v25.8.0

- Added `socket2` dependency for socket options.
- Introduced `keep_alive`, `keep_alive_initial_delay_ms`, and `max_connections` fields in `ConnectionConfig`.
- Implemented TCP keepalive settings in `TcpListenerManager` for both client and backend connections.
- Created a new `ConnectionPool` for managing idle HTTP/1.1 and HTTP/2 connections to reduce overhead.
- Enhanced TLS configuration to support ALPN for HTTP/2.
- Added performance tests for connection pooling, stability, and concurrent connections.

changelog.md

@@ -1,5 +1,131 @@
 # Changelog
 
+## 2026-02-24 - 25.8.0 - feat(rustproxy)
+use tikv-jemallocator as the global allocator to reduce glibc fragmentation and slow RSS growth; add allocator dependency and enable it in rustproxy, update lockfile, and run tsrust before tests
+
+- Added tikv-jemallocator dependency to rust/Cargo.toml and rust/crates/rustproxy/Cargo.toml
+- Enabled tikv_jemallocator as the global allocator in rust/crates/rustproxy/src/main.rs
+- Updated rust/Cargo.lock with tikv-jemallocator and tikv-jemalloc-sys entries
+- Modified package.json test script to run tsrust before tstest
+
+## 2026-02-24 - 25.7.10 - fix(rustproxy)
+Use cooperative cancellation for background tasks, prune stale caches and metric entries, and switch tests to dynamic port allocation to avoid port conflicts
+
+- Introduce tokio_util::sync::CancellationToken to coordinate graceful shutdown of sampling and renewal tasks; await handles on stop and reset the token so the proxy can be restarted.
+- Add safety Drop impls (RustProxy, TcpListenerManager) as a last-resort abort path when stop() is not called.
+- MetricsCollector: avoid creating per-IP metric entries when the IP has no active connections; prune orphaned per-IP metric maps during sampling; add tests covering late record_bytes races and pruning behavior.
+- Passthrough/ConnectionTracker: remove per-connection record/zombie-scanner complexity, add cleanup_stale_timestamps to prune rate-limit timestamp entries, and add an RAII ConnectionTrackerGuard to guarantee connection_closed is invoked.
+- HTTP proxy improvements: add prune_stale_routes and reset_round_robin to clear caches (rate limiters, regex cache, round-robin counters) on route updates.
+- Tests: add test/helpers/port-allocator.ts and update many tests to use findFreePorts/assertPortsFree (dynamic ports + post-test port assertions) to avoid flakiness and port collisions in CI.
+
+## 2026-02-21 - 25.7.9 - fix(tests)
+use high non-privileged ports in tests to avoid conflicts and CI failures
+
+- Updated multiple test files to use high-range, non-privileged ports instead of well-known or conflicting ports.
+- Files changed: test/test.acme-http01-challenge.ts, test/test.connection-forwarding.ts, test/test.forwarding-regression.ts, test/test.http-port8080-forwarding.ts, test/test.port-mapping.ts, test/test.smartproxy.ts, test/test.socket-handler.ts.
+- Notable port remappings: 8080/8081 -> 47730/47731 (and other proxy ports like 47710), 8443 -> 47711, 7001/7002 -> 47712/47713, 9090 -> 47721, 8181/8182 -> 47732/47733, 9999 -> 47780, TEST_PORT_START/PROXY_PORT_START -> 47750/48750, and TEST_SERVER_PORT/PROXY_PORT -> 47770/47771.
+
+## 2026-02-19 - 25.7.8 - fix(no-changes)
+no changes detected; nothing to release
+
+- Current package version: 25.7.7
+- Git diff: no changes
+- No files modified; no release necessary
+
+## 2026-02-19 - 25.7.7 - fix(proxy)
+restrict PROXY protocol parsing to configured trusted proxy IPs and parse PROXY headers before metrics/fast-path so client IPs reflect the real source
+
+- Add proxy_ips: Vec<std::net::IpAddr> to ConnectionConfig with a default empty Vec
+- Populate proxy_ips from options.proxy_ips strings in rust/crates/rustproxy/src/lib.rs, parsing each to IpAddr
+- Only peek for and parse PROXY v1 headers when the remote IP is contained in proxy_ips (prevents untrusted clients from injecting PROXY headers)
+- Move PROXY protocol parsing earlier so metrics and fast-path logic use the effective (real client) IP after PROXY parsing
+- If proxy_ips is empty, behavior remains unchanged (no PROXY parsing)
+
+## 2026-02-19 - 25.7.6 - fix(throughput)
+add tests for per-IP connection tracking and throughput history; assert per-IP eviction after connection close to prevent memory leak
+
+- Adds runtime assertions for per-IP TCP connection tracking (m.connections.byIP) while a connection is active
+- Adds checks for throughput history (m.throughput.history) to ensure history length and timestamps are recorded
+- Asserts that per-IP tracking data is evicted after connection close (byIP.size === 0) to verify memory leak fix
+- Reorders test checks so per-IP and history metrics are validated during the active connection and totals are validated after close
+
+## 2026-02-19 - 25.7.5 - fix(rustproxy)
+prune stale per-route metrics, add per-route rate limiter caching and regex cache, and improve connection tracking cleanup to prevent memory growth
+
+- Prune per-route metrics for routes removed from configuration via MetricsCollector::retain_routes invoked during route table updates
+- Introduce per-route shared RateLimiter instances (DashMap) with a request-count-triggered periodic cleanup to avoid stale limiters
+- Cache compiled URL-rewrite regexes (regex_cache) to avoid recompiling patterns on every request and insert compiled regex on first use
+- Improve upstream connection tracking to remove zero-count entries and guard against underflow, preventing unbounded DashMap growth
+- Evict per-IP metrics and timestamps when the last connection for an IP closes so per-IP DashMap entries are fully freed
+- Add unit tests validating connection tracking cleanup, per-IP eviction, and route-metrics retention behavior
+
+## 2026-02-19 - 25.7.4 - fix(smart-proxy)
+include proxy IPs in smart proxy configuration
+
+- Add proxyIps: this.settings.proxyIPs to proxy options in ts/proxies/smart-proxy/smart-proxy.ts
+- Ensures proxy IPs from settings are passed into the proxy implementation (enables proxy IP filtering/whitelisting)
+
+## 2026-02-16 - 25.7.3 - fix(metrics)
+centralize connection-closed reporting via ConnectionGuard and remove duplicate explicit metrics.connection_closed calls
+
+- Removed numerous explicit metrics.connection_closed calls from rust/crates/rustproxy-http/src/proxy_service.rs so connection teardown and byte counting are handled by the connection guard / counting body instead of ad-hoc calls.
+- Simplified ConnectionGuard in rust/crates/rustproxy-passthrough/src/tcp_listener.rs: removed the disarm flag and disarm() method so Drop always reports connection_closed.
+- Stopped disarming the TCP-level guard when handing connections off to HTTP proxy paths (HTTP/WebSocket/streaming flows) to avoid missing or double-reporting metrics.
+- Fixes incorrect/duplicate connection-closed metric emission and ensures consistent byte/connection accounting during streaming and WebSocket upgrades.
+
+## 2026-02-16 - 25.7.2 - fix(rustproxy-http)
+preserve original Host header when proxying and add X-Forwarded-* headers; add TLS WebSocket echo backend helper and integration test for terminate-and-reencrypt websocket
+
+- Preserve the client's original Host header instead of replacing it with backend host:port when proxying requests.
+- Add standard reverse-proxy headers: X-Forwarded-For (appends client IP), X-Forwarded-Host, and X-Forwarded-Proto for upstream requests.
+- Ensure raw TCP/HTTP upstream requests copy original headers and skip X-Forwarded-* (which are added explicitly).
+- Add start_tls_ws_echo_backend test helper to start a TLS WebSocket echo backend for tests.
+- Add integration test test_terminate_and_reencrypt_websocket to verify WS upgrade through terminate-and-reencrypt TLS path.
+- Rename unused parameter upstream to _upstream in proxy_service functions to avoid warnings.
+
+## 2026-02-16 - 25.7.1 - fix(proxy)
+use TLS to backends for terminate-and-reencrypt routes
+
+- Set upstream.use_tls = true when a route's TLS mode is TerminateAndReencrypt so the proxy re-encrypts to backend servers.
+- Add start_tls_http_backend test helper and update integration tests to run TLS-enabled backend servers validating re-encryption behavior.
+- Make the selected upstream mutable to allow toggling the use_tls flag during request handling.
+
+## 2026-02-16 - 25.7.0 - feat(routes)
+add protocol-based route matching and ensure terminate-and-reencrypt routes HTTP through the full HTTP proxy; update docs and tests
+
+- Introduce a new 'protocol' match field for routes (supports 'http' and 'tcp') and preserve it through cloning/merging.
+- Add Rust integration test verifying terminate-and-reencrypt decrypts TLS and routes HTTP traffic via the HTTP proxy (per-request Host/path routing) instead of raw tunneling.
+- Add TypeScript unit tests covering protocol field validation, preservation, interaction with terminate-and-reencrypt, cloning, merging, and matching behavior.
+- Update README with a Protocol-Specific Routing section and clarify terminate-and-reencrypt behavior (HTTP routed via HTTP proxy; non-HTTP uses raw TLS-to-TLS tunnel).
+- Example config: include health check thresholds (unhealthyThreshold and healthyThreshold) in the sample healthCheck settings.
+
+## 2026-02-16 - 25.6.0 - feat(rustproxy)
+add protocol-based routing and backend TLS re-encryption support
+
+- Introduce optional route_match.protocol ("http" | "tcp") in Rust and TypeScript route types to allow protocol-restricted routing.
+- RouteManager: respect protocol field during matching and treat TLS connections without SNI as not matching domain-restricted routes (except wildcard-only routes).
+- HTTP proxy: add BackendStream abstraction to unify plain TCP and tokio-rustls TLS backend streams, and support connecting to upstreams over TLS (upstream.use_tls) with an InsecureBackendVerifier for internal/self-signed backends.
+- WebSocket and HTTP forwarding updated to use BackendStream so upstream TLS is handled transparently.
+- Passthrough listener: perform post-termination protocol detection for TerminateAndReencrypt; route HTTP flows into HttpProxyService and handle non-HTTP as TLS-to-TLS tunnel.
+- Add tests for protocol matching, TLS/no-SNI behavior, and other routing edge cases.
+- Add rustls and tokio-rustls dependencies (Cargo.toml/Cargo.lock updates).
+
+## 2026-02-16 - 25.5.0 - feat(tls)
+add shared TLS acceptor with SNI resolver and session resumption; prefer shared acceptor and fall back to per-connection when routes specify custom TLS versions
+
+- Add CertResolver that pre-parses PEM certs/keys into CertifiedKey instances for SNI-based lookup and cheap runtime resolution
+- Introduce build_shared_tls_acceptor to create a shared ServerConfig with session cache (4096) and Ticketer for session ticket resumption
+- Add ArcSwap<Option<TlsAcceptor>> shared_tls_acceptor to tcp_listener for hot-reloadable, pre-built acceptor and update accept loop/handlers to use it
+- set_tls_configs now attempts to build and store the shared TLS acceptor, falling back to per-connection acceptors on failure; raw PEM configs are still retained for route-level fallbacks
+- Add get_tls_acceptor helper: prefer shared acceptor for performance and session resumption, but build per-connection acceptor when a route requests custom TLS versions
+
+## 2026-02-16 - 25.4.0 - feat(rustproxy)
+support dynamically loaded TLS certificates via loadCertificate IPC and include them in listener TLS configs for rebuilds and hot-swap
+
+- Adds loaded_certs: HashMap<String, TlsCertConfig> to RustProxy to store certificates loaded at runtime
+- Merge loaded_certs into tls_configs in rebuild and listener hot-swap paths so dynamically loaded certs are served immediately
+- Persist loaded certificates on loadCertificate so future rebuilds include them
+
 ## 2026-02-15 - 25.3.1 - fix(plugins)
 remove unused dependencies and simplify plugin exports
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "25.3.1",
+  "version": "25.8.0",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",
@@ -9,7 +9,7 @@
   "author": "Lossless GmbH",
   "license": "MIT",
   "scripts": {
-    "test": "(tstest test/**/test*.ts --verbose --timeout 60 --logfile)",
+    "test": "(tsrust) && (tstest test/**/test*.ts --verbose --timeout 60 --logfile)",
     "build": "(tsbuild tsfolders --allowimplicitany) && (tsrust)",
     "format": "(gitzone format)",
     "buildDocs": "tsdoc"

readme.md

@@ -27,7 +27,7 @@ Whether you're building microservices, deploying edge infrastructure, or need a
 | 🦀 **Rust-Powered Engine** | All networking handled by a high-performance Rust binary via IPC |
 | 🔀 **Unified Route-Based Config** | Clean match/action patterns for intuitive traffic routing |
 | 🔒 **Automatic SSL/TLS** | Zero-config HTTPS with Let's Encrypt ACME integration |
-| 🎯 **Flexible Matching** | Route by port, domain, path, client IP, TLS version, headers, or custom logic |
+| 🎯 **Flexible Matching** | Route by port, domain, path, protocol, client IP, TLS version, headers, or custom logic |
 | 🚄 **High-Performance** | Choose between user-space or kernel-level (NFTables) forwarding |
 | ⚖️ **Load Balancing** | Round-robin, least-connections, IP-hash with health checks |
 | 🛡️ **Enterprise Security** | IP filtering, rate limiting, basic auth, JWT auth, connection limits |
@@ -89,7 +89,7 @@ SmartProxy uses a powerful **match/action** pattern that makes routing predictab
 ```
 
 Every route consists of:
-- **Match** — What traffic to capture (ports, domains, paths, IPs, headers)
+- **Match** — What traffic to capture (ports, domains, paths, protocol, IPs, headers)
 - **Action** — What to do with it (`forward` or `socket-handler`)
 - **Security** (optional) — IP allow/block lists, rate limits, authentication
 - **Headers** (optional) — Request/response header manipulation with template variables
@@ -103,7 +103,7 @@ SmartProxy supports three TLS handling modes:
 |------|-------------|----------|
 | `passthrough` | Forward encrypted traffic as-is (SNI-based routing) | Backend handles TLS |
 | `terminate` | Decrypt at proxy, forward plain HTTP to backend | Standard reverse proxy |
-| `terminate-and-reencrypt` | Decrypt, then re-encrypt to backend | Zero-trust environments |
+| `terminate-and-reencrypt` | Decrypt at proxy, re-encrypt to backend. HTTP traffic gets full per-request routing (Host header, path matching) via the HTTP proxy; non-HTTP traffic uses a raw TLS-to-TLS tunnel | Zero-trust / defense-in-depth environments |
 
 ## 💡 Common Use Cases
 
@@ -135,13 +135,13 @@ const proxy = new SmartProxy({
       ],
       {
         tls: { mode: 'terminate', certificate: 'auto' },
-        loadBalancing: {
+        algorithm: 'round-robin',
-          algorithm: 'round-robin',
+        healthCheck: {
-          healthCheck: {
+          path: '/health',
-            path: '/health',
+          interval: 30000,
-            interval: 30000,
+          timeout: 5000,
-            timeout: 5000
+          unhealthyThreshold: 3,
-          }
+          healthyThreshold: 2
         }
       }
     )
@@ -318,6 +318,42 @@ const proxy = new SmartProxy({
 
 > **Note:** Routes with dynamic functions (host/port callbacks) are automatically relayed through the TypeScript socket handler server, since JavaScript functions can't be serialized to Rust.
 
+### 🔀 Protocol-Specific Routing
+
+Restrict routes to specific application-layer protocols. When `protocol` is set, the Rust engine detects the protocol after connection (or after TLS termination) and only matches routes that accept that protocol:
+
+```typescript
+// HTTP-only route (rejects raw TCP connections)
+const httpOnlyRoute: IRouteConfig = {
+  name: 'http-api',
+  match: {
+    ports: 443,
+    domains: 'api.example.com',
+    protocol: 'http',   // Only match HTTP/1.1, HTTP/2, and WebSocket upgrades
+  },
+  action: {
+    type: 'forward',
+    targets: [{ host: 'api-backend', port: 8080 }],
+    tls: { mode: 'terminate', certificate: 'auto' }
+  }
+};
+
+// Raw TCP route (rejects HTTP traffic)
+const tcpOnlyRoute: IRouteConfig = {
+  name: 'database-proxy',
+  match: {
+    ports: 5432,
+    protocol: 'tcp',    // Only match non-HTTP TCP streams
+  },
+  action: {
+    type: 'forward',
+    targets: [{ host: 'db-server', port: 5432 }]
+  }
+};
+```
+
+> **Note:** Omitting `protocol` (the default) matches any protocol. For TLS routes, protocol detection happens *after* TLS termination — during the initial SNI-based route match, `protocol` is not yet known and the route is allowed to match. The protocol restriction is enforced after the proxy peeks at the decrypted data.
+
 ### 🔒 Security Controls
 
 Comprehensive per-route security options:
@@ -549,6 +585,7 @@ interface IRouteMatch {
   clientIp?: string[];                 // ['10.0.0.0/8', '192.168.*']
   tlsVersion?: string[];               // ['TLSv1.2', 'TLSv1.3']
   headers?: Record<string, string | RegExp>;  // Match by HTTP headers
+  protocol?: 'http' | 'tcp';          // Match specific protocol ('http' includes h2 + WebSocket upgrades)
 }
 ```
 

rust/Cargo.lock

@@ -509,7 +509,7 @@ dependencies = [
  "hyper",
  "libc",
  "pin-project-lite",
- "socket2",
+ "socket2 0.6.2",
  "tokio",
  "tower-service",
  "tracing",
@@ -936,6 +936,7 @@ dependencies = [
  "rustproxy-tls",
  "serde",
  "serde_json",
+ "tikv-jemallocator",
  "tokio",
  "tokio-rustls",
  "tokio-util",
@@ -966,12 +967,15 @@ dependencies = [
  "hyper",
  "hyper-util",
  "regex",
+ "rustls",
  "rustproxy-config",
  "rustproxy-metrics",
  "rustproxy-routing",
  "rustproxy-security",
+ "socket2 0.5.10",
  "thiserror 2.0.18",
  "tokio",
+ "tokio-rustls",
  "tokio-util",
  "tracing",
 ]
@@ -1017,6 +1021,7 @@ dependencies = [
  "rustproxy-routing",
  "serde",
  "serde_json",
+ "socket2 0.5.10",
  "thiserror 2.0.18",
  "tokio",
  "tokio-rustls",
@@ -1202,6 +1207,16 @@ version = "1.15.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
 
+[[package]]
+name = "socket2"
+version = "0.5.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e22376abed350d73dd1cd119b57ffccad95b4e585a7cda43e286245ce23c0678"
+dependencies = [
+ "libc",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "socket2"
 version = "0.6.2"
@@ -1284,6 +1299,26 @@ dependencies = [
  "cfg-if",
 ]
 
+[[package]]
+name = "tikv-jemalloc-sys"
+version = "0.6.1+5.3.0-1-ge13ca993e8ccb9ba9847cc330696e02839f328f7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cd8aa5b2ab86a2cefa406d889139c162cbb230092f7d1d7cbc1716405d852a3b"
+dependencies = [
+ "cc",
+ "libc",
+]
+
+[[package]]
+name = "tikv-jemallocator"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0359b4327f954e0567e69fb191cf1436617748813819c94b8cd4a431422d053a"
+dependencies = [
+ "libc",
+ "tikv-jemalloc-sys",
+]
+
 [[package]]
 name = "time"
 version = "0.3.47"
@@ -1327,7 +1362,7 @@ dependencies = [
  "parking_lot",
  "pin-project-lite",
  "signal-hook-registry",
- "socket2",
+ "socket2 0.6.2",
  "tokio-macros",
  "windows-sys 0.61.2",
 ]

rust/Cargo.toml

@@ -88,6 +88,12 @@ async-trait = "0.1"
 # libc for uid checks
 libc = "0.2"
 
+# Socket-level options (keepalive, etc.)
+socket2 = { version = "0.5", features = ["all"] }
+
+# jemalloc allocator (prevents glibc fragmentation / slow RSS growth)
+tikv-jemallocator = "0.6"
+
 # Internal crates
 rustproxy-config = { path = "crates/rustproxy-config" }
 rustproxy-routing = { path = "crates/rustproxy-routing" }

rust/crates/rustproxy-config/src/helpers.rs

@@ -17,6 +17,7 @@ pub fn create_http_route(
             client_ip: None,
             tls_version: None,
             headers: None,
+            protocol: None,
         },
         action: RouteAction {
             action_type: RouteActionType::Forward,
@@ -108,6 +109,7 @@ pub fn create_http_to_https_redirect(
             client_ip: None,
             tls_version: None,
             headers: None,
+            protocol: None,
         },
         action: RouteAction {
             action_type: RouteActionType::Forward,
@@ -200,6 +202,7 @@ pub fn create_load_balancer_route(
             client_ip: None,
             tls_version: None,
             headers: None,
+            protocol: None,
         },
         action: RouteAction {
             action_type: RouteActionType::Forward,

rust/crates/rustproxy-config/src/proxy_options.rs

@@ -208,6 +208,10 @@ pub struct RustProxyOptions {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub connection_rate_limit_per_minute: Option<u64>,
 
+    /// Global maximum simultaneous connections (default: 100000)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub max_connections: Option<u64>,
+
     // ─── Keep-Alive Settings ─────────────────────────────────────────
 
     /// How to treat keep-alive connections
@@ -272,6 +276,7 @@ impl Default for RustProxyOptions {
             enable_randomized_timeouts: None,
             max_connections_per_ip: None,
             connection_rate_limit_per_minute: None,
+            max_connections: None,
             keep_alive_treatment: None,
             keep_alive_inactivity_multiplier: None,
             extended_keep_alive_lifetime: None,

rust/crates/rustproxy-config/src/route_types.rs

@@ -114,6 +114,10 @@ pub struct RouteMatch {
     /// Match specific HTTP headers
     #[serde(skip_serializing_if = "Option::is_none")]
     pub headers: Option<HashMap<String, String>>,
+
+    /// Match specific protocol: "http" (includes h2 + websocket) or "tcp"
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub protocol: Option<String>,
 }
 
 // ─── Target Match ────────────────────────────────────────────────────

rust/crates/rustproxy-http/Cargo.toml

@@ -18,9 +18,12 @@ http-body = { workspace = true }
 http-body-util = { workspace = true }
 bytes = { workspace = true }
 tokio = { workspace = true }
+rustls = { workspace = true }
+tokio-rustls = { workspace = true }
 tracing = { workspace = true }
 thiserror = { workspace = true }
 anyhow = { workspace = true }
 arc-swap = { workspace = true }
 dashmap = { workspace = true }
 tokio-util = { workspace = true }
+socket2 = { workspace = true }

rust/crates/rustproxy-http/src/connection_pool.rs

@@ -0,0 +1,188 @@
+//! Backend connection pool for HTTP/1.1 and HTTP/2.
+//!
+//! Reuses idle keep-alive connections to avoid per-request TCP+TLS handshakes.
+//! HTTP/2 connections are multiplexed (clone the sender for each request).
+
+use std::sync::Arc;
+use std::time::{Duration, Instant};
+
+use bytes::Bytes;
+use dashmap::DashMap;
+use http_body_util::combinators::BoxBody;
+use hyper::client::conn::{http1, http2};
+use tracing::debug;
+
+/// Maximum idle connections per backend key.
+const MAX_IDLE_PER_KEY: usize = 16;
+/// Default idle timeout — connections not used within this window are evicted.
+const IDLE_TIMEOUT: Duration = Duration::from_secs(90);
+/// Background eviction interval.
+const EVICTION_INTERVAL: Duration = Duration::from_secs(30);
+
+/// Identifies a unique backend endpoint.
+#[derive(Clone, Debug, Hash, Eq, PartialEq)]
+pub struct PoolKey {
+    pub host: String,
+    pub port: u16,
+    pub use_tls: bool,
+    pub h2: bool,
+}
+
+/// An idle HTTP/1.1 sender with a timestamp for eviction.
+struct IdleH1 {
+    sender: http1::SendRequest<BoxBody<Bytes, hyper::Error>>,
+    idle_since: Instant,
+}
+
+/// A pooled HTTP/2 sender (multiplexed, Clone-able).
+struct PooledH2 {
+    sender: http2::SendRequest<BoxBody<Bytes, hyper::Error>>,
+    #[allow(dead_code)] // Reserved for future age-based eviction
+    created_at: Instant,
+}
+
+/// Backend connection pool.
+pub struct ConnectionPool {
+    /// HTTP/1.1 idle connections indexed by backend key.
+    h1_pool: Arc<DashMap<PoolKey, Vec<IdleH1>>>,
+    /// HTTP/2 multiplexed connections indexed by backend key.
+    h2_pool: Arc<DashMap<PoolKey, PooledH2>>,
+    /// Handle for the background eviction task.
+    eviction_handle: Option<tokio::task::JoinHandle<()>>,
+}
+
+impl ConnectionPool {
+    /// Create a new pool and start the background eviction task.
+    pub fn new() -> Self {
+        let h1_pool: Arc<DashMap<PoolKey, Vec<IdleH1>>> = Arc::new(DashMap::new());
+        let h2_pool: Arc<DashMap<PoolKey, PooledH2>> = Arc::new(DashMap::new());
+
+        let h1_clone = Arc::clone(&h1_pool);
+        let h2_clone = Arc::clone(&h2_pool);
+        let eviction_handle = tokio::spawn(async move {
+            Self::eviction_loop(h1_clone, h2_clone).await;
+        });
+
+        Self {
+            h1_pool,
+            h2_pool,
+            eviction_handle: Some(eviction_handle),
+        }
+    }
+
+    /// Try to check out an idle HTTP/1.1 sender for the given key.
+    /// Returns `None` if no usable idle connection exists.
+    pub fn checkout_h1(&self, key: &PoolKey) -> Option<http1::SendRequest<BoxBody<Bytes, hyper::Error>>> {
+        let mut entry = self.h1_pool.get_mut(key)?;
+        let idles = entry.value_mut();
+
+        while let Some(idle) = idles.pop() {
+            // Check if the connection is still alive and ready
+            if idle.idle_since.elapsed() < IDLE_TIMEOUT && idle.sender.is_ready() && !idle.sender.is_closed() {
+                debug!("Pool hit (h1): {}:{}", key.host, key.port);
+                return Some(idle.sender);
+            }
+            // Stale or closed — drop it
+        }
+
+        // Clean up empty entry
+        if idles.is_empty() {
+            drop(entry);
+            self.h1_pool.remove(key);
+        }
+        None
+    }
+
+    /// Return an HTTP/1.1 sender to the pool after the response body has been prepared.
+    /// The caller should NOT call this if the sender is closed or not ready.
+    pub fn checkin_h1(&self, key: PoolKey, sender: http1::SendRequest<BoxBody<Bytes, hyper::Error>>) {
+        if sender.is_closed() || !sender.is_ready() {
+            return; // Don't pool broken connections
+        }
+
+        let mut entry = self.h1_pool.entry(key).or_insert_with(Vec::new);
+        if entry.value().len() < MAX_IDLE_PER_KEY {
+            entry.value_mut().push(IdleH1 {
+                sender,
+                idle_since: Instant::now(),
+            });
+        }
+        // If at capacity, just drop the sender
+    }
+
+    /// Try to get a cloned HTTP/2 sender for the given key.
+    /// HTTP/2 senders are Clone-able (multiplexed), so we clone rather than remove.
+    pub fn checkout_h2(&self, key: &PoolKey) -> Option<http2::SendRequest<BoxBody<Bytes, hyper::Error>>> {
+        let entry = self.h2_pool.get(key)?;
+        let pooled = entry.value();
+
+        // Check if the h2 connection is still alive
+        if pooled.sender.is_closed() {
+            drop(entry);
+            self.h2_pool.remove(key);
+            return None;
+        }
+
+        if pooled.sender.is_ready() {
+            debug!("Pool hit (h2): {}:{}", key.host, key.port);
+            return Some(pooled.sender.clone());
+        }
+        None
+    }
+
+    /// Register an HTTP/2 sender in the pool. Since h2 is multiplexed,
+    /// only one sender per key is stored (it's Clone-able).
+    pub fn register_h2(&self, key: PoolKey, sender: http2::SendRequest<BoxBody<Bytes, hyper::Error>>) {
+        if sender.is_closed() {
+            return;
+        }
+        self.h2_pool.insert(key, PooledH2 {
+            sender,
+            created_at: Instant::now(),
+        });
+    }
+
+    /// Background eviction loop — runs every EVICTION_INTERVAL to remove stale connections.
+    async fn eviction_loop(
+        h1_pool: Arc<DashMap<PoolKey, Vec<IdleH1>>>,
+        h2_pool: Arc<DashMap<PoolKey, PooledH2>>,
+    ) {
+        let mut interval = tokio::time::interval(EVICTION_INTERVAL);
+        loop {
+            interval.tick().await;
+
+            // Evict stale H1 connections
+            let mut empty_keys = Vec::new();
+            for mut entry in h1_pool.iter_mut() {
+                entry.value_mut().retain(|idle| {
+                    idle.idle_since.elapsed() < IDLE_TIMEOUT && !idle.sender.is_closed()
+                });
+                if entry.value().is_empty() {
+                    empty_keys.push(entry.key().clone());
+                }
+            }
+            for key in empty_keys {
+                h1_pool.remove(&key);
+            }
+
+            // Evict dead H2 connections
+            let mut dead_h2 = Vec::new();
+            for entry in h2_pool.iter() {
+                if entry.value().sender.is_closed() {
+                    dead_h2.push(entry.key().clone());
+                }
+            }
+            for key in dead_h2 {
+                h2_pool.remove(&key);
+            }
+        }
+    }
+}
+
+impl Drop for ConnectionPool {
+    fn drop(&mut self) {
+        if let Some(handle) = self.eviction_handle.take() {
+            handle.abort();
+        }
+    }
+}

rust/crates/rustproxy-http/src/lib.rs

@@ -3,6 +3,7 @@
 //! Hyper-based HTTP proxy service for RustProxy.
 //! Handles HTTP request parsing, route-based forwarding, and response filtering.
 
