CdzaK4mbuK0LLQYAvdOLqHTavxFNq4zA1EmYkpnFjP8HOUzedfQkRnp0E2ulSAYSzAw==",
      "dependencies": [
@@ -3515,13 +3398,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/@types/node-forge/-/node-forge-1.3.14.tgz"
    },
    "@types/node@18.19.130": {
      "integrity": "sha512-GRaXQx6jGfL8sKfaIDD6OupbIHBr9jv7Jnaml9tB7l4v068PAOXqfcujMMo5PhbIs6ggR1XODELqahT2R8v0fg==",
      "dependencies": [
        "undici-types@5.26.5"
      ],
      "tarball": "https://verdaccio.lossless.digital/@types/node/-/node-18.19.130.tgz"
    },
    "@types/node@22.19.11": {
      "integrity": "sha512-BH7YwL6rA93ReqeQS1c4bsPpcfOmJasG+Fkr6Y59q83f9M1WcBRHR2vM+P9eOisYRcN3ujQoiZY8uk5W+1WL8w==",
      "dependencies": [
@@ -3660,13 +3536,6 @@
      "integrity": "sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==",
      "tarball": "https://verdaccio.lossless.digital/@ungap/structured-clone/-/structured-clone-1.3.0.tgz"
    },
    "abort-controller@3.0.0": {
      "integrity": "sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==",
      "dependencies": [
        "event-target-shim"
      ],
      "tarball": "https://verdaccio.lossless.digital/abort-controller/-/abort-controller-3.0.0.tgz"
    },
    "accepts@1.3.8": {
      "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
      "dependencies": [
@@ -3849,10 +3718,6 @@
      "integrity": "sha512-RkaJzeJKDbaDWTIPiJwubyljaEPwpVWkm9Rt5h9Nd6h7tEXTJ3VB4qxdZBioV7JO5yLUaOKwz7vDOzlncUsegw==",
      "tarball": "https://verdaccio.lossless.digital/basic-ftp/-/basic-ftp-5.1.0.tgz"
    },
    "bn.js@4.12.2": {
      "integrity": "sha512-n4DSx829VRTRByMRGdjQ9iqsN0Bh4OolPsFnaZBLcbi8iXcB+kJ9s7EnRt4wILZNV3kPLHkRVfOc/HvhC3ovDw==",
      "tarball": "https://verdaccio.lossless.digital/bn.js/-/bn.js-4.12.2.tgz"
    },
    "body-parser@2.2.2": {
      "integrity": "sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==",
      "dependencies": [
@@ -3904,10 +3769,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/broadcast-channel/-/broadcast-channel-7.3.0.tgz"
    },
    "brorand@1.1.0": {
      "integrity": "12c25efe40a45e3c323eb8675a0a0ce57b22371f",
      "tarball": "https://verdaccio.lossless.digital/brorand/-/brorand-1.1.0.tgz"
    },
    "bson@6.10.4": {
      "integrity": "sha512-WIsKqkSC0ABoBJuT1LEX+2HEvNmNKKgnTAyd0fL8qzK4SH2i9NXg+t08YtdZp/V9IZ33cxe3iV4yM0qg8lMQng==",
      "tarball": "https://verdaccio.lossless.digital/bson/-/bson-6.10.4.tgz"
@@ -4051,19 +3912,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/cliui/-/cliui-8.0.1.tgz"
    },
    "cloudflare@5.2.0": {
      "integrity": "sha512-dVzqDpPFYR9ApEC9e+JJshFJZXcw4HzM8W+3DHzO5oy9+8rLC53G7x6fEf9A7/gSuSCxuvndzui5qJKftfIM9A==",
      "dependencies": [
        "@types/node@18.19.130",
        "@types/node-fetch",
        "abort-controller",
        "agentkeepalive",
        "form-data-encoder@1.7.2",
        "formdata-node",
        "node-fetch"
      ],
      "tarball": "https://verdaccio.lossless.digital/cloudflare/-/cloudflare-5.2.0.tgz"
    },
    "color-convert@2.0.1": {
      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
      "dependencies": [
@@ -4286,19 +4134,6 @@
      "integrity": "590c61156b0ae2f4f0255732a158b266bc56b21d",
      "tarball": "https://verdaccio.lossless.digital/ee-first/-/ee-first-1.1.1.tgz"
    },
    "elliptic@6.6.1": {
      "integrity": "sha512-RaddvvMatK2LJHqFJ+YA4WysVN5Ita9E35botqIYspQ4TkRAlCicdzKOjlyv/1Za5RyTNn7di//eEV0uTAfe3g==",
      "dependencies": [
        "bn.js",
        "brorand",
        "hash.js",
        "hmac-drbg",
        "inherits",
        "minimalistic-assert",
        "minimalistic-crypto-utils"
      ],
      "tarball": "https://verdaccio.lossless.digital/elliptic/-/elliptic-6.6.1.tgz"
    },
    "emoji-regex@8.0.0": {
      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
      "tarball": "https://verdaccio.lossless.digital/emoji-regex/-/emoji-regex-8.0.0.tgz"
@@ -4464,10 +4299,6 @@
      "integrity": "41ae2eeb65efa62268aebfea83ac7d79299b0887",
      "tarball": "https://verdaccio.lossless.digital/etag/-/etag-1.8.1.tgz"
    },
    "event-target-shim@5.0.1": {
      "integrity": "sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==",
      "tarball": "https://verdaccio.lossless.digital/event-target-shim/-/event-target-shim-5.0.1.tgz"
    },
    "eventemitter3@4.0.7": {
      "integrity": "sha512-8guHBZCwKnFhYdHr2ysuRWErTwhoN2X8XELRlrRwpmfeY2jjuUN4taQMsULKUVo1K4DvZl+0pgfyoysHxvmvEw==",
      "tarball": "https://verdaccio.lossless.digital/eventemitter3/-/eventemitter3-4.0.7.tgz"
@@ -4684,10 +4515,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/foreground-child/-/foreground-child-3.3.1.tgz"
    },
    "form-data-encoder@1.7.2": {
      "integrity": "sha512-qfqtYan3rxrnCk1VYaA4H+Ms9xdpPqvLZa6xmMgFvhO32x7/3J/ExcTd6qpxM0vH2GdMI+poehyBZvqfMTto8A==",
      "tarball": "https://verdaccio.lossless.digital/form-data-encoder/-/form-data-encoder-1.7.2.tgz"
    },
    "form-data-encoder@2.1.4": {
      "integrity": "sha512-yDYSgNMraqvnxiEXO4hi88+YZxaHC6QKzb5N84iRCTDeRO7ZALpir/lVmf/uXUhnwUr2O4HU8s/n6x+yNjQkHw==",
      "tarball": "https://verdaccio.lossless.digital/form-data-encoder/-/form-data-encoder-2.1.4.tgz"
@@ -4707,14 +4534,6 @@
      "integrity": "d6170107e9efdc4ed30c9dc39016df942b5cb58b",
      "tarball": "https://verdaccio.lossless.digital/format/-/format-0.2.2.tgz"
    },
    "formdata-node@4.4.1": {
      "integrity": "sha512-0iirZp3uVDjVGt9p49aTaqjk84TrglENEDuqfdlZQ1roC9CWlPk6Avf8EEnZNcAqPonwkG35x4n3ww/1THYAeQ==",
      "dependencies": [
        "node-domexception",
        "web-streams-polyfill"
      ],
      "tarball": "https://verdaccio.lossless.digital/formdata-node/-/formdata-node-4.4.1.tgz"
    },
    "forwarded@0.2.0": {
      "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==",
      "tarball": "https://verdaccio.lossless.digital/forwarded/-/forwarded-0.2.0.tgz"
@@ -4846,7 +4665,7 @@
        "cacheable-lookup",
        "cacheable-request",
        "decompress-response",
-        "form-data-encoder@2.1.4",
+        "form-data-encoder",
        "get-stream@6.0.1",
        "http2-wrapper",
        "lowercase-keys",
@@ -4863,7 +4682,7 @@
      "integrity": "sha512-KyrFvnl+J9US63TEzwoiJOQzZBJY7KgBushJA8X61DMbNsH+2ONkDuLDnCnwUiPTF42tLoEmrPyoqbenVA5zrg==",
      "dependencies": [
        "entities",
-        "webidl-conversions@7.0.0",
+        "webidl-conversions",
        "whatwg-mimetype"
      ],
      "tarball": "https://verdaccio.lossless.digital/happy-dom/-/happy-dom-15.11.7.tgz"
@@ -4886,14 +4705,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/has-tostringtag/-/has-tostringtag-1.0.2.tgz"
    },
    "hash.js@1.1.7": {
      "integrity": "sha512-taOaskGt4z4SOANNseOviYDvjEJinIkRgmp7LbKP2YTTmVxWBl87s/uzK9r+44BclBSp2X7K1hqeNfz9JbBeXA==",
      "dependencies": [
        "inherits",
        "minimalistic-assert"
      ],
      "tarball": "https://verdaccio.lossless.digital/hash.js/-/hash.js-1.1.7.tgz"
    },
    "hasown@2.0.2": {
      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
      "dependencies": [
@@ -4939,15 +4750,6 @@
      "bin": true,
      "tarball": "https://verdaccio.lossless.digital/he/-/he-1.2.0.tgz"
    },
    "hmac-drbg@1.0.1": {
      "integrity": "d2745701025a6c775a6c545793ed502fc0c649a1",
      "dependencies": [
        "hash.js",
        "minimalistic-assert",
        "minimalistic-crypto-utils"
      ],
      "tarball": "https://verdaccio.lossless.digital/hmac-drbg/-/hmac-drbg-1.0.1.tgz"
    },
    "html-minifier@4.0.0": {
      "integrity": "sha512-aoGxanpFPLg7MkIl/DDFYtb0iWz7jMFGqFhvEDZga6/4QTjneiD8I/NXL1x5aaoCp7FSIT6h/OhykDdPsbtMig==",
      "dependencies": [
@@ -5845,14 +5647,6 @@
      "integrity": "sha512-UeX942qZpofn5L97h295SkS7j/ADf7Qac8gdRCMBPxi0/1m70aeB2owLFvWbyuMj1dowonlivlVRQVDx+6h+7Q==",
      "tarball": "https://verdaccio.lossless.digital/mingo/-/mingo-7.2.0.tgz"
    },
    "minimalistic-assert@1.0.1": {
      "integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==",
      "tarball": "https://verdaccio.lossless.digital/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz"
    },
    "minimalistic-crypto-utils@1.0.1": {
      "integrity": "f6c00c1c0b082246e5c4d99dfb8c7c083b2b582a",
      "tarball": "https://verdaccio.lossless.digital/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz"
    },
    "minimatch@10.2.0": {
      "integrity": "sha512-ugkC31VaVg9cF0DFVoADH12k6061zNZkZON+aX8AWsR9GhPcErkcMBceb6znR8wLERM2AkkOxy2nWRLpT9Jq5w==",
      "dependencies": [
@@ -5890,7 +5684,7 @@
      "integrity": "sha512-rMO7CGo/9BFwyZABcKAWL8UJwH/Kc2x0g72uhDWzG48URRax5TCIcJ7Rc3RZqffZzO/Gwff/jyKwCU9TN8gehA==",
      "dependencies": [
        "@types/whatwg-url",
-        "whatwg-url@14.2.0"
+        "whatwg-url"
      ],
      "tarball": "https://verdaccio.lossless.digital/mongodb-connection-string-url/-/mongodb-connection-string-url-3.0.2.tgz"
    },
@@ -5969,17 +5763,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/no-case/-/no-case-2.3.2.tgz"
    },
    "node-domexception@1.0.0": {
      "integrity": "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==",
      "tarball": "https://verdaccio.lossless.digital/node-domexception/-/node-domexception-1.0.0.tgz"
    },
    "node-fetch@2.7.0": {
      "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==",
      "dependencies": [
        "whatwg-url@5.0.0"
      ],
      "tarball": "https://verdaccio.lossless.digital/node-fetch/-/node-fetch-2.7.0.tgz"
    },
    "node-forge@1.3.3": {
      "integrity": "sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==",
      "tarball": "https://verdaccio.lossless.digital/node-forge/-/node-forge-1.3.3.tgz"
@@ -6913,10 +6696,6 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/token-types/-/token-types-6.1.2.tgz"
    },
    "tr46@0.0.3": {
      "integrity": "8184fd347dac9cdc185992f3a6622e14b9d9ab6a",
      "tarball": "https://verdaccio.lossless.digital/tr46/-/tr46-0.0.3.tgz"
    },
    "tr46@5.1.1": {
      "integrity": "sha512-hdF5ZgjTqgAntKkklYw0R03MG2x/bSzTtkxmIRw/sTNV8YXsCJ1tfLAX23lhxhHJlEf3CRCOCGGWw3vI3GaSPw==",
      "dependencies": [
@@ -7014,10 +6793,6 @@
      "integrity": "sha512-rvKSBiC5zqCCiDZ9kAOszZcDvdAHwwIKJG33Ykj43OKcWsnmcBRL09YTU4nOeHZ8Y2a7l1MgTd08SBe9A8Qj6A==",
      "tarball": "https://verdaccio.lossless.digital/uint8array-extras/-/uint8array-extras-1.5.0.tgz"
    },
    "undici-types@5.26.5": {
      "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==",
      "tarball": "https://verdaccio.lossless.digital/undici-types/-/undici-types-5.26.5.tgz"
    },
    "undici-types@6.21.0": {
      "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
      "tarball": "https://verdaccio.lossless.digital/undici-types/-/undici-types-6.21.0.tgz"
@@ -7134,18 +6909,10 @@
      ],
      "tarball": "https://verdaccio.lossless.digital/vfile/-/vfile-6.0.3.tgz"
    },
    "web-streams-polyfill@4.0.0-beta.3": {
      "integrity": "sha512-QW95TCTaHmsYfHDybGMwO5IJIM93I/6vTRk+daHTWFPhwh+C8Cg7j7XyKrwrj8Ib6vYXe0ocYNrmzY4xAAN6ug==",
      "tarball": "https://verdaccio.lossless.digital/web-streams-polyfill/-/web-streams-polyfill-4.0.0-beta.3.tgz"
    },
    "webdriver-bidi-protocol@0.4.0": {
      "integrity": "sha512-U9VIlNRrq94d1xxR9JrCEAx5Gv/2W7ERSv8oWRoNe/QYbfccS0V3h/H6qeNeCRJxXGMhhnkqvwNrvPAYeuP9VA==",
      "tarball": "https://verdaccio.lossless.digital/webdriver-bidi-protocol/-/webdriver-bidi-protocol-0.4.0.tgz"
    },
    "webidl-conversions@3.0.1": {
      "integrity": "24534275e2a7bc6be7bc86611cc16ae0a5654871",
      "tarball": "https://verdaccio.lossless.digital/webidl-conversions/-/webidl-conversions-3.0.1.tgz"
    },
    "webidl-conversions@7.0.0": {
      "integrity": "sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g==",
      "tarball": "https://verdaccio.lossless.digital/webidl-conversions/-/webidl-conversions-7.0.0.tgz"
@@ -7157,19 +6924,11 @@
    "whatwg-url@14.2.0": {
      "integrity": "sha512-De72GdQZzNTUBBChsXueQUnPKDkg/5A5zp7pFDuQAj5UFoENpiACU0wlCvzpAGnTkj++ihpKwKyYewn/XNUbKw==",
      "dependencies": [
-        "tr46@5.1.1",
+        "tr46",
-        "webidl-conversions@7.0.0"
+        "webidl-conversions"
      ],
      "tarball": "https://verdaccio.lossless.digital/whatwg-url/-/whatwg-url-14.2.0.tgz"
    },
    "whatwg-url@5.0.0": {
      "integrity": "966454e8765462e37644d3626f6742ce8b70965d",
      "dependencies": [
        "tr46@0.0.3",
        "webidl-conversions@3.0.1"
      ],
      "tarball": "https://verdaccio.lossless.digital/whatwg-url/-/whatwg-url-5.0.0.tgz"
    },
    "which@2.0.2": {
      "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
      "dependencies": [
@@ -7295,29 +7054,15 @@
        "npm:@git.zone/tsrun@^2.0.1",
        "npm:@git.zone/tsrust@^1.3.0",
        "npm:@git.zone/tstest@^3.1.8",
        "npm:@push.rocks/lik@^6.2.2",
        "npm:@push.rocks/smartacme@8",
        "npm:@push.rocks/smartcrypto@^2.0.4",
        "npm:@push.rocks/smartdelay@^3.0.5",
        "npm:@push.rocks/smartfile@^13.1.2",
        "npm:@push.rocks/smartlog@^3.1.10",
        "npm:@push.rocks/smartnetwork@^4.4.0",
        "npm:@push.rocks/smartpromise@^4.2.3",
        "npm:@push.rocks/smartrequest@^5.0.1",
        "npm:@push.rocks/smartrust@^1.2.1",
        "npm:@push.rocks/smartrx@^3.0.10",
        "npm:@push.rocks/smartserve@^2.0.1",
        "npm:@push.rocks/smartstring@^4.1.0",
        "npm:@push.rocks/taskbuffer@^4.2.0",
        "npm:@tsclass/tsclass@^9.3.0",
        "npm:@types/minimatch@6",
        "npm:@types/node@^25.2.3",
        "npm:@types/ws@^8.18.1",
        "npm:minimatch@^10.2.0",
        "npm:pretty-ms@^9.3.0",
        "npm:typescript@^5.9.3",
-        "npm:why-is-node-running@^3.2.2",
+        "npm:why-is-node-running@^3.2.2"
        "npm:ws@^8.19.0"
      ]
    }
  }
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "25.2.1",
+  "version": "25.7.9",
  "private": false,
  "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
  "main": "dist_ts/index.js",
@@ -25,25 +25,11 @@
    "why-is-node-running": "^3.2.2"
  },
  "dependencies": {
    "@push.rocks/lik": "^6.2.2",
    "@push.rocks/smartacme": "^8.0.0",
    "@push.rocks/smartcrypto": "^2.0.4",
    "@push.rocks/smartdelay": "^3.0.5",
    "@push.rocks/smartfile": "^13.1.2",
    "@push.rocks/smartlog": "^3.1.10",
    "@push.rocks/smartnetwork": "^4.4.0",
    "@push.rocks/smartpromise": "^4.2.3",
    "@push.rocks/smartrequest": "^5.0.1",
    "@push.rocks/smartrust": "^1.2.1",
    "@push.rocks/smartrx": "^3.0.10",
    "@push.rocks/smartstring": "^4.1.0",
    "@push.rocks/taskbuffer": "^4.2.0",
    "@tsclass/tsclass": "^9.3.0",
-    "@types/minimatch": "^6.0.0",
+    "minimatch": "^10.2.0"
    "@types/ws": "^8.18.1",
    "minimatch": "^10.2.0",
    "pretty-ms": "^9.3.0",
    "ws": "^8.19.0"
  },
  "files": [
    "ts/**/*",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -8,63 +8,21 @@ importers:
  .:
    dependencies:
      '@push.rocks/lik':
        specifier: ^6.2.2
        version: 6.2.2
      '@push.rocks/smartacme':
        specifier: ^8.0.0
        version: 8.0.0(socks@2.8.7)
      '@push.rocks/smartcrypto':
        specifier: ^2.0.4
        version: 2.0.4
      '@push.rocks/smartdelay':
        specifier: ^3.0.5
        version: 3.0.5
      '@push.rocks/smartfile':
        specifier: ^13.1.2
        version: 13.1.2
      '@push.rocks/smartlog':
        specifier: ^3.1.10
        version: 3.1.10
      '@push.rocks/smartnetwork':
        specifier: ^4.4.0
        version: 4.4.0
      '@push.rocks/smartpromise':
        specifier: ^4.2.3
        version: 4.2.3
      '@push.rocks/smartrequest':
        specifier: ^5.0.1
        version: 5.0.1
      '@push.rocks/smartrust':
        specifier: ^1.2.1
        version: 1.2.1
      '@push.rocks/smartrx':
        specifier: ^3.0.10
        version: 3.0.10
      '@push.rocks/smartstring':
        specifier: ^4.1.0
        version: 4.1.0
      '@push.rocks/taskbuffer':
        specifier: ^4.2.0
        version: 4.2.0
      '@tsclass/tsclass':
        specifier: ^9.3.0
        version: 9.3.0
      '@types/minimatch':
        specifier: ^6.0.0
        version: 6.0.0
      '@types/ws':
        specifier: ^8.18.1
        version: 8.18.1
      minimatch:
        specifier: ^10.2.0
        version: 10.2.0
      pretty-ms:
        specifier: ^9.3.0
        version: 9.3.0
      ws:
        specifier: ^8.19.0
        version: 8.19.0
    devDependencies:
      '@git.zone/tsbuild':
        specifier: ^4.1.2
@@ -113,9 +71,6 @@ packages:
      '@push.rocks/smartserve':
        optional: true
  '@apiclient.xyz/cloudflare@6.4.3':
    resolution: {integrity: sha512-ztegUdUO3Zd4mUoTSylKlCEKPBMHEcggrLelR+7CiblM4beHMwopMVlryBmiCY7bOVbUSPoK0xsVTF7VIy3p/A==}
  '@aws-crypto/crc32@5.2.0':
    resolution: {integrity: sha512-nLbCWqQNgUiwwtFsen1AdzAtvuLRsQS8rYgMuxCrdKf9kOssamGLuPwyTY9wyYblNr9+1XM8v6zoDTPPSIeANg==}
    engines: {node: '>=16.0.0'}
@@ -312,15 +267,9 @@ packages:
  '@design.estate/dees-domtools@2.3.6':
    resolution: {integrity: sha512-cKaPNtSpp/ZuuXVx2dXO3K2FU3/HjC4ZkqtXb8Kl6yy9rNDbgtjcI4PuOk9Ux1SJzw7FgcxqVh7OSEV60htbmg==}
  '@design.estate/dees-domtools@2.3.8':
    resolution: {integrity: sha512-jUG9GMvPxKMwmRIZ9oLTL3c8hHvHuiwIk8cTrYnuZzGO/uJJ5/czk9o6LRXUuCOOG7TRLtqgOpK8EEQgaadfZA==}
  '@design.estate/dees-element@2.1.3':
    resolution: {integrity: sha512-TjXWxVcdSPaT1IOk31ckfxvAZnJLuTxhFGsNCKoh63/UE2FVf6slp8//UFvN+ADigiA9ZsY0azkY99XbJCwDDA==}
  '@design.estate/dees-element@2.1.6':
    resolution: {integrity: sha512-7zyHkUjB8UEQgT9VbB2IJtc/yuPt9CI5JGel3b6BxA1kecY64ceIjFvof1uIkc0QP8q2fMLLY45r1c+9zDTjzg==}
  '@emnapi/core@1.8.1':
    resolution: {integrity: sha512-AvT9QFpxK0Zd8J0jopedNm+w/2fIzvtPKPjqyw9jwvBaReTTqPBk9Hixaz7KbjimP+QNz605/XnjFcDAL2pqBg==}
@@ -580,15 +529,9 @@ packages:
  '@lit-labs/ssr-dom-shim@1.4.0':
    resolution: {integrity: sha512-ficsEARKnmmW5njugNYKipTm4SFnbik7CXtoencDZzmzo/dQ+2Q0bgkzJuoJP20Aj0F+izzJjOqsnkd6F/o1bw==}
  '@lit-labs/ssr-dom-shim@1.5.1':
    resolution: {integrity: sha512-Aou5UdlSpr5whQe8AA/bZG0jMj96CoJIWbGfZ91qieWu5AWUMKw8VR/pAkQkJYvBNhmCcWnZlyyk5oze8JIqYA==}
  '@lit/reactive-element@2.1.1':
    resolution: {integrity: sha512-N+dm5PAYdQ8e6UlywyyrgI2t++wFGXfHx+dSJ1oBrg6FAxUj40jId++EaRm80MKX5JnlH1sBsyZ5h0bcZKemCg==}
  '@lit/reactive-element@2.1.2':
    resolution: {integrity: sha512-pbCDiVMnne1lYUIaYNN5wrwQXDtHaYtg7YEFPeW+hws6U47WeFvISGUWekPGKWOP1ygrs0ef0o1VJMk1exos5A==}
  '@mixmark-io/domino@2.2.0':
    resolution: {integrity: sha512-Y28PR25bHXUg88kCV7nivXrP2Nj2RueZ3/l/jdx6J9f8J4nsEGcgX0Qe6lt7Pa+J79+kPiJU3LguR6O/6zrLOw==}
@@ -706,9 +649,6 @@ packages:
  '@push.rocks/qenv@6.1.3':
    resolution: {integrity: sha512-+z2hsAU/7CIgpYLFqvda8cn9rUBMHqLdQLjsFfRn5jPoD7dJ5rFlpkbhfM4Ws8mHMniwWaxGKo+q/YBhtzRBLg==}
  '@push.rocks/smartacme@8.0.0':
    resolution: {integrity: sha512-Oq+m+LX4IG0p4qCGZLEwa6UlMo5Hfq7paRjpREwQNsaGSKl23xsjsEJLxjxkePwaXnaIkHEwU/5MtrEkg2uKEQ==}
  '@push.rocks/smartarchive@4.2.4':
    resolution: {integrity: sha512-uiqVAXPxmr8G5rv3uZvZFMOCt8l7cZC3nzvsy4YQqKf/VkPhKIEX+b7LkAeNlxPSYUiBQUkNRoawg9+5BaMcHg==}
@@ -746,9 +686,6 @@ packages:
  '@push.rocks/smartdelay@3.0.5':
    resolution: {integrity: sha512-mUuI7kj2f7ztjpic96FvRIlf2RsKBa5arw81AHNsndbxO6asRcxuWL8dTVxouEIK8YsBUlj0AsrCkHhMbLQdHw==}
  '@push.rocks/smartdns@6.2.2':
    resolution: {integrity: sha512-MhJcHujbyIuwIIFdnXb2OScGtRjNsliLUS8GoAurFsKtcCOaA0ytfP+PNzkukyBufjb1nMiJF3rjhswXdHakAQ==}
  '@push.rocks/smartdns@7.6.1':
    resolution: {integrity: sha512-nnP5+A2GOt0WsHrYhtKERmjdEHUchc+QbCCBEqlyeQTn+mNfx2WZvKVI1DFRJt8lamvzxP6Hr/BSe3WHdh4Snw==}
@@ -797,9 +734,6 @@ packages:
  '@push.rocks/smartjson@5.2.0':
    resolution: {integrity: sha512-710e8UwovRfPgUtaBHcd6unaODUjV5fjxtGcGCqtaTcmvOV6VpasdVfT66xMDzQmWH2E9ZfHDJeso9HdDQzNQA==}
  '@push.rocks/smartjson@6.0.0':
    resolution: {integrity: sha512-FYfJnmukt66WePn6xrVZ3BLmRQl9W82LcsICK3VU9sGW7kasig090jKXPm+yX8ibQcZAO/KyR/Q8tMIYZNxGew==}
  '@push.rocks/smartlog-destination-devtools@1.0.12':
    resolution: {integrity: sha512-zvsIkrqByc0JRaBgIyhh+PSz2SY/e/bmhZdUcr/OW6pudgAcqe2sso68EzrKux0w9OMl1P9ZnzF3FpCZPFWD/A==}
@@ -902,9 +836,6 @@ packages:
  '@push.rocks/smartstate@2.0.27':
    resolution: {integrity: sha512-q4UKir7GV3hakJWXQR4DoA4tUVwT5GRkJ/MtanHYF0wZLHfS19+nGmyO9y974zk3eT9hmy3+Lq5cKtU2W6+Y3w==}
  '@push.rocks/smartstate@2.0.30':
    resolution: {integrity: sha512-IuNW8XtSumXIr7g7MIFyWg5PBwLF2mwsymTJbSEycK2Pa9ZLk4yjRHnR907xCilxgiMU9ixQZyNdpa5MMF999A==}
  '@push.rocks/smartstream@3.2.5':
    resolution: {integrity: sha512-PLGGIFDy8JLNVUnnntMSIYN4W081YSbNC7Y/sWpvUT8PAXtbEXXUiDFgK5o3gcI0ptpKQxHAwxhzNlPj0sbFVg==}
@@ -935,9 +866,6 @@ packages:
  '@push.rocks/taskbuffer@3.5.0':
    resolution: {integrity: sha512-Y9WwIEIyp6oVFdj06j84tfrZIvjhbMb3DF52rYxlTeYLk3W7RPhSg1bGPCbtkXWeKdBrSe37V90BkOG7Qq8Pqg==}
  '@push.rocks/taskbuffer@4.2.0':
    resolution: {integrity: sha512-ttoBe5y/WXkAo5/wSMcC/Y4Zbyw4XG8kwAsEaqnAPCxa3M9MI1oV/yM1e9gU1IH97HVPidzbTxRU5/PcHDdUsg==}
  '@push.rocks/webrequest@3.0.37':
    resolution: {integrity: sha512-fLN7kP6GeHFxE4UH4r9C9pjcQb0QkJxHeAMwXvbOqB9hh0MFNKhtGU7GoaTn8SVRGRMPc9UqZVNwo6u5l8Wn0A==}
@@ -1368,20 +1296,6 @@ packages:
  '@tempfix/idb@8.0.3':
    resolution: {integrity: sha512-hPJQKO7+oAIY+pDNImrZ9QAINbz9KmwT+yO4iRVwdPanok2YKpaUxdJzIvCUwY0YgAawlvYdffbLvRLV5hbs2g==}
  '@tempfix/lenis@1.3.20':
    resolution: {integrity: sha512-ypeB0FuHLHOCQXW4d0RQ69txPJJH+1CHcpsZIUdcv2t1vR0IVyQr2vHihtde9UOXhjzqEnUphWon/UcJNsa0YA==}
    peerDependencies:
      '@nuxt/kit': '>=3.0.0'
      react: '>=17.0.0'
      vue: '>=3.0.0'
    peerDependenciesMeta:
      '@nuxt/kit':
        optional: true
      react:
        optional: true
      vue:
        optional: true
  '@tokenizer/inflate@0.4.1':
    resolution: {integrity: sha512-2mAv+8pkG6GIZiF1kNg1jAjh27IDxEPKwdGul3snfztFerfPGI1LjDezZp3i7BElXompqEtPmoPx6c2wgtWsOA==}
    engines: {node: '>=18'}
@@ -1395,9 +1309,6 @@ packages:
  '@tsclass/tsclass@4.4.4':
    resolution: {integrity: sha512-YZOAF+u+r4u5rCev2uUd1KBTBdfyFdtDmcv4wuN+864lMccbdfRICR3SlJwCfYS1lbeV3QNLYGD30wjRXgvCJA==}
  '@tsclass/tsclass@5.0.0':
    resolution: {integrity: sha512-2X66VCk0Oe1L01j6GQHC6F9Gj7lpZPPSUTDNax7e29lm4OqBTyAzTR3ePR8coSbWBwsmRV8awLRSrSI+swlqWA==}
  '@tsclass/tsclass@9.3.0':
    resolution: {integrity: sha512-KD3oTUN3RGu67tgjNHgWWZGsdYipr1RUDxQ9MMKSgIJ6oNZ4q5m2rg0ibrgyHWkAjTPlHVa6kHP3uVOY+8bnHw==}
@@ -1470,25 +1381,15 @@ packages:
  '@types/minimatch@5.1.2':
    resolution: {integrity: sha512-K0VQKziLUWkVKiRVrx4a40iPaxTUefQmjtkQofBkYRcoaaL/8rhwDWww9qWbrgicNOgnpIsMxyNIUM4+n6dUIA==}
  '@types/minimatch@6.0.0':
    resolution: {integrity: sha512-zmPitbQ8+6zNutpwgcQuLcsEpn/Cj54Kbn7L5pX0Os5kdWplB7xPgEh/g+SWOB/qmows2gpuCaPyduq8ZZRnxA==}
    deprecated: This is a stub types definition. minimatch provides its own type definitions, so you do not need this installed.
  '@types/ms@2.1.0':
    resolution: {integrity: sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==}
  '@types/mute-stream@0.0.4':
    resolution: {integrity: sha512-CPM9nzrCPPJHQNA9keH9CVkVI+WR5kMa+7XEs5jcGQ0VoAGnLv242w8lIVgwAEfmE4oufJRaTc9PNLQl0ioAow==}
  '@types/node-fetch@2.6.13':
    resolution: {integrity: sha512-QGpRVpzSaUs30JBSGPjOg4Uveu384erbHBoT1zeONvyCfwQxIkUshLAOqN/k9EjGviPRmWTTe6aH2qySWKTVSw==}
  '@types/node-forge@1.3.14':
    resolution: {integrity: sha512-mhVF2BnD4BO+jtOp7z1CdzaK4mbuK0LLQYAvdOLqHTavxFNq4zA1EmYkpnFjP8HOUzedfQkRnp0E2ulSAYSzAw==}
  '@types/node@18.19.130':
    resolution: {integrity: sha512-GRaXQx6jGfL8sKfaIDD6OupbIHBr9jv7Jnaml9tB7l4v068PAOXqfcujMMo5PhbIs6ggR1XODELqahT2R8v0fg==}
  '@types/node@22.19.11':
    resolution: {integrity: sha512-BH7YwL6rA93ReqeQS1c4bsPpcfOmJasG+Fkr6Y59q83f9M1WcBRHR2vM+P9eOisYRcN3ujQoiZY8uk5W+1WL8w==}
@@ -1564,10 +1465,6 @@ packages:
  '@ungap/structured-clone@1.3.0':
    resolution: {integrity: sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==}
  abort-controller@3.0.0:
    resolution: {integrity: sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==}
    engines: {node: '>=6.5'}
  accepts@1.3.8:
    resolution: {integrity: sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==}
    engines: {node: '>= 0.6'}
@@ -1808,9 +1705,6 @@ packages:
    resolution: {integrity: sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==}
    engines: {node: '>=12'}
  cloudflare@5.2.0:
    resolution: {integrity: sha512-dVzqDpPFYR9ApEC9e+JJshFJZXcw4HzM8W+3DHzO5oy9+8rLC53G7x6fEf9A7/gSuSCxuvndzui5qJKftfIM9A==}
  color-convert@2.0.1:
    resolution: {integrity: sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==}
    engines: {node: '>=7.0.0'}
@@ -2059,10 +1953,6 @@ packages:
    resolution: {integrity: sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc=}
    engines: {node: '>= 0.6'}
  event-target-shim@5.0.1:
    resolution: {integrity: sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==}
    engines: {node: '>=6'}
  eventemitter3@4.0.7:
    resolution: {integrity: sha512-8guHBZCwKnFhYdHr2ysuRWErTwhoN2X8XELRlrRwpmfeY2jjuUN4taQMsULKUVo1K4DvZl+0pgfyoysHxvmvEw==}
@@ -2168,9 +2058,6 @@ packages:
    resolution: {integrity: sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==}
    engines: {node: '>=14'}
  form-data-encoder@1.7.2:
    resolution: {integrity: sha512-qfqtYan3rxrnCk1VYaA4H+Ms9xdpPqvLZa6xmMgFvhO32x7/3J/ExcTd6qpxM0vH2GdMI+poehyBZvqfMTto8A==}
  form-data-encoder@2.1.4:
    resolution: {integrity: sha512-yDYSgNMraqvnxiEXO4hi88+YZxaHC6QKzb5N84iRCTDeRO7ZALpir/lVmf/uXUhnwUr2O4HU8s/n6x+yNjQkHw==}
    engines: {node: '>= 14.17'}
@@ -2183,10 +2070,6 @@ packages:
    resolution: {integrity: sha1-1hcBB+nv3E7TDJ3DkBbflCtctYs=}
    engines: {node: '>=0.4.x'}
  formdata-node@4.4.1:
    resolution: {integrity: sha512-0iirZp3uVDjVGt9p49aTaqjk84TrglENEDuqfdlZQ1roC9CWlPk6Avf8EEnZNcAqPonwkG35x4n3ww/1THYAeQ==}
    engines: {node: '>= 12.20'}
  forwarded@0.2.0:
    resolution: {integrity: sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==}
    engines: {node: '>= 0.6'}
@@ -2478,21 +2361,12 @@ packages:
  lit-element@4.2.1:
    resolution: {integrity: sha512-WGAWRGzirAgyphK2urmYOV72tlvnxw7YfyLDgQ+OZnM9vQQBQnumQ7jUJe6unEzwGU3ahFOjuz1iz1jjrpCPuw==}
  lit-element@4.2.2:
    resolution: {integrity: sha512-aFKhNToWxoyhkNDmWZwEva2SlQia+jfG0fjIWV//YeTaWrVnOxD89dPKfigCUspXFmjzOEUQpOkejH5Ly6sG0w==}
  lit-html@3.3.1:
    resolution: {integrity: sha512-S9hbyDu/vs1qNrithiNyeyv64c9yqiW9l+DBgI18fL+MTvOtWoFR0FWiyq1TxaYef5wNlpEmzlXoBlZEO+WjoA==}
  lit-html@3.3.2:
    resolution: {integrity: sha512-Qy9hU88zcmaxBXcc10ZpdK7cOLXvXpRoBxERdtqV9QOrfpMZZ6pSYP91LhpPtap3sFMUiL7Tw2RImbe0Al2/kw==}
  lit@3.3.1:
    resolution: {integrity: sha512-Ksr/8L3PTapbdXJCk+EJVB78jDodUMaP54gD24W186zGRARvwrsPfS60wae/SSCTCNZVPd1chXqio1qHQmu4NA==}
  lit@3.3.2:
    resolution: {integrity: sha512-NF9zbsP79l4ao2SNrH3NkfmFgN/hBYSQo90saIVI1o5GpjAdCPVstVzO1MrLOakHoEhYkrtRjPK6Ob521aoYWQ==}
  locate-path@5.0.0:
    resolution: {integrity: sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==}
    engines: {node: '>=8'}
@@ -2848,19 +2722,6 @@ packages:
  no-case@2.3.2:
    resolution: {integrity: sha512-rmTZ9kz+f3rCvK2TD1Ue/oZlns7OGoIWP4fc3llxxRXlOkHKoWPPWJOfFYpITabSow43QJbRIoHQXtt10VldyQ==}
  node-domexception@1.0.0:
    resolution: {integrity: sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==}
    engines: {node: '>=10.5.0'}
  node-fetch@2.7.0:
    resolution: {integrity: sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==}
    engines: {node: 4.x || >=6.0.0}
    peerDependencies:
      encoding: ^0.1.0
    peerDependenciesMeta:
      encoding:
        optional: true
  node-forge@1.3.3:
    resolution: {integrity: sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==}
    engines: {node: '>= 6.13.0'}
@@ -3383,9 +3244,6 @@ packages:
    resolution: {integrity: sha512-dRXchy+C0IgK8WPC6xvCHFRIWYUbqqdEIKPaKo/AcTUNzwLTK6AH7RjdLWsEZcAN/TBdtfUw3PYEgPr5VPr6ww==}
    engines: {node: '>=14.16'}
  tr46@0.0.3:
    resolution: {integrity: sha1-gYT9NH2snNwYWZLzpmIuFLnZq2o=}
  tr46@5.1.1:
    resolution: {integrity: sha512-hdF5ZgjTqgAntKkklYw0R03MG2x/bSzTtkxmIRw/sTNV8YXsCJ1tfLAX23lhxhHJlEf3CRCOCGGWw3vI3GaSPw==}
    engines: {node: '>=18'}
@@ -3454,9 +3312,6 @@ packages:
    resolution: {integrity: sha512-rvKSBiC5zqCCiDZ9kAOszZcDvdAHwwIKJG33Ykj43OKcWsnmcBRL09YTU4nOeHZ8Y2a7l1MgTd08SBe9A8Qj6A==}
    engines: {node: '>=18'}
  undici-types@5.26.5:
    resolution: {integrity: sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==}
  undici-types@6.21.0:
    resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
@@ -3516,16 +3371,9 @@ packages:
  vfile@6.0.3:
    resolution: {integrity: sha512-KzIbH/9tXat2u30jf+smMwFCsno4wHVdNmzFyL+T/L3UGqqk6JKfVqOFOZEpZSHADH1k40ab6NUIXZq422ov3Q==}
  web-streams-polyfill@4.0.0-beta.3:
    resolution: {integrity: sha512-QW95TCTaHmsYfHDybGMwO5IJIM93I/6vTRk+daHTWFPhwh+C8Cg7j7XyKrwrj8Ib6vYXe0ocYNrmzY4xAAN6ug==}
    engines: {node: '>= 14'}
  webdriver-bidi-protocol@0.4.0:
    resolution: {integrity: sha512-U9VIlNRrq94d1xxR9JrCEAx5Gv/2W7ERSv8oWRoNe/QYbfccS0V3h/H6qeNeCRJxXGMhhnkqvwNrvPAYeuP9VA==}
  webidl-conversions@3.0.1:
    resolution: {integrity: sha1-JFNCdeKnvGvnvIZhHMFq4KVlSHE=}
  webidl-conversions@7.0.0:
    resolution: {integrity: sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g==}
    engines: {node: '>=12'}
@@ -3538,9 +3386,6 @@ packages:
    resolution: {integrity: sha512-De72GdQZzNTUBBChsXueQUnPKDkg/5A5zp7pFDuQAj5UFoENpiACU0wlCvzpAGnTkj++ihpKwKyYewn/XNUbKw==}
    engines: {node: '>=18'}
  whatwg-url@5.0.0:
    resolution: {integrity: sha1-lmRU6HZUYuN2RNNib2dCzotwll0=}
  which@2.0.2:
    resolution: {integrity: sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==}
    engines: {node: '>= 8'}
@@ -3719,18 +3564,6 @@ snapshots:
      - utf-8-validate
      - vue
  '@apiclient.xyz/cloudflare@6.4.3':
    dependencies:
      '@push.rocks/smartdelay': 3.0.5
      '@push.rocks/smartlog': 3.1.10
      '@push.rocks/smartpromise': 4.2.3
      '@push.rocks/smartrequest': 5.0.1
      '@push.rocks/smartstring': 4.1.0
      '@tsclass/tsclass': 9.3.0
      cloudflare: 5.2.0
    transitivePeerDependencies:
      - encoding
  '@aws-crypto/crc32@5.2.0':
    dependencies:
      '@aws-crypto/util': 5.2.0
@@ -4271,32 +4104,6 @@ snapshots:
      - supports-color
      - vue
  '@design.estate/dees-domtools@2.3.8':
    dependencies:
      '@api.global/typedrequest': 3.2.5
      '@design.estate/dees-comms': 1.0.30
      '@push.rocks/lik': 6.2.2
      '@push.rocks/smartdelay': 3.0.5
      '@push.rocks/smartjson': 5.2.0
      '@push.rocks/smartmarkdown': 3.0.3
      '@push.rocks/smartpromise': 4.2.3
      '@push.rocks/smartrouter': 1.3.3
      '@push.rocks/smartrx': 3.0.10
      '@push.rocks/smartstate': 2.0.30
      '@push.rocks/smartstring': 4.1.0
      '@push.rocks/smarturl': 3.1.0
      '@push.rocks/webrequest': 3.0.37
      '@push.rocks/websetup': 3.0.19
      '@push.rocks/webstore': 2.0.20
      '@tempfix/lenis': 1.3.20
      lit: 3.3.2
      sweet-scroll: 4.0.0
    transitivePeerDependencies:
      - '@nuxt/kit'
      - react
      - supports-color
      - vue
  '@design.estate/dees-element@2.1.3':
    dependencies:
      '@design.estate/dees-domtools': 2.3.6
@@ -4309,18 +4116,6 @@ snapshots:
      - supports-color
      - vue
  '@design.estate/dees-element@2.1.6':
    dependencies:
      '@design.estate/dees-domtools': 2.3.8
      '@push.rocks/isounique': 1.0.5
      '@push.rocks/smartrx': 3.0.10
      lit: 3.3.2
    transitivePeerDependencies:
      - '@nuxt/kit'
      - react
      - supports-color
      - vue
  '@emnapi/core@1.8.1':
    dependencies:
      '@emnapi/wasi-threads': 1.1.0
@@ -4660,16 +4455,10 @@ snapshots:
  '@lit-labs/ssr-dom-shim@1.4.0': {}
  '@lit-labs/ssr-dom-shim@1.5.1': {}
  '@lit/reactive-element@2.1.1':
    dependencies:
      '@lit-labs/ssr-dom-shim': 1.4.0
  '@lit/reactive-element@2.1.2':
    dependencies:
      '@lit-labs/ssr-dom-shim': 1.5.1
  '@mixmark-io/domino@2.2.0': {}
  '@module-federation/error-codes@0.22.0': {}
@@ -4934,40 +4723,6 @@ snapshots:
      '@push.rocks/smartlog': 3.1.10
      '@push.rocks/smartpath': 6.0.0
  '@push.rocks/smartacme@8.0.0(socks@2.8.7)':
    dependencies:
      '@api.global/typedserver': 3.0.80(@push.rocks/smartserve@2.0.1)
      '@apiclient.xyz/cloudflare': 6.4.3
      '@push.rocks/lik': 6.2.2
      '@push.rocks/smartdata': 5.16.7(socks@2.8.7)
      '@push.rocks/smartdelay': 3.0.5
      '@push.rocks/smartdns': 6.2.2
      '@push.rocks/smartfile': 11.2.7
      '@push.rocks/smartlog': 3.1.10
      '@push.rocks/smartnetwork': 4.4.0
      '@push.rocks/smartpromise': 4.2.3
      '@push.rocks/smartrequest': 2.1.0
      '@push.rocks/smartstring': 4.1.0
      '@push.rocks/smarttime': 4.1.1
      '@push.rocks/smartunique': 3.0.9
      '@tsclass/tsclass': 9.3.0
      acme-client: 5.4.0
    transitivePeerDependencies:
      - '@aws-sdk/credential-providers'
      - '@mongodb-js/zstd'
      - '@nuxt/kit'
      - bare-abort-controller
      - encoding
      - gcp-metadata
      - kerberos
      - mongodb-client-encryption
      - react
      - react-native-b4a
      - snappy
      - socks
      - supports-color
      - vue
  '@push.rocks/smartarchive@4.2.4':
    dependencies:
      '@push.rocks/smartdelay': 3.0.5
@@ -5109,22 +4864,6 @@ snapshots:
    dependencies:
      '@push.rocks/smartpromise': 4.2.3
  '@push.rocks/smartdns@6.2.2':
    dependencies:
      '@push.rocks/smartdelay': 3.0.5
      '@push.rocks/smartenv': 5.0.13
      '@push.rocks/smartpromise': 4.2.3
      '@push.rocks/smartrequest': 2.1.0
      '@tsclass/tsclass': 5.0.0
      '@types/dns-packet': 5.6.5
      '@types/elliptic': 6.4.18
      acme-client: 5.4.0
      dns-packet: 5.6.1
      elliptic: 6.6.1
      minimatch: 10.2.0
    transitivePeerDependencies:
      - supports-color
  '@push.rocks/smartdns@7.6.1':
    dependencies:
      '@push.rocks/smartdelay': 3.0.5
@@ -5247,13 +4986,6 @@ snapshots:
      fast-json-stable-stringify: 2.1.0
      lodash.clonedeep: 4.5.0
  '@push.rocks/smartjson@6.0.0':
    dependencies:
      '@push.rocks/smartenv': 6.0.0
      '@push.rocks/smartstring': 4.1.0
      fast-json-stable-stringify: 2.1.0
      lodash.clonedeep: 4.5.0
  '@push.rocks/smartlog-destination-devtools@1.0.12':
    dependencies:
      '@push.rocks/smartlog-interfaces': 3.0.2
@@ -5584,15 +5316,6 @@ snapshots:
      '@push.rocks/smartrx': 3.0.10
      '@push.rocks/webstore': 2.0.20
  '@push.rocks/smartstate@2.0.30':
    dependencies:
      '@push.rocks/lik': 6.2.2
      '@push.rocks/smarthash': 3.2.6
      '@push.rocks/smartjson': 6.0.0
      '@push.rocks/smartpromise': 4.2.3
      '@push.rocks/smartrx': 3.0.10
      '@push.rocks/webstore': 2.0.20
  '@push.rocks/smartstream@3.2.5':
    dependencies:
      '@push.rocks/lik': 6.2.2
@@ -5657,22 +5380,6 @@ snapshots:
      - supports-color
      - vue
  '@push.rocks/taskbuffer@4.2.0':
    dependencies:
      '@design.estate/dees-element': 2.1.6
      '@push.rocks/lik': 6.2.2
      '@push.rocks/smartdelay': 3.0.5
      '@push.rocks/smartlog': 3.1.10
      '@push.rocks/smartpromise': 4.2.3
      '@push.rocks/smartrx': 3.0.10
      '@push.rocks/smarttime': 4.1.1
      '@push.rocks/smartunique': 3.0.9
    transitivePeerDependencies:
      - '@nuxt/kit'
      - react
      - supports-color
      - vue
  '@push.rocks/webrequest@3.0.37':
    dependencies:
      '@push.rocks/smartdelay': 3.0.5
@@ -6201,8 +5908,6 @@ snapshots:
  '@tempfix/idb@8.0.3': {}
  '@tempfix/lenis@1.3.20': {}
  '@tokenizer/inflate@0.4.1':
    dependencies:
      debug: 4.4.3
@@ -6218,10 +5923,6 @@ snapshots:
    dependencies:
      type-fest: 4.41.0
  '@tsclass/tsclass@5.0.0':
    dependencies:
      type-fest: 4.41.0
  '@tsclass/tsclass@9.3.0':
    dependencies:
      type-fest: 4.41.0
@@ -6315,29 +6016,16 @@ snapshots:
  '@types/minimatch@5.1.2': {}
  '@types/minimatch@6.0.0':
    dependencies:
      minimatch: 10.2.0
  '@types/ms@2.1.0': {}
  '@types/mute-stream@0.0.4':
    dependencies:
      '@types/node': 25.2.3
  '@types/node-fetch@2.6.13':
    dependencies:
      '@types/node': 25.2.3
      form-data: 4.0.5
  '@types/node-forge@1.3.14':
    dependencies:
      '@types/node': 25.2.3
  '@types/node@18.19.130':
    dependencies:
      undici-types: 5.26.5
  '@types/node@22.19.11':
    dependencies:
      undici-types: 6.21.0
@@ -6410,10 +6098,6 @@ snapshots:
  '@ungap/structured-clone@1.3.0': {}
  abort-controller@3.0.0:
    dependencies:
      event-target-shim: 5.0.1
  accepts@1.3.8:
    dependencies:
      mime-types: 2.1.35
@@ -6660,18 +6344,6 @@ snapshots:
      strip-ansi: 6.0.1
      wrap-ansi: 7.0.0
  cloudflare@5.2.0:
    dependencies:
      '@types/node': 18.19.130
      '@types/node-fetch': 2.6.13
      abort-controller: 3.0.0
      agentkeepalive: 4.6.0
      form-data-encoder: 1.7.2
      formdata-node: 4.4.1
      node-fetch: 2.7.0
    transitivePeerDependencies:
      - encoding
  color-convert@2.0.1:
    dependencies:
      color-name: 1.1.4
@@ -6923,8 +6595,6 @@ snapshots:
  etag@1.8.1: {}
  event-target-shim@5.0.1: {}
  eventemitter3@4.0.7: {}
  events-universal@1.0.1:
@@ -7076,8 +6746,6 @@ snapshots:
      cross-spawn: 7.0.6
      signal-exit: 4.1.0
  form-data-encoder@1.7.2: {}
  form-data-encoder@2.1.4: {}
  form-data@4.0.5:
@@ -7090,11 +6758,6 @@ snapshots:
  format@0.2.2: {}
  formdata-node@4.4.1:
    dependencies:
      node-domexception: 1.0.0
      web-streams-polyfill: 4.0.0-beta.3
  forwarded@0.2.0: {}
  fresh@2.0.0: {}
@@ -7412,32 +7075,16 @@ snapshots:
      '@lit/reactive-element': 2.1.1
      lit-html: 3.3.1
  lit-element@4.2.2:
    dependencies:
      '@lit-labs/ssr-dom-shim': 1.5.1
      '@lit/reactive-element': 2.1.2
      lit-html: 3.3.2
  lit-html@3.3.1:
    dependencies:
      '@types/trusted-types': 2.0.7
  lit-html@3.3.2:
    dependencies:
      '@types/trusted-types': 2.0.7
  lit@3.3.1:
    dependencies:
      '@lit/reactive-element': 2.1.1
      lit-element: 4.2.1
      lit-html: 3.3.1
  lit@3.3.2:
    dependencies:
      '@lit/reactive-element': 2.1.2
      lit-element: 4.2.2
      lit-html: 3.3.2
  locate-path@5.0.0:
    dependencies:
      p-locate: 4.1.0
@@ -8001,12 +7648,6 @@ snapshots:
    dependencies:
      lower-case: 1.1.4
  node-domexception@1.0.0: {}
  node-fetch@2.7.0:
    dependencies:
      whatwg-url: 5.0.0
  node-forge@1.3.3: {}
  normalize-newline@4.1.0:
@@ -8652,8 +8293,6 @@ snapshots:
      '@tokenizer/token': 0.3.0
      ieee754: 1.2.1
  tr46@0.0.3: {}
  tr46@5.1.1:
    dependencies:
      punycode: 2.3.1
@@ -8705,8 +8344,6 @@ snapshots:
  uint8array-extras@1.5.0: {}
  undici-types@5.26.5: {}
  undici-types@6.21.0: {}
  undici-types@7.16.0: {}
@@ -8773,12 +8410,8 @@ snapshots:
      '@types/unist': 3.0.3
      vfile-message: 4.0.3
  web-streams-polyfill@4.0.0-beta.3: {}
  webdriver-bidi-protocol@0.4.0: {}
  webidl-conversions@3.0.1: {}
  webidl-conversions@7.0.0: {}
  whatwg-mimetype@3.0.0: {}
@@ -8788,11 +8421,6 @@ snapshots:
      tr46: 5.1.1
      webidl-conversions: 7.0.0
  whatwg-url@5.0.0:
    dependencies:
      tr46: 0.0.3
      webidl-conversions: 3.0.1
  which@2.0.2:
    dependencies:
      isexe: 2.0.0
--- a/readme.md
+++ b/readme.md
@@ -27,7 +27,7 @@ Whether you're building microservices, deploying edge infrastructure, or need a
 | 🦀 **Rust-Powered Engine** | All networking handled by a high-performance Rust binary via IPC |
 | 🔀 **Unified Route-Based Config** | Clean match/action patterns for intuitive traffic routing |
 | 🔒 **Automatic SSL/TLS** | Zero-config HTTPS with Let's Encrypt ACME integration |
-| 🎯 **Flexible Matching** | Route by port, domain, path, client IP, TLS version, headers, or custom logic |
+| 🎯 **Flexible Matching** | Route by port, domain, path, protocol, client IP, TLS version, headers, or custom logic |
 | 🚄 **High-Performance** | Choose between user-space or kernel-level (NFTables) forwarding |
 | ⚖️ **Load Balancing** | Round-robin, least-connections, IP-hash with health checks |
 | 🛡️ **Enterprise Security** | IP filtering, rate limiting, basic auth, JWT auth, connection limits |
@@ -89,7 +89,7 @@ SmartProxy uses a powerful **match/action** pattern that makes routing predictab
 ```
 Every route consists of:
- **Match** — What traffic to capture (ports, domains, paths, IPs, headers)
+- **Match** — What traffic to capture (ports, domains, paths, protocol, IPs, headers)
 - **Action** — What to do with it (`forward` or `socket-handler`)
 - **Security** (optional) — IP allow/block lists, rate limits, authentication
 - **Headers** (optional) — Request/response header manipulation with template variables
@@ -103,7 +103,7 @@ SmartProxy supports three TLS handling modes:
 |------|-------------|----------|
 | `passthrough` | Forward encrypted traffic as-is (SNI-based routing) | Backend handles TLS |
 | `terminate` | Decrypt at proxy, forward plain HTTP to backend | Standard reverse proxy |
-| `terminate-and-reencrypt` | Decrypt, then re-encrypt to backend | Zero-trust environments |
+| `terminate-and-reencrypt` | Decrypt at proxy, re-encrypt to backend. HTTP traffic gets full per-request routing (Host header, path matching) via the HTTP proxy; non-HTTP traffic uses a raw TLS-to-TLS tunnel | Zero-trust / defense-in-depth environments |
 ## 💡 Common Use Cases
@@ -135,13 +135,13 @@ const proxy = new SmartProxy({
      ],
      {
        tls: { mode: 'terminate', certificate: 'auto' },
        loadBalancing: {
        algorithm: 'round-robin',
        healthCheck: {
          path: '/health',
          interval: 30000,
-            timeout: 5000
+          timeout: 5000,
-          }
+          unhealthyThreshold: 3,
          healthyThreshold: 2
        }
      }
    )
@@ -318,6 +318,42 @@ const proxy = new SmartProxy({
 > **Note:** Routes with dynamic functions (host/port callbacks) are automatically relayed through the TypeScript socket handler server, since JavaScript functions can't be serialized to Rust.
 ### 🔀 Protocol-Specific Routing
 Restrict routes to specific application-layer protocols. When `protocol` is set, the Rust engine detects the protocol after connection (or after TLS termination) and only matches routes that accept that protocol:
 ```typescript
 // HTTP-only route (rejects raw TCP connections)
 const httpOnlyRoute: IRouteConfig = {
  name: 'http-api',
  match: {
    ports: 443,
    domains: 'api.example.com',
    protocol: 'http',   // Only match HTTP/1.1, HTTP/2, and WebSocket upgrades
  },
  action: {
    type: 'forward',
    targets: [{ host: 'api-backend', port: 8080 }],
    tls: { mode: 'terminate', certificate: 'auto' }
  }
 };
 // Raw TCP route (rejects HTTP traffic)
 const tcpOnlyRoute: IRouteConfig = {
  name: 'database-proxy',
  match: {
    ports: 5432,
    protocol: 'tcp',    // Only match non-HTTP TCP streams
  },
  action: {
    type: 'forward',
    targets: [{ host: 'db-server', port: 5432 }]
  }
 };
 ```
 > **Note:** Omitting `protocol` (the default) matches any protocol. For TLS routes, protocol detection happens *after* TLS termination — during the initial SNI-based route match, `protocol` is not yet known and the route is allowed to match. The protocol restriction is enforced after the proxy peeks at the decrypted data.