+pub mod connection_pool;
 pub mod counting_body;
 pub mod proxy_service;
 pub mod request_filter;
@@ -10,6 +11,7 @@ pub mod response_filter;
 pub mod template;
 pub mod upstream_selector;
 
+pub use connection_pool::*;
 pub use counting_body::*;
 pub use proxy_service::*;
 pub use template::*;

rust/crates/rustproxy-http/src/proxy_service.rs

@@ -9,6 +9,7 @@ use std::sync::Arc;
 use std::sync::atomic::{AtomicU64, Ordering};
 
 use bytes::Bytes;
+use dashmap::DashMap;
 use http_body_util::{BodyExt, Full, combinators::BoxBody};
 use hyper::body::Incoming;
 use hyper::{Request, Response, StatusCode};
@@ -18,8 +19,12 @@ use tokio::net::TcpStream;
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, error, info, warn};
 
+use std::pin::Pin;
+use std::task::{Context, Poll};
+
 use rustproxy_routing::RouteManager;
 use rustproxy_metrics::MetricsCollector;
+use rustproxy_security::RateLimiter;
 
 use crate::counting_body::{CountingBody, Direction};
 use crate::request_filter::RequestFilter;
@@ -35,6 +40,74 @@ const DEFAULT_WS_INACTIVITY_TIMEOUT: std::time::Duration = std::time::Duration::
 /// Default WebSocket max lifetime (24 hours).
 const DEFAULT_WS_MAX_LIFETIME: std::time::Duration = std::time::Duration::from_secs(86400);
 
+/// Backend stream that can be either plain TCP or TLS-wrapped.
+/// Used for `terminate-and-reencrypt` mode where the backend requires TLS.
+pub(crate) enum BackendStream {
+    Plain(TcpStream),
+    Tls(tokio_rustls::client::TlsStream<TcpStream>),
+}
+
+impl tokio::io::AsyncRead for BackendStream {
+    fn poll_read(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &mut tokio::io::ReadBuf<'_>,
+    ) -> Poll<std::io::Result<()>> {
+        match self.get_mut() {
+            BackendStream::Plain(s) => Pin::new(s).poll_read(cx, buf),
+            BackendStream::Tls(s) => Pin::new(s).poll_read(cx, buf),
+        }
+    }
+}
+
+impl tokio::io::AsyncWrite for BackendStream {
+    fn poll_write(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<std::io::Result<usize>> {
+        match self.get_mut() {
+            BackendStream::Plain(s) => Pin::new(s).poll_write(cx, buf),
+            BackendStream::Tls(s) => Pin::new(s).poll_write(cx, buf),
+        }
+    }
+
+    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
+        match self.get_mut() {
+            BackendStream::Plain(s) => Pin::new(s).poll_flush(cx),
+            BackendStream::Tls(s) => Pin::new(s).poll_flush(cx),
+        }
+    }
+
+    fn poll_shutdown(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
+        match self.get_mut() {
+            BackendStream::Plain(s) => Pin::new(s).poll_shutdown(cx),
+            BackendStream::Tls(s) => Pin::new(s).poll_shutdown(cx),
+        }
+    }
+}
+
+/// Connect to a backend over TLS using the shared backend TLS config
+/// (from tls_handler). Session resumption is automatic.
+async fn connect_tls_backend(
+    backend_tls_config: &Arc<rustls::ClientConfig>,
+    host: &str,
+    port: u16,
+) -> Result<tokio_rustls::client::TlsStream<TcpStream>, Box<dyn std::error::Error + Send + Sync>> {
+    let connector = tokio_rustls::TlsConnector::from(Arc::clone(backend_tls_config));
+    let stream = TcpStream::connect(format!("{}:{}", host, port)).await?;
+    stream.set_nodelay(true)?;
+    // Apply keepalive with 60s default
+    let _ = socket2::SockRef::from(&stream).set_tcp_keepalive(
+        &socket2::TcpKeepalive::new().with_time(std::time::Duration::from_secs(60))
+    );
+
+    let server_name = rustls::pki_types::ServerName::try_from(host.to_string())?;
+    let tls_stream = connector.connect(server_name, stream).await?;
+    debug!("Backend TLS connection established to {}:{}", host, port);
+    Ok(tls_stream)
+}
+
 /// HTTP proxy service that processes HTTP traffic.
 pub struct HttpProxyService {
     route_manager: Arc<RouteManager>,
@@ -42,6 +115,16 @@ pub struct HttpProxyService {
     upstream_selector: UpstreamSelector,
     /// Timeout for connecting to upstream backends.
     connect_timeout: std::time::Duration,
+    /// Per-route rate limiters (keyed by route ID).
+    route_rate_limiters: Arc<DashMap<String, Arc<RateLimiter>>>,
+    /// Request counter for periodic rate limiter cleanup.
+    request_counter: AtomicU64,
+    /// Cache of compiled URL rewrite regexes (keyed by pattern string).
+    regex_cache: DashMap<String, Regex>,
+    /// Shared backend TLS config for session resumption across connections.
+    backend_tls_config: Arc<rustls::ClientConfig>,
+    /// Backend connection pool for reusing keep-alive connections.
+    connection_pool: Arc<crate::connection_pool::ConnectionPool>,
 }
 
 impl HttpProxyService {
@@ -51,6 +134,11 @@ impl HttpProxyService {
             metrics,
             upstream_selector: UpstreamSelector::new(),
             connect_timeout: DEFAULT_CONNECT_TIMEOUT,
+            route_rate_limiters: Arc::new(DashMap::new()),
+            request_counter: AtomicU64::new(0),
+            regex_cache: DashMap::new(),
+            backend_tls_config: Self::default_backend_tls_config(),
+            connection_pool: Arc::new(crate::connection_pool::ConnectionPool::new()),
         }
     }
 
@@ -65,9 +153,28 @@ impl HttpProxyService {
             metrics,
             upstream_selector: UpstreamSelector::new(),
             connect_timeout,
+            route_rate_limiters: Arc::new(DashMap::new()),
+            request_counter: AtomicU64::new(0),
+            regex_cache: DashMap::new(),
+            backend_tls_config: Self::default_backend_tls_config(),
+            connection_pool: Arc::new(crate::connection_pool::ConnectionPool::new()),
         }
     }
 
+    /// Set the shared backend TLS config (enables session resumption).
+    /// Call this after construction to inject the shared config from tls_handler.
+    pub fn set_backend_tls_config(&mut self, config: Arc<rustls::ClientConfig>) {
+        self.backend_tls_config = config;
+    }
+
+    /// Prune caches for route IDs that are no longer active.
+    /// Call after route updates to prevent unbounded growth.
+    pub fn prune_stale_routes(&self, active_route_ids: &std::collections::HashSet<String>) {
+        self.route_rate_limiters.retain(|k, _| active_route_ids.contains(k));
+        self.regex_cache.clear();
+        self.upstream_selector.reset_round_robin();
+    }
+
     /// Handle an incoming HTTP connection on a plain TCP stream.
     pub async fn handle_connection(
         self: Arc<Self>,
@@ -81,8 +188,10 @@ impl HttpProxyService {
 
     /// Handle an incoming HTTP connection on any IO type (plain TCP or TLS-terminated).
     ///
-    /// Uses HTTP/1.1 with upgrade support. Responds to graceful shutdown via the
+    /// Uses `hyper_util::server::conn::auto::Builder` to auto-detect h1 vs h2
-    /// cancel token — in-flight requests complete, but no new requests are accepted.
+    /// based on ALPN negotiation (TLS) or connection preface (h2c).
+    /// Supports HTTP/1.1 upgrades (WebSocket) and HTTP/2 CONNECT.
+    /// Responds to graceful shutdown via the cancel token.
     pub async fn handle_io<I>(
         self: Arc<Self>,
         stream: I,
@@ -105,24 +214,23 @@ impl HttpProxyService {
             }
         });
 
-        // Use http1::Builder with upgrades for WebSocket support
+        // Auto-detect h1 vs h2 based on ALPN / connection preface.
-        let mut conn = hyper::server::conn::http1::Builder::new()
+        // serve_connection_with_upgrades supports h1 Upgrade (WebSocket) and h2 CONNECT.
-            .keep_alive(true)
+        let builder = hyper_util::server::conn::auto::Builder::new(hyper_util::rt::TokioExecutor::new());
-            .serve_connection(io, service)
+        let conn = builder.serve_connection_with_upgrades(io, service);
-            .with_upgrades();
+        // Pin on the heap — auto::UpgradeableConnection is !Unpin
+        let mut conn = Box::pin(conn);
 
         // Use select to support graceful shutdown via cancellation token
-        let conn_pin = std::pin::Pin::new(&mut conn);
         tokio::select! {
-            result = conn_pin => {
+            result = conn.as_mut() => {
                 if let Err(e) = result {
                     debug!("HTTP connection error from {}: {}", peer_addr, e);
                 }
             }
             _ = cancel.cancelled() => {
                 // Graceful shutdown: let in-flight request finish, stop accepting new ones
-                let conn_pin = std::pin::Pin::new(&mut conn);
+                conn.as_mut().graceful_shutdown();
-                conn_pin.graceful_shutdown();
                 if let Err(e) = conn.await {
                     debug!("HTTP connection error during shutdown from {}: {}", peer_addr, e);
                 }
@@ -144,7 +252,10 @@ impl HttpProxyService {
             .map(|h| {
                 // Strip port from host header
                 h.split(':').next().unwrap_or(h).to_string()
-            });
+            })
+            // HTTP/2 uses :authority pseudo-header instead of Host;
+            // hyper maps it to the URI authority component
+            .or_else(|| req.uri().host().map(|h| h.to_string()));
 
         let path = req.uri().path().to_string();
         let method = req.method().clone();
@@ -173,6 +284,7 @@ impl HttpProxyService {
             tls_version: None,
             headers: Some(&headers),
             is_tls: false,
+            protocol: Some("http"),
         };
 
         let route_match = match self.route_manager.find_route(&ctx) {
@@ -186,20 +298,37 @@ impl HttpProxyService {
         let route_id = route_match.route.id.as_deref();
         let ip_str = peer_addr.ip().to_string();
         self.metrics.record_http_request();
-        self.metrics.connection_opened(route_id, Some(&ip_str));
 
         // Apply request filters (IP check, rate limiting, auth)
         if let Some(ref security) = route_match.route.security {
-            if let Some(response) = RequestFilter::apply(security, &req, &peer_addr) {
+            // Look up or create a shared rate limiter for this route
-                self.metrics.connection_closed(route_id, Some(&ip_str));
+            let rate_limiter = security.rate_limit.as_ref()
+                .filter(|rl| rl.enabled)
+                .map(|rl| {
+                    let route_key = route_id.unwrap_or("__default__").to_string();
+                    self.route_rate_limiters
+                        .entry(route_key)
+                        .or_insert_with(|| Arc::new(RateLimiter::new(rl.max_requests, rl.window)))
+                        .clone()
+                });
+            if let Some(response) = RequestFilter::apply_with_rate_limiter(
+                security, &req, &peer_addr, rate_limiter.as_ref(),
+            ) {
                 return Ok(response);
             }
         }
 
+        // Periodic rate limiter cleanup (every 1000 requests)
+        let count = self.request_counter.fetch_add(1, Ordering::Relaxed);
+        if count % 1000 == 0 {
+            for entry in self.route_rate_limiters.iter() {
+                entry.value().cleanup();
+            }
+        }
+
         // Check for test response (returns immediately, no upstream needed)
         if let Some(ref advanced) = route_match.route.action.advanced {
             if let Some(ref test_response) = advanced.test_response {
-                self.metrics.connection_closed(route_id, Some(&ip_str));
                 return Ok(Self::build_test_response(test_response));
             }
         }
@@ -207,7 +336,6 @@ impl HttpProxyService {
         // Check for static file serving
         if let Some(ref advanced) = route_match.route.action.advanced {
             if let Some(ref static_files) = advanced.static_files {
-                self.metrics.connection_closed(route_id, Some(&ip_str));
                 return Ok(Self::serve_static_file(&path, static_files));
             }
         }
@@ -216,12 +344,19 @@ impl HttpProxyService {
         let target = match route_match.target {
             Some(t) => t,
             None => {
-                self.metrics.connection_closed(route_id, Some(&ip_str));
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "No target available"));
             }
         };
 
-        let upstream = self.upstream_selector.select(target, &peer_addr, port);
+        let mut upstream = self.upstream_selector.select(target, &peer_addr, port);
+
+        // If the route uses terminate-and-reencrypt, always re-encrypt to backend
+        if let Some(ref tls) = route_match.route.action.tls {
+            if tls.mode == rustproxy_config::TlsMode::TerminateAndReencrypt {
+                upstream.use_tls = true;
+            }
+        }
+
         let upstream_key = format!("{}:{}", upstream.host, upstream.port);
         self.upstream_selector.connection_started(&upstream_key);
 
@@ -253,7 +388,7 @@ impl HttpProxyService {
                 Some(q) => format!("{}?{}", path, q),
                 None => path.clone(),
             };
-            Self::apply_url_rewrite(&raw_path, &route_match.route)
+            self.apply_url_rewrite(&raw_path, &route_match.route)
         };
 
         // Build upstream request - stream body instead of buffering
@@ -273,58 +408,164 @@ impl HttpProxyService {
             }
         }
 
-        // Connect to upstream with timeout
+        // Ensure Host header is set (HTTP/2 requests don't have Host; need it for h1 backends)
-        let upstream_stream = match tokio::time::timeout(
+        if !upstream_headers.contains_key("host") {
-            self.connect_timeout,
+            if let Some(ref h) = host {
-            TcpStream::connect(format!("{}:{}", upstream.host, upstream.port)),
+                if let Ok(val) = hyper::header::HeaderValue::from_str(h) {
-        ).await {
+                    upstream_headers.insert(hyper::header::HOST, val);
-            Ok(Ok(s)) => s,
+                }
-            Ok(Err(e)) => {
-                error!("Failed to connect to upstream {}:{}: {}", upstream.host, upstream.port, e);
-                self.upstream_selector.connection_ended(&upstream_key);
-                self.metrics.connection_closed(route_id, Some(&ip_str));
-                return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable"));
             }
-            Err(_) => {
+        }
-                error!("Upstream connect timeout for {}:{}", upstream.host, upstream.port);
+
+        // Add standard reverse-proxy headers (X-Forwarded-*)
+        {
+            let original_host = host.as_deref().unwrap_or("");
+            let forwarded_proto = if route_match.route.action.tls.as_ref()
+                .map(|t| matches!(t.mode,
+                    rustproxy_config::TlsMode::Terminate
+                    | rustproxy_config::TlsMode::TerminateAndReencrypt))
+                .unwrap_or(false)
+            {
+                "https"
+            } else {
+                "http"
+            };
+
+            // X-Forwarded-For: append client IP to existing chain
+            let client_ip = peer_addr.ip().to_string();
+            let xff_value = if let Some(existing) = upstream_headers.get("x-forwarded-for") {
+                format!("{}, {}", existing.to_str().unwrap_or(""), client_ip)
+            } else {
+                client_ip
+            };
+            if let Ok(val) = hyper::header::HeaderValue::from_str(&xff_value) {
+                upstream_headers.insert(
+                    hyper::header::HeaderName::from_static("x-forwarded-for"),
+                    val,
+                );
+            }
+            // X-Forwarded-Host: original Host header
+            if let Ok(val) = hyper::header::HeaderValue::from_str(original_host) {
+                upstream_headers.insert(
+                    hyper::header::HeaderName::from_static("x-forwarded-host"),
+                    val,
+                );
+            }
+            // X-Forwarded-Proto: original client protocol
+            if let Ok(val) = hyper::header::HeaderValue::from_str(forwarded_proto) {
+                upstream_headers.insert(
+                    hyper::header::HeaderName::from_static("x-forwarded-proto"),
+                    val,
+                );
+            }
+        }
+
+        // --- Connection pooling: try reusing an existing connection first ---
+        let pool_key = crate::connection_pool::PoolKey {
+            host: upstream.host.clone(),
+            port: upstream.port,
+            use_tls: upstream.use_tls,
+            h2: use_h2,
+        };
+
+        // Try pooled connection first (H2 only — H2 senders are Clone and multiplexed,
+        // so checkout doesn't consume request parts. For H1, we try pool inside forward_h1.)
+        if use_h2 {
+            if let Some(sender) = self.connection_pool.checkout_h2(&pool_key) {
+                let result = self.forward_h2_pooled(
+                    sender, parts, body, upstream_headers, &upstream_path,
+                    route_match.route, route_id, &ip_str, &pool_key,
+                ).await;
                 self.upstream_selector.connection_ended(&upstream_key);
-                self.metrics.connection_closed(route_id, Some(&ip_str));
+                return result;
-                return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend connect timeout"));
+            }
+        }
+
+        // Fresh connection path
+        let backend = if upstream.use_tls {
+            match tokio::time::timeout(
+                self.connect_timeout,
+                connect_tls_backend(&self.backend_tls_config, &upstream.host, upstream.port),
+            ).await {
+                Ok(Ok(tls)) => BackendStream::Tls(tls),
+                Ok(Err(e)) => {
+                    error!("Failed TLS connect to upstream {}:{}: {}", upstream.host, upstream.port, e);
+                    self.upstream_selector.connection_ended(&upstream_key);
+                    return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend TLS unavailable"));
+                }
+                Err(_) => {
+                    error!("Upstream TLS connect timeout for {}:{}", upstream.host, upstream.port);
+                    self.upstream_selector.connection_ended(&upstream_key);
+                    return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend TLS connect timeout"));
+                }
+            }
+        } else {
+            match tokio::time::timeout(
+                self.connect_timeout,
+                TcpStream::connect(format!("{}:{}", upstream.host, upstream.port)),
+            ).await {
+                Ok(Ok(s)) => {
+                    s.set_nodelay(true).ok();
+                    let _ = socket2::SockRef::from(&s).set_tcp_keepalive(
+                        &socket2::TcpKeepalive::new().with_time(std::time::Duration::from_secs(60))
+                    );
+                    BackendStream::Plain(s)
+                }
+                Ok(Err(e)) => {
+                    error!("Failed to connect to upstream {}:{}: {}", upstream.host, upstream.port, e);
+                    self.upstream_selector.connection_ended(&upstream_key);
+                    return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable"));
+                }
+                Err(_) => {
+                    error!("Upstream connect timeout for {}:{}", upstream.host, upstream.port);
+                    self.upstream_selector.connection_ended(&upstream_key);
+                    return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend connect timeout"));
+                }
             }
         };
-        upstream_stream.set_nodelay(true).ok();
 
-        let io = TokioIo::new(upstream_stream);
+        let io = TokioIo::new(backend);
 
         let result = if use_h2 {
-            // HTTP/2 backend
+            self.forward_h2(io, parts, body, upstream_headers, &upstream_path, &upstream, route_match.route, route_id, &ip_str, &pool_key).await
-            self.forward_h2(io, parts, body, upstream_headers, &upstream_path, &upstream, route_match.route, route_id, &ip_str).await
         } else {
-            // HTTP/1.1 backend (default)
+            self.forward_h1(io, parts, body, upstream_headers, &upstream_path, &upstream, route_match.route, route_id, &ip_str, &pool_key).await
-            self.forward_h1(io, parts, body, upstream_headers, &upstream_path, &upstream, route_match.route, route_id, &ip_str).await
         };
         self.upstream_selector.connection_ended(&upstream_key);
         result
     }
 
     /// Forward request to backend via HTTP/1.1 with body streaming.
+    /// Tries a pooled connection first; if unavailable, uses the fresh IO connection.
     async fn forward_h1(
         &self,
-        io: TokioIo<TcpStream>,
+        io: TokioIo<BackendStream>,
         parts: hyper::http::request::Parts,
         body: Incoming,
         upstream_headers: hyper::HeaderMap,
         upstream_path: &str,
-        upstream: &crate::upstream_selector::UpstreamSelection,
+        _upstream: &crate::upstream_selector::UpstreamSelection,
         route: &rustproxy_config::RouteConfig,
         route_id: Option<&str>,
         source_ip: &str,
+        pool_key: &crate::connection_pool::PoolKey,
     ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
-        let (mut sender, conn) = match hyper::client::conn::http1::handshake(io).await {
+        // Try pooled H1 connection first — avoids TCP+TLS handshake
+        if let Some(pooled_sender) = self.connection_pool.checkout_h1(pool_key) {
+            return self.forward_h1_with_sender(
+                pooled_sender, parts, body, upstream_headers, upstream_path,
+                route, route_id, source_ip, pool_key,
+            ).await;
+        }
+
+        // Fresh connection: explicitly type the handshake with BoxBody for uniform pool type
+        let (sender, conn): (
+            hyper::client::conn::http1::SendRequest<BoxBody<Bytes, hyper::Error>>,
+            hyper::client::conn::http1::Connection<TokioIo<BackendStream>, BoxBody<Bytes, hyper::Error>>,
+        ) = match hyper::client::conn::http1::handshake(io).await {
             Ok(h) => h,
             Err(e) => {
                 error!("Upstream handshake failed: {}", e);
-                self.metrics.connection_closed(route_id, Some(source_ip));
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend handshake failed"));
             }
         };
@@ -335,21 +576,33 @@ impl HttpProxyService {
             }
         });
 
+        self.forward_h1_with_sender(sender, parts, body, upstream_headers, upstream_path, route, route_id, source_ip, pool_key).await
+    }
+
+    /// Common H1 forwarding logic used by both fresh and pooled paths.
+    async fn forward_h1_with_sender(
+        &self,
+        mut sender: hyper::client::conn::http1::SendRequest<BoxBody<Bytes, hyper::Error>>,
+        parts: hyper::http::request::Parts,
+        body: Incoming,
+        upstream_headers: hyper::HeaderMap,
+        upstream_path: &str,
+        route: &rustproxy_config::RouteConfig,
+        route_id: Option<&str>,
+        source_ip: &str,
+        pool_key: &crate::connection_pool::PoolKey,
+    ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
+        // Always use HTTP/1.1 for h1 backend connections (h2 incoming requests have version HTTP/2.0)
         let mut upstream_req = Request::builder()
             .method(parts.method)
             .uri(upstream_path)
-            .version(parts.version);
+            .version(hyper::Version::HTTP_11);
 
         if let Some(headers) = upstream_req.headers_mut() {
             *headers = upstream_headers;
-            if let Ok(host_val) = hyper::header::HeaderValue::from_str(
-                &format!("{}:{}", upstream.host, upstream.port)
-            ) {
-                headers.insert(hyper::header::HOST, host_val);
-            }
         }
 
-        // Wrap the request body in CountingBody to track bytes_in
+        // Wrap the request body in CountingBody then box it for the uniform pool type
         let counting_req_body = CountingBody::new(
             body,
             Arc::clone(&self.metrics),
@@ -357,41 +610,48 @@ impl HttpProxyService {
             Some(source_ip.to_string()),
             Direction::In,
         );
+        let boxed_body: BoxBody<Bytes, hyper::Error> = BoxBody::new(counting_req_body);
 
-        // Stream the request body through to upstream
+        let upstream_req = upstream_req.body(boxed_body).unwrap();
-        let upstream_req = upstream_req.body(counting_req_body).unwrap();
 
         let upstream_response = match sender.send_request(upstream_req).await {
             Ok(resp) => resp,
             Err(e) => {
                 error!("Upstream request failed: {}", e);
-                self.metrics.connection_closed(route_id, Some(source_ip));
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend request failed"));
             }
         };
 
+        // Return sender to pool (body streams lazily, sender is reusable once response head is received)
+        self.connection_pool.checkin_h1(pool_key.clone(), sender);
+
         self.build_streaming_response(upstream_response, route, route_id, source_ip).await
     }
 
-    /// Forward request to backend via HTTP/2 with body streaming.
+    /// Forward request to backend via HTTP/2 with body streaming (fresh connection).
+    /// Registers the h2 sender in the pool for future multiplexed requests.
     async fn forward_h2(
         &self,
-        io: TokioIo<TcpStream>,
+        io: TokioIo<BackendStream>,
         parts: hyper::http::request::Parts,
         body: Incoming,
         upstream_headers: hyper::HeaderMap,
         upstream_path: &str,
-        upstream: &crate::upstream_selector::UpstreamSelection,
+        _upstream: &crate::upstream_selector::UpstreamSelection,
         route: &rustproxy_config::RouteConfig,
         route_id: Option<&str>,
         source_ip: &str,
+        pool_key: &crate::connection_pool::PoolKey,
     ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
         let exec = hyper_util::rt::TokioExecutor::new();
-        let (mut sender, conn) = match hyper::client::conn::http2::handshake(exec, io).await {
+        // Explicitly type the handshake with BoxBody for uniform pool type
+        let (sender, conn): (
+            hyper::client::conn::http2::SendRequest<BoxBody<Bytes, hyper::Error>>,
+            hyper::client::conn::http2::Connection<TokioIo<BackendStream>, BoxBody<Bytes, hyper::Error>, hyper_util::rt::TokioExecutor>,
+        ) = match hyper::client::conn::http2::handshake(exec, io).await {
             Ok(h) => h,
             Err(e) => {
                 error!("HTTP/2 upstream handshake failed: {}", e);
-                self.metrics.connection_closed(route_id, Some(source_ip));
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend H2 handshake failed"));
             }
         };
@@ -402,20 +662,49 @@ impl HttpProxyService {
             }
         });
 
+        // Register for multiplexed reuse
+        self.connection_pool.register_h2(pool_key.clone(), sender.clone());
+
+        self.forward_h2_with_sender(sender, parts, body, upstream_headers, upstream_path, route, route_id, source_ip).await
+    }
+
+    /// Forward request using an existing (pooled) HTTP/2 sender.
+    async fn forward_h2_pooled(
+        &self,
+        sender: hyper::client::conn::http2::SendRequest<BoxBody<Bytes, hyper::Error>>,
+        parts: hyper::http::request::Parts,
+        body: Incoming,
+        upstream_headers: hyper::HeaderMap,
+        upstream_path: &str,
+        route: &rustproxy_config::RouteConfig,
+        route_id: Option<&str>,
+        source_ip: &str,
+        _pool_key: &crate::connection_pool::PoolKey,
+    ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
+        self.forward_h2_with_sender(sender, parts, body, upstream_headers, upstream_path, route, route_id, source_ip).await
+    }
+
+    /// Common H2 forwarding logic used by both fresh and pooled paths.
+    async fn forward_h2_with_sender(
+        &self,
+        mut sender: hyper::client::conn::http2::SendRequest<BoxBody<Bytes, hyper::Error>>,
+        parts: hyper::http::request::Parts,
+        body: Incoming,
+        upstream_headers: hyper::HeaderMap,
+        upstream_path: &str,
+        route: &rustproxy_config::RouteConfig,
+        route_id: Option<&str>,
+        source_ip: &str,
+    ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
         let mut upstream_req = Request::builder()
             .method(parts.method)
             .uri(upstream_path);
 
         if let Some(headers) = upstream_req.headers_mut() {
             *headers = upstream_headers;
-            if let Ok(host_val) = hyper::header::HeaderValue::from_str(
-                &format!("{}:{}", upstream.host, upstream.port)
-            ) {
-                headers.insert(hyper::header::HOST, host_val);
-            }
         }
 
-        // Wrap the request body in CountingBody to track bytes_in
+        // Wrap the request body in CountingBody then box it for the uniform pool type
         let counting_req_body = CountingBody::new(
             body,
             Arc::clone(&self.metrics),
@@ -423,15 +712,14 @@ impl HttpProxyService {
             Some(source_ip.to_string()),
             Direction::In,
         );
+        let boxed_body: BoxBody<Bytes, hyper::Error> = BoxBody::new(counting_req_body);
 
-        // Stream the request body through to upstream
+        let upstream_req = upstream_req.body(boxed_body).unwrap();
-        let upstream_req = upstream_req.body(counting_req_body).unwrap();
 
         let upstream_response = match sender.send_request(upstream_req).await {
             Ok(resp) => resp,
             Err(e) => {
                 error!("HTTP/2 upstream request failed: {}", e);
-                self.metrics.connection_closed(route_id, Some(source_ip));
                 return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend H2 request failed"));
             }
         };
@@ -442,8 +730,7 @@ impl HttpProxyService {
     /// Build the client-facing response from an upstream response, streaming the body.
     ///
     /// The response body is wrapped in a `CountingBody` that counts bytes as they
-    /// stream from upstream to client. When the body is fully consumed (or dropped),
+    /// stream from upstream to client.
-    /// it reports byte counts to the metrics collector and calls `connection_closed`.
     async fn build_streaming_response(
         &self,
         upstream_response: Response<Incoming>,
@@ -472,11 +759,6 @@ impl HttpProxyService {
             Direction::Out,
         );
 
-        // Close the connection metric now — the HTTP request/response cycle is done
-        // from the proxy's perspective once we hand the streaming body to hyper.
-        // Bytes will still be counted as they flow.
-        self.metrics.connection_closed(route_id, Some(source_ip));
-
         let body: BoxBody<Bytes, hyper::Error> = BoxBody::new(counting_body);
 
         Ok(response.body(body).unwrap())
@@ -508,7 +790,6 @@ impl HttpProxyService {
                     .unwrap_or("");
                 if !allowed_origins.is_empty() && !allowed_origins.iter().any(|o| o == "*" || o == origin) {
                     self.upstream_selector.connection_ended(upstream_key);
-                    self.metrics.connection_closed(route_id, Some(source_ip));
                     return Ok(error_response(StatusCode::FORBIDDEN, "Origin not allowed"));
                 }
             }
@@ -516,26 +797,48 @@ impl HttpProxyService {
 
         info!("WebSocket upgrade from {} -> {}:{}", peer_addr, upstream.host, upstream.port);
 