 ### 🔒 Security Controls
 Comprehensive per-route security options:
@@ -549,6 +585,7 @@ interface IRouteMatch {
  clientIp?: string[];                 // ['10.0.0.0/8', '192.168.*']
  tlsVersion?: string[];               // ['TLSv1.2', 'TLSv1.3']
  headers?: Record<string, string | RegExp>;  // Match by HTTP headers
  protocol?: 'http' | 'tcp';          // Match specific protocol ('http' includes h2 + WebSocket upgrades)
 }
 ```
--- a/rust/Cargo.lock
+++ b/rust/Cargo.lock
@@ -509,7 +509,7 @@ dependencies = [
 "hyper",
 "libc",
 "pin-project-lite",
- "socket2",
+ "socket2 0.6.2",
 "tokio",
 "tower-service",
 "tracing",
@@ -966,12 +966,15 @@ dependencies = [
 "hyper",
 "hyper-util",
 "regex",
 "rustls",
 "rustproxy-config",
 "rustproxy-metrics",
 "rustproxy-routing",
 "rustproxy-security",
 "socket2 0.5.10",
 "thiserror 2.0.18",
 "tokio",
 "tokio-rustls",
 "tokio-util",
 "tracing",
 ]
@@ -1017,6 +1020,7 @@ dependencies = [
 "rustproxy-routing",
 "serde",
 "serde_json",
 "socket2 0.5.10",
 "thiserror 2.0.18",
 "tokio",
 "tokio-rustls",
@@ -1202,6 +1206,16 @@ version = "1.15.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
 [[package]]
 name = "socket2"
 version = "0.5.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e22376abed350d73dd1cd119b57ffccad95b4e585a7cda43e286245ce23c0678"
 dependencies = [
 "libc",
 "windows-sys 0.52.0",
 ]
 [[package]]
 name = "socket2"
 version = "0.6.2"
@@ -1327,7 +1341,7 @@ dependencies = [
 "parking_lot",
 "pin-project-lite",
 "signal-hook-registry",
- "socket2",
+ "socket2 0.6.2",
 "tokio-macros",
 "windows-sys 0.61.2",
 ]
--- a/rust/Cargo.toml
+++ b/rust/Cargo.toml
@@ -88,6 +88,9 @@ async-trait = "0.1"
 # libc for uid checks
 libc = "0.2"
 # Socket-level options (keepalive, etc.)
 socket2 = { version = "0.5", features = ["all"] }
 # Internal crates
 rustproxy-config = { path = "crates/rustproxy-config" }
 rustproxy-routing = { path = "crates/rustproxy-routing" }
--- a/rust/crates/rustproxy-config/src/helpers.rs
+++ b/rust/crates/rustproxy-config/src/helpers.rs
@@ -17,6 +17,7 @@ pub fn create_http_route(
            client_ip: None,
            tls_version: None,
            headers: None,
            protocol: None,
        },
        action: RouteAction {
            action_type: RouteActionType::Forward,
@@ -108,6 +109,7 @@ pub fn create_http_to_https_redirect(
            client_ip: None,
            tls_version: None,
            headers: None,
            protocol: None,
        },
        action: RouteAction {
            action_type: RouteActionType::Forward,
@@ -200,6 +202,7 @@ pub fn create_load_balancer_route(
            client_ip: None,
            tls_version: None,
            headers: None,
            protocol: None,
        },
        action: RouteAction {
            action_type: RouteActionType::Forward,
--- a/rust/crates/rustproxy-config/src/proxy_options.rs
+++ b/rust/crates/rustproxy-config/src/proxy_options.rs
@@ -208,6 +208,10 @@ pub struct RustProxyOptions {
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_rate_limit_per_minute: Option<u64>,
    /// Global maximum simultaneous connections (default: 100000)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub max_connections: Option<u64>,
    // ─── Keep-Alive Settings ─────────────────────────────────────────
    /// How to treat keep-alive connections
@@ -272,6 +276,7 @@ impl Default for RustProxyOptions {
            enable_randomized_timeouts: None,
            max_connections_per_ip: None,
            connection_rate_limit_per_minute: None,
            max_connections: None,
            keep_alive_treatment: None,
            keep_alive_inactivity_multiplier: None,
            extended_keep_alive_lifetime: None,
--- a/rust/crates/rustproxy-config/src/route_types.rs
+++ b/rust/crates/rustproxy-config/src/route_types.rs
@@ -114,6 +114,10 @@ pub struct RouteMatch {
    /// Match specific HTTP headers
    #[serde(skip_serializing_if = "Option::is_none")]
    pub headers: Option<HashMap<String, String>>,
    /// Match specific protocol: "http" (includes h2 + websocket) or "tcp"
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol: Option<String>,
 }
 // ─── Target Match ────────────────────────────────────────────────────
--- a/rust/crates/rustproxy-http/Cargo.toml
+++ b/rust/crates/rustproxy-http/Cargo.toml
@@ -18,9 +18,12 @@ http-body = { workspace = true }
 http-body-util = { workspace = true }
 bytes = { workspace = true }
 tokio = { workspace = true }
 rustls = { workspace = true }
 tokio-rustls = { workspace = true }
 tracing = { workspace = true }
 thiserror = { workspace = true }
 anyhow = { workspace = true }
 arc-swap = { workspace = true }
 dashmap = { workspace = true }
 tokio-util = { workspace = true }
 socket2 = { workspace = true }
--- a/rust/crates/rustproxy-http/src/connection_pool.rs
+++ b/rust/crates/rustproxy-http/src/connection_pool.rs
@@ -0,0 +1,188 @@
 //! Backend connection pool for HTTP/1.1 and HTTP/2.
 //!
 //! Reuses idle keep-alive connections to avoid per-request TCP+TLS handshakes.
 //! HTTP/2 connections are multiplexed (clone the sender for each request).
 use std::sync::Arc;
 use std::time::{Duration, Instant};
 use bytes::Bytes;
 use dashmap::DashMap;
 use http_body_util::combinators::BoxBody;
 use hyper::client::conn::{http1, http2};
 use tracing::debug;
 /// Maximum idle connections per backend key.
 const MAX_IDLE_PER_KEY: usize = 16;
 /// Default idle timeout — connections not used within this window are evicted.
 const IDLE_TIMEOUT: Duration = Duration::from_secs(90);
 /// Background eviction interval.
 const EVICTION_INTERVAL: Duration = Duration::from_secs(30);
 /// Identifies a unique backend endpoint.
 #[derive(Clone, Debug, Hash, Eq, PartialEq)]
 pub struct PoolKey {
    pub host: String,
    pub port: u16,
    pub use_tls: bool,
    pub h2: bool,
 }
 /// An idle HTTP/1.1 sender with a timestamp for eviction.
 struct IdleH1 {
    sender: http1::SendRequest<BoxBody<Bytes, hyper::Error>>,
    idle_since: Instant,
 }
 /// A pooled HTTP/2 sender (multiplexed, Clone-able).
 struct PooledH2 {
    sender: http2::SendRequest<BoxBody<Bytes, hyper::Error>>,
    #[allow(dead_code)] // Reserved for future age-based eviction
    created_at: Instant,
 }
 /// Backend connection pool.
 pub struct ConnectionPool {
    /// HTTP/1.1 idle connections indexed by backend key.
    h1_pool: Arc<DashMap<PoolKey, Vec<IdleH1>>>,
    /// HTTP/2 multiplexed connections indexed by backend key.
    h2_pool: Arc<DashMap<PoolKey, PooledH2>>,
    /// Handle for the background eviction task.
    eviction_handle: Option<tokio::task::JoinHandle<()>>,
 }
 impl ConnectionPool {
    /// Create a new pool and start the background eviction task.
    pub fn new() -> Self {
        let h1_pool: Arc<DashMap<PoolKey, Vec<IdleH1>>> = Arc::new(DashMap::new());
        let h2_pool: Arc<DashMap<PoolKey, PooledH2>> = Arc::new(DashMap::new());
        let h1_clone = Arc::clone(&h1_pool);
        let h2_clone = Arc::clone(&h2_pool);
        let eviction_handle = tokio::spawn(async move {
            Self::eviction_loop(h1_clone, h2_clone).await;
        });
        Self {
            h1_pool,
            h2_pool,
            eviction_handle: Some(eviction_handle),
        }
    }
    /// Try to check out an idle HTTP/1.1 sender for the given key.
    /// Returns `None` if no usable idle connection exists.
    pub fn checkout_h1(&self, key: &PoolKey) -> Option<http1::SendRequest<BoxBody<Bytes, hyper::Error>>> {
        let mut entry = self.h1_pool.get_mut(key)?;
        let idles = entry.value_mut();
        while let Some(idle) = idles.pop() {
            // Check if the connection is still alive and ready
            if idle.idle_since.elapsed() < IDLE_TIMEOUT && idle.sender.is_ready() && !idle.sender.is_closed() {
                debug!("Pool hit (h1): {}:{}", key.host, key.port);
                return Some(idle.sender);
            }
            // Stale or closed — drop it
        }
        // Clean up empty entry
        if idles.is_empty() {
            drop(entry);
            self.h1_pool.remove(key);
        }
        None
    }
    /// Return an HTTP/1.1 sender to the pool after the response body has been prepared.
    /// The caller should NOT call this if the sender is closed or not ready.
    pub fn checkin_h1(&self, key: PoolKey, sender: http1::SendRequest<BoxBody<Bytes, hyper::Error>>) {
        if sender.is_closed() || !sender.is_ready() {
            return; // Don't pool broken connections
        }
        let mut entry = self.h1_pool.entry(key).or_insert_with(Vec::new);
        if entry.value().len() < MAX_IDLE_PER_KEY {
            entry.value_mut().push(IdleH1 {
                sender,
                idle_since: Instant::now(),
            });
        }
        // If at capacity, just drop the sender
    }
    /// Try to get a cloned HTTP/2 sender for the given key.
    /// HTTP/2 senders are Clone-able (multiplexed), so we clone rather than remove.
    pub fn checkout_h2(&self, key: &PoolKey) -> Option<http2::SendRequest<BoxBody<Bytes, hyper::Error>>> {
        let entry = self.h2_pool.get(key)?;
        let pooled = entry.value();
        // Check if the h2 connection is still alive
        if pooled.sender.is_closed() {
            drop(entry);
            self.h2_pool.remove(key);
            return None;
        }
        if pooled.sender.is_ready() {
            debug!("Pool hit (h2): {}:{}", key.host, key.port);
            return Some(pooled.sender.clone());
        }
        None
    }
    /// Register an HTTP/2 sender in the pool. Since h2 is multiplexed,
    /// only one sender per key is stored (it's Clone-able).
    pub fn register_h2(&self, key: PoolKey, sender: http2::SendRequest<BoxBody<Bytes, hyper::Error>>) {
        if sender.is_closed() {
            return;
        }
        self.h2_pool.insert(key, PooledH2 {
            sender,
            created_at: Instant::now(),
        });
    }
    /// Background eviction loop — runs every EVICTION_INTERVAL to remove stale connections.
    async fn eviction_loop(
        h1_pool: Arc<DashMap<PoolKey, Vec<IdleH1>>>,
        h2_pool: Arc<DashMap<PoolKey, PooledH2>>,
    ) {
        let mut interval = tokio::time::interval(EVICTION_INTERVAL);
        loop {
            interval.tick().await;
            // Evict stale H1 connections
            let mut empty_keys = Vec::new();
            for mut entry in h1_pool.iter_mut() {
                entry.value_mut().retain(|idle| {
                    idle.idle_since.elapsed() < IDLE_TIMEOUT && !idle.sender.is_closed()
                });
                if entry.value().is_empty() {
                    empty_keys.push(entry.key().clone());
                }
            }
            for key in empty_keys {
                h1_pool.remove(&key);
            }
            // Evict dead H2 connections
            let mut dead_h2 = Vec::new();
            for entry in h2_pool.iter() {
                if entry.value().sender.is_closed() {
                    dead_h2.push(entry.key().clone());
                }
            }
            for key in dead_h2 {
                h2_pool.remove(&key);
            }
        }
    }
 }
 impl Drop for ConnectionPool {
    fn drop(&mut self) {
        if let Some(handle) = self.eviction_handle.take() {
            handle.abort();
        }
    }
 }
--- a/rust/crates/rustproxy-http/src/lib.rs
+++ b/rust/crates/rustproxy-http/src/lib.rs
@@ -3,6 +3,7 @@
 //! Hyper-based HTTP proxy service for RustProxy.
 //! Handles HTTP request parsing, route-based forwarding, and response filtering.
 pub mod connection_pool;
 pub mod counting_body;
 pub mod proxy_service;
 pub mod request_filter;
@@ -10,6 +11,7 @@ pub mod response_filter;
 pub mod template;
 pub mod upstream_selector;
 pub use connection_pool::*;
 pub use counting_body::*;
 pub use proxy_service::*;
 pub use template::*;
--- a/rust/crates/rustproxy-http/src/proxy_service.rs
+++ b/rust/crates/rustproxy-http/src/proxy_service.rs
@@ -9,6 +9,7 @@ use std::sync::Arc;
 use std::sync::atomic::{AtomicU64, Ordering};
 use bytes::Bytes;
 use dashmap::DashMap;
 use http_body_util::{BodyExt, Full, combinators::BoxBody};
 use hyper::body::Incoming;
 use hyper::{Request, Response, StatusCode};
@@ -18,8 +19,12 @@ use tokio::net::TcpStream;
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, error, info, warn};
 use std::pin::Pin;
 use std::task::{Context, Poll};
 use rustproxy_routing::RouteManager;
 use rustproxy_metrics::MetricsCollector;
 use rustproxy_security::RateLimiter;
 use crate::counting_body::{CountingBody, Direction};
 use crate::request_filter::RequestFilter;
@@ -35,6 +40,74 @@ const DEFAULT_WS_INACTIVITY_TIMEOUT: std::time::Duration = std::time::Duration::
 /// Default WebSocket max lifetime (24 hours).
 const DEFAULT_WS_MAX_LIFETIME: std::time::Duration = std::time::Duration::from_secs(86400);
 /// Backend stream that can be either plain TCP or TLS-wrapped.
 /// Used for `terminate-and-reencrypt` mode where the backend requires TLS.
 pub(crate) enum BackendStream {
    Plain(TcpStream),
    Tls(tokio_rustls::client::TlsStream<TcpStream>),
 }
 impl tokio::io::AsyncRead for BackendStream {
    fn poll_read(
        self: Pin<&mut Self>,
        cx: &mut Context<'_>,
        buf: &mut tokio::io::ReadBuf<'_>,
    ) -> Poll<std::io::Result<()>> {
        match self.get_mut() {
            BackendStream::Plain(s) => Pin::new(s).poll_read(cx, buf),
            BackendStream::Tls(s) => Pin::new(s).poll_read(cx, buf),
        }
    }
 }
 impl tokio::io::AsyncWrite for BackendStream {
    fn poll_write(
        self: Pin<&mut Self>,
        cx: &mut Context<'_>,
        buf: &[u8],
    ) -> Poll<std::io::Result<usize>> {
        match self.get_mut() {
            BackendStream::Plain(s) => Pin::new(s).poll_write(cx, buf),
            BackendStream::Tls(s) => Pin::new(s).poll_write(cx, buf),
        }
    }
    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
        match self.get_mut() {
            BackendStream::Plain(s) => Pin::new(s).poll_flush(cx),
            BackendStream::Tls(s) => Pin::new(s).poll_flush(cx),
        }
    }
    fn poll_shutdown(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
        match self.get_mut() {
            BackendStream::Plain(s) => Pin::new(s).poll_shutdown(cx),
            BackendStream::Tls(s) => Pin::new(s).poll_shutdown(cx),
        }
    }
 }
 /// Connect to a backend over TLS using the shared backend TLS config
 /// (from tls_handler). Session resumption is automatic.
 async fn connect_tls_backend(
    backend_tls_config: &Arc<rustls::ClientConfig>,
    host: &str,
    port: u16,
 ) -> Result<tokio_rustls::client::TlsStream<TcpStream>, Box<dyn std::error::Error + Send + Sync>> {
    let connector = tokio_rustls::TlsConnector::from(Arc::clone(backend_tls_config));
    let stream = TcpStream::connect(format!("{}:{}", host, port)).await?;
    stream.set_nodelay(true)?;
    // Apply keepalive with 60s default
    let _ = socket2::SockRef::from(&stream).set_tcp_keepalive(
        &socket2::TcpKeepalive::new().with_time(std::time::Duration::from_secs(60))
    );
    let server_name = rustls::pki_types::ServerName::try_from(host.to_string())?;
    let tls_stream = connector.connect(server_name, stream).await?;
    debug!("Backend TLS connection established to {}:{}", host, port);
    Ok(tls_stream)
 }
 /// HTTP proxy service that processes HTTP traffic.
 pub struct HttpProxyService {
    route_manager: Arc<RouteManager>,
@@ -42,6 +115,16 @@ pub struct HttpProxyService {
    upstream_selector: UpstreamSelector,
    /// Timeout for connecting to upstream backends.
    connect_timeout: std::time::Duration,
    /// Per-route rate limiters (keyed by route ID).
    route_rate_limiters: Arc<DashMap<String, Arc<RateLimiter>>>,
    /// Request counter for periodic rate limiter cleanup.
    request_counter: AtomicU64,
    /// Cache of compiled URL rewrite regexes (keyed by pattern string).
    regex_cache: DashMap<String, Regex>,
    /// Shared backend TLS config for session resumption across connections.
    backend_tls_config: Arc<rustls::ClientConfig>,
    /// Backend connection pool for reusing keep-alive connections.
    connection_pool: Arc<crate::connection_pool::ConnectionPool>,
 }
 impl HttpProxyService {
@@ -51,6 +134,11 @@ impl HttpProxyService {
            metrics,
            upstream_selector: UpstreamSelector::new(),
            connect_timeout: DEFAULT_CONNECT_TIMEOUT,
            route_rate_limiters: Arc::new(DashMap::new()),
            request_counter: AtomicU64::new(0),
            regex_cache: DashMap::new(),
            backend_tls_config: Self::default_backend_tls_config(),
            connection_pool: Arc::new(crate::connection_pool::ConnectionPool::new()),
        }
    }
@@ -65,9 +153,20 @@ impl HttpProxyService {
            metrics,
            upstream_selector: UpstreamSelector::new(),
            connect_timeout,
            route_rate_limiters: Arc::new(DashMap::new()),
            request_counter: AtomicU64::new(0),
            regex_cache: DashMap::new(),
            backend_tls_config: Self::default_backend_tls_config(),
            connection_pool: Arc::new(crate::connection_pool::ConnectionPool::new()),
        }
    }
    /// Set the shared backend TLS config (enables session resumption).
    /// Call this after construction to inject the shared config from tls_handler.
    pub fn set_backend_tls_config(&mut self, config: Arc<rustls::ClientConfig>) {
        self.backend_tls_config = config;
    }
    /// Handle an incoming HTTP connection on a plain TCP stream.
    pub async fn handle_connection(
        self: Arc<Self>,
@@ -81,8 +180,10 @@ impl HttpProxyService {
    /// Handle an incoming HTTP connection on any IO type (plain TCP or TLS-terminated).
    ///
-    /// Uses HTTP/1.1 with upgrade support. Responds to graceful shutdown via the
+    /// Uses `hyper_util::server::conn::auto::Builder` to auto-detect h1 vs h2
-    /// cancel token — in-flight requests complete, but no new requests are accepted.
+    /// based on ALPN negotiation (TLS) or connection preface (h2c).
    /// Supports HTTP/1.1 upgrades (WebSocket) and HTTP/2 CONNECT.
    /// Responds to graceful shutdown via the cancel token.
    pub async fn handle_io<I>(
        self: Arc<Self>,
        stream: I,
@@ -105,24 +206,23 @@ impl HttpProxyService {
            }
        });
-        // Use http1::Builder with upgrades for WebSocket support
+        // Auto-detect h1 vs h2 based on ALPN / connection preface.
-        let mut conn = hyper::server::conn::http1::Builder::new()
+        // serve_connection_with_upgrades supports h1 Upgrade (WebSocket) and h2 CONNECT.
-            .keep_alive(true)
+        let builder = hyper_util::server::conn::auto::Builder::new(hyper_util::rt::TokioExecutor::new());
-            .serve_connection(io, service)
+        let conn = builder.serve_connection_with_upgrades(io, service);
-            .with_upgrades();
+        // Pin on the heap — auto::UpgradeableConnection is !Unpin
        let mut conn = Box::pin(conn);
        // Use select to support graceful shutdown via cancellation token
        let conn_pin = std::pin::Pin::new(&mut conn);
        tokio::select! {
-            result = conn_pin => {
+            result = conn.as_mut() => {
                if let Err(e) = result {
                    debug!("HTTP connection error from {}: {}", peer_addr, e);
                }
            }
            _ = cancel.cancelled() => {
                // Graceful shutdown: let in-flight request finish, stop accepting new ones
-                let conn_pin = std::pin::Pin::new(&mut conn);
+                conn.as_mut().graceful_shutdown();
                conn_pin.graceful_shutdown();
                if let Err(e) = conn.await {
                    debug!("HTTP connection error during shutdown from {}: {}", peer_addr, e);
                }
@@ -144,7 +244,10 @@ impl HttpProxyService {
            .map(|h| {
                // Strip port from host header
                h.split(':').next().unwrap_or(h).to_string()
-            });
+            })
            // HTTP/2 uses :authority pseudo-header instead of Host;
            // hyper maps it to the URI authority component
            .or_else(|| req.uri().host().map(|h| h.to_string()));
        let path = req.uri().path().to_string();
        let method = req.method().clone();
@@ -173,6 +276,7 @@ impl HttpProxyService {
            tls_version: None,
            headers: Some(&headers),
            is_tls: false,
            protocol: Some("http"),
        };
        let route_match = match self.route_manager.find_route(&ctx) {
@@ -186,20 +290,37 @@ impl HttpProxyService {
        let route_id = route_match.route.id.as_deref();
        let ip_str = peer_addr.ip().to_string();
        self.metrics.record_http_request();
        self.metrics.connection_opened(route_id, Some(&ip_str));
        // Apply request filters (IP check, rate limiting, auth)
        if let Some(ref security) = route_match.route.security {
-            if let Some(response) = RequestFilter::apply(security, &req, &peer_addr) {
+            // Look up or create a shared rate limiter for this route
-                self.metrics.connection_closed(route_id, Some(&ip_str));
+            let rate_limiter = security.rate_limit.as_ref()
                .filter(|rl| rl.enabled)
                .map(|rl| {
                    let route_key = route_id.unwrap_or("__default__").to_string();
                    self.route_rate_limiters
                        .entry(route_key)
                        .or_insert_with(|| Arc::new(RateLimiter::new(rl.max_requests, rl.window)))
                        .clone()
                });
            if let Some(response) = RequestFilter::apply_with_rate_limiter(
                security, &req, &peer_addr, rate_limiter.as_ref(),
            ) {
                return Ok(response);
            }
        }
        // Periodic rate limiter cleanup (every 1000 requests)
        let count = self.request_counter.fetch_add(1, Ordering::Relaxed);
        if count % 1000 == 0 {
            for entry in self.route_rate_limiters.iter() {
                entry.value().cleanup();
            }
        }
        // Check for test response (returns immediately, no upstream needed)
        if let Some(ref advanced) = route_match.route.action.advanced {
            if let Some(ref test_response) = advanced.test_response {
                self.metrics.connection_closed(route_id, Some(&ip_str));
                return Ok(Self::build_test_response(test_response));
            }
        }
@@ -207,7 +328,6 @@ impl HttpProxyService {
        // Check for static file serving
        if let Some(ref advanced) = route_match.route.action.advanced {
            if let Some(ref static_files) = advanced.static_files {
                self.metrics.connection_closed(route_id, Some(&ip_str));
                return Ok(Self::serve_static_file(&path, static_files));
            }
        }
@@ -216,12 +336,19 @@ impl HttpProxyService {
        let target = match route_match.target {
            Some(t) => t,
            None => {
                self.metrics.connection_closed(route_id, Some(&ip_str));
                return Ok(error_response(StatusCode::BAD_GATEWAY, "No target available"));
            }
        };
-        let upstream = self.upstream_selector.select(target, &peer_addr, port);
+        let mut upstream = self.upstream_selector.select(target, &peer_addr, port);
        // If the route uses terminate-and-reencrypt, always re-encrypt to backend
        if let Some(ref tls) = route_match.route.action.tls {
            if tls.mode == rustproxy_config::TlsMode::TerminateAndReencrypt {
                upstream.use_tls = true;
            }
        }
        let upstream_key = format!("{}:{}", upstream.host, upstream.port);
        self.upstream_selector.connection_started(&upstream_key);
@@ -253,7 +380,7 @@ impl HttpProxyService {
                Some(q) => format!("{}?{}", path, q),
                None => path.clone(),
            };
-            Self::apply_url_rewrite(&raw_path, &route_match.route)
+            self.apply_url_rewrite(&raw_path, &route_match.route)
        };
        // Build upstream request - stream body instead of buffering
@@ -273,58 +400,164 @@ impl HttpProxyService {
            }
        }
-        // Connect to upstream with timeout
+        // Ensure Host header is set (HTTP/2 requests don't have Host; need it for h1 backends)
-        let upstream_stream = match tokio::time::timeout(
+        if !upstream_headers.contains_key("host") {
            if let Some(ref h) = host {
                if let Ok(val) = hyper::header::HeaderValue::from_str(h) {
                    upstream_headers.insert(hyper::header::HOST, val);
                }
            }
        }
        // Add standard reverse-proxy headers (X-Forwarded-*)
        {
            let original_host = host.as_deref().unwrap_or("");
            let forwarded_proto = if route_match.route.action.tls.as_ref()
                .map(|t| matches!(t.mode,
                    rustproxy_config::TlsMode::Terminate
                    | rustproxy_config::TlsMode::TerminateAndReencrypt))
                .unwrap_or(false)
            {
                "https"
            } else {
                "http"
            };
            // X-Forwarded-For: append client IP to existing chain
            let client_ip = peer_addr.ip().to_string();
            let xff_value = if let Some(existing) = upstream_headers.get("x-forwarded-for") {
                format!("{}, {}", existing.to_str().unwrap_or(""), client_ip)
            } else {
                client_ip
            };
            if let Ok(val) = hyper::header::HeaderValue::from_str(&xff_value) {
                upstream_headers.insert(
                    hyper::header::HeaderName::from_static("x-forwarded-for"),
                    val,
                );
            }
            // X-Forwarded-Host: original Host header
            if let Ok(val) = hyper::header::HeaderValue::from_str(original_host) {
                upstream_headers.insert(
                    hyper::header::HeaderName::from_static("x-forwarded-host"),
                    val,
                );
            }
            // X-Forwarded-Proto: original client protocol
            if let Ok(val) = hyper::header::HeaderValue::from_str(forwarded_proto) {
                upstream_headers.insert(
                    hyper::header::HeaderName::from_static("x-forwarded-proto"),
                    val,
                );
            }
        }
        // --- Connection pooling: try reusing an existing connection first ---
        let pool_key = crate::connection_pool::PoolKey {
            host: upstream.host.clone(),
            port: upstream.port,
            use_tls: upstream.use_tls,
            h2: use_h2,
        };
        // Try pooled connection first (H2 only — H2 senders are Clone and multiplexed,
        // so checkout doesn't consume request parts. For H1, we try pool inside forward_h1.)
        if use_h2 {
            if let Some(sender) = self.connection_pool.checkout_h2(&pool_key) {
                let result = self.forward_h2_pooled(
                    sender, parts, body, upstream_headers, &upstream_path,
                    route_match.route, route_id, &ip_str, &pool_key,
                ).await;
                self.upstream_selector.connection_ended(&upstream_key);
                return result;
            }
        }
        // Fresh connection path
        let backend = if upstream.use_tls {
            match tokio::time::timeout(
                self.connect_timeout,
                connect_tls_backend(&self.backend_tls_config, &upstream.host, upstream.port),
            ).await {
                Ok(Ok(tls)) => BackendStream::Tls(tls),
                Ok(Err(e)) => {
                    error!("Failed TLS connect to upstream {}:{}: {}", upstream.host, upstream.port, e);
                    self.upstream_selector.connection_ended(&upstream_key);
                    return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend TLS unavailable"));
                }
                Err(_) => {
                    error!("Upstream TLS connect timeout for {}:{}", upstream.host, upstream.port);
                    self.upstream_selector.connection_ended(&upstream_key);
                    return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend TLS connect timeout"));
                }
            }
        } else {
            match tokio::time::timeout(
                self.connect_timeout,
                TcpStream::connect(format!("{}:{}", upstream.host, upstream.port)),
            ).await {
-            Ok(Ok(s)) => s,
+                Ok(Ok(s)) => {
                    s.set_nodelay(true).ok();
                    let _ = socket2::SockRef::from(&s).set_tcp_keepalive(
                        &socket2::TcpKeepalive::new().with_time(std::time::Duration::from_secs(60))
                    );
                    BackendStream::Plain(s)
                }
                Ok(Err(e)) => {
                    error!("Failed to connect to upstream {}:{}: {}", upstream.host, upstream.port, e);
                    self.upstream_selector.connection_ended(&upstream_key);
                self.metrics.connection_closed(route_id, Some(&ip_str));
                    return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable"));
                }
                Err(_) => {
                    error!("Upstream connect timeout for {}:{}", upstream.host, upstream.port);
                    self.upstream_selector.connection_ended(&upstream_key);
                self.metrics.connection_closed(route_id, Some(&ip_str));
                    return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend connect timeout"));
                }
            }
        };
        upstream_stream.set_nodelay(true).ok();
-        let io = TokioIo::new(upstream_stream);
+        let io = TokioIo::new(backend);
        let result = if use_h2 {
-            // HTTP/2 backend
+            self.forward_h2(io, parts, body, upstream_headers, &upstream_path, &upstream, route_match.route, route_id, &ip_str, &pool_key).await
            self.forward_h2(io, parts, body, upstream_headers, &upstream_path, &upstream, route_match.route, route_id, &ip_str).await
        } else {
-            // HTTP/1.1 backend (default)
+            self.forward_h1(io, parts, body, upstream_headers, &upstream_path, &upstream, route_match.route, route_id, &ip_str, &pool_key).await
            self.forward_h1(io, parts, body, upstream_headers, &upstream_path, &upstream, route_match.route, route_id, &ip_str).await
        };
        self.upstream_selector.connection_ended(&upstream_key);
        result
    }
    /// Forward request to backend via HTTP/1.1 with body streaming.
    /// Tries a pooled connection first; if unavailable, uses the fresh IO connection.
    async fn forward_h1(
        &self,
-        io: TokioIo<TcpStream>,
+        io: TokioIo<BackendStream>,
        parts: hyper::http::request::Parts,
        body: Incoming,
        upstream_headers: hyper::HeaderMap,
        upstream_path: &str,
-        upstream: &crate::upstream_selector::UpstreamSelection,
+        _upstream: &crate::upstream_selector::UpstreamSelection,
        route: &rustproxy_config::RouteConfig,
        route_id: Option<&str>,
        source_ip: &str,
        pool_key: &crate::connection_pool::PoolKey,
    ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
-        let (mut sender, conn) = match hyper::client::conn::http1::handshake(io).await {
+        // Try pooled H1 connection first — avoids TCP+TLS handshake
        if let Some(pooled_sender) = self.connection_pool.checkout_h1(pool_key) {
            return self.forward_h1_with_sender(
                pooled_sender, parts, body, upstream_headers, upstream_path,
                route, route_id, source_ip, pool_key,
            ).await;
        }
        // Fresh connection: explicitly type the handshake with BoxBody for uniform pool type
        let (sender, conn): (
            hyper::client::conn::http1::SendRequest<BoxBody<Bytes, hyper::Error>>,
            hyper::client::conn::http1::Connection<TokioIo<BackendStream>, BoxBody<Bytes, hyper::Error>>,
        ) = match hyper::client::conn::http1::handshake(io).await {
            Ok(h) => h,
            Err(e) => {
                error!("Upstream handshake failed: {}", e);
                self.metrics.connection_closed(route_id, Some(source_ip));
                return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend handshake failed"));
            }
        };
@@ -335,21 +568,33 @@ impl HttpProxyService {
            }
        });
        self.forward_h1_with_sender(sender, parts, body, upstream_headers, upstream_path, route, route_id, source_ip, pool_key).await
    }
    /// Common H1 forwarding logic used by both fresh and pooled paths.
    async fn forward_h1_with_sender(
        &self,
        mut sender: hyper::client::conn::http1::SendRequest<BoxBody<Bytes, hyper::Error>>,
        parts: hyper::http::request::Parts,
        body: Incoming,
        upstream_headers: hyper::HeaderMap,
        upstream_path: &str,
        route: &rustproxy_config::RouteConfig,
        route_id: Option<&str>,
        source_ip: &str,
        pool_key: &crate::connection_pool::PoolKey,
    ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
        // Always use HTTP/1.1 for h1 backend connections (h2 incoming requests have version HTTP/2.0)
        let mut upstream_req = Request::builder()
            .method(parts.method)
            .uri(upstream_path)
-            .version(parts.version);
+            .version(hyper::Version::HTTP_11);
        if let Some(headers) = upstream_req.headers_mut() {
            *headers = upstream_headers;
            if let Ok(host_val) = hyper::header::HeaderValue::from_str(
                &format!("{}:{}", upstream.host, upstream.port)
            ) {
                headers.insert(hyper::header::HOST, host_val);
            }
        }
-        // Wrap the request body in CountingBody to track bytes_in
+        // Wrap the request body in CountingBody then box it for the uniform pool type
        let counting_req_body = CountingBody::new(
            body,
            Arc::clone(&self.metrics),
@@ -357,41 +602,48 @@ impl HttpProxyService {
            Some(source_ip.to_string()),
            Direction::In,
        );
        let boxed_body: BoxBody<Bytes, hyper::Error> = BoxBody::new(counting_req_body);
-        // Stream the request body through to upstream
+        let upstream_req = upstream_req.body(boxed_body).unwrap();
        let upstream_req = upstream_req.body(counting_req_body).unwrap();
        let upstream_response = match sender.send_request(upstream_req).await {
            Ok(resp) => resp,
            Err(e) => {
                error!("Upstream request failed: {}", e);
                self.metrics.connection_closed(route_id, Some(source_ip));
                return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend request failed"));
            }
        };
        // Return sender to pool (body streams lazily, sender is reusable once response head is received)
        self.connection_pool.checkin_h1(pool_key.clone(), sender);
        self.build_streaming_response(upstream_response, route, route_id, source_ip).await
    }
-    /// Forward request to backend via HTTP/2 with body streaming.
+    /// Forward request to backend via HTTP/2 with body streaming (fresh connection).
    /// Registers the h2 sender in the pool for future multiplexed requests.
    async fn forward_h2(
        &self,
-        io: TokioIo<TcpStream>,
+        io: TokioIo<BackendStream>,
        parts: hyper::http::request::Parts,
        body: Incoming,
        upstream_headers: hyper::HeaderMap,
        upstream_path: &str,
-        upstream: &crate::upstream_selector::UpstreamSelection,
+        _upstream: &crate::upstream_selector::UpstreamSelection,
        route: &rustproxy_config::RouteConfig,
        route_id: Option<&str>,
        source_ip: &str,
        pool_key: &crate::connection_pool::PoolKey,
    ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
        let exec = hyper_util::rt::TokioExecutor::new();
-        let (mut sender, conn) = match hyper::client::conn::http2::handshake(exec, io).await {
+        // Explicitly type the handshake with BoxBody for uniform pool type
        let (sender, conn): (
            hyper::client::conn::http2::SendRequest<BoxBody<Bytes, hyper::Error>>,
            hyper::client::conn::http2::Connection<TokioIo<BackendStream>, BoxBody<Bytes, hyper::Error>, hyper_util::rt::TokioExecutor>,
        ) = match hyper::client::conn::http2::handshake(exec, io).await {
            Ok(h) => h,
            Err(e) => {
                error!("HTTP/2 upstream handshake failed: {}", e);
                self.metrics.connection_closed(route_id, Some(source_ip));
                return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend H2 handshake failed"));
            }
        };
@@ -402,20 +654,49 @@ impl HttpProxyService {
            }
        });
        // Register for multiplexed reuse
        self.connection_pool.register_h2(pool_key.clone(), sender.clone());
        self.forward_h2_with_sender(sender, parts, body, upstream_headers, upstream_path, route, route_id, source_ip).await
    }
    /// Forward request using an existing (pooled) HTTP/2 sender.
    async fn forward_h2_pooled(
        &self,
        sender: hyper::client::conn::http2::SendRequest<BoxBody<Bytes, hyper::Error>>,
        parts: hyper::http::request::Parts,
        body: Incoming,
        upstream_headers: hyper::HeaderMap,
        upstream_path: &str,
        route: &rustproxy_config::RouteConfig,
        route_id: Option<&str>,
        source_ip: &str,
        _pool_key: &crate::connection_pool::PoolKey,
    ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
        self.forward_h2_with_sender(sender, parts, body, upstream_headers, upstream_path, route, route_id, source_ip).await
    }
    /// Common H2 forwarding logic used by both fresh and pooled paths.
    async fn forward_h2_with_sender(
        &self,
        mut sender: hyper::client::conn::http2::SendRequest<BoxBody<Bytes, hyper::Error>>,
        parts: hyper::http::request::Parts,
        body: Incoming,
        upstream_headers: hyper::HeaderMap,
        upstream_path: &str,
        route: &rustproxy_config::RouteConfig,
        route_id: Option<&str>,
        source_ip: &str,
    ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
        let mut upstream_req = Request::builder()
            .method(parts.method)
            .uri(upstream_path);
        if let Some(headers) = upstream_req.headers_mut() {
            *headers = upstream_headers;
            if let Ok(host_val) = hyper::header::HeaderValue::from_str(
                &format!("{}:{}", upstream.host, upstream.port)
            ) {
                headers.insert(hyper::header::HOST, host_val);
            }
        }
-        // Wrap the request body in CountingBody to track bytes_in
+        // Wrap the request body in CountingBody then box it for the uniform pool type
        let counting_req_body = CountingBody::new(
            body,
            Arc::clone(&self.metrics),
@@ -423,15 +704,14 @@ impl HttpProxyService {
            Some(source_ip.to_string()),
            Direction::In,
        );
        let boxed_body: BoxBody<Bytes, hyper::Error> = BoxBody::new(counting_req_body);
-        // Stream the request body through to upstream
+        let upstream_req = upstream_req.body(boxed_body).unwrap();
        let upstream_req = upstream_req.body(counting_req_body).unwrap();
        let upstream_response = match sender.send_request(upstream_req).await {
            Ok(resp) => resp,
            Err(e) => {
                error!("HTTP/2 upstream request failed: {}", e);
                self.metrics.connection_closed(route_id, Some(source_ip));
                return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend H2 request failed"));
            }
        };
@@ -442,8 +722,7 @@ impl HttpProxyService {
    /// Build the client-facing response from an upstream response, streaming the body.
    ///
    /// The response body is wrapped in a `CountingBody` that counts bytes as they
-    /// stream from upstream to client. When the body is fully consumed (or dropped),
+    /// stream from upstream to client.
    /// it reports byte counts to the metrics collector and calls `connection_closed`.
    async fn build_streaming_response(
        &self,
        upstream_response: Response<Incoming>,
@@ -472,11 +751,6 @@ impl HttpProxyService {
            Direction::Out,
        );
        // Close the connection metric now — the HTTP request/response cycle is done
        // from the proxy's perspective once we hand the streaming body to hyper.
        // Bytes will still be counted as they flow.
        self.metrics.connection_closed(route_id, Some(source_ip));
        let body: BoxBody<Bytes, hyper::Error> = BoxBody::new(counting_body);
        Ok(response.body(body).unwrap())
@@ -508,7 +782,6 @@ impl HttpProxyService {
                    .unwrap_or("");
                if !allowed_origins.is_empty() && !allowed_origins.iter().any(|o| o == "*" || o == origin) {
                    self.upstream_selector.connection_ended(upstream_key);
                    self.metrics.connection_closed(route_id, Some(source_ip));
                    return Ok(error_response(StatusCode::FORBIDDEN, "Origin not allowed"));
                }
            }
@@ -516,26 +789,48 @@ impl HttpProxyService {
        info!("WebSocket upgrade from {} -> {}:{}", peer_addr, upstream.host, upstream.port);
-        // Connect to upstream with timeout
+        // Connect to upstream with timeout (TLS if upstream.use_tls is set)
-        let mut upstream_stream = match tokio::time::timeout(
+        let mut upstream_stream: BackendStream = if upstream.use_tls {
            match tokio::time::timeout(
                self.connect_timeout,
                connect_tls_backend(&self.backend_tls_config, &upstream.host, upstream.port),
            ).await {
                Ok(Ok(tls)) => BackendStream::Tls(tls),
                Ok(Err(e)) => {
                    error!("WebSocket: failed TLS connect upstream {}:{}: {}", upstream.host, upstream.port, e);
                    self.upstream_selector.connection_ended(upstream_key);
                    return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend TLS unavailable"));
                }
                Err(_) => {
                    error!("WebSocket: upstream TLS connect timeout for {}:{}", upstream.host, upstream.port);
                    self.upstream_selector.connection_ended(upstream_key);
                    return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend TLS connect timeout"));
                }
            }
        } else {
            match tokio::time::timeout(
                self.connect_timeout,
                TcpStream::connect(format!("{}:{}", upstream.host, upstream.port)),
            ).await {
-            Ok(Ok(s)) => s,
+                Ok(Ok(s)) => {
                    s.set_nodelay(true).ok();
                    let _ = socket2::SockRef::from(&s).set_tcp_keepalive(
                        &socket2::TcpKeepalive::new().with_time(std::time::Duration::from_secs(60))
                    );
                    BackendStream::Plain(s)
                }
                Ok(Err(e)) => {
                    error!("WebSocket: failed to connect upstream {}:{}: {}", upstream.host, upstream.port, e);
                    self.upstream_selector.connection_ended(upstream_key);
                self.metrics.connection_closed(route_id, Some(source_ip));
                    return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable"));
                }
                Err(_) => {
                    error!("WebSocket: upstream connect timeout for {}:{}", upstream.host, upstream.port);
                    self.upstream_selector.connection_ended(upstream_key);
                self.metrics.connection_closed(route_id, Some(source_ip));
                    return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend connect timeout"));
                }
            }
        };
        upstream_stream.set_nodelay(true).ok();
        let path = req.uri().path().to_string();
        let upstream_path = {
@@ -562,13 +857,57 @@ impl HttpProxyService {
            parts.method, upstream_path
        );
-        let upstream_host = format!("{}:{}", upstream.host, upstream.port);
+        // Copy all original headers (preserving the client's Host header).
        // Skip X-Forwarded-* since we set them ourselves below.
        let mut has_host_header = false;
        for (name, value) in parts.headers.iter() {
-            if name == hyper::header::HOST {
+            let name_str = name.as_str();
-                raw_request.push_str(&format!("host: {}\r\n", upstream_host));
+            if name_str == "x-forwarded-for"
-            } else {
+                || name_str == "x-forwarded-host"
                || name_str == "x-forwarded-proto"
            {
                continue;
            }
            if name_str == "host" {
                has_host_header = true;
            }
            raw_request.push_str(&format!("{}: {}\r\n", name, value.to_str().unwrap_or("")));
        }
        // HTTP/2 requests don't have Host header; add one from URI authority for h1 backends
        let ws_host = parts.uri.host().map(|h| h.to_string());
        if !has_host_header {
            if let Some(ref h) = ws_host {
                raw_request.push_str(&format!("host: {}\r\n", h));
            }
        }
        // Add standard reverse-proxy headers (X-Forwarded-*)
        {
            let original_host = parts.headers.get("host")
                .and_then(|h| h.to_str().ok())
                .or(ws_host.as_deref())
                .unwrap_or("");
            let forwarded_proto = if route.action.tls.as_ref()
                .map(|t| matches!(t.mode,
                    rustproxy_config::TlsMode::Terminate
                    | rustproxy_config::TlsMode::TerminateAndReencrypt))
                .unwrap_or(false)
            {
                "https"
            } else {
                "http"
            };
            let client_ip = peer_addr.ip().to_string();
            let xff_value = if let Some(existing) = parts.headers.get("x-forwarded-for") {
                format!("{}, {}", existing.to_str().unwrap_or(""), client_ip)
            } else {
                client_ip
            };
            raw_request.push_str(&format!("x-forwarded-for: {}\r\n", xff_value));
            raw_request.push_str(&format!("x-forwarded-host: {}\r\n", original_host));
            raw_request.push_str(&format!("x-forwarded-proto: {}\r\n", forwarded_proto));
        }
        if let Some(ref route_headers) = route.headers {
@@ -593,7 +932,6 @@ impl HttpProxyService {
        if let Err(e) = upstream_stream.write_all(raw_request.as_bytes()).await {
            error!("WebSocket: failed to send upgrade request to upstream: {}", e);
            self.upstream_selector.connection_ended(upstream_key);
            self.metrics.connection_closed(route_id, Some(source_ip));
            return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend write failed"));
        }
@@ -604,7 +942,6 @@ impl HttpProxyService {
                Ok(0) => {
                    error!("WebSocket: upstream closed before completing handshake");
                    self.upstream_selector.connection_ended(upstream_key);
                    self.metrics.connection_closed(route_id, Some(source_ip));
                    return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend closed"));
                }
                Ok(_) => {
@@ -618,14 +955,12 @@ impl HttpProxyService {
                    if response_buf.len() > 8192 {
                        error!("WebSocket: upstream response headers too large");
                        self.upstream_selector.connection_ended(upstream_key);
                        self.metrics.connection_closed(route_id, Some(source_ip));
                        return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend response too large"));
                    }
                }
                Err(e) => {
                    error!("WebSocket: failed to read upstream response: {}", e);
                    self.upstream_selector.connection_ended(upstream_key);
                    self.metrics.connection_closed(route_id, Some(source_ip));
                    return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend read failed"));
                }
            }
@@ -643,7 +978,6 @@ impl HttpProxyService {
        if status_code != 101 {
            debug!("WebSocket: upstream rejected upgrade with status {}", status_code);
            self.upstream_selector.connection_ended(upstream_key);
            self.metrics.connection_closed(route_id, Some(source_ip));
            return Ok(error_response(
                StatusCode::from_u16(status_code).unwrap_or(StatusCode::BAD_GATEWAY),
                "WebSocket upgrade rejected by backend",
@@ -687,9 +1021,6 @@ impl HttpProxyService {
                Err(e) => {
                    debug!("WebSocket: client upgrade failed: {}", e);
                    upstream_selector.connection_ended(&upstream_key_owned);
                    if let Some(ref rid) = route_id_owned {
                        metrics.connection_closed(Some(rid.as_str()), Some(&source_ip_owned));
                    }
                    return;
                }
            };
@@ -794,7 +1125,6 @@ impl HttpProxyService {
            upstream_selector.connection_ended(&upstream_key_owned);
            if let Some(ref rid) = route_id_owned {
                metrics.record_bytes(bytes_in, bytes_out, Some(rid.as_str()), Some(&source_ip_owned));
                metrics.connection_closed(Some(rid.as_str()), Some(&source_ip_owned));
            }
        });
@@ -824,8 +1154,8 @@ impl HttpProxyService {
        response.body(BoxBody::new(body)).unwrap()
    }
-    /// Apply URL rewriting rules from route config.
+    /// Apply URL rewriting rules from route config, using the compiled regex cache.
-    fn apply_url_rewrite(path: &str, route: &rustproxy_config::RouteConfig) -> String {
+    fn apply_url_rewrite(&self, path: &str, route: &rustproxy_config::RouteConfig) -> String {
        let rewrite = match route.action.advanced.as_ref()
            .and_then(|a| a.url_rewrite.as_ref())
        {
@@ -844,10 +1174,20 @@ impl HttpProxyService {
            (path.to_string(), String::new())
        };
        // Look up or compile the regex, caching for future requests
        let cached = self.regex_cache.get(&rewrite.pattern);
        if let Some(re) = cached {
            let result = re.replace_all(&subject, rewrite.target.as_str());
            return format!("{}{}", result, suffix);
        }
        // Not cached — compile and insert
        match Regex::new(&rewrite.pattern) {
            Ok(re) => {
                let result = re.replace_all(&subject, rewrite.target.as_str());
-                format!("{}{}", result, suffix)
+                let out = format!("{}{}", result, suffix);
                self.regex_cache.insert(rewrite.pattern.clone(), re);
                out
            }
            Err(e) => {
                warn!("Invalid URL rewrite pattern '{}': {}", rewrite.pattern, e);
@@ -967,6 +1307,70 @@ fn guess_content_type(path: &std::path::Path) -> &'static str {
    }
 }
 impl HttpProxyService {
    /// Build a default backend TLS config with InsecureVerifier.
    /// Used as fallback when no shared config is injected from tls_handler.
    fn default_backend_tls_config() -> Arc<rustls::ClientConfig> {
        let _ = rustls::crypto::ring::default_provider().install_default();
        let config = rustls::ClientConfig::builder()
            .dangerous()
            .with_custom_certificate_verifier(Arc::new(InsecureBackendVerifier))
            .with_no_client_auth();
        Arc::new(config)
    }
 }
 /// Insecure certificate verifier for backend TLS connections (fallback only).
 /// The production path uses the shared config from tls_handler which has the same
 /// behavior but with session resumption across all outbound connections.
 #[derive(Debug)]
 struct InsecureBackendVerifier;
 impl rustls::client::danger::ServerCertVerifier for InsecureBackendVerifier {
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::pki_types::CertificateDer<'_>,
        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
        _server_name: &rustls::pki_types::ServerName<'_>,
        _ocsp_response: &[u8],
        _now: rustls::pki_types::UnixTime,
    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
        Ok(rustls::client::danger::ServerCertVerified::assertion())
    }
    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
    }
    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
    }
    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
        vec![
            rustls::SignatureScheme::RSA_PKCS1_SHA256,
            rustls::SignatureScheme::RSA_PKCS1_SHA384,
            rustls::SignatureScheme::RSA_PKCS1_SHA512,
            rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
            rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
            rustls::SignatureScheme::ED25519,
            rustls::SignatureScheme::RSA_PSS_SHA256,
            rustls::SignatureScheme::RSA_PSS_SHA384,
            rustls::SignatureScheme::RSA_PSS_SHA512,
        ]
    }
 }
 impl Default for HttpProxyService {
    fn default() -> Self {
        Self {
@@ -974,6 +1378,11 @@ impl Default for HttpProxyService {
            metrics: Arc::new(MetricsCollector::new()),
            upstream_selector: UpstreamSelector::new(),
            connect_timeout: DEFAULT_CONNECT_TIMEOUT,
            route_rate_limiters: Arc::new(DashMap::new()),
            request_counter: AtomicU64::new(0),
            regex_cache: DashMap::new(),
            backend_tls_config: Self::default_backend_tls_config(),
            connection_pool: Arc::new(crate::connection_pool::ConnectionPool::new()),
        }
    }
 }
--- a/rust/crates/rustproxy-http/src/upstream_selector.rs
+++ b/rust/crates/rustproxy-http/src/upstream_selector.rs
@@ -115,10 +115,18 @@ impl UpstreamSelector {
    /// Record that a connection to the given host has ended.
    pub fn connection_ended(&self, host: &str) {
        if let Some(counter) = self.active_connections.get(host) {
-            let prev = counter.value().fetch_sub(1, Ordering::Relaxed);
+            let prev = counter.value().load(Ordering::Relaxed);
            // Guard against underflow (shouldn't happen, but be safe)
            if prev == 0 {
-                counter.value().store(0, Ordering::Relaxed);
+                // Already at zero — just clean up the entry
                drop(counter);
                self.active_connections.remove(host);
                return;
            }
            counter.value().fetch_sub(1, Ordering::Relaxed);
            // Clean up zero-count entries to prevent memory growth
            if prev <= 1 {
                drop(counter);
                self.active_connections.remove(host);
            }
        }
    }
@@ -204,6 +212,31 @@ mod tests {
        assert_eq!(r4.host, "a");
    }
    #[test]
    fn test_connection_tracking_cleanup() {
        let selector = UpstreamSelector::new();
        selector.connection_started("backend:8080");
        selector.connection_started("backend:8080");
        assert_eq!(
            selector.active_connections.get("backend:8080").unwrap().load(Ordering::Relaxed),
            2
        );
        selector.connection_ended("backend:8080");
        assert_eq!(
            selector.active_connections.get("backend:8080").unwrap().load(Ordering::Relaxed),
            1
        );
        // Last connection ends — entry should be removed entirely
        selector.connection_ended("backend:8080");
        assert!(selector.active_connections.get("backend:8080").is_none());
        // Ending on a non-existent key should not panic
        selector.connection_ended("nonexistent:9999");
    }
    #[test]
    fn test_ip_hash_consistent() {
        let selector = UpstreamSelector::new();
--- a/rust/crates/rustproxy-metrics/src/collector.rs
+++ b/rust/crates/rustproxy-metrics/src/collector.rs
@@ -1,5 +1,6 @@
 use dashmap::DashMap;
 use serde::{Deserialize, Serialize};
 use std::collections::HashSet;
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::Mutex;
@@ -196,6 +197,12 @@ impl MetricsCollector {
                if val <= 1 {
                    drop(counter);
                    self.ip_connections.remove(ip);
                    // Evict all per-IP tracking data for this IP
                    self.ip_total_connections.remove(ip);
                    self.ip_bytes_in.remove(ip);
                    self.ip_bytes_out.remove(ip);
                    self.ip_pending_tp.remove(ip);
                    self.ip_throughput.remove(ip);
                }
            }
        }
@@ -342,6 +349,17 @@ impl MetricsCollector {
        }
    }
    /// Remove per-route metrics for route IDs that are no longer active.
    /// Call this after `update_routes()` to prune stale entries.
    pub fn retain_routes(&self, active_route_ids: &HashSet<String>) {
        self.route_connections.retain(|k, _| active_route_ids.contains(k));
        self.route_total_connections.retain(|k, _| active_route_ids.contains(k));
        self.route_bytes_in.retain(|k, _| active_route_ids.contains(k));
        self.route_bytes_out.retain(|k, _| active_route_ids.contains(k));
        self.route_pending_tp.retain(|k, _| active_route_ids.contains(k));
        self.route_throughput.retain(|k, _| active_route_ids.contains(k));
    }
    /// Get current active connection count.
    pub fn active_connections(&self) -> u64 {
        self.active_connections.load(Ordering::Relaxed)
@@ -633,6 +651,42 @@ mod tests {
        assert!(collector.ip_connections.get("1.2.3.4").is_none());
    }
    #[test]
    fn test_per_ip_full_eviction_on_last_close() {
        let collector = MetricsCollector::with_retention(60);
        // Open connections from two IPs
        collector.connection_opened(Some("route-a"), Some("10.0.0.1"));
        collector.connection_opened(Some("route-a"), Some("10.0.0.1"));
        collector.connection_opened(Some("route-b"), Some("10.0.0.2"));
        // Record bytes to populate per-IP DashMaps
        collector.record_bytes(100, 200, Some("route-a"), Some("10.0.0.1"));
        collector.record_bytes(300, 400, Some("route-b"), Some("10.0.0.2"));
        collector.sample_all();
        // Verify per-IP data exists
        assert!(collector.ip_total_connections.get("10.0.0.1").is_some());
        assert!(collector.ip_bytes_in.get("10.0.0.1").is_some());
        assert!(collector.ip_throughput.get("10.0.0.1").is_some());
        // Close all connections for 10.0.0.1
        collector.connection_closed(Some("route-a"), Some("10.0.0.1"));
        collector.connection_closed(Some("route-a"), Some("10.0.0.1"));
        // All per-IP data for 10.0.0.1 should be evicted
        assert!(collector.ip_connections.get("10.0.0.1").is_none());
        assert!(collector.ip_total_connections.get("10.0.0.1").is_none());
        assert!(collector.ip_bytes_in.get("10.0.0.1").is_none());
        assert!(collector.ip_bytes_out.get("10.0.0.1").is_none());
        assert!(collector.ip_pending_tp.get("10.0.0.1").is_none());
        assert!(collector.ip_throughput.get("10.0.0.1").is_none());
        // 10.0.0.2 should still have data
        assert!(collector.ip_connections.get("10.0.0.2").is_some());
        assert!(collector.ip_total_connections.get("10.0.0.2").is_some());
    }
    #[test]
    fn test_http_request_tracking() {
        let collector = MetricsCollector::with_retention(60);
@@ -650,6 +704,35 @@ mod tests {
        assert_eq!(snapshot.http_requests_per_sec, 3);
    }
    #[test]
    fn test_retain_routes_prunes_stale() {
        let collector = MetricsCollector::with_retention(60);
        // Create metrics for 3 routes
        collector.connection_opened(Some("route-a"), None);
        collector.connection_opened(Some("route-b"), None);
        collector.connection_opened(Some("route-c"), None);
        collector.record_bytes(100, 200, Some("route-a"), None);
        collector.record_bytes(100, 200, Some("route-b"), None);
        collector.record_bytes(100, 200, Some("route-c"), None);
        collector.sample_all();
        // Now "route-b" is removed from config
        let active = HashSet::from(["route-a".to_string(), "route-c".to_string()]);
        collector.retain_routes(&active);
        // route-b entries should be gone
        assert!(collector.route_connections.get("route-b").is_none());
        assert!(collector.route_total_connections.get("route-b").is_none());
        assert!(collector.route_bytes_in.get("route-b").is_none());
        assert!(collector.route_bytes_out.get("route-b").is_none());
        assert!(collector.route_throughput.get("route-b").is_none());
        // route-a and route-c should still exist
        assert!(collector.route_total_connections.get("route-a").is_some());
        assert!(collector.route_total_connections.get("route-c").is_some());
    }
    #[test]
    fn test_throughput_history_in_snapshot() {
        let collector = MetricsCollector::with_retention(60);
--- a/rust/crates/rustproxy-passthrough/Cargo.toml
+++ b/rust/crates/rustproxy-passthrough/Cargo.toml
@@ -23,3 +23,4 @@ rustls-pemfile = { workspace = true }
 tokio-util = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 socket2 = { workspace = true }
--- a/rust/crates/rustproxy-passthrough/src/connection_tracker.rs
+++ b/rust/crates/rustproxy-passthrough/src/connection_tracker.rs
@@ -95,10 +95,11 @@ impl ConnectionTracker {
    pub fn connection_closed(&self, ip: &IpAddr) {
        if let Some(counter) = self.active.get(ip) {
            let prev = counter.value().fetch_sub(1, Ordering::Relaxed);
-            // Clean up zero entries
+            // Clean up zero entries to prevent memory growth
            if prev <= 1 {
                drop(counter);
                self.active.remove(ip);
                self.timestamps.remove(ip);
            }
        }
    }
@@ -205,10 +206,13 @@ impl ConnectionTracker {
                        let zombies = tracker.scan_zombies();
                        if !zombies.is_empty() {
                            warn!(
-                                "Detected {} zombie connection(s): {:?}",
+                                "Cleaning up {} zombie connection(s): {:?}",
                                zombies.len(),
                                zombies
                            );
                            for id in &zombies {
                                tracker.unregister_connection(*id);
                            }
                        }
                    }
                }
@@ -304,6 +308,30 @@ mod tests {
        assert_eq!(tracker.tracked_ips(), 1);
    }
    #[test]
    fn test_timestamps_cleaned_on_last_close() {
        let tracker = ConnectionTracker::new(None, Some(100));
        let ip: IpAddr = "10.0.0.1".parse().unwrap();
        // try_accept populates the timestamps map (when rate limiting is enabled)
        assert!(tracker.try_accept(&ip));
        tracker.connection_opened(&ip);
        assert!(tracker.try_accept(&ip));
        tracker.connection_opened(&ip);
        // Timestamps should exist
        assert!(tracker.timestamps.get(&ip).is_some());
        // Close one connection — timestamps should still exist
        tracker.connection_closed(&ip);
        assert!(tracker.timestamps.get(&ip).is_some());
        // Close last connection — timestamps should be cleaned up
        tracker.connection_closed(&ip);
        assert!(tracker.timestamps.get(&ip).is_none());
        assert!(tracker.active.get(&ip).is_none());
    }
    #[test]
    fn test_register_unregister_connection() {
        let tracker = ConnectionTracker::new(None, None);
--- a/rust/crates/rustproxy-passthrough/src/lib.rs
+++ b/rust/crates/rustproxy-passthrough/src/lib.rs
@@ -11,6 +11,7 @@ pub mod tls_handler;
 pub mod connection_record;
 pub mod connection_tracker;
 pub mod socket_relay;
 pub mod socket_opts;
 pub use tcp_listener::*;
 pub use sni_parser::*;
@@ -20,3 +21,4 @@ pub use tls_handler::*;
 pub use connection_record::*;
 pub use connection_tracker::*;
 pub use socket_relay::*;
 pub use socket_opts::*;
--- a/rust/crates/rustproxy-passthrough/src/sni_parser.rs
+++ b/rust/crates/rustproxy-passthrough/src/sni_parser.rs
@@ -196,6 +196,7 @@ pub fn is_http(data: &[u8]) -> bool {
        b"PATC",
        b"OPTI",
        b"CONN",
        b"PRI ",   // HTTP/2 connection preface
    ];
    starts.iter().any(|s| data.starts_with(s))
 }
--- a/rust/crates/rustproxy-passthrough/src/socket_opts.rs
+++ b/rust/crates/rustproxy-passthrough/src/socket_opts.rs
@@ -0,0 +1,19 @@
 //! Socket-level options for TCP streams (keepalive, etc.).
 //!
 //! Uses `socket2::SockRef::from()` to borrow the raw fd without ownership transfer.
 use std::io;
 use std::time::Duration;
 use tokio::net::TcpStream;
 /// Apply TCP keepalive to a connected socket.
 ///
 /// Enables SO_KEEPALIVE and sets the initial probe delay.
 /// On Linux, also sets the interval between probes to the same value.
 pub fn apply_keepalive(stream: &TcpStream, delay: Duration) -> io::Result<()> {
    let sock_ref = socket2::SockRef::from(stream);
    let ka = socket2::TcpKeepalive::new().with_time(delay);
    #[cfg(target_os = "linux")]
    let ka = ka.with_interval(delay);
    sock_ref.set_tcp_keepalive(&ka)
 }
--- a/rust/crates/rustproxy-passthrough/src/tcp_listener.rs
+++ b/rust/crates/rustproxy-passthrough/src/tcp_listener.rs
@@ -2,6 +2,7 @@ use std::collections::HashMap;
 use std::sync::Arc;
 use arc_swap::ArcSwap;
 use tokio::net::TcpListener;
 use tokio_rustls::TlsAcceptor;
 use tokio_util::sync::CancellationToken;
 use tracing::{info, error, debug, warn};
 use thiserror::Error;
@@ -14,6 +15,7 @@ use crate::sni_parser;
 use crate::forwarder;
 use crate::tls_handler;
 use crate::connection_tracker::ConnectionTracker;
 use crate::socket_opts;
 /// RAII guard that decrements the active connection metric on drop.