-        // Connect to upstream with timeout
+        // Connect to upstream with timeout (TLS if upstream.use_tls is set)
-        let mut upstream_stream = match tokio::time::timeout(
+        let mut upstream_stream: BackendStream = if upstream.use_tls {
-            self.connect_timeout,
+            match tokio::time::timeout(
-            TcpStream::connect(format!("{}:{}", upstream.host, upstream.port)),
+                self.connect_timeout,
-        ).await {
+                connect_tls_backend(&self.backend_tls_config, &upstream.host, upstream.port),
-            Ok(Ok(s)) => s,
+            ).await {
-            Ok(Err(e)) => {
+                Ok(Ok(tls)) => BackendStream::Tls(tls),
-                error!("WebSocket: failed to connect upstream {}:{}: {}", upstream.host, upstream.port, e);
+                Ok(Err(e)) => {
-                self.upstream_selector.connection_ended(upstream_key);
+                    error!("WebSocket: failed TLS connect upstream {}:{}: {}", upstream.host, upstream.port, e);
-                self.metrics.connection_closed(route_id, Some(source_ip));
+                    self.upstream_selector.connection_ended(upstream_key);
-                return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable"));
+                    return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend TLS unavailable"));
+                }
+                Err(_) => {
+                    error!("WebSocket: upstream TLS connect timeout for {}:{}", upstream.host, upstream.port);
+                    self.upstream_selector.connection_ended(upstream_key);
+                    return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend TLS connect timeout"));
+                }
             }
-            Err(_) => {
+        } else {
-                error!("WebSocket: upstream connect timeout for {}:{}", upstream.host, upstream.port);
+            match tokio::time::timeout(
-                self.upstream_selector.connection_ended(upstream_key);
+                self.connect_timeout,
-                self.metrics.connection_closed(route_id, Some(source_ip));
+                TcpStream::connect(format!("{}:{}", upstream.host, upstream.port)),
-                return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend connect timeout"));
+            ).await {
+                Ok(Ok(s)) => {
+                    s.set_nodelay(true).ok();
+                    let _ = socket2::SockRef::from(&s).set_tcp_keepalive(
+                        &socket2::TcpKeepalive::new().with_time(std::time::Duration::from_secs(60))
+                    );
+                    BackendStream::Plain(s)
+                }
+                Ok(Err(e)) => {
+                    error!("WebSocket: failed to connect upstream {}:{}: {}", upstream.host, upstream.port, e);
+                    self.upstream_selector.connection_ended(upstream_key);
+                    return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable"));
+                }
+                Err(_) => {
+                    error!("WebSocket: upstream connect timeout for {}:{}", upstream.host, upstream.port);
+                    self.upstream_selector.connection_ended(upstream_key);
+                    return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend connect timeout"));
+                }
             }
         };
-        upstream_stream.set_nodelay(true).ok();
 
         let path = req.uri().path().to_string();
         let upstream_path = {
@@ -562,13 +865,57 @@ impl HttpProxyService {
             parts.method, upstream_path
         );
 
-        let upstream_host = format!("{}:{}", upstream.host, upstream.port);
+        // Copy all original headers (preserving the client's Host header).
+        // Skip X-Forwarded-* since we set them ourselves below.
+        let mut has_host_header = false;
         for (name, value) in parts.headers.iter() {
-            if name == hyper::header::HOST {
+            let name_str = name.as_str();
-                raw_request.push_str(&format!("host: {}\r\n", upstream_host));
+            if name_str == "x-forwarded-for"
-            } else {
+                || name_str == "x-forwarded-host"
-                raw_request.push_str(&format!("{}: {}\r\n", name, value.to_str().unwrap_or("")));
+                || name_str == "x-forwarded-proto"
+            {
+                continue;
             }
+            if name_str == "host" {
+                has_host_header = true;
+            }
+            raw_request.push_str(&format!("{}: {}\r\n", name, value.to_str().unwrap_or("")));
+        }
+
+        // HTTP/2 requests don't have Host header; add one from URI authority for h1 backends
+        let ws_host = parts.uri.host().map(|h| h.to_string());
+        if !has_host_header {
+            if let Some(ref h) = ws_host {
+                raw_request.push_str(&format!("host: {}\r\n", h));
+            }
+        }
+
+        // Add standard reverse-proxy headers (X-Forwarded-*)
+        {
+            let original_host = parts.headers.get("host")
+                .and_then(|h| h.to_str().ok())
+                .or(ws_host.as_deref())
+                .unwrap_or("");
+            let forwarded_proto = if route.action.tls.as_ref()
+                .map(|t| matches!(t.mode,
+                    rustproxy_config::TlsMode::Terminate
+                    | rustproxy_config::TlsMode::TerminateAndReencrypt))
+                .unwrap_or(false)
+            {
+                "https"
+            } else {
+                "http"
+            };
+
+            let client_ip = peer_addr.ip().to_string();
+            let xff_value = if let Some(existing) = parts.headers.get("x-forwarded-for") {
+                format!("{}, {}", existing.to_str().unwrap_or(""), client_ip)
+            } else {
+                client_ip
+            };
+            raw_request.push_str(&format!("x-forwarded-for: {}\r\n", xff_value));
+            raw_request.push_str(&format!("x-forwarded-host: {}\r\n", original_host));
+            raw_request.push_str(&format!("x-forwarded-proto: {}\r\n", forwarded_proto));
         }
 
         if let Some(ref route_headers) = route.headers {
@@ -593,7 +940,6 @@ impl HttpProxyService {
         if let Err(e) = upstream_stream.write_all(raw_request.as_bytes()).await {
             error!("WebSocket: failed to send upgrade request to upstream: {}", e);
             self.upstream_selector.connection_ended(upstream_key);
-            self.metrics.connection_closed(route_id, Some(source_ip));
             return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend write failed"));
         }
 
@@ -604,7 +950,6 @@ impl HttpProxyService {
                 Ok(0) => {
                     error!("WebSocket: upstream closed before completing handshake");
                     self.upstream_selector.connection_ended(upstream_key);
-                    self.metrics.connection_closed(route_id, Some(source_ip));
                     return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend closed"));
                 }
                 Ok(_) => {
@@ -618,14 +963,12 @@ impl HttpProxyService {
                     if response_buf.len() > 8192 {
                         error!("WebSocket: upstream response headers too large");
                         self.upstream_selector.connection_ended(upstream_key);
-                        self.metrics.connection_closed(route_id, Some(source_ip));
                         return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend response too large"));
                     }
                 }
                 Err(e) => {
                     error!("WebSocket: failed to read upstream response: {}", e);
                     self.upstream_selector.connection_ended(upstream_key);
-                    self.metrics.connection_closed(route_id, Some(source_ip));
                     return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend read failed"));
                 }
             }
@@ -643,7 +986,6 @@ impl HttpProxyService {
         if status_code != 101 {
             debug!("WebSocket: upstream rejected upgrade with status {}", status_code);
             self.upstream_selector.connection_ended(upstream_key);
-            self.metrics.connection_closed(route_id, Some(source_ip));
             return Ok(error_response(
                 StatusCode::from_u16(status_code).unwrap_or(StatusCode::BAD_GATEWAY),
                 "WebSocket upgrade rejected by backend",
@@ -687,9 +1029,6 @@ impl HttpProxyService {
                 Err(e) => {
                     debug!("WebSocket: client upgrade failed: {}", e);
                     upstream_selector.connection_ended(&upstream_key_owned);
-                    if let Some(ref rid) = route_id_owned {
-                        metrics.connection_closed(Some(rid.as_str()), Some(&source_ip_owned));
-                    }
                     return;
                 }
             };
@@ -794,7 +1133,6 @@ impl HttpProxyService {
             upstream_selector.connection_ended(&upstream_key_owned);
             if let Some(ref rid) = route_id_owned {
                 metrics.record_bytes(bytes_in, bytes_out, Some(rid.as_str()), Some(&source_ip_owned));
-                metrics.connection_closed(Some(rid.as_str()), Some(&source_ip_owned));
             }
         });
 
@@ -824,8 +1162,8 @@ impl HttpProxyService {
         response.body(BoxBody::new(body)).unwrap()
     }
 
-    /// Apply URL rewriting rules from route config.
+    /// Apply URL rewriting rules from route config, using the compiled regex cache.
-    fn apply_url_rewrite(path: &str, route: &rustproxy_config::RouteConfig) -> String {
+    fn apply_url_rewrite(&self, path: &str, route: &rustproxy_config::RouteConfig) -> String {
         let rewrite = match route.action.advanced.as_ref()
             .and_then(|a| a.url_rewrite.as_ref())
         {
@@ -844,10 +1182,20 @@ impl HttpProxyService {
             (path.to_string(), String::new())
         };
 
+        // Look up or compile the regex, caching for future requests
+        let cached = self.regex_cache.get(&rewrite.pattern);
+        if let Some(re) = cached {
+            let result = re.replace_all(&subject, rewrite.target.as_str());
+            return format!("{}{}", result, suffix);
+        }
+
+        // Not cached — compile and insert
         match Regex::new(&rewrite.pattern) {
             Ok(re) => {
                 let result = re.replace_all(&subject, rewrite.target.as_str());
-                format!("{}{}", result, suffix)
+                let out = format!("{}{}", result, suffix);
+                self.regex_cache.insert(rewrite.pattern.clone(), re);
+                out
             }
             Err(e) => {
                 warn!("Invalid URL rewrite pattern '{}': {}", rewrite.pattern, e);
@@ -967,6 +1315,70 @@ fn guess_content_type(path: &std::path::Path) -> &'static str {
     }
 }
 
+impl HttpProxyService {
+    /// Build a default backend TLS config with InsecureVerifier.
+    /// Used as fallback when no shared config is injected from tls_handler.
+    fn default_backend_tls_config() -> Arc<rustls::ClientConfig> {
+        let _ = rustls::crypto::ring::default_provider().install_default();
+        let config = rustls::ClientConfig::builder()
+            .dangerous()
+            .with_custom_certificate_verifier(Arc::new(InsecureBackendVerifier))
+            .with_no_client_auth();
+        Arc::new(config)
+    }
+}
+
+/// Insecure certificate verifier for backend TLS connections (fallback only).
+/// The production path uses the shared config from tls_handler which has the same
+/// behavior but with session resumption across all outbound connections.
+#[derive(Debug)]
+struct InsecureBackendVerifier;
+
+impl rustls::client::danger::ServerCertVerifier for InsecureBackendVerifier {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &rustls::pki_types::CertificateDer<'_>,
+        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
+        _server_name: &rustls::pki_types::ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: rustls::pki_types::UnixTime,
+    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
+        Ok(rustls::client::danger::ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::pki_types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::pki_types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+        vec![
+            rustls::SignatureScheme::RSA_PKCS1_SHA256,
+            rustls::SignatureScheme::RSA_PKCS1_SHA384,
+            rustls::SignatureScheme::RSA_PKCS1_SHA512,
+            rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
+            rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
+            rustls::SignatureScheme::ED25519,
+            rustls::SignatureScheme::RSA_PSS_SHA256,
+            rustls::SignatureScheme::RSA_PSS_SHA384,
+            rustls::SignatureScheme::RSA_PSS_SHA512,
+        ]
+    }
+}
+
 impl Default for HttpProxyService {
     fn default() -> Self {
         Self {
@@ -974,6 +1386,11 @@ impl Default for HttpProxyService {
             metrics: Arc::new(MetricsCollector::new()),
             upstream_selector: UpstreamSelector::new(),
             connect_timeout: DEFAULT_CONNECT_TIMEOUT,
+            route_rate_limiters: Arc::new(DashMap::new()),
+            request_counter: AtomicU64::new(0),
+            regex_cache: DashMap::new(),
+            backend_tls_config: Self::default_backend_tls_config(),
+            connection_pool: Arc::new(crate::connection_pool::ConnectionPool::new()),
         }
     }
 }

rust/crates/rustproxy-http/src/upstream_selector.rs

@@ -115,11 +115,27 @@ impl UpstreamSelector {
     /// Record that a connection to the given host has ended.
     pub fn connection_ended(&self, host: &str) {
         if let Some(counter) = self.active_connections.get(host) {
-            let prev = counter.value().fetch_sub(1, Ordering::Relaxed);
+            let prev = counter.value().load(Ordering::Relaxed);
-            // Guard against underflow (shouldn't happen, but be safe)
             if prev == 0 {
-                counter.value().store(0, Ordering::Relaxed);
+                // Already at zero — just clean up the entry
+                drop(counter);
+                self.active_connections.remove(host);
+                return;
             }
+            counter.value().fetch_sub(1, Ordering::Relaxed);
+            // Clean up zero-count entries to prevent memory growth
+            if prev <= 1 {
+                drop(counter);
+                self.active_connections.remove(host);
+            }
+        }
+    }
+
+    /// Clear stale round-robin counters on route update.
+    /// Resetting is harmless — counters just restart cycling from index 0.
+    pub fn reset_round_robin(&self) {
+        if let Ok(mut counters) = self.round_robin.lock() {
+            counters.clear();
         }
     }
 
@@ -204,6 +220,31 @@ mod tests {
         assert_eq!(r4.host, "a");
     }
 
+    #[test]
+    fn test_connection_tracking_cleanup() {
+        let selector = UpstreamSelector::new();
+
+        selector.connection_started("backend:8080");
+        selector.connection_started("backend:8080");
+        assert_eq!(
+            selector.active_connections.get("backend:8080").unwrap().load(Ordering::Relaxed),
+            2
+        );
+
+        selector.connection_ended("backend:8080");
+        assert_eq!(
+            selector.active_connections.get("backend:8080").unwrap().load(Ordering::Relaxed),
+            1
+        );
+
+        // Last connection ends — entry should be removed entirely
+        selector.connection_ended("backend:8080");
+        assert!(selector.active_connections.get("backend:8080").is_none());
+
+        // Ending on a non-existent key should not panic
+        selector.connection_ended("nonexistent:9999");
+    }
+
     #[test]
     fn test_ip_hash_consistent() {
         let selector = UpstreamSelector::new();

rust/crates/rustproxy-metrics/src/collector.rs

@@ -1,5 +1,6 @@
 use dashmap::DashMap;
 use serde::{Deserialize, Serialize};
+use std::collections::HashSet;
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::Mutex;
 
@@ -196,6 +197,12 @@ impl MetricsCollector {
                 if val <= 1 {
                     drop(counter);
                     self.ip_connections.remove(ip);
+                    // Evict all per-IP tracking data for this IP
+                    self.ip_total_connections.remove(ip);
+                    self.ip_bytes_in.remove(ip);
+                    self.ip_bytes_out.remove(ip);
+                    self.ip_pending_tp.remove(ip);
+                    self.ip_throughput.remove(ip);
                 }
             }
         }
@@ -232,21 +239,26 @@ impl MetricsCollector {
         }
 
         if let Some(ip) = source_ip {
-            self.ip_bytes_in
+            // Only record per-IP stats if the IP still has active connections.
-                .entry(ip.to_string())
+            // This prevents orphaned entries when record_bytes races with
-                .or_insert_with(|| AtomicU64::new(0))
+            // connection_closed (which evicts all per-IP data on last close).
-                .fetch_add(bytes_in, Ordering::Relaxed);
+            if self.ip_connections.contains_key(ip) {
-            self.ip_bytes_out
+                self.ip_bytes_in
-                .entry(ip.to_string())
+                    .entry(ip.to_string())
-                .or_insert_with(|| AtomicU64::new(0))
+                    .or_insert_with(|| AtomicU64::new(0))
-                .fetch_add(bytes_out, Ordering::Relaxed);
+                    .fetch_add(bytes_in, Ordering::Relaxed);
+                self.ip_bytes_out
+                    .entry(ip.to_string())
+                    .or_insert_with(|| AtomicU64::new(0))
+                    .fetch_add(bytes_out, Ordering::Relaxed);
 
-            // Accumulate into per-IP pending throughput counters (lock-free)
+                // Accumulate into per-IP pending throughput counters (lock-free)
-            let entry = self.ip_pending_tp
+                let entry = self.ip_pending_tp
-                .entry(ip.to_string())
+                    .entry(ip.to_string())
-                .or_insert_with(|| (AtomicU64::new(0), AtomicU64::new(0)));
+                    .or_insert_with(|| (AtomicU64::new(0), AtomicU64::new(0)));
-            entry.0.fetch_add(bytes_in, Ordering::Relaxed);
+                entry.0.fetch_add(bytes_in, Ordering::Relaxed);
-            entry.1.fetch_add(bytes_out, Ordering::Relaxed);
+                entry.1.fetch_add(bytes_out, Ordering::Relaxed);
+            }
         }
     }
 
@@ -340,6 +352,26 @@ impl MetricsCollector {
             tracker.record_bytes(pending_reqs, 0);
             tracker.sample();
         }
+
+        // Safety-net: prune orphaned per-IP entries that have no corresponding
+        // ip_connections entry. This catches any entries created by a race between
+        // record_bytes and connection_closed.
+        self.ip_bytes_in.retain(|k, _| self.ip_connections.contains_key(k));
+        self.ip_bytes_out.retain(|k, _| self.ip_connections.contains_key(k));
+        self.ip_pending_tp.retain(|k, _| self.ip_connections.contains_key(k));
+        self.ip_throughput.retain(|k, _| self.ip_connections.contains_key(k));
+        self.ip_total_connections.retain(|k, _| self.ip_connections.contains_key(k));
+    }
+
+    /// Remove per-route metrics for route IDs that are no longer active.
+    /// Call this after `update_routes()` to prune stale entries.
+    pub fn retain_routes(&self, active_route_ids: &HashSet<String>) {
+        self.route_connections.retain(|k, _| active_route_ids.contains(k));
+        self.route_total_connections.retain(|k, _| active_route_ids.contains(k));
+        self.route_bytes_in.retain(|k, _| active_route_ids.contains(k));
+        self.route_bytes_out.retain(|k, _| active_route_ids.contains(k));
+        self.route_pending_tp.retain(|k, _| active_route_ids.contains(k));
+        self.route_throughput.retain(|k, _| active_route_ids.contains(k));
     }
 
     /// Get current active connection count.
@@ -633,6 +665,42 @@ mod tests {
         assert!(collector.ip_connections.get("1.2.3.4").is_none());
     }
 
+    #[test]
+    fn test_per_ip_full_eviction_on_last_close() {
+        let collector = MetricsCollector::with_retention(60);
+
+        // Open connections from two IPs
+        collector.connection_opened(Some("route-a"), Some("10.0.0.1"));
+        collector.connection_opened(Some("route-a"), Some("10.0.0.1"));
+        collector.connection_opened(Some("route-b"), Some("10.0.0.2"));
+
+        // Record bytes to populate per-IP DashMaps
+        collector.record_bytes(100, 200, Some("route-a"), Some("10.0.0.1"));
+        collector.record_bytes(300, 400, Some("route-b"), Some("10.0.0.2"));
+        collector.sample_all();
+
+        // Verify per-IP data exists
+        assert!(collector.ip_total_connections.get("10.0.0.1").is_some());
+        assert!(collector.ip_bytes_in.get("10.0.0.1").is_some());
+        assert!(collector.ip_throughput.get("10.0.0.1").is_some());
+
+        // Close all connections for 10.0.0.1
+        collector.connection_closed(Some("route-a"), Some("10.0.0.1"));
+        collector.connection_closed(Some("route-a"), Some("10.0.0.1"));
+
+        // All per-IP data for 10.0.0.1 should be evicted
+        assert!(collector.ip_connections.get("10.0.0.1").is_none());
+        assert!(collector.ip_total_connections.get("10.0.0.1").is_none());
+        assert!(collector.ip_bytes_in.get("10.0.0.1").is_none());
+        assert!(collector.ip_bytes_out.get("10.0.0.1").is_none());
+        assert!(collector.ip_pending_tp.get("10.0.0.1").is_none());
+        assert!(collector.ip_throughput.get("10.0.0.1").is_none());
+
+        // 10.0.0.2 should still have data
+        assert!(collector.ip_connections.get("10.0.0.2").is_some());
+        assert!(collector.ip_total_connections.get("10.0.0.2").is_some());
+    }
+
     #[test]
     fn test_http_request_tracking() {
         let collector = MetricsCollector::with_retention(60);
@@ -650,6 +718,78 @@ mod tests {
         assert_eq!(snapshot.http_requests_per_sec, 3);
     }
 
+    #[test]
+    fn test_retain_routes_prunes_stale() {
+        let collector = MetricsCollector::with_retention(60);
+
+        // Create metrics for 3 routes
+        collector.connection_opened(Some("route-a"), None);
+        collector.connection_opened(Some("route-b"), None);
+        collector.connection_opened(Some("route-c"), None);
+        collector.record_bytes(100, 200, Some("route-a"), None);
+        collector.record_bytes(100, 200, Some("route-b"), None);
+        collector.record_bytes(100, 200, Some("route-c"), None);
+        collector.sample_all();
+
+        // Now "route-b" is removed from config
+        let active = HashSet::from(["route-a".to_string(), "route-c".to_string()]);
+        collector.retain_routes(&active);
+
+        // route-b entries should be gone
+        assert!(collector.route_connections.get("route-b").is_none());
+        assert!(collector.route_total_connections.get("route-b").is_none());
+        assert!(collector.route_bytes_in.get("route-b").is_none());
+        assert!(collector.route_bytes_out.get("route-b").is_none());
+        assert!(collector.route_throughput.get("route-b").is_none());
+
+        // route-a and route-c should still exist
+        assert!(collector.route_total_connections.get("route-a").is_some());
+        assert!(collector.route_total_connections.get("route-c").is_some());
+    }
+
+    #[test]
+    fn test_record_bytes_after_close_no_orphan() {
+        let collector = MetricsCollector::with_retention(60);
+
+        // Open a connection, record bytes, then close
+        collector.connection_opened(Some("route-a"), Some("10.0.0.1"));
+        collector.record_bytes(100, 200, Some("route-a"), Some("10.0.0.1"));
+        collector.connection_closed(Some("route-a"), Some("10.0.0.1"));
+
+        // IP should be fully evicted
+        assert!(collector.ip_connections.get("10.0.0.1").is_none());
+
+        // Now record_bytes arrives late (simulates race) — should NOT re-create entries
+        collector.record_bytes(50, 75, Some("route-a"), Some("10.0.0.1"));
+        assert!(collector.ip_bytes_in.get("10.0.0.1").is_none());
+        assert!(collector.ip_bytes_out.get("10.0.0.1").is_none());
+        assert!(collector.ip_pending_tp.get("10.0.0.1").is_none());
+
+        // Global bytes should still be counted
+        assert_eq!(collector.total_bytes_in.load(Ordering::Relaxed), 150);
+        assert_eq!(collector.total_bytes_out.load(Ordering::Relaxed), 275);
+    }
+
+    #[test]
+    fn test_sample_all_prunes_orphaned_ip_entries() {
+        let collector = MetricsCollector::with_retention(60);
+
+        // Manually insert orphaned entries (simulates the race before the guard)
+        collector.ip_bytes_in.insert("orphan-ip".to_string(), AtomicU64::new(100));
+        collector.ip_bytes_out.insert("orphan-ip".to_string(), AtomicU64::new(200));
+        collector.ip_pending_tp.insert("orphan-ip".to_string(), (AtomicU64::new(0), AtomicU64::new(0)));
+
+        // No ip_connections entry for "orphan-ip"
+        assert!(collector.ip_connections.get("orphan-ip").is_none());
+
+        // sample_all should prune the orphans
+        collector.sample_all();
+
+        assert!(collector.ip_bytes_in.get("orphan-ip").is_none());
+        assert!(collector.ip_bytes_out.get("orphan-ip").is_none());
+        assert!(collector.ip_pending_tp.get("orphan-ip").is_none());
+    }
+
     #[test]
     fn test_throughput_history_in_snapshot() {
         let collector = MetricsCollector::with_retention(60);

rust/crates/rustproxy-passthrough/Cargo.toml

@@ -23,3 +23,4 @@ rustls-pemfile = { workspace = true }
 tokio-util = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
+socket2 = { workspace = true }

rust/crates/rustproxy-passthrough/src/connection_record.rs

@@ -1,155 +0,0 @@
-use std::sync::atomic::{AtomicBool, AtomicU64, Ordering};
-use std::time::{Duration, Instant};
-
-/// Per-connection tracking record with atomics for lock-free updates.
-///
-/// Each field uses atomics so that the forwarding tasks can update
-/// bytes_received / bytes_sent / last_activity without holding any lock,
-/// while the zombie scanner reads them concurrently.
-pub struct ConnectionRecord {
-    /// Unique connection ID assigned by the ConnectionTracker.
-    pub id: u64,
-    /// Wall-clock instant when this connection was created.
-    pub created_at: Instant,
-    /// Milliseconds since `created_at` when the last activity occurred.
-    /// Updated atomically by the forwarding loops.
-    pub last_activity: AtomicU64,
-    /// Total bytes received from the client (inbound).
-    pub bytes_received: AtomicU64,
-    /// Total bytes sent to the client (outbound / from backend).
-    pub bytes_sent: AtomicU64,
-    /// True once the client side of the connection has closed.
-    pub client_closed: AtomicBool,
-    /// True once the backend side of the connection has closed.
-    pub backend_closed: AtomicBool,
-    /// Whether this connection uses TLS (affects zombie thresholds).
-    pub is_tls: AtomicBool,
-    /// Whether this connection has keep-alive semantics.
-    pub has_keep_alive: AtomicBool,
-}
-
-impl ConnectionRecord {
-    /// Create a new connection record with the given ID.
-    /// All counters start at zero, all flags start as false.
-    pub fn new(id: u64) -> Self {
-        Self {
-            id,
-            created_at: Instant::now(),
-            last_activity: AtomicU64::new(0),
-            bytes_received: AtomicU64::new(0),
-            bytes_sent: AtomicU64::new(0),
-            client_closed: AtomicBool::new(false),
-            backend_closed: AtomicBool::new(false),
-            is_tls: AtomicBool::new(false),
-            has_keep_alive: AtomicBool::new(false),
-        }
-    }
-
-    /// Update `last_activity` to reflect the current elapsed time.
-    pub fn touch(&self) {
-        let elapsed_ms = self.created_at.elapsed().as_millis() as u64;
-        self.last_activity.store(elapsed_ms, Ordering::Relaxed);
-    }
-
-    /// Record `n` bytes received from the client (inbound).
-    pub fn record_bytes_in(&self, n: u64) {
-        self.bytes_received.fetch_add(n, Ordering::Relaxed);
-        self.touch();
-    }
-
-    /// Record `n` bytes sent to the client (outbound / from backend).
-    pub fn record_bytes_out(&self, n: u64) {
-        self.bytes_sent.fetch_add(n, Ordering::Relaxed);
-        self.touch();
-    }
-
-    /// How long since the last activity on this connection.
-    pub fn idle_duration(&self) -> Duration {
-        let last_ms = self.last_activity.load(Ordering::Relaxed);
-        let age_ms = self.created_at.elapsed().as_millis() as u64;
-        Duration::from_millis(age_ms.saturating_sub(last_ms))
-    }
-
-    /// Total age of this connection (time since creation).
-    pub fn age(&self) -> Duration {
-        self.created_at.elapsed()
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use std::thread;
-
-    #[test]
-    fn test_new_record() {
-        let record = ConnectionRecord::new(42);
-        assert_eq!(record.id, 42);
-        assert_eq!(record.bytes_received.load(Ordering::Relaxed), 0);
-        assert_eq!(record.bytes_sent.load(Ordering::Relaxed), 0);
-        assert!(!record.client_closed.load(Ordering::Relaxed));
-        assert!(!record.backend_closed.load(Ordering::Relaxed));
-        assert!(!record.is_tls.load(Ordering::Relaxed));
-        assert!(!record.has_keep_alive.load(Ordering::Relaxed));
-    }
-
-    #[test]
-    fn test_record_bytes() {
-        let record = ConnectionRecord::new(1);
-        record.record_bytes_in(100);
-        record.record_bytes_in(200);
-        assert_eq!(record.bytes_received.load(Ordering::Relaxed), 300);
-
-        record.record_bytes_out(50);
-        record.record_bytes_out(75);
-        assert_eq!(record.bytes_sent.load(Ordering::Relaxed), 125);
-    }
-
-    #[test]
-    fn test_touch_updates_activity() {
-        let record = ConnectionRecord::new(1);
-        assert_eq!(record.last_activity.load(Ordering::Relaxed), 0);
-
-        // Sleep briefly so elapsed time is nonzero
-        thread::sleep(Duration::from_millis(10));
-        record.touch();
-
-        let activity = record.last_activity.load(Ordering::Relaxed);
-        assert!(activity >= 10, "last_activity should be at least 10ms, got {}", activity);
-    }
-
-    #[test]
-    fn test_idle_duration() {
-        let record = ConnectionRecord::new(1);
-        // Initially idle_duration ~ age since last_activity is 0
-        thread::sleep(Duration::from_millis(20));
-        let idle = record.idle_duration();
-        assert!(idle >= Duration::from_millis(20));
-
-        // After touch, idle should be near zero
-        record.touch();
-        let idle = record.idle_duration();
-        assert!(idle < Duration::from_millis(10));
-    }
-
-    #[test]
-    fn test_age() {
-        let record = ConnectionRecord::new(1);
-        thread::sleep(Duration::from_millis(20));
-        let age = record.age();
-        assert!(age >= Duration::from_millis(20));
-    }
-
-    #[test]
-    fn test_flags() {
-        let record = ConnectionRecord::new(1);
-        record.client_closed.store(true, Ordering::Relaxed);
-        record.is_tls.store(true, Ordering::Relaxed);
-        record.has_keep_alive.store(true, Ordering::Relaxed);
-
-        assert!(record.client_closed.load(Ordering::Relaxed));
-        assert!(!record.backend_closed.load(Ordering::Relaxed));
-        assert!(record.is_tls.load(Ordering::Relaxed));
-        assert!(record.has_keep_alive.load(Ordering::Relaxed));
-    }
-}

rust/crates/rustproxy-passthrough/src/connection_tracker.rs

@@ -2,24 +2,9 @@ use dashmap::DashMap;
 use std::collections::VecDeque;
 use std::net::IpAddr;
 use std::sync::atomic::{AtomicU64, Ordering};
-use std::sync::Arc;
 use std::time::{Duration, Instant};
-use tokio_util::sync::CancellationToken;
-use tracing::{debug, warn};
-
-use super::connection_record::ConnectionRecord;
-
-/// Thresholds for zombie detection (non-TLS connections).
-const HALF_ZOMBIE_TIMEOUT_PLAIN: Duration = Duration::from_secs(30);
-/// Thresholds for zombie detection (TLS connections).
-const HALF_ZOMBIE_TIMEOUT_TLS: Duration = Duration::from_secs(300);
-/// Stuck connection timeout (non-TLS): received data but never sent any.
-const STUCK_TIMEOUT_PLAIN: Duration = Duration::from_secs(60);
-/// Stuck connection timeout (TLS): received data but never sent any.
-const STUCK_TIMEOUT_TLS: Duration = Duration::from_secs(300);
 
 /// Tracks active connections per IP and enforces per-IP limits and rate limiting.
-/// Also maintains per-connection records for zombie detection.
 pub struct ConnectionTracker {
     /// Active connection counts per IP
     active: DashMap<IpAddr, AtomicU64>,
@@ -29,10 +14,6 @@ pub struct ConnectionTracker {
     max_per_ip: Option<u64>,
     /// Maximum new connections per minute per IP (None = unlimited)
     rate_limit_per_minute: Option<u64>,
-    /// Per-connection tracking records for zombie detection
-    connections: DashMap<u64, Arc<ConnectionRecord>>,
-    /// Monotonically increasing connection ID counter
-    next_id: AtomicU64,
 }
 
 impl ConnectionTracker {
@@ -42,8 +23,6 @@ impl ConnectionTracker {
             timestamps: DashMap::new(),
             max_per_ip,
             rate_limit_per_minute,
-            connections: DashMap::new(),
-            next_id: AtomicU64::new(1),
         }
     }
 