 /// Ensures connection_closed is called on ALL exit paths — normal, error, or panic.
@@ -21,7 +23,6 @@ struct ConnectionGuard {
    metrics: Arc<MetricsCollector>,
    route_id: Option<String>,
    source_ip: Option<String>,
    disarmed: bool,
 }
 impl ConnectionGuard {
@@ -30,24 +31,15 @@ impl ConnectionGuard {
            metrics,
            route_id: route_id.map(|s| s.to_string()),
            source_ip: source_ip.map(|s| s.to_string()),
            disarmed: false,
        }
    }
    /// Disarm the guard — prevents the Drop from running.
    /// Use when handing off to a path that manages its own cleanup (e.g., HTTP proxy).
    fn disarm(mut self) {
        self.disarmed = true;
    }
 }
 impl Drop for ConnectionGuard {
    fn drop(&mut self) {
        if !self.disarmed {
        self.metrics.connection_closed(self.route_id.as_deref(), self.source_ip.as_deref());
    }
 }
 }
 #[derive(Debug, Error)]
 pub enum ListenerError {
@@ -93,6 +85,15 @@ pub struct ConnectionConfig {
    pub accept_proxy_protocol: bool,
    /// Whether to send PROXY protocol
    pub send_proxy_protocol: bool,
    /// Trusted IPs that may send PROXY protocol headers.
    /// When non-empty, only connections from these IPs will have PROXY headers parsed.
    pub proxy_ips: Vec<std::net::IpAddr>,
    /// Enable TCP keepalive on sockets (default: true)
    pub keep_alive: bool,
    /// Initial delay before first keepalive probe (ms, default: 60000)
    pub keep_alive_initial_delay_ms: u64,
    /// Global maximum simultaneous connections (default: 100000)
    pub max_connections: u64,
 }
 impl Default for ConnectionConfig {
@@ -110,6 +111,10 @@ impl Default for ConnectionConfig {
            extended_keep_alive_lifetime_ms: None,
            accept_proxy_protocol: false,
            send_proxy_protocol: false,
            proxy_ips: Vec::new(),
            keep_alive: true,
            keep_alive_initial_delay_ms: 60_000,
            max_connections: 100_000,
        }
    }
 }
@@ -122,8 +127,10 @@ pub struct TcpListenerManager {
    route_manager: Arc<ArcSwap<RouteManager>>,
    /// Shared metrics collector
    metrics: Arc<MetricsCollector>,
-    /// TLS acceptors indexed by domain (ArcSwap for hot-reload visibility in accept loops)
+    /// Raw PEM TLS configs indexed by domain (kept for fallback with custom TLS versions)
    tls_configs: Arc<ArcSwap<HashMap<String, TlsCertConfig>>>,
    /// Shared TLS acceptor (pre-parsed certs + session cache). None when no certs configured.
    shared_tls_acceptor: Arc<ArcSwap<Option<TlsAcceptor>>>,
    /// HTTP proxy service for HTTP-level forwarding
    http_proxy: Arc<HttpProxyService>,
    /// Connection configuration
@@ -134,56 +141,68 @@ pub struct TcpListenerManager {
    cancel_token: CancellationToken,
    /// Path to Unix domain socket for relaying socket-handler connections to TypeScript.
    socket_handler_relay: Arc<std::sync::RwLock<Option<String>>>,
    /// Global connection semaphore — limits total simultaneous connections.
    conn_semaphore: Arc<tokio::sync::Semaphore>,
 }
 impl TcpListenerManager {
    pub fn new(route_manager: Arc<RouteManager>) -> Self {
        let metrics = Arc::new(MetricsCollector::new());
        let conn_config = ConnectionConfig::default();
-        let http_proxy = Arc::new(HttpProxyService::with_connect_timeout(
+        let mut http_proxy_svc = HttpProxyService::with_connect_timeout(
            Arc::clone(&route_manager),
            Arc::clone(&metrics),
            std::time::Duration::from_millis(conn_config.connection_timeout_ms),
-        ));
+        );
        http_proxy_svc.set_backend_tls_config(tls_handler::shared_backend_tls_config());
        let http_proxy = Arc::new(http_proxy_svc);
        let conn_tracker = Arc::new(ConnectionTracker::new(
            conn_config.max_connections_per_ip,
            conn_config.connection_rate_limit_per_minute,
        ));
        let max_conns = conn_config.max_connections as usize;
        Self {
            listeners: HashMap::new(),
            route_manager: Arc::new(ArcSwap::from(route_manager)),
            metrics,
            tls_configs: Arc::new(ArcSwap::from(Arc::new(HashMap::new()))),
            shared_tls_acceptor: Arc::new(ArcSwap::from(Arc::new(None))),
            http_proxy,
            conn_config: Arc::new(conn_config),
            conn_tracker,
            cancel_token: CancellationToken::new(),
            socket_handler_relay: Arc::new(std::sync::RwLock::new(None)),
            conn_semaphore: Arc::new(tokio::sync::Semaphore::new(max_conns)),
        }
    }
    /// Create with a metrics collector.
    pub fn with_metrics(route_manager: Arc<RouteManager>, metrics: Arc<MetricsCollector>) -> Self {
        let conn_config = ConnectionConfig::default();
-        let http_proxy = Arc::new(HttpProxyService::with_connect_timeout(
+        let mut http_proxy_svc = HttpProxyService::with_connect_timeout(
            Arc::clone(&route_manager),
            Arc::clone(&metrics),
            std::time::Duration::from_millis(conn_config.connection_timeout_ms),
-        ));
+        );
        http_proxy_svc.set_backend_tls_config(tls_handler::shared_backend_tls_config());
        let http_proxy = Arc::new(http_proxy_svc);
        let conn_tracker = Arc::new(ConnectionTracker::new(
            conn_config.max_connections_per_ip,
            conn_config.connection_rate_limit_per_minute,
        ));
        let max_conns = conn_config.max_connections as usize;
        Self {
            listeners: HashMap::new(),
            route_manager: Arc::new(ArcSwap::from(route_manager)),
            metrics,
            tls_configs: Arc::new(ArcSwap::from(Arc::new(HashMap::new()))),
            shared_tls_acceptor: Arc::new(ArcSwap::from(Arc::new(None))),
            http_proxy,
            conn_config: Arc::new(conn_config),
            conn_tracker,
            cancel_token: CancellationToken::new(),
            socket_handler_relay: Arc::new(std::sync::RwLock::new(None)),
            conn_semaphore: Arc::new(tokio::sync::Semaphore::new(max_conns)),
        }
    }
@@ -193,12 +212,31 @@ impl TcpListenerManager {
            config.max_connections_per_ip,
            config.connection_rate_limit_per_minute,
        ));
        self.conn_semaphore = Arc::new(tokio::sync::Semaphore::new(config.max_connections as usize));
        self.conn_config = Arc::new(config);
    }
    /// Set TLS certificate configurations.
    /// Builds a shared TLS acceptor with pre-parsed certs and session resumption support.
    /// Uses ArcSwap so running accept loops immediately see the new certs.
    pub fn set_tls_configs(&self, configs: HashMap<String, TlsCertConfig>) {
        if !configs.is_empty() {
            match tls_handler::CertResolver::new(&configs)
                .and_then(tls_handler::build_shared_tls_acceptor)
            {
                Ok(acceptor) => {
                    info!("Built shared TLS acceptor for {} domain(s)", configs.len());
                    self.shared_tls_acceptor.store(Arc::new(Some(acceptor)));
                }
                Err(e) => {
                    warn!("Failed to build shared TLS acceptor: {}, falling back to per-connection", e);
                    self.shared_tls_acceptor.store(Arc::new(None));
                }
            }
        } else {
            self.shared_tls_acceptor.store(Arc::new(None));
        }
        // Keep raw PEM configs for fallback (routes with custom TLS versions)
        self.tls_configs.store(Arc::new(configs));
    }
@@ -224,16 +262,19 @@ impl TcpListenerManager {
        let route_manager_swap = Arc::clone(&self.route_manager);
        let metrics = Arc::clone(&self.metrics);
        let tls_configs = Arc::clone(&self.tls_configs);
        let shared_tls_acceptor = Arc::clone(&self.shared_tls_acceptor);
        let http_proxy = Arc::clone(&self.http_proxy);
        let conn_config = Arc::clone(&self.conn_config);
        let conn_tracker = Arc::clone(&self.conn_tracker);
        let cancel = self.cancel_token.clone();
        let relay = Arc::clone(&self.socket_handler_relay);
        let semaphore = Arc::clone(&self.conn_semaphore);
        let handle = tokio::spawn(async move {
            Self::accept_loop(
                listener, port, route_manager_swap, metrics, tls_configs,
-                http_proxy, conn_config, conn_tracker, cancel, relay,
+                shared_tls_acceptor, http_proxy, conn_config, conn_tracker, cancel, relay,
                semaphore,
            ).await;
        });
@@ -322,11 +363,13 @@ impl TcpListenerManager {
        route_manager_swap: Arc<ArcSwap<RouteManager>>,
        metrics: Arc<MetricsCollector>,
        tls_configs: Arc<ArcSwap<HashMap<String, TlsCertConfig>>>,
        shared_tls_acceptor: Arc<ArcSwap<Option<TlsAcceptor>>>,
        http_proxy: Arc<HttpProxyService>,
        conn_config: Arc<ConnectionConfig>,
        conn_tracker: Arc<ConnectionTracker>,
        cancel: CancellationToken,
        socket_handler_relay: Arc<std::sync::RwLock<Option<String>>>,
        conn_semaphore: Arc<tokio::sync::Semaphore>,
    ) {
        loop {
            tokio::select! {
@@ -339,10 +382,31 @@ impl TcpListenerManager {
                        Ok((stream, peer_addr)) => {
                            let ip = peer_addr.ip();
                            // Global connection limit — acquire semaphore permit with timeout
                            let permit = match tokio::time::timeout(
                                std::time::Duration::from_secs(5),
                                conn_semaphore.clone().acquire_owned(),
                            ).await {
                                Ok(Ok(permit)) => permit,
                                Ok(Err(_)) => {
                                    // Semaphore closed — shouldn't happen, but be safe
                                    debug!("Connection semaphore closed, dropping connection from {}", peer_addr);
                                    drop(stream);
                                    continue;
                                }
                                Err(_) => {
                                    // Timeout — global limit reached
                                    debug!("Global connection limit reached, dropping connection from {}", peer_addr);
                                    drop(stream);
                                    continue;
                                }
                            };
                            // Check per-IP limits and rate limiting
                            if !conn_tracker.try_accept(&ip) {
                                debug!("Rejected connection from {} (per-IP limit or rate limit)", peer_addr);
                                drop(stream);
                                drop(permit);
                                continue;
                            }
@@ -353,6 +417,8 @@ impl TcpListenerManager {
                            let m = Arc::clone(&metrics);
                            // Load the latest TLS configs from ArcSwap on each connection
                            let tc = tls_configs.load_full();
                            // Load the latest shared TLS acceptor from ArcSwap
                            let sa = shared_tls_acceptor.load_full();
                            let hp = Arc::clone(&http_proxy);
                            let cc = Arc::clone(&conn_config);
                            let ct = Arc::clone(&conn_tracker);
@@ -361,8 +427,10 @@ impl TcpListenerManager {
                            debug!("Accepted connection from {} on port {}", peer_addr, port);
                            tokio::spawn(async move {
                                // Move permit into the task — auto-releases on drop
                                let _permit = permit;
                                let result = Self::handle_connection(
-                                    stream, port, peer_addr, rm, m, tc, hp, cc, cn, sr,
+                                    stream, port, peer_addr, rm, m, tc, sa, hp, cc, cn, sr,
                                ).await;
                                if let Err(e) = result {
                                    debug!("Connection error from {}: {}", peer_addr, e);
@@ -388,6 +456,7 @@ impl TcpListenerManager {
        route_manager: Arc<RouteManager>,
        metrics: Arc<MetricsCollector>,
        tls_configs: Arc<HashMap<String, TlsCertConfig>>,
        shared_tls_acceptor: Arc<Option<TlsAcceptor>>,
        http_proxy: Arc<HttpProxyService>,
        conn_config: Arc<ConnectionConfig>,
        cancel: CancellationToken,
@@ -396,8 +465,48 @@ impl TcpListenerManager {
        use tokio::io::AsyncReadExt;
        stream.set_nodelay(true)?;
        if conn_config.keep_alive {
            let delay = std::time::Duration::from_millis(conn_config.keep_alive_initial_delay_ms);
            if let Err(e) = socket_opts::apply_keepalive(&stream, delay) {
                debug!("Failed to set keepalive on client socket: {}", e);
            }
        }
-        // Extract source IP once for all metric calls
+        // --- PROXY protocol: must happen BEFORE ip_str and fast path ---
        // Only parse PROXY headers from trusted proxy IPs (security).
        // Non-proxy connections skip the peek entirely (no latency cost).
        let mut effective_peer_addr = peer_addr;
        if !conn_config.proxy_ips.is_empty() && conn_config.proxy_ips.contains(&peer_addr.ip()) {
            // Trusted proxy IP — peek for PROXY protocol header
            let mut proxy_peek = vec![0u8; 256];
            let pn = match tokio::time::timeout(
                std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
                stream.peek(&mut proxy_peek),
            ).await {
                Ok(Ok(n)) => n,
                Ok(Err(e)) => return Err(e.into()),
                Err(_) => return Err("Initial data timeout (proxy protocol peek)".into()),
            };
            if pn > 0 && crate::proxy_protocol::is_proxy_protocol_v1(&proxy_peek[..pn]) {
                match crate::proxy_protocol::parse_v1(&proxy_peek[..pn]) {
                    Ok((header, consumed)) => {
                        debug!("PROXY protocol: real client {} -> {}", header.source_addr, header.dest_addr);
                        effective_peer_addr = header.source_addr;
                        // Consume the proxy protocol header bytes
                        let mut discard = vec![0u8; consumed];
                        stream.read_exact(&mut discard).await?;
                    }
                    Err(e) => {
                        debug!("Failed to parse PROXY protocol header: {}", e);
                        // Not a PROXY protocol header, continue normally
                    }
                }
            }
        }
        let peer_addr = effective_peer_addr;
        // Extract source IP once for all metric calls (reflects real client IP after PROXY parsing)
        let ip_str = peer_addr.ip().to_string();
        // === Fast path: try port-only matching before peeking at data ===
@@ -418,6 +527,7 @@ impl TcpListenerManager {
                tls_version: None,
                headers: None,
                is_tls: false,
                protocol: None,
            };
            if let Some(quick_match) = route_manager.find_route(&quick_ctx) {
@@ -486,6 +596,12 @@ impl TcpListenerManager {
                            Err(_) => return Err("Backend connection timeout".into()),
                        };
                        backend.set_nodelay(true)?;
                        if conn_config.keep_alive {
                            let delay = std::time::Duration::from_millis(conn_config.keep_alive_initial_delay_ms);
                            if let Err(e) = socket_opts::apply_keepalive(&backend, delay) {
                                debug!("Failed to set keepalive on backend socket: {}", e);
                            }
                        }
                        // Send PROXY protocol header if configured
                        let should_send_proxy = conn_config.send_proxy_protocol
@@ -529,37 +645,6 @@ impl TcpListenerManager {
        }
        // === End fast path ===
        // Handle PROXY protocol if configured
        let mut effective_peer_addr = peer_addr;
        if conn_config.accept_proxy_protocol {
            let mut proxy_peek = vec![0u8; 256];
            let pn = match tokio::time::timeout(
                std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
                stream.peek(&mut proxy_peek),
            ).await {
                Ok(Ok(n)) => n,
                Ok(Err(e)) => return Err(e.into()),
                Err(_) => return Err("Initial data timeout (proxy protocol peek)".into()),
            };
            if pn > 0 && crate::proxy_protocol::is_proxy_protocol_v1(&proxy_peek[..pn]) {
                match crate::proxy_protocol::parse_v1(&proxy_peek[..pn]) {
                    Ok((header, consumed)) => {
                        debug!("PROXY protocol: real client {} -> {}", header.source_addr, header.dest_addr);
                        effective_peer_addr = header.source_addr;
                        // Consume the proxy protocol header bytes
                        let mut discard = vec![0u8; consumed];
                        stream.read_exact(&mut discard).await?;
                    }
                    Err(e) => {
                        debug!("Failed to parse PROXY protocol header: {}", e);
                        // Not a PROXY protocol header, continue normally
                    }
                }
            }
        }
        let peer_addr = effective_peer_addr;
        // Peek at initial bytes with timeout
        let mut peek_buf = vec![0u8; 4096];
        let n = match tokio::time::timeout(
@@ -622,6 +707,8 @@ impl TcpListenerManager {
            tls_version: None,
            headers: None,
            is_tls,
            // For TLS connections, protocol is unknown until after termination
            protocol: if is_http { Some("http") } else if !is_tls { Some("tcp") } else { None },
        };
        let route_match = route_manager.find_route(&ctx);
@@ -750,6 +837,12 @@ impl TcpListenerManager {
                    Err(_) => return Err("Backend connection timeout".into()),
                };
                backend.set_nodelay(true)?;
                if conn_config.keep_alive {
                    let delay = std::time::Duration::from_millis(conn_config.keep_alive_initial_delay_ms);
                    if let Err(e) = socket_opts::apply_keepalive(&backend, delay) {
                        debug!("Failed to set keepalive on backend socket: {}", e);
                    }
                }
                // Send PROXY protocol header if configured
                if let Some(ref header) = proxy_header {
@@ -777,13 +870,9 @@ impl TcpListenerManager {
                Ok(())
            }
            Some(rustproxy_config::TlsMode::Terminate) => {
-                let tls_config = Self::find_tls_config(&domain, &tls_configs)?;
+                // Use shared acceptor (session resumption) or fall back to per-connection
                // TLS accept with timeout, applying route-level TLS settings
                let route_tls = route_match.route.action.tls.as_ref();
-                let acceptor = tls_handler::build_tls_acceptor_with_config(
+                let acceptor = Self::get_tls_acceptor(&domain, &tls_configs, &*shared_tls_acceptor, route_tls)?;
                    &tls_config.cert_pem, &tls_config.key_pem, route_tls,
                )?;
                let tls_stream = match tokio::time::timeout(
                    std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
                    tls_handler::accept_tls(stream, &acceptor),
@@ -803,13 +892,20 @@ impl TcpListenerManager {
                    }
                };
                // Check protocol restriction from route config
                if let Some(ref required_protocol) = route_match.route.route_match.protocol {
                    let detected = if peeked { "http" } else { "tcp" };
                    if required_protocol != detected {
                        debug!("Protocol mismatch: route requires '{}', got '{}'", required_protocol, detected);
                        return Err("Protocol mismatch".into());
                    }
                }
                if peeked {
                    debug!(
                        "TLS Terminate + HTTP: {} -> {}:{} (domain: {:?})",
                        peer_addr, target_host, target_port, domain
                    );
                    // HTTP proxy manages its own per-request metrics — disarm TCP-level guard
                    _conn_guard.disarm();
                    http_proxy.handle_io(buf_stream, peer_addr, port, cancel.clone()).await;
                } else {
                    debug!(
@@ -826,6 +922,12 @@ impl TcpListenerManager {
                        Err(_) => return Err("Backend connection timeout".into()),
                    };
                    backend.set_nodelay(true)?;
                    if conn_config.keep_alive {
                        let delay = std::time::Duration::from_millis(conn_config.keep_alive_initial_delay_ms);
                        if let Err(e) = socket_opts::apply_keepalive(&backend, delay) {
                            debug!("Failed to set keepalive on backend socket: {}", e);
                        }
                    }
                    let (tls_read, tls_write) = tokio::io::split(buf_stream);
                    let (backend_read, backend_write) = tokio::io::split(backend);
@@ -843,18 +945,63 @@ impl TcpListenerManager {
                Ok(())
            }
            Some(rustproxy_config::TlsMode::TerminateAndReencrypt) => {
                // Inline TLS accept + HTTP detection (same pattern as Terminate mode)
                let route_tls = route_match.route.action.tls.as_ref();
-                Self::handle_tls_terminate_reencrypt(
+                let acceptor = Self::get_tls_acceptor(&domain, &tls_configs, &*shared_tls_acceptor, route_tls)?;
-                    stream, n, &domain, &target_host, target_port,
+                let tls_stream = match tokio::time::timeout(
-                    peer_addr, &tls_configs, Arc::clone(&metrics), route_id, &conn_config, route_tls,
+                    std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
-                ).await
+                    tls_handler::accept_tls(stream, &acceptor),
                ).await {
                    Ok(Ok(s)) => s,
                    Ok(Err(e)) => return Err(e),
                    Err(_) => return Err("TLS handshake timeout".into()),
                };
                // Peek at decrypted data to detect protocol
                let mut buf_stream = tokio::io::BufReader::new(tls_stream);
                let is_http_data = {
                    use tokio::io::AsyncBufReadExt;
                    match buf_stream.fill_buf().await {
                        Ok(data) => sni_parser::is_http(data),
                        Err(_) => false,
                    }
                };
                // Check protocol restriction from route config
                if let Some(ref required_protocol) = route_match.route.route_match.protocol {
                    let detected = if is_http_data { "http" } else { "tcp" };
                    if required_protocol != detected {
                        debug!("Protocol mismatch: route requires '{}', got '{}'", required_protocol, detected);
                        return Err("Protocol mismatch".into());
                    }
                }
                if is_http_data {
                    // HTTP: full per-request routing via HttpProxyService
                    // (backend TLS handled by HttpProxyService when upstream.use_tls is set)
                    debug!(
                        "TLS Terminate+Reencrypt + HTTP: {} (domain: {:?})",
                        peer_addr, domain
                    );
                    http_proxy.handle_io(buf_stream, peer_addr, port, cancel.clone()).await;
                } else {
                    // Non-HTTP: TLS-to-TLS tunnel (existing behavior for raw TCP protocols)
                    debug!(
                        "TLS Terminate+Reencrypt + TCP: {} -> {}:{}",
                        peer_addr, target_host, target_port
                    );
                    Self::handle_tls_reencrypt_tunnel(
                        buf_stream, &target_host, target_port,
                        peer_addr, Arc::clone(&metrics), route_id,
                        &conn_config,
                    ).await?;
                }
                Ok(())
            }
            None => {
                if is_http {
                    // Plain HTTP - use HTTP proxy for request-level routing
                    debug!("HTTP proxy: {} on port {}", peer_addr, port);
                    // HTTP proxy manages its own per-request metrics — disarm TCP-level guard
                    _conn_guard.disarm();
                    http_proxy.handle_connection(stream, peer_addr, port, cancel.clone()).await;
                    Ok(())
                } else {
@@ -868,6 +1015,12 @@ impl TcpListenerManager {
                        Err(_) => return Err("Backend connection timeout".into()),
                    };
                    backend.set_nodelay(true)?;
                    if conn_config.keep_alive {
                        let delay = std::time::Duration::from_millis(conn_config.keep_alive_initial_delay_ms);
                        if let Err(e) = socket_opts::apply_keepalive(&backend, delay) {
                            debug!("Failed to set keepalive on backend socket: {}", e);
                        }
                    }
                    // Send PROXY protocol header if configured
                    if let Some(ref header) = proxy_header {
@@ -982,40 +1135,18 @@ impl TcpListenerManager {
        Ok(())
    }
-    /// Handle TLS terminate-and-reencrypt: accept TLS from client, connect TLS to backend.
+    /// Handle non-HTTP TLS-to-TLS tunnel for terminate-and-reencrypt mode.
-    async fn handle_tls_terminate_reencrypt(
+    /// TLS accept has already been done by the caller; this only connects to the
-        stream: tokio::net::TcpStream,
+    /// backend over TLS and forwards bidirectionally.
-        _peek_len: usize,
+    async fn handle_tls_reencrypt_tunnel(
-        domain: &Option<String>,
+        buf_stream: tokio::io::BufReader<tokio_rustls::server::TlsStream<tokio::net::TcpStream>>,
        target_host: &str,
        target_port: u16,
        peer_addr: std::net::SocketAddr,
        tls_configs: &HashMap<String, TlsCertConfig>,
        metrics: Arc<MetricsCollector>,
        route_id: Option<&str>,
        conn_config: &ConnectionConfig,
        route_tls: Option<&rustproxy_config::RouteTls>,
    ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
        let tls_config = Self::find_tls_config(domain, tls_configs)?;
        let acceptor = tls_handler::build_tls_acceptor_with_config(
            &tls_config.cert_pem, &tls_config.key_pem, route_tls,
        )?;
        // Accept TLS from client with timeout
        let client_tls = match tokio::time::timeout(
            std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
            tls_handler::accept_tls(stream, &acceptor),
        ).await {
            Ok(Ok(s)) => s,
            Ok(Err(e)) => return Err(e),
            Err(_) => return Err("TLS handshake timeout".into()),
        };
        debug!(
            "TLS Terminate+Reencrypt: {} -> {}:{} (domain: {:?})",
            peer_addr, target_host, target_port, domain
        );
        // Connect to backend over TLS with timeout
        let backend_tls = match tokio::time::timeout(
            std::time::Duration::from_millis(conn_config.connection_timeout_ms),
@@ -1026,8 +1157,9 @@ impl TcpListenerManager {
            Err(_) => return Err("Backend TLS connection timeout".into()),
        };
-        // Forward between two TLS streams
+        // Forward between decrypted client stream and backend TLS stream
-        let (client_read, client_write) = tokio::io::split(client_tls);
+        // (BufReader preserves any already-buffered data from the peek)
        let (client_read, client_write) = tokio::io::split(buf_stream);
        let (backend_read, backend_write) = tokio::io::split(backend_tls);
        let base_inactivity_ms = conn_config.socket_timeout_ms;
@@ -1069,6 +1201,30 @@ impl TcpListenerManager {
        Ok(())
    }
    /// Get a TLS acceptor, preferring the shared one (with session resumption)
    /// and falling back to per-connection when custom TLS versions are configured.
    fn get_tls_acceptor(
        domain: &Option<String>,
        tls_configs: &HashMap<String, TlsCertConfig>,
        shared_tls_acceptor: &Option<TlsAcceptor>,
        route_tls: Option<&rustproxy_config::RouteTls>,
    ) -> Result<TlsAcceptor, Box<dyn std::error::Error + Send + Sync>> {
        let has_custom_versions = route_tls
            .and_then(|t| t.versions.as_ref())
            .map(|v| !v.is_empty())
            .unwrap_or(false);
        if !has_custom_versions {
            if let Some(shared) = shared_tls_acceptor {
                return Ok(shared.clone()); // TlsAcceptor wraps Arc<ServerConfig>, clone is cheap
            }
        }
        // Fallback: per-connection acceptor (custom TLS versions or shared build failed)
        let tls_config = Self::find_tls_config(domain, tls_configs)?;
        tls_handler::build_tls_acceptor_with_config(&tls_config.cert_pem, &tls_config.key_pem, route_tls)
    }
    /// Find the TLS config for a given domain.
    fn find_tls_config<'a>(
        domain: &Option<String>,
--- a/rust/crates/rustproxy-passthrough/src/tls_handler.rs
+++ b/rust/crates/rustproxy-passthrough/src/tls_handler.rs
@@ -1,17 +1,102 @@
 use std::collections::HashMap;
 use std::io::BufReader;
-use std::sync::Arc;
+use std::sync::{Arc, OnceLock};
 use rustls::pki_types::{CertificateDer, PrivateKeyDer};
 use rustls::server::ResolvesServerCert;
 use rustls::sign::CertifiedKey;
 use rustls::ServerConfig;
 use tokio::net::TcpStream;
 use tokio_rustls::{TlsAcceptor, TlsConnector, server::TlsStream as ServerTlsStream};
-use tracing::debug;
+use tracing::{debug, info};
 use crate::tcp_listener::TlsCertConfig;
 /// Ensure the default crypto provider is installed.
 fn ensure_crypto_provider() {
    let _ = rustls::crypto::ring::default_provider().install_default();
 }
 /// SNI-based certificate resolver with pre-parsed CertifiedKeys.
 /// Enables shared ServerConfig across connections — avoids per-connection PEM parsing
 /// and enables TLS session resumption.
 #[derive(Debug)]
 pub struct CertResolver {
    certs: HashMap<String, Arc<CertifiedKey>>,
    fallback: Option<Arc<CertifiedKey>>,
 }
 impl CertResolver {
    /// Build a resolver from PEM-encoded cert/key configs.
    /// Parses all PEM data upfront so connections only do a cheap HashMap lookup.
    pub fn new(configs: &HashMap<String, TlsCertConfig>) -> Result<Self, Box<dyn std::error::Error + Send + Sync>> {
        ensure_crypto_provider();
        let provider = rustls::crypto::ring::default_provider();
        let mut certs = HashMap::new();
        let mut fallback = None;
        for (domain, cfg) in configs {
            let cert_chain = load_certs(&cfg.cert_pem)?;
            let key = load_private_key(&cfg.key_pem)?;
            let ck = Arc::new(CertifiedKey::from_der(cert_chain, key, &provider)
                .map_err(|e| format!("CertifiedKey for {}: {}", domain, e))?);
            if domain == "*" {
                fallback = Some(Arc::clone(&ck));
            }
            certs.insert(domain.clone(), ck);
        }
        // If no explicit "*" fallback, use the first available cert
        if fallback.is_none() {
            fallback = certs.values().next().map(Arc::clone);
        }
        Ok(Self { certs, fallback })
    }
 }
 impl ResolvesServerCert for CertResolver {
    fn resolve(&self, client_hello: rustls::server::ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
        let domain = match client_hello.server_name() {
            Some(name) => name,
            None => return self.fallback.clone(),
        };
        // Exact match
        if let Some(ck) = self.certs.get(domain) {
            return Some(Arc::clone(ck));
        }
        // Wildcard: sub.example.com → *.example.com
        if let Some(dot) = domain.find('.') {
            let wc = format!("*.{}", &domain[dot + 1..]);
            if let Some(ck) = self.certs.get(&wc) {
                return Some(Arc::clone(ck));
            }
        }
        self.fallback.clone()
    }
 }
 /// Build a shared TLS acceptor with SNI resolution, session cache, and session tickets.
 /// The returned acceptor can be reused across all connections (cheap Arc clone).
 pub fn build_shared_tls_acceptor(resolver: CertResolver) -> Result<TlsAcceptor, Box<dyn std::error::Error + Send + Sync>> {
    ensure_crypto_provider();
    let mut config = ServerConfig::builder()
        .with_no_client_auth()
        .with_cert_resolver(Arc::new(resolver));
    // ALPN: advertise h2 and http/1.1 for client-facing HTTP/2 support
    config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
    // Shared session cache — enables session ID resumption across connections
    config.session_storage = rustls::server::ServerSessionMemoryCache::new(4096);
    // Session ticket resumption (12-hour lifetime, Chacha20Poly1305 encrypted)
    config.ticketer = rustls::crypto::ring::Ticketer::new()
        .map_err(|e| format!("Ticketer: {}", e))?;
    info!("Built shared TLS config with session cache (4096), ticket support, and ALPN h2+http/1.1");
    Ok(TlsAcceptor::from(Arc::new(config)))
 }
 /// Build a TLS acceptor from PEM-encoded cert and key data.
 pub fn build_tls_acceptor(cert_pem: &str, key_pem: &str) -> Result<TlsAcceptor, Box<dyn std::error::Error + Send + Sync>> {
    build_tls_acceptor_with_config(cert_pem, key_pem, None)
@@ -40,6 +125,9 @@ pub fn build_tls_acceptor_with_config(
            .with_single_cert(certs, key)?
    };
    // ALPN: advertise h2 and http/1.1 for client-facing HTTP/2 support
    config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
    // Apply session timeout if configured
    if let Some(route_tls) = tls_config {
        if let Some(timeout_secs) = route_tls.session_timeout {
@@ -97,21 +185,40 @@ pub async fn accept_tls(
    Ok(tls_stream)
 }
-/// Connect to a backend with TLS (for terminate-and-reencrypt mode).
+/// Get or create a shared backend TLS `ClientConfig`.
-pub async fn connect_tls(
+///
-    host: &str,
+/// Uses `OnceLock` to ensure only one config is created across the entire process.
-    port: u16,
+/// The built-in rustls `Resumption` (session tickets + session IDs) is enabled
-) -> Result<tokio_rustls::client::TlsStream<TcpStream>, Box<dyn std::error::Error + Send + Sync>> {
+/// by default, so all outbound backend connections share the same session cache.
 static SHARED_CLIENT_CONFIG: OnceLock<Arc<rustls::ClientConfig>> = OnceLock::new();
 pub fn shared_backend_tls_config() -> Arc<rustls::ClientConfig> {
    SHARED_CLIENT_CONFIG.get_or_init(|| {
        ensure_crypto_provider();
        let config = rustls::ClientConfig::builder()
            .dangerous()
            .with_custom_certificate_verifier(Arc::new(InsecureVerifier))
            .with_no_client_auth();
        info!("Built shared backend TLS client config with session resumption");
        Arc::new(config)
    }).clone()
 }
-    let connector = TlsConnector::from(Arc::new(config));
+/// Connect to a backend with TLS (for terminate-and-reencrypt mode).
 /// Uses the shared backend TLS config for session resumption.
 pub async fn connect_tls(
    host: &str,
    port: u16,
 ) -> Result<tokio_rustls::client::TlsStream<TcpStream>, Box<dyn std::error::Error + Send + Sync>> {
    let config = shared_backend_tls_config();
    let connector = TlsConnector::from(config);
    let stream = TcpStream::connect(format!("{}:{}", host, port)).await?;
    stream.set_nodelay(true)?;
    // Apply keepalive with 60s default (tls_handler doesn't have ConnectionConfig access)
    if let Err(e) = crate::socket_opts::apply_keepalive(&stream, std::time::Duration::from_secs(60)) {
        debug!("Failed to set keepalive on backend TLS socket: {}", e);
    }
    let server_name = rustls::pki_types::ServerName::try_from(host.to_string())?;
    let tls_stream = connector.connect(server_name, stream).await?;
--- a/rust/crates/rustproxy-routing/src/route_manager.rs
+++ b/rust/crates/rustproxy-routing/src/route_manager.rs
@@ -12,6 +12,8 @@ pub struct MatchContext<'a> {
    pub tls_version: Option<&'a str>,
    pub headers: Option<&'a HashMap<String, String>>,
    pub is_tls: bool,
    /// Detected protocol: "http" or "tcp". None when unknown (e.g. pre-TLS-termination).
    pub protocol: Option<&'a str>,
 }
 /// Result of a route match.
@@ -87,9 +89,17 @@ impl RouteManager {
                if !matchers::domain_matches_any(&patterns, domain) {
                    return false;
                }
            } else if ctx.is_tls {
                // TLS connection without SNI cannot match a domain-restricted route.
                // This prevents session-ticket resumption from misrouting when clients
                // omit SNI (RFC 8446 recommends but doesn't mandate SNI on resumption).
                // Wildcard-only routes (domains: ["*"]) still match since they accept all.
                let patterns = domains.to_vec();
                let is_wildcard_only = patterns.iter().all(|d| *d == "*");
                if !is_wildcard_only {
                    return false;
                }
            }
            // If no domain provided but route requires domain, it depends on context
            // For TLS passthrough, we need SNI; for other cases we may still match
        }
        // Path matching
@@ -137,6 +147,17 @@ impl RouteManager {
            }
        }
        // Protocol matching
        if let Some(ref required_protocol) = rm.protocol {
            if let Some(protocol) = ctx.protocol {
                if required_protocol != protocol {
                    return false;
                }
            }
            // If protocol not yet known (None), allow match — protocol will be
            // validated after detection (post-TLS-termination peek)
        }
        true
    }
@@ -277,6 +298,7 @@ mod tests {
                client_ip: None,
                tls_version: None,
                headers: None,
                protocol: None,
            },
            action: RouteAction {
                action_type: RouteActionType::Forward,
@@ -327,6 +349,7 @@ mod tests {
            tls_version: None,
            headers: None,
            is_tls: false,
            protocol: None,
        };
        let result = manager.find_route(&ctx);
@@ -349,6 +372,7 @@ mod tests {
            tls_version: None,
            headers: None,
            is_tls: false,
            protocol: None,
        };
        let result = manager.find_route(&ctx).unwrap();
@@ -372,6 +396,7 @@ mod tests {
            tls_version: None,
            headers: None,
            is_tls: false,
            protocol: None,
        };
        assert!(manager.find_route(&ctx).is_none());
@@ -457,6 +482,116 @@ mod tests {
            tls_version: None,
            headers: None,
            is_tls: false,
            protocol: None,
        };
        assert!(manager.find_route(&ctx).is_some());
    }
    #[test]
    fn test_tls_no_sni_rejects_domain_restricted_route() {
        let routes = vec![make_route(443, Some("example.com"), 0)];
        let manager = RouteManager::new(routes);
        // TLS connection without SNI should NOT match a domain-restricted route
        let ctx = MatchContext {
            port: 443,
            domain: None,
            path: None,
            client_ip: None,
            tls_version: None,
            headers: None,
            is_tls: true,
            protocol: None,
        };
        assert!(manager.find_route(&ctx).is_none());
    }
    #[test]
    fn test_tls_no_sni_rejects_wildcard_subdomain_route() {
        let routes = vec![make_route(443, Some("*.example.com"), 0)];
        let manager = RouteManager::new(routes);
        // TLS connection without SNI should NOT match *.example.com
        let ctx = MatchContext {
            port: 443,
            domain: None,
            path: None,
            client_ip: None,
            tls_version: None,
            headers: None,
            is_tls: true,
            protocol: None,
        };
        assert!(manager.find_route(&ctx).is_none());
    }
    #[test]
    fn test_tls_no_sni_matches_wildcard_only_route() {
        let routes = vec![make_route(443, Some("*"), 0)];
        let manager = RouteManager::new(routes);
        // TLS connection without SNI SHOULD match a wildcard-only route
        let ctx = MatchContext {
            port: 443,
            domain: None,
            path: None,
            client_ip: None,
            tls_version: None,
            headers: None,
            is_tls: true,
            protocol: None,
        };
        assert!(manager.find_route(&ctx).is_some());
    }
    #[test]
    fn test_tls_no_sni_skips_domain_restricted_matches_fallback() {
        // Two routes: first is domain-restricted, second is wildcard catch-all
        let routes = vec![
            make_route(443, Some("specific.com"), 10),
            make_route(443, Some("*"), 0),
        ];
        let manager = RouteManager::new(routes);
        // TLS without SNI should skip specific.com and fall through to wildcard
        let ctx = MatchContext {
            port: 443,
            domain: None,
            path: None,
            client_ip: None,
            tls_version: None,
            headers: None,
            is_tls: true,
            protocol: None,
        };
        let result = manager.find_route(&ctx);
        assert!(result.is_some());
        let matched_domains = result.unwrap().route.route_match.domains.as_ref()
            .map(|d| d.to_vec()).unwrap();
        assert!(matched_domains.contains(&"*"));
    }
    #[test]
    fn test_non_tls_no_domain_still_matches_domain_restricted() {
        // Non-TLS (plain HTTP) without domain should still match domain-restricted routes
        // (the HTTP proxy layer handles Host-based routing)
        let routes = vec![make_route(80, Some("example.com"), 0)];
        let manager = RouteManager::new(routes);
        let ctx = MatchContext {
            port: 80,
            domain: None,
            path: None,
            client_ip: None,
            tls_version: None,
            headers: None,
            is_tls: false,
            protocol: None,
        };
        assert!(manager.find_route(&ctx).is_some());
@@ -475,6 +610,7 @@ mod tests {
            tls_version: None,
            headers: None,
            is_tls: false,
            protocol: None,
        };
        assert!(manager.find_route(&ctx).is_some());
@@ -525,6 +661,7 @@ mod tests {
            tls_version: None,
            headers: None,
            is_tls: false,
            protocol: None,
        };
        let result = manager.find_route(&ctx).unwrap();
        assert_eq!(result.target.unwrap().host.first(), "api-backend");
@@ -538,8 +675,102 @@ mod tests {
            tls_version: None,
            headers: None,
            is_tls: false,
            protocol: None,
        };
        let result = manager.find_route(&ctx).unwrap();
        assert_eq!(result.target.unwrap().host.first(), "default-backend");
    }
    fn make_route_with_protocol(port: u16, domain: Option<&str>, protocol: Option<&str>) -> RouteConfig {
        let mut route = make_route(port, domain, 0);
        route.route_match.protocol = protocol.map(|s| s.to_string());
        route
    }
    #[test]
    fn test_protocol_http_matches_http() {
        let routes = vec![make_route_with_protocol(80, None, Some("http"))];
        let manager = RouteManager::new(routes);
        let ctx = MatchContext {
            port: 80,
            domain: None,
            path: None,
            client_ip: None,
            tls_version: None,
            headers: None,
            is_tls: false,
            protocol: Some("http"),
        };
        assert!(manager.find_route(&ctx).is_some());
    }
    #[test]
    fn test_protocol_http_rejects_tcp() {
        let routes = vec![make_route_with_protocol(80, None, Some("http"))];
        let manager = RouteManager::new(routes);
        let ctx = MatchContext {
            port: 80,
            domain: None,
            path: None,
            client_ip: None,
            tls_version: None,
            headers: None,
            is_tls: false,
            protocol: Some("tcp"),
        };
        assert!(manager.find_route(&ctx).is_none());
    }
    #[test]
    fn test_protocol_none_matches_any() {
        // Route with no protocol restriction matches any protocol
        let routes = vec![make_route_with_protocol(80, None, None)];
        let manager = RouteManager::new(routes);
        let ctx_http = MatchContext {
            port: 80,
            domain: None,
            path: None,
            client_ip: None,
            tls_version: None,
            headers: None,
            is_tls: false,
            protocol: Some("http"),
        };
        assert!(manager.find_route(&ctx_http).is_some());
        let ctx_tcp = MatchContext {
            port: 80,
            domain: None,
            path: None,
            client_ip: None,
            tls_version: None,
            headers: None,
            is_tls: false,
            protocol: Some("tcp"),
        };
        assert!(manager.find_route(&ctx_tcp).is_some());
    }
    #[test]
    fn test_protocol_http_matches_when_unknown() {
        // Route with protocol: "http" should match when ctx.protocol is None
        // (pre-TLS-termination, protocol not yet known)
        let routes = vec![make_route_with_protocol(443, None, Some("http"))];
        let manager = RouteManager::new(routes);
        let ctx = MatchContext {
            port: 443,
            domain: None,
            path: None,
            client_ip: None,
            tls_version: None,
            headers: None,
            is_tls: true,
            protocol: None,
        };
        assert!(manager.find_route(&ctx).is_some());
    }
 }
--- a/rust/crates/rustproxy/src/lib.rs
+++ b/rust/crates/rustproxy/src/lib.rs
@@ -27,7 +27,7 @@
 pub mod challenge_server;
 pub mod management;
-use std::collections::HashMap;
+use std::collections::{HashMap, HashSet};
 use std::sync::Arc;
 use std::time::Instant;
@@ -77,6 +77,8 @@ pub struct RustProxy {
    started_at: Option<Instant>,
    /// Shared path to a Unix domain socket for relaying socket-handler connections back to TypeScript.
    socket_handler_relay: Arc<std::sync::RwLock<Option<String>>>,
    /// Dynamically loaded certificates (via loadCertificate IPC), independent of CertManager.
    loaded_certs: HashMap<String, TlsCertConfig>,
 }
 impl RustProxy {
@@ -118,6 +120,7 @@ impl RustProxy {
            started: false,
            started_at: None,
            socket_handler_relay: Arc::new(std::sync::RwLock::new(None)),
            loaded_certs: HashMap::new(),
        })
    }
@@ -214,6 +217,13 @@ impl RustProxy {
            extended_keep_alive_lifetime_ms: options.extended_keep_alive_lifetime,
            accept_proxy_protocol: options.accept_proxy_protocol.unwrap_or(false),
            send_proxy_protocol: options.send_proxy_protocol.unwrap_or(false),
            proxy_ips: options.proxy_ips.as_deref().unwrap_or(&[])
                .iter()
                .filter_map(|s| s.parse::<std::net::IpAddr>().ok())
                .collect(),
            keep_alive: options.keep_alive.unwrap_or(true),
            keep_alive_initial_delay_ms: options.keep_alive_initial_delay.unwrap_or(60_000),
            max_connections: options.max_connections.unwrap_or(100_000),
        }
    }
@@ -268,6 +278,13 @@ impl RustProxy {
            }
        }
        // Merge dynamically loaded certs (from loadCertificate IPC)
        for (d, c) in &self.loaded_certs {
            if !tls_configs.contains_key(d) {
                tls_configs.insert(d.clone(), c.clone());
            }
        }
        if !tls_configs.is_empty() {
            debug!("Loaded TLS certificates for {} domains", tls_configs.len());
            listener.set_tls_configs(tls_configs);
@@ -555,6 +572,12 @@ impl RustProxy {
            vec![]
        };
        // Prune per-route metrics for route IDs that no longer exist
        let active_route_ids: HashSet<String> = routes.iter()
            .filter_map(|r| r.id.clone())
            .collect();
        self.metrics.retain_routes(&active_route_ids);
        // Atomically swap the route table
        let new_manager = Arc::new(new_manager);
        self.route_table.store(Arc::clone(&new_manager));
@@ -576,6 +599,12 @@ impl RustProxy {
                    }
                }
            }
            // Merge dynamically loaded certs (from loadCertificate IPC)
            for (d, c) in &self.loaded_certs {
                if !tls_configs.contains_key(d) {
                    tls_configs.insert(d.clone(), c.clone());
                }
            }
            listener.set_tls_configs(tls_configs);
            // Add new ports
@@ -786,6 +815,12 @@ impl RustProxy {
            cm.load_static(domain.to_string(), bundle);
        }
        // Persist in loaded_certs so future rebuild calls include this cert
        self.loaded_certs.insert(domain.to_string(), TlsCertConfig {
            cert_pem: cert_pem.clone(),
            key_pem: key_pem.clone(),
        });
        // Hot-swap TLS config on the listener
        if let Some(ref mut listener) = self.listener_manager {
            let mut tls_configs = Self::extract_tls_configs(&self.options.routes);
@@ -809,6 +844,13 @@ impl RustProxy {
                }
            }
            // Merge dynamically loaded certs from previous loadCertificate calls
            for (d, c) in &self.loaded_certs {
                if !tls_configs.contains_key(d) {
                    tls_configs.insert(d.clone(), c.clone());
                }
            }
            listener.set_tls_configs(tls_configs);
        }
--- a/rust/crates/rustproxy/tests/common/mod.rs
+++ b/rust/crates/rustproxy/tests/common/mod.rs
@@ -185,6 +185,76 @@ pub async fn wait_for_port(port: u16, timeout_ms: u64) -> bool {
    false
 }
 /// Start a TLS HTTP echo backend: accepts TLS, then responds with HTTP JSON
 /// containing request details. Combines TLS acceptance with HTTP echo behavior.
 pub async fn start_tls_http_backend(
    port: u16,
    backend_name: &str,
    cert_pem: &str,
    key_pem: &str,
 ) -> JoinHandle<()> {
    use std::sync::Arc;
    let acceptor = rustproxy_passthrough::build_tls_acceptor(cert_pem, key_pem)
        .expect("Failed to build TLS acceptor");
    let acceptor = Arc::new(acceptor);
    let name = backend_name.to_string();
    let listener = TcpListener::bind(format!("127.0.0.1:{}", port))
        .await
        .unwrap_or_else(|_| panic!("Failed to bind TLS HTTP backend on port {}", port));
    tokio::spawn(async move {
        loop {
            let (stream, _) = match listener.accept().await {
                Ok(conn) => conn,
                Err(_) => break,
            };
            let acc = acceptor.clone();
            let backend = name.clone();
            tokio::spawn(async move {
                let mut tls_stream = match acc.accept(stream).await {
                    Ok(s) => s,
                    Err(_) => return,
                };
                let mut buf = vec![0u8; 16384];
                let n = match tls_stream.read(&mut buf).await {
                    Ok(0) | Err(_) => return,
                    Ok(n) => n,
                };
                let req_str = String::from_utf8_lossy(&buf[..n]);
                // Parse first line: METHOD PATH HTTP/x.x
                let first_line = req_str.lines().next().unwrap_or("");
                let parts: Vec<&str> = first_line.split_whitespace().collect();
                let method = parts.first().copied().unwrap_or("UNKNOWN");
                let path = parts.get(1).copied().unwrap_or("/");
                // Extract Host header
                let host = req_str
                    .lines()
                    .find(|l| l.to_lowercase().starts_with("host:"))
                    .map(|l| l[5..].trim())
                    .unwrap_or("unknown");
                let body = format!(
                    r#"{{"method":"{}","path":"{}","host":"{}","backend":"{}"}}"#,
                    method, path, host, backend
                );
                let response = format!(
                    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
                    body.len(),
                    body,
                );
                let _ = tls_stream.write_all(response.as_bytes()).await;
                let _ = tls_stream.shutdown().await;
            });
        }
    })
 }
 /// Helper to create a minimal route config for testing.
 pub fn make_test_route(
    port: u16,
@@ -201,6 +271,7 @@ pub fn make_test_route(
            client_ip: None,
            tls_version: None,
            headers: None,
            protocol: None,
        },
        action: rustproxy_config::RouteAction {
            action_type: rustproxy_config::RouteActionType::Forward,
@@ -381,6 +452,86 @@ pub fn make_tls_terminate_route(
    route
 }
 /// Start a TLS WebSocket echo backend: accepts TLS, performs WS handshake, then echoes data.
 /// Combines TLS acceptance (like `start_tls_http_backend`) with WebSocket echo (like `start_ws_echo_backend`).
 pub async fn start_tls_ws_echo_backend(
    port: u16,
    cert_pem: &str,
    key_pem: &str,
 ) -> JoinHandle<()> {
    use std::sync::Arc;
    let acceptor = rustproxy_passthrough::build_tls_acceptor(cert_pem, key_pem)
        .expect("Failed to build TLS acceptor");
    let acceptor = Arc::new(acceptor);
    let listener = TcpListener::bind(format!("127.0.0.1:{}", port))
        .await
        .unwrap_or_else(|_| panic!("Failed to bind TLS WS echo backend on port {}", port));
    tokio::spawn(async move {
        loop {
            let (stream, _) = match listener.accept().await {
                Ok(conn) => conn,
                Err(_) => break,
            };
            let acc = acceptor.clone();
            tokio::spawn(async move {
                let mut tls_stream = match acc.accept(stream).await {
                    Ok(s) => s,
                    Err(_) => return,
                };
                // Read the HTTP upgrade request
                let mut buf = vec![0u8; 4096];
                let n = match tls_stream.read(&mut buf).await {
                    Ok(0) | Err(_) => return,
                    Ok(n) => n,
                };
                let req_str = String::from_utf8_lossy(&buf[..n]);
                // Extract Sec-WebSocket-Key for handshake
                let ws_key = req_str
                    .lines()
                    .find(|l| l.to_lowercase().starts_with("sec-websocket-key:"))
                    .map(|l| l.split(':').nth(1).unwrap_or("").trim().to_string())
                    .unwrap_or_default();
                // Send 101 Switching Protocols
                let accept_response = format!(
                    "HTTP/1.1 101 Switching Protocols\r\n\
                     Upgrade: websocket\r\n\
                     Connection: Upgrade\r\n\
                     Sec-WebSocket-Accept: {}\r\n\
                     \r\n",
                    ws_key
                );
                if tls_stream
                    .write_all(accept_response.as_bytes())
                    .await
                    .is_err()
                {
                    return;
                }
                // Echo all data back (raw TCP after upgrade)
                let mut echo_buf = vec![0u8; 65536];
                loop {
                    let n = match tls_stream.read(&mut echo_buf).await {
                        Ok(0) | Err(_) => break,
                        Ok(n) => n,
                    };
                    if tls_stream.write_all(&echo_buf[..n]).await.is_err() {
                        break;
                    }
                }
            });
        }
    })
 }
 /// Helper to create a TLS passthrough route for testing.
 pub fn make_tls_passthrough_route(
    port: u16,
--- a/rust/crates/rustproxy/tests/integration_http_proxy.rs
+++ b/rust/crates/rustproxy/tests/integration_http_proxy.rs
@@ -407,6 +407,305 @@ async fn test_websocket_through_proxy() {
    proxy.stop().await.unwrap();
 }
 /// Test that terminate-and-reencrypt mode routes HTTP traffic through the
 /// full HTTP proxy with per-request Host-based routing.
 ///
 /// This verifies the new behavior: after TLS termination, HTTP data is detected
 /// and routed through HttpProxyService (like nginx) instead of being blindly tunneled.
 #[tokio::test]
 async fn test_terminate_and_reencrypt_http_routing() {
    let backend1_port = next_port();
    let backend2_port = next_port();
    let proxy_port = next_port();
    let (cert1, key1) = generate_self_signed_cert("alpha.example.com");
    let (cert2, key2) = generate_self_signed_cert("beta.example.com");
    // Generate separate backend certs (backends are independent TLS servers)
    let (backend_cert1, backend_key1) = generate_self_signed_cert("localhost");
    let (backend_cert2, backend_key2) = generate_self_signed_cert("localhost");
    // Start TLS HTTP echo backends (proxy re-encrypts to these)
    let _b1 = start_tls_http_backend(backend1_port, "alpha", &backend_cert1, &backend_key1).await;
    let _b2 = start_tls_http_backend(backend2_port, "beta", &backend_cert2, &backend_key2).await;
    // Create terminate-and-reencrypt routes
    let mut route1 = make_tls_terminate_route(
        proxy_port, "alpha.example.com", "127.0.0.1", backend1_port, &cert1, &key1,
    );
    route1.action.tls.as_mut().unwrap().mode = rustproxy_config::TlsMode::TerminateAndReencrypt;
    let mut route2 = make_tls_terminate_route(
        proxy_port, "beta.example.com", "127.0.0.1", backend2_port, &cert2, &key2,
    );
    route2.action.tls.as_mut().unwrap().mode = rustproxy_config::TlsMode::TerminateAndReencrypt;
    let options = RustProxyOptions {
        routes: vec![route1, route2],
        ..Default::default()
    };
    let mut proxy = RustProxy::new(options).unwrap();
    proxy.start().await.unwrap();
    assert!(wait_for_port(proxy_port, 2000).await);
    // Test alpha domain - HTTP request through TLS terminate-and-reencrypt
    let alpha_result = with_timeout(async {
        let _ = rustls::crypto::ring::default_provider().install_default();
        let tls_config = rustls::ClientConfig::builder()
            .dangerous()
            .with_custom_certificate_verifier(std::sync::Arc::new(InsecureVerifier))
            .with_no_client_auth();
        let connector = tokio_rustls::TlsConnector::from(std::sync::Arc::new(tls_config));
        let stream = tokio::net::TcpStream::connect(format!("127.0.0.1:{}", proxy_port))
            .await
            .unwrap();
        let server_name = rustls::pki_types::ServerName::try_from("alpha.example.com".to_string()).unwrap();
        let mut tls_stream = connector.connect(server_name, stream).await.unwrap();
        let request = "GET /api/data HTTP/1.1\r\nHost: alpha.example.com\r\nConnection: close\r\n\r\n";
        tls_stream.write_all(request.as_bytes()).await.unwrap();
        let mut response = Vec::new();
        tls_stream.read_to_end(&mut response).await.unwrap();
        String::from_utf8_lossy(&response).to_string()
    }, 10)
    .await
    .unwrap();
    let alpha_body = extract_body(&alpha_result);
    assert!(
        alpha_body.contains(r#""backend":"alpha"#),
        "Expected alpha backend, got: {}",
        alpha_body
    );
    assert!(
        alpha_body.contains(r#""method":"GET"#),
        "Expected GET method, got: {}",
        alpha_body
    );
    assert!(
        alpha_body.contains(r#""path":"/api/data"#),
        "Expected /api/data path, got: {}",
        alpha_body
    );
    // Verify original Host header is preserved (not replaced with backend IP:port)
    assert!(
        alpha_body.contains(r#""host":"alpha.example.com"#),
        "Expected original Host header alpha.example.com, got: {}",
        alpha_body
    );
    // Test beta domain - different host goes to different backend
    let beta_result = with_timeout(async {
        let _ = rustls::crypto::ring::default_provider().install_default();
        let tls_config = rustls::ClientConfig::builder()
            .dangerous()
            .with_custom_certificate_verifier(std::sync::Arc::new(InsecureVerifier))
            .with_no_client_auth();
        let connector = tokio_rustls::TlsConnector::from(std::sync::Arc::new(tls_config));
        let stream = tokio::net::TcpStream::connect(format!("127.0.0.1:{}", proxy_port))
            .await
            .unwrap();
        let server_name = rustls::pki_types::ServerName::try_from("beta.example.com".to_string()).unwrap();
        let mut tls_stream = connector.connect(server_name, stream).await.unwrap();
        let request = "GET /other HTTP/1.1\r\nHost: beta.example.com\r\nConnection: close\r\n\r\n";
        tls_stream.write_all(request.as_bytes()).await.unwrap();
        let mut response = Vec::new();
        tls_stream.read_to_end(&mut response).await.unwrap();
        String::from_utf8_lossy(&response).to_string()
    }, 10)
    .await
    .unwrap();
    let beta_body = extract_body(&beta_result);
    assert!(
        beta_body.contains(r#""backend":"beta"#),
        "Expected beta backend, got: {}",
        beta_body
    );
    assert!(
        beta_body.contains(r#""path":"/other"#),
        "Expected /other path, got: {}",
        beta_body
    );
    // Verify original Host header is preserved for beta too
    assert!(
        beta_body.contains(r#""host":"beta.example.com"#),
        "Expected original Host header beta.example.com, got: {}",
        beta_body
    );
    proxy.stop().await.unwrap();
 }
 /// Test that WebSocket upgrade works through terminate-and-reencrypt mode.
 ///
 /// Verifies the full chain: client→TLS→proxy terminates→re-encrypts→TLS→backend WebSocket.
 /// The proxy's `handle_websocket_upgrade` checks `upstream.use_tls` and calls
 /// `connect_tls_backend()` when true. This test covers that path.
 #[tokio::test]
 async fn test_terminate_and_reencrypt_websocket() {
    let backend_port = next_port();
    let proxy_port = next_port();
    let domain = "ws.example.com";
    // Frontend cert (client→proxy TLS)
    let (frontend_cert, frontend_key) = generate_self_signed_cert(domain);
    // Backend cert (proxy→backend TLS)
    let (backend_cert, backend_key) = generate_self_signed_cert("localhost");
    // Start TLS WebSocket echo backend
    let _backend = start_tls_ws_echo_backend(backend_port, &backend_cert, &backend_key).await;
    // Create terminate-and-reencrypt route
    let mut route = make_tls_terminate_route(
        proxy_port,
        domain,
        "127.0.0.1",
        backend_port,
        &frontend_cert,
        &frontend_key,
    );
    route.action.tls.as_mut().unwrap().mode = rustproxy_config::TlsMode::TerminateAndReencrypt;
    let options = RustProxyOptions {
        routes: vec![route],
        ..Default::default()
    };
    let mut proxy = RustProxy::new(options).unwrap();
    proxy.start().await.unwrap();
    assert!(wait_for_port(proxy_port, 2000).await);
    let result = with_timeout(
        async {
            let _ = rustls::crypto::ring::default_provider().install_default();
            let tls_config = rustls::ClientConfig::builder()
                .dangerous()
                .with_custom_certificate_verifier(std::sync::Arc::new(InsecureVerifier))
                .with_no_client_auth();
            let connector =
                tokio_rustls::TlsConnector::from(std::sync::Arc::new(tls_config));
            let stream = tokio::net::TcpStream::connect(format!("127.0.0.1:{}", proxy_port))
                .await
                .unwrap();
            let server_name =
                rustls::pki_types::ServerName::try_from(domain.to_string()).unwrap();
            let mut tls_stream = connector.connect(server_name, stream).await.unwrap();
            // Send WebSocket upgrade request through TLS
            let request = format!(
                "GET /ws HTTP/1.1\r\n\
                 Host: {}\r\n\
                 Upgrade: websocket\r\n\
                 Connection: Upgrade\r\n\
                 Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\
                 Sec-WebSocket-Version: 13\r\n\
                 \r\n",
                domain
            );
            tls_stream.write_all(request.as_bytes()).await.unwrap();
            // Read the 101 response (byte-by-byte until \r\n\r\n)
            let mut response_buf = Vec::with_capacity(4096);
            let mut temp = [0u8; 1];
            loop {
                let n = tls_stream.read(&mut temp).await.unwrap();
                if n == 0 {
                    break;
                }
                response_buf.push(temp[0]);
                if response_buf.len() >= 4 {
                    let len = response_buf.len();
                    if response_buf[len - 4..] == *b"\r\n\r\n" {
                        break;
                    }
                }
            }
            let response_str = String::from_utf8_lossy(&response_buf).to_string();
            assert!(
                response_str.contains("101"),
                "Expected 101 Switching Protocols, got: {}",
                response_str
            );
            assert!(
                response_str.to_lowercase().contains("upgrade: websocket"),
                "Expected Upgrade header, got: {}",
                response_str
            );
            // After upgrade, send data and verify echo
            let test_data = b"Hello TLS WebSocket!";
            tls_stream.write_all(test_data).await.unwrap();
            // Read echoed data
            let mut echo_buf = vec![0u8; 256];
            let n = tls_stream.read(&mut echo_buf).await.unwrap();
            let echoed = &echo_buf[..n];
            assert_eq!(echoed, test_data, "Expected echo of sent data");
            "ok".to_string()
        },
        10,
    )
    .await
    .unwrap();
    assert_eq!(result, "ok");
    proxy.stop().await.unwrap();
 }
 /// Test that the protocol field on route config is accepted and processed.