@@ -95,10 +74,11 @@ impl ConnectionTracker {
     pub fn connection_closed(&self, ip: &IpAddr) {
         if let Some(counter) = self.active.get(ip) {
             let prev = counter.value().fetch_sub(1, Ordering::Relaxed);
-            // Clean up zero entries
+            // Clean up zero entries to prevent memory growth
             if prev <= 1 {
                 drop(counter);
                 self.active.remove(ip);
+                self.timestamps.remove(ip);
             }
         }
     }
@@ -111,115 +91,27 @@ impl ConnectionTracker {
             .unwrap_or(0)
     }
 
+    /// Prune stale timestamp entries for IPs that have no active connections
+    /// and no recent timestamps. This cleans up entries left by rate-limited IPs
+    /// that never had connection_opened called.
+    pub fn cleanup_stale_timestamps(&self) {
+        if self.rate_limit_per_minute.is_none() {
+            return; // No rate limiting — timestamps map should be empty
+        }
+        let now = Instant::now();
+        let one_minute = Duration::from_secs(60);
+        self.timestamps.retain(|ip, timestamps| {
+            timestamps.retain(|t| now.duration_since(*t) < one_minute);
+            // Keep if there are active connections or recent timestamps
+            !timestamps.is_empty() || self.active.contains_key(ip)
+        });
+    }
+
     /// Get the total number of tracked IPs.
     pub fn tracked_ips(&self) -> usize {
         self.active.len()
     }
 
-    /// Register a new connection and return its tracking record.
-    ///
-    /// The returned `Arc<ConnectionRecord>` should be passed to the forwarding
-    /// loop so it can update bytes / activity atomics in real time.
-    pub fn register_connection(&self, is_tls: bool) -> Arc<ConnectionRecord> {
-        let id = self.next_id.fetch_add(1, Ordering::Relaxed);
-        let record = Arc::new(ConnectionRecord::new(id));
-        record.is_tls.store(is_tls, Ordering::Relaxed);
-        self.connections.insert(id, Arc::clone(&record));
-        record
-    }
-
-    /// Remove a connection record when the connection is fully closed.
-    pub fn unregister_connection(&self, id: u64) {
-        self.connections.remove(&id);
-    }
-
-    /// Scan all tracked connections and return IDs of zombie connections.
-    ///
-    /// A connection is considered a zombie in any of these cases:
-    /// - **Full zombie**: both `client_closed` and `backend_closed` are true.
-    /// - **Half zombie**: one side closed for longer than the threshold
-    ///   (5 min for TLS, 30s for non-TLS).
-    /// - **Stuck**: `bytes_received > 0` but `bytes_sent == 0` for longer
-    ///   than the stuck threshold (5 min for TLS, 60s for non-TLS).
-    pub fn scan_zombies(&self) -> Vec<u64> {
-        let mut zombies = Vec::new();
-
-        for entry in self.connections.iter() {
-            let record = entry.value();
-            let id = *entry.key();
-            let is_tls = record.is_tls.load(Ordering::Relaxed);
-            let client_closed = record.client_closed.load(Ordering::Relaxed);
-            let backend_closed = record.backend_closed.load(Ordering::Relaxed);
-            let idle = record.idle_duration();
-            let bytes_in = record.bytes_received.load(Ordering::Relaxed);
-            let bytes_out = record.bytes_sent.load(Ordering::Relaxed);
-
-            // Full zombie: both sides closed
-            if client_closed && backend_closed {
-                zombies.push(id);
-                continue;
-            }
-
-            // Half zombie: one side closed for too long
-            let half_timeout = if is_tls {
-                HALF_ZOMBIE_TIMEOUT_TLS
-            } else {
-                HALF_ZOMBIE_TIMEOUT_PLAIN
-            };
-
-            if (client_closed || backend_closed) && idle >= half_timeout {
-                zombies.push(id);
-                continue;
-            }
-
-            // Stuck: received data but never sent anything for too long
-            let stuck_timeout = if is_tls {
-                STUCK_TIMEOUT_TLS
-            } else {
-                STUCK_TIMEOUT_PLAIN
-            };
-
-            if bytes_in > 0 && bytes_out == 0 && idle >= stuck_timeout {
-                zombies.push(id);
-            }
-        }
-
-        zombies
-    }
-
-    /// Start a background task that periodically scans for zombie connections.
-    ///
-    /// The scanner runs every 10 seconds and logs any zombies it finds.
-    /// It stops when the provided `CancellationToken` is cancelled.
-    pub fn start_zombie_scanner(self: &Arc<Self>, cancel: CancellationToken) {
-        let tracker = Arc::clone(self);
-        tokio::spawn(async move {
-            let interval = Duration::from_secs(10);
-            loop {
-                tokio::select! {
-                    _ = cancel.cancelled() => {
-                        debug!("Zombie scanner shutting down");
-                        break;
-                    }
-                    _ = tokio::time::sleep(interval) => {
-                        let zombies = tracker.scan_zombies();
-                        if !zombies.is_empty() {
-                            warn!(
-                                "Detected {} zombie connection(s): {:?}",
-                                zombies.len(),
-                                zombies
-                            );
-                        }
-                    }
-                }
-            }
-        });
-    }
-
-    /// Get the total number of tracked connections (with records).
-    pub fn total_connections(&self) -> usize {
-        self.connections.len()
-    }
 }
 
 #[cfg(test)]
@@ -305,98 +197,51 @@ mod tests {
     }
 
     #[test]
-    fn test_register_unregister_connection() {
+    fn test_timestamps_cleaned_on_last_close() {
-        let tracker = ConnectionTracker::new(None, None);
+        let tracker = ConnectionTracker::new(None, Some(100));
-        assert_eq!(tracker.total_connections(), 0);
+        let ip: IpAddr = "10.0.0.1".parse().unwrap();
 
-        let record1 = tracker.register_connection(false);
+        // try_accept populates the timestamps map (when rate limiting is enabled)
-        assert_eq!(tracker.total_connections(), 1);
+        assert!(tracker.try_accept(&ip));
-        assert!(!record1.is_tls.load(Ordering::Relaxed));
+        tracker.connection_opened(&ip);
+        assert!(tracker.try_accept(&ip));
+        tracker.connection_opened(&ip);
 
-        let record2 = tracker.register_connection(true);
+        // Timestamps should exist
-        assert_eq!(tracker.total_connections(), 2);
+        assert!(tracker.timestamps.get(&ip).is_some());
-        assert!(record2.is_tls.load(Ordering::Relaxed));
 
-        // IDs should be unique
+        // Close one connection — timestamps should still exist
-        assert_ne!(record1.id, record2.id);
+        tracker.connection_closed(&ip);
+        assert!(tracker.timestamps.get(&ip).is_some());
 
-        tracker.unregister_connection(record1.id);
+        // Close last connection — timestamps should be cleaned up
-        assert_eq!(tracker.total_connections(), 1);
+        tracker.connection_closed(&ip);
-
+        assert!(tracker.timestamps.get(&ip).is_none());
-        tracker.unregister_connection(record2.id);
+        assert!(tracker.active.get(&ip).is_none());
-        assert_eq!(tracker.total_connections(), 0);
     }
 
     #[test]
-    fn test_full_zombie_detection() {
+    fn test_cleanup_stale_timestamps() {
-        let tracker = ConnectionTracker::new(None, None);
+        // Rate limit of 100/min so timestamps are tracked
-        let record = tracker.register_connection(false);
+        let tracker = ConnectionTracker::new(None, Some(100));
+        let ip: IpAddr = "10.0.0.1".parse().unwrap();
 
-        // Not a zombie initially
+        // try_accept adds a timestamp entry
-        assert!(tracker.scan_zombies().is_empty());
+        assert!(tracker.try_accept(&ip));
 
-        // Set both sides closed -> full zombie
+        // Simulate: connection was rate-limited and never accepted,
-        record.client_closed.store(true, Ordering::Relaxed);
+        // so no connection_opened / connection_closed pair
-        record.backend_closed.store(true, Ordering::Relaxed);
+        assert!(tracker.timestamps.get(&ip).is_some());
+        assert!(tracker.active.get(&ip).is_none()); // never opened
 
-        let zombies = tracker.scan_zombies();
+        // Cleanup won't remove it yet because timestamp is recent
-        assert_eq!(zombies.len(), 1);
+        tracker.cleanup_stale_timestamps();
-        assert_eq!(zombies[0], record.id);
+        assert!(tracker.timestamps.get(&ip).is_some());
-    }
 
-    #[test]
+        // After expiry (use 0-second window trick: create tracker with 0 rate)
-    fn test_half_zombie_not_triggered_immediately() {
+        // Actually, we can't fast-forward time easily, so just verify the cleanup
-        let tracker = ConnectionTracker::new(None, None);
+        // doesn't panic and handles the no-rate-limit case
-        let record = tracker.register_connection(false);
+        let tracker2 = ConnectionTracker::new(None, None);
-        record.touch(); // mark activity now
+        tracker2.cleanup_stale_timestamps(); // should be a no-op
-
-        // Only one side closed, but just now -> not a zombie yet
-        record.client_closed.store(true, Ordering::Relaxed);
-        assert!(tracker.scan_zombies().is_empty());
-    }
-
-    #[test]
-    fn test_stuck_connection_not_triggered_immediately() {
-        let tracker = ConnectionTracker::new(None, None);
-        let record = tracker.register_connection(false);
-        record.touch(); // mark activity now
-
-        // Has received data but sent nothing -> but just started, not stuck yet
-        record.bytes_received.store(1000, Ordering::Relaxed);
-        assert!(tracker.scan_zombies().is_empty());
-    }
-
-    #[test]
-    fn test_unregister_removes_from_zombie_scan() {
-        let tracker = ConnectionTracker::new(None, None);
-        let record = tracker.register_connection(false);
-        let id = record.id;
-
-        // Make it a full zombie
-        record.client_closed.store(true, Ordering::Relaxed);
-        record.backend_closed.store(true, Ordering::Relaxed);
-        assert_eq!(tracker.scan_zombies().len(), 1);
-
-        // Unregister should remove it
-        tracker.unregister_connection(id);
-        assert!(tracker.scan_zombies().is_empty());
-    }
-
-    #[test]
-    fn test_total_connections() {
-        let tracker = ConnectionTracker::new(None, None);
-        assert_eq!(tracker.total_connections(), 0);
-
-        let r1 = tracker.register_connection(false);
-        let r2 = tracker.register_connection(true);
-        let r3 = tracker.register_connection(false);
-        assert_eq!(tracker.total_connections(), 3);
-
-        tracker.unregister_connection(r2.id);
-        assert_eq!(tracker.total_connections(), 2);
-
-        tracker.unregister_connection(r1.id);
-        tracker.unregister_connection(r3.id);
-        assert_eq!(tracker.total_connections(), 0);
     }
 }

rust/crates/rustproxy-passthrough/src/lib.rs

@@ -8,15 +8,15 @@ pub mod sni_parser;
 pub mod forwarder;
 pub mod proxy_protocol;
 pub mod tls_handler;
-pub mod connection_record;
 pub mod connection_tracker;
 pub mod socket_relay;
+pub mod socket_opts;
 
 pub use tcp_listener::*;
 pub use sni_parser::*;
 pub use forwarder::*;
 pub use proxy_protocol::*;
 pub use tls_handler::*;
-pub use connection_record::*;
 pub use connection_tracker::*;
 pub use socket_relay::*;
+pub use socket_opts::*;

rust/crates/rustproxy-passthrough/src/sni_parser.rs

@@ -196,6 +196,7 @@ pub fn is_http(data: &[u8]) -> bool {
         b"PATC",
         b"OPTI",
         b"CONN",
+        b"PRI ",   // HTTP/2 connection preface
     ];
     starts.iter().any(|s| data.starts_with(s))
 }

rust/crates/rustproxy-passthrough/src/socket_opts.rs

@@ -0,0 +1,19 @@
+//! Socket-level options for TCP streams (keepalive, etc.).
+//!
+//! Uses `socket2::SockRef::from()` to borrow the raw fd without ownership transfer.
+
+use std::io;
+use std::time::Duration;
+use tokio::net::TcpStream;
+
+/// Apply TCP keepalive to a connected socket.
+///
+/// Enables SO_KEEPALIVE and sets the initial probe delay.
+/// On Linux, also sets the interval between probes to the same value.
+pub fn apply_keepalive(stream: &TcpStream, delay: Duration) -> io::Result<()> {
+    let sock_ref = socket2::SockRef::from(stream);
+    let ka = socket2::TcpKeepalive::new().with_time(delay);
+    #[cfg(target_os = "linux")]
+    let ka = ka.with_interval(delay);
+    sock_ref.set_tcp_keepalive(&ka)
+}

rust/crates/rustproxy-passthrough/src/tcp_listener.rs

@@ -2,6 +2,7 @@ use std::collections::HashMap;
 use std::sync::Arc;
 use arc_swap::ArcSwap;
 use tokio::net::TcpListener;
+use tokio_rustls::TlsAcceptor;
 use tokio_util::sync::CancellationToken;
 use tracing::{info, error, debug, warn};
 use thiserror::Error;
@@ -14,6 +15,7 @@ use crate::sni_parser;
 use crate::forwarder;
 use crate::tls_handler;
 use crate::connection_tracker::ConnectionTracker;
+use crate::socket_opts;
 
 /// RAII guard that decrements the active connection metric on drop.
 /// Ensures connection_closed is called on ALL exit paths — normal, error, or panic.
@@ -21,7 +23,6 @@ struct ConnectionGuard {
     metrics: Arc<MetricsCollector>,
     route_id: Option<String>,
     source_ip: Option<String>,
-    disarmed: bool,
 }
 
 impl ConnectionGuard {
@@ -30,22 +31,32 @@ impl ConnectionGuard {
             metrics,
             route_id: route_id.map(|s| s.to_string()),
             source_ip: source_ip.map(|s| s.to_string()),
-            disarmed: false,
         }
     }
-
-    /// Disarm the guard — prevents the Drop from running.
-    /// Use when handing off to a path that manages its own cleanup (e.g., HTTP proxy).
-    fn disarm(mut self) {
-        self.disarmed = true;
-    }
 }
 
 impl Drop for ConnectionGuard {
     fn drop(&mut self) {
-        if !self.disarmed {
+        self.metrics.connection_closed(self.route_id.as_deref(), self.source_ip.as_deref());
-            self.metrics.connection_closed(self.route_id.as_deref(), self.source_ip.as_deref());
+    }
-        }
+}
+
+/// RAII guard that calls ConnectionTracker::connection_closed on drop.
+/// Ensures per-IP tracking is cleaned up on ALL exit paths — normal, error, or panic.
+struct ConnectionTrackerGuard {
+    tracker: Arc<ConnectionTracker>,
+    ip: std::net::IpAddr,
+}
+
+impl ConnectionTrackerGuard {
+    fn new(tracker: Arc<ConnectionTracker>, ip: std::net::IpAddr) -> Self {
+        Self { tracker, ip }
+    }
+}
+
+impl Drop for ConnectionTrackerGuard {
+    fn drop(&mut self) {
+        self.tracker.connection_closed(&self.ip);
     }
 }
 
@@ -93,6 +104,15 @@ pub struct ConnectionConfig {
     pub accept_proxy_protocol: bool,
     /// Whether to send PROXY protocol
     pub send_proxy_protocol: bool,
+    /// Trusted IPs that may send PROXY protocol headers.
+    /// When non-empty, only connections from these IPs will have PROXY headers parsed.
+    pub proxy_ips: Vec<std::net::IpAddr>,
+    /// Enable TCP keepalive on sockets (default: true)
+    pub keep_alive: bool,
+    /// Initial delay before first keepalive probe (ms, default: 60000)
+    pub keep_alive_initial_delay_ms: u64,
+    /// Global maximum simultaneous connections (default: 100000)
+    pub max_connections: u64,
 }
 
 impl Default for ConnectionConfig {
@@ -110,6 +130,10 @@ impl Default for ConnectionConfig {
             extended_keep_alive_lifetime_ms: None,
             accept_proxy_protocol: false,
             send_proxy_protocol: false,
+            proxy_ips: Vec::new(),
+            keep_alive: true,
+            keep_alive_initial_delay_ms: 60_000,
+            max_connections: 100_000,
         }
     }
 }
@@ -122,8 +146,10 @@ pub struct TcpListenerManager {
     route_manager: Arc<ArcSwap<RouteManager>>,
     /// Shared metrics collector
     metrics: Arc<MetricsCollector>,
-    /// TLS acceptors indexed by domain (ArcSwap for hot-reload visibility in accept loops)
+    /// Raw PEM TLS configs indexed by domain (kept for fallback with custom TLS versions)
     tls_configs: Arc<ArcSwap<HashMap<String, TlsCertConfig>>>,
+    /// Shared TLS acceptor (pre-parsed certs + session cache). None when no certs configured.
+    shared_tls_acceptor: Arc<ArcSwap<Option<TlsAcceptor>>>,
     /// HTTP proxy service for HTTP-level forwarding
     http_proxy: Arc<HttpProxyService>,
     /// Connection configuration
@@ -134,56 +160,68 @@ pub struct TcpListenerManager {
     cancel_token: CancellationToken,
     /// Path to Unix domain socket for relaying socket-handler connections to TypeScript.
     socket_handler_relay: Arc<std::sync::RwLock<Option<String>>>,
+    /// Global connection semaphore — limits total simultaneous connections.
+    conn_semaphore: Arc<tokio::sync::Semaphore>,
 }
 
 impl TcpListenerManager {
     pub fn new(route_manager: Arc<RouteManager>) -> Self {
         let metrics = Arc::new(MetricsCollector::new());
         let conn_config = ConnectionConfig::default();
-        let http_proxy = Arc::new(HttpProxyService::with_connect_timeout(
+        let mut http_proxy_svc = HttpProxyService::with_connect_timeout(
             Arc::clone(&route_manager),
             Arc::clone(&metrics),
             std::time::Duration::from_millis(conn_config.connection_timeout_ms),
-        ));
+        );
+        http_proxy_svc.set_backend_tls_config(tls_handler::shared_backend_tls_config());
+        let http_proxy = Arc::new(http_proxy_svc);
         let conn_tracker = Arc::new(ConnectionTracker::new(
             conn_config.max_connections_per_ip,
             conn_config.connection_rate_limit_per_minute,
         ));
+        let max_conns = conn_config.max_connections as usize;
         Self {
             listeners: HashMap::new(),
             route_manager: Arc::new(ArcSwap::from(route_manager)),
             metrics,
             tls_configs: Arc::new(ArcSwap::from(Arc::new(HashMap::new()))),
+            shared_tls_acceptor: Arc::new(ArcSwap::from(Arc::new(None))),
             http_proxy,
             conn_config: Arc::new(conn_config),
             conn_tracker,
             cancel_token: CancellationToken::new(),
             socket_handler_relay: Arc::new(std::sync::RwLock::new(None)),
+            conn_semaphore: Arc::new(tokio::sync::Semaphore::new(max_conns)),
         }
     }
 
     /// Create with a metrics collector.
     pub fn with_metrics(route_manager: Arc<RouteManager>, metrics: Arc<MetricsCollector>) -> Self {
         let conn_config = ConnectionConfig::default();
-        let http_proxy = Arc::new(HttpProxyService::with_connect_timeout(
+        let mut http_proxy_svc = HttpProxyService::with_connect_timeout(
             Arc::clone(&route_manager),
             Arc::clone(&metrics),
             std::time::Duration::from_millis(conn_config.connection_timeout_ms),
-        ));
+        );
+        http_proxy_svc.set_backend_tls_config(tls_handler::shared_backend_tls_config());
+        let http_proxy = Arc::new(http_proxy_svc);
         let conn_tracker = Arc::new(ConnectionTracker::new(
             conn_config.max_connections_per_ip,
             conn_config.connection_rate_limit_per_minute,
         ));
+        let max_conns = conn_config.max_connections as usize;
         Self {
             listeners: HashMap::new(),
             route_manager: Arc::new(ArcSwap::from(route_manager)),
             metrics,
             tls_configs: Arc::new(ArcSwap::from(Arc::new(HashMap::new()))),
+            shared_tls_acceptor: Arc::new(ArcSwap::from(Arc::new(None))),
             http_proxy,
             conn_config: Arc::new(conn_config),
             conn_tracker,
             cancel_token: CancellationToken::new(),
             socket_handler_relay: Arc::new(std::sync::RwLock::new(None)),
+            conn_semaphore: Arc::new(tokio::sync::Semaphore::new(max_conns)),
         }
     }
 
@@ -193,12 +231,31 @@ impl TcpListenerManager {
             config.max_connections_per_ip,
             config.connection_rate_limit_per_minute,
         ));
+        self.conn_semaphore = Arc::new(tokio::sync::Semaphore::new(config.max_connections as usize));
         self.conn_config = Arc::new(config);
     }
 
     /// Set TLS certificate configurations.
+    /// Builds a shared TLS acceptor with pre-parsed certs and session resumption support.
     /// Uses ArcSwap so running accept loops immediately see the new certs.
     pub fn set_tls_configs(&self, configs: HashMap<String, TlsCertConfig>) {
+        if !configs.is_empty() {
+            match tls_handler::CertResolver::new(&configs)
+                .and_then(tls_handler::build_shared_tls_acceptor)
+            {
+                Ok(acceptor) => {
+                    info!("Built shared TLS acceptor for {} domain(s)", configs.len());
+                    self.shared_tls_acceptor.store(Arc::new(Some(acceptor)));
+                }
+                Err(e) => {
+                    warn!("Failed to build shared TLS acceptor: {}, falling back to per-connection", e);
+                    self.shared_tls_acceptor.store(Arc::new(None));
+                }
+            }
+        } else {
+            self.shared_tls_acceptor.store(Arc::new(None));
+        }
+        // Keep raw PEM configs for fallback (routes with custom TLS versions)
         self.tls_configs.store(Arc::new(configs));
     }
 
@@ -224,16 +281,19 @@ impl TcpListenerManager {
         let route_manager_swap = Arc::clone(&self.route_manager);
         let metrics = Arc::clone(&self.metrics);
         let tls_configs = Arc::clone(&self.tls_configs);
+        let shared_tls_acceptor = Arc::clone(&self.shared_tls_acceptor);
         let http_proxy = Arc::clone(&self.http_proxy);
         let conn_config = Arc::clone(&self.conn_config);
         let conn_tracker = Arc::clone(&self.conn_tracker);
         let cancel = self.cancel_token.clone();
         let relay = Arc::clone(&self.socket_handler_relay);
+        let semaphore = Arc::clone(&self.conn_semaphore);
 
         let handle = tokio::spawn(async move {
             Self::accept_loop(
                 listener, port, route_manager_swap, metrics, tls_configs,
-                http_proxy, conn_config, conn_tracker, cancel, relay,
+                shared_tls_acceptor, http_proxy, conn_config, conn_tracker, cancel, relay,
+                semaphore,
             ).await;
         });
 
@@ -310,6 +370,16 @@ impl TcpListenerManager {
         self.route_manager.store(route_manager);
     }
 
+    /// Prune HTTP proxy caches for route IDs that are no longer active.
+    pub fn prune_http_proxy_caches(&self, active_route_ids: &std::collections::HashSet<String>) {
+        self.http_proxy.prune_stale_routes(active_route_ids);
+    }
+
+    /// Get a reference to the connection tracker.
+    pub fn conn_tracker(&self) -> &Arc<ConnectionTracker> {
+        &self.conn_tracker
+    }
+
     /// Get a reference to the metrics collector.
     pub fn metrics(&self) -> &Arc<MetricsCollector> {
         &self.metrics
@@ -322,11 +392,13 @@ impl TcpListenerManager {
         route_manager_swap: Arc<ArcSwap<RouteManager>>,
         metrics: Arc<MetricsCollector>,
         tls_configs: Arc<ArcSwap<HashMap<String, TlsCertConfig>>>,
+        shared_tls_acceptor: Arc<ArcSwap<Option<TlsAcceptor>>>,
         http_proxy: Arc<HttpProxyService>,
         conn_config: Arc<ConnectionConfig>,
         conn_tracker: Arc<ConnectionTracker>,
         cancel: CancellationToken,
         socket_handler_relay: Arc<std::sync::RwLock<Option<String>>>,
+        conn_semaphore: Arc<tokio::sync::Semaphore>,
     ) {
         loop {
             tokio::select! {
@@ -339,10 +411,31 @@ impl TcpListenerManager {
                         Ok((stream, peer_addr)) => {
                             let ip = peer_addr.ip();
 
+                            // Global connection limit — acquire semaphore permit with timeout
+                            let permit = match tokio::time::timeout(
+                                std::time::Duration::from_secs(5),
+                                conn_semaphore.clone().acquire_owned(),
+                            ).await {
+                                Ok(Ok(permit)) => permit,
+                                Ok(Err(_)) => {
+                                    // Semaphore closed — shouldn't happen, but be safe
+                                    debug!("Connection semaphore closed, dropping connection from {}", peer_addr);
+                                    drop(stream);
+                                    continue;
+                                }
+                                Err(_) => {
+                                    // Timeout — global limit reached
+                                    debug!("Global connection limit reached, dropping connection from {}", peer_addr);
+                                    drop(stream);
+                                    continue;
+                                }
+                            };
+
                             // Check per-IP limits and rate limiting
                             if !conn_tracker.try_accept(&ip) {
                                 debug!("Rejected connection from {} (per-IP limit or rate limit)", peer_addr);
                                 drop(stream);
+                                drop(permit);
                                 continue;
                             }
 
@@ -353,6 +446,8 @@ impl TcpListenerManager {
                             let m = Arc::clone(&metrics);
                             // Load the latest TLS configs from ArcSwap on each connection
                             let tc = tls_configs.load_full();
+                            // Load the latest shared TLS acceptor from ArcSwap
+                            let sa = shared_tls_acceptor.load_full();
                             let hp = Arc::clone(&http_proxy);
                             let cc = Arc::clone(&conn_config);
                             let ct = Arc::clone(&conn_tracker);
@@ -361,13 +456,16 @@ impl TcpListenerManager {
                             debug!("Accepted connection from {} on port {}", peer_addr, port);
 
                             tokio::spawn(async move {
+                                // Move permit into the task — auto-releases on drop
+                                let _permit = permit;
+                                // RAII guard ensures connection_closed is called on all paths
+                                let _ct_guard = ConnectionTrackerGuard::new(ct, ip);
                                 let result = Self::handle_connection(
-                                    stream, port, peer_addr, rm, m, tc, hp, cc, cn, sr,
+                                    stream, port, peer_addr, rm, m, tc, sa, hp, cc, cn, sr,
                                 ).await;
                                 if let Err(e) = result {
                                     debug!("Connection error from {}: {}", peer_addr, e);
                                 }
-                                ct.connection_closed(&ip);
                             });
                         }
                         Err(e) => {
@@ -388,6 +486,7 @@ impl TcpListenerManager {
         route_manager: Arc<RouteManager>,
         metrics: Arc<MetricsCollector>,
         tls_configs: Arc<HashMap<String, TlsCertConfig>>,
+        shared_tls_acceptor: Arc<Option<TlsAcceptor>>,
         http_proxy: Arc<HttpProxyService>,
         conn_config: Arc<ConnectionConfig>,
         cancel: CancellationToken,
@@ -396,8 +495,48 @@ impl TcpListenerManager {
         use tokio::io::AsyncReadExt;
 
         stream.set_nodelay(true)?;
+        if conn_config.keep_alive {
+            let delay = std::time::Duration::from_millis(conn_config.keep_alive_initial_delay_ms);
+            if let Err(e) = socket_opts::apply_keepalive(&stream, delay) {
+                debug!("Failed to set keepalive on client socket: {}", e);
+            }
+        }
 
-        // Extract source IP once for all metric calls
+        // --- PROXY protocol: must happen BEFORE ip_str and fast path ---
+        // Only parse PROXY headers from trusted proxy IPs (security).
+        // Non-proxy connections skip the peek entirely (no latency cost).
+        let mut effective_peer_addr = peer_addr;
+        if !conn_config.proxy_ips.is_empty() && conn_config.proxy_ips.contains(&peer_addr.ip()) {
+            // Trusted proxy IP — peek for PROXY protocol header
+            let mut proxy_peek = vec![0u8; 256];
+            let pn = match tokio::time::timeout(
+                std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
+                stream.peek(&mut proxy_peek),
+            ).await {
+                Ok(Ok(n)) => n,
+                Ok(Err(e)) => return Err(e.into()),
+                Err(_) => return Err("Initial data timeout (proxy protocol peek)".into()),
+            };
+
+            if pn > 0 && crate::proxy_protocol::is_proxy_protocol_v1(&proxy_peek[..pn]) {
+                match crate::proxy_protocol::parse_v1(&proxy_peek[..pn]) {
+                    Ok((header, consumed)) => {
+                        debug!("PROXY protocol: real client {} -> {}", header.source_addr, header.dest_addr);
+                        effective_peer_addr = header.source_addr;
+                        // Consume the proxy protocol header bytes
+                        let mut discard = vec![0u8; consumed];
+                        stream.read_exact(&mut discard).await?;
+                    }
+                    Err(e) => {
+                        debug!("Failed to parse PROXY protocol header: {}", e);
+                        // Not a PROXY protocol header, continue normally
+                    }
+                }
+            }
+        }
+        let peer_addr = effective_peer_addr;
+
+        // Extract source IP once for all metric calls (reflects real client IP after PROXY parsing)
         let ip_str = peer_addr.ip().to_string();
 
         // === Fast path: try port-only matching before peeking at data ===
@@ -418,6 +557,7 @@ impl TcpListenerManager {
                 tls_version: None,
                 headers: None,
                 is_tls: false,
+                protocol: None,
             };
 
             if let Some(quick_match) = route_manager.find_route(&quick_ctx) {
@@ -486,6 +626,12 @@ impl TcpListenerManager {
                             Err(_) => return Err("Backend connection timeout".into()),
                         };
                         backend.set_nodelay(true)?;
+                        if conn_config.keep_alive {
+                            let delay = std::time::Duration::from_millis(conn_config.keep_alive_initial_delay_ms);
+                            if let Err(e) = socket_opts::apply_keepalive(&backend, delay) {
+                                debug!("Failed to set keepalive on backend socket: {}", e);
+                            }
+                        }
 