 #[tokio::test]
 async fn test_protocol_field_in_route_config() {
    let backend_port = next_port();
    let proxy_port = next_port();
    let _backend = start_http_echo_backend(backend_port, "main").await;
    // Create a route with protocol: "http" - should only match HTTP traffic
    let mut route = make_test_route(proxy_port, None, "127.0.0.1", backend_port);
    route.route_match.protocol = Some("http".to_string());
    let options = RustProxyOptions {
        routes: vec![route],
        ..Default::default()
    };
    let mut proxy = RustProxy::new(options).unwrap();
    proxy.start().await.unwrap();
    assert!(wait_for_port(proxy_port, 2000).await);
    // HTTP request should match the route and get proxied
    let result = with_timeout(async {
        let response = send_http_request(proxy_port, "example.com", "GET", "/test").await;
        extract_body(&response).to_string()
    }, 10)
    .await
    .unwrap();
    assert!(
        result.contains(r#""backend":"main"#),
        "Expected main backend, got: {}",
        result
    );
    assert!(
        result.contains(r#""path":"/test"#),
        "Expected /test path, got: {}",
        result
    );
    proxy.stop().await.unwrap();
 }
 /// InsecureVerifier for test TLS client connections.
 #[derive(Debug)]
 struct InsecureVerifier;
--- a/test/test.acme-http01-challenge.ts
+++ b/test/test.acme-http01-challenge.ts
@@ -37,7 +37,7 @@ tap.test('should correctly handle HTTP-01 challenge requests with initial data c
    routes: [{
      name: 'acme-challenge-route',
      match: {
-        ports: 8080,
+        ports: 47700,
        path: '/.well-known/acme-challenge/*'
      },
      action: {
@@ -60,7 +60,7 @@ tap.test('should correctly handle HTTP-01 challenge requests with initial data c
  // Connect to the proxy and send the HTTP-01 challenge request
  await new Promise<void>((resolve, reject) => {
-    testClient.connect(8080, 'localhost', () => {
+    testClient.connect(47700, 'localhost', () => {
      // Send HTTP request for the challenge token
      testClient.write(
        `GET ${challengePath} HTTP/1.1\r\n` +
@@ -113,7 +113,7 @@ tap.test('should return 404 for non-existent challenge tokens', async (tapTest)
    routes: [{
      name: 'acme-challenge-route',
      match: {
-        ports: 8081,
+        ports: 47701,
        path: '/.well-known/acme-challenge/*'
      },
      action: {
@@ -135,7 +135,7 @@ tap.test('should return 404 for non-existent challenge tokens', async (tapTest)
  // Connect and send a request for a non-existent token
  await new Promise<void>((resolve, reject) => {
-    testClient.connect(8081, 'localhost', () => {
+    testClient.connect(47701, 'localhost', () => {
      testClient.write(
        'GET /.well-known/acme-challenge/invalid-token HTTP/1.1\r\n' +
        'Host: test.example.com\r\n' +
--- a/test/test.connection-forwarding.ts
+++ b/test/test.connection-forwarding.ts
@@ -24,8 +24,8 @@ tap.test('setup test servers', async () => {
  });
  await new Promise<void>((resolve) => {
-    testServer.listen(7001, '127.0.0.1', () => {
+    testServer.listen(47712, '127.0.0.1', () => {
-      console.log('TCP test server listening on port 7001');
+      console.log('TCP test server listening on port 47712');
      resolve();
    });
  });
@@ -45,8 +45,8 @@ tap.test('setup test servers', async () => {
  );
  await new Promise<void>((resolve) => {
-    tlsTestServer.listen(7002, '127.0.0.1', () => {
+    tlsTestServer.listen(47713, '127.0.0.1', () => {
-      console.log('TLS test server listening on port 7002');
+      console.log('TLS test server listening on port 47713');
      resolve();
    });
  });
@@ -60,13 +60,13 @@ tap.test('should forward TCP connections correctly', async () => {
      {
        name: 'tcp-forward',
        match: {
-          ports: 8080,
+          ports: 47710,
        },
        action: {
          type: 'forward',
          targets: [{
            host: '127.0.0.1',
-            port: 7001,
+            port: 47712,
          }],
        },
      },
@@ -77,7 +77,7 @@ tap.test('should forward TCP connections correctly', async () => {
  // Test TCP forwarding
  const client = await new Promise<net.Socket>((resolve, reject) => {
-    const socket = net.connect(8080, '127.0.0.1', () => {
+    const socket = net.connect(47710, '127.0.0.1', () => {
      console.log('Connected to proxy');
      resolve(socket);
    });
@@ -106,7 +106,7 @@ tap.test('should handle TLS passthrough correctly', async () => {
      {
        name: 'tls-passthrough',
        match: {
-          ports: 8443,
+          ports: 47711,
          domains: 'test.example.com',
        },
        action: {
@@ -116,7 +116,7 @@ tap.test('should handle TLS passthrough correctly', async () => {
          },
          targets: [{
            host: '127.0.0.1',
-            port: 7002,
+            port: 47713,
          }],
        },
      },
@@ -129,7 +129,7 @@ tap.test('should handle TLS passthrough correctly', async () => {
  const client = await new Promise<tls.TLSSocket>((resolve, reject) => {
    const socket = tls.connect(
      {
-        port: 8443,
+        port: 47711,
        host: '127.0.0.1',
        servername: 'test.example.com',
        rejectUnauthorized: false,
@@ -164,7 +164,7 @@ tap.test('should handle SNI-based forwarding', async () => {
      {
        name: 'domain-a',
        match: {
-          ports: 8443,
+          ports: 47711,
          domains: 'a.example.com',
        },
        action: {
@@ -174,14 +174,14 @@ tap.test('should handle SNI-based forwarding', async () => {
          },
          targets: [{
            host: '127.0.0.1',
-            port: 7002,
+            port: 47713,
          }],
        },
      },
      {
        name: 'domain-b',
        match: {
-          ports: 8443,
+          ports: 47711,
          domains: 'b.example.com',
        },
        action: {
@@ -191,7 +191,7 @@ tap.test('should handle SNI-based forwarding', async () => {
          },
          targets: [{
            host: '127.0.0.1',
-            port: 7002,
+            port: 47713,
          }],
        },
      },
@@ -204,7 +204,7 @@ tap.test('should handle SNI-based forwarding', async () => {
  const clientA = await new Promise<tls.TLSSocket>((resolve, reject) => {
    const socket = tls.connect(
      {
-        port: 8443,
+        port: 47711,
        host: '127.0.0.1',
        servername: 'a.example.com',
        rejectUnauthorized: false,
@@ -231,7 +231,7 @@ tap.test('should handle SNI-based forwarding', async () => {
  const clientB = await new Promise<tls.TLSSocket>((resolve, reject) => {
    const socket = tls.connect(
      {
-        port: 8443,
+        port: 47711,
        host: '127.0.0.1',
        servername: 'b.example.com',
        rejectUnauthorized: false,
--- a/test/test.forwarding-regression.ts
+++ b/test/test.forwarding-regression.ts
@@ -21,8 +21,8 @@ tap.test('forward connections should not be immediately closed', async (t) => {
  // Listen on a non-privileged port
  await new Promise<void>((resolve) => {
-    testServer.listen(9090, '127.0.0.1', () => {
+    testServer.listen(47721, '127.0.0.1', () => {
-      console.log('Test server listening on port 9090');
+      console.log('Test server listening on port 47721');
      resolve();
    });
  });
@@ -34,13 +34,13 @@ tap.test('forward connections should not be immediately closed', async (t) => {
      {
        name: 'forward-test',
        match: {
-          ports: 8080,
+          ports: 47720,
        },
        action: {
          type: 'forward',
          targets: [{
            host: '127.0.0.1',
-            port: 9090,
+            port: 47721,
          }],
        },
      },
@@ -51,7 +51,7 @@ tap.test('forward connections should not be immediately closed', async (t) => {
  // Create a client connection through the proxy
  const client = net.createConnection({
-    port: 8080,
+    port: 47720,
    host: '127.0.0.1',
  });
--- a/test/test.http-port8080-forwarding.ts
+++ b/test/test.http-port8080-forwarding.ts
@@ -4,7 +4,7 @@ import * as http from 'http';
 tap.test('should forward HTTP connections on port 8080', async (tapTest) => {
  // Create a mock HTTP server to act as our target
-  const targetPort = 8181;
+  const targetPort = 47732;
  let receivedRequest = false;
  let receivedPath = '';
@@ -36,7 +36,7 @@ tap.test('should forward HTTP connections on port 8080', async (tapTest) => {
    routes: [{
      name: 'test-route',
      match: {
-        ports: 8080
+        ports: 47730
        // Remove domain restriction for HTTP connections
        // Domain matching happens after HTTP headers are received
      },
@@ -55,7 +55,7 @@ tap.test('should forward HTTP connections on port 8080', async (tapTest) => {
  // Make an HTTP request to port 8080
  const options = {
    hostname: 'localhost',
-    port: 8080,
+    port: 47730,
    path: '/.well-known/acme-challenge/test-token',
    method: 'GET',
    headers: {
@@ -104,7 +104,7 @@ tap.test('should forward HTTP connections on port 8080', async (tapTest) => {
 tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
  // Create a simple target server
-  const targetPort = 8182;
+  const targetPort = 47733;
  let receivedRequest = false;
  const targetServer = http.createServer((req, res) => {
@@ -126,7 +126,7 @@ tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
    routes: [{
      name: 'simple-forward',
      match: {
-        ports: 8081
+        ports: 47731
        // Remove domain restriction for HTTP connections
      },
      action: {
@@ -142,7 +142,7 @@ tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
  // Make request
  const options = {
    hostname: 'localhost',
-    port: 8081,
+    port: 47731,
    path: '/test',
    method: 'GET',
    headers: {
--- a/test/test.perf-improvements.ts
+++ b/test/test.perf-improvements.ts
@@ -0,0 +1,472 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartProxy } from '../ts/index.js';
 import * as http from 'http';
 import * as https from 'https';
 import * as http2 from 'http2';
 import * as net from 'net';
 import * as tls from 'tls';
 import * as fs from 'fs';
 import * as path from 'path';
 // ---------------------------------------------------------------------------
 // Port assignments (47600–47620 range to avoid conflicts)
 // ---------------------------------------------------------------------------
 const HTTP_ECHO_PORT  = 47600; // backend HTTP echo server
 const PROXY_HTTP_PORT = 47601; // SmartProxy plain HTTP forwarding
 const PROXY_HTTPS_PORT = 47602; // SmartProxy TLS-terminate HTTPS forwarding
 const TCP_ECHO_PORT   = 47603; // backend TCP echo server
 const PROXY_TCP_PORT  = 47604; // SmartProxy plain TCP forwarding
 // ---------------------------------------------------------------------------
 // Shared state
 // ---------------------------------------------------------------------------
 let httpEchoServer: http.Server;
 let tcpEchoServer: net.Server;
 let proxy: SmartProxy;
 const certPem = fs.readFileSync(path.join(import.meta.dirname, '..', 'assets', 'certs', 'cert.pem'), 'utf8');
 const keyPem  = fs.readFileSync(path.join(import.meta.dirname, '..', 'assets', 'certs', 'key.pem'), 'utf8');
 // ---------------------------------------------------------------------------
 // Helper: make an HTTP request and return { status, body }
 // ---------------------------------------------------------------------------
 function httpRequest(
  options: http.RequestOptions,
  body?: string,
 ): Promise<{ status: number; body: string }> {
  return new Promise((resolve, reject) => {
    const req = http.request(options, (res) => {
      let data = '';
      res.on('data', (chunk: string) => (data += chunk));
      res.on('end', () => resolve({ status: res.statusCode!, body: data }));
    });
    req.on('error', reject);
    req.setTimeout(5000, () => {
      req.destroy(new Error('timeout'));
    });
    if (body) req.end(body);
    else req.end();
  });
 }
 // Same but for HTTPS
 function httpsRequest(
  options: https.RequestOptions,
  body?: string,
 ): Promise<{ status: number; body: string }> {
  return new Promise((resolve, reject) => {
    const req = https.request(options, (res) => {
      let data = '';
      res.on('data', (chunk: string) => (data += chunk));
      res.on('end', () => resolve({ status: res.statusCode!, body: data }));
    });
    req.on('error', reject);
    req.setTimeout(5000, () => {
      req.destroy(new Error('timeout'));
    });
    if (body) req.end(body);
    else req.end();
  });
 }
 // Helper: wait for metrics to settle on a condition
 async function waitForMetrics(
  metrics: ReturnType<SmartProxy['getMetrics']>,
  condition: () => boolean,
  maxWaitMs = 3000,
 ): Promise<void> {
  const start = Date.now();
  while (Date.now() - start < maxWaitMs) {
    // Force a fresh poll
    await (proxy as any).metricsAdapter.poll();
    if (condition()) return;
    await new Promise((r) => setTimeout(r, 100));
  }
 }
 // ===========================================================================
 // 1. Setup backend servers
 // ===========================================================================
 tap.test('setup - backend servers', async () => {
  // HTTP echo server: POST → echo:<body>, GET → ok
  httpEchoServer = http.createServer((req, res) => {
    if (req.method === 'POST') {
      let body = '';
      req.on('data', (chunk: string) => (body += chunk));
      req.on('end', () => {
        res.writeHead(200, { 'Content-Type': 'text/plain' });
        res.end(`echo:${body}`);
      });
    } else {
      res.writeHead(200, { 'Content-Type': 'text/plain' });
      res.end('ok');
    }
  });
  await new Promise<void>((resolve, reject) => {
    httpEchoServer.on('error', reject);
    httpEchoServer.listen(HTTP_ECHO_PORT, () => {
      console.log(`HTTP echo server on port ${HTTP_ECHO_PORT}`);
      resolve();
    });
  });
  // TCP echo server
  tcpEchoServer = net.createServer((socket) => {
    socket.on('data', (data) => socket.write(data));
  });
  await new Promise<void>((resolve, reject) => {
    tcpEchoServer.on('error', reject);
    tcpEchoServer.listen(TCP_ECHO_PORT, () => {
      console.log(`TCP echo server on port ${TCP_ECHO_PORT}`);
      resolve();
    });
  });
 });
 // ===========================================================================
 // 2. Setup SmartProxy
 // ===========================================================================
 tap.test('setup - SmartProxy with 3 routes', async () => {
  proxy = new SmartProxy({
    routes: [
      // Plain HTTP forward: 47601 → 47600
      {
        name: 'http-forward',
        match: { ports: PROXY_HTTP_PORT },
        action: {
          type: 'forward',
          targets: [{ host: 'localhost', port: HTTP_ECHO_PORT }],
        },
      },
      // TLS-terminate HTTPS: 47602 → 47600
      {
        name: 'https-terminate',
        match: { ports: PROXY_HTTPS_PORT, domains: 'localhost' },
        action: {
          type: 'forward',
          targets: [{ host: 'localhost', port: HTTP_ECHO_PORT }],
          tls: {
            mode: 'terminate',
            certificate: {
              key: keyPem,
              cert: certPem,
            },
          },
        },
      },
      // Plain TCP forward: 47604 → 47603
      {
        name: 'tcp-forward',
        match: { ports: PROXY_TCP_PORT },
        action: {
          type: 'forward',
          targets: [{ host: 'localhost', port: TCP_ECHO_PORT }],
        },
      },
    ],
    metrics: {
      enabled: true,
      sampleIntervalMs: 100,
    },
    enableDetailedLogging: false,
  });
  await proxy.start();
  // Give the proxy a moment to fully bind
  await new Promise((r) => setTimeout(r, 500));
 });
 // ===========================================================================
 // 3. HTTP/1.1 connection pooling: sequential requests reuse connections
 // ===========================================================================
 tap.test('HTTP/1.1 connection pooling: sequential requests reuse connections', async (tools) => {
  tools.timeout(30000);
  const metrics = proxy.getMetrics();
  const REQUEST_COUNT = 20;
  // Use a non-keepalive agent so each request closes the client→proxy socket
  // (Rust's backend connection pool still reuses proxy→backend connections)
  const agent = new http.Agent({ keepAlive: false });
  for (let i = 0; i < REQUEST_COUNT; i++) {
    const result = await httpRequest(
      {
        hostname: 'localhost',
        port: PROXY_HTTP_PORT,
        path: '/echo',
        method: 'POST',
        headers: { 'Content-Type': 'text/plain' },
        agent,
      },
      `msg-${i}`,
    );
    expect(result.status).toEqual(200);
    expect(result.body).toEqual(`echo:msg-${i}`);
  }
  agent.destroy();
  // Wait for all connections to settle and metrics to update
  await waitForMetrics(metrics, () => metrics.connections.active() === 0, 5000);
  expect(metrics.connections.active()).toEqual(0);
  // Bytes should have been transferred
  await waitForMetrics(metrics, () => metrics.totals.bytesIn() > 0);
  expect(metrics.totals.bytesIn()).toBeGreaterThan(0);
  expect(metrics.totals.bytesOut()).toBeGreaterThan(0);
  console.log(`HTTP pooling test: ${REQUEST_COUNT} requests completed. bytesIn=${metrics.totals.bytesIn()}, bytesOut=${metrics.totals.bytesOut()}`);
 });
 // ===========================================================================
 // 4. HTTPS with TLS termination: multiple requests through TLS
 // ===========================================================================
 tap.test('HTTPS with TLS termination: multiple requests through TLS', async (tools) => {
  tools.timeout(30000);
  const REQUEST_COUNT = 10;
  const agent = new https.Agent({ keepAlive: false, rejectUnauthorized: false });
  for (let i = 0; i < REQUEST_COUNT; i++) {
    const result = await httpsRequest(
      {
        hostname: 'localhost',
        port: PROXY_HTTPS_PORT,
        path: '/echo',
        method: 'POST',
        headers: { 'Content-Type': 'text/plain' },
        rejectUnauthorized: false,
        servername: 'localhost',
        agent,
      },
      `tls-${i}`,
    );
    expect(result.status).toEqual(200);
    expect(result.body).toEqual(`echo:tls-${i}`);
  }
  agent.destroy();
  console.log(`HTTPS termination test: ${REQUEST_COUNT} requests completed successfully`);
 });
 // ===========================================================================
 // 5. TLS ALPN negotiation verification
 // ===========================================================================
 tap.test('HTTP/2 end-to-end: ALPN h2 with multiplexed requests', async (tools) => {
  tools.timeout(15000);
  // Connect an HTTP/2 session over TLS
  const session = http2.connect(`https://localhost:${PROXY_HTTPS_PORT}`, {
    rejectUnauthorized: false,
  });
  await new Promise<void>((resolve, reject) => {
    session.on('connect', () => resolve());
    session.on('error', reject);
    setTimeout(() => reject(new Error('h2 connect timeout')), 5000);
  });
  // Verify ALPN negotiated h2
  const alpnProtocol = (session.socket as tls.TLSSocket).alpnProtocol;
  console.log(`TLS ALPN negotiated protocol: ${alpnProtocol}`);
  expect(alpnProtocol).toEqual('h2');
  // Send 5 multiplexed POST requests on the same h2 session
  const REQUEST_COUNT = 5;
  const promises: Promise<{ status: number; body: string }>[] = [];
  for (let i = 0; i < REQUEST_COUNT; i++) {
    promises.push(
      new Promise<{ status: number; body: string }>((resolve, reject) => {
        const reqStream = session.request({
          ':method': 'POST',
          ':path': '/echo',
          'content-type': 'text/plain',
        });
        let data = '';
        let status = 0;
        reqStream.on('response', (headers) => {
          status = headers[':status'] as number;
        });
        reqStream.on('data', (chunk: Buffer) => {
          data += chunk.toString();
        });
        reqStream.on('end', () => resolve({ status, body: data }));
        reqStream.on('error', reject);
        reqStream.end(`h2-msg-${i}`);
      }),
    );
  }
  const results = await Promise.all(promises);
  for (let i = 0; i < REQUEST_COUNT; i++) {
    expect(results[i].status).toEqual(200);
    expect(results[i].body).toEqual(`echo:h2-msg-${i}`);
  }
  await new Promise<void>((resolve) => session.close(() => resolve()));
  console.log(`HTTP/2 end-to-end: ${REQUEST_COUNT} multiplexed requests completed successfully`);
 });
 // ===========================================================================
 // 6. Connection stability: no leaked connections after repeated open/close
 // ===========================================================================
 tap.test('connection stability: no leaked connections after repeated open/close', async (tools) => {
  tools.timeout(60000);
  const metrics = proxy.getMetrics();
  const BATCH_SIZE = 50;
  // Ensure we start clean
  await waitForMetrics(metrics, () => metrics.connections.active() === 0);
  // Record total connections before
  await (proxy as any).metricsAdapter.poll();
  const totalBefore = metrics.connections.total();
  // --- Batch 1: 50 sequential TCP connections ---
  for (let i = 0; i < BATCH_SIZE; i++) {
    await new Promise<void>((resolve, reject) => {
      const client = new net.Socket();
      client.connect(PROXY_TCP_PORT, 'localhost', () => {
        const msg = `batch1-${i}`;
        client.write(msg);
        client.once('data', (data) => {
          expect(data.toString()).toEqual(msg);
          client.end();
        });
      });
      client.on('close', () => resolve());
      client.on('error', reject);
      client.setTimeout(5000, () => {
        client.destroy(new Error('timeout'));
      });
    });
  }
  // Wait for all connections to drain
  await waitForMetrics(metrics, () => metrics.connections.active() === 0, 5000);
  expect(metrics.connections.active()).toEqual(0);
  console.log(`Batch 1 done: active=${metrics.connections.active()}, total=${metrics.connections.total()}`);
  // --- Batch 2: another 50 ---
  for (let i = 0; i < BATCH_SIZE; i++) {
    await new Promise<void>((resolve, reject) => {
      const client = new net.Socket();
      client.connect(PROXY_TCP_PORT, 'localhost', () => {
        const msg = `batch2-${i}`;
        client.write(msg);
        client.once('data', (data) => {
          expect(data.toString()).toEqual(msg);
          client.end();
        });
      });
      client.on('close', () => resolve());
      client.on('error', reject);
      client.setTimeout(5000, () => {
        client.destroy(new Error('timeout'));
      });
    });
  }
  // Wait for all connections to drain again
  await waitForMetrics(metrics, () => metrics.connections.active() === 0, 5000);
  expect(metrics.connections.active()).toEqual(0);
  // Total should reflect ~100 new connections
  await (proxy as any).metricsAdapter.poll();
  const totalAfter = metrics.connections.total();
  const newConnections = totalAfter - totalBefore;
  console.log(`Batch 2 done: active=${metrics.connections.active()}, total=${totalAfter}, new=${newConnections}`);
  expect(newConnections).toBeGreaterThanOrEqual(BATCH_SIZE * 2);
 });
 // ===========================================================================
 // 7. Concurrent connections: burst and drain
 // ===========================================================================
 tap.test('concurrent connections: burst and drain', async (tools) => {
  tools.timeout(30000);
  const metrics = proxy.getMetrics();
  const CONCURRENT = 20;
  // Ensure we start clean
  await waitForMetrics(metrics, () => metrics.connections.active() === 0, 5000);
  // Open 20 TCP connections simultaneously
  const clients: net.Socket[] = [];
  const connectPromises: Promise<void>[] = [];
  for (let i = 0; i < CONCURRENT; i++) {
    const client = new net.Socket();
    clients.push(client);
    connectPromises.push(
      new Promise<void>((resolve, reject) => {
        client.connect(PROXY_TCP_PORT, 'localhost', () => resolve());
        client.on('error', reject);
        client.setTimeout(5000, () => {
          client.destroy(new Error('timeout'));
        });
      }),
    );
  }
  await Promise.all(connectPromises);
  // Send data on all connections and wait for echo
  const echoPromises = clients.map((client, i) => {
    return new Promise<void>((resolve, reject) => {
      const msg = `concurrent-${i}`;
      client.once('data', (data) => {
        expect(data.toString()).toEqual(msg);
        resolve();
      });
      client.write(msg);
      client.on('error', reject);
    });
  });
  await Promise.all(echoPromises);
  // Poll metrics — active connections should be CONCURRENT
  await waitForMetrics(metrics, () => metrics.connections.active() >= CONCURRENT, 3000);
  const activeWhileOpen = metrics.connections.active();
  console.log(`Burst: active connections while open = ${activeWhileOpen}`);
  expect(activeWhileOpen).toBeGreaterThanOrEqual(CONCURRENT);
  // Close all connections
  for (const client of clients) {
    client.end();
  }
  // Wait for drain
  await waitForMetrics(metrics, () => metrics.connections.active() === 0, 5000);
  expect(metrics.connections.active()).toEqual(0);
  console.log('Drain: all connections closed, active=0');
 });
 // ===========================================================================
 // 8. Cleanup
 // ===========================================================================
 tap.test('cleanup', async () => {
  await proxy.stop();
  await new Promise<void>((resolve) => {
    httpEchoServer.close(() => {
      console.log('HTTP echo server closed');
      resolve();
    });
  });
  await new Promise<void>((resolve) => {
    tcpEchoServer.close(() => {
      console.log('TCP echo server closed');
      resolve();
    });
  });
 });
 export default tap.start();
--- a/test/test.port-mapping.ts
+++ b/test/test.port-mapping.ts
@@ -14,8 +14,8 @@ import type { IRouteConfig, IRouteContext } from '../ts/proxies/smart-proxy/mode
 let testServers: Array<{ server: net.Server; port: number }> = [];
 let smartProxy: SmartProxy;
-const TEST_PORT_START = 4000;
+const TEST_PORT_START = 47750;
-const PROXY_PORT_START = 5000;
+const PROXY_PORT_START = 48750;
 const TEST_DATA = 'Hello through dynamic port mapper!';
 // Cleanup function to close all servers and proxies
@@ -103,9 +103,9 @@ function createTestClient(port: number, data: string): Promise<string> {
 tap.test('setup port mapping test environment', async () => {
  // Create multiple test servers on different ports
  await Promise.all([
-    createTestServer(TEST_PORT_START),     // Server on port 4000
+    createTestServer(TEST_PORT_START),     // Server on port 47750
-    createTestServer(TEST_PORT_START + 1), // Server on port 4001
+    createTestServer(TEST_PORT_START + 1), // Server on port 47751
-    createTestServer(TEST_PORT_START + 2), // Server on port 4002
+    createTestServer(TEST_PORT_START + 2), // Server on port 47752
  ]);
  // Create a SmartProxy with dynamic port mapping routes
@@ -119,7 +119,7 @@ tap.test('setup port mapping test environment', async () => {
        name: 'Identity Port Mapping'
      }),
-      // Offset port mapping from 5001 to 4001 (offset -1000)
+      // Offset port mapping from 48751 to 47751 (offset -1000)
      createOffsetPortMappingRoute({
        ports: PROXY_PORT_START + 1,
        targetHost: 'localhost',
@@ -170,13 +170,13 @@ tap.test('setup port mapping test environment', async () => {
  await smartProxy.start();
 });
-// Test 1: Simple identity port mapping (5000 -> 4000)
+// Test 1: Simple identity port mapping (48750 -> 47750)
 tap.test('should map port using identity function', async () => {
  const response = await createTestClient(PROXY_PORT_START, TEST_DATA);
  expect(response).toEqual(`Server ${TEST_PORT_START} says: ${TEST_DATA}`);
 });
-// Test 2: Offset port mapping (5001 -> 4001)
+// Test 2: Offset port mapping (48751 -> 47751)
 tap.test('should map port using offset function', async () => {
  const response = await createTestClient(PROXY_PORT_START + 1, TEST_DATA);
  expect(response).toEqual(`Server ${TEST_PORT_START + 1} says: ${TEST_DATA}`);
--- a/test/test.route-config.ts
+++ b/test/test.route-config.ts
@@ -562,4 +562,168 @@ tap.test('Route Integration - Combining Multiple Route Types', async () => {
  }
 });
 // --------------------------------- Protocol Match Field Tests ---------------------------------
 tap.test('Routes: Should accept protocol field on route match', async () => {
  // Create a route with protocol: 'http'
  const httpOnlyRoute: IRouteConfig = {
    match: {
      ports: 443,
      domains: 'api.example.com',
      protocol: 'http',
    },
    action: {
      type: 'forward',
      targets: [{ host: 'backend', port: 8080 }],
      tls: {
        mode: 'terminate',
        certificate: 'auto',
      },
    },
    name: 'HTTP-only Route',
  };
  // Validate the route - protocol field should not cause errors
  const validation = validateRouteConfig(httpOnlyRoute);
  expect(validation.valid).toBeTrue();
  // Verify the protocol field is preserved
  expect(httpOnlyRoute.match.protocol).toEqual('http');
 });
 tap.test('Routes: Should accept protocol tcp on route match', async () => {
  // Create a route with protocol: 'tcp'
  const tcpOnlyRoute: IRouteConfig = {
    match: {
      ports: 443,
      domains: 'db.example.com',
      protocol: 'tcp',