                         // Send PROXY protocol header if configured
                         let should_send_proxy = conn_config.send_proxy_protocol
@@ -529,37 +675,6 @@ impl TcpListenerManager {
         }
         // === End fast path ===
 
-        // Handle PROXY protocol if configured
-        let mut effective_peer_addr = peer_addr;
-        if conn_config.accept_proxy_protocol {
-            let mut proxy_peek = vec![0u8; 256];
-            let pn = match tokio::time::timeout(
-                std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
-                stream.peek(&mut proxy_peek),
-            ).await {
-                Ok(Ok(n)) => n,
-                Ok(Err(e)) => return Err(e.into()),
-                Err(_) => return Err("Initial data timeout (proxy protocol peek)".into()),
-            };
-
-            if pn > 0 && crate::proxy_protocol::is_proxy_protocol_v1(&proxy_peek[..pn]) {
-                match crate::proxy_protocol::parse_v1(&proxy_peek[..pn]) {
-                    Ok((header, consumed)) => {
-                        debug!("PROXY protocol: real client {} -> {}", header.source_addr, header.dest_addr);
-                        effective_peer_addr = header.source_addr;
-                        // Consume the proxy protocol header bytes
-                        let mut discard = vec![0u8; consumed];
-                        stream.read_exact(&mut discard).await?;
-                    }
-                    Err(e) => {
-                        debug!("Failed to parse PROXY protocol header: {}", e);
-                        // Not a PROXY protocol header, continue normally
-                    }
-                }
-            }
-        }
-        let peer_addr = effective_peer_addr;
-
         // Peek at initial bytes with timeout
         let mut peek_buf = vec![0u8; 4096];
         let n = match tokio::time::timeout(
@@ -622,6 +737,8 @@ impl TcpListenerManager {
             tls_version: None,
             headers: None,
             is_tls,
+            // For TLS connections, protocol is unknown until after termination
+            protocol: if is_http { Some("http") } else if !is_tls { Some("tcp") } else { None },
         };
 
         let route_match = route_manager.find_route(&ctx);
@@ -750,6 +867,12 @@ impl TcpListenerManager {
                     Err(_) => return Err("Backend connection timeout".into()),
                 };
                 backend.set_nodelay(true)?;
+                if conn_config.keep_alive {
+                    let delay = std::time::Duration::from_millis(conn_config.keep_alive_initial_delay_ms);
+                    if let Err(e) = socket_opts::apply_keepalive(&backend, delay) {
+                        debug!("Failed to set keepalive on backend socket: {}", e);
+                    }
+                }
 
                 // Send PROXY protocol header if configured
                 if let Some(ref header) = proxy_header {
@@ -777,13 +900,9 @@ impl TcpListenerManager {
                 Ok(())
             }
             Some(rustproxy_config::TlsMode::Terminate) => {
-                let tls_config = Self::find_tls_config(&domain, &tls_configs)?;
+                // Use shared acceptor (session resumption) or fall back to per-connection
-
-                // TLS accept with timeout, applying route-level TLS settings
                 let route_tls = route_match.route.action.tls.as_ref();
-                let acceptor = tls_handler::build_tls_acceptor_with_config(
+                let acceptor = Self::get_tls_acceptor(&domain, &tls_configs, &*shared_tls_acceptor, route_tls)?;
-                    &tls_config.cert_pem, &tls_config.key_pem, route_tls,
-                )?;
                 let tls_stream = match tokio::time::timeout(
                     std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
                     tls_handler::accept_tls(stream, &acceptor),
@@ -803,13 +922,20 @@ impl TcpListenerManager {
                     }
                 };
 
+                // Check protocol restriction from route config
+                if let Some(ref required_protocol) = route_match.route.route_match.protocol {
+                    let detected = if peeked { "http" } else { "tcp" };
+                    if required_protocol != detected {
+                        debug!("Protocol mismatch: route requires '{}', got '{}'", required_protocol, detected);
+                        return Err("Protocol mismatch".into());
+                    }
+                }
+
                 if peeked {
                     debug!(
                         "TLS Terminate + HTTP: {} -> {}:{} (domain: {:?})",
                         peer_addr, target_host, target_port, domain
                     );
-                    // HTTP proxy manages its own per-request metrics — disarm TCP-level guard
-                    _conn_guard.disarm();
                     http_proxy.handle_io(buf_stream, peer_addr, port, cancel.clone()).await;
                 } else {
                     debug!(
@@ -826,6 +952,12 @@ impl TcpListenerManager {
                         Err(_) => return Err("Backend connection timeout".into()),
                     };
                     backend.set_nodelay(true)?;
+                    if conn_config.keep_alive {
+                        let delay = std::time::Duration::from_millis(conn_config.keep_alive_initial_delay_ms);
+                        if let Err(e) = socket_opts::apply_keepalive(&backend, delay) {
+                            debug!("Failed to set keepalive on backend socket: {}", e);
+                        }
+                    }
 
                     let (tls_read, tls_write) = tokio::io::split(buf_stream);
                     let (backend_read, backend_write) = tokio::io::split(backend);
@@ -843,18 +975,63 @@ impl TcpListenerManager {
                 Ok(())
             }
             Some(rustproxy_config::TlsMode::TerminateAndReencrypt) => {
+                // Inline TLS accept + HTTP detection (same pattern as Terminate mode)
                 let route_tls = route_match.route.action.tls.as_ref();
-                Self::handle_tls_terminate_reencrypt(
+                let acceptor = Self::get_tls_acceptor(&domain, &tls_configs, &*shared_tls_acceptor, route_tls)?;
-                    stream, n, &domain, &target_host, target_port,
+                let tls_stream = match tokio::time::timeout(
-                    peer_addr, &tls_configs, Arc::clone(&metrics), route_id, &conn_config, route_tls,
+                    std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
-                ).await
+                    tls_handler::accept_tls(stream, &acceptor),
+                ).await {
+                    Ok(Ok(s)) => s,
+                    Ok(Err(e)) => return Err(e),
+                    Err(_) => return Err("TLS handshake timeout".into()),
+                };
+
+                // Peek at decrypted data to detect protocol
+                let mut buf_stream = tokio::io::BufReader::new(tls_stream);
+                let is_http_data = {
+                    use tokio::io::AsyncBufReadExt;
+                    match buf_stream.fill_buf().await {
+                        Ok(data) => sni_parser::is_http(data),
+                        Err(_) => false,
+                    }
+                };
+
+                // Check protocol restriction from route config
+                if let Some(ref required_protocol) = route_match.route.route_match.protocol {
+                    let detected = if is_http_data { "http" } else { "tcp" };
+                    if required_protocol != detected {
+                        debug!("Protocol mismatch: route requires '{}', got '{}'", required_protocol, detected);
+                        return Err("Protocol mismatch".into());
+                    }
+                }
+
+                if is_http_data {
+                    // HTTP: full per-request routing via HttpProxyService
+                    // (backend TLS handled by HttpProxyService when upstream.use_tls is set)
+                    debug!(
+                        "TLS Terminate+Reencrypt + HTTP: {} (domain: {:?})",
+                        peer_addr, domain
+                    );
+                    http_proxy.handle_io(buf_stream, peer_addr, port, cancel.clone()).await;
+                } else {
+                    // Non-HTTP: TLS-to-TLS tunnel (existing behavior for raw TCP protocols)
+                    debug!(
+                        "TLS Terminate+Reencrypt + TCP: {} -> {}:{}",
+                        peer_addr, target_host, target_port
+                    );
+                    Self::handle_tls_reencrypt_tunnel(
+                        buf_stream, &target_host, target_port,
+                        peer_addr, Arc::clone(&metrics), route_id,
+                        &conn_config,
+                    ).await?;
+                }
+                Ok(())
             }
             None => {
                 if is_http {
                     // Plain HTTP - use HTTP proxy for request-level routing
                     debug!("HTTP proxy: {} on port {}", peer_addr, port);
-                    // HTTP proxy manages its own per-request metrics — disarm TCP-level guard
-                    _conn_guard.disarm();
                     http_proxy.handle_connection(stream, peer_addr, port, cancel.clone()).await;
                     Ok(())
                 } else {
@@ -868,6 +1045,12 @@ impl TcpListenerManager {
                         Err(_) => return Err("Backend connection timeout".into()),
                     };
                     backend.set_nodelay(true)?;
+                    if conn_config.keep_alive {
+                        let delay = std::time::Duration::from_millis(conn_config.keep_alive_initial_delay_ms);
+                        if let Err(e) = socket_opts::apply_keepalive(&backend, delay) {
+                            debug!("Failed to set keepalive on backend socket: {}", e);
+                        }
+                    }
 
                     // Send PROXY protocol header if configured
                     if let Some(ref header) = proxy_header {
@@ -982,40 +1165,18 @@ impl TcpListenerManager {
         Ok(())
     }
 
-    /// Handle TLS terminate-and-reencrypt: accept TLS from client, connect TLS to backend.
+    /// Handle non-HTTP TLS-to-TLS tunnel for terminate-and-reencrypt mode.
-    async fn handle_tls_terminate_reencrypt(
+    /// TLS accept has already been done by the caller; this only connects to the
-        stream: tokio::net::TcpStream,
+    /// backend over TLS and forwards bidirectionally.
-        _peek_len: usize,
+    async fn handle_tls_reencrypt_tunnel(
-        domain: &Option<String>,
+        buf_stream: tokio::io::BufReader<tokio_rustls::server::TlsStream<tokio::net::TcpStream>>,
         target_host: &str,
         target_port: u16,
         peer_addr: std::net::SocketAddr,
-        tls_configs: &HashMap<String, TlsCertConfig>,
         metrics: Arc<MetricsCollector>,
         route_id: Option<&str>,
         conn_config: &ConnectionConfig,
-        route_tls: Option<&rustproxy_config::RouteTls>,
     ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
-        let tls_config = Self::find_tls_config(domain, tls_configs)?;
-        let acceptor = tls_handler::build_tls_acceptor_with_config(
-            &tls_config.cert_pem, &tls_config.key_pem, route_tls,
-        )?;
-
-        // Accept TLS from client with timeout
-        let client_tls = match tokio::time::timeout(
-            std::time::Duration::from_millis(conn_config.initial_data_timeout_ms),
-            tls_handler::accept_tls(stream, &acceptor),
-        ).await {
-            Ok(Ok(s)) => s,
-            Ok(Err(e)) => return Err(e),
-            Err(_) => return Err("TLS handshake timeout".into()),
-        };
-
-        debug!(
-            "TLS Terminate+Reencrypt: {} -> {}:{} (domain: {:?})",
-            peer_addr, target_host, target_port, domain
-        );
-
         // Connect to backend over TLS with timeout
         let backend_tls = match tokio::time::timeout(
             std::time::Duration::from_millis(conn_config.connection_timeout_ms),
@@ -1026,8 +1187,9 @@ impl TcpListenerManager {
             Err(_) => return Err("Backend TLS connection timeout".into()),
         };
 
-        // Forward between two TLS streams
+        // Forward between decrypted client stream and backend TLS stream
-        let (client_read, client_write) = tokio::io::split(client_tls);
+        // (BufReader preserves any already-buffered data from the peek)
+        let (client_read, client_write) = tokio::io::split(buf_stream);
         let (backend_read, backend_write) = tokio::io::split(backend_tls);
 
         let base_inactivity_ms = conn_config.socket_timeout_ms;
@@ -1069,6 +1231,30 @@ impl TcpListenerManager {
         Ok(())
     }
 
+    /// Get a TLS acceptor, preferring the shared one (with session resumption)
+    /// and falling back to per-connection when custom TLS versions are configured.
+    fn get_tls_acceptor(
+        domain: &Option<String>,
+        tls_configs: &HashMap<String, TlsCertConfig>,
+        shared_tls_acceptor: &Option<TlsAcceptor>,
+        route_tls: Option<&rustproxy_config::RouteTls>,
+    ) -> Result<TlsAcceptor, Box<dyn std::error::Error + Send + Sync>> {
+        let has_custom_versions = route_tls
+            .and_then(|t| t.versions.as_ref())
+            .map(|v| !v.is_empty())
+            .unwrap_or(false);
+
+        if !has_custom_versions {
+            if let Some(shared) = shared_tls_acceptor {
+                return Ok(shared.clone()); // TlsAcceptor wraps Arc<ServerConfig>, clone is cheap
+            }
+        }
+
+        // Fallback: per-connection acceptor (custom TLS versions or shared build failed)
+        let tls_config = Self::find_tls_config(domain, tls_configs)?;
+        tls_handler::build_tls_acceptor_with_config(&tls_config.cert_pem, &tls_config.key_pem, route_tls)
+    }
+
     /// Find the TLS config for a given domain.
     fn find_tls_config<'a>(
         domain: &Option<String>,
@@ -1216,3 +1402,13 @@ impl TcpListenerManager {
         (bytes_in, bytes_out)
     }
 }
+
+/// Safety net: cancel and abort all listener tasks if dropped without graceful_stop().
+impl Drop for TcpListenerManager {
+    fn drop(&mut self) {
+        self.cancel_token.cancel();
+        for (_, handle) in self.listeners.drain() {
+            handle.abort();
+        }
+    }
+}

rust/crates/rustproxy-passthrough/src/tls_handler.rs

@@ -1,17 +1,102 @@
+use std::collections::HashMap;
 use std::io::BufReader;
-use std::sync::Arc;
+use std::sync::{Arc, OnceLock};
 
 use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rustls::server::ResolvesServerCert;
+use rustls::sign::CertifiedKey;
 use rustls::ServerConfig;
 use tokio::net::TcpStream;
 use tokio_rustls::{TlsAcceptor, TlsConnector, server::TlsStream as ServerTlsStream};
-use tracing::debug;
+use tracing::{debug, info};
+
+use crate::tcp_listener::TlsCertConfig;
 
 /// Ensure the default crypto provider is installed.
 fn ensure_crypto_provider() {
     let _ = rustls::crypto::ring::default_provider().install_default();
 }
 
+/// SNI-based certificate resolver with pre-parsed CertifiedKeys.
+/// Enables shared ServerConfig across connections — avoids per-connection PEM parsing
+/// and enables TLS session resumption.
+#[derive(Debug)]
+pub struct CertResolver {
+    certs: HashMap<String, Arc<CertifiedKey>>,
+    fallback: Option<Arc<CertifiedKey>>,
+}
+
+impl CertResolver {
+    /// Build a resolver from PEM-encoded cert/key configs.
+    /// Parses all PEM data upfront so connections only do a cheap HashMap lookup.
+    pub fn new(configs: &HashMap<String, TlsCertConfig>) -> Result<Self, Box<dyn std::error::Error + Send + Sync>> {
+        ensure_crypto_provider();
+        let provider = rustls::crypto::ring::default_provider();
+        let mut certs = HashMap::new();
+        let mut fallback = None;
+
+        for (domain, cfg) in configs {
+            let cert_chain = load_certs(&cfg.cert_pem)?;
+            let key = load_private_key(&cfg.key_pem)?;
+            let ck = Arc::new(CertifiedKey::from_der(cert_chain, key, &provider)
+                .map_err(|e| format!("CertifiedKey for {}: {}", domain, e))?);
+            if domain == "*" {
+                fallback = Some(Arc::clone(&ck));
+            }
+            certs.insert(domain.clone(), ck);
+        }
+
+        // If no explicit "*" fallback, use the first available cert
+        if fallback.is_none() {
+            fallback = certs.values().next().map(Arc::clone);
+        }
+
+        Ok(Self { certs, fallback })
+    }
+}
+
+impl ResolvesServerCert for CertResolver {
+    fn resolve(&self, client_hello: rustls::server::ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
+        let domain = match client_hello.server_name() {
+            Some(name) => name,
+            None => return self.fallback.clone(),
+        };
+        // Exact match
+        if let Some(ck) = self.certs.get(domain) {
+            return Some(Arc::clone(ck));
+        }
+        // Wildcard: sub.example.com → *.example.com
+        if let Some(dot) = domain.find('.') {
+            let wc = format!("*.{}", &domain[dot + 1..]);
+            if let Some(ck) = self.certs.get(&wc) {
+                return Some(Arc::clone(ck));
+            }
+        }
+        self.fallback.clone()
+    }
+}
+
+/// Build a shared TLS acceptor with SNI resolution, session cache, and session tickets.
+/// The returned acceptor can be reused across all connections (cheap Arc clone).
+pub fn build_shared_tls_acceptor(resolver: CertResolver) -> Result<TlsAcceptor, Box<dyn std::error::Error + Send + Sync>> {
+    ensure_crypto_provider();
+    let mut config = ServerConfig::builder()
+        .with_no_client_auth()
+        .with_cert_resolver(Arc::new(resolver));
+
+    // ALPN: advertise h2 and http/1.1 for client-facing HTTP/2 support
+    config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+
+    // Shared session cache — enables session ID resumption across connections
+    config.session_storage = rustls::server::ServerSessionMemoryCache::new(4096);
+    // Session ticket resumption (12-hour lifetime, Chacha20Poly1305 encrypted)
+    config.ticketer = rustls::crypto::ring::Ticketer::new()
+        .map_err(|e| format!("Ticketer: {}", e))?;
+
+    info!("Built shared TLS config with session cache (4096), ticket support, and ALPN h2+http/1.1");
+    Ok(TlsAcceptor::from(Arc::new(config)))
+}
+
 /// Build a TLS acceptor from PEM-encoded cert and key data.
 pub fn build_tls_acceptor(cert_pem: &str, key_pem: &str) -> Result<TlsAcceptor, Box<dyn std::error::Error + Send + Sync>> {
     build_tls_acceptor_with_config(cert_pem, key_pem, None)
@@ -40,6 +125,9 @@ pub fn build_tls_acceptor_with_config(
             .with_single_cert(certs, key)?
     };
 
+    // ALPN: advertise h2 and http/1.1 for client-facing HTTP/2 support
+    config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+
     // Apply session timeout if configured
     if let Some(route_tls) = tls_config {
         if let Some(timeout_secs) = route_tls.session_timeout {
@@ -97,21 +185,40 @@ pub async fn accept_tls(
     Ok(tls_stream)
 }
 
+/// Get or create a shared backend TLS `ClientConfig`.
+///
+/// Uses `OnceLock` to ensure only one config is created across the entire process.
+/// The built-in rustls `Resumption` (session tickets + session IDs) is enabled
+/// by default, so all outbound backend connections share the same session cache.
+static SHARED_CLIENT_CONFIG: OnceLock<Arc<rustls::ClientConfig>> = OnceLock::new();
+
+pub fn shared_backend_tls_config() -> Arc<rustls::ClientConfig> {
+    SHARED_CLIENT_CONFIG.get_or_init(|| {
+        ensure_crypto_provider();
+        let config = rustls::ClientConfig::builder()
+            .dangerous()
+            .with_custom_certificate_verifier(Arc::new(InsecureVerifier))
+            .with_no_client_auth();
+        info!("Built shared backend TLS client config with session resumption");
+        Arc::new(config)
+    }).clone()
+}
+
 /// Connect to a backend with TLS (for terminate-and-reencrypt mode).
+/// Uses the shared backend TLS config for session resumption.
 pub async fn connect_tls(
     host: &str,
     port: u16,
 ) -> Result<tokio_rustls::client::TlsStream<TcpStream>, Box<dyn std::error::Error + Send + Sync>> {
-    ensure_crypto_provider();
+    let config = shared_backend_tls_config();
-    let config = rustls::ClientConfig::builder()
+    let connector = TlsConnector::from(config);
-        .dangerous()
-        .with_custom_certificate_verifier(Arc::new(InsecureVerifier))
-        .with_no_client_auth();
-
-    let connector = TlsConnector::from(Arc::new(config));
 
     let stream = TcpStream::connect(format!("{}:{}", host, port)).await?;
     stream.set_nodelay(true)?;
+    // Apply keepalive with 60s default (tls_handler doesn't have ConnectionConfig access)
+    if let Err(e) = crate::socket_opts::apply_keepalive(&stream, std::time::Duration::from_secs(60)) {
+        debug!("Failed to set keepalive on backend TLS socket: {}", e);
+    }
 
     let server_name = rustls::pki_types::ServerName::try_from(host.to_string())?;
     let tls_stream = connector.connect(server_name, stream).await?;

rust/crates/rustproxy-routing/src/route_manager.rs

@@ -12,6 +12,8 @@ pub struct MatchContext<'a> {
     pub tls_version: Option<&'a str>,
     pub headers: Option<&'a HashMap<String, String>>,
     pub is_tls: bool,
+    /// Detected protocol: "http" or "tcp". None when unknown (e.g. pre-TLS-termination).
+    pub protocol: Option<&'a str>,
 }
 
 /// Result of a route match.
@@ -87,9 +89,17 @@ impl RouteManager {
                 if !matchers::domain_matches_any(&patterns, domain) {
                     return false;
                 }
+            } else if ctx.is_tls {
+                // TLS connection without SNI cannot match a domain-restricted route.
+                // This prevents session-ticket resumption from misrouting when clients
+                // omit SNI (RFC 8446 recommends but doesn't mandate SNI on resumption).
+                // Wildcard-only routes (domains: ["*"]) still match since they accept all.
+                let patterns = domains.to_vec();
+                let is_wildcard_only = patterns.iter().all(|d| *d == "*");
+                if !is_wildcard_only {
+                    return false;
+                }
             }
-            // If no domain provided but route requires domain, it depends on context
-            // For TLS passthrough, we need SNI; for other cases we may still match
         }
 
         // Path matching
@@ -137,6 +147,17 @@ impl RouteManager {
             }
         }
 
+        // Protocol matching
+        if let Some(ref required_protocol) = rm.protocol {
+            if let Some(protocol) = ctx.protocol {
+                if required_protocol != protocol {
+                    return false;
+                }
+            }
+            // If protocol not yet known (None), allow match — protocol will be
+            // validated after detection (post-TLS-termination peek)
+        }
+
         true
     }
 
@@ -277,6 +298,7 @@ mod tests {
                 client_ip: None,
                 tls_version: None,
                 headers: None,
+                protocol: None,
             },
             action: RouteAction {
                 action_type: RouteActionType::Forward,
@@ -327,6 +349,7 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
         };
 
         let result = manager.find_route(&ctx);
@@ -349,6 +372,7 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
         };
 
         let result = manager.find_route(&ctx).unwrap();
@@ -372,6 +396,7 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
         };
 
         assert!(manager.find_route(&ctx).is_none());
@@ -457,6 +482,116 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
+        };
+
+        assert!(manager.find_route(&ctx).is_some());
+    }
+
+    #[test]
+    fn test_tls_no_sni_rejects_domain_restricted_route() {
+        let routes = vec![make_route(443, Some("example.com"), 0)];
+        let manager = RouteManager::new(routes);
+
+        // TLS connection without SNI should NOT match a domain-restricted route
+        let ctx = MatchContext {
+            port: 443,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: true,
+            protocol: None,
+        };
+
+        assert!(manager.find_route(&ctx).is_none());
+    }
+
+    #[test]
+    fn test_tls_no_sni_rejects_wildcard_subdomain_route() {
+        let routes = vec![make_route(443, Some("*.example.com"), 0)];
+        let manager = RouteManager::new(routes);
+
+        // TLS connection without SNI should NOT match *.example.com
+        let ctx = MatchContext {
+            port: 443,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: true,
+            protocol: None,
+        };
+
+        assert!(manager.find_route(&ctx).is_none());
+    }
+
+    #[test]
+    fn test_tls_no_sni_matches_wildcard_only_route() {
+        let routes = vec![make_route(443, Some("*"), 0)];
+        let manager = RouteManager::new(routes);
+
+        // TLS connection without SNI SHOULD match a wildcard-only route
+        let ctx = MatchContext {
+            port: 443,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: true,
+            protocol: None,
+        };
+
+        assert!(manager.find_route(&ctx).is_some());
+    }
+
+    #[test]
+    fn test_tls_no_sni_skips_domain_restricted_matches_fallback() {
+        // Two routes: first is domain-restricted, second is wildcard catch-all
+        let routes = vec![
+            make_route(443, Some("specific.com"), 10),
+            make_route(443, Some("*"), 0),
+        ];
+        let manager = RouteManager::new(routes);
+
+        // TLS without SNI should skip specific.com and fall through to wildcard
+        let ctx = MatchContext {
+            port: 443,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: true,
+            protocol: None,
+        };
+
+        let result = manager.find_route(&ctx);
+        assert!(result.is_some());
+        let matched_domains = result.unwrap().route.route_match.domains.as_ref()
+            .map(|d| d.to_vec()).unwrap();
+        assert!(matched_domains.contains(&"*"));
+    }
+
+    #[test]
+    fn test_non_tls_no_domain_still_matches_domain_restricted() {
+        // Non-TLS (plain HTTP) without domain should still match domain-restricted routes
+        // (the HTTP proxy layer handles Host-based routing)
+        let routes = vec![make_route(80, Some("example.com"), 0)];
+        let manager = RouteManager::new(routes);
+
+        let ctx = MatchContext {
+            port: 80,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: false,
+            protocol: None,
         };
 
         assert!(manager.find_route(&ctx).is_some());
@@ -475,6 +610,7 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
         };
 
         assert!(manager.find_route(&ctx).is_some());
@@ -525,6 +661,7 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
         };
         let result = manager.find_route(&ctx).unwrap();
         assert_eq!(result.target.unwrap().host.first(), "api-backend");
@@ -538,8 +675,102 @@ mod tests {
             tls_version: None,
             headers: None,
             is_tls: false,
+            protocol: None,
         };
         let result = manager.find_route(&ctx).unwrap();
         assert_eq!(result.target.unwrap().host.first(), "default-backend");
     }
+
+    fn make_route_with_protocol(port: u16, domain: Option<&str>, protocol: Option<&str>) -> RouteConfig {
+        let mut route = make_route(port, domain, 0);
+        route.route_match.protocol = protocol.map(|s| s.to_string());
+        route
+    }
+
+    #[test]
+    fn test_protocol_http_matches_http() {
+        let routes = vec![make_route_with_protocol(80, None, Some("http"))];
+        let manager = RouteManager::new(routes);
+
+        let ctx = MatchContext {
+            port: 80,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: false,
+            protocol: Some("http"),
+        };
+        assert!(manager.find_route(&ctx).is_some());
+    }
+
+    #[test]
+    fn test_protocol_http_rejects_tcp() {
+        let routes = vec![make_route_with_protocol(80, None, Some("http"))];
+        let manager = RouteManager::new(routes);
+
+        let ctx = MatchContext {
+            port: 80,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: false,
+            protocol: Some("tcp"),
+        };
+        assert!(manager.find_route(&ctx).is_none());
+    }
+
+    #[test]
+    fn test_protocol_none_matches_any() {
+        // Route with no protocol restriction matches any protocol
+        let routes = vec![make_route_with_protocol(80, None, None)];
+        let manager = RouteManager::new(routes);
+
+        let ctx_http = MatchContext {
+            port: 80,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: false,
+            protocol: Some("http"),
+        };
+        assert!(manager.find_route(&ctx_http).is_some());
+
+        let ctx_tcp = MatchContext {
+            port: 80,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: false,
+            protocol: Some("tcp"),
+        };
+        assert!(manager.find_route(&ctx_tcp).is_some());
+    }
+
+    #[test]
+    fn test_protocol_http_matches_when_unknown() {
+        // Route with protocol: "http" should match when ctx.protocol is None
+        // (pre-TLS-termination, protocol not yet known)
+        let routes = vec![make_route_with_protocol(443, None, Some("http"))];
+        let manager = RouteManager::new(routes);
+
+        let ctx = MatchContext {
+            port: 443,
+            domain: None,
+            path: None,
+            client_ip: None,
+            tls_version: None,
+            headers: None,
+            is_tls: true,
+            protocol: None,
+        };
+        assert!(manager.find_route(&ctx).is_some());
+    }
 }

rust/crates/rustproxy/Cargo.toml

@@ -39,6 +39,7 @@ hyper = { workspace = true }
 hyper-util = { workspace = true }
 http-body-util = { workspace = true }
 bytes = { workspace = true }
+tikv-jemallocator = { workspace = true }
 
 [dev-dependencies]
 rcgen = { workspace = true }

rust/crates/rustproxy/src/lib.rs

@@ -27,7 +27,7 @@
 pub mod challenge_server;
 pub mod management;
 
-use std::collections::HashMap;
+use std::collections::{HashMap, HashSet};
 use std::sync::Arc;
 use std::time::Instant;
 
@@ -51,6 +51,7 @@ use rustproxy_passthrough::{TcpListenerManager, TlsCertConfig, ConnectionConfig}
 use rustproxy_metrics::{MetricsCollector, Metrics, Statistics};
 use rustproxy_tls::{CertManager, CertStore, CertBundle, CertMetadata, CertSource};
 use rustproxy_nftables::{NftManager, rule_builder};
+use tokio_util::sync::CancellationToken;
 
 /// Certificate status.
 #[derive(Debug, Clone)]
@@ -77,6 +78,10 @@ pub struct RustProxy {
     started_at: Option<Instant>,
     /// Shared path to a Unix domain socket for relaying socket-handler connections back to TypeScript.
     socket_handler_relay: Arc<std::sync::RwLock<Option<String>>>,
+    /// Dynamically loaded certificates (via loadCertificate IPC), independent of CertManager.
+    loaded_certs: HashMap<String, TlsCertConfig>,
+    /// Cancellation token for cooperative shutdown of background tasks.
+    cancel_token: CancellationToken,
 }
 
 impl RustProxy {
@@ -118,6 +123,8 @@ impl RustProxy {
             started: false,
             started_at: None,
             socket_handler_relay: Arc::new(std::sync::RwLock::new(None)),
+            loaded_certs: HashMap::new(),
+            cancel_token: CancellationToken::new(),
         })
     }
 
@@ -214,6 +221,13 @@ impl RustProxy {
             extended_keep_alive_lifetime_ms: options.extended_keep_alive_lifetime,
             accept_proxy_protocol: options.accept_proxy_protocol.unwrap_or(false),
             send_proxy_protocol: options.send_proxy_protocol.unwrap_or(false),
+            proxy_ips: options.proxy_ips.as_deref().unwrap_or(&[])
+                .iter()
+                .filter_map(|s| s.parse::<std::net::IpAddr>().ok())
+                .collect(),
+            keep_alive: options.keep_alive.unwrap_or(true),
+            keep_alive_initial_delay_ms: options.keep_alive_initial_delay.unwrap_or(60_000),
+            max_connections: options.max_connections.unwrap_or(100_000),
         }
     }
 
@@ -268,6 +282,13 @@ impl RustProxy {
             }
         }
 
+        // Merge dynamically loaded certs (from loadCertificate IPC)
+        for (d, c) in &self.loaded_certs {
+            if !tls_configs.contains_key(d) {
+                tls_configs.insert(d.clone(), c.clone());
+            }
+        }
+
         if !tls_configs.is_empty() {
             debug!("Loaded TLS certificates for {} domains", tls_configs.len());
             listener.set_tls_configs(tls_configs);
@@ -282,18 +303,26 @@ impl RustProxy {
         self.started = true;
         self.started_at = Some(Instant::now());
 
-        // Start the throughput sampling task
+        // Start the throughput sampling task with cooperative cancellation
         let metrics = Arc::clone(&self.metrics);
+        let conn_tracker = self.listener_manager.as_ref().unwrap().conn_tracker().clone();
         let interval_ms = self.options.metrics.as_ref()
             .and_then(|m| m.sample_interval_ms)
             .unwrap_or(1000);
+        let sampling_cancel = self.cancel_token.clone();
         self.sampling_handle = Some(tokio::spawn(async move {
             let mut interval = tokio::time::interval(
                 std::time::Duration::from_millis(interval_ms)
             );
             loop {
-                interval.tick().await;
+                tokio::select! {
-                metrics.sample_all();
+                    _ = sampling_cancel.cancelled() => break,
+                    _ = interval.tick() => {
+                        metrics.sample_all();
+                        // Periodically clean up stale rate-limit timestamp entries
+                        conn_tracker.cleanup_stale_timestamps();
+                    }
+                }
             }
         }));
 
@@ -440,51 +469,59 @@ impl RustProxy {
             .unwrap_or(80);
 
         let interval = std::time::Duration::from_secs(check_interval_hours as u64 * 3600);
+        let renewal_cancel = self.cancel_token.clone();
 
         let handle = tokio::spawn(async move {
             loop {
-                tokio::time::sleep(interval).await;
+                tokio::select! {
-                debug!("Certificate renewal check triggered (interval: {}h)", check_interval_hours);
+                    _ = renewal_cancel.cancelled() => {
+                        debug!("Renewal timer shutting down");
+                        break;
+                    }
+                    _ = tokio::time::sleep(interval) => {
+                        debug!("Certificate renewal check triggered (interval: {}h)", check_interval_hours);
 
-                // Check which domains need renewal
+                        // Check which domains need renewal
-                let domains = {
+                        let domains = {
-                    let cm = cm_arc.lock().await;
+                            let cm = cm_arc.lock().await;
-                    cm.check_renewals()
+                            cm.check_renewals()
-                };
+                        };
 
-                if domains.is_empty() {
+                        if domains.is_empty() {
-                    debug!("No certificates need renewal");
+                            debug!("No certificates need renewal");
-                    continue;
+                            continue;
-                }
-
-                info!("Renewing {} certificate(s)", domains.len());
-
-                // Start challenge server for renewals
-                let mut cs = challenge_server::ChallengeServer::new();
-                if let Err(e) = cs.start(acme_port).await {
-                    error!("Failed to start challenge server for renewal: {}", e);
-                    continue;
-                }
-
-                for domain in &domains {
-                    let cs_ref = &cs;
-                    let mut cm = cm_arc.lock().await;
-                    let result = cm.renew_domain(domain, |token, key_auth| {
-                        cs_ref.set_challenge(token, key_auth);
-                        async {}
-                    }).await;
-
-                    match result {
-                        Ok(_bundle) => {
-                            info!("Successfully renewed certificate for {}", domain);
                         }
-                        Err(e) => {
+
-                            error!("Failed to renew certificate for {}: {}", domain, e);
+                        info!("Renewing {} certificate(s)", domains.len());
+
+                        // Start challenge server for renewals
+                        let mut cs = challenge_server::ChallengeServer::new();
+                        if let Err(e) = cs.start(acme_port).await {
+                            error!("Failed to start challenge server for renewal: {}", e);
+                            continue;
                         }
+
+                        for domain in &domains {
+                            let cs_ref = &cs;
+                            let mut cm = cm_arc.lock().await;
+                            let result = cm.renew_domain(domain, |token, key_auth| {
+                                cs_ref.set_challenge(token, key_auth);
+                                async {}
+                            }).await;
+
+                            match result {
+                                Ok(_bundle) => {
+                                    info!("Successfully renewed certificate for {}", domain);
+                                }
+                                Err(e) => {
+                                    error!("Failed to renew certificate for {}: {}", domain, e);
+                                }
+                            }
+                        }
+
+                        cs.stop().await;
                     }
                 }
-
-                cs.stop().await;
             }
         });
 
@@ -499,14 +536,17 @@ impl RustProxy {
 
         info!("Stopping RustProxy...");
 
-        // Stop sampling task
+        // Signal all background tasks to stop cooperatively
+        self.cancel_token.cancel();
+
+        // Await sampling task (cooperative shutdown)
         if let Some(handle) = self.sampling_handle.take() {
-            handle.abort();
+            let _ = handle.await;
         }
 
-        // Stop renewal timer
+        // Await renewal timer (cooperative shutdown)
         if let Some(handle) = self.renewal_handle.take() {
-            handle.abort();
+            let _ = handle.await;
         }
 
         // Stop challenge server if running
@@ -528,6 +568,8 @@ impl RustProxy {
         }
         self.listener_manager = None;
         self.started = false;
+        // Reset cancel token so proxy can be restarted
+        self.cancel_token = CancellationToken::new();
 
         info!("RustProxy stopped");
         Ok(())
@@ -555,6 +597,12 @@ impl RustProxy {
             vec![]
         };
 
+        // Prune per-route metrics for route IDs that no longer exist
+        let active_route_ids: HashSet<String> = routes.iter()
+            .filter_map(|r| r.id.clone())
+            .collect();
+        self.metrics.retain_routes(&active_route_ids);
+
         // Atomically swap the route table
         let new_manager = Arc::new(new_manager);
         self.route_table.store(Arc::clone(&new_manager));
@@ -562,6 +610,8 @@ impl RustProxy {
         // Update listener manager
         if let Some(ref mut listener) = self.listener_manager {
             listener.update_route_manager(Arc::clone(&new_manager));
+            // Prune HTTP proxy caches (rate limiters, regex cache, round-robin counters)
+            listener.prune_http_proxy_caches(&active_route_ids);
 
             // Update TLS configs
             let mut tls_configs = Self::extract_tls_configs(&routes);
@@ -576,6 +626,12 @@ impl RustProxy {
                     }
                 }
             }
+            // Merge dynamically loaded certs (from loadCertificate IPC)
+            for (d, c) in &self.loaded_certs {
+                if !tls_configs.contains_key(d) {
+                    tls_configs.insert(d.clone(), c.clone());
+                }
+            }
             listener.set_tls_configs(tls_configs);
 
             // Add new ports
@@ -786,6 +842,12 @@ impl RustProxy {
             cm.load_static(domain.to_string(), bundle);
         }
 
+        // Persist in loaded_certs so future rebuild calls include this cert
+        self.loaded_certs.insert(domain.to_string(), TlsCertConfig {
+            cert_pem: cert_pem.clone(),
+            key_pem: key_pem.clone(),
+        });
+
         // Hot-swap TLS config on the listener
         if let Some(ref mut listener) = self.listener_manager {
             let mut tls_configs = Self::extract_tls_configs(&self.options.routes);
@@ -809,6 +871,13 @@ impl RustProxy {
                 }
             }
 
+            // Merge dynamically loaded certs from previous loadCertificate calls
+            for (d, c) in &self.loaded_certs {
+                if !tls_configs.contains_key(d) {
+                    tls_configs.insert(d.clone(), c.clone());
+                }
+            }
+
             listener.set_tls_configs(tls_configs);
         }
 
@@ -941,3 +1010,21 @@ impl RustProxy {
         configs
     }
 }
+
+/// Safety net: abort background tasks if RustProxy is dropped without calling stop().
+/// Normal shutdown should still use stop() for graceful behavior.
+impl Drop for RustProxy {
+    fn drop(&mut self) {
+        self.cancel_token.cancel();
+        if let Some(handle) = self.sampling_handle.take() {
+            handle.abort();
+        }
+        if let Some(handle) = self.renewal_handle.take() {
+            handle.abort();
+        }
+        // Cancel the listener manager's token and abort accept loops
+        if let Some(ref mut listener) = self.listener_manager {
+            listener.stop_all();
+        }
+    }
+}

rust/crates/rustproxy/src/main.rs

@@ -1,3 +1,6 @@
+#[global_allocator]
+static GLOBAL: tikv_jemallocator::Jemalloc = tikv_jemallocator::Jemalloc;
+
 use clap::Parser;
 use tracing_subscriber::EnvFilter;
 use anyhow::Result;

rust/crates/rustproxy/tests/common/mod.rs

@@ -185,6 +185,76 @@ pub async fn wait_for_port(port: u16, timeout_ms: u64) -> bool {
     false
 }
 
+/// Start a TLS HTTP echo backend: accepts TLS, then responds with HTTP JSON
+/// containing request details. Combines TLS acceptance with HTTP echo behavior.
+pub async fn start_tls_http_backend(
+    port: u16,
+    backend_name: &str,
+    cert_pem: &str,
+    key_pem: &str,
+) -> JoinHandle<()> {
+    use std::sync::Arc;
+
+    let acceptor = rustproxy_passthrough::build_tls_acceptor(cert_pem, key_pem)
+        .expect("Failed to build TLS acceptor");
+    let acceptor = Arc::new(acceptor);
+    let name = backend_name.to_string();
+
+    let listener = TcpListener::bind(format!("127.0.0.1:{}", port))
+        .await
+        .unwrap_or_else(|_| panic!("Failed to bind TLS HTTP backend on port {}", port));
+
+    tokio::spawn(async move {
+        loop {
+            let (stream, _) = match listener.accept().await {
+                Ok(conn) => conn,
+                Err(_) => break,
+            };
+            let acc = acceptor.clone();
+            let backend = name.clone();
+            tokio::spawn(async move {
+                let mut tls_stream = match acc.accept(stream).await {
+                    Ok(s) => s,
+                    Err(_) => return,
+                };
+
+                let mut buf = vec![0u8; 16384];
+                let n = match tls_stream.read(&mut buf).await {
+                    Ok(0) | Err(_) => return,
+                    Ok(n) => n,
+                };
+                let req_str = String::from_utf8_lossy(&buf[..n]);
+
+                // Parse first line: METHOD PATH HTTP/x.x
+                let first_line = req_str.lines().next().unwrap_or("");
+                let parts: Vec<&str> = first_line.split_whitespace().collect();
+                let method = parts.first().copied().unwrap_or("UNKNOWN");
+                let path = parts.get(1).copied().unwrap_or("/");
+
+                // Extract Host header
+                let host = req_str
+                    .lines()
+                    .find(|l| l.to_lowercase().starts_with("host:"))
+                    .map(|l| l[5..].trim())
+                    .unwrap_or("unknown");
+
+                let body = format!(
+                    r#"{{"method":"{}","path":"{}","host":"{}","backend":"{}"}}"#,
+                    method, path, host, backend
+                );
+
+                let response = format!(
+                    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
+                    body.len(),
+                    body,
+                );
+                let _ = tls_stream.write_all(response.as_bytes()).await;
+                let _ = tls_stream.shutdown().await;
+            });
+        }
+    })
+}
+
 /// Helper to create a minimal route config for testing.
 pub fn make_test_route(
     port: u16,
@@ -201,6 +271,7 @@ pub fn make_test_route(
             client_ip: None,
             tls_version: None,
             headers: None,
+            protocol: None,
         },
         action: rustproxy_config::RouteAction {
             action_type: rustproxy_config::RouteActionType::Forward,
@@ -381,6 +452,86 @@ pub fn make_tls_terminate_route(
     route
 }
 
+/// Start a TLS WebSocket echo backend: accepts TLS, performs WS handshake, then echoes data.
+/// Combines TLS acceptance (like `start_tls_http_backend`) with WebSocket echo (like `start_ws_echo_backend`).
+pub async fn start_tls_ws_echo_backend(
+    port: u16,
+    cert_pem: &str,
+    key_pem: &str,
+) -> JoinHandle<()> {
+    use std::sync::Arc;
+
+    let acceptor = rustproxy_passthrough::build_tls_acceptor(cert_pem, key_pem)
+        .expect("Failed to build TLS acceptor");
+    let acceptor = Arc::new(acceptor);
+
+    let listener = TcpListener::bind(format!("127.0.0.1:{}", port))
+        .await
+        .unwrap_or_else(|_| panic!("Failed to bind TLS WS echo backend on port {}", port));
+
+    tokio::spawn(async move {
+        loop {
+            let (stream, _) = match listener.accept().await {
+                Ok(conn) => conn,
+                Err(_) => break,
+            };
+            let acc = acceptor.clone();
+            tokio::spawn(async move {
+                let mut tls_stream = match acc.accept(stream).await {
+                    Ok(s) => s,
+                    Err(_) => return,
+                };
+
+                // Read the HTTP upgrade request
+                let mut buf = vec![0u8; 4096];
+                let n = match tls_stream.read(&mut buf).await {
+                    Ok(0) | Err(_) => return,
+                    Ok(n) => n,
+                };
+
+                let req_str = String::from_utf8_lossy(&buf[..n]);
+
+                // Extract Sec-WebSocket-Key for handshake
+                let ws_key = req_str
+                    .lines()
+                    .find(|l| l.to_lowercase().starts_with("sec-websocket-key:"))
+                    .map(|l| l.split(':').nth(1).unwrap_or("").trim().to_string())
+                    .unwrap_or_default();
+
+                // Send 101 Switching Protocols
+                let accept_response = format!(
+                    "HTTP/1.1 101 Switching Protocols\r\n\
+                     Upgrade: websocket\r\n\
+                     Connection: Upgrade\r\n\
+                     Sec-WebSocket-Accept: {}\r\n\
+                     \r\n",
+                    ws_key
+                );
+
+                if tls_stream
+                    .write_all(accept_response.as_bytes())
+                    .await
+                    .is_err()
+                {
+                    return;
+                }
+
+                // Echo all data back (raw TCP after upgrade)
+                let mut echo_buf = vec![0u8; 65536];
+                loop {
+                    let n = match tls_stream.read(&mut echo_buf).await {
+                        Ok(0) | Err(_) => break,
+                        Ok(n) => n,
+                    };
+                    if tls_stream.write_all(&echo_buf[..n]).await.is_err() {
+                        break;
+                    }
+                }
+            });
+        }
+    })
+}
+
 /// Helper to create a TLS passthrough route for testing.
 pub fn make_tls_passthrough_route(
     port: u16,

rust/crates/rustproxy/tests/integration_http_proxy.rs

@@ -407,6 +407,305 @@ async fn test_websocket_through_proxy() {
     proxy.stop().await.unwrap();
 }
 
+/// Test that terminate-and-reencrypt mode routes HTTP traffic through the
+/// full HTTP proxy with per-request Host-based routing.
+///
+/// This verifies the new behavior: after TLS termination, HTTP data is detected
+/// and routed through HttpProxyService (like nginx) instead of being blindly tunneled.
+#[tokio::test]
+async fn test_terminate_and_reencrypt_http_routing() {
+    let backend1_port = next_port();
+    let backend2_port = next_port();
+    let proxy_port = next_port();
+
+    let (cert1, key1) = generate_self_signed_cert("alpha.example.com");
+    let (cert2, key2) = generate_self_signed_cert("beta.example.com");
+
+    // Generate separate backend certs (backends are independent TLS servers)
+    let (backend_cert1, backend_key1) = generate_self_signed_cert("localhost");
+    let (backend_cert2, backend_key2) = generate_self_signed_cert("localhost");
+
+    // Start TLS HTTP echo backends (proxy re-encrypts to these)
+    let _b1 = start_tls_http_backend(backend1_port, "alpha", &backend_cert1, &backend_key1).await;
+    let _b2 = start_tls_http_backend(backend2_port, "beta", &backend_cert2, &backend_key2).await;
+
+    // Create terminate-and-reencrypt routes
+    let mut route1 = make_tls_terminate_route(
+        proxy_port, "alpha.example.com", "127.0.0.1", backend1_port, &cert1, &key1,
+    );
+    route1.action.tls.as_mut().unwrap().mode = rustproxy_config::TlsMode::TerminateAndReencrypt;
+
+    let mut route2 = make_tls_terminate_route(
+        proxy_port, "beta.example.com", "127.0.0.1", backend2_port, &cert2, &key2,
+    );
+    route2.action.tls.as_mut().unwrap().mode = rustproxy_config::TlsMode::TerminateAndReencrypt;
+
+    let options = RustProxyOptions {
+        routes: vec![route1, route2],
+        ..Default::default()
+    };
+
+    let mut proxy = RustProxy::new(options).unwrap();
+    proxy.start().await.unwrap();
+    assert!(wait_for_port(proxy_port, 2000).await);
+
+    // Test alpha domain - HTTP request through TLS terminate-and-reencrypt
+    let alpha_result = with_timeout(async {
+        let _ = rustls::crypto::ring::default_provider().install_default();
+        let tls_config = rustls::ClientConfig::builder()
+            .dangerous()
+            .with_custom_certificate_verifier(std::sync::Arc::new(InsecureVerifier))
+            .with_no_client_auth();
+        let connector = tokio_rustls::TlsConnector::from(std::sync::Arc::new(tls_config));
+
+        let stream = tokio::net::TcpStream::connect(format!("127.0.0.1:{}", proxy_port))
+            .await
+            .unwrap();
+        let server_name = rustls::pki_types::ServerName::try_from("alpha.example.com".to_string()).unwrap();
+        let mut tls_stream = connector.connect(server_name, stream).await.unwrap();
+
+        let request = "GET /api/data HTTP/1.1\r\nHost: alpha.example.com\r\nConnection: close\r\n\r\n";
+        tls_stream.write_all(request.as_bytes()).await.unwrap();
+
+        let mut response = Vec::new();
+        tls_stream.read_to_end(&mut response).await.unwrap();
+        String::from_utf8_lossy(&response).to_string()
+    }, 10)
+    .await
+    .unwrap();
+
+    let alpha_body = extract_body(&alpha_result);
+    assert!(
+        alpha_body.contains(r#""backend":"alpha"#),
+        "Expected alpha backend, got: {}",
+        alpha_body
+    );
+    assert!(
+        alpha_body.contains(r#""method":"GET"#),
+        "Expected GET method, got: {}",
+        alpha_body
+    );
+    assert!(
+        alpha_body.contains(r#""path":"/api/data"#),
+        "Expected /api/data path, got: {}",
+        alpha_body
+    );
+    // Verify original Host header is preserved (not replaced with backend IP:port)
+    assert!(
+        alpha_body.contains(r#""host":"alpha.example.com"#),
+        "Expected original Host header alpha.example.com, got: {}",
+        alpha_body
+    );
+
+    // Test beta domain - different host goes to different backend
+    let beta_result = with_timeout(async {
+        let _ = rustls::crypto::ring::default_provider().install_default();
+        let tls_config = rustls::ClientConfig::builder()
+            .dangerous()
+            .with_custom_certificate_verifier(std::sync::Arc::new(InsecureVerifier))
+            .with_no_client_auth();
+        let connector = tokio_rustls::TlsConnector::from(std::sync::Arc::new(tls_config));
+
+        let stream = tokio::net::TcpStream::connect(format!("127.0.0.1:{}", proxy_port))
+            .await
+            .unwrap();
+        let server_name = rustls::pki_types::ServerName::try_from("beta.example.com".to_string()).unwrap();
+        let mut tls_stream = connector.connect(server_name, stream).await.unwrap();
+
+        let request = "GET /other HTTP/1.1\r\nHost: beta.example.com\r\nConnection: close\r\n\r\n";
+        tls_stream.write_all(request.as_bytes()).await.unwrap();
+
+        let mut response = Vec::new();
+        tls_stream.read_to_end(&mut response).await.unwrap();
+        String::from_utf8_lossy(&response).to_string()
+    }, 10)
+    .await
+    .unwrap();
+
+    let beta_body = extract_body(&beta_result);
+    assert!(
+        beta_body.contains(r#""backend":"beta"#),
+        "Expected beta backend, got: {}",
+        beta_body
+    );
+    assert!(
+        beta_body.contains(r#""path":"/other"#),
+        "Expected /other path, got: {}",
+        beta_body
+    );
+    // Verify original Host header is preserved for beta too
+    assert!(
+        beta_body.contains(r#""host":"beta.example.com"#),
+        "Expected original Host header beta.example.com, got: {}",
+        beta_body
+    );
+
+    proxy.stop().await.unwrap();
+}
+
+/// Test that WebSocket upgrade works through terminate-and-reencrypt mode.
+///
+/// Verifies the full chain: client→TLS→proxy terminates→re-encrypts→TLS→backend WebSocket.
+/// The proxy's `handle_websocket_upgrade` checks `upstream.use_tls` and calls
+/// `connect_tls_backend()` when true. This test covers that path.
+#[tokio::test]
+async fn test_terminate_and_reencrypt_websocket() {
+    let backend_port = next_port();
+    let proxy_port = next_port();
+    let domain = "ws.example.com";
+
+    // Frontend cert (client→proxy TLS)
+    let (frontend_cert, frontend_key) = generate_self_signed_cert(domain);
+    // Backend cert (proxy→backend TLS)
+    let (backend_cert, backend_key) = generate_self_signed_cert("localhost");
+
+    // Start TLS WebSocket echo backend
+    let _backend = start_tls_ws_echo_backend(backend_port, &backend_cert, &backend_key).await;
+
+    // Create terminate-and-reencrypt route
+    let mut route = make_tls_terminate_route(
+        proxy_port,
+        domain,
+        "127.0.0.1",
+        backend_port,
+        &frontend_cert,
+        &frontend_key,
+    );
+    route.action.tls.as_mut().unwrap().mode = rustproxy_config::TlsMode::TerminateAndReencrypt;
+
+    let options = RustProxyOptions {
+        routes: vec![route],
+        ..Default::default()
+    };
+
+    let mut proxy = RustProxy::new(options).unwrap();
+    proxy.start().await.unwrap();
+    assert!(wait_for_port(proxy_port, 2000).await);
+
+    let result = with_timeout(
+        async {
+            let _ = rustls::crypto::ring::default_provider().install_default();
+            let tls_config = rustls::ClientConfig::builder()
+                .dangerous()
+                .with_custom_certificate_verifier(std::sync::Arc::new(InsecureVerifier))
+                .with_no_client_auth();
+            let connector =
+                tokio_rustls::TlsConnector::from(std::sync::Arc::new(tls_config));
+
+            let stream = tokio::net::TcpStream::connect(format!("127.0.0.1:{}", proxy_port))
+                .await
+                .unwrap();
+            let server_name =
+                rustls::pki_types::ServerName::try_from(domain.to_string()).unwrap();
+            let mut tls_stream = connector.connect(server_name, stream).await.unwrap();
+
+            // Send WebSocket upgrade request through TLS
+            let request = format!(
+                "GET /ws HTTP/1.1\r\n\
+                 Host: {}\r\n\
+                 Upgrade: websocket\r\n\
+                 Connection: Upgrade\r\n\
+                 Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\
+                 Sec-WebSocket-Version: 13\r\n\
+                 \r\n",
+                domain
+            );
+            tls_stream.write_all(request.as_bytes()).await.unwrap();
+
+            // Read the 101 response (byte-by-byte until \r\n\r\n)
+            let mut response_buf = Vec::with_capacity(4096);
+            let mut temp = [0u8; 1];
+            loop {
+                let n = tls_stream.read(&mut temp).await.unwrap();
+                if n == 0 {
+                    break;
+                }
+                response_buf.push(temp[0]);
+                if response_buf.len() >= 4 {
+                    let len = response_buf.len();
+                    if response_buf[len - 4..] == *b"\r\n\r\n" {
+                        break;
+                    }
+                }
+            }
+
+            let response_str = String::from_utf8_lossy(&response_buf).to_string();
+            assert!(
+                response_str.contains("101"),
+                "Expected 101 Switching Protocols, got: {}",
+                response_str
+            );
+            assert!(
+                response_str.to_lowercase().contains("upgrade: websocket"),
+                "Expected Upgrade header, got: {}",
+                response_str
+            );
+
+            // After upgrade, send data and verify echo
+            let test_data = b"Hello TLS WebSocket!";
+            tls_stream.write_all(test_data).await.unwrap();
+
+            // Read echoed data
+            let mut echo_buf = vec![0u8; 256];
+            let n = tls_stream.read(&mut echo_buf).await.unwrap();
+            let echoed = &echo_buf[..n];
+
+            assert_eq!(echoed, test_data, "Expected echo of sent data");
+
+            "ok".to_string()
+        },
+        10,
+    )
+    .await
+    .unwrap();
+
+    assert_eq!(result, "ok");
+    proxy.stop().await.unwrap();
+}
+
+/// Test that the protocol field on route config is accepted and processed.
+#[tokio::test]
+async fn test_protocol_field_in_route_config() {
+    let backend_port = next_port();
+    let proxy_port = next_port();
+
+    let _backend = start_http_echo_backend(backend_port, "main").await;
+
+    // Create a route with protocol: "http" - should only match HTTP traffic
+    let mut route = make_test_route(proxy_port, None, "127.0.0.1", backend_port);
+    route.route_match.protocol = Some("http".to_string());
+
+    let options = RustProxyOptions {
+        routes: vec![route],
+        ..Default::default()
+    };
+
+    let mut proxy = RustProxy::new(options).unwrap();
+    proxy.start().await.unwrap();
+    assert!(wait_for_port(proxy_port, 2000).await);
+
+    // HTTP request should match the route and get proxied
+    let result = with_timeout(async {
+        let response = send_http_request(proxy_port, "example.com", "GET", "/test").await;
+        extract_body(&response).to_string()
+    }, 10)
+    .await
+    .unwrap();
+
+    assert!(
+        result.contains(r#""backend":"main"#),
+        "Expected main backend, got: {}",
+        result
+    );
+    assert!(
+        result.contains(r#""path":"/test"#),
+        "Expected /test path, got: {}",
+        result
+    );
+
+    proxy.stop().await.unwrap();
+}
+
 /// InsecureVerifier for test TLS client connections.
 #[derive(Debug)]
 struct InsecureVerifier;

test/helpers/port-allocator.ts

@@ -0,0 +1,70 @@
+import * as net from 'net';
+
+/**
+ * Finds `count` free ports by binding to port 0 and reading the OS-assigned port.
+ * All servers are opened simultaneously to guarantee uniqueness.
+ * Returns an array of guaranteed-free ports.
+ */
+export async function findFreePorts(count: number): Promise<number[]> {
+  const servers: net.Server[] = [];
+  const ports: number[] = [];
+
+  // Open all servers simultaneously on port 0
+  await Promise.all(
+    Array.from({ length: count }, () =>
+      new Promise<void>((resolve, reject) => {
+        const server = net.createServer();
+        server.listen(0, '127.0.0.1', () => {
+          const addr = server.address() as net.AddressInfo;
+          ports.push(addr.port);
+          servers.push(server);
+          resolve();
+        });
+        server.on('error', reject);
+      })
+    )
+  );
+
+  // Close all servers
+  await Promise.all(
+    servers.map(
+      (server) => new Promise<void>((resolve) => server.close(() => resolve()))
+    )
+  );
+
+  return ports;
+}
+
+/**
+ * Verifies that all given ports are free (not listening).
+ * Useful as a cleanup assertion at the end of tests.
+ * Throws if any port is still in use.
+ */
+export async function assertPortsFree(ports: number[]): Promise<void> {
+  const results = await Promise.all(
+    ports.map(
+      (port) =>
+        new Promise<{ port: number; free: boolean }>((resolve) => {
+          const client = net.connect({ port, host: '127.0.0.1' });
+          client.on('connect', () => {
+            client.destroy();
+            resolve({ port, free: false });
+          });
+          client.on('error', () => {
+            resolve({ port, free: true });
+          });
+          client.setTimeout(1000, () => {
+            client.destroy();
+            resolve({ port, free: true });
+          });
+        })
+    )
+  );
+
+  const occupied = results.filter((r) => !r.free);
+  if (occupied.length > 0) {
+    throw new Error(
+      `Ports still in use after cleanup: ${occupied.map((r) => r.port).join(', ')}`
+    );
+  }
+}

test/test.acme-http01-challenge.ts

@@ -1,9 +1,12 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartProxy, SocketHandlers } from '../ts/index.js';
 import * as net from 'net';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
 // Test that HTTP-01 challenges are properly processed when the initial data arrives
 tap.test('should correctly handle HTTP-01 challenge requests with initial data chunk', async (tapTest) => {
+  const [PORT] = await findFreePorts(1);
+
   // Prepare test data
   const challengeToken = 'test-acme-http01-challenge-token';
   const challengeResponse = 'mock-response-for-challenge';
@@ -37,7 +40,7 @@ tap.test('should correctly handle HTTP-01 challenge requests with initial data c
     routes: [{
       name: 'acme-challenge-route',
       match: {
-        ports: 8080,
+        ports: PORT,
         path: '/.well-known/acme-challenge/*'
       },
       action: {
@@ -60,7 +63,7 @@ tap.test('should correctly handle HTTP-01 challenge requests with initial data c
   
   // Connect to the proxy and send the HTTP-01 challenge request
   await new Promise<void>((resolve, reject) => {
-    testClient.connect(8080, 'localhost', () => {
+    testClient.connect(PORT, 'localhost', () => {
       // Send HTTP request for the challenge token
       testClient.write(
         `GET ${challengePath} HTTP/1.1\r\n` +
@@ -86,10 +89,13 @@ tap.test('should correctly handle HTTP-01 challenge requests with initial data c
   // Cleanup
   testClient.destroy();
   await proxy.stop();
+  await assertPortsFree([PORT]);
 });
 