    },
    action: {
      type: 'forward',
      targets: [{ host: 'db-server', port: 5432 }],
      tls: {
        mode: 'passthrough',
      },
    },
    name: 'TCP-only Route',
  };
  const validation = validateRouteConfig(tcpOnlyRoute);
  expect(validation.valid).toBeTrue();
  expect(tcpOnlyRoute.match.protocol).toEqual('tcp');
 });
 tap.test('Routes: Protocol field should work with terminate-and-reencrypt', async () => {
  // Create a terminate-and-reencrypt route that only accepts HTTP
  const reencryptRoute = createHttpsTerminateRoute(
    'secure.example.com',
    { host: 'backend', port: 443 },
    { reencrypt: true, certificate: 'auto', name: 'Reencrypt HTTP Route' }
  );
  // Set protocol restriction to http
  reencryptRoute.match.protocol = 'http';
  // Validate the route
  const validation = validateRouteConfig(reencryptRoute);
  expect(validation.valid).toBeTrue();
  // Verify TLS mode
  expect(reencryptRoute.action.tls?.mode).toEqual('terminate-and-reencrypt');
  // Verify protocol field is preserved
  expect(reencryptRoute.match.protocol).toEqual('http');
 });
 tap.test('Routes: Protocol field should not affect domain/port matching', async () => {
  // Routes with and without protocol field should both match the same domain/port
  const routeWithProtocol: IRouteConfig = {
    match: {
      ports: 443,
      domains: 'example.com',
      protocol: 'http',
    },
    action: {
      type: 'forward',
      targets: [{ host: 'backend', port: 8080 }],
      tls: { mode: 'terminate', certificate: 'auto' },
    },
    name: 'With Protocol',
    priority: 10,
  };
  const routeWithoutProtocol: IRouteConfig = {
    match: {
      ports: 443,
      domains: 'example.com',
    },
    action: {
      type: 'forward',
      targets: [{ host: 'fallback', port: 8081 }],
      tls: { mode: 'terminate', certificate: 'auto' },
    },
    name: 'Without Protocol',
    priority: 5,
  };
  const routes = [routeWithProtocol, routeWithoutProtocol];
  // Both routes should match the domain/port (protocol is a hint for Rust-side matching)
  const matches = findMatchingRoutes(routes, { domain: 'example.com', port: 443 });
  expect(matches.length).toEqual(2);
  // The one with higher priority should be first
  const best = findBestMatchingRoute(routes, { domain: 'example.com', port: 443 });
  expect(best).not.toBeUndefined();
  expect(best!.name).toEqual('With Protocol');
 });
 tap.test('Routes: Protocol field preserved through route cloning', async () => {
  const original: IRouteConfig = {
    match: {
      ports: 8443,
      domains: 'clone-test.example.com',
      protocol: 'http',
    },
    action: {
      type: 'forward',
      targets: [{ host: 'backend', port: 3000 }],
      tls: { mode: 'terminate-and-reencrypt', certificate: 'auto' },
    },
    name: 'Clone Test',
  };
  const cloned = cloneRoute(original);
  // Verify protocol is preserved in clone
  expect(cloned.match.protocol).toEqual('http');
  expect(cloned.action.tls?.mode).toEqual('terminate-and-reencrypt');
  // Modify clone should not affect original
  cloned.match.protocol = 'tcp';
  expect(original.match.protocol).toEqual('http');
 });
 tap.test('Routes: Protocol field preserved through route merging', async () => {
  const base: IRouteConfig = {
    match: {
      ports: 443,
      domains: 'merge-test.example.com',
      protocol: 'http',
    },
    action: {
      type: 'forward',
      targets: [{ host: 'backend', port: 3000 }],
      tls: { mode: 'terminate-and-reencrypt', certificate: 'auto' },
    },
    name: 'Merge Base',
  };
  // Merge with override that changes name but not protocol
  const merged = mergeRouteConfigs(base, { name: 'Merged Route' });
  expect(merged.match.protocol).toEqual('http');
  expect(merged.name).toEqual('Merged Route');
 });
 export default tap.start();
--- a/test/test.smartproxy.ts
+++ b/test/test.smartproxy.ts
@@ -4,8 +4,8 @@ import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
 let testServer: net.Server;
 let smartProxy: SmartProxy;
-const TEST_SERVER_PORT = 4000;
+const TEST_SERVER_PORT = 47770;
-const PROXY_PORT = 4001;
+const PROXY_PORT = 47771;
 const TEST_DATA = 'Hello through port proxy!';
 // Track all created servers and proxies for proper cleanup
--- a/test/test.socket-handler.ts
+++ b/test/test.socket-handler.ts
@@ -10,7 +10,7 @@ tap.test('setup socket handler test', async () => {
  const routes: IRouteConfig[] = [{
    name: 'echo-handler',
    match: { 
-      ports: 9999
+      ports: 47780
      // No domains restriction - matches all connections
    },
    action: {
@@ -43,7 +43,7 @@ tap.test('should handle socket with custom function', async () => {
  let response = '';
  await new Promise<void>((resolve, reject) => {
-    client.connect(9999, 'localhost', () => {
+    client.connect(47780, 'localhost', () => {
      console.log('Client connected to proxy');
      resolve();
    });
@@ -78,7 +78,7 @@ tap.test('should handle async socket handler', async () => {
  // Update route with async handler
  await proxy.updateRoutes([{
    name: 'async-handler',
-    match: { ports: 9999 },
+    match: { ports: 47780 },
    action: {
      type: 'socket-handler',
      socketHandler: async (socket, context) => {
@@ -108,7 +108,7 @@ tap.test('should handle async socket handler', async () => {
  });
  await new Promise<void>((resolve, reject) => {
-    client.connect(9999, 'localhost', () => {
+    client.connect(47780, 'localhost', () => {
      // Send initial data to trigger the handler
      client.write('test data\n');
      resolve();
@@ -131,7 +131,7 @@ tap.test('should handle errors in socket handler', async () => {
  // Update route with error-throwing handler
  await proxy.updateRoutes([{
    name: 'error-handler',
-    match: { ports: 9999 },
+    match: { ports: 47780 },
    action: {
      type: 'socket-handler',
      socketHandler: (socket, context) => {
@@ -148,7 +148,7 @@ tap.test('should handle errors in socket handler', async () => {
  });
  await new Promise<void>((resolve, reject) => {
-    client.connect(9999, 'localhost', () => {
+    client.connect(47780, 'localhost', () => {
      // Connection established - send data to trigger handler
      client.write('trigger\n');
      resolve();
--- a/test/test.throughput.ts
+++ b/test/test.throughput.ts
@@ -151,11 +151,28 @@ tap.test('TCP forward - real-time byte tracking', async (tools) => {
  console.log(`TCP forward (during) — recent throughput: in=${tpDuring.in}, out=${tpDuring.out}`);
  expect(tpDuring.in + tpDuring.out).toBeGreaterThan(0);
  // ── v25.2.0: Per-IP tracking (TCP connections) ──
  // Must check WHILE connection is active — per-IP data is evicted on last close
  const byIP = mDuring.connections.byIP();
  console.log('TCP forward — connections byIP:', Array.from(byIP.entries()));
  expect(byIP.size).toBeGreaterThan(0);
  const topIPs = mDuring.connections.topIPs(10);
  console.log('TCP forward — topIPs:', topIPs);
  expect(topIPs.length).toBeGreaterThan(0);
  expect(topIPs[0].ip).toBeTruthy();
  // ── v25.2.0: Throughput history ──
  const history = mDuring.throughput.history(10);
  console.log('TCP forward — throughput history length:', history.length);
  expect(history.length).toBeGreaterThan(0);
  expect(history[0].timestamp).toBeGreaterThan(0);
  // Close connection
  client.destroy();
  await tools.delayFor(500);
-  // Final check
+  // Final check — totals persist even after connection close
  await pollMetrics(proxy);
  const m = proxy.getMetrics();
  const bytesIn = m.totals.bytesIn();
@@ -168,21 +185,10 @@ tap.test('TCP forward - real-time byte tracking', async (tools) => {
  const byRoute = m.throughput.byRoute();
  console.log('TCP forward — throughput byRoute:', Array.from(byRoute.entries()));
-  // ── v25.2.0: Per-IP tracking (TCP connections) ──
+  // After close, per-IP data should be evicted (memory leak fix)
-  const byIP = m.connections.byIP();
+  const byIPAfter = m.connections.byIP();
-  console.log('TCP forward — connections byIP:', Array.from(byIP.entries()));
+  console.log('TCP forward — connections byIP after close:', Array.from(byIPAfter.entries()));
-  expect(byIP.size).toBeGreaterThan(0);
+  expect(byIPAfter.size).toEqual(0);
  const topIPs = m.connections.topIPs(10);
  console.log('TCP forward — topIPs:', topIPs);
  expect(topIPs.length).toBeGreaterThan(0);
  expect(topIPs[0].ip).toBeTruthy();
  // ── v25.2.0: Throughput history ──
  const history = m.throughput.history(10);
  console.log('TCP forward — throughput history length:', history.length);
  expect(history.length).toBeGreaterThan(0);
  expect(history[0].timestamp).toBeGreaterThan(0);
  await proxy.stop();
  await tools.delayFor(200);
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '25.2.1',
+  version: '25.7.9',
  description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }
--- a/ts/plugins.ts
+++ b/ts/plugins.ts
@@ -2,14 +2,13 @@
 import { EventEmitter } from 'node:events';
 import * as fs from 'node:fs';
 import * as http from 'node:http';
 import * as https from 'node:https';
 import * as net from 'node:net';
 import * as path from 'node:path';
 import * as tls from 'node:tls';
 import * as url from 'node:url';
 import * as http2 from 'node:http2';
-export { EventEmitter, fs, http, https, net, path, tls, url, http2 };
+export { EventEmitter, fs, http, net, path, tls, url, http2 };
 // tsclass scope
 import * as tsclass from '@tsclass/tsclass';
@@ -17,44 +16,19 @@ import * as tsclass from '@tsclass/tsclass';
 export { tsclass };
 // pushrocks scope
 import * as lik from '@push.rocks/lik';
 import * as smartdelay from '@push.rocks/smartdelay';
 import * as smartpromise from '@push.rocks/smartpromise';
 import * as smartrequest from '@push.rocks/smartrequest';
 import * as smartstring from '@push.rocks/smartstring';
 import * as smartfile from '@push.rocks/smartfile';
 import * as smartcrypto from '@push.rocks/smartcrypto';
 import * as smartacme from '@push.rocks/smartacme';
 import * as smartacmePlugins from '@push.rocks/smartacme/dist_ts/smartacme.plugins.js';
 import * as smartacmeHandlers from '@push.rocks/smartacme/dist_ts/handlers/index.js';
 import * as smartlog from '@push.rocks/smartlog';
 import * as smartlogDestinationLocal from '@push.rocks/smartlog/destination-local';
 import * as taskbuffer from '@push.rocks/taskbuffer';
 import * as smartrx from '@push.rocks/smartrx';
 import * as smartrust from '@push.rocks/smartrust';
 export {
  lik,
  smartdelay,
  smartrequest,
  smartpromise,
  smartstring,
  smartfile,
  smartcrypto,
  smartacme,
  smartacmePlugins,
  smartacmeHandlers,
  smartlog,
  smartlogDestinationLocal,
  taskbuffer,
  smartrx,
  smartrust,
 };
 // third party scope
 import prettyMs from 'pretty-ms';
 import * as ws from 'ws';
 import wsDefault from 'ws';
 import { minimatch } from 'minimatch';
-export { prettyMs, ws, wsDefault, minimatch };
+export { minimatch };
--- a/ts/proxies/smart-proxy/models/interfaces.ts
+++ b/ts/proxies/smart-proxy/models/interfaces.ts
@@ -180,6 +180,21 @@ export interface ISmartProxyOptions {
   */
  certProvisionFallbackToAcme?: boolean;
  /**
   * Per-domain timeout in ms for certProvisionFunction calls.
   * If a single domain's provisioning takes longer than this, it's aborted
   * and a certificate-failed event is emitted.
   * Default: 300000 (5 minutes)
   */
  certProvisionTimeout?: number;
  /**
   * Maximum number of domains to provision certificates for concurrently.
   * Prevents overwhelming ACME providers when many domains provision at once.
   * Default: 4
   */
  certProvisionConcurrency?: number;
  /**
   * Disable the default self-signed fallback certificate.
   * When false (default), a self-signed cert is generated at startup and loaded
--- a/ts/proxies/smart-proxy/models/route-types.ts
+++ b/ts/proxies/smart-proxy/models/route-types.ts
@@ -39,6 +39,7 @@ export interface IRouteMatch {
  clientIp?: string[];     // Match specific client IPs
  tlsVersion?: string[];   // Match specific TLS versions
  headers?: Record<string, string | RegExp>; // Match specific HTTP headers
  protocol?: 'http' | 'tcp';  // Match specific protocol (http includes h2 + websocket upgrades)
 }
--- a/ts/proxies/smart-proxy/smart-proxy.ts
+++ b/ts/proxies/smart-proxy/smart-proxy.ts
@@ -12,6 +12,7 @@ import { SharedRouteManager as RouteManager } from '../../core/routing/route-man
 import { RouteValidator } from './utils/route-validator.js';
 import { generateDefaultCertificate } from './utils/default-cert-generator.js';
 import { Mutex } from './utils/mutex.js';
 import { ConcurrencySemaphore } from './utils/concurrency-semaphore.js';
 // Types
 import type { ISmartProxyOptions, TSmartProxyCertProvisionObject, IAcmeOptions, ICertProvisionEventComms, ICertificateIssuedEvent, ICertificateFailedEvent } from './models/interfaces.js';
@@ -38,6 +39,7 @@ export class SmartProxy extends plugins.EventEmitter {
  private metricsAdapter: RustMetricsAdapter;
  private routeUpdateLock: Mutex;
  private stopping = false;
  private certProvisionPromise: Promise<void> | null = null;
  constructor(settingsArg: ISmartProxyOptions) {
    super();
@@ -191,13 +193,18 @@ export class SmartProxy extends plugins.EventEmitter {
      }
    }
-    // Handle certProvisionFunction
+    // Start metrics polling BEFORE cert provisioning — the Rust engine is already
-    await this.provisionCertificatesViaCallback(preloadedDomains);
+    // running and accepting connections, so metrics should be available immediately.
-
+    // Cert provisioning can hang indefinitely (e.g. DNS-01 ACME timeouts) and must
-    // Start metrics polling
+    // not block metrics collection.
    this.metricsAdapter.startPolling();
    logger.log('info', 'SmartProxy started (Rust engine)', { component: 'smart-proxy' });
    // Fire-and-forget cert provisioning — Rust engine is already running and serving traffic.
    // Events (certificate-issued / certificate-failed) fire independently per domain.
    this.certProvisionPromise = this.provisionCertificatesViaCallback(preloadedDomains)
      .catch((err) => logger.log('error', `Unexpected error in cert provisioning: ${err.message}`, { component: 'smart-proxy' }));
  }
  /**
@@ -207,6 +214,12 @@ export class SmartProxy extends plugins.EventEmitter {
    logger.log('info', 'SmartProxy shutting down...', { component: 'smart-proxy' });
    this.stopping = true;
    // Wait for in-flight cert provisioning to bail out (it checks this.stopping)
    if (this.certProvisionPromise) {
      await this.certProvisionPromise;
      this.certProvisionPromise = null;
    }
    // Stop metrics polling
    this.metricsAdapter.stopPolling();
@@ -234,7 +247,7 @@ export class SmartProxy extends plugins.EventEmitter {
   * Update routes atomically.
   */
  public async updateRoutes(newRoutes: IRouteConfig[]): Promise<void> {
-    return this.routeUpdateLock.runExclusive(async () => {
+    await this.routeUpdateLock.runExclusive(async () => {
      // Validate
      const validation = RouteValidator.validateRoutes(newRoutes);
      if (!validation.valid) {
@@ -270,11 +283,13 @@ export class SmartProxy extends plugins.EventEmitter {
      // Update stored routes
      this.settings.routes = newRoutes;
      // Handle cert provisioning for new routes
      await this.provisionCertificatesViaCallback();
      logger.log('info', `Routes updated (${newRoutes.length} routes)`, { component: 'smart-proxy' });
    });
    // Fire-and-forget cert provisioning outside the mutex — routes are already updated,
    // cert provisioning doesn't need the route update lock and may be slow.
    this.certProvisionPromise = this.provisionCertificatesViaCallback()
      .catch((err) => logger.log('error', `Unexpected error in cert provisioning after route update: ${err.message}`, { component: 'smart-proxy' }));
  }
  /**
@@ -394,6 +409,7 @@ export class SmartProxy extends plugins.EventEmitter {
      keepAliveTreatment: this.settings.keepAliveTreatment,
      keepAliveInactivityMultiplier: this.settings.keepAliveInactivityMultiplier,
      extendedKeepAliveLifetime: this.settings.extendedKeepAliveLifetime,
      proxyIps: this.settings.proxyIPs,
      acceptProxyProtocol: this.settings.acceptProxyProtocol,
      sendProxyProtocol: this.settings.sendProxyProtocol,
      metrics: this.settings.metrics,
@@ -409,7 +425,9 @@ export class SmartProxy extends plugins.EventEmitter {
    const provisionFn = this.settings.certProvisionFunction;
    if (!provisionFn) return;
-    const provisionedDomains = new Set<string>(skipDomains);
+    // Phase 1: Collect all unique (domain, route) pairs that need provisioning
    const seen = new Set<string>(skipDomains);
    const tasks: Array<{ domain: string; route: IRouteConfig }> = [];
    for (const route of this.settings.routes) {
      if (route.action.tls?.certificate !== 'auto') continue;
@@ -419,10 +437,41 @@ export class SmartProxy extends plugins.EventEmitter {
      const certDomains = this.normalizeDomainsForCertProvisioning(rawDomains);
      for (const domain of certDomains) {
-        if (provisionedDomains.has(domain)) continue;
+        if (seen.has(domain)) continue;
-        provisionedDomains.add(domain);
+        seen.add(domain);
        tasks.push({ domain, route });
      }
    }
    if (tasks.length === 0) return;
    // Phase 2: Process all domains in parallel with concurrency limit
    const concurrency = this.settings.certProvisionConcurrency ?? 4;
    const semaphore = new ConcurrencySemaphore(concurrency);
    const promises = tasks.map(async ({ domain, route }) => {
      await semaphore.acquire();
      try {
        await this.provisionSingleDomain(domain, route, provisionFn);
      } finally {
        semaphore.release();
      }
    });
    await Promise.allSettled(promises);
  }
  /**
   * Provision a single domain's certificate via the callback.
   * Includes per-domain timeout and shutdown checks.
   */
  private async provisionSingleDomain(
    domain: string,
    route: IRouteConfig,
    provisionFn: (domain: string, eventComms: ICertProvisionEventComms) => Promise<TSmartProxyCertProvisionObject>,
  ): Promise<void> {
    if (this.stopping) return;
        // Build eventComms channel for this domain
    let expiryDate: string | undefined;
    let source = 'certProvisionFunction';
@@ -434,11 +483,18 @@ export class SmartProxy extends plugins.EventEmitter {
      setSource: (s) => { source = s; },
    };
    const timeoutMs = this.settings.certProvisionTimeout ?? 300_000; // 5 min default
    try {
-          const result: TSmartProxyCertProvisionObject = await provisionFn(domain, eventComms);
+      const result: TSmartProxyCertProvisionObject = await this.withTimeout(
        provisionFn(domain, eventComms),
        timeoutMs,
        `Certificate provisioning timed out for ${domain} after ${timeoutMs}ms`,
      );
      if (this.stopping) return;
      if (result === 'http01') {
            // Callback wants HTTP-01 for this domain — trigger Rust ACME explicitly
        if (route.name) {
          try {
            await this.bridge.provisionCertificate(route.name);
@@ -448,11 +504,12 @@ export class SmartProxy extends plugins.EventEmitter {
              'Note: Rust ACME is disabled when certProvisionFunction is set.', { component: 'smart-proxy' });
          }
        }
-            continue;
+        return;
      }
          // Got a static cert object - load it into Rust
      if (result && typeof result === 'object') {
        if (this.stopping) return;
        const certObj = result as plugins.tsclass.network.ICert;
        await this.bridge.loadCertificate(
          domain,
@@ -470,7 +527,6 @@ export class SmartProxy extends plugins.EventEmitter {
          }
        }
            // Emit certificate-issued event
        this.emit('certificate-issued', {
          domain,
          expiryDate: expiryDate || (certObj.validUntil ? new Date(certObj.validUntil).toISOString() : undefined),
@@ -480,7 +536,6 @@ export class SmartProxy extends plugins.EventEmitter {
    } catch (err: any) {
      logger.log('warn', `certProvisionFunction failed for ${domain}: ${err.message}`, { component: 'smart-proxy' });
          // Emit certificate-failed event
      this.emit('certificate-failed', {
        domain,
        error: err.message,
@@ -501,7 +556,18 @@ export class SmartProxy extends plugins.EventEmitter {
      }
    }
  }
-    }
+
  /**
   * Race a promise against a timeout. Rejects with the given message if the timeout fires first.
   */
  private withTimeout<T>(promise: Promise<T>, ms: number, message: string): Promise<T> {
    return new Promise<T>((resolve, reject) => {
      const timer = setTimeout(() => reject(new Error(message)), ms);
      promise.then(
        (val) => { clearTimeout(timer); resolve(val); },
        (err) => { clearTimeout(timer); reject(err); },
      );
    });
  }
  /**
--- a/ts/proxies/smart-proxy/utils/concurrency-semaphore.ts
+++ b/ts/proxies/smart-proxy/utils/concurrency-semaphore.ts
@@ -0,0 +1,28 @@
 /**
 * Async concurrency semaphore — limits the number of concurrent async operations.
 */
 export class ConcurrencySemaphore {
  private running = 0;
  private waitQueue: Array<() => void> = [];
  constructor(private readonly maxConcurrency: number) {}
  async acquire(): Promise<void> {
    if (this.running < this.maxConcurrency) {
      this.running++;
      return;
    }
    return new Promise<void>((resolve) => {
      this.waitQueue.push(() => {
        this.running++;
        resolve();
      });
    });
  }
  release(): void {
    this.running--;
    const next = this.waitQueue.shift();
    if (next) next();
  }
 }
--- a/ts/proxies/smart-proxy/utils/index.ts
+++ b/ts/proxies/smart-proxy/utils/index.ts
@@ -17,6 +17,9 @@ export * from './route-utils.js';
 // Export default certificate generator
 export { generateDefaultCertificate } from './default-cert-generator.js';
 // Export concurrency semaphore
 export { ConcurrencySemaphore } from './concurrency-semaphore.js';
 // Export additional functions from route-helpers that weren't already exported
 export {
  createApiGatewayRoute,
Author	SHA1	Message	Date
Juergen Kunz	755c81c042	v25.7.9 Some checks failed Default (tags) / security (push) Successful in 44s Details Default (tags) / test (push) Failing after 4m0s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-21 13:27:55 +00:00
Juergen Kunz	9368226ce0	fix(tests): use high non-privileged ports in tests to avoid conflicts and CI failures	2026-02-21 13:27:55 +00:00
Juergen Kunz	d4739045cd	feat: enhance HTTP/2 support by ensuring Host header is set and adding multiplexed request tests	2026-02-20 18:30:57 +00:00
Juergen Kunz	9521f2e044	feat: add TCP keepalive options and connection pooling for improved performance - Added `socket2` dependency for socket options. - Introduced `keep_alive`, `keep_alive_initial_delay_ms`, and `max_connections` fields in `ConnectionConfig`. - Implemented TCP keepalive settings in `TcpListenerManager` for both client and backend connections. - Created a new `ConnectionPool` for managing idle HTTP/1.1 and HTTP/2 connections to reduce overhead. - Enhanced TLS configuration to support ALPN for HTTP/2. - Added performance tests for connection pooling, stability, and concurrent connections.	2026-02-20 18:16:09 +00:00
Juergen Kunz	0f6752b9a7	v25.7.8 Some checks failed Default (tags) / security (push) Successful in 12m17s Details Default (tags) / test (push) Failing after 4m14s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-19 14:21:05 +00:00
Juergen Kunz	b8b7490d44	fix(no-changes): no changes detected; nothing to release	2026-02-19 14:21:05 +00:00
Juergen Kunz	8c2042a2f5	v25.7.7 Some checks failed Default (tags) / security (push) Successful in 12m19s Details Default (tags) / test (push) Failing after 4m16s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-19 14:03:31 +00:00
Juergen Kunz	3514260316	fix(proxy): restrict PROXY protocol parsing to configured trusted proxy IPs and parse PROXY headers before metrics/fast-path so client IPs reflect the real source	2026-02-19 14:03:31 +00:00
Juergen Kunz	f171cc8c5d	v25.7.6 Some checks failed Default (tags) / security (push) Successful in 12m20s Details Default (tags) / test (push) Failing after 4m18s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-19 09:12:50 +00:00
Juergen Kunz	c7722c30f3	fix(throughput): add tests for per-IP connection tracking and throughput history; assert per-IP eviction after connection close to prevent memory leak	2026-02-19 09:12:50 +00:00
Juergen Kunz	0ae882731a	v25.7.5 Some checks failed Default (tags) / security (push) Successful in 12m22s Details Default (tags) / test (push) Failing after 4m16s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-19 08:48:46 +00:00
Juergen Kunz	53d73c7dc6	fix(rustproxy): prune stale per-route metrics, add per-route rate limiter caching and regex cache, and improve connection tracking cleanup to prevent memory growth	2026-02-19 08:48:46 +00:00
Juergen Kunz	b4b8bd925d	v25.7.4 Some checks failed Default (tags) / security (push) Successful in 12m5s Details Default (tags) / test (push) Failing after 4m5s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-19 08:07:34 +00:00
Juergen Kunz	5ac44b898b	fix(smart-proxy): include proxy IPs in smart proxy configuration	2026-02-19 08:07:34 +00:00
Juergen Kunz	9b4393b5ac	v25.7.3 Some checks failed Default (tags) / security (push) Successful in 33s Details Default (tags) / test (push) Failing after 4m1s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-16 14:35:26 +00:00
Juergen Kunz	02b4ed8018	fix(metrics): centralize connection-closed reporting via ConnectionGuard and remove duplicate explicit metrics.connection_closed calls	2026-02-16 14:35:26 +00:00
Juergen Kunz	e4e4b4f1ec	v25.7.2 Some checks failed Default (tags) / security (push) Successful in 33s Details Default (tags) / test (push) Failing after 4m4s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-16 13:43:22 +00:00
Juergen Kunz	d361a21543	fix(rustproxy-http): preserve original Host header when proxying and add X-Forwarded-* headers; add TLS WebSocket echo backend helper and integration test for terminate-and-reencrypt websocket	2026-02-16 13:43:22 +00:00
Juergen Kunz	106713a546	v25.7.1 Some checks failed Default (tags) / security (push) Successful in 34s Details Default (tags) / test (push) Failing after 4m6s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-16 13:29:45 +00:00
Juergen Kunz	101675b5f8	fix(proxy): use TLS to backends for terminate-and-reencrypt routes	2026-02-16 13:29:45 +00:00
Juergen Kunz	9fac17bc39	v25.7.0 Some checks failed Default (tags) / security (push) Successful in 30s Details Default (tags) / test (push) Failing after 4m1s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-16 12:11:49 +00:00
Juergen Kunz	2e3cf515a4	feat(routes): add protocol-based route matching and ensure terminate-and-reencrypt routes HTTP through the full HTTP proxy; update docs and tests	2026-02-16 12:11:49 +00:00
Juergen Kunz	754d32fd34	v25.6.0 Some checks failed Default (tags) / security (push) Successful in 1m39s Details Default (tags) / test (push) Failing after 5m7s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-16 12:02:36 +00:00
Juergen Kunz	f0b7c27996	feat(rustproxy): add protocol-based routing and backend TLS re-encryption support	2026-02-16 12:02:36 +00:00
Juergen Kunz	db932e8acc	v25.5.0 Some checks failed Default (tags) / security (push) Successful in 1m1s Details Default (tags) / test (push) Failing after 5m5s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-16 03:00:39 +00:00
Juergen Kunz	455d5bb757	feat(tls): add shared TLS acceptor with SNI resolver and session resumption; prefer shared acceptor and fall back to per-connection when routes specify custom TLS versions	2026-02-16 03:00:39 +00:00
Juergen Kunz	fa2a27df6d	v25.4.0 Some checks failed Default (tags) / security (push) Successful in 30s Details Default (tags) / test (push) Failing after 5m5s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-16 01:37:43 +00:00
Juergen Kunz	7b2ccbdd11	feat(rustproxy): support dynamically loaded TLS certificates via loadCertificate IPC and include them in listener TLS configs for rebuilds and hot-swap	2026-02-16 01:37:43 +00:00
Juergen Kunz	8409984fcc	v25.3.1 Some checks failed Default (tags) / security (push) Successful in 1m44s Details Default (tags) / test (push) Failing after 5m8s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2026-02-15 15:05:03 +00:00
Juergen Kunz	af10d189a3	fix(plugins): remove unused dependencies and simplify plugin exports	2026-02-15 15:05:03 +00:00
Juergen Kunz	0b4d180cdf	v25.3.0 Some checks failed Default (tags) / security (push) Has been cancelled Details Default (tags) / test (push) Has been cancelled Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2026-02-14 14:02:25 +00:00
Juergen Kunz	7b3545d1b5	feat(smart-proxy): add background concurrent certificate provisioning with per-domain timeouts and concurrency control	2026-02-14 14:02:25 +00:00
Juergen Kunz	e837419d5d	v25.2.2 Some checks failed Default (tags) / security (push) Has been cancelled Details Default (tags) / test (push) Has been cancelled Details Default (tags) / release (push) Has been cancelled Details Default (tags) / metadata (push) Has been cancelled Details	2026-02-14 12:42:20 +00:00
Juergen Kunz	487a603fa3	fix(smart-proxy): start metrics polling before certificate provisioning to avoid blocking metrics collection	2026-02-14 12:42:20 +00:00