 // Test that non-existent challenge tokens return 404
 tap.test('should return 404 for non-existent challenge tokens', async (tapTest) => {
+  const [PORT] = await findFreePorts(1);
+
   // Create a socket handler that behaves like a real ACME handler
   const acmeHandler = SocketHandlers.httpServer((req, res) => {
     if (req.url?.startsWith('/.well-known/acme-challenge/')) {
@@ -113,7 +119,7 @@ tap.test('should return 404 for non-existent challenge tokens', async (tapTest)
     routes: [{
       name: 'acme-challenge-route',
       match: {
-        ports: 8081,
+        ports: PORT,
         path: '/.well-known/acme-challenge/*'
       },
       action: {
@@ -135,7 +141,7 @@ tap.test('should return 404 for non-existent challenge tokens', async (tapTest)
   
   // Connect and send a request for a non-existent token
   await new Promise<void>((resolve, reject) => {
-    testClient.connect(8081, 'localhost', () => {
+    testClient.connect(PORT, 'localhost', () => {
       testClient.write(
         'GET /.well-known/acme-challenge/invalid-token HTTP/1.1\r\n' +
         'Host: test.example.com\r\n' +
@@ -157,6 +163,7 @@ tap.test('should return 404 for non-existent challenge tokens', async (tapTest)
   // Cleanup
   testClient.destroy();
   await proxy.stop();
+  await assertPortsFree([PORT]);
 });
 
 export default tap.start();

test/test.connection-forwarding.ts

@@ -5,6 +5,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import { SmartProxy } from '../ts/proxies/smart-proxy/smart-proxy.js';
 import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
 // Setup test infrastructure
 const testCertPath = path.join(process.cwd(), 'test', 'helpers', 'test-cert.pem');
@@ -13,8 +14,14 @@ const testKeyPath = path.join(process.cwd(), 'test', 'helpers', 'test-key.pem');
 let testServer: net.Server;
 let tlsTestServer: tls.Server;
 let smartProxy: SmartProxy;
+let PROXY_TCP_PORT: number;
+let PROXY_TLS_PORT: number;
+let TCP_SERVER_PORT: number;
+let TLS_SERVER_PORT: number;
 
 tap.test('setup test servers', async () => {
+  [PROXY_TCP_PORT, PROXY_TLS_PORT, TCP_SERVER_PORT, TLS_SERVER_PORT] = await findFreePorts(4);
+
   // Create TCP test server
   testServer = net.createServer((socket) => {
     socket.write('Connected to TCP test server\n');
@@ -24,8 +31,8 @@ tap.test('setup test servers', async () => {
   });
 
   await new Promise<void>((resolve) => {
-    testServer.listen(7001, '127.0.0.1', () => {
+    testServer.listen(TCP_SERVER_PORT, '127.0.0.1', () => {
-      console.log('TCP test server listening on port 7001');
+      console.log(`TCP test server listening on port ${TCP_SERVER_PORT}`);
       resolve();
     });
   });
@@ -45,8 +52,8 @@ tap.test('setup test servers', async () => {
   );
 
   await new Promise<void>((resolve) => {
-    tlsTestServer.listen(7002, '127.0.0.1', () => {
+    tlsTestServer.listen(TLS_SERVER_PORT, '127.0.0.1', () => {
-      console.log('TLS test server listening on port 7002');
+      console.log(`TLS test server listening on port ${TLS_SERVER_PORT}`);
       resolve();
     });
   });
@@ -60,13 +67,13 @@ tap.test('should forward TCP connections correctly', async () => {
       {
         name: 'tcp-forward',
         match: {
-          ports: 8080,
+          ports: PROXY_TCP_PORT,
         },
         action: {
           type: 'forward',
           targets: [{
             host: '127.0.0.1',
-            port: 7001,
+            port: TCP_SERVER_PORT,
           }],
         },
       },
@@ -77,7 +84,7 @@ tap.test('should forward TCP connections correctly', async () => {
 
   // Test TCP forwarding
   const client = await new Promise<net.Socket>((resolve, reject) => {
-    const socket = net.connect(8080, '127.0.0.1', () => {
+    const socket = net.connect(PROXY_TCP_PORT, '127.0.0.1', () => {
       console.log('Connected to proxy');
       resolve(socket);
     });
@@ -106,7 +113,7 @@ tap.test('should handle TLS passthrough correctly', async () => {
       {
         name: 'tls-passthrough',
         match: {
-          ports: 8443,
+          ports: PROXY_TLS_PORT,
           domains: 'test.example.com',
         },
         action: {
@@ -116,7 +123,7 @@ tap.test('should handle TLS passthrough correctly', async () => {
           },
           targets: [{
             host: '127.0.0.1',
-            port: 7002,
+            port: TLS_SERVER_PORT,
           }],
         },
       },
@@ -129,7 +136,7 @@ tap.test('should handle TLS passthrough correctly', async () => {
   const client = await new Promise<tls.TLSSocket>((resolve, reject) => {
     const socket = tls.connect(
       {
-        port: 8443,
+        port: PROXY_TLS_PORT,
         host: '127.0.0.1',
         servername: 'test.example.com',
         rejectUnauthorized: false,
@@ -164,7 +171,7 @@ tap.test('should handle SNI-based forwarding', async () => {
       {
         name: 'domain-a',
         match: {
-          ports: 8443,
+          ports: PROXY_TLS_PORT,
           domains: 'a.example.com',
         },
         action: {
@@ -174,14 +181,14 @@ tap.test('should handle SNI-based forwarding', async () => {
           },
           targets: [{
             host: '127.0.0.1',
-            port: 7002,
+            port: TLS_SERVER_PORT,
           }],
         },
       },
       {
         name: 'domain-b',
         match: {
-          ports: 8443,
+          ports: PROXY_TLS_PORT,
           domains: 'b.example.com',
         },
         action: {
@@ -191,7 +198,7 @@ tap.test('should handle SNI-based forwarding', async () => {
           },
           targets: [{
             host: '127.0.0.1',
-            port: 7002,
+            port: TLS_SERVER_PORT,
           }],
         },
       },
@@ -204,7 +211,7 @@ tap.test('should handle SNI-based forwarding', async () => {
   const clientA = await new Promise<tls.TLSSocket>((resolve, reject) => {
     const socket = tls.connect(
       {
-        port: 8443,
+        port: PROXY_TLS_PORT,
         host: '127.0.0.1',
         servername: 'a.example.com',
         rejectUnauthorized: false,
@@ -231,7 +238,7 @@ tap.test('should handle SNI-based forwarding', async () => {
   const clientB = await new Promise<tls.TLSSocket>((resolve, reject) => {
     const socket = tls.connect(
       {
-        port: 8443,
+        port: PROXY_TLS_PORT,
         host: '127.0.0.1',
         servername: 'b.example.com',
         rejectUnauthorized: false,
@@ -261,6 +268,7 @@ tap.test('should handle SNI-based forwarding', async () => {
 tap.test('cleanup', async () => {
   testServer.close();
   tlsTestServer.close();
+  await assertPortsFree([PROXY_TCP_PORT, PROXY_TLS_PORT, TCP_SERVER_PORT, TLS_SERVER_PORT]);
 });
 
 export default tap.start();

test/test.forwarding-regression.ts

@@ -1,9 +1,12 @@
 import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as net from 'net';
 import { SmartProxy } from '../ts/proxies/smart-proxy/smart-proxy.js';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
 // Test to verify port forwarding works correctly
 tap.test('forward connections should not be immediately closed', async (t) => {
+  const [PROXY_PORT, SERVER_PORT] = await findFreePorts(2);
+
   // Create a backend server that accepts connections
   const testServer = net.createServer((socket) => {
     console.log('Client connected to test server');
@@ -21,8 +24,8 @@ tap.test('forward connections should not be immediately closed', async (t) => {
 
   // Listen on a non-privileged port
   await new Promise<void>((resolve) => {
-    testServer.listen(9090, '127.0.0.1', () => {
+    testServer.listen(SERVER_PORT, '127.0.0.1', () => {
-      console.log('Test server listening on port 9090');
+      console.log(`Test server listening on port ${SERVER_PORT}`);
       resolve();
     });
   });
@@ -34,13 +37,13 @@ tap.test('forward connections should not be immediately closed', async (t) => {
       {
         name: 'forward-test',
         match: {
-          ports: 8080,
+          ports: PROXY_PORT,
         },
         action: {
           type: 'forward',
           targets: [{
             host: '127.0.0.1',
-            port: 9090,
+            port: SERVER_PORT,
           }],
         },
       },
@@ -51,7 +54,7 @@ tap.test('forward connections should not be immediately closed', async (t) => {
 
   // Create a client connection through the proxy
   const client = net.createConnection({
-    port: 8080,
+    port: PROXY_PORT,
     host: '127.0.0.1',
   });
 
@@ -105,6 +108,7 @@ tap.test('forward connections should not be immediately closed', async (t) => {
   client.end();
   await smartProxy.stop();
   testServer.close();
+  await assertPortsFree([PROXY_PORT, SERVER_PORT]);
 });
 
 export default tap.start();

test/test.http-port8080-forwarding.ts

@@ -1,10 +1,13 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartProxy } from '../ts/index.js';
 import * as http from 'http';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
 tap.test('should forward HTTP connections on port 8080', async (tapTest) => {
+  const [PROXY_PORT, TARGET_PORT] = await findFreePorts(2);
+
   // Create a mock HTTP server to act as our target
-  const targetPort = 8181;
+  const targetPort = TARGET_PORT;
   let receivedRequest = false;
   let receivedPath = '';
   
@@ -36,7 +39,7 @@ tap.test('should forward HTTP connections on port 8080', async (tapTest) => {
     routes: [{
       name: 'test-route',
       match: {
-        ports: 8080
+        ports: PROXY_PORT
         // Remove domain restriction for HTTP connections
         // Domain matching happens after HTTP headers are received
       },
@@ -46,16 +49,16 @@ tap.test('should forward HTTP connections on port 8080', async (tapTest) => {
       }
     }]
   });
-  
+
   await proxy.start();
-  
+
   // Give the proxy a moment to fully initialize
   await new Promise(resolve => setTimeout(resolve, 500));
-  
+
   // Make an HTTP request to port 8080
   const options = {
     hostname: 'localhost',
-    port: 8080,
+    port: PROXY_PORT,
     path: '/.well-known/acme-challenge/test-token',
     method: 'GET',
     headers: {
@@ -97,14 +100,17 @@ tap.test('should forward HTTP connections on port 8080', async (tapTest) => {
   await new Promise<void>((resolve) => {
     targetServer.close(() => resolve());
   });
-  
+
   // Wait a bit to ensure port is fully released
   await new Promise(resolve => setTimeout(resolve, 500));
+  await assertPortsFree([PROXY_PORT, TARGET_PORT]);
 });
 
 tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
+  const [PROXY_PORT, TARGET_PORT] = await findFreePorts(2);
+
   // Create a simple target server
-  const targetPort = 8182;
+  const targetPort = TARGET_PORT;
   let receivedRequest = false;
   
   const targetServer = http.createServer((req, res) => {
@@ -126,7 +132,7 @@ tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
     routes: [{
       name: 'simple-forward',
       match: {
-        ports: 8081
+        ports: PROXY_PORT
         // Remove domain restriction for HTTP connections
       },
       action: {
@@ -142,7 +148,7 @@ tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
   // Make request
   const options = {
     hostname: 'localhost',
-    port: 8081,
+    port: PROXY_PORT,
     path: '/test',
     method: 'GET',
     headers: {
@@ -184,9 +190,10 @@ tap.test('should handle basic HTTP request forwarding', async (tapTest) => {
   await new Promise<void>((resolve) => {
     targetServer.close(() => resolve());
   });
-  
+
   // Wait a bit to ensure port is fully released
   await new Promise(resolve => setTimeout(resolve, 500));
+  await assertPortsFree([PROXY_PORT, TARGET_PORT]);
 });
 
 export default tap.start();

test/test.long-lived-connections.ts

@@ -2,15 +2,17 @@ import { tap, expect } from '@git.zone/tstest/tapbundle';
 import * as net from 'net';
 import * as tls from 'tls';
 import { SmartProxy } from '../ts/index.js';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
 let testProxy: SmartProxy;
 let targetServer: net.Server;
 
-const ECHO_PORT = 47200;
+let ECHO_PORT: number;
-const PROXY_PORT = 47201;
+let PROXY_PORT: number;
 
 // Create a simple echo server as target
 tap.test('setup test environment', async () => {
+  [ECHO_PORT, PROXY_PORT] = await findFreePorts(2);
   // Create target server that echoes data back
   targetServer = net.createServer((socket) => {
     console.log('Target server: client connected');
@@ -148,6 +150,8 @@ tap.test('cleanup', async () => {
       resolve();
     });
   });
+
+  await assertPortsFree([ECHO_PORT, PROXY_PORT]);
 });
 
 export default tap.start();

test/test.metrics-new.ts

@@ -2,14 +2,16 @@ import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as plugins from '../ts/plugins.js';
 import { SmartProxy } from '../ts/index.js';
 import * as net from 'net';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
 let smartProxyInstance: SmartProxy;
 let echoServer: net.Server;
-const echoServerPort = 47300;
+let echoServerPort: number;
-const proxyPort = 47301;
+let proxyPort: number;
 
 // Create an echo server for testing
 tap.test('should create echo server for testing', async () => {
+  [echoServerPort, proxyPort] = await findFreePorts(2);
   echoServer = net.createServer((socket) => {
     socket.on('data', (data) => {
       socket.write(data); // Echo back the data
@@ -267,6 +269,8 @@ tap.test('should clean up resources', async () => {
       resolve();
     });
   });
+
+  await assertPortsFree([echoServerPort, proxyPort]);
 });
 
 export default tap.start();

test/test.perf-improvements.ts

@@ -0,0 +1,477 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartProxy } from '../ts/index.js';
+import * as http from 'http';
+import * as https from 'https';
+import * as http2 from 'http2';
+import * as net from 'net';
+import * as tls from 'tls';
+import * as fs from 'fs';
+import * as path from 'path';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
+
+// ---------------------------------------------------------------------------
+// Port assignments (dynamically allocated to avoid conflicts)
+// ---------------------------------------------------------------------------
+let HTTP_ECHO_PORT: number;
+let PROXY_HTTP_PORT: number;
+let PROXY_HTTPS_PORT: number;
+let TCP_ECHO_PORT: number;
+let PROXY_TCP_PORT: number;
+
+// ---------------------------------------------------------------------------
+// Shared state
+// ---------------------------------------------------------------------------
+let httpEchoServer: http.Server;
+let tcpEchoServer: net.Server;
+let proxy: SmartProxy;
+
+const certPem = fs.readFileSync(path.join(import.meta.dirname, '..', 'assets', 'certs', 'cert.pem'), 'utf8');
+const keyPem  = fs.readFileSync(path.join(import.meta.dirname, '..', 'assets', 'certs', 'key.pem'), 'utf8');
+
+// ---------------------------------------------------------------------------
+// Helper: make an HTTP request and return { status, body }
+// ---------------------------------------------------------------------------
+function httpRequest(
+  options: http.RequestOptions,
+  body?: string,
+): Promise<{ status: number; body: string }> {
+  return new Promise((resolve, reject) => {
+    const req = http.request(options, (res) => {
+      let data = '';
+      res.on('data', (chunk: string) => (data += chunk));
+      res.on('end', () => resolve({ status: res.statusCode!, body: data }));
+    });
+    req.on('error', reject);
+    req.setTimeout(5000, () => {
+      req.destroy(new Error('timeout'));
+    });
+    if (body) req.end(body);
+    else req.end();
+  });
+}
+
+// Same but for HTTPS
+function httpsRequest(
+  options: https.RequestOptions,
+  body?: string,
+): Promise<{ status: number; body: string }> {
+  return new Promise((resolve, reject) => {
+    const req = https.request(options, (res) => {
+      let data = '';
+      res.on('data', (chunk: string) => (data += chunk));
+      res.on('end', () => resolve({ status: res.statusCode!, body: data }));
+    });
+    req.on('error', reject);
+    req.setTimeout(5000, () => {
+      req.destroy(new Error('timeout'));
+    });
+    if (body) req.end(body);
+    else req.end();
+  });
+}
+
+// Helper: wait for metrics to settle on a condition
+async function waitForMetrics(
+  metrics: ReturnType<SmartProxy['getMetrics']>,
+  condition: () => boolean,
+  maxWaitMs = 3000,
+): Promise<void> {
+  const start = Date.now();
+  while (Date.now() - start < maxWaitMs) {
+    // Force a fresh poll
+    await (proxy as any).metricsAdapter.poll();
+    if (condition()) return;
+    await new Promise((r) => setTimeout(r, 100));
+  }
+}
+
+// ===========================================================================
+// 1. Setup backend servers
+// ===========================================================================
+tap.test('setup - backend servers', async () => {
+  [HTTP_ECHO_PORT, PROXY_HTTP_PORT, PROXY_HTTPS_PORT, TCP_ECHO_PORT, PROXY_TCP_PORT] = await findFreePorts(5);
+
+  // HTTP echo server: POST → echo:<body>, GET → ok
+  httpEchoServer = http.createServer((req, res) => {
+    if (req.method === 'POST') {
+      let body = '';
+      req.on('data', (chunk: string) => (body += chunk));
+      req.on('end', () => {
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end(`echo:${body}`);
+      });
+    } else {
+      res.writeHead(200, { 'Content-Type': 'text/plain' });
+      res.end('ok');
+    }
+  });
+
+  await new Promise<void>((resolve, reject) => {
+    httpEchoServer.on('error', reject);
+    httpEchoServer.listen(HTTP_ECHO_PORT, () => {
+      console.log(`HTTP echo server on port ${HTTP_ECHO_PORT}`);
+      resolve();
+    });
+  });
+
+  // TCP echo server
+  tcpEchoServer = net.createServer((socket) => {
+    socket.on('data', (data) => socket.write(data));
+  });
+
+  await new Promise<void>((resolve, reject) => {
+    tcpEchoServer.on('error', reject);
+    tcpEchoServer.listen(TCP_ECHO_PORT, () => {
+      console.log(`TCP echo server on port ${TCP_ECHO_PORT}`);
+      resolve();
+    });
+  });
+});
+
+// ===========================================================================
+// 2. Setup SmartProxy
+// ===========================================================================
+tap.test('setup - SmartProxy with 3 routes', async () => {
+  proxy = new SmartProxy({
+    routes: [
+      // Plain HTTP forward: 47601 → 47600
+      {
+        name: 'http-forward',
+        match: { ports: PROXY_HTTP_PORT },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: HTTP_ECHO_PORT }],
+        },
+      },
+      // TLS-terminate HTTPS: 47602 → 47600
+      {
+        name: 'https-terminate',
+        match: { ports: PROXY_HTTPS_PORT, domains: 'localhost' },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: HTTP_ECHO_PORT }],
+          tls: {
+            mode: 'terminate',
+            certificate: {
+              key: keyPem,
+              cert: certPem,
+            },
+          },
+        },
+      },
+      // Plain TCP forward: 47604 → 47603
+      {
+        name: 'tcp-forward',
+        match: { ports: PROXY_TCP_PORT },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: TCP_ECHO_PORT }],
+        },
+      },
+    ],
+    metrics: {
+      enabled: true,
+      sampleIntervalMs: 100,
+    },
+    enableDetailedLogging: false,
+  });
+
+  await proxy.start();
+  // Give the proxy a moment to fully bind
+  await new Promise((r) => setTimeout(r, 500));
+});
+
+// ===========================================================================
+// 3. HTTP/1.1 connection pooling: sequential requests reuse connections
+// ===========================================================================
+tap.test('HTTP/1.1 connection pooling: sequential requests reuse connections', async (tools) => {
+  tools.timeout(30000);
+  const metrics = proxy.getMetrics();
+  const REQUEST_COUNT = 20;
+
+  // Use a non-keepalive agent so each request closes the client→proxy socket
+  // (Rust's backend connection pool still reuses proxy→backend connections)
+  const agent = new http.Agent({ keepAlive: false });
+
+  for (let i = 0; i < REQUEST_COUNT; i++) {
+    const result = await httpRequest(
+      {
+        hostname: 'localhost',
+        port: PROXY_HTTP_PORT,
+        path: '/echo',
+        method: 'POST',
+        headers: { 'Content-Type': 'text/plain' },
+        agent,
+      },
+      `msg-${i}`,
+    );
+    expect(result.status).toEqual(200);
+    expect(result.body).toEqual(`echo:msg-${i}`);
+  }
+
+  agent.destroy();
+
+  // Wait for all connections to settle and metrics to update
+  await waitForMetrics(metrics, () => metrics.connections.active() === 0, 5000);
+  expect(metrics.connections.active()).toEqual(0);
+
+  // Bytes should have been transferred
+  await waitForMetrics(metrics, () => metrics.totals.bytesIn() > 0);
+  expect(metrics.totals.bytesIn()).toBeGreaterThan(0);
+  expect(metrics.totals.bytesOut()).toBeGreaterThan(0);
+
+  console.log(`HTTP pooling test: ${REQUEST_COUNT} requests completed. bytesIn=${metrics.totals.bytesIn()}, bytesOut=${metrics.totals.bytesOut()}`);
+});
+
+// ===========================================================================
+// 4. HTTPS with TLS termination: multiple requests through TLS
+// ===========================================================================
+tap.test('HTTPS with TLS termination: multiple requests through TLS', async (tools) => {
+  tools.timeout(30000);
+  const REQUEST_COUNT = 10;
+
+  const agent = new https.Agent({ keepAlive: false, rejectUnauthorized: false });
+
+  for (let i = 0; i < REQUEST_COUNT; i++) {
+    const result = await httpsRequest(
+      {
+        hostname: 'localhost',
+        port: PROXY_HTTPS_PORT,
+        path: '/echo',
+        method: 'POST',
+        headers: { 'Content-Type': 'text/plain' },
+        rejectUnauthorized: false,
+        servername: 'localhost',
+        agent,
+      },
+      `tls-${i}`,
+    );
+    expect(result.status).toEqual(200);
+    expect(result.body).toEqual(`echo:tls-${i}`);
+  }
+
+  agent.destroy();
+
+  console.log(`HTTPS termination test: ${REQUEST_COUNT} requests completed successfully`);
+});
+
+// ===========================================================================
+// 5. TLS ALPN negotiation verification
+// ===========================================================================
+tap.test('HTTP/2 end-to-end: ALPN h2 with multiplexed requests', async (tools) => {
+  tools.timeout(15000);
+
+  // Connect an HTTP/2 session over TLS
+  const session = http2.connect(`https://localhost:${PROXY_HTTPS_PORT}`, {
+    rejectUnauthorized: false,
+  });
+
+  await new Promise<void>((resolve, reject) => {
+    session.on('connect', () => resolve());
+    session.on('error', reject);
+    setTimeout(() => reject(new Error('h2 connect timeout')), 5000);
+  });
+
+  // Verify ALPN negotiated h2
+  const alpnProtocol = (session.socket as tls.TLSSocket).alpnProtocol;
+  console.log(`TLS ALPN negotiated protocol: ${alpnProtocol}`);
+  expect(alpnProtocol).toEqual('h2');
+
+  // Send 5 multiplexed POST requests on the same h2 session
+  const REQUEST_COUNT = 5;
+  const promises: Promise<{ status: number; body: string }>[] = [];
+
+  for (let i = 0; i < REQUEST_COUNT; i++) {
+    promises.push(
+      new Promise<{ status: number; body: string }>((resolve, reject) => {
+        const reqStream = session.request({
+          ':method': 'POST',
+          ':path': '/echo',
+          'content-type': 'text/plain',
+        });
+
+        let data = '';
+        let status = 0;
+
+        reqStream.on('response', (headers) => {
+          status = headers[':status'] as number;
+        });
+        reqStream.on('data', (chunk: Buffer) => {
+          data += chunk.toString();
+        });
+        reqStream.on('end', () => resolve({ status, body: data }));
+        reqStream.on('error', reject);
+        reqStream.end(`h2-msg-${i}`);
+      }),
+    );
+  }
+
+  const results = await Promise.all(promises);
+  for (let i = 0; i < REQUEST_COUNT; i++) {
+    expect(results[i].status).toEqual(200);
+    expect(results[i].body).toEqual(`echo:h2-msg-${i}`);
+  }
+
+  await new Promise<void>((resolve) => session.close(() => resolve()));
+  console.log(`HTTP/2 end-to-end: ${REQUEST_COUNT} multiplexed requests completed successfully`);
+});
+
+// ===========================================================================
+// 6. Connection stability: no leaked connections after repeated open/close
+// ===========================================================================
+tap.test('connection stability: no leaked connections after repeated open/close', async (tools) => {
+  tools.timeout(60000);
+  const metrics = proxy.getMetrics();
+  const BATCH_SIZE = 50;
+
+  // Ensure we start clean
+  await waitForMetrics(metrics, () => metrics.connections.active() === 0);
+
+  // Record total connections before
+  await (proxy as any).metricsAdapter.poll();
+  const totalBefore = metrics.connections.total();
+
+  // --- Batch 1: 50 sequential TCP connections ---
+  for (let i = 0; i < BATCH_SIZE; i++) {
+    await new Promise<void>((resolve, reject) => {
+      const client = new net.Socket();
+      client.connect(PROXY_TCP_PORT, 'localhost', () => {
+        const msg = `batch1-${i}`;
+        client.write(msg);
+        client.once('data', (data) => {
+          expect(data.toString()).toEqual(msg);
+          client.end();
+        });
+      });
+      client.on('close', () => resolve());
+      client.on('error', reject);
+      client.setTimeout(5000, () => {
+        client.destroy(new Error('timeout'));
+      });
+    });
+  }
+
+  // Wait for all connections to drain
+  await waitForMetrics(metrics, () => metrics.connections.active() === 0, 5000);
+  expect(metrics.connections.active()).toEqual(0);
+  console.log(`Batch 1 done: active=${metrics.connections.active()}, total=${metrics.connections.total()}`);
+
+  // --- Batch 2: another 50 ---
+  for (let i = 0; i < BATCH_SIZE; i++) {
+    await new Promise<void>((resolve, reject) => {
+      const client = new net.Socket();
+      client.connect(PROXY_TCP_PORT, 'localhost', () => {
+        const msg = `batch2-${i}`;
+        client.write(msg);
+        client.once('data', (data) => {
+          expect(data.toString()).toEqual(msg);
+          client.end();
+        });
+      });
+      client.on('close', () => resolve());
+      client.on('error', reject);
+      client.setTimeout(5000, () => {
+        client.destroy(new Error('timeout'));
+      });
+    });
+  }
+
+  // Wait for all connections to drain again
+  await waitForMetrics(metrics, () => metrics.connections.active() === 0, 5000);
+  expect(metrics.connections.active()).toEqual(0);
+
+  // Total should reflect ~100 new connections
+  await (proxy as any).metricsAdapter.poll();
+  const totalAfter = metrics.connections.total();
+  const newConnections = totalAfter - totalBefore;
+  console.log(`Batch 2 done: active=${metrics.connections.active()}, total=${totalAfter}, new=${newConnections}`);
+  expect(newConnections).toBeGreaterThanOrEqual(BATCH_SIZE * 2);
+});
+
+// ===========================================================================
+// 7. Concurrent connections: burst and drain
+// ===========================================================================
+tap.test('concurrent connections: burst and drain', async (tools) => {
+  tools.timeout(30000);
+  const metrics = proxy.getMetrics();
+  const CONCURRENT = 20;
+
+  // Ensure we start clean
+  await waitForMetrics(metrics, () => metrics.connections.active() === 0, 5000);
+
+  // Open 20 TCP connections simultaneously
+  const clients: net.Socket[] = [];
+  const connectPromises: Promise<void>[] = [];
+
+  for (let i = 0; i < CONCURRENT; i++) {
+    const client = new net.Socket();
+    clients.push(client);
+    connectPromises.push(
+      new Promise<void>((resolve, reject) => {
+        client.connect(PROXY_TCP_PORT, 'localhost', () => resolve());
+        client.on('error', reject);
+        client.setTimeout(5000, () => {
+          client.destroy(new Error('timeout'));
+        });
+      }),
+    );
+  }
+
+  await Promise.all(connectPromises);
+
+  // Send data on all connections and wait for echo
+  const echoPromises = clients.map((client, i) => {
+    return new Promise<void>((resolve, reject) => {
+      const msg = `concurrent-${i}`;
+      client.once('data', (data) => {
+        expect(data.toString()).toEqual(msg);
+        resolve();
+      });
+      client.write(msg);
+      client.on('error', reject);
+    });
+  });
+
+  await Promise.all(echoPromises);
+
+  // Poll metrics — active connections should be CONCURRENT
+  await waitForMetrics(metrics, () => metrics.connections.active() >= CONCURRENT, 3000);
+  const activeWhileOpen = metrics.connections.active();
+  console.log(`Burst: active connections while open = ${activeWhileOpen}`);
+  expect(activeWhileOpen).toBeGreaterThanOrEqual(CONCURRENT);
+
+  // Close all connections
+  for (const client of clients) {
+    client.end();
+  }
+
+  // Wait for drain
+  await waitForMetrics(metrics, () => metrics.connections.active() === 0, 5000);
+  expect(metrics.connections.active()).toEqual(0);
+  console.log('Drain: all connections closed, active=0');
+});
+
+// ===========================================================================
+// 8. Cleanup
+// ===========================================================================
+tap.test('cleanup', async () => {
+  await proxy.stop();
+
+  await new Promise<void>((resolve) => {
+    httpEchoServer.close(() => {
+      console.log('HTTP echo server closed');
+      resolve();
+    });
+  });
+
+  await new Promise<void>((resolve) => {
+    tcpEchoServer.close(() => {
+      console.log('TCP echo server closed');
+      resolve();
+    });
+  });
+
+  await assertPortsFree([HTTP_ECHO_PORT, PROXY_HTTP_PORT, PROXY_HTTPS_PORT, TCP_ECHO_PORT, PROXY_TCP_PORT]);
+});
+
+export default tap.start();

test/test.port-forwarding-fix.ts

@@ -1,17 +1,19 @@
 import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as net from 'net';
 import { SmartProxy } from '../ts/proxies/smart-proxy/smart-proxy.js';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
 let echoServer: net.Server;
 let proxy: SmartProxy;
 
-const ECHO_PORT = 47400;
+let ECHO_PORT: number;
-const PROXY_PORT_1 = 47401;
+let PROXY_PORT_1: number;
-const PROXY_PORT_2 = 47402;
+let PROXY_PORT_2: number;
 
 tap.test('port forwarding should not immediately close connections', async (tools) => {
   // Set a timeout for this test
   tools.timeout(10000); // 10 seconds
+  [ECHO_PORT, PROXY_PORT_1, PROXY_PORT_2] = await findFreePorts(3);
   // Create an echo server
   echoServer = await new Promise<net.Server>((resolve, reject) => {
     const server = net.createServer((socket) => {
@@ -96,6 +98,7 @@ tap.test('cleanup', async () => {
       });
     });
   }
+  await assertPortsFree([ECHO_PORT, PROXY_PORT_1, PROXY_PORT_2]);
 });
 
 export default tap.start();

test/test.port-mapping.ts

@@ -9,13 +9,14 @@ import {
   createPortOffset
 } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
 import type { IRouteConfig, IRouteContext } from '../ts/proxies/smart-proxy/models/route-types.js';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
 // Test server and client utilities
 let testServers: Array<{ server: net.Server; port: number }> = [];
 let smartProxy: SmartProxy;
 
-const TEST_PORT_START = 4000;
+let TEST_PORTS: number[];    // 3 test server ports
-const PROXY_PORT_START = 5000;
+let PROXY_PORTS: number[];   // 6 proxy ports
 const TEST_DATA = 'Hello through dynamic port mapper!';
 
 // Cleanup function to close all servers and proxies
@@ -101,53 +102,60 @@ function createTestClient(port: number, data: string): Promise<string> {
 
 // Set up test environment
 tap.test('setup port mapping test environment', async () => {
+  const allPorts = await findFreePorts(9);
+  TEST_PORTS = allPorts.slice(0, 3);
+  PROXY_PORTS = allPorts.slice(3, 9);
+
   // Create multiple test servers on different ports
   await Promise.all([
-    createTestServer(TEST_PORT_START),     // Server on port 4000
+    createTestServer(TEST_PORTS[0]),
-    createTestServer(TEST_PORT_START + 1), // Server on port 4001
+    createTestServer(TEST_PORTS[1]),
-    createTestServer(TEST_PORT_START + 2), // Server on port 4002
+    createTestServer(TEST_PORTS[2]),
   ]);
-  
+
+  // Compute dynamic offset between proxy and test ports
+  const portOffset = TEST_PORTS[1] - PROXY_PORTS[1];
+
   // Create a SmartProxy with dynamic port mapping routes
   smartProxy = new SmartProxy({
     routes: [
       // Simple function that returns the same port (identity mapping)
       createPortMappingRoute({
-        sourcePortRange: PROXY_PORT_START,
+        sourcePortRange: PROXY_PORTS[0],
         targetHost: 'localhost',
-        portMapper: (context) => TEST_PORT_START,
+        portMapper: (context) => TEST_PORTS[0],
         name: 'Identity Port Mapping'
       }),
-      
+
-      // Offset port mapping from 5001 to 4001 (offset -1000)
+      // Offset port mapping using dynamic offset
       createOffsetPortMappingRoute({
-        ports: PROXY_PORT_START + 1,
+        ports: PROXY_PORTS[1],
         targetHost: 'localhost',
-        offset: -1000,
+        offset: portOffset,
-        name: 'Offset Port Mapping (-1000)'
+        name: `Offset Port Mapping (${portOffset})`
       }),
-      
+
       // Dynamic route with conditional port mapping
       createDynamicRoute({
-        ports: [PROXY_PORT_START + 2, PROXY_PORT_START + 3],
+        ports: [PROXY_PORTS[2], PROXY_PORTS[3]],
         targetHost: (context) => {
           // Dynamic host selection based on port
-          return context.port === PROXY_PORT_START + 2 ? 'localhost' : '127.0.0.1';
+          return context.port === PROXY_PORTS[2] ? 'localhost' : '127.0.0.1';
         },
         portMapper: (context) => {
           // Port mapping logic based on incoming port
-          if (context.port === PROXY_PORT_START + 2) {
+          if (context.port === PROXY_PORTS[2]) {
-            return TEST_PORT_START;
+            return TEST_PORTS[0];
           } else {
-            return TEST_PORT_START + 2;
+            return TEST_PORTS[2];
           }
         },
         name: 'Dynamic Host and Port Mapping'
       }),
-      
+
       // Smart load balancer for domain-based routing
       createSmartLoadBalancer({
-        ports: PROXY_PORT_START + 4,
+        ports: PROXY_PORTS[4],
         domainTargets: {
           'test1.example.com': 'localhost',
           'test2.example.com': '127.0.0.1'
@@ -155,9 +163,9 @@ tap.test('setup port mapping test environment', async () => {
         portMapper: (context) => {
           // Use different backend ports based on domain
           if (context.domain === 'test1.example.com') {
-            return TEST_PORT_START;
+            return TEST_PORTS[0];
           } else {
-            return TEST_PORT_START + 1;
+            return TEST_PORTS[1];
           }
         },
         defaultTarget: 'localhost',
@@ -165,44 +173,45 @@ tap.test('setup port mapping test environment', async () => {
       })
     ]
   });
-  
+
   // Start the SmartProxy
   await smartProxy.start();
 });
 
-// Test 1: Simple identity port mapping (5000 -> 4000)
+// Test 1: Simple identity port mapping
 tap.test('should map port using identity function', async () => {
-  const response = await createTestClient(PROXY_PORT_START, TEST_DATA);
+  const response = await createTestClient(PROXY_PORTS[0], TEST_DATA);
-  expect(response).toEqual(`Server ${TEST_PORT_START} says: ${TEST_DATA}`);
+  expect(response).toEqual(`Server ${TEST_PORTS[0]} says: ${TEST_DATA}`);
 });
 
-// Test 2: Offset port mapping (5001 -> 4001)
+// Test 2: Offset port mapping
 tap.test('should map port using offset function', async () => {
-  const response = await createTestClient(PROXY_PORT_START + 1, TEST_DATA);
+  const response = await createTestClient(PROXY_PORTS[1], TEST_DATA);
-  expect(response).toEqual(`Server ${TEST_PORT_START + 1} says: ${TEST_DATA}`);
+  expect(response).toEqual(`Server ${TEST_PORTS[1]} says: ${TEST_DATA}`);
 });
 
 // Test 3: Dynamic port and host mapping (conditional logic)
 tap.test('should map port using dynamic logic', async () => {
-  const response = await createTestClient(PROXY_PORT_START + 2, TEST_DATA);
+  const response = await createTestClient(PROXY_PORTS[2], TEST_DATA);
-  expect(response).toEqual(`Server ${TEST_PORT_START} says: ${TEST_DATA}`);
+  expect(response).toEqual(`Server ${TEST_PORTS[0]} says: ${TEST_DATA}`);
 });
 
 // Test 4: Test reuse of createPortOffset helper
 tap.test('should use createPortOffset helper for port mapping', async () => {
-  // Test the createPortOffset helper
+  // Test the createPortOffset helper with dynamic offset
-  const offsetFn = createPortOffset(-1000);
+  const portOffset = TEST_PORTS[1] - PROXY_PORTS[1];
+  const offsetFn = createPortOffset(portOffset);
   const context = {
-    port: PROXY_PORT_START + 1,
+    port: PROXY_PORTS[1],
     clientIp: '127.0.0.1',
     serverIp: '127.0.0.1',
     isTls: false,
     timestamp: Date.now(),
     connectionId: 'test-connection'
   } as IRouteContext;
-  
+
   const mappedPort = offsetFn(context);
-  expect(mappedPort).toEqual(TEST_PORT_START + 1);
+  expect(mappedPort).toEqual(TEST_PORTS[1]);
 });
 
 // Test 5: Test error handling for invalid port mapping functions
@@ -210,7 +219,7 @@ tap.test('should handle errors in port mapping functions', async () => {
   // Create a route with a function that throws an error
   const errorRoute: IRouteConfig = {
     match: {
-      ports: PROXY_PORT_START + 5
+      ports: PROXY_PORTS[5]
     },
     action: {
       type: 'forward',
@@ -229,7 +238,7 @@ tap.test('should handle errors in port mapping functions', async () => {
   
   // The connection should fail or timeout
   try {
-    await createTestClient(PROXY_PORT_START + 5, TEST_DATA);
+    await createTestClient(PROXY_PORTS[5], TEST_DATA);
     // Connection should not succeed
     expect(false).toBeTrue();
   } catch (error) {
@@ -254,6 +263,8 @@ tap.test('cleanup port mapping test environment', async () => {
     testServers = [];
     smartProxy = null as any;
   }
+
+  await assertPortsFree([...TEST_PORTS, ...PROXY_PORTS]);
 });
 
 export default tap.start();

test/test.route-config.ts

@@ -562,4 +562,168 @@ tap.test('Route Integration - Combining Multiple Route Types', async () => {
   }
 });
 
+// --------------------------------- Protocol Match Field Tests ---------------------------------
+
+tap.test('Routes: Should accept protocol field on route match', async () => {
+  // Create a route with protocol: 'http'
+  const httpOnlyRoute: IRouteConfig = {
+    match: {
+      ports: 443,
+      domains: 'api.example.com',
+      protocol: 'http',
+    },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'backend', port: 8080 }],
+      tls: {
+        mode: 'terminate',
+        certificate: 'auto',
+      },
+    },
+    name: 'HTTP-only Route',
+  };
+
+  // Validate the route - protocol field should not cause errors
+  const validation = validateRouteConfig(httpOnlyRoute);
+  expect(validation.valid).toBeTrue();
+
+  // Verify the protocol field is preserved
+  expect(httpOnlyRoute.match.protocol).toEqual('http');
+});
+
+tap.test('Routes: Should accept protocol tcp on route match', async () => {
+  // Create a route with protocol: 'tcp'
+  const tcpOnlyRoute: IRouteConfig = {
+    match: {
+      ports: 443,
+      domains: 'db.example.com',
+      protocol: 'tcp',
+    },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'db-server', port: 5432 }],
+      tls: {
+        mode: 'passthrough',
+      },
+    },
+    name: 'TCP-only Route',
+  };
+
+  const validation = validateRouteConfig(tcpOnlyRoute);
+  expect(validation.valid).toBeTrue();
+
+  expect(tcpOnlyRoute.match.protocol).toEqual('tcp');
+});
+
+tap.test('Routes: Protocol field should work with terminate-and-reencrypt', async () => {
+  // Create a terminate-and-reencrypt route that only accepts HTTP
+  const reencryptRoute = createHttpsTerminateRoute(
+    'secure.example.com',
+    { host: 'backend', port: 443 },
+    { reencrypt: true, certificate: 'auto', name: 'Reencrypt HTTP Route' }
+  );
+
+  // Set protocol restriction to http
+  reencryptRoute.match.protocol = 'http';
+
+  // Validate the route
+  const validation = validateRouteConfig(reencryptRoute);
+  expect(validation.valid).toBeTrue();
+
+  // Verify TLS mode
+  expect(reencryptRoute.action.tls?.mode).toEqual('terminate-and-reencrypt');
+  // Verify protocol field is preserved
+  expect(reencryptRoute.match.protocol).toEqual('http');
+});
+
+tap.test('Routes: Protocol field should not affect domain/port matching', async () => {
+  // Routes with and without protocol field should both match the same domain/port
+  const routeWithProtocol: IRouteConfig = {
+    match: {
+      ports: 443,
+      domains: 'example.com',
+      protocol: 'http',
+    },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'backend', port: 8080 }],
+      tls: { mode: 'terminate', certificate: 'auto' },
+    },
+    name: 'With Protocol',
+    priority: 10,
+  };
+
+  const routeWithoutProtocol: IRouteConfig = {
+    match: {
+      ports: 443,
+      domains: 'example.com',
+    },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'fallback', port: 8081 }],
+      tls: { mode: 'terminate', certificate: 'auto' },
+    },
+    name: 'Without Protocol',
+    priority: 5,
+  };
+
+  const routes = [routeWithProtocol, routeWithoutProtocol];
+
+  // Both routes should match the domain/port (protocol is a hint for Rust-side matching)
+  const matches = findMatchingRoutes(routes, { domain: 'example.com', port: 443 });
+  expect(matches.length).toEqual(2);
+
+  // The one with higher priority should be first
+  const best = findBestMatchingRoute(routes, { domain: 'example.com', port: 443 });
+  expect(best).not.toBeUndefined();
+  expect(best!.name).toEqual('With Protocol');
+});
+
+tap.test('Routes: Protocol field preserved through route cloning', async () => {
+  const original: IRouteConfig = {
+    match: {
+      ports: 8443,
+      domains: 'clone-test.example.com',
+      protocol: 'http',
+    },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'backend', port: 3000 }],
+      tls: { mode: 'terminate-and-reencrypt', certificate: 'auto' },
+    },
+    name: 'Clone Test',
+  };
+
+  const cloned = cloneRoute(original);
+
+  // Verify protocol is preserved in clone
+  expect(cloned.match.protocol).toEqual('http');
+  expect(cloned.action.tls?.mode).toEqual('terminate-and-reencrypt');
+
+  // Modify clone should not affect original
+  cloned.match.protocol = 'tcp';
+  expect(original.match.protocol).toEqual('http');
+});
+
+tap.test('Routes: Protocol field preserved through route merging', async () => {
+  const base: IRouteConfig = {
+    match: {
+      ports: 443,
+      domains: 'merge-test.example.com',
+      protocol: 'http',
+    },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'backend', port: 3000 }],
+      tls: { mode: 'terminate-and-reencrypt', certificate: 'auto' },
+    },
+    name: 'Merge Base',
+  };
+
+  // Merge with override that changes name but not protocol
+  const merged = mergeRouteConfigs(base, { name: 'Merged Route' });
+  expect(merged.match.protocol).toEqual('http');
+  expect(merged.name).toEqual('Merged Route');
+});
+
 export default tap.start();

test/test.smartproxy.ts

@@ -1,11 +1,19 @@
 import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as net from 'net';
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
 let testServer: net.Server;
 let smartProxy: SmartProxy;
-const TEST_SERVER_PORT = 4000;
+let TEST_SERVER_PORT: number;
-const PROXY_PORT = 4001;
+let PROXY_PORT: number;
+let CUSTOM_HOST_PORT: number;
+let CUSTOM_IP_PROXY_PORT: number;
+let CUSTOM_IP_TARGET_PORT: number;
+let CHAIN_DEFAULT_1_PORT: number;
+let CHAIN_DEFAULT_2_PORT: number;
+let CHAIN_PRESERVED_1_PORT: number;
+let CHAIN_PRESERVED_2_PORT: number;
 const TEST_DATA = 'Hello through port proxy!';
 
 // Track all created servers and proxies for proper cleanup
@@ -64,6 +72,7 @@ function createTestClient(port: number, data: string): Promise<string> {
 
 // SETUP: Create a test server and a PortProxy instance.
 tap.test('setup port proxy test environment', async () => {
+  [TEST_SERVER_PORT, PROXY_PORT, CUSTOM_HOST_PORT, CUSTOM_IP_PROXY_PORT, CUSTOM_IP_TARGET_PORT, CHAIN_DEFAULT_1_PORT, CHAIN_DEFAULT_2_PORT, CHAIN_PRESERVED_1_PORT, CHAIN_PRESERVED_2_PORT] = await findFreePorts(9);
   testServer = await createTestServer(TEST_SERVER_PORT);
   smartProxy = new SmartProxy({
     routes: [
@@ -110,7 +119,7 @@ tap.test('should forward TCP connections to custom host', async () => {
       {
         name: 'custom-host-route',
         match: {
-          ports: PROXY_PORT + 1
+          ports: CUSTOM_HOST_PORT
         },
         action: {
           type: 'forward',
@@ -128,9 +137,9 @@ tap.test('should forward TCP connections to custom host', async () => {
     }
   });
   allProxies.push(customHostProxy); // Track this proxy
-  
+
   await customHostProxy.start();
-  const response = await createTestClient(PROXY_PORT + 1, TEST_DATA);
+  const response = await createTestClient(CUSTOM_HOST_PORT, TEST_DATA);
   expect(response).toEqual(`Echo: ${TEST_DATA}`);
   await customHostProxy.stop();
   
@@ -143,8 +152,8 @@ tap.test('should forward TCP connections to custom host', async () => {
 // Modified to work in Docker/CI environments without needing 127.0.0.2
 tap.test('should forward connections to custom IP', async () => {
   // Set up ports that are FAR apart to avoid any possible confusion
-  const forcedProxyPort = PROXY_PORT + 2;      // 4003 - The port that our proxy listens on
+  const forcedProxyPort = CUSTOM_IP_PROXY_PORT;
-  const targetServerPort = TEST_SERVER_PORT + 200;  // 4200 - Target test server on different port
+  const targetServerPort = CUSTOM_IP_TARGET_PORT;
   
   // Create a test server listening on a unique port on 127.0.0.1 (works in all environments)
   const testServer2 = await createTestServer(targetServerPort, '127.0.0.1');
@@ -252,13 +261,13 @@ tap.test('should support optional source IP preservation in chained proxies', as
       {
         name: 'first-proxy-default-route',
         match: {
-          ports: PROXY_PORT + 4
+          ports: CHAIN_DEFAULT_1_PORT
         },
         action: {
           type: 'forward',
           targets: [{
             host: 'localhost',
-            port: PROXY_PORT + 5
+            port: CHAIN_DEFAULT_2_PORT
           }]
         }
       }
@@ -274,7 +283,7 @@ tap.test('should support optional source IP preservation in chained proxies', as
       {
         name: 'second-proxy-default-route',
         match: {
-          ports: PROXY_PORT + 5
+          ports: CHAIN_DEFAULT_2_PORT
         },
         action: {
           type: 'forward',
@@ -296,7 +305,7 @@ tap.test('should support optional source IP preservation in chained proxies', as
   
   await secondProxyDefault.start();
   await firstProxyDefault.start();
-  const response1 = await createTestClient(PROXY_PORT + 4, TEST_DATA);
+  const response1 = await createTestClient(CHAIN_DEFAULT_1_PORT, TEST_DATA);
   expect(response1).toEqual(`Echo: ${TEST_DATA}`);
   await firstProxyDefault.stop();
   await secondProxyDefault.stop();
@@ -313,13 +322,13 @@ tap.test('should support optional source IP preservation in chained proxies', as
       {
         name: 'first-proxy-preserved-route',
         match: {
-          ports: PROXY_PORT + 6
+          ports: CHAIN_PRESERVED_1_PORT
         },
         action: {
           type: 'forward',
           targets: [{
             host: 'localhost',
-            port: PROXY_PORT + 7
+            port: CHAIN_PRESERVED_2_PORT
           }]
         }
       }
@@ -337,7 +346,7 @@ tap.test('should support optional source IP preservation in chained proxies', as
       {
         name: 'second-proxy-preserved-route',
         match: {
-          ports: PROXY_PORT + 7
+          ports: CHAIN_PRESERVED_2_PORT
         },
         action: {
           type: 'forward',
@@ -361,7 +370,7 @@ tap.test('should support optional source IP preservation in chained proxies', as
   
   await secondProxyPreserved.start();
   await firstProxyPreserved.start();
-  const response2 = await createTestClient(PROXY_PORT + 6, TEST_DATA);
+  const response2 = await createTestClient(CHAIN_PRESERVED_1_PORT, TEST_DATA);
   expect(response2).toEqual(`Echo: ${TEST_DATA}`);
   await firstProxyPreserved.stop();
   await secondProxyPreserved.stop();
@@ -446,6 +455,8 @@ tap.test('cleanup port proxy test environment', async () => {
   // Verify all resources are cleaned up
   expect(allProxies.length).toEqual(0);
   expect(allServers.length).toEqual(0);
+
+  await assertPortsFree([TEST_SERVER_PORT, PROXY_PORT, CUSTOM_HOST_PORT, CUSTOM_IP_PROXY_PORT, CUSTOM_IP_TARGET_PORT, CHAIN_DEFAULT_1_PORT, CHAIN_DEFAULT_2_PORT, CHAIN_PRESERVED_1_PORT, CHAIN_PRESERVED_2_PORT]);
 });
 
 export default tap.start();

test/test.socket-handler-race.ts

@@ -1,12 +1,15 @@
 import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as net from 'net';
 import { SmartProxy } from '../ts/index.js';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
 tap.test('should handle async handler that sets up listeners after delay', async () => {
+  const [PORT] = await findFreePorts(1);
+
   const proxy = new SmartProxy({
     routes: [{
       name: 'delayed-setup-handler',
-      match: { ports: 7777 },
+      match: { ports: PORT },
       action: {
         type: 'socket-handler',
         socketHandler: async (socket, context) => {
@@ -41,7 +44,7 @@ tap.test('should handle async handler that sets up listeners after delay', async
   });
   
   await new Promise<void>((resolve, reject) => {
-    client.connect(7777, 'localhost', () => {
+    client.connect(PORT, 'localhost', () => {
       // Send initial data immediately - this tests the race condition
       client.write('initial-message\n');
       resolve();
@@ -78,6 +81,7 @@ tap.test('should handle async handler that sets up listeners after delay', async
   expect(response).toContain('RECEIVED: test-message');
   
   await proxy.stop();
+  await assertPortsFree([PORT]);
 });
 
 export default tap.start();

test/test.socket-handler.ts

@@ -2,15 +2,19 @@ import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as net from 'net';
 import { SmartProxy } from '../ts/index.js';
 import type { IRouteConfig } from '../ts/index.js';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
 let proxy: SmartProxy;
+let PORT: number;
 
 tap.test('setup socket handler test', async () => {
+  [PORT] = await findFreePorts(1);
+
   // Create a simple socket handler route
   const routes: IRouteConfig[] = [{
     name: 'echo-handler',
-    match: { 
+    match: {
-      ports: 9999
+      ports: PORT
       // No domains restriction - matches all connections
     },
     action: {
@@ -43,11 +47,11 @@ tap.test('should handle socket with custom function', async () => {
   let response = '';
   
   await new Promise<void>((resolve, reject) => {
-    client.connect(9999, 'localhost', () => {
+    client.connect(PORT, 'localhost', () => {
       console.log('Client connected to proxy');
       resolve();
     });
-    
+
     client.on('error', reject);
   });
   
@@ -78,7 +82,7 @@ tap.test('should handle async socket handler', async () => {
   // Update route with async handler
   await proxy.updateRoutes([{
     name: 'async-handler',
-    match: { ports: 9999 },
+    match: { ports: PORT },
     action: {
       type: 'socket-handler',
       socketHandler: async (socket, context) => {
@@ -108,12 +112,12 @@ tap.test('should handle async socket handler', async () => {
   });
   
   await new Promise<void>((resolve, reject) => {
-    client.connect(9999, 'localhost', () => {
+    client.connect(PORT, 'localhost', () => {
       // Send initial data to trigger the handler
       client.write('test data\n');
       resolve();
     });
-    
+
     client.on('error', reject);
   });
   
@@ -131,7 +135,7 @@ tap.test('should handle errors in socket handler', async () => {
   // Update route with error-throwing handler
   await proxy.updateRoutes([{
     name: 'error-handler',
-    match: { ports: 9999 },
+    match: { ports: PORT },
     action: {
       type: 'socket-handler',
       socketHandler: (socket, context) => {
@@ -148,12 +152,12 @@ tap.test('should handle errors in socket handler', async () => {
   });
   
   await new Promise<void>((resolve, reject) => {
-    client.connect(9999, 'localhost', () => {
+    client.connect(PORT, 'localhost', () => {
       // Connection established - send data to trigger handler
       client.write('trigger\n');
       resolve();
     });
-    
+
     client.on('error', () => {
       // Ignore client errors - we expect the connection to be closed
     });
@@ -168,6 +172,7 @@ tap.test('should handle errors in socket handler', async () => {
 
 tap.test('cleanup', async () => {
   await proxy.stop();
+  await assertPortsFree([PORT]);
 });
 
 export default tap.start();

test/test.throughput.ts

@@ -8,24 +8,25 @@ import * as https from 'https';
 import * as fs from 'fs';
 import * as path from 'path';
 import { fileURLToPath } from 'url';
+import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
 // ────────────────────────────────────────────────────────────────────────────
-// Port assignments (unique to avoid conflicts with other tests)
+// Port assignments (dynamically allocated to avoid conflicts)
 // ────────────────────────────────────────────────────────────────────────────
-const TCP_ECHO_PORT = 47500;
+let TCP_ECHO_PORT: number;
-const HTTP_ECHO_PORT = 47501;
+let HTTP_ECHO_PORT: number;
-const TLS_ECHO_PORT = 47502;
+let TLS_ECHO_PORT: number;
-const PROXY_TCP_PORT = 47510;
+let PROXY_TCP_PORT: number;
-const PROXY_HTTP_PORT = 47511;
+let PROXY_HTTP_PORT: number;
-const PROXY_TLS_PASS_PORT = 47512;
+let PROXY_TLS_PASS_PORT: number;
-const PROXY_TLS_TERM_PORT = 47513;
+let PROXY_TLS_TERM_PORT: number;
-const PROXY_SOCKET_PORT = 47514;
+let PROXY_SOCKET_PORT: number;
-const PROXY_MULTI_A_PORT = 47515;
+let PROXY_MULTI_A_PORT: number;
-const PROXY_MULTI_B_PORT = 47516;
+let PROXY_MULTI_B_PORT: number;
-const PROXY_TP_HTTP_PORT = 47517;
+let PROXY_TP_HTTP_PORT: number;
 
 // ────────────────────────────────────────────────────────────────────────────
 // Test certificates
@@ -49,6 +50,8 @@ async function pollMetrics(proxy: SmartProxy): Promise<void> {
 // Setup: backend servers
 // ════════════════════════════════════════════════════════════════════════════
 tap.test('setup - TCP echo server', async () => {
+  [TCP_ECHO_PORT, HTTP_ECHO_PORT, TLS_ECHO_PORT, PROXY_TCP_PORT, PROXY_HTTP_PORT, PROXY_TLS_PASS_PORT, PROXY_TLS_TERM_PORT, PROXY_SOCKET_PORT, PROXY_MULTI_A_PORT, PROXY_MULTI_B_PORT, PROXY_TP_HTTP_PORT] = await findFreePorts(11);
+
   tcpEchoServer = net.createServer((socket) => {
     socket.on('data', (data) => socket.write(data));
     socket.on('error', () => {});
@@ -151,11 +154,28 @@ tap.test('TCP forward - real-time byte tracking', async (tools) => {
   console.log(`TCP forward (during) — recent throughput: in=${tpDuring.in}, out=${tpDuring.out}`);
   expect(tpDuring.in + tpDuring.out).toBeGreaterThan(0);
 
+  // ── v25.2.0: Per-IP tracking (TCP connections) ──
+  // Must check WHILE connection is active — per-IP data is evicted on last close
+  const byIP = mDuring.connections.byIP();
+  console.log('TCP forward — connections byIP:', Array.from(byIP.entries()));
+  expect(byIP.size).toBeGreaterThan(0);
+
+  const topIPs = mDuring.connections.topIPs(10);
+  console.log('TCP forward — topIPs:', topIPs);
+  expect(topIPs.length).toBeGreaterThan(0);
+  expect(topIPs[0].ip).toBeTruthy();
+
+  // ── v25.2.0: Throughput history ──
+  const history = mDuring.throughput.history(10);
+  console.log('TCP forward — throughput history length:', history.length);
+  expect(history.length).toBeGreaterThan(0);
+  expect(history[0].timestamp).toBeGreaterThan(0);
+
   // Close connection
   client.destroy();
   await tools.delayFor(500);
 
-  // Final check
+  // Final check — totals persist even after connection close
   await pollMetrics(proxy);
   const m = proxy.getMetrics();
   const bytesIn = m.totals.bytesIn();
@@ -168,21 +188,10 @@ tap.test('TCP forward - real-time byte tracking', async (tools) => {
   const byRoute = m.throughput.byRoute();
   console.log('TCP forward — throughput byRoute:', Array.from(byRoute.entries()));
 
-  // ── v25.2.0: Per-IP tracking (TCP connections) ──
+  // After close, per-IP data should be evicted (memory leak fix)
-  const byIP = m.connections.byIP();
+  const byIPAfter = m.connections.byIP();
-  console.log('TCP forward — connections byIP:', Array.from(byIP.entries()));
+  console.log('TCP forward — connections byIP after close:', Array.from(byIPAfter.entries()));
-  expect(byIP.size).toBeGreaterThan(0);
+  expect(byIPAfter.size).toEqual(0);
-
-  const topIPs = m.connections.topIPs(10);
-  console.log('TCP forward — topIPs:', topIPs);
-  expect(topIPs.length).toBeGreaterThan(0);
-  expect(topIPs[0].ip).toBeTruthy();
-
-  // ── v25.2.0: Throughput history ──
-  const history = m.throughput.history(10);
-  console.log('TCP forward — throughput history length:', history.length);
-  expect(history.length).toBeGreaterThan(0);
-  expect(history[0].timestamp).toBeGreaterThan(0);
 
   await proxy.stop();
   await tools.delayFor(200);
@@ -694,6 +703,7 @@ tap.test('cleanup - close backend servers', async () => {
   await new Promise<void>((resolve) => httpEchoServer.close(() => resolve()));
   await new Promise<void>((resolve) => tlsEchoServer.close(() => resolve()));
   console.log('All backend servers closed');
+  await assertPortsFree([TCP_ECHO_PORT, HTTP_ECHO_PORT, TLS_ECHO_PORT, PROXY_TCP_PORT, PROXY_HTTP_PORT, PROXY_TLS_PASS_PORT, PROXY_TLS_TERM_PORT, PROXY_SOCKET_PORT, PROXY_MULTI_A_PORT, PROXY_MULTI_B_PORT, PROXY_TP_HTTP_PORT]);
 });
 
 export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '25.3.1',
+  version: '25.8.0',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }

ts/proxies/smart-proxy/models/route-types.ts

@@ -39,6 +39,7 @@ export interface IRouteMatch {
   clientIp?: string[];     // Match specific client IPs
   tlsVersion?: string[];   // Match specific TLS versions
   headers?: Record<string, string | RegExp>; // Match specific HTTP headers
+  protocol?: 'http' | 'tcp';  // Match specific protocol (http includes h2 + websocket upgrades)
 }
 
 

ts/proxies/smart-proxy/smart-proxy.ts

@@ -409,6 +409,7 @@ export class SmartProxy extends plugins.EventEmitter {
       keepAliveTreatment: this.settings.keepAliveTreatment,
       keepAliveInactivityMultiplier: this.settings.keepAliveInactivityMultiplier,
       extendedKeepAliveLifetime: this.settings.extendedKeepAliveLifetime,
+      proxyIps: this.settings.proxyIPs,
       acceptProxyProtocol: this.settings.acceptProxyProtocol,
       sendProxyProtocol: this.settings.sendProxyProtocol,
       metrics: this.settings.metrics,